From a55becf22617b6f75195a8cf5b22b054a292ae67 Mon Sep 17 00:00:00 2001 From: firmianay Date: Tue, 26 Dec 2017 13:37:26 +0800 Subject: [PATCH] add 6.1.9 --- README.md | 1 + SUMMARY.md | 1 + doc/6.1.9_rhme3_exploitation.md | 22 ++++++++++++++++++ doc/6_writeup.md | 1 + src/writeup/6.1.9_rhme3_exploitation/main.elf | Bin 0 -> 19560 bytes 5 files changed, 25 insertions(+) create mode 100644 doc/6.1.9_rhme3_exploitation.md create mode 100644 src/writeup/6.1.9_rhme3_exploitation/main.elf diff --git a/README.md b/README.md index 54413b6..a1cad69 100644 --- a/README.md +++ b/README.md @@ -107,6 +107,7 @@ - [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md) - [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md) - [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md) + - [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md) - re - [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) - [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) diff --git a/SUMMARY.md b/SUMMARY.md index ca11297..6fdd15c 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -97,6 +97,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md) * [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md) * [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md) + * [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md) * re * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) diff --git a/doc/6.1.9_rhme3_exploitation.md b/doc/6.1.9_rhme3_exploitation.md new file mode 100644 index 0000000..05f9886 --- /dev/null +++ b/doc/6.1.9_rhme3_exploitation.md 
@@ -0,0 +1,22 @@ +# 6.1.9 pwn RHme3 Exploitation + +- [题目解析](#题目解析) +- [参考资料](#参考资料) + + +[下载文件](../src/writeup/6.1.9_rhme3_exploitation) + +## 题目解析 +``` +$ file main.elf +main.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec9db5ec0b8ad99b3b9b1b3b57e5536d1c615c8e, not stripped +``` +``` +$ checksec -f main.elf +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.elf +``` + + +## 参考资料 +- [Exploitation](https://ctftime.org/task/4528) diff --git a/doc/6_writeup.md b/doc/6_writeup.md index f806ebe..36c00f6 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md @@ -9,6 +9,7 @@ - [6.1.6 pwn DefconCTF2015 fuckup](6.1.6_pwn_defconctf2015_fuckup.md) - [6.1.7 pwn 0CTF2015 freenote](6.1.7_pwn_0ctf2015_freenote.md) - [6.1.8 pwn DCTF2017 Flex](6.1.8_pwn_dctf2017_flex.md) + - [6.1.9 pwn RHme3 Exploitation](6.1.9_rhme3_exploitation.md) - re - [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md) - [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) 
diff --git a/src/writeup/6.1.9_rhme3_exploitation/main.elf b/src/writeup/6.1.9_rhme3_exploitation/main.elf new file mode 100644 index 0000000000000000000000000000000000000000..a0c1d763c3325f03c41bd607dfc526369ee93aa4 GIT binary patch literal 19560
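Review bot: The new index entry added in README.md, SUMMARY.md and doc/6_writeup.md points to `6.1.9_rhme3_exploitation.md`, which drops the `pwn_` category prefix that the neighbouring entries carry (`6.1.7_pwn_0ctf2015_freenote.md`, `6.1.8_pwn_dctf2017_flex.md`). Rename the document to `6.1.9_pwn_rhme3_exploitation.md` and update the three links, so the file names keep matching the section they are listed under.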
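Review bot: In doc/6.1.9_rhme3_exploitation.md the 题目解析 section ends right after the `file` and `checksec` output, so the page is linked from three indexes while containing no analysis. Add at least a short paragraph stating what the output establishes (Partial RELRO, canary found, NX enabled, No PIE, Fortified 0 of Fortifiable 10), or mark the entry as unfinished in the indexes until the write-up lands. Two smaller points in the same hunk: the `## 题目解析` heading is followed directly by the opening fence with no blank line, and neither fence carries a language tag.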
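Review bot: src/writeup/6.1.9_rhme3_exploitation/main.elf is added as a 19560-byte binary, and nothing in the patch lets a reader check the committed file against the original challenge binary. Record its origin and a SHA-256 of the file next to the 下载文件 link in doc/6.1.9_rhme3_exploitation.md. The BuildID shown in the `file` output identifies the build but is not a hash of the file, so it does not serve as an integrity check.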