워게임/pwnable.kr

문제 설명을 보면 ROP로 푸는 문제인 것 같다. 서버에 접속하면 readme와 바이너리만 주어진다. horcruxes@pwnable:~$ cat readme connect to port 9032 (nc 0 9032). the 'horcruxes' binary will be executed under horcruxes_pwn privilege. rop it to read the flag. readme를 읽어보면 9032 포트에서 프로그램이 실행 중이고 ROP를 이용해 flag를 읽으라고 한다. C 코드가 없으니 바이너리를 분석해야 한다. gdb로 분석하는 건 에바니 scp로 다운받아서 Ghidra를 이용해 분석했다. void main(void) { undefined4 uVar1; setvbuf(stdout,(ch..
#include #include #include #include char flag[100]; char password[100]; char* key = "3\rG[S/%\x1c\x1d#0?\rIS\x0f\x1c\x1d\x18;,4\x1b\x00\x1bp;5\x0b\x1b\x08\x45+"; void calc_flag(char* s){ int i; for(i=0; i 0x0 RSI: 0xf02261 --> 0x0 RDI: 0x6010c1 --> 0x0 RBP: 0x7ffc41f8be90 --> 0x4008c0 (:push r15) RSP: 0x7ffc41f8be10 --> 0x7ffc41f8bf88 --> 0x7ffc41f8cdb2 ("XDG_SESSION_ID=184263") RIP: 0x40083a (:..
#include #include #include #include #include #include #include #include #define LENGTH 128 void sandbox(){ scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); if (ctx == NULL) { printf("seccomp error\n"); exit(0); } seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); seccomp_..
nc로 접속해보면 --------------------------------------------------- - Shall we play a game? - --------------------------------------------------- You have given some gold coins in your hand however, there is one counterfeit coin among them counterfeit coin looks exactly same as real coin however, its weight is different from real one real coin weighs 10, counterfeit coin weighes 9 help me to find the ..
#include #include int filter(char* cmd){ int r=0; r += strstr(cmd, "=")!=0; r += strstr(cmd, "PATH")!=0; r += strstr(cmd, "export")!=0; r += strstr(cmd, "/")!=0; r += strstr(cmd, "`")!=0; r += strstr(cmd, "flag")!=0; return r; } extern char** environ; void delete_env(){ char** p; for(p=environ; *p; p++)memset(*p, 0, strlen(*p)); } int main(int argc, char* argv[], char** envp){ delete_env(); pute..
#include #include int filter(char* cmd){ int r=0; r += strstr(cmd, "flag")!=0; r += strstr(cmd, "sh")!=0; r += strstr(cmd, "tmp")!=0; return r; } int main(int argc, char* argv[], char** envp){ putenv("PATH=/thankyouverymuch"); if(filter(argv[1])) return 0; system( argv[1] ); return 0; } 소스를 보면 꽤 간단하다. 메인을 보면 putenv로 PATH를 /thankyouverymuch로 덮어써 버린다. 그리고 filter 함수를 보면 argv[1]로 넣은 값에 flag, sh, tmp 문자열..
kimg00n
'워게임/pwnable.kr' 카테고리의 글 목록