└─$ sudo nmap -sS -sV -O 10.129.36.46 -p22,80 --min-rate=3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 04:57 EDT
Nmap scan report for bucket.htb (10.129.36.46)
Host is up (0.61s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.1...
└─$ sudo nmap -sS 10.129.96.167 --min-rate=3000 -p22,2379,2380,8443,10249,10250,10256, -sV -O
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 04:21 EDT
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 85.71% done; ETC: 04:22 (0:00:08 remaining)
Nmap scan report for 10.129.96.167 (10.129.96.167)
Host is up (0.22s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian...
Honestly, I feel the 64-bit version is a fair bit harder than the 32-bit one.. probably just me being slow.
The most outrageous one was bextr; I really couldn't find much material on it and only worked out the pattern after debugging for ages.
Take an example, say bextr rbx,rcx,rdx here:
rcx = 0b100010100
rdx = 302
The value of rbx is rcx>>2, or in other words the low two bits are dropped:
100010100 >>2  # becomes 1000101
Then count 3 bits starting from the low end:
1000101  # take 3 bits: 101
So rbx = 0b101 = 5
Another example: 2300 can be split as 23 00,
meaning take 23 bits starting from bit 0.
xlat fetches the byte at the address [rbx] plus the offset in al, and then stores it into al:
xlat BYTE PTR ds:[rbx]
Here stosb depends on the value of df: after the value of al is stored to rdi, the destination address, i.e. the address in rdi here, is incremented or decremented by 1, which you can think of as moving forward or backward. That way the pointer direction can be controlled just by manipulating df, though df isn't needed for direction here XD
0x00400639 aa stosb byte [rdi], al
0x0040...
If you know these few assembly instructions, this challenge is actually fairly easy. In the instruction-exploitation part of the challenge I learned xchg, bswap and pext; very happy to have solved it myself o( ̄▽ ̄)ブ.
// ecx flag.txt address
0x08048558 : pop ecx ; bswap ecx ; ret
0x08048555 : xchg byte ptr [ecx], dl ; ret
xchg example, quoted from https://www.felixcloutier.com/x86/xchg
TEMP := DEST;
DEST := SRC;
SRC := TEMP;
bswap converts between big-endian and little-endian byte order:
TEMP := DEST
IF 64-bit mode AND OperandSize = 64
THEN
    DEST[7:0] := TEMP[63:56];
    DEST[15:8] := TEMP[55:48];
    DEST[23:16] := TEMP[47:40];
    DEST[31:24] := TEM...
A friend sent me a newly reported zentao vulnerability; after looking into it, exploitation turned out to be fairly simple, so I wrote a PoC.
import requests
import random
import string

UA = "flower Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 flower/majyo-party"
headers = {
    "User-Agent": UA,
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
}

def generate...
user
NMAP
└─$ sudo nmap -sS -p- 10.129.207.139 --min-rate=3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 03:07 EDT
Nmap scan report for 10.129.207.139 (10.129.207.139)
Host is up (0.38s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt
Nmap done: 1 IP address (1 host up) scanned in 59.67 seconds
Took a closer look at port 8000:
└─$ sudo nmap -sS -p8000 runner.htb --min-rate=3000 -sV -O
[s...
user
nmap
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:...
Information gathering: nmap
The initialization creates a Creature contract and calls into it; nothing much in this part.
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import {Creature} from "./Creature.sol";

contract Setup {
    Creature public immutable TARGET;

    constructor() payable {
        require(msg.value == 1 ether);
        TARGET = new Creature{value: 10}();
    }

    function isSolved() public view returns (bool) {
        return address(TARGET).balance == 0;
    }
}
What needs attention is this contract...
USER
Information gathering
└─$ sudo nmap -sS -sV -T4 -A $IP -p$(sudo nmap -sS -p- $IP --min-rate=5000|grep -i open |awk -F '/' '{print $1}'|tr -s '\n' ',') --min-rate=5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-19 06:28 EST
Nmap scan report for DC.office.htb (10.10.1x.x)
Host is up (0.45s latency).
PORT STA...