for every dojo、module、level add DESCRIPTION.md #39

Merged
merged 1 commit into from
Jan 16, 2024
2 changes: 2 additions & 0 deletions DESCRIPTION.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
### CSE SCS2081 - Fall 2023 - 软件安全
> 绝对安全的软件系统现在不存在,将来也不会存在。
18 changes: 18 additions & 0 deletions buffer-overflow/DESCRIPTION.md
@@ -0,0 +1,18 @@
利用缓冲区溢出漏洞,可以在栈、全局、堆等内存区域上输入精心构造的数据载荷(即,Payload),覆盖关键数据(如,局部变量,函数指针,返回地址等)。
**注:为了更有效地解决这些挑战关卡,你首先需要运行 /challenge 目录下的挑战题目,随后根据提示完成挑战。**
\
\
**关卡等级分布:**
- Level 1.0 - 利用栈溢出覆盖局部变量,通过检查后读取 /flag
- Level 1.1 - 利用栈溢出覆盖局部函数指针变量,劫持控制流来读取 /flag
- Level 1.2 - 利用栈溢出覆盖局部数据指针变量,劫持控制流来读取 /flag
- Level 1.3 - 利用栈溢出覆盖返回地址,劫持控制流来读取 /flag
- Level 1.4 - 利用栈溢出覆盖局部布尔变量,翻转逻辑来读取 /flag
- Level 2.0 - 利用堆缓冲区溢出覆盖堆上数据变量,劫持控制流来读取 /flag
- Level 2.1 - 利用堆缓冲区溢出覆盖堆上函数指针,劫持控制流来读取 /flag
- Level 3.0 - 利用 Off-By-One 漏洞覆盖栈上数据,通过检查后读取 /flag
- Level 3.1 - 利用 Off-By-Null 漏洞覆盖栈上关键变量,劫持控制流后读取 /flag
- Level 4.0 - 利用 cylic 和 coredump 来自动计算返回地址的位置,劫持控制流后读取 /flag

References
- [Use pwntools for your exploits](https://mudongliang.github.io/2021/05/11/use-pwntools-for-your-exploits.html)
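Review bot: the Level 4.0 entry misspells the pwntools helper as `cylic`; it should be `cyclic` (the same helper is written correctly as `cyclic` in the pwntools-tutorials module summary). The two bare `\` lines used to force a gap before **关卡等级分布:** render inconsistently across Markdown viewers; the pwntools-tutorials and setuid-backdoor files in this PR get the same effect with a plain empty line, so use that form here and in the other module summaries.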
1 change: 1 addition & 0 deletions buffer-overflow/level-1-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需掌握栈布局知识覆盖局部变量,通过检查后读取 /flag。
1 change: 1 addition & 0 deletions buffer-overflow/level-1-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需掌握栈布局知识覆盖局部函数指针变量,劫持控制流后通过后门函数读取 /flag。
1 change: 1 addition & 0 deletions buffer-overflow/level-1-2/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需掌握栈布局知识覆盖局部数据指针变量,利用后门函数后读取 /flag。
1 change: 1 addition & 0 deletions buffer-overflow/level-1-3/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需掌握栈布局知识覆盖函数返回地址,劫持控制流后利用后门函数后读取 /flag。
1 change: 1 addition & 0 deletions buffer-overflow/level-1-4/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需掌握栈布局知识覆盖局部布尔变量,翻转逻辑后利用后门函数后读取 /flag。
1 change: 1 addition & 0 deletions buffer-overflow/level-2-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需掌握堆溢出知识覆盖堆上数据变量,利用后门函数 edit_notebook 和 read_notebook 后读取 /flag。
1 change: 1 addition & 0 deletions buffer-overflow/level-2-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需掌握堆溢出知识覆盖堆上数据变量,利用后门函数 edit_notebook 覆盖堆上函数指针后读取 /flag。
1 change: 1 addition & 0 deletions buffer-overflow/level-3-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需掌握 Off-By-One 知识覆盖栈上关键变量, 通过暴力破解利用后门函数读取 /flag
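Review bot: this level text says the backdoor is reached 通过暴力破解, but the Level 3.0 entry in buffer-overflow/DESCRIPTION.md only says 通过检查后读取 /flag; the two descriptions should agree on whether brute force is part of the intended solution. The line also lacks the trailing 。 that the other level files end with.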
1 change: 1 addition & 0 deletions buffer-overflow/level-3-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需掌握 Off-By-Null 知识覆盖栈上关键变量, 利用后门函数读取 /flag
1 change: 1 addition & 0 deletions buffer-overflow/level-4-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡在没有源码辅助的基础上,使用 cylic 和 coredump 基础知识自动化寻找返回地址,利用栈溢出来读取 /flag。
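Review bot: same `cylic` typo as in the module summary; the pwntools helper is `cyclic`.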
16 changes: 16 additions & 0 deletions elf-crackme/DESCRIPTION.md
@@ -0,0 +1,16 @@
学习并修改 ELF 可执行文件格式
**注:为了更有效地解决这些挑战关卡,你首先需要执行 utility.py 查看关卡提示,根据提示信息利用 utility.py 修改关卡可执行文件,通过检查后即可获取 flag。**
\
\
**关卡等级分布:**
- Level 1.0 - 学习并理解 ELF 文件头,修复关卡可执行文件,通过检查后读取 /flag
- Level 1.1 - 学习并理解程序头表,修复关卡可执行文件,通过检查后读取 /flag
- Level 1.2 - 学习并理解节头表,修复关卡可执行文件,通过检查后读取 /flag
- Level 2.0 - 学习并理解 .text 段,修复关卡可执行文件,通过检查后读取 /flag
- Level 2.1 - 学习并理解 .data 段,修复关卡可执行文件,通过检查后读取 /flag
- Level 2.2 - 编写程序进行遍历,修复关卡可执行文件,通过检查后读取 /flag
- Level 3.0 - 学习并理解 plt 跳转,修复关卡可执行文件,通过检查后读取 /flag
- Level 3.1 - 学习并理解 plt,got 跳转,修复关卡可执行文件,通过检查后读取 /flag

References
- [Concrete Value for fields in ELF format](https://github.com/WolfgangSt/libelf/blob/master/lib/elf_repl.h)
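Review bot: the opening line 学习并修改 ELF 可执行文件格式 has no sentence-final punctuation and reads like a heading rather than the one-sentence introduction the other module files use; end it with 。 or expand it into a sentence. The `\` blank-line hack here has the same rendering issue noted on the buffer-overflow summary.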
1 change: 1 addition & 0 deletions elf-crackme/level-1-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要掌握 ELF 文件头中 x86 和 x64 之间的区别,使用 utility.py 修复关卡可执行文件后,执行即可获得flag。
1 change: 1 addition & 0 deletions elf-crackme/level-1-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要掌握程序头表中 Offset,VirtAddr,PhysAddr 字段含义,使用 utility.py 修复关卡可执行文件后,执行即可获得flag。
1 change: 1 addition & 0 deletions elf-crackme/level-1-2/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要掌握节头表中 Offset,VirtAddr,PhysAddr 字段含义,使用 utility.py 修复关卡可执行文件后,执行即可获得flag。
1 change: 1 addition & 0 deletions elf-crackme/level-2-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要掌握 .text 段,使用 utility.py 修复关卡可执行文件后,执行即可获得flag。
1 change: 1 addition & 0 deletions elf-crackme/level-2-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要掌握 .data 段,使用 utility.py 修复关卡可执行文件后,执行即可获得flag。
1 change: 1 addition & 0 deletions elf-crackme/level-2-2/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要编写程序,爆破相应位置,使用 utility.py 修复关卡可执行文件后,执行即可获得flag。
1 change: 1 addition & 0 deletions elf-crackme/level-3-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要掌握 plt 表的跳转,使用 utility.py 修复关卡可执行文件后,执行即可获得flag。
1 change: 1 addition & 0 deletions elf-crackme/level-3-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要掌握 plt 表和 got 表的跳转,使用 utility.py 修复关卡可执行文件后,执行即可获得flag。
9 changes: 9 additions & 0 deletions integer-overflow/DESCRIPTION.md
@@ -0,0 +1,9 @@
整数溢出出现于数值无法被对应的数据类型所表示,通常,整数溢出可能导致缓冲区溢出。
**注:为了更有效地解决这些挑战关卡,你首先需要运行 /challenge 目录下的挑战题目,随后根据提示完成挑战。**
\
\
**关卡等级分布:**
- Level 1.0 - 利用整数溢出中的宽度溢出读取 /flag
- Level 1.1 - 结合整数溢出中的宽度溢出与缓冲区溢出读取 /flag
- Level 2.0 - 利用整数溢出中的计算溢出读取 /flag
- Level 3.0 - 利用整数溢出中的符号溢出读取 /flag
1 change: 1 addition & 0 deletions integer-overflow/level-1-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡利用整数溢出中的宽度溢出,通过检查后读取 /flag。
1 change: 1 addition & 0 deletions integer-overflow/level-1-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡利用整数溢出中的宽度溢出,结合缓冲区溢出,最终利用后门函数读取 /flag。
1 change: 1 addition & 0 deletions integer-overflow/level-2-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡利用整数溢出中的计算溢出,通过检查后读取 /flag。
1 change: 1 addition & 0 deletions integer-overflow/level-3-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡利用整数溢出中的计算溢出,通过检查后读取 /flag。
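Review bot: the level-3-0 text says 计算溢出, but the Level 3.0 entry in integer-overflow/DESCRIPTION.md describes this level as 符号溢出 (sign overflow); this line is identical to level-2-0 and looks copy-pasted. Change 计算溢出 to 符号溢出 so the level file matches the module list.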
7 changes: 7 additions & 0 deletions other-vulnerabilities/DESCRIPTION.md
@@ -0,0 +1,7 @@
学习一些其他安全漏洞,如格式化字符串,未初始化漏洞,信息泄露漏洞。
**注:为了更有效地解决这些挑战关卡,你首先需要运行 /challenge 目录下的挑战题目,随后根据提示完成挑战。**
\
\
**关卡等级分布:**
- Level 1.0 - 关于格式化字符串读取
- Level 1.1 - 关于格式化字符串写入
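Review bot: the intro promises three vulnerability classes (格式化字符串, 未初始化漏洞, 信息泄露漏洞) but the level list only contains the two format-string levels, and this PR adds no level directories for the other two; either drop the unlisted classes from the intro or mark them as not yet available so students do not look for levels that do not exist.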
1 change: 1 addition & 0 deletions other-vulnerabilities/level-1-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡利用格式化字符串漏洞,泄露栈上存放的 flag 内容
1 change: 1 addition & 0 deletions other-vulnerabilities/level-1-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡利用格式化字符串漏洞,修改内存中的值,从而通过判断获取flag内容
21 changes: 21 additions & 0 deletions pwntools-tutorials/DESCRIPTION.md
@@ -0,0 +1,21 @@
Pwntools 是一个工具包(包含各种好用的小工具)与软件库,旨在尽可能简化 CTF 比赛的渗透攻击过程,同时尽可能攻击代码的可读性。
**注:为了更有效地解决这些挑战关卡,你首先需要运行 /challenge 目录下的挑战题目,随后根据提示完成挑战。**

**关卡等级分布:**
- Level 1.0 - 利用 pwntools 生成特定输入绕过检查,并读取 /flag
- Level 1.1 - 利用 pwntools 生成特定输入绕过检查,并读取 /flag
- Level 2.0 - 利用 pwtools asm 生成特定指令来设置特定寄存器,通过检查后获取 /flag
- Level 2.1 - 利用 pwtools asm 生成特定指令来交换特定寄存器,通过检查后获取 /flag
- Level 2.2 - 利用 pwtools asm 生成特定指令来计算特定公式,结果通过检查后获取 /flag
- Level 2.3 - 利用 pwtools asm 生成特定指令来设置特定全局数据区域,通过检查后获取 /flag
- Level 2.4 - 利用 pwtools asm 生成特定指令来设置特定栈内存区域,通过检查后获取 /flag
- Level 2.5 - 利用 pwtools asm 利用 if 语句来计算特定公式,结果通过检查后获取 /flag
- Level 2.6 - 利用 pwtools asm 利用 for 循环来计算特定公式,结果通过检查后获取 /flag
- Level 3.0 - 利用 pwtools 循环生成特定输入绕过检查,并读取 /flag
- 除此之外,pwntools 还有一些其他功能,如EFL解析(elf-crackme 关卡会用到),cyclic(缓冲区溢出关卡会用到)and ,GDB调试等。


References
- [Pwntools Tutorials](https://github.com/Gallopsled/pwntools-tutorial)
- [Pwntools Documentation](https://docs.pwntools.com/en/stable/index.html)
- [GDB Cheat Sheet](https://darkdust.net/files/GDB%20Cheat%20Sheet.pdf)
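Review bot: the first sentence is missing its verb: 同时尽可能攻击代码的可读性 should read 同时尽可能提高攻击代码的可读性. The Level 2.0 to 3.0 entries spell the tool `pwtools` nine times; the first line has the correct `pwntools`. The final bullet (除此之外,pwntools 还有一些其他功能…) is not a level and belongs in a paragraph after the list; within it, `EFL解析` should be `ELF 解析`, and the stray English `and ,` before `GDB调试` should be a Chinese comma.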
1 change: 1 addition & 0 deletions pwntools-tutorials/level-1-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡设置了一些条件,只有通过这些条件才能获得 /flag。
1 change: 1 addition & 0 deletions pwntools-tutorials/level-1-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡设置了一些条件,只有通过这些条件才能获得 /flag。
1 change: 1 addition & 0 deletions pwntools-tutorials/level-2-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡编写一些汇编指令,设置特定寄存器(如,rax),通过检查后获取 /flag。
1 change: 1 addition & 0 deletions pwntools-tutorials/level-2-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡编写一些汇编指令,交换特定寄存器的值(如,rax,rbx),通过检查后获取 /flag。
1 change: 1 addition & 0 deletions pwntools-tutorials/level-2-2/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡编写一些汇编指令,计算一个特定公式,结果通过检查后获取 /flag。
1 change: 1 addition & 0 deletions pwntools-tutorials/level-2-3/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡编写一些汇编指令,设置特定全局数据区域,结果通过检查后获取 /flag。
1 change: 1 addition & 0 deletions pwntools-tutorials/level-2-4/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡编写一些汇编指令,设置特定栈内存区域,结果通过检查后获取 /flag。
1 change: 1 addition & 0 deletions pwntools-tutorials/level-2-5/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡编写 if 语句,设置特定栈内存区域,结果通过检查后获取 /flag。
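Review bot: the level-2-5 text says the if statement 设置特定栈内存区域, while the Level 2.5 entry in pwntools-tutorials/DESCRIPTION.md says it is used 来计算特定公式; the phrase appears to be carried over from level-2-4. Align this line with the module summary (计算特定公式).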
1 change: 1 addition & 0 deletions pwntools-tutorials/level-2-6/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡编写 for 循环,计算特定公式,结果通过检查后获取 /flag。
1 change: 1 addition & 0 deletions pwntools-tutorials/level-3-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡设置了一些条件,只有循环输入后通过这些条件才能获得 /flag。
12 changes: 12 additions & 0 deletions return-oriented-programming/DESCRIPTION.md
@@ -0,0 +1,12 @@
ROP(Return Oriented Programming) 通过控制程序栈上数据串连 gadgets(如,末尾为 ret 指令的微小代码片段)来达到图灵完备的功能。
**注:为了更有效地解决这些挑战关卡,你首先需要运行 /challenge 目录下的挑战题目,随后根据提示完成挑战。**
\
\
**关卡等级分布:**
- Level 1.0 - 本关卡需学习利用栈溢出,构造 ROP 链控制函数参数,来读取 /flag
- Level 1.1 - 本关卡需学习 ret2syscall 劫持控制流,构造 ROP 链来读取 /flag
- Level 2.0 - 本关卡需学习 ret2libc,利用 ELF 现有函数劫持控制流,构造 ROP 链来读取 /flag
- Level 2.1 - 本关卡需学习 ret2libc,利用 libc 函数,构造 ROP 链来读取 /flag
- Level 2.2 - 本关卡需学习 ret2libc,泄露并利用 libc 函数,构造 ROP 链来读取 /flag
- Level 2.3 - 本关卡需学习 ret2libc,利用缓冲区溢出和格式化字符串漏洞,构造 ROP 链来读取 /flag
- Level 2.4 - 本关卡需学习 ret2libc,仅利用格式化字符串漏洞,绕过保护机制,构造 ROP 链来读取 /flag
1 change: 1 addition & 0 deletions return-oriented-programming/level-1-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需利用基础的 ROP 知识控制后门函数参数来读取 /flag。
1 change: 1 addition & 0 deletions return-oriented-programming/level-1-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需利用基础的 ROP 知识 ret2syscall 劫持控制流来读取 /flag。
1 change: 1 addition & 0 deletions return-oriented-programming/level-2-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需学习 ret2libc,利用 ELF 现有函数劫持控制流,构造 ROP 链来读取 /flag。
1 change: 1 addition & 0 deletions return-oriented-programming/level-2-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需学习 ret2libc,利用 libc 函数,构造 ROP 链来读取 /flag
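Review bot: this line and the level-2-2, level-2-3 and level-2-4 files in the same module end without the trailing 。 used by level-1-0 through level-2-0; add it for consistency.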
1 change: 1 addition & 0 deletions return-oriented-programming/level-2-2/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需学习 ret2libc,泄露并利用 libc 函数,构造 ROP 链来读取 /flag
1 change: 1 addition & 0 deletions return-oriented-programming/level-2-3/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需学习 ret2libc,利用缓冲区溢出和格式化字符串漏洞,构造 ROP 链来读取 /flag
1 change: 1 addition & 0 deletions return-oriented-programming/level-2-4/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需学习 ret2libc,仅利用格式化字符串漏洞,绕过保护机制,构造 ROP 链来读取 /flag
20 changes: 20 additions & 0 deletions setuid-backdoor/DESCRIPTION.md
@@ -0,0 +1,20 @@
SUID 允许任何拥有文件执行权限的用户,以当前文件所属者(通常是 root)的权限执行该文件。
**注:为了更有效地解决这些挑战关卡,你首先需要运行 /challenge 目录下的挑战题目,随后根据提示完成挑战。**


**关卡等级分布:**
- Level 1.0 - 利用设置了 SUID 的 /usr/bin/cat 命令读取 /flag
- Level 1.1 - 利用设置了 SUID 的 /usr/bin/vim 命令读取 /flag
- Level 1.2 - 利用设置了 SUID 的 /usr/bin/hexedit 命令读取 /flag
- Level 2.0 - 理解 /usr/bin/rev 功能,并通过设置了 SUID 的该命令获取 /flag
- Level 2.1 - 理解 /usr/bin/gzip 功能,并通过设置了 SUID 的该命令获取 /flag
- Level 2.2 - 理解 /usr/bin/date 功能,并通过设置了 SUID 的该命令获取 /flag
- Level 3.0 - 学习 /usr/bin/chmod 命令设置文件权限,并通过设置了 SUID 的该命令获取 /flag
- Level 3.1 - 学习 /usr/bin/chown 命令设置文件权限,并通过设置了 SUID 的该命令获取 /flag
- Level 3.2 - 学习 /usr/bin/cp 命令设置文件权限,并通过设置了 SUID 的该命令获取 /flag
- Level 4.0 - 学习 /usr/bin/python 解释器的语法,并编程实现获取 /flag
- Level 4.1 - 学习 /usr/bin/perl 解释器的语法,并编程实现获取 /flag
- Level 4.2 - 学习 /usr/bin/ruby 解释器的语法,并编程实现获取 /flag

Reference
- [Why You Can't Un-Root a Compromised Machine](https://gist.github.com/mudongliang/7b68290c2b4d5da0b7140c8b0e1827d0)
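Review bot: the Level 3.2 entry says 学习 /usr/bin/cp 命令设置文件权限, but cp copies files and does not set permissions; the wording was carried over from the chmod and chown lines and should describe the cp operation this level actually relies on. The heading `Reference` should be `References` to match the other module files.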
1 change: 1 addition & 0 deletions setuid-backdoor/level-1-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡设置一些实用程序(如,/usr/bin/cat),帮助读取 /flag。
1 change: 1 addition & 0 deletions setuid-backdoor/level-1-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡设置一些实用程序(如,/usr/bin/vim),帮助读取 /flag。
1 change: 1 addition & 0 deletions setuid-backdoor/level-1-2/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡设置一些实用程序(如,/usr/bin/hexedit),帮助读取 /flag。
1 change: 1 addition & 0 deletions setuid-backdoor/level-2-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要理解一些实用程序(如,/usr/bin/rev),并巧妙利用该程序获取 /flag。
1 change: 1 addition & 0 deletions setuid-backdoor/level-2-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要理解一些实用程序(如,/usr/bin/gzip),并巧妙利用该程序获取 /flag。
1 change: 1 addition & 0 deletions setuid-backdoor/level-2-2/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要理解一些实用程序(如,/usr/bin/date),并巧妙利用该程序获取 /flag。
1 change: 1 addition & 0 deletions setuid-backdoor/level-3-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要通过一些实用程序(如,/usr/bin/chmod)巧妙地设置文件权限来读取 /flag。
1 change: 1 addition & 0 deletions setuid-backdoor/level-3-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要通过一些实用程序(如,/usr/bin/chown)巧妙地设置文件权限来读取 /flag。
1 change: 1 addition & 0 deletions setuid-backdoor/level-3-2/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要通过一些实用程序(如,/usr/bin/cp)巧妙地设置文件权限来读取 /flag。
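Review bot: same problem as the module list: /usr/bin/cp does not 设置文件权限, so 巧妙地设置文件权限 does not describe this level; reword to match what the SUID cp level actually requires.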
1 change: 1 addition & 0 deletions setuid-backdoor/level-4-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡设置一些程序解释器(如,/usr/bin/python),并需要结合相应编程知识来读取 /flag。
1 change: 1 addition & 0 deletions setuid-backdoor/level-4-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡设置一些程序解释器(如,/usr/bin/perl),并需要结合相应编程知识来读取 /flag。
1 change: 1 addition & 0 deletions setuid-backdoor/level-4-2/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡设置一些程序解释器(如,/usr/bin/ruby),并需要结合相应编程知识来读取 /flag。
10 changes: 10 additions & 0 deletions shellcode-injection/DESCRIPTION.md
@@ -0,0 +1,10 @@
通过注入精心构造的 shellcode,获得程序原有行为以外的破坏性能力。
**注:为了更有效地解决这些挑战关卡,你首先需要运行 /challenge 目录下的挑战题目,随后根据提示完成挑战。**
\
\
**关卡等级分布:**
- Level 1.1 - 本关卡需掌握重复宏汇编的shellcode的编写方法
- Level 2.0 - 本关卡需掌握栈赋值的shellcode的编写方法
- Level 3.0 - 本关卡需掌握可见字符的 shellcode 的编写方法
- Level 3.1 - 本关卡需掌握敏感字符绕过的 shellcode 的编写方法
- Level 3.2 - 本关卡需掌握读取 /flag 的 shellcode 的编写方法
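Review bot: the level list omits Level 1.0 and Level 2.1 even though this PR adds shellcode-injection/level-1-0/DESCRIPTION.md and shellcode-injection/level-2-1/DESCRIPTION.md; add entries for both so the list covers every level directory. The Level 1.1 entry says 重复宏汇编 while the level-1-1 file says 重复宏编程; pick one term. The `\` blank-line hack here has the same rendering issue noted on the buffer-overflow summary.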
1 change: 1 addition & 0 deletions shellcode-injection/level-1-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需要直接构造读取flag的shellcode,注入并执行 shellcode 来读取 /flag。
1 change: 1 addition & 0 deletions shellcode-injection/level-1-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需构造重复宏编程,执行 shellcode 来读取 /flag。
1 change: 1 addition & 0 deletions shellcode-injection/level-2-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡过滤空字符,需利用栈赋值,执行 shellcode 来读取 /flag。
1 change: 1 addition & 0 deletions shellcode-injection/level-2-1/DESCRIPTION.md
@@ -0,0 +1 @@

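Review bot: shellcode-injection/level-2-1/DESCRIPTION.md is added as an empty file; every other level in this PR gets a one-line description, and the module list does not mention Level 2.1 either, so nothing in this PR says what the level teaches. Add the description (or drop the empty file if the level is not ready).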
1 change: 1 addition & 0 deletions shellcode-injection/level-3-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡过滤了不可见字符串,需要利用可见字符串构建,并执行 shellcode 来读取 /flag。
1 change: 1 addition & 0 deletions shellcode-injection/level-3-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡过滤了syscall,int 80,sysenter,需要绕过并执行 shellcode 来读取 /flag。
1 change: 1 addition & 0 deletions shellcode-injection/level-3-2/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需利用栈溢出漏洞,注入并执行 shellcode 来读取 /flag。
6 changes: 6 additions & 0 deletions simple-demo/DESCRIPTION.md
@@ -0,0 +1,6 @@
本模块包含一些简单的演示关卡,帮助学生更快地熟悉当前平台[https://pwn.hust.college](https://pwn.hust.college)。
**注:为了更有效地解决这些挑战关卡,首先运行 /challenge 目录下的挑战题目,随后根据提示完成挑战。**

**关卡等级分布:**
- Level 1.0 - 直接读取 /flag,并将其打印出来(Python)
- Level 1.1 - 直接读取 /flag,并将其打印出来(C)
1 change: 1 addition & 0 deletions simple-demo/level-1-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡直接读取 /flag,并将其打印出来。
1 change: 1 addition & 0 deletions simple-demo/level-1-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡直接读取 /flag,并将其打印出来。
7 changes: 7 additions & 0 deletions use-after-free/DESCRIPTION.md
@@ -0,0 +1,7 @@
释放后使用这一漏洞类型属于实践类内存错误,在一个对象被释放后之后重新使用导致。此处还包含 Invalid Free 和 Double Free。
**注:为了更有效地解决这些挑战关卡,你首先需要运行 /challenge 目录下的挑战题目,随后根据提示完成挑战。**
\
\
**关卡等级分布:**
- Level 1.0 - 利用悬垂指针读取 /flag
- Level 1.1 - 利用悬垂指针,结合 ptmalloc2 tcache bin 分配堆内存的基本原理,劫持堆块分配后,读取 /flag
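Review bot: 实践类内存错误 in the first sentence looks like a homophone typo for 时间类内存错误 (temporal memory error, as opposed to the spatial errors of the buffer-overflow module); the clause 在一个对象被释放后之后重新使用导致 also doubles 后/之后 and has no subject, e.g. 该漏洞在对象被释放之后仍被使用时产生. The sentence 此处还包含 Invalid Free 和 Double Free claims those classes are covered, but neither level in the list mentions them.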
1 change: 1 addition & 0 deletions use-after-free/level-1-0/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡利用释放后未置空的悬垂指针读取 /flag 的内容
1 change: 1 addition & 0 deletions use-after-free/level-1-1/DESCRIPTION.md
@@ -0,0 +1 @@
本关卡需掌握 ptmalloc2 tcache bin 分配堆内存的基本原理,利用释放后使用漏洞覆盖堆上关键变量,泄露堆上 /flag 的内容