![[pwnable.kr] uaf(8 pts) :: Write-Up 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcuUmyq%2FbtqFNQcLvEq%2Fe6oJ3eOZkykr5c9mpAxuHk%2Fimg.png)
War Games/pwnable.kr
[pwnable.kr] uaf(8 pts) :: Write-Up
Mommy, what is Use After Free bug? ssh uaf@pwnable.kr -p2222 (pw: guest) Use After Free라.... bof만 다루다가 바로 heap문제가 나와서 당황스럽지만, 아무튼 해봅시다. Use After Free에 대한 글: https://dokhakdubini.tistory.com/35?category=809542 [Heap Exploit] UAF(Use After Free)기법 이론설명 Heap Exploit UAF(Use After Free)기법 이론설명 당분간은 Heap의 취약점 분석을 할 것인데요, 오늘은 UAF(Use After Free)기법입니다. UAF기법을 들어가기 전에, Heap구조가 무엇인지 알아야겠죠? 모른다면, 공부. dok..
![[pwnable.kr] cmd2(9 pts) :: Write-Up 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fshjb8%2FbtqFNsJ6flG%2Fd4QxEOIkeTRg8nQN8WLwK1%2Fimg.png)
War Games/pwnable.kr
[pwnable.kr] cmd2(9 pts) :: Write-Up
Daddy bought me a system command shell. but he put some filters to prevent me from playing with it without his permission... but I wanna play anytime I want! ssh cmd2@pwnable.kr -p2222 (pw: flag of cmd1) cmd1 플래그 복사 안해놔서 한참 고생했네요. 아무튼 들어가면 대충 cmd1과 비슷한 맥락이네요. 우선 delete_env()함수를 통해 외부 환경변수를 모두 제가하고, PATH를 /no_command_execution_until_you_become_a_hacker로 바꾸고, filter함수로 =, PATH, export, /, `, flag를..
![[해커스쿨 LOB] Level7: Darkelf >> Orge 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FoLpsH%2FbtqFNDSTUcb%2FnQoH7Gg1QXasWvM19z9VD1%2Fimg.png)
War Games/해커스쿨 LOB
[해커스쿨 LOB] Level7: Darkelf >> Orge
Level 7. Darkelf >> Orge Theme: Check argv[0] (Symbolic Link) 로그인 id: darkelf pw: kernel crashed bash2 필수필수~ [darkelf@localhost darkelf]$ bash2 [darkelf@localhost darkelf]$ nl orge.c 1 /* 2 The Lord of the BOF : The Fellowship of the BOF 3 - orge 4 - check argv[0] 5 */ 6 #include 7 #include 8 extern char **environ; 9 main(int argc, char *argv[]) 10 { 11 char buffer[40]; 12 int i; 13 if(argc < 2)..
![[pwnable.kr] cmd1(1 pts) :: Write-Up 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FEyOc5%2FbtqFOMUUTiY%2FFPBPa7dKTP5vi5oPJNGlk0%2Fimg.png)
War Games/pwnable.kr
[pwnable.kr] cmd1(1 pts) :: Write-Up
Mommy! what is PATH environment in Linux? ssh cmd1@pwnable.kr -p2222 (pw: guest) 환경변수 관련한 문제인가 보네요. 접속합시다. 우선 PATH라는 환경변수에다가 /thankyouverymuch를 집어넣고, argv[1]을 filter함수에 넣어서 함수의 리턴값이 0이여야 하네요. filter함수는 들어온 문자열에 flag, sh, tmp가 있는지 확인합니다. 그러면 putenv("PATH=/thankyouverymuch");가 실행되면서 일어나는 일에 대해서 생각해봅시다. 우선 왜 환경변수를 이용할까요? 환경변수는 일종의 즐겨찾기입니다. 우리가 가장 많이 쓰는 리눅스 명령어인 cat, ls, 등등은 모두 bin이라는 폴더 안에있는 명령입니다...
![[해커스쿨 LOB] Level6: Wolfman >> Darkelf 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcMXjpm%2FbtqFLsJ0pWE%2FKtgo9pnw7fKUizXjqPFAT1%2Fimg.png)
War Games/해커스쿨 LOB
[해커스쿨 LOB] Level6: Wolfman >> Darkelf
Level 6. Wolfman >> Darkelf Theme: Egghunter + Buffer Hunter + check length of argv[1] 로그인! id: wolfman pw: love eyuna bash2 잊지 마시고, 코드 분석해봅시다. [wolfman@localhost wolfman]$ bash2 [wolfman@localhost wolfman]$ nl darkelf.c 1 /* 2 The Lord of the BOF : The Fellowship of the BOF 3 - darkelf 4 - egghunter + buffer hunter + check length of argv[1] 5 */ 6 #include 7 #include 8 extern char **environ; 9 ..
