#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
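/* Size of the fixed buffers; fgets() in main() reads at most BUF_SIZE - 1 bytes. */
enum { BUF_SIZE = 100 };

/*
 * The XOR key, kept as a macro so its length can be taken with sizeof:
 * the literal contains an embedded '\0', so strlen(key) would stop early
 * and is NOT a usable bound.
 */
#define KEY_BYTES "3\rG[S/%\x1c\x1d#0?\rIS\x0f\x1c\x1d\x18;,4\x1b\x00\x1bp;5\x0b\x1b\x08\x45+"
enum { KEY_LEN = sizeof(KEY_BYTES) - 1 };  /* bytes before the terminating NUL */

_Static_assert(KEY_LEN < BUF_SIZE, "flag[] must hold KEY_LEN bytes plus a NUL");

char flag[BUF_SIZE];      /* s XOR key, NUL-terminated by calc_flag() */
char password[BUF_SIZE];  /* contents of the password file, filled by main() */
char* key = KEY_BYTES;    /* points at the literal; never written through */

/*
 * calc_flag - XOR the bytes of s with the key, store the result in the
 * global flag[] and print it.
 *
 * @s: NUL-terminated string. Only the first KEY_LEN bytes are used; the
 *     original loop ran to strlen(s) and so indexed past the key literal
 *     (undefined behaviour) for any input longer than the key.
 *
 * Side effects: overwrites flag[] (always NUL-terminated) and writes one
 * line to stdout.
 */
void calc_flag(char* s){
    size_t n = strlen(s);  /* computed once, not once per iteration */
    if (n > KEY_LEN) {
        n = KEY_LEN;       /* never read key[] beyond its storage */
    }
    for (size_t i = 0; i < n; i++) {
        flag[i] = s[i] ^ key[i];
    }
    flag[n] = '\0';        /* in range: KEY_LEN < BUF_SIZE (static assert above) */
    printf("%s\n", flag);
}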
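/*
 * main - read the stored password, compare it with one line from stdin
 * and, on a match, print the XOR-decoded flag.
 *
 * Returns 0 on a correct guess, 1 if the password file cannot be opened or
 * read. A wrong guess prints a message and exits with status 0, as before.
 *
 * Fixes against the original: fopen() result is checked (fgets() on a NULL
 * FILE* crashed), the stdin read is bounded by sizeof buf (the original
 * passed 128 for a 100-byte stack buffer, a stack overflow), fgets()
 * results are checked, and the file is closed.
 */
int main(){
    FILE* fp = fopen("/home/blukat/password", "r");
    if (fp == NULL) {
        perror("fopen");
        return 1;
    }
    /* password[] keeps its trailing newline; the guess read below keeps
     * its newline too, so strcmp() compares both as read. */
    if (fgets(password, sizeof password, fp) == NULL) {
        fclose(fp);
        fprintf(stderr, "could not read password\n");
        return 1;
    }
    fclose(fp);

    char buf[100] = {0};
    printf("guess the password!\n");
    /* sizeof buf, never a larger literal: the bound must match the buffer */
    if (fgets(buf, sizeof buf, stdin) == NULL) {
        buf[0] = '\0';  /* EOF or read error: treat as an empty (wrong) guess */
    }

    if (!strcmp(password, buf)) {
        printf("congrats! here is your flag: ");
        calc_flag(password);
    } else {
        printf("wrong guess!\n");
        exit(0);
    }
    return 0;
}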
소스코드를 보면 password 파일을 열어 내용을 읽은 뒤 입력을 받아, 입력과 password 값이 일치하면
password와 key 값으로 xor 연산을 수행해 플래그를 뱉어낸다.
gdb-peda$ ni
[----------------------------------registers-----------------------------------]
RAX: 0x6010a0 ("cat: password: Permission denied\n")
RBX: 0x0
RCX: 0x6e6f697373696d72 ('rmission')
RDX: 0xf020f0 --> 0x0
RSI: 0xf02261 --> 0x0
RDI: 0x6010c1 --> 0x0
RBP: 0x7ffc41f8be90 --> 0x4008c0 (<__libc_csu_init>: push r15)
RSP: 0x7ffc41f8be10 --> 0x7ffc41f8bf88 --> 0x7ffc41f8cdb2 ("XDG_SESSION_ID=184263")
RIP: 0x40083a (<main+64>: mov edi,0x400982)
R8 : 0xf02261 --> 0x0
R9 : 0x0
R10: 0x7efe629ea700 (0x00007efe629ea700)
R11: 0x246
R12: 0x400690 (<_start>: xor ebp,ebp)
R13: 0x7ffc41f8bf70 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x40082b <main+49>: mov esi,0x64
0x400830 <main+54>: mov edi,0x6010a0
0x400835 <main+59>: call 0x400640 <fgets@plt>
=> 0x40083a <main+64>: mov edi,0x400982
0x40083f <main+69>: call 0x4005f0 <puts@plt>
0x400844 <main+74>: mov rdx,QWORD PTR [rip+0x200835] # 0x601080 <stdin@@GLIBC_2.2.5>
0x40084b <main+81>: lea rax,[rbp-0x70]
0x40084f <main+85>: mov esi,0x80
[------------------------------------stack-------------------------------------]
0000| 0x7ffc41f8be10 --> 0x7ffc41f8bf88 --> 0x7ffc41f8cdb2 ("XDG_SESSION_ID=184263")
0008| 0x7ffc41f8be18 --> 0xf02010 --> 0xfbad2488
0016| 0x7ffc41f8be20 --> 0x1
0024| 0x7ffc41f8be28 --> 0x7ffc41f8bf88 --> 0x7ffc41f8cdb2 ("XDG_SESSION_ID=184263")
0032| 0x7ffc41f8be30 --> 0x1
0040| 0x7ffc41f8be38 --> 0x7ffc41f8beb0 --> 0x1629fbca0
0048| 0x7ffc41f8be40 --> 0x7efe629fd168 --> 0x0
0056| 0x7ffc41f8be48 --> 0xf0b5ff --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x000000000040083a in main ()
gdb-peda$ q
warning: Could not rename /home/blukat/.gdb_history-gdb140220~ to /home/blukat/.gdb_history: No such file or directory
blukat@pwnable:~$ ./blukat
guess the password!
cat: password: Permission denied
congrats! here is your flag: Pl3as_DonT_Miss_youR_GrouP_Perm!!
blukat@pwnable:~$
gdb로 분석하던 중 fgets 함수를 실행한 후 RAX에 메시지가 저장되어 있는 것을 확인했다.
그리고 그 메시지를 입력해 봤더니 플래그가 출력된다.
flag: Pl3as_DonT_Miss_youR_GrouP_Perm!!
이렇게 푸는 게 맞나 해서 찾아보니 저 메시지가 정말로 password 파일에 저장되어 있는 내용이었고,
처음부터 blukat 유저에게는 password 파일을 볼 수 있는 그룹 권한(blukat_pwn)이 있다고 한다. ㅋㅋㅋㅋ
그냥 cat password로 내용을 보려고 하면
실제로는 정상적으로 읽히는 것이지만, 파일 내용 자체가 cat: password: Permission denied라는 메시지라서 낚이는 거다...
어쨌든 password 파일의 내용은 저게 맞다!