반응형
반응형
반응형


blukat - 3 pt

Sometimes, pwnable is strange...

hint: if this challenge is hard, you are a skilled player.


ssh blukat@pwnable.kr -p2222 (pw: guest)





1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
char flag[100];
char password[100];
char* key = "3\rG[S/%\x1c\x1d#0?\rIS\x0f\x1c\x1d\x18;,4\x1b\x00\x1bp;5\x0b\x1b\x08\x45+";
void calc_flag(char* s){
    int i;
    for(i=0; i<strlen(s); i++){
        flag[i] = s[i] ^ key[i];
    }
    printf("%s\n", flag);
}
int main(){
    FILE* fp = fopen("/home/blukat/password""r");
    fgets(password, 100, fp);
    char buf[100];
    printf("guess the password!\n");
    fgets(buf, 128, stdin);
    if(!strcmp(password, buf)){
        printf("congrats! here is your flag: ");
        calc_flag(password);
    }
    else{
        printf("wrong guess!\n");
        exit(0);
    }
    return 0;
}
 
 
cs


gdb로 열어서 strcmp 부분에 breakpoint을 걸고 password의 값을 확인했다.


   0x000000000040085c <+98>: lea    rax,[rbp-0x70]

   0x0000000000400860 <+102>: mov    rsi,rax

   0x0000000000400863 <+105>: mov    edi,0x6010a0

   0x0000000000400868 <+110>: call   0x400650 <strcmp@plt>


(gdb) b *main+110

Breakpoint 1 at 0x400868

(gdb) r

Starting program: /home/blukat/blukat 

guess the password!

a


Breakpoint 1, 0x0000000000400868 in main ()

(gdb) x/s 0x6010a0

0x6010a0 <password>: "cat: password: Permission denied\n"


password를 입력해주면 flag가 나온다.

blukat@ubuntu:~$ ./blukat 
guess the password!
cat: password: Permission denied  
congrats! here is your flag: Pl3as_DonT_Miss_youR_GrouP_Perm!!

간.단.


반응형

'WAR GAME > Pwnable.kr' 카테고리의 다른 글

pwnable.kr [horcruxes] 풀이  (0) 2019.02.25
pwnable.kr [unlink] 풀이  (0) 2018.06.13
pwnable.kr [asm] 풀이  (0) 2018.06.13
pwnable.kr [memcpy] 풀이  (0) 2018.06.12
pwnable.kr [uaf] 풀이  (1) 2018.06.11

+ Recent posts