ctf php 讀取flag,中等難度CTF 提權擷取flag 小白已經嘗試的思路

本帖最後由 wwr2128 于 2019-3-8 09:09 編輯

題目要求：在僅使用程式允許輸入的情況下擷取高權限shell并擷取flag。(不允許使用radare2或者其他可更改程式流的軟體，可以注入shellcode)

已經嘗試的思路：

根據初步觀察，應該不屬于格式化字元串的bufferoverflow類問題，且檔案裡面包含一個已經存在的debug function (000006c4 )(詳見底下objdump)，不知道如何通過更改對應的值使程式執行流到達debug的function。

曾經想通過格式化字元串運作高權限shell擷取flag，但是payload不知道應該如何寫。通過IDA看出程式執行會更改一個hashtable:

ctf php 讀取flag,中等難度CTF 提權擷取flag 小白已經嘗試的思路

ida_1.png (69.61 KB, 下載下傳次數: 0)

2019-3-8 08:49 上傳

Linux下運作程式:

ctf php 讀取flag,中等難度CTF 提權擷取flag 小白已經嘗試的思路

Annotation.png (35.38 KB, 下載下傳次數: 0)

run

2019-3-8 08:52 上傳

objdump:

./be1: file format elf32-i386

Disassembly of section .init:

00000494 <_init>:

494: 53 push %ebx

495: 83 ec 08 sub $0x8,%esp

498: e8 f3 00 00 00 call 590 <__x86.get_pc_thunk.bx>

49d: 81 c3 83 16 00 00 add $0x1683,%ebx

4a3: 8b 83 f4 ff ff ff mov -0xc(%ebx),%eax

4a9: 85 c0 test %eax,%eax

4ab: 74 05 je 4b2 <_init>

4ad: e8 96 00 00 00 call 548 <__gmon_start__>

4b2: 83 c4 08 add $0x8,%esp

4b5: 5b pop %ebx

4b6: c3 ret

Disassembly of section .plt:

000004c0 <.plt>:

4c0: ff b3 04 00 00 00 pushl 0x4(%ebx)

4c6: ff a3 08 00 00 00 jmp *0x8(%ebx)

4cc: 00 00 add %al,(%eax)

...

000004d0 :

4d0: ff a3 0c 00 00 00 jmp *0xc(%ebx)

4d6: 68 00 00 00 00 push $0x0

4db: e9 e0 ff ff ff jmp 4c0 <.plt>

000004e0 :

4e0: ff a3 10 00 00 00 jmp *0x10(%ebx)

4e6: 68 08 00 00 00 push $0x8

4eb: e9 d0 ff ff ff jmp 4c0 <.plt>

000004f0 :

4f0: ff a3 14 00 00 00 jmp *0x14(%ebx)

4f6: 68 10 00 00 00 push $0x10

4fb: e9 c0 ff ff ff jmp 4c0 <.plt>

00000500 :

500: ff a3 18 00 00 00 jmp *0x18(%ebx)

506: 68 18 00 00 00 push $0x18

50b: e9 b0 ff ff ff jmp 4c0 <.plt>

00000510 <__libc_start_main>:

510: ff a3 1c 00 00 00 jmp *0x1c(%ebx)

516: 68 20 00 00 00 push $0x20

51b: e9 a0 ff ff ff jmp 4c0 <.plt>

00000520 :

520: ff a3 20 00 00 00 jmp *0x20(%ebx)

526: 68 28 00 00 00 push $0x28

52b: e9 90 ff ff ff jmp 4c0 <.plt>

00000530 :

530: ff a3 24 00 00 00 jmp *0x24(%ebx)

536: 68 30 00 00 00 push $0x30

53b: e9 80 ff ff ff jmp 4c0 <.plt>

Disassembly of section .plt.got:

00000540 <__cxa_finalize>:

540: ff a3 f0 ff ff ff jmp *-0x10(%ebx)

546: 66 90 xchg %ax,%ax

00000548 <__gmon_start__>:

548: ff a3 f4 ff ff ff jmp *-0xc(%ebx)

54e: 66 90 xchg %ax,%ax

Disassembly of section .text:

00000550 <_start>:

