pwnable
Umiade
pwnable.kr [Toddler's Bottle] - coin1
Mommy, I wanna play a game! (if your network response time is too slow, try nc 0 9007 inside pwnable.kr server) Running at : nc pwnable.kr 9007 The rules of the game are as follows:
Original · 2017-03-17 15:20:35 · 958 reads · 0 comments
pwnable.kr [Toddler's Bottle] - passcode
Mommy told me to make a passcode based login system. My initial C code was compiled without any error! Well, there was some compiler warning, but who cares about that? ssh passcode@pwnable.k
Original · 2017-03-27 00:00:27 · 514 reads · 0 comments
pwnable.kr [Toddler's Bottle] - shellshock
Mommy, there was a shocking news about bash. I bet you already know, but lets just make it sure :) ssh shellshock@pwnable.kr -p2222 (pw:guest) This concerns the 2014 vulnerability in bash versions below 4.3, shellshock, CVE-2014-62
Original · 2017-03-16 16:14:16 · 319 reads · 0 comments
pwnable.kr [Toddler's Bottle] - blackjack
Hey! check out this C implementation of blackjack game! I found it online * http://cboard.cprogramming.com/c-programming/114023-simple-blackjack-program.html I like to give my flags to milli
Original · 2017-03-21 17:04:26 · 328 reads · 0 comments
pwnable.kr [Toddler's Bottle] - uaf
Mommy, what is Use After Free bug? ssh uaf@pwnable.kr -p2222 (pw:guest) From the hint we already know that we have to exploit a Use-After-Free (UAF) bug here. The basic principle of the bug is that a dangling pointer is produced: after allocated memory is freed, the pointer is not set to NULL on release but keeps pointing at the freed memory. This
Original · 2017-04-10 21:09:19 · 722 reads · 0 comments
pwnable.kr [Rookiss] - [simple login]
Can you get authentication from this server? Download : http://pwnable.kr/bin/login Running at : nc pwnable.kr 9003 For my first taste of Rookiss, I'll start with reverse engineering, which I'm relatively familiar with. After downloading the file I found it is a 64-bit ELF; running it quickly in a VM, it asks for an Authenticat
Original · 2017-03-23 22:46:42 · 1345 reads · 0 comments
pwnable.kr [Toddler's Bottle] - mistake
We all make mistakes, let's move on. (don't take this too seriously, no fancy hacking skill is required at all) This task is based on real event Thanks to dhmonkey hint : operator prior
Original · 2017-03-14 16:39:53 · 535 reads · 0 comments
pwnable.kr [Toddler's Bottle] - leg
Daddy told me I should study arm. But I prefer to study my leg! Download : http://pwnable.kr/bin/leg.c Download : http://pwnable.kr/bin/leg.asm ssh leg@pwnable.kr -p2222 (pw:guest) This tests AR
Original · 2017-03-14 16:22:30 · 839 reads · 0 comments
pwnable.kr [Toddler's Bottle] - cmd2
Daddy bought me a system command shell. but he put some filters to prevent me from playing with it without his permission… but I wanna play anytime I want! ssh cmd2@pwnable.kr -p2222 (pw:fla
Original · 2017-03-23 13:29:33 · 533 reads · 1 comment
pwnable.kr [Toddler's Bottle] - input
This challenge has a relatively long flow and tests basic Linux programming skills (working through it, I couldn't help sighing that my fundamentals still fall quite a bit short). At first I tried writing a Python script to pass the checks, but I had no idea how to handle the stage 2 check on stdio. Thanks to werew for the approach in his writeup, which made it all clear. Reference: https://werewblog.wordpress.com/2016/01/11/pwnable-kr-input/
Original · 2017-03-13 14:57:17 · 1209 reads · 0 comments
pwnable.kr [Toddler's Bottle] - random
In C, the random number function rand() is pseudo-random and depends on the seed supplied by srand(). If the seed is set to the same value every time, rand() produces the same sequence of values every time. Calling rand() directly without setting a seed also gives the same result. The challenge source is as follows: /* ssh random@pwnable.kr -p2222 (pw:guest) */ #include <stdio.h> int main(){ uns
Original · 2017-03-13 14:09:46 · 483 reads · 0 comments
pwnable.kr [Toddler's Bottle] - flag
This tests basic reverse-engineering skills; it mainly comes down to whether you know the trick. Opening the flag file in IDA, the program flow looks abnormal and no library functions are detected, so I suspected a packer. Opening it in any hex editor, or simply looking at the Hex View in IDA, shows that it is packed with UPX. It can then be unpacked directly with the UPX tool (https://upx.github.io/): upx -d -o flag_unpack flag. Afterwards, reopen it in IDA and look at main
Original · 2017-03-13 10:11:36 · 298 reads · 0 comments
pwnable.kr [Toddler's Bottle] - cmd1
Mommy! what is PATH environment in Linux? ssh cmd1@pwnable.kr -p2222 (pw:guest) I didn't figure out what this challenge has to do with environment variables, but I should still cherish this last easy one. First the source, cmd1.c: #include <stdio.h> #include <string.h> int filter(char* cmd){ int r=0;
Original · 2017-03-22 15:14:39 · 466 reads · 0 comments
pwnable.kr [Toddler's Bottle] - lotto
Mommy! I made a lotto program for my homework. do you want to play? ssh lotto@pwnable.kr -p2222 (pw:guest) Another little game; it tests... attention to detail. The source is as follows: #include <stdio.h> #include <stdlib.h> #include <string.h> #incl
Original · 2017-03-22 14:30:49 · 799 reads · 0 comments
pwnable.kr [Toddler's Bottle] - bof
A simple stack overflow exercise. The source is as follows: #include <stdio.h> #include <string.h> #include <stdlib.h> void func(int key){ char overflowme[32]; printf("overflow me : "); gets(overflowme); // smash me! if(key ==
Original · 2017-03-11 22:47:19 · 413 reads · 0 comments
pwnable.kr [Toddler's Bottle] - collision
ssh col@pwnable.kr -p2222 (pw:guest) A simple hash exercise; the source is as follows: #include <stdio.h> #include <string.h> unsigned long hashcode = 0x21DD09EC; unsigned long check_password(const char* p){ int* ip = (int*)p;
Original · 2017-03-11 22:13:00 · 351 reads · 0 comments
pwnable.kr [Toddler's Bottle] - fd
Recently, on a senior's recommendation, I went to http://pwnable.kr/ to start the first serious challenge practice of my life. Toddler's Bottle.... :( The first challenge, fd, is mainly there to introduce how things work. ssh fd@pwnable.kr -p2222 (pw:guest) The source is as follows: #include #include #include char buf[32]; int main(int argc, char* ar
Original · 2017-03-11 21:35:19 · 341 reads · 0 comments
pwnable.kr [Toddler's Bottle] - codemap
A note up front: the wish to become a security expert still feels as far out of reach as ever. Gradually, a university life that had no worries seems to have started to take on some of the anxieties of an ordinary person. I still firmly believe I am capable, but the road ahead remains hazy. Thanks to the seniors who have helped me, and to my parents, who let me set financial pressure aside for now. I have a binary that has a lot information inside heap. How fast can you reverse-
Original · 2017-06-02 17:22:24 · 1058 reads · 0 comments