독학두비니

War Games/pwnable.xyz

[pwnable.xyz] xor(50 pts) :: Write-Up

What can you access and what are you going to write? 음 아마도 xor을 해주는게 아닐까 싶네요. 문제 정보에 대해서 확인해봅시다. 여기서 딱히 볼거는 FULL RELRO때문에 GOT overwrite가 불가능하다는것말고는 딱히 없네요. PIE가 걸려있다는 것도 봐줘야 하는데 음... 이따가 다시 보도록 합시다. 일단 아이다로 까봅시다. 전체적으로 add랑 비슷한 흐름이네요. v4와 v5를 xor한 결과를 result[v6]에 넣어주네요. 이때 v4, v5, v6이 모두 우리가 설정해주는 값이기 때문에 우리가 원하는 곳으로 접근이 가능하네요. 단, v6이 9보다 작아야 하기 때문에 result의 영역보다 주소값이 작은 영역만 접근할 수 있겠네요. 또한 flag를 ..

War Games/해커스쿨 LOB

[해커스쿨 LOB] Level15: Giant >> Assassin

Level 14. Bugbear >> Giant Theme: no stack, no RTL 로그인 id : giant pw : one step closer bash2 & 코드확인 [giant@localhost giant]$ bash2 [giant@localhost giant]$ nl assassin.c 1 /* 2 The Lord of the BOF : The Fellowship of the BOF 3 - assassin 4 - no stack, no RTL 5 */ 6 #include 7 #include 8 main(int argc, char *argv[]) 9 { 10 char buffer[40]; 11 if(argc < 2){ 12 printf("argv error\n"); 13 exit(0); 1..

War Games/해커스쿨 LOB

[해커스쿨 LOB] Level14: Bugbear >> Giant

Level 14. Bugbear >> Giant Theme: RTL 로그인 id : bugbear pw : new divide bash2 & 코드확인 1 /* 2 The Lord of the BOF : The Fellowship of the BOF 3 - giant 4 - RTL2 5 */ 6 #include 7 #include 8 #include 9 main(int argc, char *argv[]) 10 { 11 char buffer[40]; 12 FILE *fp; 13 char *lib_addr, *execve_offset, *execve_addr; 14 char *ret; 15 if(argc < 2){ 16 printf("argv error\n"); 17 exit(0); 18 } 19 // gai..

War Games/해커스쿨 LOB

[해커스쿨 LOB] Level13: Darkknight >> Bugbear

Level 13. Darkknight >> Bugbear Theme: RTL 로그인 id : darkknight pw : new attacker bash2&코드확인 [darkknight@localhost darkknight]$ bash2 [darkknight@localhost darkknight]$ nl bugbear.c 1 /* 2 The Lord of the BOF : The Fellowship of the BOF 3 - bugbear 4 - RTL1 5 */ 6 #include 7 #include 8 main(int argc, char *argv[]) 9 { 10 char buffer[40]; 11 int i; 12 if(argc < 2){ 13 printf("argv error\n"); 14 ex..

War Games/해커스쿨 LOB

[해커스쿨 LOB] Level12: Golem >> Darkknight

Level 12. Golem >> Darkknight Theme: FPO 로그인 id : golem pw : cup of coffee bash2 & 코드확인 [golem@localhost golem]$ bash2 [golem@localhost golem]$ nl darkknight.c 1 /* 2 The Lord of the BOF : The Fellowship of the BOF 3 - darkknight 4 - FPO 5 */ 6 #include 7 #include 8 void problem_child(char *src) 9 { 10 char buffer[40]; 11 strncpy(buffer, src, 41); 12 printf("%s\n", buffer); 13 } 14 main(int argc..

War Games/해커스쿨 LOB

[해커스쿨 LOB] Level11: Skeleton >> Golem

Level 11. Skeleton >> Golem Theme: Stack Destroyer 로그인 id : skeleton pw : shellcoder bash2 & 코드 확인 [skeleton@localhost skeleton]$ ls golem golem.c [skeleton@localhost skeleton]$ bash2 [skeleton@localhost skeleton]$ nl golem.c 1 /* 2 The Lord of the BOF : The Fellowship of the BOF 3 - golem 4 - stack destroyer 5 */ 6 #include 7 #include 8 extern char **environ; 9 main(int argc, char *argv[]) 10 {..

