Let's recover the cookie value. The exploit could be written a bit more simply, but I can't be bothered. You just recover it one byte at a time. The exploit below will not give the answer if you copy and paste it as-is; it is more of a walkthrough of the solving process.
Exploit Code
    from pwn import *

    def send(id, pw):
        # the service prompts for ID, then PW; p is the current connection
        p.sendlineafter('ID\n', id)
        p.sendlineafter('PW\n', pw)

    # On the page this already holds the recovered value; set it to '' to run the search from scratch.
    cookie = 'you_will_never_guess_this_sugar_honey_salt_cookie'
    # guess alphabet for each unknown byte
    s = '1234567890abcdefghijklmnopqrstuvwxyz-_'

    # 1. Find bytes 1~12: the unknown byte is the last byte of the first 16-byte block.
    for j in range(0, 12):
        # reference: id + '-' + pw + '-' + cookie = (15-j) dashes followed by the cookie
        p = remote('pwnable.kr', 9006)
        send('-'*(12-j), '-')
        p.recvuntil('(')
        enc = p.recv(32)          # hex of the first block
        p.close()
        for i in range(0, len(s)):
            p = remote('pwnable.kr', 9006)
            id = '-'*(15-j)+cookie+s[i]   # same prefix, known cookie bytes, one guessed byte
            send(id, '1')
            p.recvuntil('(')
            data = p.recv(32)
            if enc == data:
                cookie += s[i]
                print(cookie)
                p.close()
                break
            else:
                p.close()

    # 2. Find bytes 13~28: shift the prefix so the unknown byte lands at the end of the second block.
    for j in range(0, 16):
        p = remote('pwnable.kr', 9006)
        send('-'*(16-j), '-')
        p.recvuntil('(')
        p.recv(32)                # skip the first block
        enc = p.recv(32)          # hex of the second block
        p.close()
        for i in range(0, len(s)):
            p = remote('pwnable.kr', 9006)
            id = '-'*(19-j)+cookie+s[i]
            send(id, '1')
            p.recvuntil('(')
            p.recv(32)
            data = p.recv(32)
            if enc == data:
                cookie += s[i]
                print(cookie)
                p.close()
                break
            else:
                p.close()

    # 3. Find bytes 29~44: same idea, comparing the third block.
    for j in range(0, 16):
        p = remote('pwnable.kr', 9006)
        send('-'*(16-j), '-')
        p.recvuntil('(')
        p.recv(64)                # skip the first two blocks
        enc = p.recv(32)
        p.close()
        for i in range(0, len(s)):
            p = remote('pwnable.kr', 9006)
            id = '-'*(19-j)+cookie+s[i]
            send(id, '1')
            p.recvuntil('(')
            p.recv(64)
            data = p.recv(32)
            if enc == data:
                cookie += s[i]
                print(cookie)
                p.close()
                break
            else:
                p.close()

    # 4. Find bytes 45~: same idea, comparing the fourth block.
    for j in range(0, 16):
        p = remote('pwnable.kr', 9006)
        send('-'*(16-j), '-')
        p.recvuntil('(')
        p.recv(96)                # skip the first three blocks
        enc = p.recv(32)
        p.close()
        for i in range(0, len(s)):
            p = remote('pwnable.kr', 9006)
            id = '-'*(19-j)+cookie+s[i]
            send(id, '1')
            p.recvuntil('(')
            p.recv(96)
            data = p.recv(32)
            if enc == data:
                cookie += s[i]
                print(cookie)
                p.close()
                break
            else:
                p.close()
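The four hand-unrolled loops above are one algorithm: pick a dash prefix so that the next unknown cookie byte is the last byte of some block, record that block from a reference query, then replay the same prefix plus the known bytes plus one guess until the block matches. The example below is added here and is not the page's exploit; it runs offline against a constructed local oracle (`oracle`, `SECRET`, `KEY`, `prf_block` are all assumptions) that keeps only the property the attack relies on, namely that equal plaintext blocks at the same position encrypt to equal ciphertext blocks under a fixed key. It generalizes the page's loops by computing the prefix length and block index per byte, and stops on its own when the target block runs into padding.

```python
import hashlib
import hmac

BLOCK = 16
# constructed stand-in for the service's fixed key (not the real one)
KEY = b"constructed-demo-key-not-the-real-one"
# constructed stand-in for the cookie an attacker would recover (not the challenge's value)
SECRET = b"constructed_demo_cookie_0123456789"
# same guess alphabet as the page's `s`
ALPHABET = b"1234567890abcdefghijklmnopqrstuvwxyz-_"


def prf_block(block: bytes) -> bytes:
    """Deterministic 16-byte block transform standing in for a block cipher under a fixed key.

    Only the property the attack needs is modelled: the same plaintext block always
    yields the same ciphertext block, independent of its neighbours.
    """
    return hmac.new(KEY, block, hashlib.sha256).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def encrypt_blocks(plaintext: bytes) -> bytes:
    padded = pkcs7_pad(plaintext)
    return b"".join(prf_block(padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))


def oracle(user_id: bytes, pw: bytes) -> str:
    """Mimics the service: encrypts id '-' pw '-' cookie and returns hex, as the page reads it."""
    return encrypt_blocks(user_id + b"-" + pw + b"-" + SECRET).hex()


def recover_cookie(oracle_fn, alphabet: bytes = ALPHABET, max_len: int = 128) -> bytes:
    known = b""
    while len(known) < max_len:
        k = len(known)
        # Choose a dash prefix so that prefix + '-' + pw + '-' + known + <next byte>
        # ends exactly on a block boundary; the unknown byte is then the last byte
        # of block `blk`. Never send an empty id: shift one block further instead,
        # which is exactly what the page's step 2 does with its 16-dash prefix.
        pad_len = (-(3 + k + 1)) % BLOCK or BLOCK
        blk = (pad_len + 3 + k + 1) // BLOCK - 1
        lo, hi = blk * 2 * BLOCK, (blk + 1) * 2 * BLOCK  # hex offsets of that block
        # reference query: pw='-' makes the three separator bytes part of the dash prefix
        target = oracle_fn(b"-" * pad_len, b"-")[lo:hi]
        match = None
        for c in alphabet:
            probe = b"-" * (pad_len + 3) + known + bytes([c])
            if oracle_fn(probe, b"1")[lo:hi] == target:
                match = c
                break
        if match is None:
            # no alphabet byte matches: the target block now ends in a padding byte,
            # so the whole cookie has been recovered
            break
        known += bytes([match])
    return known


if __name__ == "__main__":
    print(recover_cookie(oracle))
```

Each recovered byte costs at most one reference query plus one query per alphabet symbol, which is why the page opens a fresh connection per guess. The defensive lesson is the same one the challenge teaches: a deterministic encryption of attacker-influenced data next to a secret is a chosen-plaintext oracle; a per-message random IV or nonce removes the block-equality that the loop keys on.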