
De1CTF 2020|PWN

How to dump the binary

Posted by Elli0t on 2020-05-05

Life is like a box of chocolates:you never know what you are gonna get.

The first step of this challenge is to brute-force a three-byte string with a script. It later turned out that the string can also contain non-printable bytes, so the search has to cover the whole 0x00-0xff range; the script is as follows:

from pwn import *
import hashlib
import itertools

context.terminal = ["tmux", "sp", "-h"]
context.log_level = 'debug'

DEBUG = 0
LOCAL = True
BIN = 'bin'          # local copy of the challenge binary (dumped as described below)
HOST = '106.53.114.216'
PORT = 9999

def loop(target, guess_all, length=3):
    # Brute-force every `length`-byte string over the given alphabet until
    # its SHA-256 hex digest equals the target printed by the PoW prompt.
    # The preimage may contain non-printable bytes, so guess_all must be the
    # full 0x00-0xff range, not just printable characters.
    for combo in itertools.product(guess_all, repeat=length):
        guess = bytes(combo)
        if hashlib.sha256(guess).hexdigest() == target:
            print(hexdump(guess))
            return guess
    return None

def exploit(sh):
    sh.recvuntil(b"=========Pow========\n")
    # Prompt lines look like: sha256(XXX) == "<hex>" and len(XXX) == 3
    hash_value = sh.recvuntil(b"\"\n", drop=True).split(b"== \"")[1].decode()
    length = int(sh.recvuntil(b"\n", drop=True).split(b"== ")[1])
    sh.recvuntil(b">")
    guess_all = list(range(0x0, 0x100))
    guess = loop(hash_value, guess_all, length)
    # guess is raw bytes; sendline appends the newline the prompt expects
    sh.sendline(guess)
    sh.interactive()
    return

if __name__ == '__main__':
    if len(sys.argv) > 1:
        LOCAL = False
        sh = remote(HOST, PORT)
        exploit(sh)
    else:
        LOCAL = True
        sh = process(BIN)
        log.info('PID: ' + str(proc.pidof(sh)[0]))
        if DEBUG:
            gdb.attach(sh)
        exploit(sh)
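The PoW step above can be checked offline. The following is an added example, not the author's script: it constructs its own PoW target from a three-byte secret that contains a 0x01 and a 0xff byte (a constructed value, standing in for the hash the server prints), and shows that a search restricted to printable characters finds nothing while a search over the full byte range recovers the preimage.

```python
import hashlib
import itertools
import string

# Alphabets for the brute force: printable ASCII only, or every byte value.
PRINTABLE = [ord(c) for c in string.printable]
FULL_RANGE = list(range(0x100))


def make_target(secret):
    """Hex digest the PoW prompt would print for this secret (constructed here)."""
    return hashlib.sha256(secret).hexdigest()


def solve_pow(target_hex, length=3, alphabet=FULL_RANGE):
    """Return the `length`-byte string over `alphabet` whose SHA-256 hex
    digest equals target_hex, or None if no such string exists.
    Worst case is len(alphabet) ** length hashes (2^24 for 3 full bytes)."""
    target_hex = target_hex.lower()
    for combo in itertools.product(alphabet, repeat=length):
        candidate = bytes(combo)
        if hashlib.sha256(candidate).hexdigest() == target_hex:
            return candidate
    return None


def demo():
    # Constructed secret: a non-printable byte, a letter and a high byte.
    secret = b"\x01a\xff"
    target = make_target(secret)
    only_printable = solve_pow(target, 3, PRINTABLE)   # None: 0x01 and 0xff are not printable
    full_range = solve_pow(target, 3, FULL_RANGE)      # b'\x01a\xff'
    return only_printable, full_range


if __name__ == "__main__":
    print(demo())
```

Because itertools.product enumerates the first byte slowest, the cost of a given secret depends on where it sits in the enumeration order; a preimage starting with 0xff costs the full 2^24 hashes, which in pure Python takes on the order of tens of seconds, so for a remote prompt with a short timeout it is worth starting the search before the rest of the banner is read.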

Dumping the binary

Dumping kept failing. I later realised that all of the base64-encoded strings the challenge sends (it sends them in several pieces) have to be put together, in order, in the file test, and then:
base64 -d test > output
file output
This shows that it is a .gz file; decompress it and you get the binary.

At first I thought only the last piece was base64-encoded, so I did not copy the whole thing and kept getting errors.
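The same reassembly can be done in Python without touching the shell. The following is an added example, not part of the original post: it builds a constructed stand-in for the challenge binary (an ELF magic prefix plus filler), gzips and base64-encodes it, splits the encoding into several messages the way the server did, and then shows that joining every piece recovers the file while pasting only the last piece does not. The magic-byte check stands in for the `file output` step above.

```python
import base64
import binascii
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"
ELF_MAGIC = b"\x7fELF"


def reassemble(chunks):
    """Join the base64 fragments in the order received, drop whitespace and
    decode. base64 only decodes correctly on the complete string: a fragment
    cut mid-quantum yields garbage or a padding error."""
    joined = "".join("".join(chunk.split()) for chunk in chunks)
    return base64.b64decode(joined, validate=True)


def identify(blob):
    """Minimal replacement for `file`: only the two magics this task needs."""
    if blob.startswith(GZIP_MAGIC):
        return "gzip"
    if blob.startswith(ELF_MAGIC):
        return "elf"
    return "data"


def recover_binary(chunks):
    """Decode, then gunzip if the decoded bytes are a gzip stream."""
    blob = reassemble(chunks)
    kind = identify(blob)
    if kind == "gzip":
        blob = gzip.decompress(blob)
        kind = identify(blob)
    return kind, blob


def try_recover(chunks):
    """recover_binary, but report decode/decompress failures as ("error", None)."""
    try:
        return recover_binary(chunks)
    except (binascii.Error, OSError, EOFError, zlib.error):
        return "error", None


def build_chunks(line_len=76):
    """Constructed server output: a fake ELF, gzipped, base64-encoded and
    split into several messages of line_len characters each."""
    fake_elf = ELF_MAGIC + bytes(range(256)) * 4
    encoded = base64.b64encode(gzip.compress(fake_elf)).decode()
    chunks = [encoded[i:i + line_len] + "\n" for i in range(0, len(encoded), line_len)]
    return fake_elf, chunks


if __name__ == "__main__":
    original, chunks = build_chunks()
    print("all pieces  :", try_recover(chunks)[0])
    print("last piece  :", try_recover(chunks[-1:])[0])
```

Writing the recovered bytes to disk and comparing their hash against the original is the cheap sanity check before spending time in a disassembler; a truncated paste that happens to decode without error still produces a blob whose magic is neither gzip nor ELF.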