# 6.1.12 pwn N1CTF2018 vote - [题目复现](#题目复现) - [题目解析](#题目解析) - [参考资料](#参考资料) [下载文件](../src/writeup/6.1.12_n1ctf2018_vote) ## 题目复现 这个题目给了二进制文件和 libc: ``` $ file vote vote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=53266adcfdcb7b21a01e9f2a1cb0396b818bfba3, stripped $ checksec -f vote RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 4 vote ``` 看起来就是个堆利用的问题: ``` $ ./vote 0: Create 1: Show 2: Vote 3: Result 4: Cancel 5: Exit Action: ``` 然后就可以把它运行起来了: ``` $ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./vote" & ``` 另外出题人在 github 开源了题目的代码,感兴趣的也可以看一下。 ## 题目解析 #### Exploit ## 参考资料 https://ctftime.org/task/5490