RCTF 2017 Writeup (post-mortem)
I took part in RCTF 2017 and finished 176th with 185 points.
Sign In (Misc 32)
Please join #rctf2017 on Freenode. And the flag is in topic.
Format: RCTF{...}
RCTF{Welcome_To_RCTF_2017}
easyre (Reverse 153)
A 32-bit ELF executable.
$ file easy_re
easy_re: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, corrupted section header size
Running it under strace shows that it writes out a second ELF executable, then unlinks it.
$ strace -i ./easy_re
[00007f29d9c1dbc7] execve("./easy_re", ["./easy_re"], [/* 20 vars */]) = 0
strace: [ Process PID=6426 runs in 32 bit mode. ]
[080482a9] getpid() = 6426
[080482f1] open("/proc/6426/exe", O_RDONLY) = 3
[08048314] lseek(3, 1588, SEEK_SET) = 1588
[08048238] read(3, "w\24\7\0t\35\0\0t\35\0\0", 12) = 12
[08048379] gettimeofday({2057282240221484, 3762246642832666671}, NULL) = 0
[080483ad] unlink("AAAAAAAAAW3PZK1AGI0") = -1 ENOENT (No such file or directory)
[080483d2] open("AAAAAAAAAW3PZK1AGI0", O_WRONLY|O_CREAT|O_EXCL, 0700) = 4
[080483e2] ftruncate(4, 7540) = 0
[080483f8] mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf776b000
[08048238] read(3, "t\35\0\0\220\n\0\0", 8) = 8
[08048238] read(3, "\177?d\371\177ELF\1\0\2\0\3\0\r@\205\4\377o\263\335\0104\7p\21\27\v \0\10"..., 2704) = 2704
[08048484] write(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0@\205\4\0104\0\0\0"..., 7540) = 7540
[08048238] read(3, "\0\0\0\0UPX!", 8) = 8
[080484a5] unlink("AAAAAAAAAW3PZK1AGI0") = 0
[080484b1] exit(127) = ?
[????????] +++ exited with 127 +++
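The create-write-unlink sequence in that trace is the generic "drop a binary, run it, delete it" pattern, and it is worth being able to spot it in a trace without reading every line. The script below is an added example and is not part of the original writeup: it parses strace output (with the instruction-pointer prefix that `strace -i` adds) and reports every file the process created, wrote to and then unlinked, noting whether the first write began with an ELF header. The embedded trace lines are copied, abridged, from the strace output above; the function and variable names are my own.

```python
import re

# strace lines copied (abridged) from the trace in this writeup; with
# `strace -i` every syscall is prefixed by the instruction pointer in brackets.
SAMPLE_TRACE = r'''
[080482a9] getpid()                         = 6426
[080482f1] open("/proc/6426/exe", O_RDONLY) = 3
[08048314] lseek(3, 1588, SEEK_SET)         = 1588
[080483ad] unlink("AAAAAAAAAW3PZK1AGI0")    = -1 ENOENT (No such file or directory)
[080483d2] open("AAAAAAAAAW3PZK1AGI0", O_WRONLY|O_CREAT|O_EXCL, 0700) = 4
[080483e2] ftruncate(4, 7540)               = 0
[08048484] write(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0@\205\4\0104\0\0\0"..., 7540) = 7540
[080484a5] unlink("AAAAAAAAAW3PZK1AGI0")    = 0
[080484b1] exit(127)                        = ?
[????????] +++ exited with 127 +++
'''

# "[ip] name(args) = retval ..."; the greedy group backtracks to the ')' that is
# followed by '=', so parentheses inside the errno text do not confuse it.
LINE_RE = re.compile(r'^\[[0-9a-f?]+\]\s+(\w+)\((.*)\)\s*=\s*(\S+)')


def _int(s):
    """Parse a decimal/hex strace number; '?' (no return value) becomes None."""
    try:
        return int(s, 0)
    except ValueError:
        return None


def split_args(s):
    """Split a syscall argument list on top-level commas, honouring the
    double-quoted, backslash-escaped strings strace uses for buffers."""
    args, cur, in_str, esc = [], [], False, False
    for ch in s:
        if in_str:
            cur.append(ch)
            if esc:
                esc = False
            elif ch == '\\':
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == ',':
            args.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        args.append(''.join(cur).strip())
    return args


def find_dropped_files(trace_text):
    """Return one finding per file the traced process created, wrote and then
    unlinked; 'elf' is True when the first write started with the ELF magic."""
    fds = {}       # fd -> path of a file this process created
    created = {}   # path -> {'bytes': total written, 'elf': bool}
    findings = []
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, args, ret = m.group(1), split_args(m.group(2)), _int(m.group(3))
        if ret is None:
            continue
        if name in ('open', 'openat', 'creat'):
            i = 1 if name == 'openat' else 0          # openat(dirfd, path, flags, ...)
            flags = args[i + 1] if len(args) > i + 1 else ''
            if ret >= 0 and (name == 'creat' or 'O_CREAT' in flags):
                path = args[i].strip('"')
                fds[ret] = path
                created.setdefault(path, {'bytes': 0, 'elf': False})
        elif name == 'write' and ret > 0 and _int(args[0]) in fds:
            info = created[fds[_int(args[0])]]
            if info['bytes'] == 0 and args[1].startswith('"\\177ELF'):
                info['elf'] = True
            info['bytes'] += ret
        elif name == 'close':
            fds.pop(_int(args[0]), None)
        elif name == 'unlink' and ret == 0:
            path = args[0].strip('"')
            if path in created:
                info = created.pop(path)
                findings.append({'path': path, 'bytes': info['bytes'], 'elf': info['elf']})
    return findings


if __name__ == '__main__':
    for f in find_dropped_files(SAMPLE_TRACE):
        print('dropped and deleted: %(path)s (%(bytes)d bytes, ELF=%(elf)s)' % f)
```

On the trace above it reports the single file `AAAAAAAAAW3PZK1AGI0`, 7540 bytes, ELF header present. Because the name is derived from `gettimeofday`, the path changes on every run, which is why the gdb session later in this post sees a different file name; keying the match on the fd and the unlink target rather than on a fixed name keeps the check independent of that.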
Running it under gdb and stopping just before the unlink lets us grab the file. The objdump listing shows the unlink syscall (eax=0xa) at file offset 0x4a3, i.e. 0x080484a3 once loaded, so that is where the breakpoint goes.
$ objdump -D -b binary -m i386 easy_re | grep -C3 '4a5:'
 499: b8 0a 00 00 00    mov eax,0xa
 49e: bb 08 96 04 08    mov ebx,0x8049608
 4a3: cd 80             int 0x80
 4a5: bb 7f 00 00 00    mov ebx,0x7f
 4aa: b8 01 00 00 00    mov eax,0x1
 4af: cd 80             int 0x80
 4b1: eb f2             jmp 0x4a5
$ gdb ./easy_re
Reading symbols from ./easy_re...(no debugging symbols found)...done.
(gdb) b *0x080484a3
Breakpoint 1 at 0x80484a3
(gdb) r
Starting program: /home/user/tmp/20170521_rctf/easy_re

Breakpoint 1, 0x080484a3 in ?? ()
1: x/i $pc
=> 0x80484a3:   int 0x80
(gdb) quit
A debugging session is active.

        Inferior 1 [process 6485] will be killed.

Quit anyway? (y or n) y
$ ls -al
total 24056
drwxr-xr-x 4 user user 4096 May 21 22:10 ./
drwxr-xr-x 9 user user 4096 May 21 04:25 ../
-rwx------ 1 user user 7540 May 21 22:10 AAAAAAAAA0H0BOBAGKV*
$ file AAAAAAAAA0H0BOBAGKV
AAAAAAAAA0H0BOBAGKV: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.15, BuildID[sha1]=f4ac362f7b89fbd142b55e02d1cc4906d669be44, not stripped
Reading the disassembly, it looks like the lol function is what prints the flag: one side of its final branch does printf("%s", buf) on a stack buffer at [ebp-0x13], the other prints 'flag_is_not_here'.
$ python ~/tmp/minipwn/objdump.py AAAAAAAAA0H0BOBAGKV
(snip)
080485f4 <lol>:
sub_80485f4:
80485f4: 55                      push ebp
80485f5: 89 e5                   mov ebp,esp
...
80486b0: c7 45 f4 00 00 00 00    mov DWORD PTR [ebp-0xc],0x0
80486b7: 83 7d f4 01             cmp DWORD PTR [ebp-0xc],0x1
80486bb: 75 16                   jne 80486d3 <lol+0xdf>
80486bd: b8 c0 88 04 08          mov eax,0x80488c0 ; '%s'
80486c2: 8d 55 ed                lea edx,[ebp-0x13]
80486c5: 89 54 24 04             mov DWORD PTR [esp+0x4],edx
80486c9: 89 04 24                mov DWORD PTR [esp],eax
80486cc: e8 ff fd ff ff          call 80484d0 <printf@plt>
80486d1: eb 0d                   jmp 80486e0 <lol+0xec>
loc_80486d3:
80486d3: b8 c3 88 04 08          mov eax,0x80488c3 ; 'flag_is_not_here'
80486d8: 89 04 24                mov DWORD PTR [esp],eax
80486db: e8 f0 fd ff ff          call 80484d0 <printf@plt>
loc_80486e0:
80486e0: c9                      leave
80486e1: c3                      ret
(snip)
loc_80487bc:
80487bc: b8 24 89 04 08          mov eax,0x8048924 ; '\nYou got the key\n '
80487c1: 89 04 24                mov DWORD PTR [esp],eax
80487c4: e8 07 fd ff ff          call 80484d0 <printf@plt>
80487c9: 8d 44 24 2e             lea eax,[esp+0x2e]
80487cd: 89 04 24                mov DWORD PTR [esp],eax
80487d0: e8 1f fe ff ff          call 80485f4 <lol>
(snip)
So run the program under gdb until it reaches lol, stop just before that final branch (the jne at 0x80486bb), and read the string that the printf("%s") side would have printed. The program forks a child and asks for its pid ("I forgot kid's id"), so in the session below I interrupt with ^C, look up the child's pid with ps from a gdb shell, and type it in; the breakpoint is then hit and the buffer is read straight off the stack.
$ gdb ./AAAAAAAAA0H0BOBAGKV
Reading symbols from ./AAAAAAAAA0H0BOBAGKV...(no debugging symbols found)...done.
(gdb) set follow-fork-mode parent
(gdb) b *0x80486bb
Breakpoint 1 at 0x80486bb
(gdb) r
Starting program: /tmp/AAAAAAAAA0H0BOBAGKV
OMG!!!! I forgot kid's id
Ready to exit
^C
Program received signal SIGINT, Interrupt.
0xf7fd8be9 in __kernel_vsyscall ()
1: x/i $pc
=> 0xf7fd8be9 <__kernel_vsyscall+9>:    pop ebp
(gdb) shell
$ ps auxf | grep AAAA
user      6666  0.5  0.9  63772 20072 pts/0    S    22:20   0:00  |   \_ gdb -q -nh -x /home/user/.gdbinit ./AAAAAAAAA0H0BOBAGKV
user      6668  0.0  0.0   2192   612 pts/0    t    22:20   0:00  |       \_ /tmp/AAAAAAAAA0H0BOBAGKV
user      6672  0.0  0.0      0     0 pts/0    Z    22:20   0:00  |       |   \_ [AAAAAAAAA0H0BOB] <defunct>
user      6684  0.0  0.0  11284   900 pts/0    S+   22:20   0:00  |   \_ grep --color=auto AAAA
$ exit
(gdb) c
Continuing.
6672
You got the key

Breakpoint 1, 0x080486bb in lol ()
1: x/i $pc
=> 0x80486bb <lol+199>: jne 0x80486d3 <lol+223>
(gdb) x/s $ebp-0x13
0xffffdb45:     "rhelheg"
(gdb) quit
A debugging session is active.

        Inferior 1 [process 6668] will be killed.

Quit anyway? (y or n) y
That string was the flag.
RCTF{rhelheg}
Thoughts
Solving only a single low-point problem is rough. The other problems I wanted to get to are listed below.