kir[A]'s 小黑屋

Ju5t f0r fun~

Red Hat Cup 2018 onsite AWD PWN (updated: format string exploitation)
This year's Red Hat Cup web challenges were disgusting: the code I had only just backed up already contained three undying webshells from some state-owned enterprise team, and I have no idea how they got them in so fast. The challenge quality was also worrying, nothing like last year's. I spent too much time on web during the competition and never took a proper look at pwn, which was actually very simple; a real loss T_T….
Protections:
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
Program analysis …
Guangdong Red Hat Cup 2018 writeup
Misc: Not Only Wireshark (solved). http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/NotOnlyWireshark_ed63b63425ec3ed09470d8715b208293.zip?pass=null hint: tshark. Open the packet capture and look directly at the HTTP data; there are many access records of the form name=xxx. Extract all of the hex values:
# strings 123.pcapng| grep name| grep -oP "name=[0-9A-F]+"| tr -d 'na...
Python-is-the-best-language
This post is entirely copied; any changes are purely my own clumsiness. Original writeups: http://skysec.top/2018/04/01/Python-is-the-best-language/#%E6%BA%90%E7%A0%81%E7%BB%93%E6%9E%84 https://xz.aliyun.com/t/2219#toc-1 https://lorexxar.cn/2018/03/26/qwb2018/#python-is-best-language
Environment setup:
pip install Flask
pip install flask_login
pip install flask_boot...
qwb-pwn-opm
opm. First, learn how to create a struct in IDA: https://blog.csdn.net/hgy413/article/details/7104304
00000000 role struc ; (sizeof=0x20, mappedto_6)
00000000 func dq ?
00000008 name dq ?
00000010 length dq ?
00000018 punch_num dq ?
00000020 role ends
After pressing y to reset the type, add_r...
qwb-pwn-raisepig
raisepig is very similar to Secret Garden on pwnable.tw. The menu has 5 options:
puts("1 . Raise a pig ");
puts("2 . Visit pigs ");
puts("3 . Eat a pig");
puts("4 . Eat the whole Pig Farm");
puts("5 . Leave the Farm");
Create a pig struct in IDA:
00000000 pigs struc ; (sizeof=0...
qwb-pwn-silent1&2
Pretty bad, I only solved one; I'll fill in the rest slowly~ silent: the program has 3 functions, add, delete and edit.
__int64 add_(){ size_t size; // [rsp+0h] [rbp-20h] unsigned __int64 i; // [rsp+8h] [rbp-18h] void *v3; // [rsp+10h] [rbp-10h] unsigned __int64 v4; // [rsp+18h] [rbp-8h] v4 = __readfsqword(0x28u); __isoc99_scanf...
Hgame pwn
Finally finished all of the Hgame pwn challenges and learned a lot of new tricks. guess_number:
printf("enter your guess:"); __isoc99_scanf("%s", &nptr); if ( atoi(&nptr) == a1 ) { printf("OHHHHHHH! u did it !\norz orz orz orz\nhere is your flag:"); system("cat flag"); exit(0); }
Although canary is enabled, as long as the input overwrites the random number so that the comparison passes, it cat f...
HITCTF2018-writeup
easy_xor.apk
a='kmqgwg]Tm3=NE_/4ouKJW@WE^'
b='#$%$#!&#^_^~(:p@_*#######'
c = [chr(ord(x)^ord(y)) for x,y in zip(a,b)]
print ''.join(c)
A simple xor gives: HITCTF{w3lc0me_t0_hitctf}
stackflow
int vuln(){ char buf; // [esp+0h] [ebp-28h] puts("Welcome to pwn world!\nLeave your name:"); fflus...
pwn-imdb
The blog has been up for a while, but procrastination struck and I never wrote anything. I haven't done any interesting challenges lately, so I'll write up my approach to a certain CTF group's entry challenge. Program pseudocode: menu
void __fastcall main(__int64 a1, char **a2, char **a3){ char v3; // [rsp+0h] [rbp-18h] setbuf(stdout, 0LL); signal(14, handler); puts("*** Welcome to IMDB ***"); ...