mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
big change
This commit is contained in:
parent
16a73d2286
commit
f4d7e24a24
18
README.md
18
README.md
@ -67,12 +67,16 @@
|
|||||||
- [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
|
- [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
|
||||||
|
|
||||||
- [六、题解篇](doc/6_writeup.md)
|
- [六、题解篇](doc/6_writeup.md)
|
||||||
- [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
|
- pwn
|
||||||
- [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md)
|
- [6.1.1 pwn HCTF2016 brop](doc/6.1.1_pwn_hctf2016_brop.md)
|
||||||
- [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md)
|
- [6.1.2 pwn NJCTF2017 pingme](doc/6.1.2_pwn_njctf2017_pingme.md)
|
||||||
- [6.4 pwn njctf2017 233](doc/6.4_pwn_njctf2017_233.md)
|
- [6.1.3 pwn XDCTF2015 pwn200](doc/6.1.3_pwn_xdctf2015_pwn200.md)
|
||||||
- [6.5 pwn 0ctf2015 freenote](doc/6.5_pwn_0ctf2015_freenote.md)
|
- [6.1.4 pwn BackdoorCTF2017 Fun-Signals](doc/6.1.4_pwn_backdoorctf2017_fun_signals.md)
|
||||||
- [6.6 re xhpctf2017 dont_panic](doc/6.6_re_xhpctf2017_dont_panic.md)
|
- [6.1.5 pwn GreHackCTF2017 beerfighter](doc/6.1.5_pwn_grehackctf2017_beerfighter.md)
|
||||||
|
- [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md)
|
||||||
|
- [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md)
|
||||||
|
- re
|
||||||
|
- [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||||
|
|
||||||
- [七、附录](doc/7_appendix.md)
|
- [七、附录](doc/7_appendix.md)
|
||||||
- [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
- [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
||||||
@ -80,7 +84,7 @@
|
|||||||
- [7.3 更多资源](doc/7.3_books&blogs.md)
|
- [7.3 更多资源](doc/7.3_books&blogs.md)
|
||||||
- [7.4 习题 write-up](doc/7.4_writeup.md)
|
- [7.4 习题 write-up](doc/7.4_writeup.md)
|
||||||
- [7.5 Linux x86-64 系统调用表](doc/7.5_syscall.md)
|
- [7.5 Linux x86-64 系统调用表](doc/7.5_syscall.md)
|
||||||
- [7.6 PPT](doc/7.6_ppt.md)
|
- [7.6 幻灯片](doc/7.6_slides.md)
|
||||||
|
|
||||||
|
|
||||||
合作和贡献
|
合作和贡献
|
||||||
|
18
SUMMARY.md
18
SUMMARY.md
@ -63,16 +63,20 @@
|
|||||||
* [5.6 LLVM](doc/5.6_llvm.md)
|
* [5.6 LLVM](doc/5.6_llvm.md)
|
||||||
* [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
|
* [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
|
||||||
* [六、题解篇](doc/6_writeup.md)
|
* [六、题解篇](doc/6_writeup.md)
|
||||||
* [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
|
* pwn
|
||||||
* [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md)
|
* [6.1.1 pwn HCTF2016 brop](doc/6.1.1_pwn_hctf2016_brop.md)
|
||||||
* [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md)
|
* [6.1.2 pwn NJCTF2017 pingme](doc/6.1.2_pwn_njctf2017_pingme.md)
|
||||||
* [6.4 pwn njctf2017 233](doc/6.4_pwn_njctf2017_233.md)
|
* [6.1.3 pwn XDCTF2015 pwn200](doc/6.1.3_pwn_xdctf2015_pwn200.md)
|
||||||
* [6.5 pwn 0ctf2015 freenote](doc/6.5_pwn_0ctf2015_freenote.md)
|
* [6.1.4 pwn BackdoorCTF2017 Fun-Signals](doc/6.1.4_pwn_backdoorctf2017_fun_signals.md)
|
||||||
* [6.6 re xhpctf2017 dont_panic](doc/6.6_re_xhpctf2017_dont_panic.md)
|
* [6.1.5 pwn GreHackCTF2017 beerfighter](doc/6.1.5_pwn_grehackctf2017_beerfighter.md)
|
||||||
|