War Games/해커스쿨 LOB

[해커스쿨 LOB] Level10: Vampire >> Skeleton

Level 10. Vampire >> Skeleton Theme: argv hunter 로그인 id : vampire pw : music world bash2 & 코드확인 [vampire@localhost vampire]$ bash2 [vampire@localhost vampire]$ nl skeleton.c 1 /* 2 The Lord of the BOF : The Fellowship of the BOF 3 - skeleton 4 - argv hunter 5 */ 6 #include 7 #include 8 extern char **environ; 9 main(int argc, char *argv[]) 10 { 11 char buffer[40]; 12 int i, saved_argc; 13 if(argc..

War Games/해커스쿨 LOB

[해커스쿨 LOB] Level9: Troll >> Vampire

Level 9. Troll >> Vampire Theme: Check 0xbfff 로그인 id : troll pw : aspirin bash2 잊지마시고 코드 확인해봅시다. [troll@localhost troll]$ bash2 [troll@localhost troll]$ nl vampire.c 1 /* 2 The Lord of the BOF : The Fellowship of the BOF 3 - vampire 4 - check 0xbfff 5 */ 6 #include 7 #include 8 main(int argc, char *argv[]) 9 { 10 char buffer[40]; 11 if(argc < 2){ 12 printf("argv error\n"); 13 exit(0); 14 } 15 if..

War Games/해커스쿨 LOB

[해커스쿨 LOB] Level8: Orge >> Troll

Level 8. Orge >> Troll Theme: Check argc + argv hunter 로그인 id : orge pw : timewalker bash2 입력해주시고, 코드를 확인해봅시다. [orge@localhost orge]$ bash2 [orge@localhost orge]$ nl troll.c 1 /* 2 The Lord of the BOF : The Fellowship of the BOF 3 - troll 4 - check argc + argv hunter 5 */ 6 #include 7 #include 8 extern char **environ; 9 main(int argc, char *argv[]) 10 { 11 char buffer[40]; 12 int i; 13 // here i..

War Games/pwnable.kr

[pwnable.kr] blukat(3 pts) :: Write-Up

Sometimes, pwnable is strange... hint: if this challenge is hard, you are a skilled player. ssh blukat@pwnable.kr -p2222 (pw: guest) 일단 코드 봅시다. #include #include #include #include char flag[100]; char password[100]; char* key = "3\rG[S/%\x1c\x1d#0?\rIS\x0f\x1c\x1d\x18;,4\x1b\x00\x1bp;5\x0b\x1b\x08\x45+"; void calc_flag(char* s){ int i; for(i=0; i

War Games/pwnable.kr

[pwnable.kr] asm(6 pts) :: Write-Up

Mommy! I think I know how to make shellcodes ssh asm@pwnable.kr -p2222 (pw: guest) 쉘코드 만들기..? 일단 들어가봅시다. 플래그 파일이 심상치않네요. 우선 c코드부터 봅시다. asm@pwnable:~$ cat asm.c #include #include #include #include #include #include #include #include #define LENGTH 128 void sandbox(){ scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); if (ctx == NULL) { printf("seccomp error\n"); exit(0); } seccomp_rule_add(ctx, S..

War Games/pwnable.kr

[pwnable.kr] memcpy(10 pts) :: Write-Up

Are you tired of hacking?, take some rest here. Just help me out with my small experiment regarding memcpy performance. after that, flag is yours. https://pwnable.kr/bin/memcpy.c ssh memcpy@pwnable.kr -p2222 (pw:guest) // compiled with : gcc -o memcpy memcpy.c -m32 -lm #include #include #include #include #include #include #include unsigned long long rdtsc(){ asm("rdtsc"); } char* slow_memcpy(cha..