堇姬 Naup's Blog

2024-10-24 1.1k words 5 mins

Pwnable.tw-unexploitable

Pwnable.tw-unexploitable Author: 堇姬Naup IDA分析1234567int __fastcall main(int argc, const char **argv, const char **envp){ char buf[16]; // [rsp+0h] [rbp-10h] BYREF sleep(3u); return read(0, buf, 0x100uLL);} 分析非常明顯的buffer overflow 1234567pwndbg> checksecFile: /home/naup/Desktop/pwn/p

2024-10-22 2.2k words 13 mins

SunshineCTF 2024 writeup-by.naup96321

SunshineCTF 2024 writeup-by.naup96321 Author: 堇姬NaupWAN - r.k.10 This is myself some solve script and easy writeup. Just record some questions My solve list My team score board ScriptingThis catagory challenge give you one git bundleUse 1git clone <git bundle> <folder path> can get git.

2024-10-02 2.8k words 15 mins

Pwnable.tw-BookWriter

Pwnable.tw-BookWriter Author: 堇姬Naup libcglibc all in one 中沒有 2.23-0ubuntu5所以去網路上找libchttps://launchpad.net/ubuntu/xenial/amd64/libc6/2.23-0ubuntu5 把amd64載下來 1dpkg -X libc6_2.23-0ubuntu5_amd64.deb . 在libs裡面就有ld跟libc了 patchelf直接patch上去 12patchelf --set-interpreter ld-2.23.so bookwriterpatchelf --rep

2024-09-25 2.2k words 12 mins

Pwnable.tw-Secret Of My Heart

Pwnable.tw-Secret Of My Heart Author: 堇姬Naup libcglibc all in one 中沒有 2.23-0ubuntu5所以去網路上找libchttps://launchpad.net/ubuntu/xenial/amd64/libc6/2.23-0ubuntu5 把i386載下來 1dpkg -X libc6_2.23-0ubuntu5_amd64.deb . 在libs裡面就有ld跟libc了 patchelf直接patch上去 12patchelf --set-interpreter ld-2.23.so secret_of_my_hear

2024-09-23 1k words 5 mins

Pwnable.tw-Dubblesort

Pwnable.tw-Dubblesort Author: 堇姬Naup libcglibc all in one 中沒有 2.23-0ubuntu5所以去網路上找libchttps://launchpad.net/ubuntu/xenial/i386/libc6/2.23-0ubuntu5 把i386載下來 1dpkg -X libc6_2.23-0ubuntu5_i386.deb . 在libs裡面就有ld跟libc了 patchelf直接patch上去 12patchelf --set-interpreter ld-2.23.so dubblesortpatchelf --replac

2024-09-23 3.5k words 19 mins

Pwnable.tw-Re-alloc

Pwnable.tw-Re-alloc Author: 堇姬Naup env他的版本是 Ubuntu GLIBC 2.29-0ubuntu2glibc all in one載下 libc跟ld 1./download_old 2.29-0ubuntu2_amd64 用 patchelf 來patch 123456patchelf --set-interpreter ld-2.29.so reallocpatchelf --replace-needed libc.so.6 ./libc-2.29.so reallocnaup@naup-virtual-machine:~/Desktop/pw

2024-09-21 4.7k words 27 mins

Pwnable.tw-secret garden

Pwnable.tw-Secret Garden Author libcglibc all in one 中沒有 2.23-0ubuntu5所以去網路上找libchttps://launchpad.net/ubuntu/xenial/amd64/libc6/2.23-0ubuntu5 把i386載下來 1dpkg -X libc6_2.23-0ubuntu5_amd64.deb . 在libs裡面就有ld跟libc了 patchelf直接patch上去 12patchelf --set-interpreter ld-2.23.so seethefilepatchelf --replace-n

2024-09-20 2.3k words 13 mins

Pwnable.tw-seethefile

Pwnable.tw-seethefile Author: 堇姬Naup libcglibc all in one 中沒有 2.23-0ubuntu5所以去網路上找libchttps://launchpad.net/ubuntu/xenial/i386/libc6/2.23-0ubuntu5 把i386載下來 1dpkg -X libc6_2.23-0ubuntu5_i386.deb . 在libs裡面就有ld跟libc了 patchelf直接patch上去 12patchelf --set-interpreter ld-2.23.so seethefilepatchelf --replac

2024-09-16 1.6k words 8 mins

Pwnable.tw-3x17

Pwnable.tw-3x17 Author: 堇姬Naup 分析一樣IDA開逆這題把debug symbol全部拔掉，我們先定位main在哪裡 start12345678910111213141516171819// positive sp value has been detected, the output may be wrong!void __fastcall __noreturn start(__int64 a1, __int64 a2, __int64 a3){ __int64 v3; // rax unsigned int v4; // esi __int64

2024-09-11 1.9k words 11 mins

Pwnable.tw-tcache tear

Pwnable.tw-tcache tear Author: 堇姬Naup analyze code先IDA逆一波，把函數重新命名 main123456789101112131415161718192021222324252627282930313233343536373839404142434445void __fastcall __noreturn main(__int64 a1, char **a2, char **a3){ __int64 choice; // rax unsigned int free_chunk_cnt; // [rsp+Ch] [rbp-4h]