![\"\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/figure>\n\n\n\n
\u4f60\u5c31\u4f1a\u53d1\u73b0\u662f\u52a8\u6001flag\u4e86<\/p>\n\n\n\n
Pwn\u7684\u51fa\u9898\u548c\u52a8\u6001flag<\/h2>\n\n\n\n
\u7b80\u5355\u7f16\u5199\u4e00\u4e2a\u7b80\u5355\u7684 C \u7a0b\u5e8f\uff08\u6267\u884c \/bin\/sh<\/code>\uff09\uff0c\u5e76\u4f7f\u7528 socat<\/code> \u5c06\u5176\u7ed1\u5b9a\u5230 80 \u7aef\u53e3\u4e0a\u6765\u5b9e\u73b0\u3002<\/p>\n\n\n\n\u76ee\u5f55\u7ed3\u6784<\/p>\n\n\n\n
pwn\/\n\u251c\u2500\u2500 Dockerfile\n\u251c\u2500\u2500 flag.sh\n\u2514\u2500\u2500 src\/\n \u2514\u2500\u2500 pwn.c<\/code><\/pre>\n\n\n\npwn.c<\/p>\n\n\n\n
\u7b80\u5355\u7684 pwn \u7b7e\u5230\u6e90\u7801\uff0c\u4f5c\u7528\u662f\u76f4\u63a5\u5f39\u51fa\u4e00\u4e2a shell\u3002\u6ce8\u610f\uff1apwn \u9898\u5fc5\u987b\u5173\u95ed I\/O \u7f13\u51b2\uff0c\u5426\u5219\u901a\u8fc7\u7f51\u7edc\u8fde\u63a5\u65f6\u4f1a\u65e0\u6cd5\u6b63\u5e38\u8f93\u5165\u8f93\u51fa\u3002<\/p>\n\n\n\n
#include <stdio.h>\n#include <stdlib.h>\n\nint main() {\n \/\/ \u5173\u95ed I\/O \u7f13\u51b2\uff08\u9632\u6b62\u7f51\u7edc\u622a\u65ad\uff09\n setvbuf(stdin, NULL, _IONBF, 0);\n setvbuf(stdout, NULL, _IONBF, 0);\n setvbuf(stderr, NULL, _IONBF, 0);\n\n puts(\"Welcome to GZCTF Pwn Signin!\");\n puts(\"\u7b80\u5355\u7684\u6f14\u793a!\u563b\u563b\u563b\");\n\n \/\/ \u76f4\u63a5\u7ed9\u4e88 shell\n system(\"\/bin\/sh\");\n\n return 0;\n}<\/code><\/pre>\n\n\n\nflag.sh (\u542f\u52a8\u4e0e\u52a8\u6001 flag \u811a\u672c)<\/p>\n\n\n\n
\u8d1f\u8d23\u5c06 GZCTF \u4e0b\u53d1\u7684\u53d8\u91cf\u5199\u5165\u6839\u76ee\u5f55\uff0c\u968f\u540e\u6e05\u7a7a\u53d8\u91cf\u5e76\u542f\u52a8\u7aef\u53e3\u76d1\u542c\u3002<\/p>\n\n\n\n
#!\/bin\/sh\n\n# 1. \u63a5\u6536\u52a8\u6001\u53d8\u91cf\uff0c\u82e5\u5e73\u53f0\u672a\u4e0b\u53d1\u5219\u4f7f\u7528\u9ed8\u8ba4\u503c flag{sanjiu}\necho \"${GZCTF_FLAG:-flag{sanjiu}}\" > \/flag\n\n# 2. \u4fee\u6539 flag \u6587\u4ef6\u6743\u9650\u4e3a\u5168\u5c40\u53ea\u8bfb\uff0c\u9632\u6b62\u88ab\u9009\u624b\u610f\u5916\u4fee\u6539\u6216\u5220\u9664\nchmod 444 \/flag\n\n# 3. \u5f7b\u5e95\u9500\u6bc1\u73af\u5883\u53d8\u91cf\uff0c\u9632\u6b62\u9009\u624b\u76f4\u63a5\u8fd0\u884c env \u547d\u4ee4\u975e\u9884\u671f\u62ff\u5230 flag\nunset GZCTF_FLAG\n\n# 4. \u5207\u6362\u5230\u4f4e\u6743\u9650\u7528\u6237 ctf\uff0c\u4f7f\u7528 socat \u76d1\u542c 80 \u7aef\u53e3\u5e76\u5c06\u6d41\u91cd\u5b9a\u5411\u5230 pwn \u4e8c\u8fdb\u5236\u6587\u4ef6\n# EXEC \u6a21\u5f0f\u4e0b\uff0c\u6bcf\u6b21\u6709 nc \u8fde\u63a5\u8fdb\u6765\uff0c\u90fd\u4f1a fork \u4e00\u4e2a\u65b0\u7684 pwn \u8fdb\u7a0b\nexec su ctf -c \"socat TCP-LISTEN:80,reuseaddr,fork EXEC:\/home\/ctf\/pwn,stderr\"<\/code><\/pre>\n\n\n\nDockerfile<\/p>\n\n\n\n