550: 31 ed xor %ebp,%ebp

552: 5e pop %esi

553: 89 e1 mov %esp,%ecx

555: 83 e4 f0 and $0xfffffff0,%esp

558: 50 push %eax

559: 54 push %esp

55a: 52 push %edx

55b: e8 22 00 00 00 call 582 <_start>

560: 81 c3 c0 15 00 00 add $0x15c0,%ebx

566: 8d 83 f0 ec ff ff lea -0x1310(%ebx),%eax

56c: 50 push %eax

56d: 8d 83 90 ec ff ff lea -0x1370(%ebx),%eax

573: 50 push %eax

574: 51 push %ecx

575: 56 push %esi

576: ff b3 f8 ff ff ff pushl -0x8(%ebx)

57c: e8 8f ff ff ff call 510 <__libc_start_main>

581: f4 hlt

582: 8b 1c 24 mov (%esp),%ebx

585: c3 ret

586: 66 90 xchg %ax,%ax

588: 66 90 xchg %ax,%ax

58a: 66 90 xchg %ax,%ax

58c: 66 90 xchg %ax,%ax

58e: 66 90 xchg %ax,%ax

00000590 <__x86.get_pc_thunk.bx>:

590: 8b 1c 24 mov (%esp),%ebx

593: c3 ret

594: 66 90 xchg %ax,%ax

596: 66 90 xchg %ax,%ax

598: 66 90 xchg %ax,%ax

59a: 66 90 xchg %ax,%ax

59c: 66 90 xchg %ax,%ax

59e: 66 90 xchg %ax,%ax

000005a0 :

5a0: e8 e4 00 00 00 call 689 <__x86.get_pc_thunk.dx>

5a5: 81 c2 7b 15 00 00 add $0x157b,%edx

5ab: 8d 8a 4c 00 00 00 lea 0x4c(%edx),%ecx

5b1: 8d 82 4c 00 00 00 lea 0x4c(%edx),%eax

5b7: 39 c8 cmp %ecx,%eax

5b9: 74 1d je 5d8

5bb: 8b 82 ec ff ff ff mov -0x14(%edx),%eax

5c1: 85 c0 test %eax,%eax

5c3: 74 13 je 5d8

5c5: 55 push %ebp

5c6: 89 e5 mov %esp,%ebp

5c8: 83 ec 14 sub $0x14,%esp

5cb: 51 push %ecx

5cc: ff d0 call *%eax

5ce: 83 c4 10 add $0x10,%esp

5d1: c9 leave

5d2: c3 ret

5d3: 90 nop

5d4: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi

5d8: f3 c3 repz ret

5da: 8d b6 00 00 00 00 lea 0x0(%esi),%esi

000005e0 :

5e0: e8 a4 00 00 00 call 689 <__x86.get_pc_thunk.dx>

5e5: 81 c2 3b 15 00 00 add $0x153b,%edx

5eb: 55 push %ebp

5ec: 8d 8a 4c 00 00 00 lea 0x4c(%edx),%ecx

5f2: 8d 82 4c 00 00 00 lea 0x4c(%edx),%eax

5f8: 29 c8 sub %ecx,%eax

5fa: 89 e5 mov %esp,%ebp

5fc: 53 push %ebx

5fd: c1 f8 02 sar $0x2,%eax

600: 89 c3 mov %eax,%ebx

602: 83 ec 04 sub $0x4,%esp

605: c1 eb 1f shr $0x1f,%ebx

608: 01 d8 add %ebx,%eax

60a: d1 f8 sar %eax

60c: 74 14 je 622

60e: 8b 92 fc ff ff ff mov -0x4(%edx),%edx

614: 85 d2 test %edx,%edx

616: 74 0a je 622

618: 83 ec 08 sub $0x8,%esp

61b: 50 push %eax

61c: 51 push %ecx

61d: ff d2 call *%edx

61f: 83 c4 10 add $0x10,%esp

622: 8b 5d fc mov -0x4(%ebp),%ebx

625: c9 leave

626: c3 ret

627: 89 f6 mov %esi,%esi

629: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi

00000630 <__do_global_dtors_aux>:

630: 55 push %ebp

631: 89 e5 mov %esp,%ebp

633: 53 push %ebx

634: e8 57 ff ff ff call 590 <__x86.get_pc_thunk.bx>

639: 81 c3 e7 14 00 00 add $0x14e7,%ebx

63f: 83 ec 04 sub $0x4,%esp

642: 80 bb 54 00 00 00 00 cmpb $0x0,0x54(%ebx)

649: 75 27 jne 672 <__do_global_dtors_aux>

64b: 8b 83 f0 ff ff ff mov -0x10(%ebx),%eax

651: 85 c0 test %eax,%eax

653: 74 11 je 666 <__do_global_dtors_aux>

655: 83 ec 0c sub $0xc,%esp

658: ff b3 2c 00 00 00 pushl 0x2c(%ebx)

