[hmv] Simple
Unfinished ❎ information Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-30 18:51 CST Nmap scan report for Simple (192.168.1.193) Host is up (0.0081s latency). Not shown: 994 closed tcp ports (conn-re...
information ╭─bamuwe@Mac ~ ╰─$ nmap -sVC 10.10.11.41 -Pn Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-30 00:01 CST Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan...
information ╭─bamuwe@Mac ~/Documents ╰─$ nmap -sVC 10.10.11.42 Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-29 18:50 CST Nmap scan report for 10.10.11.42 Host is up (0.13s latency). Not show...
information Port scan ╭─bamuwe@Mac ~/Desktop ╰─$ cat port_scan RT STATE SERVICE 53/tcp open domain 88/tcp open kerberos-sec 135/tcp open msrpc 139/tcp open netbios-ssn 3...
Decompilation analysis int __fastcall main(int argc, const char **argv, const char **envp) { char buf[32]; // [rsp+0h] [rbp-20h] BYREF init(); printf("%s", "please input your name: "); read(0, buf, 0x48uL...
1. Information gathering Port scan ╰─$ nmap -F instant.htb Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-27 15:36 CST Nmap scan report for instant.htb (10.10.11.37) Host is up (0.45s latency). Not show...
1. Information gathering Port scan ╰─$ nmap -F alert.htb Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-25 20:05 CST Nmap scan report for alert.htb (10.10.11.44) Host is up (1.1s latency). Not shown: 98...
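Problem: [SUCTF 2018 招新赛]unlink Approach: unlink to heap_list so that chunk0's pointer is changed to point to got_free, then modify chunk0's contents, i.e. overwrite the contents of got_free with system, hijacking the GOT to get a shell. EXP from pwn import * context.log_level = 'debug' context.terminal = [...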
Problem: [LitCTF 2024]heap-2.31 Approach: fill the tcache, use the unsorted bin to leak free_hook, use the UAF to modify the tcache fd to achieve arbitrary memory read/write, and hijack free_hook. EXP from pwn import * context.log_level = 'debug' context.terminal = ['tmux','splitw'...
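Problem: [LitCTF 2024]heap-2.27 Approach: leak the libc address through the unsorted bin and use it to locate free_hook. The delete function has a UAF, which lets us modify chunks that have already been freed; so by modifying a chunk's fd we can allocate a chunk at an arbitrary memory location and hijack free_hook. You need to understand the conditions under which unsorted bin chunks are produced and how free_hook hijacking works. EXP from ...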