PWN collision [pwnable.kr]CTF writeup题解系列2
2022-05-15 14:58:56
题目地址:http://pwnable.kr/play.php
先看看题目
都是简单题目,我直接把过程贴出来
aaa@qq.com:/ctf/work/reverse# ssh aaa@qq.com -p2222
aaa@qq.com's password:
____ __ __ ____ ____ ____ _ ___ __ _ ____
| \| |__| || \ / || \ | | / _] | |/ ]| \
| o ) | | || _ || o || o )| | / [_ | ' / | D )
| _/| | | || | || || || |___ | _] | \ | /
| | | ` ' || | || _ || O || || [_ __ | \| \
| | \ / | | || | || || || || || . || . \
|__| \_/\_/ |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|
- Site admin : aaa@qq.com
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
Last login: Tue Dec 31 23:39:30 2019 from 125.238.93.17
aaa@qq.com:~$ ls -la
total 36
drwxr-x--- 5 root col 4096 Oct 23 2016 .
drwxr-xr-x 116 root root 4096 Nov 12 21:34 ..
d--------- 2 root root 4096 Jun 12 2014 .bash_history
-r-sr-x--- 1 col_pwn col 7341 Jun 11 2014 col
-rw-r--r-- 1 root root 555 Jun 12 2014 col.c
-r--r----- 1 col_pwn col_pwn 52 Jun 11 2014 flag
dr-xr-xr-x 2 root root 4096 Aug 20 2014 .irssi
drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache
aaa@qq.com:~$ exit
logout
Connection to pwnable.kr closed.
aaa@qq.com:/ctf/work/reverse# scp aaa@qq.com:/home/col/col ./
ssh: connect to host pwnable.kr port 22: Connection refused
aaa@qq.com:/ctf/work/reverse# scp -P 2222 aaa@qq.com:/home/col/col ./
aaa@qq.com's password:
col 100% 7341 26.7KB/s 00:00
aaa@qq.com:/ctf/work/reverse#
下载之后打开ida做反编译,代码如下:
/*
 * IDA decompilation of the challenge binary's entry point.
 *
 * Expects the passcode as argv[1].  It must be exactly 20 bytes long (measured
 * with strlen, so it is NUL-free by construction); check_password() is then run
 * over those bytes and its result compared with the global hashcode.  On a
 * match the flag is printed through a shell, otherwise a diagnostic is printed.
 * Every path returns 0.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    int result; // eax -- set to 0 on every branch; the exit status never signals failure
    if ( argc > 1 )
    {
        // Length gate via strlen(): the passcode is 20 bytes and contains no 0x00 byte.
        if ( strlen(argv[1]) == 20 )
        {
            // The char buffer is passed by pointer (IDA renders the cast as (int)) and
            // check_password() reads it as five 4-byte words.  hashcode is the .data
            // constant 0x21DD09EC shown in the listing that follows this function.
            // Because check_password() only sums those words, any five words with the
            // same sum are accepted -- a checksum, not an authenticator.
            if ( check_password((int)argv[1]) == hashcode )
                // Shell-out with a relative path: "flag" is resolved against the process's
                // cwd and the child inherits the caller's environment.  NOTE(review): the
                // directory listing above shows col installed setuid col_pwn, so this
                // presumably runs with that owner's privileges to read flag -- confirm.
                system("/bin/cat flag");
            else
                puts("wrong passcode.");
            result = 0;
        }
        else
        {
            puts("passcode length should be 20 bytes");
            result = 0;
        }
    }
    else
    {
        printf("usage : %s [passcode]\n", *argv);
        result = 0;
    }
    return result;
}
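/* Number of 32-bit words folded into the hash (5 * 4 = the 20-byte passcode). */
enum { PASSCODE_WORDS = 5 };

/*
 * Hash used by the challenge to validate the passcode.
 *
 * @param arr_dwPasscode  Pointer to at least PASSCODE_WORDS ints.  main() passes
 *                        the 20-byte argv[1] string reinterpreted as words.
 * @return                The 32-bit sum of the first PASSCODE_WORDS words; main()
 *                        compares it with the global hashcode.
 *
 * Change versus the decompiled listing: the original accumulates in a signed
 * int, so caller-chosen words can overflow it, which is undefined behaviour in
 * C.  Accumulating in uint32_t wraps modulo 2^32 instead -- presumably the
 * same two's-complement result the compiled binary produces -- and the sum is
 * converted back to int to keep the return type unchanged.
 *
 * Review note: a plain sum is a checksum, not an authenticator.  Every set of
 * five words with the same sum is accepted, which is the "collision" the
 * challenge name refers to.
 */
int check_password(const int *arr_dwPasscode)
{
    uint32_t sum = 0;

    for (size_t i = 0; i < PASSCODE_WORDS; i++) {
        sum += (uint32_t)arr_dwPasscode[i];
    }
    /* Conversion of values above INT_MAX is implementation-defined (wraps on
     * the usual two's-complement targets); it is not undefined like the
     * original signed overflow. */
    return (int)sum;
}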
还有一个关键变量定义
.data:0804A020 public hashcode
.data:0804A020 hashcode dd 21DD09ECh
然后就是要让下面这个判断成立
if ( check_password((int)argv[1]) == hashcode )
system("/bin/cat flag");
那就根据题目的意思传入 5 个 32 位整数,让它们的和等于 hashcode;由于长度检查用的是 strlen,参数里不能出现 null(\x00),所以我把其中 4 个固定为 p32(0x01010101),剩下的一个由差值补足,这样就没有 null 了。
具体的python脚本如下:
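#!/usr/bin/env python
# coding: utf8
"""Local driver for the pwnable.kr "collision" challenge.

check_password() in ./col sums argv[1] as five 32-bit words and main()
compares that sum with hashcode (0x21DD09EC).  Any five words with that sum
are accepted, so the payload is four fixed words plus the remainder.  The
length check uses strlen(), so none of the 20 bytes may be NUL; 0x01010101
is NUL-free, and for this hashcode the remainder word (0x1DD905E8) is too.

Fix versus the original: the shebang only works on the first line of the
file, so it now precedes the coding declaration.
"""
from pwn import *

context.log_level = 'debug'

process_name = './col'
passcode = 0x21DD09EC

# p32() emits each word as 4 little-endian bytes: 20 bytes in total.
payload = p32(passcode - 4 * 0x01010101) + p32(0x01010101) * 4

# The passcode is passed in argv, not on stdin; LD_LIBRARY_PATH matches the
# environment the binary was run with in the original session.
p = process(argv=[process_name, payload], env={'LD_LIBRARY_PATH': './'})
p.recv()
p.interactive()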
服务器上不能写文件,但是可以打开python,执行情况如下:
aaa@qq.com:~$ python
Python 2.7.12 (default, Nov 12 2018, 14:36:49)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> #coding:utf8
... #!/usr/bin/env python
...
... from pwn import *
>>>
... context.log_level = 'debug'
>>> process_name = './col'
>>> passcode = 0x21DD09EC
>>> payload = p32(passcode-4*0x01010101) + p32(0x01010101)*4
>>> p = process(argv=[process_name, payload], env={'LD_LIBRARY_PATH':'./'})
[x] Starting local process './col' argv=['./col', '\xe8\x05\xd9\x1d\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01'] env={'LD_LIBRARY_PATH': './'}
[+] Starting local process './col' argv=['./col', '\xe8\x05\xd9\x1d\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01'] env={'LD_LIBRARY_PATH': './'} : pid 319647
>>> # p = process([process_name], env={'LD_LIBRARY_PATH':'./'})
... # elf = ELF(process_name)
...
>>> p.recv()
[DEBUG] Received 0x34 bytes:
'daddy! I just managed to create a hash collision :)\n'
'daddy! I just managed to create a hash collision :)\n'
>>> p.interactive()
[*] Switching to interactive mode
[*] Process './col' stopped with exit code 0 (pid 319647)
[*] Got EOF while reading in interactive
[DEBUG] Sent 0x1 bytes:
'\r' * 0x1
[*] Got EOF while sending in interactive