65e: e8 dd fe ff ff call 540 <__cxa_finalize>

663: 83 c4 10 add $0x10,%esp

666: e8 35 ff ff ff call 5a0

66b: c6 83 54 00 00 00 01 movb $0x1,0x54(%ebx)

672: 8b 5d fc mov -0x4(%ebp),%ebx

675: c9 leave

676: c3 ret

677: 89 f6 mov %esi,%esi

679: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi

00000680 :

680: 55 push %ebp

681: 89 e5 mov %esp,%ebp

683: 5d pop %ebp

684: e9 57 ff ff ff jmp 5e0

00000689 <__x86.get_pc_thunk.dx>:

689: 8b 14 24 mov (%esp),%edx

68c: c3 ret

0000068d :

68d: 55 push %ebp

68e: 89 e5 mov %esp,%ebp

690: 83 ec 04 sub $0x4,%esp

693: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%ebp)

69a: eb 1f jmp 6bb

69c: 8b 45 fc mov -0x4(%ebp),%eax

69f: 8d 14 85 00 00 00 00 lea 0x0(,%eax,4),%edx

6a6: 8b 45 08 mov 0x8(%ebp),%eax

6a9: 01 c2 add %eax,%edx

6ab: 8b 45 fc mov -0x4(%ebp),%eax

6ae: 8b 04 85 50 1b 00 00 mov 0x1b50(,%eax,4),%eax

6b5: 89 02 mov %eax,(%edx)

6b7: 83 45 fc 01 addl $0x1,-0x4(%ebp)

6bb: 83 7d fc 06 cmpl $0x6,-0x4(%ebp)

6bf: 7e db jle 69c

6c1: 90 nop

6c2: c9 leave

6c3: c3 ret

000006c4 :

6c4: 55 push %ebp

6c5: 89 e5 mov %esp,%ebp

6c7: 6a 00 push $0x0

6c9: 6a 00 push $0x0

6cb: 6a 00 push $0x0

6cd: 6a 00 push $0x0

6cf: 68 30 08 00 00 push $0x830

6d4: e8 fc ff ff ff call 6d5

6d9: 83 c4 14 add $0x14,%esp

6dc: 90 nop

6dd: c9 leave

6de: c3 ret

000006df :

6df: 55 push %ebp

6e0: 89 e5 mov %esp,%ebp

6e2: 83 ec 28 sub $0x28,%esp

6e5: 83 7d 08 02 cmpl $0x2,0x8(%ebp)

6e9: 7f 21 jg 70c

6eb: a1 00 00 00 00 mov 0x0,%eax

6f0: 50 push %eax

6f1: 6a 10 push $0x10

6f3: 6a 01 push $0x1

6f5: 68 38 08 00 00 push $0x838

6fa: e8 fc ff ff ff call 6fb

6ff: 83 c4 10 add $0x10,%esp

702: b8 ff ff ff ff mov $0xffffffff,%eax

707: e9 9e 00 00 00 jmp 7aa

70c: 8d 45 d8 lea -0x28(%ebp),%eax

70f: 50 push %eax

710: e8 78 ff ff ff call 68d

715: 83 c4 04 add $0x4,%esp

718: 8b 45 0c mov 0xc(%ebp),%eax

71b: 83 c0 04 add $0x4,%eax

71e: 8b 00 mov (%eax),%eax

720: 6a 0a push $0xa

722: 6a 00 push $0x0

724: 50 push %eax

725: e8 fc ff ff ff call 726

72a: 83 c4 0c add $0xc,%esp

72d: 89 45 fc mov %eax,-0x4(%ebp)

730: 8b 45 0c mov 0xc(%ebp),%eax

733: 83 c0 08 add $0x8,%eax

736: 8b 00 mov (%eax),%eax

738: 6a 10 push $0x10

73a: 6a 00 push $0x0

73c: 50 push %eax

73d: e8 fc ff ff ff call 73e

742: 83 c4 0c add $0xc,%esp

745: 89 45 f8 mov %eax,-0x8(%ebp)

748: 8b 45 fc mov -0x4(%ebp),%eax

74b: 8b 44 85 d8 mov -0x28(%ebp,%eax,4),%eax

74f: 50 push %eax

750: ff 75 f8 pushl -0x8(%ebp)

