pwnable.kr-random

Challenge description: Daddy, teach me how to use random value in programming! ssh [email protected] -p2222 (pw:guest)

The code of random.c is:

The code is simple. At first I thought the idea was to overflow key and overwrite the value of random, but after debugging I found that the number produced by random() is the same on every run: the code in this challenge never sets a random seed, so the first number generated is always the same. That first number is 0x6b8b4567. The final check requires (key ^ random) == 0xdeadbeef, so key must be 0xdeadbeef ^ 0x6b8b4567 = 3039230856. Entering it gives the flag:

[email protected]:~$ ./random
3039230856
Good!
Mommy, I thought libc random is unpredictable…

So the flag is: Mommy, I thought libc random is unpredictable…

pwnable.kr-passcode

Again, the challenge description: Mommy told me to make a passcode based login system. My initial C code was compiled without any error! Well, there was some compiler warning, but who cares about that? ssh [email protected] -p2222 (pw:guest)

After connecting, the directory contains the C source and the executable. First, check which protections the program was built with:

gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial

The canary is enabled here, so we can only make use of a single arbitrary memory write and cannot get there by writing shellcode […]

pwnable.kr-flag

Challenge description: Papa brought me a packed present! let’s open it. Download : http://pwnable.kr/bin/flag This is reversing task. all you need is binary

After downloading, run file on it:

➜ Desktop file flag
flag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped

It is a 64-bit ELF. I dragged it straight into IDA and saw only three functions, and the binary would not open normally, so my guess was that it was packed. Poking around inside it, I found the upx keyword, so I unpacked it right away with upx -d flag. Loading it into IDA again, the code is simple: malloc allocates a 100LL buffer and the flag is copied into it. Looking directly at the value of flag shows the flag itself: UPX…? sounds like a delivery service 🙂

pwnable.kr-bof

First, the challenge description again: Nana told me that buffer overflow is one of the most common software vulnerability. Is that true? Download : http://pwnable.kr/bin/bof Download : http://pwnable.kr/bin/bof.c Running at : nc pwnable.kr 9000

We are given the C source and the compiled ELF. The C source is:

Clearly, as the comment says, the stack overflow happens at the gets call and overwrites key with 0xcafebabe, so the next step is to work out the distance between key and overflowme. When I first saw the provided ELF I thought it was useless, since the C source was given and we could compile it ourselves. Now I know that once compiled, the variable addresses are relatively fixed. Opening the ELF in IDA, key is at [bp+8h] and overflowme is at [bp-2Ch], a difference of 8h+2Ch=52, so we pad with 52 characters and then follow with cafebabe. The final payload is:

(python -c "print 'a'*52 + '\xbe\xba\xfe\xca'";cat -) | nc pwnable.kr 9000

This gives a shell directly; then read the flag file:

ls -al
total 16512
drwxr-x---  3 root bof      4096 Sep 10  […]

pwnable.kr-col

First, the challenge description: Daddy told me about cool MD5 hash collision today. I wanna do something like that too! ssh [email protected] -p2222 (pw:guest)

Look at the files:

[email protected]:~$ ls -al
total 32
drwxr-x---  4 root col  4096 Aug 20  2014 .
dr-xr-xr-x 66 root root 4096 Jul  1 02:14 ..
d---------  2 root root 4096 Jun 12  2014 .bash_history
-r-sr-x---  […]

pwnable.kr-fd

Challenge description: Mommy! what is a file descriptor in Linux? ssh [email protected] -p2222 (pw:guest)

After connecting, check the files:

[email protected]:~$ ls -al
total 36
drwxr-x---  4 root fd   4096 Jul  1 02:36 .
dr-xr-xr-x 66 root root 4096 Jul  1 02:14 ..
d---------  2 root root 4096 Jun 12  2014 .bash_history
-r-sr-x---  1 fd2  fd   7322 Jun 11  2014 fd […]