\u57fa\u4e8e Ubuntu 22.04\uff0c\u5185\u7f6e\u963f\u91cc\u4e91 APT \u955c\u50cf\u52a0\u901f\u3002<\/p>\n\n\n\n
# Pwn \u9898\u901a\u5e38\u4f7f\u7528 Ubuntu \u4f5c\u4e3a\u57fa\u7840\u8fd0\u884c\u73af\u5883\nFROM ubuntu:22.04\n\n# \u66ff\u6362 Ubuntu \u8f6f\u4ef6\u6e90\u4e3a\u963f\u91cc\u4e91\u6e90\uff08\u52a0\u901f\u6784\u5efa\uff0c\u89e3\u51b3\u56fd\u5185 apt update \u5361\u6b7b\u95ee\u9898\uff09\nRUN sed -i 's@\/\/.*archive.ubuntu.com@\/\/mirrors.aliyun.com@g' \/etc\/apt\/sources.list && \n sed -i 's\/security.ubuntu.com\/mirrors.aliyun.com\/g' \/etc\/apt\/sources.list\n\n# \u5b89\u88c5 gcc (\u7528\u4e8e\u7f16\u8bd1\u6e90\u7801) \u548c socat (\u7528\u4e8e\u7aef\u53e3\u8f6c\u53d1)\nRUN apt-get update && \n DEBIAN_FRONTEND=noninteractive apt-get install -y gcc socat && \n rm -rf \/var\/lib\/apt\/lists\/*\n\n# \u521b\u5efa\u4f4e\u6743\u9650\u7528\u6237 ctf (Pwn \u9898\u7edd\u4e0d\u80fd\u7ed9 root \u6743\u9650\u8fd0\u884c\u4e8c\u8fdb\u5236\uff0c\u5426\u5219\u4f1a\u88ab\u6253\u7a7f\u5bbf\u4e3b\u673a)\nRUN useradd -m ctf\n\n# \u5c06\u6e90\u7801\u548c\u542f\u52a8\u811a\u672c\u62f7\u8d1d\u8fdb\u5bb9\u5668\nCOPY src\/pwn.c \/home\/ctf\/pwn.c\nCOPY flag.sh \/flag.sh\n\n# \u7f16\u8bd1 C \u6e90\u7801\uff0c\u5e76\u8bbe\u7f6e\u6743\u9650\u63a7\u5236\nRUN gcc \/home\/ctf\/pwn.c -o \/home\/ctf\/pwn && \n chown root:ctf \/home\/ctf\/pwn && \n chmod 750 \/home\/ctf\/pwn && \n chmod +x \/flag.sh\n\n# \u58f0\u660e\u66b4\u9732 80 \u7aef\u53e3\nEXPOSE 80\n\n# \u5bb9\u5668\u542f\u52a8\u65f6\u6267\u884c\u7684\u811a\u672c\nCMD [\"\/flag.sh\"]<\/code><\/pre>\n\n\n\n\u6784\u5efa\u955c\u50cf<\/p>\n\n\n\n
docker build -t pwn .<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u548c\u524d\u9762\u4e00\u6837\u8bbe\u7f6e<\/p>\n\n\n\n
flag{[GUID]}<\/code><\/pre>\n\n\n\n\u6211\u8fd8\u662f\u7528\u7684\u662f80\u7aef\u53e3<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u542f\u52a8nc\u8fde\u63a5\u5c31\u884c<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
docker \u547d\u4ee4<\/h2>\n\n\n\n1. \u955c\u50cf\u6784\u5efa\u4e0e\u7ba1\u7406 \n# \u6784\u5efa\u955c\u50cf \ndocker build -t <image_name> .