반응형
blukat - 3 pt
Sometimes, pwnable is strange...
hint: if this challenge is hard, you are a skilled player.
ssh blukat@pwnable.kr -p2222 (pw: guest)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | #include <stdio.h> #include <string.h> #include <stdlib.h> #include <fcntl.h> char flag[100]; char password[100]; char* key = "3\rG[S/%\x1c\x1d#0?\rIS\x0f\x1c\x1d\x18;,4\x1b\x00\x1bp;5\x0b\x1b\x08\x45+"; void calc_flag(char* s){ int i; for(i=0; i<strlen(s); i++){ flag[i] = s[i] ^ key[i]; } printf("%s\n", flag); } int main(){ FILE* fp = fopen("/home/blukat/password", "r"); fgets(password, 100, fp); char buf[100]; printf("guess the password!\n"); fgets(buf, 128, stdin); if(!strcmp(password, buf)){ printf("congrats! here is your flag: "); calc_flag(password); } else{ printf("wrong guess!\n"); exit(0); } return 0; } | cs |
gdb로 열어서 strcmp 부분에 breakpoint을 걸고 password의 값을 확인했다.
0x000000000040085c <+98>: lea rax,[rbp-0x70]
0x0000000000400860 <+102>: mov rsi,rax
0x0000000000400863 <+105>: mov edi,0x6010a0
0x0000000000400868 <+110>: call 0x400650 <strcmp@plt>
(gdb) b *main+110
Breakpoint 1 at 0x400868
(gdb) r
Starting program: /home/blukat/blukat
guess the password!
a
Breakpoint 1, 0x0000000000400868 in main ()
(gdb) x/s 0x6010a0
0x6010a0 <password>: "cat: password: Permission denied\n"
password를 입력해주면 flag가 나온다.
blukat@ubuntu:~$ ./blukat
guess the password!
cat: password: Permission denied
congrats! here is your flag: Pl3as_DonT_Miss_youR_GrouP_Perm!!
간.단.
반응형
'WAR GAME > Pwnable.kr' 카테고리의 다른 글
| pwnable.kr [horcruxes] 풀이 (0) | 2019.02.25 |
|---|---|
| pwnable.kr [unlink] 풀이 (0) | 2018.06.13 |
| pwnable.kr [asm] 풀이 (0) | 2018.06.13 |
| pwnable.kr [memcpy] 풀이 (0) | 2018.06.12 |
| pwnable.kr [uaf] 풀이 (1) | 2018.06.11 |