This writeup has also been collected into my pwn notebook. Link
WPICTF 2020 🇺🇸
Sat, 18 April 2020, 05:00 CST — Mon, 20 April 2020, 05:00 CST
Linux
LynxVE (50pt)
Description
ssh ctf@lynxve.wpictf.xyz
pass: lynxVE
made by: acurless
Analysis
Lynx is a text-based web browser.
We can open local files in this browser through the file:// protocol:
file://localhost/etc/fstab
(Example from Wikipedia)
Solution
Type G and enter the URL file:/// to browse local files.
Finally we can find the flag in the folder /home/ctf/ and read it:
WPI{lynX_13_Gr8or_Th@n_Chr0m1Um}
Suckmore Shell 2.0 (200pt)
Description
After its abysmal performance at WPICTF 2019, suckmore shell v1 has been replaced with a more secure, innovative and performant version, aptly named suckmore shell V2.
ssh smsh@smsh.wpictf.xyz
pass: suckmore>suckless
made by: acurless
Solution
Several kinds of commands can be used to leak the contents of files:
- file viewers (more)
- compress/decompress commands (xz, tar, bzip2)
- language interpreters/assemblers (perl, as)
File viewer
Use the more command to view the flag directly:
> more flag
Compress/decompress
Some commands (with or without options) print the contents of a file during the compression/decompression process:
> xz flag
> tar cvf a.tar flag
> bzip2 flag
Language interpreter/assembler
The error output of a language interpreter or assembler may include the contents of the file it was asked to process:
> perl flag
> as flag
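The defensive counterpart of the list above: before allowlisting a command in a restricted shell, check whether it can echo a file's contents on stdout or stderr. This is an added example, not part of the original writeup; it runs each candidate command against a constructed canary file in a scratch directory, and the verdicts depend on the installed implementation and on how the restricted shell wires up stdout/stderr (which is why xz and tar may show as "ok" on a normal system).

```shell
#!/bin/sh
# Added example: audit whether commands a restricted shell would allowlist can
# be abused as file readers. Only ever run against the constructed canary file.
set -u

# leaks_file CANARY CMD [ARGS...]
# Writes CANARY to a scratch file, runs "CMD ARGS... <file>", and returns
#   0 if the canary appears in combined stdout+stderr (command leaks file contents)
#   1 if it does not
#   2 if CMD is not installed
leaks_file() {
    canary=$1; shift
    command -v "$1" >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    printf '%s\n' "$canary" > "$dir/probe"
    # Run inside the scratch dir so side-effect files (probe.xz, a.tar, a.out)
    # land there; stdin is /dev/null so pagers such as `more` do not block.
    # A non-zero exit is expected for perl/as, so it is deliberately ignored.
    out=$(cd "$dir" && "$@" probe </dev/null 2>&1) || :
    rc=1
    case $out in *"$canary"*) rc=0 ;; esac
    rm -rf "$dir"
    return $rc
}

# audit_allowlist [CANARY]
# Checks the command lines the writeup used (file name appended) and prints a
# verdict per command; the return value is the number of leaking commands.
audit_allowlist() {
    canary=${1:-CANARY-$$-constructed}
    leaks=0
    for cmd in "more" "xz" "tar cvf a.tar" "bzip2" "perl" "as"; do
        set -- $cmd   # word-split the command line on purpose
        leaks_file "$canary" "$@"
        case $? in
            0) echo "LEAK    $cmd"; leaks=$((leaks + 1)) ;;
            1) echo "ok      $cmd" ;;
            *) echo "missing $cmd" ;;
        esac
    done
    return $leaks
}
```

Run audit_allowlist on the host that will serve the restricted shell; any "LEAK" line is a command that should not be on the allowlist, or needs its stdout/stderr discarded.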
Pwn
dorsia1 (100pt)
Description
http://us-east-1.linodeobjects.com/wpictf-challenge-files/dorsia.webm The first card.
nc dorsia1.wpictf.xyz 31337 or 31338 or 31339
made by: awg
Hint: Same libc as dorsia4, but you shouldn’t need the file to solve.
Attachment
dorsia1 (not given; I downloaded it after getting a shell)
Analysis
We can get the source code of this challenge from the first card:
system+765772 is the address of a one-gadget in libc 2.27, and there is a stack buffer overflow. So we can overwrite the return address with the address of the one-gadget.
Solution
We can't get the precise offset between buffer a and the return address, but we know the approximate range, so we try each candidate:
for i in range(4,20):
The final offset is 77.
More
You can download the full exploit from my GitHub.
dorsia3 (250pt)
Description
http://us-east-1.linodeobjects.com/wpictf-challenge-files/dorsia.webm The third card.
nc dorsia3.wpictf.xyz 31337 or 31338 or 31339
made by: awg
Attachment
Analysis
The third card: system-288 is the address of a one-gadget in libc, and a is a buffer on the stack. There is a format string vulnerability, and we can use it to overwrite the return address with the address of the one-gadget.
Solution
A very common format-string attack:
stack = eval(p.recv(10))
More
You can download the full exploit from my GitHub.