Here's something encrypted, password is required to continue reading.

introduce

OS: Linux
Difficulty: Medium
Points: 30
Release: 13 Nov 2021
IP: 10.10.11.124

• 

• 

Here's something encrypted, password is required to continue reading.

introduce

OS: Linux
Difficulty: Easy
Points: 20
Release: 30 Oct 2021
IP: 10.10.11.120

• 

• 

introduce

OS: Linux
Difficulty: Medium
Points: 30
Release: 16 Oct 2021
IP: 10.10.11.118

• 

• 

introduce

OS: Windows
Difficulty: Easy
Points: 20
Release: 02 Oct 2021
IP: 10.10.11.106

• 

• 

introduce

OS: Linux
Difficulty: Medium
Points: 30
Release: 25 Sep 2021
IP: 10.10.11.114

• 

• 

为了用sys_execve syscall执行/bin/sh，需要解决一些障碍，根据参考，需要设置寄存器如下;

EAX = 11 (or 0x0B in hex) – The execve syscall number
EBX = Address in memory of the string “/bin/sh”
ECX = Address of a pointer to the string “/bin/sh”
EDX = Null (可选的指向描述环境的结构的指针)

一旦所有这些都设置好了，执行int 0x80指令应该会生成一个shell。

基于上个ROP exploit建立的,学习编写ROP chains的另一种方法, 而不是using sys_execve to spawn a shell, 用sys_mprotect关掉NX保护, 并执行shellcode。

introduce

OS: Linux
Difficulty: Medium
Points: 30
Release: 11 Sep 2021
IP: 10.10.11.111

• 

•