753: ff 75 fc pushl -0x4(%ebp)

756: 68 4c 08 00 00 push $0x84c

75b: e8 fc ff ff ff call 75c

760: 83 c4 10 add $0x10,%esp

763: 8b 45 fc mov -0x4(%ebp),%eax

766: 8b 55 f8 mov -0x8(%ebp),%edx

769: 89 54 85 d8 mov %edx,-0x28(%ebp,%eax,4)

76d: 68 8d 08 00 00 push $0x88d

772: e8 fc ff ff ff call 773

777: 83 c4 04 add $0x4,%esp

77a: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%ebp)

781: eb 1c jmp 79f

783: 8b 45 fc mov -0x4(%ebp),%eax

786: 8b 44 85 d8 mov -0x28(%ebp,%eax,4),%eax

78a: 50 push %eax

78b: ff 75 fc pushl -0x4(%ebp)

78e: 68 a3 08 00 00 push $0x8a3

793: e8 fc ff ff ff call 794

798: 83 c4 0c add $0xc,%esp

79b: 83 45 fc 01 addl $0x1,-0x4(%ebp)

79f: 83 7d fc 06 cmpl $0x6,-0x4(%ebp)

7a3: 7e de jle 783

7a5: b8 00 00 00 00 mov $0x0,%eax

7aa: c9 leave

7ab: c3 ret

7ac: 66 90 xchg %ax,%ax

7ae: 66 90 xchg %ax,%ax

000007b0 <__libc_csu_init>:

7b0: 55 push %ebp

7b1: 57 push %edi

7b2: 56 push %esi

7b3: 53 push %ebx

7b4: e8 d7 fd ff ff call 590 <__x86.get_pc_thunk.bx>

7b9: 81 c3 67 13 00 00 add $0x1367,%ebx

7bf: 83 ec 0c sub $0xc,%esp

7c2: 8b 6c 24 28 mov 0x28(%esp),%ebp

7c6: 8d b3 e8 fe ff ff lea -0x118(%ebx),%esi

7cc: e8 c3 fc ff ff call 494 <_init>

7d1: 8d 83 e4 fe ff ff lea -0x11c(%ebx),%eax

7d7: 29 c6 sub %eax,%esi

7d9: c1 fe 02 sar $0x2,%esi

7dc: 85 f6 test %esi,%esi

7de: 74 25 je 805 <__libc_csu_init>

7e0: 31 ff xor %edi,%edi

7e2: 8d b6 00 00 00 00 lea 0x0(%esi),%esi

7e8: 83 ec 04 sub $0x4,%esp

7eb: 55 push %ebp

7ec: ff 74 24 2c pushl 0x2c(%esp)

7f0: ff 74 24 2c pushl 0x2c(%esp)

7f4: ff 94 bb e4 fe ff ff call *-0x11c(%ebx,%edi,4)

7fb: 83 c7 01 add $0x1,%edi

7fe: 83 c4 10 add $0x10,%esp

801: 39 fe cmp %edi,%esi

803: 75 e3 jne 7e8 <__libc_csu_init>

805: 83 c4 0c add $0xc,%esp

808: 5b pop %ebx

809: 5e pop %esi

80a: 5f pop %edi

80b: 5d pop %ebp

80c: c3 ret

80d: 8d 76 00 lea 0x0(%esi),%esi

00000810 <__libc_csu_fini>:

810: f3 c3 repz ret

Disassembly of section .fini:

00000814 <_fini>:

814: 53 push %ebx

815: 83 ec 08 sub $0x8,%esp

818: e8 73 fd ff ff call 590 <__x86.get_pc_thunk.bx>

81d: 81 c3 03 13 00 00 add $0x1303,%ebx

823: 83 c4 08 add $0x8,%esp

826: 5b pop %ebx

827: c3 ret

連結：https://pan.baidu.com/s/1W1I32Viaf4Avw6XbhhNLWw

提取碼：8dq0

ctf php 讀取flag,中等難度CTF 提權擷取flag 小白已經嘗試的思路

2019-3-8 08:47 上傳

點選檔案名下載下傳附件

下載下傳積分: 吾愛币 -1 CB

4.47 KB, 下載下傳次數: 4, 下載下傳積分: 吾愛币 -1 CB

ctf php 讀取flag,中等難度CTF 提權擷取flag 小白已經嘗試的思路

繼續閱讀

ctf php 讀取flag,BugkuCTF flag.php(反序列化)