Shino
Shino
Shino

Shino Channel

$ sudo echo Shino >> YourHeart

网鼎杯2022总决赛-Secret 全栈CTFer的自我修养(?)

Shino Shino published on
碎碎念 ​ 本来没想着网鼎杯能进总决赛的,毕竟青龙组100+个队就给了12个晋级名额。结果 RHG 一开快手+强运+队友给力直接飞到前十躺进了总决赛,半决赛两个 pwn 防御也是水得不行,本想着逆向手进场观摩队友做题结果意外和 Photon 大哥合力把 pwn 基本 ak 了,只能说运气很好。
Read More

NKCTF2023ezstack - SROP初探

Shino Shino published on
1 2 3 4 5 Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) 鉴定为,没有保护。 核心代码很短: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 .text:00000000004011B9 vuln proc near ; CODE XREF: main+17↓p .text:00000000004011B9 .text:00000000004011B9 buf = byte ptr -10h .text:00000000004011B9 .text:00000000004011B9 ; __unwind { .text:00000000004011B9 endbr64 .text:00000000004011BD push rbp .text:00000000004011BE mov rbp, rsp .text:00000000004011C1 mov rax, 1 .text:00000000004011C8 mov rdx, 26h ; '&' ; count .text:00000000004011CF lea rsi, nkctf ; "Welcome to the binary world of NKCTF!\n" .text:00000000004011D7 mov rdi, rax ; fd .text:00000000004011DA syscall ; LINUX - sys_write .text:00000000004011DC xor rax, rax .text:00000000004011DF mov rdx, 200h ; count .text:00000000004011E6 lea rsi, [rsp+buf] ; buf .text:00000000004011EB mov rdi, rax ; fd .text:00000000004011EE syscall ; LINUX - sys_read .text:00000000004011F0 mov eax, 0 .text:00000000004011F5 pop rbp .text:00000000004011F6 retn .text:00000000004011F6 ; } // starts at 4011B9 .text:00000000004011F6 vuln endp 一开始以为是ret2libc,本想想办法leak地址,发现无法控制rax为1调用输出的syscall。ROPgadget发现了一些奇怪的东西:
Read More

Hitcon2022-Checker Windows驱动文件分析

Shino Shino published on
with Katzebin 就不传附件了 附件有checker.exe和check_drv.sys两个文件 checker.exe逻辑十分简单 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 int __cdecl main(int argc, const char **argv, const char **envp) { HANDLE FileW; // rax char *v4; // rcx char OutBuffer[4]; // [rsp+40h] [rbp-18h] BYREF DWORD BytesReturned; // [rsp+44h] [rbp-14h] BYREF FileW = CreateFileW(L"\\\\.\\hitcon_checker", 0xC0000000, 0, 0i64, 3u, 4u, 0i64); qword_140003620 = (__int64)FileW; if ( FileW == (HANDLE)-1i64 ) { sub_140001010("driver not found\n"); exit(0); } OutBuffer[0] = 0; DeviceIoControl(FileW, 0x222080u, 0i64, 0, OutBuffer, 1u, &BytesReturned, 0i64); v4 = "correct\n"; if ( !OutBuffer[0] ) v4 = "wrong\n"; sub_140001010(v4); system("pause"); return 0; } https://www.cnblogs.com/lsh123/p/7354573.html 具体可以参照这篇文章,程序整体逻辑是检测设备hitcon_checker并与该设备的驱动交互。可以发现这里的交互操作只有读取,可以知道整体逻辑应该是由hitcon_checker设备发送IRP(I/O Request Package)包由驱动程序处理,根据处理结果返回正误。 但是我们没有这个设备….
Read More

[BlockChain] Ethernaut做题笔记(更新中)

Shino Shino published on
Before Start 其实很早就开始想学区块链安全了,但是因为环境炸了、Ropsten测试链关了和懒等等原因直到Hackergame的链上记忆大师题才开始上手实操区块链题。后来在强网拟态和N1CTF等比赛中由于不熟悉ctf区块链题的交互方式也是一直在鸽子。
Read More
0%