nyyyddddn


geekcon
pwnable / Memo0: there is a login function, and on a successful login it calls a function that prints the flag.
unsigned __int64 login()
{
  unsigned __int64 v0; // rax
  size_t v1; // rax
  _BYTE *s1; // [rsp+8h] [rbp-38h]
  char s[40]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v5; // [rsp+38h] [rbp-8...
Trying to compile the kernel and the filesystem
learn about kernel pwn: try compiling the kernel and the filesystem, then boot them with qemu. step1: make filesystem (compile busybox) https://ctf-wiki.org/pwn/linux/kernel-mode/environment/qemu-emulate/#_3 Download and compile busybox:
wget https://busybox.net/downloads/busybox-1.32.1.tar.bz2
tar -jxf busybox-1.32.1.tar.bz2
make menuconfig // under Settings, set buil...
nkctf_wp
Sigh, I'm pretty bad at this; I only solved two challenges and had no ideas for the later ones. Maimai score checker: a subfunction has both a format-string vulnerability and a stack overflow. Use the format string to leak the libc address and the canary value, then do ret2libc. After getting through, cat flag was denied for lack of permission; looking at the challenge file, it has the suid bit set, so libc's setuid(0) can be called to escalate privileges, and then cat flag.
unsigned __int64 sub_19EA()
{
  char buf[8]; // [rsp+0h] [rbp-10h] BYREF ...
CyberApocalypse_2024_Hacker_Royale_wp
Delulu: just use the format string to overwrite the low two bytes.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v4[2]; // [rsp+0h] [rbp-40h] BYREF
  __int64 buf[6]; // [rsp+10h] [rbp-30h] BYREF
  buf[5] = __readfsqword(0x28u);
  v4[0] = 322419390LL;
  v4[1] = (__int64)v4;
  memset(bu...
pearlctf_wp
Adventure: this Indian server is terrible; I hammered at it for ages and couldn't get through. A subfunction contains a stack overflow; ret2libc with LibcSearcher is enough.
void __cdecl hatchEgg()
{
  char name[20]; // [rsp+0h] [rbp-20h] BYREF
  puts("You wish to hatch the egg!");
  puts("Give the baby dragon a name");
  getchar();
  fflush(stdin);
  gets(name);
  print...
osu!gaming_CTF_2024
pwn / betterthanu: the fgets there overflows; overwrite v6 with 727 so that v5 is less than v6.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[16]; // [rsp+0h] [rbp-20h] BYREF
  unsigned __int64 v5; // [rsp+10h] [rbp-10h]
  unsigned int v6; // [rs...
hgame2024week3_wp
pwn / 你满了,那我就漫出来了! ("You're full, so I'll overflow!") [added later]
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v4; // [rsp+8h] [rbp-8h]
  v4 = __readfsqword(0x28u);
  init(argc, ...
sictfr3_pwn_wp
pwn / [签到] (warm-up) stack: the challenge logic is this: find a number that is much larger than 0x58 but whose low byte is less than 0x40, and you get an overflow.
char *run()
{
  char buf[76]; // [rsp+0h] [rbp-50h] BYREF
  size_t nbytes; // [rsp+4Ch] [rbp-4h]
  printf("Give me the length: ");
  LODWORD(nbytes) = get_int();
  if ( (unsigned __int8)nbytes > 0x40u )...
nssr18_wp
Sigh, I'm pretty bad at this; I only solved one challenge. HappyCTF:
public vuln
vuln proc near
buf= byte ptr -110h
var_8= qword ptr -8
; __unwind {
endbr64
push rbp
mov rbp, rsp
sub rsp, 110h
lea rax, aNowPlzYouInput ; "Now,plz you input:"
mov rdi, rax ; s
call ...
hgame2024week2_pwn_wp
pwn / Elden Ring Ⅱ: a heap-manager challenge on glibc 2.31, no PIE, with four functions (add, edit, show, delete); there is a UAF in delete.
void delete_note()
{
  unsigned int v0; // [rsp+Ch] [rbp-4h] BYREF
  printf("Index: ");
  __isoc99_scanf("%u", &v0);
  if ( v0 <= 0xF )
  {
    i...
nyyyddddn
Looking forward to your advice!