-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlocal-search.xml
88 lines (42 loc) · 6.86 KB
/
local-search.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>西湖论剑2023-决赛复现</title>
<link href="/2023/04/29/%E8%A5%BF%E6%B9%96%E8%AE%BA%E5%89%912023-%E5%86%B3%E8%B5%9B%E5%A4%8D%E7%8E%B0/"/>
<url>/2023/04/29/%E8%A5%BF%E6%B9%96%E8%AE%BA%E5%89%912023-%E5%86%B3%E8%B5%9B%E5%A4%8D%E7%8E%B0/</url>
<content type="html"><![CDATA[<h1 id="西湖论剑决赛-2023"><a href="#西湖论剑决赛-2023" class="headerlink" title="西湖论剑决赛 2023"></a>西湖论剑决赛 2023</h1><span id="more"></span><blockquote><p>本届西湖论剑比赛延续了在IoT真实硬件设备上进行解题的竞赛风格,采用了 AWD 攻防赛模式,比赛期间为每个参赛队伍提供一个海特开源路由设备(HatLab Gateboard-One)作为靶标环境。该设备预设若干系统漏洞,参赛队伍可利用不同漏洞对其他队伍得设备发起攻击以获得分数,同时对该设备进行加固防护,避免被其他参赛队伍攻击成功而丢失分数。<br>比赛提供了四份固件(其中一份是备份固件,比赛时暂未放出),每个固件提供了若干道赛题,下面是各个固件的赛题WriteUp。</p></blockquote><h2 id="一号固件"><a href="#一号固件" class="headerlink" title="一号固件"></a>一号固件</h2><h3 id="easybluetooth"><a href="#easybluetooth" class="headerlink" title="easybluetooth"></a>easybluetooth</h3><p>蓝牙连接工具可以使用<code>ble-serial</code>。</p><blockquote><p><a href="https://github.com/Jakeler/ble-serial">https://github.com/Jakeler/ble-serial</a></p></blockquote><p>通过<code>ble-scan</code>扫描周围蓝牙设备,带有HZCSSC的就是目标设备。然后用<code>ble-serial -d</code>进行连接,连接之后会将蓝牙串口映射到本地</p>]]></content>
<categories>
<category>CTF</category>
<category>PWN</category>
</categories>
<tags>
<tag>复现</tag>
</tags>
</entry>
<entry>
<title>DASCTF-2023-4月赛</title>
<link href="/2023/04/26/DASCTF-2023-4%E6%9C%88%E8%B5%9B/"/>
<url>/2023/04/26/DASCTF-2023-4%E6%9C%88%E8%B5%9B/</url>
<content type="html"><![CDATA[<h1 id="DASCTF-2023-四月赛"><a href="#DASCTF-2023-四月赛" class="headerlink" title="DASCTF 2023 四月赛"></a>DASCTF 2023 四月赛</h1><span id="more"></span><h2 id="PWN"><a href="#PWN" class="headerlink" title="PWN"></a>PWN</h2><h3 id="four"><a href="#four" class="headerlink" title="four"></a>four</h3><p>逆向过程不多赘述,官方WP写的很清晰了。</p><h4 id="漏洞点"><a href="#漏洞点" class="headerlink" title="漏洞点"></a>漏洞点</h4><p>主要就是一个可以控制三个参数的<code>read</code><br><img src="/2023/04/26/DASCTF-2023-4%E6%9C%88%E8%B5%9B/image-20230426153056822.png"><br>以及这个<code>open</code><br><img src="/2023/04/26/DASCTF-2023-4%E6%9C%88%E8%B5%9B/image-20230426153158193.png"></p><h4 id="利用"><a href="#利用" class="headerlink" title="利用"></a>利用</h4><h5 id="覆盖"><a href="#覆盖" class="headerlink" title="覆盖"></a>覆盖</h5><p>在此处可以写入大量<code>flag</code>字符串,来让open是打开的就是flag</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs python">p.recvuntil(<span class="hljs-string">b"You can give any value, trust me, there will be no overflow"</span>)<br>p.sendline(<span class="hljs-built_in">str</span>(<span class="hljs-number">0x5f04</span>))<br>p.recvuntil(<span class="hljs-string">b"Actually, this function doesn't seem to be useful"</span>)<br>p.sendline(<span class="hljs-string">b"aa"</span> + <span class="hljs-string">b"flag\x00"</span> * <span class="hljs-number">0x1300</span>)<br>p.recvuntil(<span class="hljs-string">"Really?"</span>)<br>p.send(<span class="hljs-string">"n"</span>)<br></code></pre></td></tr></table></figure><p><img src="/2023/04/26/DASCTF-2023-4%E6%9C%88%E8%B5%9B/image-20230426154457318.png"></p><p>传入后</p><p><img src="/2023/04/26/DASCTF-2023-4%E6%9C%88%E8%B5%9B/image-20230426154542414.png"></p><h5 id="打开"><a href="#打开" class="headerlink" title="打开"></a>打开</h5><p>再使用open<br><img src="/2023/04/26/DASCTF-2023-4%E6%9C%88%E8%B5%9B/image-20230426154825175.png"><br>可以看到未初始化的open参数变成了<code>flag</code>,算一下差值,可以看到是<code>0x5de0</code>是小于传入的<code>0x5f04</code>,所以栈空间发生了重叠。</p><h5 id="读取"><a href="#读取" class="headerlink" title="读取"></a>读取</h5><p>来到可控read的部分<br>传入payload</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs python">payload = <span class="hljs-string">b"~3>:"</span>+<span class="hljs-string">b"\x60\x21\x21"</span>+<span class="hljs-string">b">"</span>+<span class="hljs-string">b"@a*>"</span><br></code></pre></td></tr></table></figure><p>就把<code>flag</code>读到了<code>bss</code>段上。<br><img src="/2023/04/26/DASCTF-2023-4%E6%9C%88%E8%B5%9B/image-20230426155133407.png"></p><p><img src="/2023/04/26/DASCTF-2023-4%E6%9C%88%E8%B5%9B/image-20230426155219650.png"></p><h5 id="获取flag"><a href="#获取flag" class="headerlink" title="获取flag"></a>获取flag</h5><p>此时再去触发<code>__stack_chk_fail</code></p><p><img src="/2023/04/26/DASCTF-2023-4%E6%9C%88%E8%B5%9B/image-20230426155343242.png"></p><p><img src="/2023/04/26/DASCTF-2023-4%E6%9C%88%E8%B5%9B/image-20230426155443393.png"></p><p>就可以获取flag啦</p><p><img src="/2023/04/26/DASCTF-2023-4%E6%9C%88%E8%B5%9B/image-20230426155528963.png"></p>]]></content>
<categories>
<category>CTF</category>
<category>PWN</category>
</categories>
<tags>
<tag>复现</tag>
</tags>
</entry>
<entry>
<title>CTF-PWN一些题目的随记</title>
<link href="/2023/04/19/test-blog/"/>
<url>/2023/04/19/test-blog/</url>
<content type="html"><![CDATA[<blockquote><p>记录一些知识点,需要的时候回来看看</p></blockquote><span id="more"></span><h3 id="NSSCTF-Round9"><a href="#NSSCTF-Round9" class="headerlink" title="NSSCTF Round9"></a>NSSCTF Round9</h3><h4 id="MyMem"><a href="#MyMem" class="headerlink" title="MyMem"></a>MyMem</h4>]]></content>
<categories>
<category>CTF</category>
<category>PWN</category>
</categories>
<tags>
<tag>随记</tag>
</tags>
</entry>
</search>