migraine-sudo / how2pwn Public

Notifications You must be signed in to change notification settings
Fork 0
Star 1

do some libc challenges to learn new skills...

1 star 0 forks Branches Tags Activity

Name		Name	Last commit message	Last commit date
Latest commit History 14 Commits
BJDCTF		BJDCTF
CISCN2017-babydriver		CISCN2017-babydriver
EONEW		EONEW
HackZone/read_glibc		HackZone/read_glibc
House of Roman		House of Roman
PATCH		PATCH
ctf-wiki pwn		ctf-wiki pwn
xmctf		xmctf
攻防世界		攻防世界
高校战役		高校战役
README.md		README.md

Repository files navigation

HOW2PWN

记录各个比赛或者平台的pwn题解题思路和EXP。

做题中的知识点会逐渐汇总起来.

--From 2020 By Migraine

POINT

shellcode

EONEW平台的shellcode
- Linux沙盒机制
- 通过open来读取flag

数据泄露

EONEW平台的EASYSTACK
- 字符串拼接泄露libc
- ret2__libc_start_main函数的操作
xmctf平台的BabyStack
- 字符串拼接泄露canary

No leak

攻防世界的Noleak
- Partial Write
- House of Roman(方法二)
高校战役的easyheap
- UAF
- got表覆盖->leak
高校战役woodenhouse
- House of Roman
- Partial Write+IO_FILE地址泄露(方法二)
HackZoneread_glibc
- 只通过read来实现RCE（可以用于解Ret2Dl类的问题）

overlap

xmctf平台的BabyHeap
- global_max_fast的利用(unsortbin attack)
- free_hook的覆盖
攻防世界的babyheap
- overlap的切割法泄露地址
- realloc调整栈使得one_gadget可用

root

BJDCTF的diff
- 提权入门
- bss段写

Send Word

Stay hungry ，Stay Foolish