\n# \u5217\u51fa\u672c\u5730\u955c\u50cf \ndocker images\ndocker image ls\n# \u641c\u7d22\u955c\u50cf\ndocker search <image_name>\n# \u4ece\u4ed3\u5e93\u62c9\u53d6\u955c\u50cf\ndocker pull <image_name>:<tag>\n# \u63a8\u9001\u955c\u50cf\u5230\u4ed3\u5e93 \ndocker push <image_name>:<tag>\n# \u67e5\u770b\u955c\u50cf\u8be6\u7ec6\u4fe1\u606f\ndocker inspect <image_name>\n# \u663e\u793a\u955c\u50cf\u5386\u53f2 \ndocker history <image_name>\n# \u7ed9\u955c\u50cf\u6253\u6807\u7b7e\ndocker tag <old_name> <new_name>\n# \u5220\u9664\u955c\u50cf \ndocker rmi <image_name>\ndocker image rm <image_name>\n\n 2. \u5bb9\u5668\u8fd0\u884c\u6d4b\u8bd5 \n# \u8fd0\u884c\u65b0\u5bb9\u5668\ndocker run [options] <image_name>\n# \u540e\u53f0\u8fd0\u884c\u5e76\u6620\u5c04\u7aef\u53e3 \ndocker run -d --name my-container -p 8080:80 <image_name>\n# \u4ea4\u4e92\u6a21\u5f0f\u8fd0\u884c\uff0c\u9000\u51fa\u5373\u711a\ndocker run -it --rm <image_name> \/bin\/bash\n# \u6ce8\u5165\u73af\u5883\u53d8\u91cf\ndocker run -e ENV_VAR=value <image_name>\n\n3. \u5e38\u7528\u57fa\u7840\u670d\u52a1\u542f\u52a8\n# \u8fd0\u884c Nginx \u5bb9\u5668\ndocker run -d --name my-nginx -p 80:80 nginx\n# \u8fd0\u884c MySQL \u5bb9\u5668 (\u6302\u8f7d\u6570\u636e\u5e76\u8bbe\u7f6e root \u5bc6\u7801) \ndocker run -d --name mysql-db -e MYSQL_ROOT_PASSWORD=123456 -v mysql_data:\/var\/lib\/mysql mysql:8.0\n\n4. \u8c03\u8bd5\u4e0e\u6392\u9519\n# \u5217\u51fa\u8fd0\u884c\u4e2d\u7684\u5bb9\u5668 \ndocker ps\n# \u5217\u51fa\u6240\u6709\u5bb9\u5668\uff08\u5305\u62ec\u505c\u6b62\u7684\uff09 \ndocker ps -a\n# \u67e5\u770b\u5bb9\u5668\u65e5\u5fd7\ndocker logs <container_name>\n# \u5b9e\u65f6\u67e5\u770b\u5bb9\u5668\u65e5\u5fd7 \ndocker logs -f <container_name>\n# \u67e5\u770b\u5b9e\u65f6\u65e5\u5fd7\u793a\u4f8b\ndocker logs -f my-nginx\n# \u67e5\u770b\u5bb9\u5668\u8fdb\u7a0b \ndocker top <container_name>\n# \u8fdb\u5165\u8fd0\u884c\u4e2d\u7684\u5bb9\u5668 \ndocker exec -it <container_name> \/bin\/bash\ndocker exec -it <container_name> sh\n# \u8fdb\u5165\u5bb9\u5668\u8c03\u8bd5\u793a\u4f8b\ndocker exec -it my-nginx \/bin\/bash\n\n5. Docker Compose \n# \u6784\u5efa\u670d\u52a1\u955c\u50cf \ndocker-compose build\n# \u542f\u52a8\u670d\u52a1 \ndocker-compose up\n# \u540e\u53f0\u8fd0\u884c\u670d\u52a1 \ndocker-compose up -d\n# \u67e5\u770b\u670d\u52a1\u72b6\u6001 \ndocker-compose ps\n# \u67e5\u770b\u670d\u52a1\u65e5\u5fd7 \ndocker-compose logs\n# \u5b9e\u65f6\u65e5\u5fd7 \ndocker-compose logs -f\n# \u505c\u6b62\u670d\u52a1 \ndocker-compose down\n# \u505c\u6b62\u670d\u52a1\u5e76\u540c\u65f6\u5220\u9664\u5377\ndocker-compose down -v\n\n6.