* [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md)
|
||||||
|
* [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md)
|
||||||
|
* re
|
||||||
|
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||||
* [七、附录](doc/7_appendix.md)
|
* [七、附录](doc/7_appendix.md)
|
||||||
* [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
* [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
||||||
* [7.2 更多 Windows 工具](doc/7.2_wintools.md)
|
* [7.2 更多 Windows 工具](doc/7.2_wintools.md)
|
||||||
* [7.3 更多资源](doc/7.3_books&blogs.md)
|
* [7.3 更多资源](doc/7.3_books&blogs.md)
|
||||||
* [7.4 习题 write-up](doc/7.4_writeup.md)
|
* [7.4 习题 write-up](doc/7.4_writeup.md)
|
||||||
* [7.5 Linux x86-64 系统调用表](doc/7.5_syscall.md)
|
* [7.5 Linux x86-64 系统调用表](doc/7.5_syscall.md)
|
||||||
* [7.6 PPT](doc/7.6_ppt.md)
|
* [7.6 幻灯片](doc/7.6_slides.md)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# 6.1 pwn hctf2016 brop
|
# 6.1.1 pwn HCTF2016 brop
|
||||||
|
|
||||||
- [题目复现](#题目复现)
|
- [题目复现](#题目复现)
|
||||||
- [BROP 原理及题目解析](#brop-原理及题目解析)
|
- [BROP 原理及题目解析](#brop-原理及题目解析)
|
||||||
@ -368,7 +368,7 @@ firmy
|
|||||||
|
|
||||||
|
|
||||||
## Exploit
|
## Exploit
|
||||||
完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1_pwn_hctf2016_brop)相应文件夹中:
|
完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1.1_pwn_hctf2016_brop)相应文件夹中:
|
||||||
```python
|
```python
|
||||||
from pwn import *
|
from pwn import *
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
# 6.2 pwn njctf2017 pingme
|
# 6.1.2 pwn NJCTF2017 pingme
|
||||||
|
|
||||||
- [题目复现](#题目复现)
|
- [题目复现](#题目复现)
|
||||||
- [Blind fmt 原理及题目解析](#blind-fmt-原理及题目解析)
|
- [Blind fmt 原理及题目解析](#blind-fmt-原理及题目解析)
|
||||||
@ -7,7 +7,7 @@
|
|||||||
|
|
||||||
|
|
||||||
## 题目复现
|
## 题目复现
|
||||||
在 6.1 中我们看到了 blind ROP,这一节中则将看到 blind fmt。它们的共同点是都没有二进制文件,只提供 ip 和端口。
|
在 6.1.1 中我们看到了 blind ROP,这一节中则将看到 blind fmt。它们的共同点是都没有二进制文件,只提供 ip 和端口。
|
||||||
|
|
||||||
checksec 如下:
|
checksec 如下:
|
||||||
```
|
```
|
||||||
@ -200,7 +200,7 @@ firmy
|
|||||||
|
|
||||||
|
|
||||||
## Exploit
|
## Exploit
|
||||||
完整的 exp 如下,其他文件放在了[github](../src/writeup/6.2_pwn_njctf2017_pingme)相应文件夹中:
|
完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1.2_pwn_njctf2017_pingme)相应文件夹中:
|
||||||
```python
|
```python
|
||||||
from pwn import *
|
from pwn import *
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
# 6.3 pwn xdctf2015 pwn200
|
# 6.1.3 pwn XDCTF2015 pwn200
|
||||||
|
|
||||||
- [题目复现](#题目复现)
|
- [题目复现](#题目复现)
|
||||||
- [ret2dl-resolve 原理及题目解析](#ret2dlresolve-原理及题目解析)
|
- [ret2dl-resolve 原理及题目解析](#ret2dlresolve-原理及题目解析)
|
||||||
@ -941,7 +941,7 @@ firmy
|
|||||||
|
|
||||||
|
|
||||||
## Exploit
|
## Exploit
|
||||||
完整的 exp 如下,其他文件放在了[github](../src/writeup/6.2_pwn_xdctf2015_pwn200)相应文件夹中:
|
完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1.3_pwn_xdctf2015_pwn200)相应文件夹中:
|
||||||
```python
|
```python
|
||||||
from pwn import *
|
from pwn import *
|
||||||
|
|
@ -1,31 +1,13 @@
|
|||||||
# 6.4 pwn njctf2017 233
|
# 6.1.4 pwn BackdoorCTF2017 Fun-Signals
|
||||||
|
|
||||||
- [题目复现](#题目复现)
|
- [SROP 原理](#srop-原理)
|
||||||
- [SROP 原理及题目解析](#srop-原理及题目解析)
|
|
||||||
- [Linux 系统调用](#Linux 系统调用)
