[name=FlyDragon]
Step.1
By observing output.txt and executing the code, it can be inferred that the program flag.exe will output the flag after shuffling it.
Step.2
By examining main() using Ghidra, it can be discovered that this program reads in the contents of flag.txt and outputs them after performing specific swaps in a particular order.
order = [5, 13, 0, 12, 1, 16, 3, 2, 8, 7, 15, 4, 6, 17, 11, 10, 9]
[name=Curious]
Train of Thought & Solution
Continuing from the previous question's Writeup, after downloading app.py, you can find the following piece of code:
@app.get('/1d538e83d6f6b08f')
def secret():
    try:
        with open('/proc/sys/kernel/random/boot_id') as f:
            hint = f.readline().strip()
[name=FlyDragon]
Step.1
Download passwd and shadow
They are related to a Linux account.
Step.2
The challenge name is Johnny, which lets you know this challenge can be solved with John the Ripper.
$ unshadow passwd shadow > unshadow
[name=Curious]
Train of Thought & Solution
From chal.c, we can see that this problem has a BOF in read(0, buf, 0x40), and there is a FMT in printf(buf). Additionally, flag is a global variable, meaning it shares the same base address as main.
We know that there will be some useful addresses left on the stack at runtime, and when this binary is executed:
If we use objdump -t chal to check the offset of flag and main, we get:
Furthermore, the problem provides the last two bytes of the main address. So, all we need to do is to use BOF to overwrite the last two bytes of the main address with those of flag, and then use FMT to print out the flag.
[name=Curious]
Train of Thought & Solution
First, put chal into IDA
It can be observed that this challenge can utilize an FMT leak to obtain an address, and then utilize a One Gadget to gain shell access. Therefore, it is necessary to leak the address of the libc.
Next, let's take a look at the conditions for the One Gadget.
If you carefully examine the asm of main, you can notice that at the end, there are xor rsi, rsi and xor rdx, rdx instructions. Therefore, the conditions for the One Gadget boil down to requiring rbp - 0x78 to be writable. Since we've already leaked the libc address, we can directly use an address from the writable segment of libc to write to rbp.
[name=FlyDragon]
Step.1
http://lotuxctf.com:20008
It is an image uploader.
Upload a test.png, and you will get this message.
Uploaded at : uploads/64fd8aff877ba_test.png
[name=Curious]
Train of Thought & Solution
Continuing from the previous question LoTuX CTF Min 0, you can obtain the code for this website.
Upon analyzing, you can see in profile.php that:
$query = "SELECT * FROM users WHERE username = '" . $_SESSION["username"] . "'";
This can lead to SQL Injection, so we need to register a user with a username as a payload.
[name=Curious]
Train of Thought & Solution
Firstly, it can be observed that the website has a Git leak.
Thus, the leaked files are retrieved using GitHacker.
githacker --url http://lotuxctf.com:20006/.git/ --output-folder result
After inspecting the downloaded files and not finding the flag, we revert to a specific commit to examine.
[name=Curious]
Train of Thought & Solution
Upon entering the challenge, it was noticed that there was an image. Upon closer inspection, it was observed that this image was loaded from /uploads?file=BlankSite.png. It was hypothesized that it might be possible to exploit the file parameter to read files from the server.
If an arbitrary filename is entered:
It can be observed that the server returns an error message. Within the error message, the presence of the /app/app.py file is visible. By using ../../../../app/app.py, it is possible to download this file and obtain the flag.