[随波逐流]CTF Flags

随波逐流信息安全网 www.1o1o.xyz

   [随波逐流]CTF Flags

软件版本:v1.0.0   数据版本: v20260526
返    回

Virtual

 广告模块
ID: 2066
标题: Virtual
描述: Notes: The intended solution was using printf (format string) to leak libc. When overflowing the executeAsAService function (After changing the path), rdi contains the address of the path, the format string should be stored there. Calling printf requires setting rax register to 0, however there are no gadgets in the binary to do so. In order to make rax null, you'll have to dump the vd.so memory area & extract gadgets from there, there's a xor eax, eax; ret; gadget. That memory area depends on the kernel used and that's the main reason for using this specific setup (qemu). After the libc leak, you should be able to either pop a shell or open/read/write the flag (Which was I used in the solver). Writing this with pwntools wouldn't work since some bytes are not written in memory, If someone knows the reason please let me know, I spent a while looking into it. That's why the solver is written in C. Vdso base is written after the env. variables table.
类型: PWN
网站: bugku
题目链接: https://ctf.bugku.com/challenges/detail/id/2213.html
赛事: SecurinetsQualsCTF2023
年度: 2023
Flag值: Securinets{1e9Endre_5ymBO1s_goEs_brrrrrrrrrrrrrrrrrrrrrrrrrr}
writeup: https://blog.csdn.net/weixin_52640415/article/details/132197305
答案错误,我要更正