|
- [Linux 系统调用](#Linux 系统调用)
|
||||||
- [signal 机制](#signal-机制)
|
- [signal 机制](#signal-机制)
|
||||||
- [BackdoorCTF2017 Fun Signals](#backdoorctf2017-fun-signals)
|
- [BackdoorCTF2017 Fun Signals](#backdoorctf2017-fun-signals)
|
||||||
- [njctf2017 233](#233)
|
|
||||||
- [Exploit](#exploit)
|
|
||||||
- [参考资料](#参考资料)
|
- [参考资料](#参考资料)
|
||||||
|
|
||||||
|
|
||||||
## 题目复现
|
## SROP 原理
|
||||||
在 6.1 中我们看到了 blind ROP,这一节中再来看一种 ROP 技术,Sigreturn Oriented Programming。
|
|
||||||
|
|
||||||
checksec 如下:
|
|
||||||
```
|
|
||||||
$ checksec -f 233
|
|
||||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
|
||||||
Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 2 233
|
|
||||||
```
|
|
||||||
把程序运行起来:
|
|
||||||
```
|
|
||||||
$ socat tcp4-listen:10001,reuseaddr,fork exec:./233 &
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## SROP 原理及题目解析
|
|
||||||
#### Linux 系统调用
|
#### Linux 系统调用
|
||||||
在开始这一切之前,我想先将一下 Linux 的系统调用。64 位和 32 位的系统调用表分别在
|
在开始这一切之前,我想先将一下 Linux 的系统调用。64 位和 32 位的系统调用表分别在
|
||||||
`/usr/include/asm/unistd_64.h` 和 `/usr/include/asm/unistd_32.h` 中,另外还需要查看 `/usr/include/bits/syscall.h`。
|
`/usr/include/asm/unistd_64.h` 和 `/usr/include/asm/unistd_32.h` 中,另外还需要查看 `/usr/include/bits/syscall.h`。
|
||||||
@ -112,8 +94,9 @@ $ ldd /usr/bin/ls
|
|||||||
```
|
```
|
||||||
32 位程序则会显示 `linux-gate.so.1`,都是一个意思。
|
32 位程序则会显示 `linux-gate.so.1`,都是一个意思。
|
||||||
|
|
||||||
#### BackdoorCTF2017 Fun Signals
|
|
||||||
我们先来看一个简单的例子,一个 64 位静态链接的 srop,可以说是什么都没开。。。
|
## BackdoorCTF2017 Fun Signals
|
||||||
|
这是一个 64 位静态链接的 srop,可以说是什么都没开。。。
|
||||||
```
|
```
|
||||||
$ checksec -f funsignals_player_bin
|
$ checksec -f funsignals_player_bin
|
||||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||||
@ -185,40 +168,9 @@ fake_flag_here_as_original_is_at_server\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\
|
|||||||
```
|
```
|
||||||
如果连接的是远程服务器,`fake_flag_here_as_original_is_at_server` 会被替换成真正的 flag。
|
如果连接的是远程服务器,`fake_flag_here_as_original_is_at_server` 会被替换成真正的 flag。
|
||||||
|
|
||||||
#### njctf2017 233
|
其他文件放在了[github](../src/writeup/6.1.4_pwn_backdoorctf2017_fun_signals)相应文件夹中。
|
||||||
这是一个 32 位的程序。
|
|
||||||
```
|
|
||||||
gdb-peda$ disassemble main
|
|
||||||
Dump of assembler code for function main:
|
|
||||||
0x0000063b <+0>: push ebp
|
|
||||||
0x0000063c <+1>: mov ebp,esp
|
|
||||||
0x0000063e <+3>: push ebx
|
|
||||||
0x0000063f <+4>: and esp,0xfffffff0
|
|
||||||
0x00000642 <+7>: sub esp,0x20
|
|
||||||
0x00000645 <+10>: call 0x510 <__x86.get_pc_thunk.bx>
|
|
||||||
0x0000064a <+15>: add ebx,0x197e
|
|
||||||
0x00000650 <+21>: mov DWORD PTR [esp+0x8],0x400
|
|
||||||
0x00000658 <+29>: lea eax,[esp+0x16]
|
|
||||||
0x0000065c <+33>: mov DWORD PTR [esp+0x4],eax
|
|
||||||
0x00000660 <+37>: mov DWORD PTR [esp],0x0
|
|
||||||
0x00000667 <+44>: call 0x480 <read@plt>
|
|
||||||
0x0000066c <+49>: lea eax,[esp+0x16]
|
|
||||||
0x00000670 <+53>: mov DWORD PTR [esp],eax
|
|
||||||
0x00000673 <+56>: call 0x4c0 <atoi@plt>
|
|
||||||
0x00000678 <+61>: mov ebx,DWORD PTR [ebp-0x4]
|
|
||||||
0x0000067b <+64>: leave
|
|
||||||
0x0000067c <+65>: ret
|
|
||||||
End of assembler dump.
