Mr.Be1ieVe's Treasure

Though the road is long, walking it you will arrive; though the task is hard, doing it you will succeed.

Common Pwn commands

ldd filename  (read the libc the binary links against)
ROPgadget --binary filename --only "pop|ret"
__libc_start_main = u64(sh.recvuntil("\x7f")[-6:].ljust(8,'\x00'))
__libc_start_main = u32(sh.recvuntil("\xf7")[-4:])
__libc_start_main = u32(sh.recv(4))
canary = u64(sh.recv(7).rjust(8,"\x00"))
log.success("canary------>" + hex(canary))
Receive an address as an int: str_addr = int(sh.recvuntil("\n",True),16)
seccomp-tools dump ./filename
Can't find the flag: grep -rn flag *
32-bit 第

leak_canary-others_babystack

Full RELRO: the GOT is read-only. s is allocated 0x80 bytes but reads in 0x100, and the canary sits at stack -0x8. First leak the canary; when puts prints, it only

Fixes for common Linux problems

E: Could not get lock /var/lib/dpkg/lock-frontend - open (11: Resource temporarily unavailable)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?
ps -A | grep apt
sudo kill -9 processnumber
sudo rm /var/lib/dpkg/lock
sudo rm /var/lib/dpkg/lock-frontend
E: Could not get lock /var/cache/apt/archives/lock - open (11: Resource temporarily unavailable)
E: Unable to lock directory /var/cache/apt/archives/
sudo killall apt-get
sudo rm /var/lib/apt/lists/lock
sudo rm /var/cache/apt/archives/lock
sudo rm

PWN environment setup checklist

LINUX: Ubuntu 18 / 16, pwntools, edb (good for stack debugging), vim, LibcSearcher, pwndbg (good for heap debugging), seccomp-tools (inspect seccomp), proxychains4 (faster apt-get). WIN/MAC: IDA (disassembly), die (check 32/64-bit, packers, etc.). Some common commands [for reference e

Heap basics

get_shell: overwrite some function's GOT entry with the address of system, then prepare the argument as binsh and that is enough. Change free's GOT entry to puts, then in some heap chunk prepare the argument as the address of some function's GOT entry