\u73af\u5883\u6e05\u7406\u4e0e\u79bb\u7ebf\u8fc1\u79fb\n# \u5220\u9664\u6784\u5efa\u7f13\u5b58 \ndocker builder prune -f\n# \u6e05\u7406\u6240\u6709\u6784\u5efa\u7f13\u5b58\uff0c\u5305\u62ec\u5931\u8d25\u7684\u6784\u5efa \ndocker builder prune\n# \u6e05\u7406\u6240\u6709\u6784\u5efa\u7f13\u5b58\uff0c\u5305\u62ec\u5185\u90e8\u7f13\u5b58 \ndocker builder prune -a\n# \u5220\u9664\u6240\u6709\u60ac\u7a7a\u955c\u50cf\uff08\u5305\u62ec\u6784\u5efa\u5931\u8d25\u7684\u4e2d\u95f4\u5c42\uff09\ndocker image prune\n# \u5f3a\u5236\u5220\u9664\u6240\u6709\u60ac\u7a7a\u955c\u50cf\ndocker image prune -f\n# \u5220\u9664\u6240\u6709\u672a\u88ab\u4f7f\u7528\u7684\u955c\u50cf\uff08\u8c28\u614e\u4f7f\u7528\uff09 \ndocker image prune -a\n# \u5bfc\u51fa\u955c\u50cf \ndocker save -o <file.tar> <image_name>\n# \u5bfc\u5165\u955c\u50cf \ndocker load -i <file.tar><\/code><\/pre>\n\n\n\n\u87f9\u87f9\u89c2\u770b<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5199\u7684\u5982\u679c\u4e0d\u597d\u89c1\u8c05\uff0c\u4f5c\u8005\u6c34\u5e73\u6709\u9650 \u9879\u76ee\u5730\u5740 GitHub – GZTimeWalker\/GZCTF: […]<\/p>\n","protected":false},"author":1,"featured_media":3591,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,1],"tags":[],"class_list":["post-3573","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-4","category-learn"],"_links":{"self":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/3573","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3573"}],"version-history":[{"count":1,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/3573\/revisions"}],"predecessor-version":[{"id":3592,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/3573\/revisions\/3592"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/media\/3591"}],"wp:attachment":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-172-1024x499.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-173-1024x245.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-174-1024x84.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-175.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-176-1024x557.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-177-1024x98.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-178.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-179-1024x536.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-180-1024x566.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-181.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-182.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-183-1024x475.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-184-1024x446.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-185.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-186.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-187-1024x485.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/04\/image-188-1024x526.png\")
<\/div><\/figure>\n\n\n\n