|
|
||||||
```
|
|
||||||
这个程序看起来很简单,就是使用 read 函数读取 `0x400` 个字节到 `[esp+0x16]` 的地方,然后将其传给 atoi。很明显的栈溢出:
|
|
||||||
```
|
|
||||||
gdb-peda$ pattern_offset 0x41284141
|
|
||||||
1093157185 found at offset: 22
|
|
||||||
```
|
|
||||||
|
|
||||||
|
这一节我们详细介绍了 SROP 的原理,并展示了一个简单的例子,在后面的章节中,会展示其更复杂的运用,包扩结合 vDSO 的用法。
|
||||||
## Exploit
|
|
||||||
完整的 exp 如下,其他文件放在了[github](../src/writeup/6.4_pwn_njctf2017_233)相应文件夹中:
|
|
||||||
|
|
||||||
|
|
||||||
## 参考资料
|
## 参考资料
|
6
doc/6.1.5_pwn_grehackctf2017_beerfighter.md
Normal file
6
doc/6.1.5_pwn_grehackctf2017_beerfighter.md
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
# 6.1.5 pwn GreHackCTF2017 beerfighter
|
||||||
|
|
||||||
|
- [题目解析](#题目解析)
|
||||||
|
|
||||||
|
|
||||||
|
## 题目解析
|
15
doc/6.1.6_pwn_defconctf2015_fuckup.md
Normal file
15
doc/6.1.6_pwn_defconctf2015_fuckup.md
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
# 6.1.6 pwn DefconCTF2015 fuckup
|
||||||
|
|
||||||
|
- [ret2vdso 原理](#ret2vdso-原理)
|
||||||
|
- [题目解析](#题目解析)
|
||||||
|
- [Exploit](#exploit)
|
||||||
|
- [参考资料](#参考资料)
|
||||||
|
|
||||||
|
|
||||||
|
## ret2vdso 原理
|
||||||
|
|
||||||
|
## 题目解析
|
||||||
|
|
||||||
|
## Exploit
|
||||||
|
|
||||||
|
## 参考资料
|
1
doc/6.1.7_pwn_0ctf2015_freenote.md
Normal file
1
doc/6.1.7_pwn_0ctf2015_freenote.md
Normal file
@ -0,0 +1 @@
|
|||||||
|
# 6.1.7 pwn 0CTF2015 freenote
|
@ -1,4 +1,4 @@
|
|||||||
# 6.6 re xhpctf2017 dont_panic
|
# 6.2.1 re xhpctf2017 dont_panic
|
||||||
|
|
||||||
- [题目解析](#题目解析)
|
- [题目解析](#题目解析)
|
||||||
- [参考资料](#参考资料)
|
- [参考资料](#参考资料)
|
||||||
@ -419,7 +419,7 @@ print("".join(flag))
|
|||||||
|
|
||||||
在最后一篇参考资料里,介绍了怎样还原 Go 二进制文件的函数名,这将大大简化我们的分析。
|
在最后一篇参考资料里,介绍了怎样还原 Go 二进制文件的函数名,这将大大简化我们的分析。
|
||||||
|
|
||||||
另外所有文件放在了[github](../src/writeup/6.6_re_xhpctf2017_dont_panic)相应文件夹中。
|
另外所有文件放在了[github](../src/writeup/6.2.1_re_xhpctf2017_dont_panic)相应文件夹中。
|
||||||
|
|
||||||
|
|
||||||
## 参考资料
|
## 参考资料
|
@ -1 +0,0 @@
|
|||||||
# 6.5 pwn 0ctf2015 freenote
|
|
@ -1,8 +1,12 @@
|
|||||||
# 第六章 题解篇
|
# 第六章 题解篇
|
||||||
|
|
||||||
- [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md)
|
- pwn
|
||||||
- [6.2 pwn njctf2017 pingme](./6.2_pwn_njctf2017_pingme.md)
|
