RCTF 2017 供養(Writeup)
RCTF 2017に参加。185ptで176位。
Sign In (Misc 32)
Please join #rctf2017 on Freenode. And the flag is in topic.
Format: RCTF{...}
RCTF{Welcome_To_RCTF_2017}
easyre (Reverse 153)
32 bit ELF実行ファイル。
$ file easy_re easy_re: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, corrupted section header size
straceすると別のELF実行ファイルを書き出していることがわかる。
$ strace -i ./easy_re
[00007f29d9c1dbc7] execve("./easy_re", ["./easy_re"], [/* 20 vars */]) = 0
strace: [ Process PID=6426 runs in 32 bit mode. ]
[080482a9] getpid() = 6426
[080482f1] open("/proc/6426/exe", O_RDONLY) = 3
[08048314] lseek(3, 1588, SEEK_SET) = 1588
[08048238] read(3, "w\24\7\0t\35\0\0t\35\0\0", 12) = 12
[08048379] gettimeofday({2057282240221484, 3762246642832666671}, NULL) = 0
[080483ad] unlink("AAAAAAAAAW3PZK1AGI0") = -1 ENOENT (No such file or directory)
[080483d2] open("AAAAAAAAAW3PZK1AGI0", O_WRONLY|O_CREAT|O_EXCL, 0700) = 4
[080483e2] ftruncate(4, 7540) = 0
[080483f8] mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf776b000
[08048238] read(3, "t\35\0\0\220\n\0\0", 8) = 8
[08048238] read(3, "\177?d\371\177ELF\1\0\2\0\3\0\r@\205\4\377o\263\335\0104\7p\21\27\v \0\10"..., 2704) = 2704
[08048484] write(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0@\205\4\0104\0\0\0"..., 7540) = 7540
[08048238] read(3, "\0\0\0\0UPX!", 8) = 8
[080484a5] unlink("AAAAAAAAAW3PZK1AGI0") = 0
[080484b1] exit(127) = ?
[????????] +++ exited with 127 +++
gdbでunlink直前まで実行して、ファイルを得る。
$ objdump -D -b binary -m i386 easy_re | grep -C3 '4a5:'
499: b8 0a 00 00 00 mov eax,0xa
49e: bb 08 96 04 08 mov ebx,0x8049608
4a3: cd 80 int 0x80
4a5: bb 7f 00 00 00 mov ebx,0x7f
4aa: b8 01 00 00 00 mov eax,0x1
4af: cd 80 int 0x80
4b1: eb f2 jmp 0x4a5
$ gdb ./easy_re
Reading symbols from ./easy_re...(no debugging symbols found)...done.
(gdb) b *0x080484a3
Breakpoint 1 at 0x80484a3
(gdb) r
Starting program: /home/user/tmp/20170521_rctf/easy_re
Breakpoint 1, 0x080484a3 in ?? ()
1: x/i $pc
=> 0x80484a3: int 0x80
(gdb) quit
A debugging session is active.
Inferior 1 [process 6485] will be killed.
Quit anyway? (y or n) y
$ ls -al
total 24056
drwxr-xr-x 4 user user 4096 May 21 22:10 ./
drwxr-xr-x 9 user user 4096 May 21 04:25 ../
-rwx------ 1 user user 7540 May 21 22:10 AAAAAAAAA0H0BOBAGKV*
$ file AAAAAAAAA0H0BOBAGKV
AAAAAAAAA0H0BOBAGKV: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.15, BuildID[sha1]=f4ac362f7b89fbd142b55e02d1cc4906d669be44, not stripped
アセンブリコードを読むと、lol関数でflagが出力されていることが推測できる。
$ python ~/tmp/minipwn/objdump.py AAAAAAAAA0H0BOBAGKV (snip) 080485f4 <lol>: sub_80485f4: 80485f4: 55 push ebp 80485f5: 89 e5 mov ebp,esp ... 80486b0: c7 45 f4 00 00 00 00 mov DWORD PTR [ebp-0xc],0x0 80486b7: 83 7d f4 01 cmp DWORD PTR [ebp-0xc],0x1 80486bb: 75 16 jne 80486d3 <lol+0xdf> 80486bd: b8 c0 88 04 08 mov eax,0x80488c0 ; '%s' 80486c2: 8d 55 ed lea edx,[ebp-0x13] 80486c5: 89 54 24 04 mov DWORD PTR [esp+0x4],edx 80486c9: 89 04 24 mov DWORD PTR [esp],eax 80486cc: e8 ff fd ff ff call 80484d0 <printf@plt> 80486d1: eb 0d jmp 80486e0 <lol+0xec> loc_80486d3: 80486d3: b8 c3 88 04 08 mov eax,0x80488c3 ; 'flag_is_not_here' 80486d8: 89 04 24 mov DWORD PTR [esp],eax 80486db: e8 f0 fd ff ff call 80484d0 <printf@plt> loc_80486e0: 80486e0: c9 leave 80486e1: c3 ret (snip) loc_80487bc: 80487bc: b8 24 89 04 08 mov eax,0x8048924 ; '\nYou got the key\n ' 80487c1: 89 04 24 mov DWORD PTR [esp],eax 80487c4: e8 07 fd ff ff call 80484d0 <printf@plt> 80487c9: 8d 44 24 2e lea eax,[esp+0x2e] 80487cd: 89 04 24 mov DWORD PTR [esp],eax 80487d0: e8 1f fe ff ff call 80485f4 <lol> (snip)
gdbでlol関数を実行し、最後の分岐の直前で止め、分岐の片方で出力される文字列を得る。
$ gdb ./AAAAAAAAA0H0BOBAGKV
Reading symbols from ./AAAAAAAAA0H0BOBAGKV...(no debugging symbols found)...done.
(gdb) set follow-fork-mode parent
(gdb) b *0x80486bb
Breakpoint 1 at 0x80486bb
(gdb) r
Starting program: /tmp/AAAAAAAAA0H0BOBAGKV
OMG!!!! I forgot kid's id
Ready to exit
^C
Program received signal SIGINT, Interrupt.
0xf7fd8be9 in __kernel_vsyscall ()
1: x/i $pc
=> 0xf7fd8be9 <__kernel_vsyscall+9>: pop ebp
(gdb) shell
$ ps auxf | grep AAAA
user 6666 0.5 0.9 63772 20072 pts/0 S 22:20 0:00 | \_ gdb -q -nh -x /home/user/.gdbinit ./AAAAAAAAA0H0BOBAGKV
user 6668 0.0 0.0 2192 612 pts/0 t 22:20 0:00 | \_ /tmp/AAAAAAAAA0H0BOBAGKV
user 6672 0.0 0.0 0 0 pts/0 Z 22:20 0:00 | | \_ [AAAAAAAAA0H0BOB] <defunct>
user 6684 0.0 0.0 11284 900 pts/0 S+ 22:20 0:00 | \_ grep --color=auto AAAA
$ exit
(gdb) c
Continuing.
6672
You got the key
Breakpoint 1, 0x080486bb in lol ()
1: x/i $pc
=> 0x80486bb <lol+199>: jne 0x80486d3 <lol+223>
(gdb) x/s $ebp-0x13
0xffffdb45: "rhelheg"
(gdb) quit
A debugging session is active.
Inferior 1 [process 6668] will be killed.
Quit anyway? (y or n) y
これがフラグだった。
RCTF{rhelheg}
所感
低得点問題1問しか解けず厳しい。他に解きたかった問題は以下。
