# [Security Practice] Pwn
## What is Pwn?
Finding a vulnerability in a program, taking shell control of the server, and from there reading or modifying its data.
## pwntools
A Python-based toolkit for pwning.
### [Python programming language](https://hackmd.io/@hyu/ryLkaDOHF)
### The remote() function
```py
conn = remote("IP address", port)   # conn is whatever name you give the connection object
```
### Common pwntools functions
```py=
from pwn import *
r = remote('xxx.com', <port>)        # open a TCP connection to host:port
print(r.recvuntil(b'').decode())     # read until the given byte string appears
r.sendline(b'')                      # send the bytes followed by a newline
print(r.recvline().decode())         # read one line (the newline is kept)
r.close()
```
## PPC_Ez write-ups
### Note
Don't try to brute-force these; you will never get through them (lol).
PPC challenges also have a time limit, so brute force is useless.
### hello world 50
Just nc to it and the flag pops out owo
### count 50
[Challenge]
```
===== Welcome to counting game =====
You just need to count from 1 to 100 and get the flag
I will help you, just repeat after me
----- wave 1/100 -----
I say 1 you say?
```
When you type a reply, the next wave follows:
```
----- wave 2/100 -----
I say 2 you say?
```
Once the pattern is clear, the script is:
```python=
from pwn import *
r = remote('120.114.62.209', 2403)
r.recvlines(3)                      # skip the three banner lines
for i in range(100):
    r.recvline()                    # '----- wave i/100 -----'
    l = r.recvline().split()        # b'I say 1 you say?' -> [b'I', b'say', b'1', b'you', b'say?']
    r.sendline(l[2])                # echo the number back
r.interactive()
r.close()
```
CTF{gOOD4tMatHYOUarE}
### calendar 50
[Challenge]
```
===== Welcome to Calendar Calculator =====
Can you help me determine which year is leap year in Gregorian Calendar?
According to Wikipedia : Every year that is exactly divisible by four is a leap year, except for years that are exactly divisible by 100, but these centurial years are leap years if they are exactly divisible by 400. For example, the years 1700, 1800, and 1900 are not leap years, but the years 1600 and 2000 are.
----- Example -----
year : 2019
answer : ordinary
----- Example -----
year : 2020
answer : leap
----- wave 1/100 -----
year : 1676 #random number
answer :
```
If the given year is a common year, answer ordinary; if it is a leap year, answer leap.
The code:
```python=
from pwn import *
r = remote('120.114.62.209', 2402)
r.recvlines(9)                      # banner, the rule text and the two examples
for i in range(100):
    r.recvline()                    # '----- wave i/100 -----'
    l = r.recvline().split()        # b'year : 1676' -> [b'year', b':', b'1676']
    n = int(l[2])
    if (n % 4 == 0 and n % 100 != 0):
        r.sendline(b'leap')
    elif (n % 400 == 0):
        r.sendline(b'leap')
    else:
        r.sendline(b'ordinary')
r.interactive()
r.close()
```
CTF{2O20HapPY1e4pYE4r!!!}
### beautify 50
[Challenge]
Rule 1: replace every '-' and '_' with ' '
Rule 2: convert every letter to lower case
```
===== Welcome to pretty shop =====
Can you help me beautify these sentences?
Rule 1 : change all ' -_' to ' '
Rule 2 : change all alphabet to lower case
----- Example -----
sentence : ThiS-iS_tEst tRY to BeautIfY_mE
answer : this is test try to beautify me
----- Now You Turn -----
sentence : dEFeat_cigaReTtE-payMeNT_NECK_iNNocEnt_giFT_coNTEMPt_dip-HANd-traP miSs-cONfRONTATIOn_QUainT_PeN_reFEreE #random
answer :
```
The code:
```python=
from pwn import *
r = remote('120.114.62.209', 2401)
r.recvlines(8)                      # banner, rules and the example
r.recvuntil(b': ')                  # up to 'sentence : '
s = ""
for j in r.recvline(keepends=False):    # iterate the bytes without the trailing newline
    n = chr(j)
    if (n == '-' or n == '_'):
        s += ' '
    else:
        s += n.lower()
r.sendline(s.encode())
r.interactive()
r.close()
```
CTF{NoWYoUKNoWhOWt0STRinG}
### 3rd 50
```python=
from pwn import *
r = remote('120.114.62.204', 2400)
r.recvlines(7)
r.recvuntil(b': ')
l = r.recvline().split()            # the numbers on the prompt line, still as bytes
n = sorted(l, key=int, reverse=True)    # sort numerically; a plain byte sort would put b'9' above b'10'
r.sendline(n[2])                    # the third largest
r.interactive()
r.close()
```
CTF{yoUaReInth33RdpL4c3}
### money 50
```
===== Welcome to money game =====
Can you help me calculate bank interest
Give you total amount of money (will be multiple of 100) and annual interest rate
Give me the total amount of money I will have next year
----- Example -----
money : 10000
interest : 5%
answer : 10500
----- wave 1/100 -----
money : 748800 #random
interest : 54% #random
answer :
```
```python=
from pwn import *
r = remote('120.114.62.204', 2407)
r.recvlines(8)                      # banner and the example
for i in range(100):
    r.recvline()                    # '----- wave i/100 -----'
    r.recvuntil(b': ')              # 'money : '
    m = int(r.recvline())
    r.recvuntil(b': ')              # 'interest : '
    rate = int(r.recvline()[:-2])   # drop the trailing '%\n'
    a = str(m + (m * rate // 100))
    r.sendline(a.encode())
r.interactive()
r.close()
```
CTF{mAk3kAohsIUNgFoRTuN3}
Note: because r.recvline() also captures the newline character, one extra character has to be cut off after the '%'.
### temperature 200
```
===== Welcome =====
I need you to transform from Fahrenheit to Celsius
----- wave : example -----
Fahrenheit : 10 (guarantee to be integer)
Celsius : -110/9
----- wave : 1/100 -----
Fahrenheit : -86 #random
Celsius :
```
```python=
from pwn import *
r = remote('120.114.62.204', 5127)
r.recvlines(5)                      # banner and the example
for i in range(100):
    r.recvline()                    # '----- wave : i/100 -----'
    r.recvuntil(b': ')              # 'Fahrenheit : '
    s = ''
    s += str((int(r.recvline()) - 32) * 5)    # numerator of (F - 32) * 5 / 9
    s += '/9'                                 # left unreduced, exactly like the example
    r.sendline(s.encode())
r.interactive()
r.close()
```
MyFirstCTF{h4rRy potTer anD tHe phiL0sOph3r's TeMper4tuRe}
### lambda 200
```
===== Welcome to lambda =====
give you x, help us calculate f(x)
here is some functions f
f0(x) = 3x^2 + x + 3
f1(x) = 5x^2 + 8
f2(x) = 4x^3 + 6x + 6
f3(x) = 7x^3 + 5x^2
f4(x) = x^2 + 4x + 3
----- wave : example -----
function : 1
x = 2
f(x) = 28
----- wave : 1/100 -----
function : 4 #random
x = 541 #random
```
The input line is blank, so I guessed you might have to type 'f(x) = ' yourself
(in practice it turned out not to be necessary)
```python=
from pwn import *
r = remote('xxx.com', <port>)       # host and port for this one are not recorded in the write-up
r.recvlines(12)                     # banner, the five function definitions and the example
for i in range(100):
    r.recvline()                    # '----- wave : i/100 -----'
    r.recvuntil(b': ')              # 'function : '
    f = int(r.recvline())
    r.recvuntil(b'= ')              # 'x = '
    x = int(r.recvline())
    fx = 0
    if (f == 0):
        fx = 3 * pow(x, 2) + x + 3
    elif (f == 1):
        fx = 5 * pow(x, 2) + 8
    elif (f == 2):
        fx = 4 * pow(x, 3) + 6 * x + 6
    elif (f == 3):
        fx = 7 * pow(x, 3) + 5 * pow(x, 2)
    elif (f == 4):
        fx = pow(x, 2) + 4 * x + 3
    r.sendline(str(fx).encode())
r.interactive()
r.close()
```
MyFirstCTF{R0gUe on3 - A st4r wARs LamBd4}
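The same 100-wave loop appears in count, calendar, money, temperature and lambda, and the money note above shows the usual trap: recvline() keeps the newline (and the '%'). Below is an added example, not from the original write-up, that pulls the prompt parsing and the answer rules out of the tube so they can be checked offline; FakeTube is a constructed stand-in for a pwntools remote() and the scripted lines are constructed test data.

```python
def field(line: bytes) -> str:
    """Value part of a 'name : value' or 'name = value' prompt line.
    Drops a trailing '#...' note (as in the transcripts above), the '%'
    of the interest rate and the newline that recvline() keeps."""
    text = line.decode().split('#', 1)[0]
    sep = ':' if ':' in text else '='
    return text.split(sep, 1)[1].strip().rstrip('%')

def leap(year: int) -> str:
    """Gregorian rule quoted by the calendar challenge."""
    is_leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
    return 'leap' if is_leap else 'ordinary'

def interest(money: int, rate: int) -> int:
    """money game: the amount after one year (money is a multiple of 100)."""
    return money + money * rate // 100

def celsius(fahrenheit: int) -> str:
    """temperature: (F - 32) * 5 / 9 as an unreduced fraction, like the example."""
    return f'{(fahrenheit - 32) * 5}/9'

# lambda: f0 .. f4 exactly as listed in the challenge banner
POLY = [lambda x: 3 * x**2 + x + 3, lambda x: 5 * x**2 + 8,
        lambda x: 4 * x**3 + 6 * x + 6, lambda x: 7 * x**3 + 5 * x**2,
        lambda x: x**2 + 4 * x + 3]

def play(io, waves: int, prompts: int, answer) -> list:
    """Run the wave loop on anything with recvline()/sendline() (a pwntools
    tube or FakeTube): skip the header, read `prompts` value lines, send the
    answer as bytes. Returns the replies that were sent."""
    sent = []
    for _ in range(waves):
        io.recvline()                        # '----- wave i/100 -----' (prefixed by 'answer : ' after wave 1)
        values = [field(io.recvline()) for _ in range(prompts)]
        reply = str(answer(values)).encode()
        io.sendline(reply)
        sent.append(reply)
    return sent

class FakeTube:
    """Constructed stand-in for remote(): serves scripted lines, ignores sends."""
    def __init__(self, lines): self.lines = list(lines)
    def recvline(self): return self.lines.pop(0)
    def sendline(self, data): pass

if __name__ == '__main__':                  # offline run against two money-game waves
    tube = FakeTube([b'----- wave 1/2 -----\n', b'money : 748800 #random\n',
                     b'interest : 54% #random\n', b'answer : ----- wave 2/2 -----\n',
                     b'money : 10000\n', b'interest : 5%\n'])
    print(play(tube, 2, 2, lambda v: interest(int(v[0]), int(v[1]))))
```

Against the live service the same call is `play(r, 100, 2, ...)` after `r.recvlines(8)`, with `r` from `remote()`.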
###### tags: `Security`