- [6.1.1 pwn HCTF2016 brop](./6.1.1_pwn_hctf2016_brop.md)
|
||||||
- [6.3 pwn xdctf2015 pwn200](./6.3_pwn_xdctf2015_pwn200.md)
|
- [6.1.2 pwn NJCTF2017 pingme](./6.1.2_pwn_njctf2017_pingme.md)
|
||||||
- [6.4 pwn njctf2017 233](./6.4_pwn_njctf2017_233.md)
|
- [6.1.3 pwn XDCTF2015 pwn200](./6.1.3_pwn_xdctf2015_pwn200.md)
|
||||||
- [6.5 pwn 0ctf2015 freenote](./6.5_pwn_0ctf2015_freenote.md)
|
- [6.1.4 pwn BackdoorCTF2017 Fun-Signals](./6.1.4_pwn_backdoorctf2017_fun_signals.md)
|
||||||
- [6.6 re xhpctf2017 dont_panic](./6.6_re_xhpctf2017_dont_panic.md)
|
- [6.1.5 pwn GreHackCTF2017 beerfighter](./6.1.5_pwn_grehackctf2017_beerfighter.md)
|
||||||
|
- [6.1.6 pwn DefconCTF2015 fuckup](./6.1.6_pwn_defconctf2015_fuckup.md)
|
||||||
|
- [6.1.7 pwn 0CTF2015 freenote](./6.1.7_pwn_0ctf2015_freenote.md)
|
||||||
|
- re
|
||||||
|
- [6.2.1 re XHPCTF2017 dont_panic](./6.2.1_re_xhpctf2017_dont_panic.md)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# 7.6 PPT
|
# 7.6 幻灯片
|
||||||
|
|
||||||
这些是我在 XDSEC 做分享的 PPT,主要内容取自 CTF-All-In-One,可作为辅助学习。
|
这些是我在 XDSEC 做分享的 PPT,主要内容取自 CTF-All-In-One,可作为辅助学习。
|
||||||
|
|
@ -5,4 +5,4 @@
|
|||||||
- [7.3 更多资源](doc/7.3_books&blogs.md)
|
- [7.3 更多资源](doc/7.3_books&blogs.md)
|
||||||
- [7.4 习题 write-up](doc/7.4_writeup.md)
|
- [7.4 习题 write-up](doc/7.4_writeup.md)
|
||||||
- [7.5 Linux x86-64 系统调用表](doc/7.5_syscall.md)
|
- [7.5 Linux x86-64 系统调用表](doc/7.5_syscall.md)
|
||||||
- [7.6 PPT](doc/7.6_ppt.md)
|
- [7.6 幻灯片](doc/7.6_slides.md)
|
||||||
|
BIN
slides/01_fight-with-linux.pdf
Normal file
BIN
slides/01_fight-with-linux.pdf
Normal file
Binary file not shown.
BIN
src/writeup/6.1.6_pwn_defconctf2015_fuckup/fuckup
Normal file
BIN
src/writeup/6.1.6_pwn_defconctf2015_fuckup/fuckup
Normal file
Binary file not shown.
BIN
src/writeup/6.1.7_pwn_0ctf2015_freenote/freenote
Executable file
BIN
src/writeup/6.1.7_pwn_0ctf2015_freenote/freenote
Executable file
Binary file not shown.
BIN
src/writeup/6.1.7_pwn_0ctf2015_freenote/libc.so.6_1
Executable file
BIN
src/writeup/6.1.7_pwn_0ctf2015_freenote/libc.so.6_1
Executable file
Binary file not shown.
Binary file not shown.
@ -1 +0,0 @@
|
|||||||
socat tcp4-listen:10001,reuseaddr,fork exec:./233 &
|
|
Loading…
Reference in New Issue
Block a user