<!DOCTYPE html><html lang="en" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0,viewport-fit=cover"><title>133NSON's space</title><meta name="author" content="133NSON"><meta name="copyright" content="133NSON"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta property="og:type" content="website">
<meta property="og:title" content="133NSON's space">
<meta property="og:url" content="https://133nson.github.io/index.html">
<meta property="og:site_name" content="133NSON's space">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://133nson.github.io/img/1.jpg">
<meta property="article:author" content="133NSON">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://133nson.github.io/img/1.jpg"><link rel="shortcut icon" href="/img/website_logo.png"><link rel="canonical" href="https://133nson.github.io/index.html"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox/fancybox.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="/font/logofonts.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = {
// Site-wide settings for the theme scripts. This object is inline in the page,
// so every value below is delivered to every visitor in the page source.
root: '/',
// NOTE(review): the Algolia appId/apiKey pair is public by construction here.
// Confirm in the Algolia dashboard that this is a search-only key limited to
// the listed index; an admin or write-capable key must never be emitted here.
algolia: {"appId":"E6F6HJNVKT","apiKey":"b16c6b49a43f4e7a83f8041e6fe7ad46","indexName":"my-hexo-blog","hits":{"per_page":6},"languages":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}.","hits_stats":"${hits} results found in ${time} ms"}},
localSearch: undefined,
translate: {"defaultEncoding":2,"translateDelay":0,"msgToTraditionalChinese":"繁","msgToSimplifiedChinese":"簡"},
noticeOutdate: undefined,
highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
// User-facing messages for the copy feature.
copy: {
success: 'Copy successfully',
error: 'Copy error',
noSupport: 'The browser does not support'
},
relativeDate: {
homepage: false,
post: false
},
runtime: 'days',
date_suffix: {
just: 'Just',
min: 'minutes ago',
hour: 'hours ago',
day: 'days ago',
month: 'months ago'
},
copyright: undefined,
lightbox: 'fancybox',
Snackbar: undefined,
// NOTE(review): these CDN URLs carry no package version, so the file they
// resolve to can change without any change to this site. How they are loaded
// is not visible in this block; if they are injected without an integrity
// attribute, pinning an exact version (or self-hosting) limits the exposure.
source: {
justifiedGallery: {
js: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.js',
css: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.css'
}
},
isPhotoFigcaption: false,
islazyload: false,
isAnchor: false,
percent: {
toc: true,
rightside: false,
}
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
// Per-page values emitted next to the site-wide config. For this page
// isHome is true and isPost is false.
title: '133NSON\'s space',
isPost: false,
isHome: true,
isHighlightShrink: false,
isToc: false,
// Written as a local date-time string with no timezone offset.
postUpdate: '2023-11-18 13:00:29'
}</script><noscript><style type="text/css">
/* Rules applied only inside <noscript>: force the nav bar and gallery images
   to full opacity and show post dates inline. Presumably these are otherwise
   revealed by script; confirm against the theme stylesheet. */
#nav,
.justified-gallery img {
  opacity: 1;
}

#post-meta time,
#recent-posts time {
  display: inline !important;
}
</style></noscript><script>(win=>{
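// localStorage wrapper that stores each value together with an expiry time.
// Anything in localStorage can be written by any script running on this
// origin (or edited by the visitor), so reads treat stored data as untrusted.
win.saveToLocal = {
  /**
   * Persist `value` under `key` for `ttl` days.
   * A `ttl` of exactly 0 means "do not store" and returns without writing.
   */
  set: function setWithExpiry (key, value, ttl) {
    if (ttl === 0) return
    const item = {
      value: value,
      // ttl is expressed in days; 86400000 is the number of ms in one day.
      expiry: Date.now() + ttl * 86400000
    }
    localStorage.setItem(key, JSON.stringify(item))
  },
  /**
   * Return the stored value for `key`, or undefined when the entry is
   * missing, expired, unreadable, or not valid JSON. Expired entries are
   * removed as a side effect.
   */
  get: function getWithExpiry (key) {
    try {
      const itemStr = localStorage.getItem(key)
      if (!itemStr) return undefined
      const item = JSON.parse(itemStr)
      // A stored literal `null` (or any non-object) has no value/expiry pair.
      if (item === null || typeof item !== 'object') return undefined
      if (Date.now() > item.expiry) {
        localStorage.removeItem(key)
        return undefined
      }
      return item.value
    } catch (e) {
      // Malformed JSON or blocked storage access must not abort the start-up
      // script that calls this on every page load; treat it as "no saved value".
      return undefined
    }
  }
}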
// Inject a <script> for `url` into <head>. The promise resolves once the
// script has loaded and rejects on a load error.
// Only `src` and `async` are set: no `integrity` or `crossOrigin` is applied,
// so the code that runs is whatever the URL serves at load time.
win.getScript = url => new Promise((resolve, reject) => {
  const el = document.createElement('script')
  el.src = url
  el.async = true
  el.onerror = reject
  const handleLoad = function () {
    // readyState is only present in legacy engines; when it exists, wait
    // until it reports 'loaded' or 'complete'.
    const state = this.readyState
    const stillLoading = state && state !== 'loaded' && state !== 'complete'
    if (stillLoading) return
    // Detach both handlers so the promise settles once.
    el.onload = el.onreadystatechange = null
    resolve()
  }
  el.onload = el.onreadystatechange = handleLoad
  document.head.appendChild(el)
})
// Inject a stylesheet <link> for `url` into <head>, optionally giving it the
// element id `id`. The promise resolves on load and rejects on error.
// No `integrity` attribute is set on the created element.
win.getCSS = (url,id = false) => new Promise((resolve, reject) => {
  const el = document.createElement('link')
  el.rel = 'stylesheet'
  el.href = url
  if (id) {
    el.id = id
  }
  el.onerror = reject
  const handleLoad = function () {
    // Same legacy readyState gate as used for dynamically loaded scripts.
    const state = this.readyState
    const stillLoading = state && state !== 'loaded' && state !== 'complete'
    if (stillLoading) return
    el.onload = el.onreadystatechange = null
    resolve()
  }
  el.onload = el.onreadystatechange = handleLoad
  document.head.appendChild(el)
})
// Switch the document to the dark theme and, when a theme-color <meta>
// exists, set it to the dark colour.
win.activateDarkMode = function () {
  document.documentElement.setAttribute('data-theme', 'dark')
  const themeColorMeta = document.querySelector('meta[name="theme-color"]')
  if (themeColorMeta === null) return
  themeColorMeta.setAttribute('content', '#0d0d0d')
}
// Switch the document to the light theme and, when a theme-color <meta>
// exists, set it to the light colour.
win.activateLightMode = function () {
  document.documentElement.setAttribute('data-theme', 'light')
  const themeColorMeta = document.querySelector('meta[name="theme-color"]')
  if (themeColorMeta === null) return
  themeColorMeta.setAttribute('content', '#ffffff')
}
// Re-apply the visitor's saved display preferences.
// Stored values are only compared against fixed strings and never written
// into the page, so an unexpected value in storage simply matches nothing.
switch (saveToLocal.get('theme')) {
  case 'dark':
    activateDarkMode()
    break
  case 'light':
    activateLightMode()
    break
}

// A saved aside status of 'hide' collapses the sidebar; any other saved
// value clears the class. With nothing saved the class is left untouched.
const savedAside = saveToLocal.get('aside-status')
if (savedAside !== undefined) {
  document.documentElement.classList.toggle('hide-aside', savedAside === 'hide')
}

// Tag the root element when the user agent string names an Apple device.
if (/iPad|iPhone|iPod|Macintosh/.test(navigator.userAgent)) {
  document.documentElement.classList.add('apple')
}
})(window)</script><link rel="stylesheet" href="/css/font.css"><script src="/js/sakura.js"></script><meta name="generator" content="Hexo 6.3.0"></head><body><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="/img/1.jpg" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="sidebar-site-data site-data is-center"><a href="/archives/"><div class="headline">Articles</div><div class="length-num">20</div></a><a href="/tags/"><div class="headline">Tags</div><div class="length-num">11</div></a><a href="/categories/"><div class="headline">Categories</div><div class="length-num">1</div></a></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw iconfont icon-article"></i><span> Articles</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></li><li><a class="site-page child" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> Tags</span></a></li><li><a class="site-page child" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw iconfont icon-about"></i><span> About</span></a></div></div></div></div><div class="page" id="body-wrap"><header class="full_page" id="page-header" style="background-image: url('/img/yukino.png')"><nav id="nav"><span id="blog-info"><a href="/" title="133NSON's space"><span class="site-name">133NSON's space</span></a></span><div id="menus"><div id="search-button"><a class="site-page social-icon search" href="javascript:void(0);"><i class="fas fa-search fa-fw"></i><span> Search</span></a></div><div class="menus_items"><div 
class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw iconfont icon-article"></i><span> Articles</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></li><li><a class="site-page child" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> Tags</span></a></li><li><a class="site-page child" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw iconfont icon-about"></i><span> About</span></a></div></div><div id="toggle-menu"><a class="site-page" href="javascript:void(0);"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="site-info"><h1 id="site-title">133NSON's space</h1><div id="site-subtitle"><span id="subtitle"></span></div><div id="site_social_icons"><a class="social-icon" href="mailto:[email protected]" target="_blank" title="Email"><i class="fas fa-envelope"></i></a></div></div><div id="scroll-down"><i class="fas fa-angle-down scroll-down-effects"></i></div></header><main class="layout" id="content-inner"><div class="recent-posts" id="recent-posts"><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2023/11/17/blackhatmea2023/" title="BlackHat MEA 2023 - vec">BlackHat MEA 2023 - vec</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-11-17T11:18:26.000Z" title="Created 2023-11-17 19:18:26">2023-11-17</time></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/writeup/">writeup</a><span 
class="article-meta-link">•</span><a class="article-meta__tags" href="/tags/BlackHat/">BlackHat</a></span></div><div class="content">The vulnerability is in this part, we can bypass the if statement by integer overflow. Therefore, we are able to achieve out-of-bounds writing in the heap area.
Step 1, leak the heap address. The vector of template class will allocate for twice the current memory size when the current memory is not enough. In the first two times, it will ask for 8 bytes and 16 bytes of memory from the heap allocator, which will return a chunk of size 0x20(In the following text, we refer to them as chunk a and c ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2023/11/06/tsg2023/" title="TSG CTF 2023">TSG CTF 2023</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-11-06T02:21:04.000Z" title="Created 2023-11-06 10:21:04">2023-11-06</time></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/writeup/">writeup</a><span class="article-meta-link">•</span><a class="article-meta__tags" href="/tags/TSG-CTF/">TSG CTF</a></span></div><div class="content">摸了两道PWN就下号补作业去了(悲
converter2c32rtomb 函数若传入的的UTF-32字符非法会返回-1,利用这点可以使指针指向数组负下标的位置。往 utf32_hexstr[3] 的尾部写一组UTF-32字符的数据,使其解析 utf32_hexstr[3] 时解析多一组数据,在后续 printf 时就能将flag带出来
123456789101112131415161718192021222324252627282930#!/usr/bin/python2from pwn import *# io = process('./chall')io = remote('34.146.195.242', 40004)ru = lambda x : io.recvuntil(x, drop = True)sa = lambda a, b : io.sendafter(a, b)sla = lambda a, b : io.sendlineafter ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2023/11/01/SEETF2023/" title="SEETF 2023 PWN">SEETF 2023 PWN</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-11-01T05:08:30.000Z" title="Created 2023-11-01 13:08:30">2023-11-01</time></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/writeup/">writeup</a><span class="article-meta-link">•</span><a class="article-meta__tags" href="/tags/SEETF/">SEETF</a></span></div><div class="content">总共5道PWN,上号的时候队里的师傅已经出了1道了,然后我把剩下的4道出了
Great Expectations读入浮点数部分写rbp,然后栈迁移+ret2libc
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364#!/usr/bin/python2from pwn import *context.binary = 'chall'libc = ELF('libc.so.6', checksec = False)sa = lambda a, b : io.sendafter(a, b)sla = lambda a, b : io.sendlineafter(a, b)ia = lambda : io.interactive()uu64 = lambd ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2023/10/16/MapleCTF2023/" title="MapleCTF 2023 lost-in-space">MapleCTF 2023 lost-in-space</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-10-16T02:32:13.000Z" title="Created 2023-10-16 10:32:13">2023-10-16</time></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/writeup/">writeup</a><span class="article-meta-link">•</span><a class="article-meta__tags" href="/tags/MapleCTF/">MapleCTF</a></span></div><div class="content">index为200的页没有被mprotect调整权限,syscall指令被沙箱限制在这个页内执行,编写shellcode搜索出这个地址即可
因为是在不规则图(存在两条有向边指向同一个点的情况和环之类的)内搜索,直接进行 深搜/广搜 的效率会很低并且有可能会出现死循环(一直在一个环内的点循环搜索),所以在搜索过的页面上做个标记可以提高成功率,但比赛时懒得写了,直接广搜多跑几次也能通(
还有就是最后在搜索出地址可以执行syscall后,直接执行 execve("/bin/sh", 0, 0) 会崩溃(猜测原因是程序内munmap掉了太多地址,本来合法的地址也变成了非法,sh进程里对这些munmap的非法地址进行了读写操作导致崩溃)。后面换成orw的shellcode就能正常读取flag了
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172#! ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2023/10/16/xsb2023/" title="香山杯 2023 PWN">香山杯 2023 PWN</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-10-16T02:13:06.000Z" title="Created 2023-10-16 10:13:06">2023-10-16</time></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/writeup/">writeup</a></span></div><div class="content">Move栈迁移+ret2libc
1234567891011121314151617181920212223242526272829303132333435363738394041#!/usr/bin/python2from pwn import *io = remote('123.56.25.124', 22278)context.binary = 'pwn'libc = ELF('libc.so.6', checksec = False)rc = lambda n : io.recv(n)sa = lambda a, b : io.sendafter(a, b)ia = lambda : io.interactive()uu64 = lambda x : u64(x.ljust(8, b'\x00'))pop_rdi = 0x0000000000401353got = ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2023/10/12/blb2023/" title="柏鹭杯 2023 PWN">柏鹭杯 2023 PWN</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-10-11T16:08:28.000Z" title="Created 2023-10-12 00:08:28">2023-10-12</time></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/writeup/">writeup</a></span></div><div class="content">一开始直接忘了这个比赛,早上课上到一半看队友在说才想起来(
heap自己写的堆管理器,洞是堆溢出。小于0x80的堆块类似于cache可以用于劫持next指针实现任意地址分配,大于0x80的堆块在free之后堆头会写上elf段的地址可以用于泄露elf基址,最后利用可控的容易地址分配劫持malloc中里调用的函数指针为backdoor即可
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100#!/usr/bin/python2from pwn import *# io = process('./heap')io = remote('8.130.86.205', 20199)context.binary = 'hea ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2023/09/27/hitcon2023/" title="HITCON CTF 2023 - SUBformore">HITCON CTF 2023 - SUBformore</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-09-27T10:32:59.000Z" title="Created 2023-09-27 18:32:59">2023-09-27</time></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/writeup/">writeup</a><span class="article-meta-link">•</span><a class="article-meta__tags" href="/tags/HITCON/">HITCON</a></span></div><div class="content">一开始想打dl的link_map,结果本地通了,远程调了半天。。。中间还以为是libc版本的问题用各种版本的libc都试了,还用他给的dockfile起了docker然后本地docker打通了结果远程还是不行。最后通过单字节的泄露发现远程和本地的libc除了got表上的数据其它好像都一样(被远程环境坑的最惨的一次,在一血出来前两个小时本地就通了,但就因为远程和本地libc的got表数据不一样把一血给玩没了……
早知道一开始就老实打io_file了(
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859#!/usr/bin/python2from pwn import *# io = process(['./lessequalmore', 'chal.txt'])io = remote('chal-lessequalmore.chal.hitconctf.com', ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2023/07/31/tfc2023/" title="TFC CTF 2023 - INJ">TFC CTF 2023 - INJ</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-07-31T03:39:13.000Z" title="Created 2023-07-31 11:39:13">2023-07-31</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/CTF/">CTF</a></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/writeup/">writeup</a></span></div><div class="content">上去看的时候队里的其他师傅已经把PWN写的只剩一题了,然后就半摆烂地把PWN最后那道INJ写了,最后也是被队里的大佬们带飞拿了第一
题目的沙箱
利用shellcode切换至32位进行ORB,需要注意的是远程open返回的文件描述符可能不是3,需要用 mov ebx, eax 来设置read的fd
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081#!/usr/bin/python2from pwn import *context.binary = 'inj'sd = lambda x : io.send(x)sa = lambda a, b : io.sendafter(a, b)def pwn(ch): global io glob ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2023/07/21/dfjk2023/" title="巅峰极客 2023 初赛">巅峰极客 2023 初赛</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-07-21T10:49:34.000Z" title="Created 2023-07-21 18:49:34">2023-07-21</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/CTF/">CTF</a></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/writeup/">writeup</a></span></div><div class="content">赛后半小时出题,我是傻逼。
PWNlinkmap将got表上的指针写到bss段上,然后部分写 read 的函数指针为 write ,需要爆破一个16进制数位
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899#!/usr/bin/python2from pwn import *context.binary = 'ezzzz'elf = ELF('ezzzz', checksec = False)libc = ELF('libc.so.6', checksec = False)rc = lambda n : io.recv(n)sd = lambda x ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2023/07/17/hws2023summer/" title="HWS2023夏令营选拔赛">HWS2023夏令营选拔赛</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-07-17T14:28:54.000Z" title="Created 2023-07-17 22:28:54">2023-07-17</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/CTF/">CTF</a></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/writeup/">writeup</a><span class="article-meta-link">•</span><a class="article-meta__tags" href="/tags/HWS/">HWS</a></span></div><div class="content">AK了PWN,一个2血+一个3血
PWNfmt格串
12345678910111213141516171819202122232425262728293031323334353637383940#!/usr/bin/python2from pwn import *context.binary = 'fmt'libc = ELF('libc.so.6', checksec = False)io = remote('60.204.140.184', 30137)ru = lambda x : io.recvuntil(x, drop = True)sla = lambda a, b : io.sendlineafter(a, b)ia = lambda : io.interactive()uu64 = lambda x : u64(x.ljust(8, '\x00'))lib ...</div></div></div><nav id="pagination"><div class="pagination"><span class="page-number current">1</span><a class="page-number" href="/page/2/#content-inner">2</a><a class="extend next" rel="next" href="/page/2/#content-inner"><i class="fas fa-chevron-right fa-fw"></i></a></div></nav></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="is-center"><div class="avatar-img"><img src="/img/1.jpg" onerror="this.onerror=null;this.src='/img/friend_404.gif'" alt="avatar"/></div><div class="author-info__name">133NSON</div><div class="author-info__description"></div></div><div class="card-info-data site-data is-center"><a href="/archives/"><div class="headline">Articles</div><div class="length-num">20</div></a><a href="/tags/"><div class="headline">Tags</div><div class="length-num">11</div></a><a href="/categories/"><div class="headline">Categories</div><div class="length-num">1</div></a></div><div class="card-info-social-icons is-center"><a class="social-icon" href="mailto:[email protected]" target="_blank" title="Email"><i class="fas fa-envelope"></i></a></div></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn fa-shake"></i><span>Announcement</span></div><div class="announcement_content">Welcome to contact me via email~</div></div><div class="sticky_layout"><div class="card-widget card-recent-post"><div class="item-headline"><i class="fas fa-history"></i><span>Recent Post</span></div><div class="aside-list"><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/2023/11/17/blackhatmea2023/" 
title="BlackHat MEA 2023 - vec">BlackHat MEA 2023 - vec</a><time datetime="2023-11-17T11:18:26.000Z" title="Created 2023-11-17 19:18:26">2023-11-17</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/2023/11/06/tsg2023/" title="TSG CTF 2023">TSG CTF 2023</a><time datetime="2023-11-06T02:21:04.000Z" title="Created 2023-11-06 10:21:04">2023-11-06</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/2023/11/01/SEETF2023/" title="SEETF 2023 PWN">SEETF 2023 PWN</a><time datetime="2023-11-01T05:08:30.000Z" title="Created 2023-11-01 13:08:30">2023-11-01</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/2023/10/16/MapleCTF2023/" title="MapleCTF 2023 lost-in-space">MapleCTF 2023 lost-in-space</a><time datetime="2023-10-16T02:32:13.000Z" title="Created 2023-10-16 10:32:13">2023-10-16</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/2023/10/16/xsb2023/" title="香山杯 2023 PWN">香山杯 2023 PWN</a><time datetime="2023-10-16T02:13:06.000Z" title="Created 2023-10-16 10:13:06">2023-10-16</time></div></div></div></div><div class="card-widget card-categories"><div class="item-headline">
<i class="fas fa-folder-open"></i>
<span>Categories</span>
</div>
<ul class="card-category-list" id="aside-cat-list">
<li class="card-category-list-item "><a class="card-category-list-link" href="/categories/CTF/"><span class="card-category-list-name">CTF</span><span class="card-category-list-count">12</span></a></li>
</ul></div><div class="card-widget card-tags"><div class="item-headline"><i class="fas fa-tags"></i><span>Tags</span></div><div class="card-tag-cloud"><a href="/tags/DASCTF/" style="font-size: 1.3em; color: rgb(10, 138, 49)">DASCTF</a><a href="/tags/writeup/" style="font-size: 1.45em; color: rgb(185, 36, 140)">writeup</a><a href="/tags/VNCTF/" style="font-size: 1.15em; color: rgb(15, 132, 109)">VNCTF</a><a href="/tags/MapleCTF/" style="font-size: 1.15em; color: rgb(70, 181, 23)">MapleCTF</a><a href="/tags/BlackHat/" style="font-size: 1.15em; color: rgb(49, 101, 192)">BlackHat</a><a href="/tags/SEETF/" style="font-size: 1.15em; color: rgb(131, 25, 19)">SEETF</a><a href="/tags/CISCN/" style="font-size: 1.3em; color: rgb(112, 78, 142)">CISCN</a><a href="/tags/life/" style="font-size: 1.3em; color: rgb(88, 191, 154)">life</a><a href="/tags/HITCON/" style="font-size: 1.15em; color: rgb(135, 46, 192)">HITCON</a><a href="/tags/HWS/" style="font-size: 1.15em; color: rgb(9, 79, 75)">HWS</a><a href="/tags/TSG-CTF/" style="font-size: 1.15em; color: rgb(153, 116, 73)">TSG CTF</a></div></div><div class="card-widget card-archives"><div class="item-headline"><i class="fas fa-archive"></i><span>Archives</span></div><ul class="card-archive-list"><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/11/"><span class="card-archive-list-date">November 2023</span><span class="card-archive-list-count">3</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/10/"><span class="card-archive-list-date">October 2023</span><span class="card-archive-list-count">3</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/09/"><span class="card-archive-list-date">September 2023</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/07/"><span 
class="card-archive-list-date">July 2023</span><span class="card-archive-list-count">3</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/06/"><span class="card-archive-list-date">June 2023</span><span class="card-archive-list-count">2</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/05/"><span class="card-archive-list-date">May 2023</span><span class="card-archive-list-count">2</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/04/"><span class="card-archive-list-date">April 2023</span><span class="card-archive-list-count">6</span></a></li></ul></div><div class="card-widget card-webinfo"><div class="item-headline"><i class="fas fa-chart-line"></i><span>Info</span></div><div class="webinfo"><div class="webinfo-item"><div class="item-name">Article :</div><div class="item-count">20</div></div><div class="webinfo-item"><div class="item-name">Run time :</div><div class="item-count" id="runtimeshow" data-publishDate="2023-04-04T16:00:00.000Z"><i class="fa-solid fa-spinner fa-spin"></i></div></div><div class="webinfo-item"><div class="item-name">Last Push :</div><div class="item-count" id="last-push-date" data-lastPushDate="2023-11-18T05:00:29.057Z"><i class="fa-solid fa-spinner fa-spin"></i></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">©2023 By 133NSON</div><div class="framework-info"><span>Framework </span><a target="_blank" rel="noopener" href="https://hexo.io">Hexo</a><span class="footer-separator">|</span><span>Theme </span><a target="_blank" rel="noopener" href="https://github.com/jerryc127/hexo-theme-butterfly">Butterfly</a></div><div class="footer_custom_text">The sky above the port was the color of television, tuned to a dead channel.</div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="translateLink" 
type="button" title="Switch Between Traditional Chinese And Simplified Chinese">繁</button><button id="darkmode" type="button" title="Switch Between Light And Dark Mode"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="Toggle between single-column and double-column"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="Setting"><i class="fas fa-cog fa-spin"></i></button><button id="go-up" type="button" title="Back To Top"><span class="scroll-percent"></span><i class="fas fa-arrow-up"></i></button></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><script src="/js/tw_cn.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox/fancybox.umd.min.js"></script><div class="js-pjax"><script>window.typedJSFn = {
// Start the looping typewriter effect on #subtitle with the given strings.
init: (str) => {
  const typedOptions = Object.assign({
    strings: str,
    startDelay: 300,
    typeSpeed: 150,
    loop: true,
    backSpeed: 50
  }, null)
  window.typed = new Typed('#subtitle', typedOptions)
},
// Call `subtitleType` at once when Typed is already defined; otherwise load
// typed.js first. The URL names no package version and goes through
// getScript, so the file executed is whatever the CDN serves at load time.
run: (subtitleType) => {
  if (typeof Typed === 'function') {
    subtitleType()
    return
  }
  getScript('https://cdn.jsdelivr.net/npm/typed.js/lib/typed.min.js').then(subtitleType)
}
}
</script><script>function subtitleType () {
// The subtitle strings are fixed literals baked into the page. The innerHTML
// assignment in the other branch also writes only a constant string.
const subtitleLines = ["苍い风の中で","キミがいる","眠れない悲しい夜なら","届かない恋","あなたを想いたい"]
if (true) {
  typedJSFn.init(subtitleLines)
} else {
  document.getElementById("subtitle").innerHTML = '苍い风の中で'
}
}
typedJSFn.run(subtitleType)</script></div><div id="algolia-search"><div class="search-dialog"><nav class="search-nav"><span class="search-dialog-title">Search</span><button class="search-close-button"><i class="fas fa-times"></i></button></nav><div class="search-wrap"><div id="algolia-search-input"></div><hr/><div id="algolia-search-results"><div id="algolia-hits"></div><div id="algolia-pagination"></div><div id="algolia-info"><div class="algolia-stats"></div><div class="algolia-poweredBy"></div></div></div></div></div><div id="search-mask"></div><script src="https://cdn.jsdelivr.net/npm/algoliasearch/dist/algoliasearch-lite.umd.min.js"></script><script src="https://cdn.jsdelivr.net/npm/instantsearch.js/dist/instantsearch.production.min.js"></script><script src="/js/search/algolia.js"></script></div></div></body></html>