![[pwnable.kr] lotto(2 pts) :: Write-Up 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FdbPPxA%2FbtqFDxYmMy8%2FTfWSikQ2Tc479HbPN5CkoK%2Fimg.png)
War Games/pwnable.kr
[pwnable.kr] lotto(2 pts) :: Write-Up
Mommy! I made a lotto program for my homework. do you want to play? ssh lotto@pwnable.kr -p2222 (pw: guest) lotto@pwnable:~$ nl lotto.c 1#include 2#include 3#include 4#include 5unsigned char submit[6]; 6void play(){ 7 8int i; 9printf("Submit your 6 lotto bytes : "); 10fflush(stdout); 11int r; 12r = read(0, submit, 6); 13printf("Lotto Start!\n"); 14//sleep(1); 15// generate lotto numbers 16int fd..
![[pwnable.kr] blackjack(1 pts) :: Write-Up 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbkqBpV%2FbtqFBX3rCpp%2FsAxCsxHpKvpzPVS0p1LXjk%2Fimg.png)
War Games/pwnable.kr
[pwnable.kr] blackjack(1 pts) :: Write-Up
Hey! check out this C implementation of blackjack game! I found it online * cboard.cprogramming.com/c-programming/114023-simple-blackjack-program.html I like to give my flags to millionares. how much money you got? Running at : nc pwnable.kr 9009 https://cboard.cprogramming.com/c-programming/114023-simple-blackjack-program.html Simple Blackjack Program Replies: 5 Last Post: 12-19-2006, 06:06 PM ..
![[pwnable.kr] coin1(6 pts) :: Write-Up 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbDBpED%2FbtqFzHHA2KZ%2FWQ2CRyFCWleZzuBjtApBx0%2Fimg.png)
War Games/pwnable.kr
[pwnable.kr] coin1(6 pts) :: Write-Up
Mommy, I wanna play a game! (if your network reponse time is too slow, try nc 0 9007 inside pwnable.kr server) Running at : nc pwnable.kr 9007 보니까 진짜 동전은 무게가 10이고, 가짜 동전은 무게가 9인데, 무게의 합을 통해 가짜 동전을 찾아달라는 게임이네요. 두개씩 비교를 한다면 N/2번 비교를 해야하지만, 주어지는 C는 N/2보다 터무니없이 값이 작습니다. 따라서 이원탐색, Binary Search를 사용하면 좋을 것 같네요. Binary Search에 대한 기본적인 내용은 다음과 같습니다: https://dokhakdubini.tistory.com/175?category=847037 [..
![[pwnable.kr] shellshock(1 pts) :: Write-Up 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FdFDoxJ%2FbtqFtxyY5Cq%2F49ZiGJJfw4eUgcgiar9DU0%2Fimg.png)
War Games/pwnable.kr
[pwnable.kr] shellshock(1 pts) :: Write-Up
Mommy, there was a shocking news about bash. I bet you already know, but lets just make it sure :) ssh shellshock@pwnable.kr -p2222 (pw:guest) bash에 대한 문제인가봅니다. #include int main(){ setresuid(getegid(), getegid(), getegid()); setresgid(getegid(), getegid(), getegid()); system("/home/shellshock/bash -c 'echo shock_me'"); return 0; } 단순히 bash를 실행시킨 후, 명령어를 실행합니다. shellshock를 실행시켜 얻은 bash권한으로 flag를..
![[pwnable.kr] mistake(1 pts) :: Write-Up 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FR8U8l%2FbtqFrVeEIyz%2FyjinEHQkXGr25c0oMvIe21%2Fimg.png)
War Games/pwnable.kr
[pwnable.kr] mistake(1 pts) :: Write-Up
We all make mistakes, let's move on. (don't take this too seriously, no fancy hacking skill is required at all) This task is based on real event Thanks to dhmonkey hint : operator priority ssh mistake@pwnable.kr -p2222 (pw: guest) mistake@ubuntu:~$ cat mistake.c #include #include #define PW_LEN 10 #define XORKEY 1 void xor(char* s, int len){ int i; for(i=0; i 0)){ printf("read error\n"); close(f..
![[pwnable.kr] leg(2 pts) :: Write-Up 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fk5wll%2FbtqCinRStPF%2Ffd6PnyCqjayKtER4Cy8JO0%2Fimg.png)
War Games/pwnable.kr
[pwnable.kr] leg(2 pts) :: Write-Up
Daddy told me I should study arm. But I prefer to study my leg! Download : http://pwnable.kr/bin/leg.c Download : http://pwnable.kr/bin/leg.asm ssh leg@pwnable.kr -p2222 (pw:guest) 우선 c코드를 봅시다. #include #include int key1(){ asm("mov r3, pc\n"); } int key2(){ asm( "push{r6}\n" "addr6, pc, $1\n" "bxr6\n" ".code 16\n" "movr3, pc\n" "addr3, $0x4\n" "push{r3}\n" "pop{pc}\n" ".code32\n" "pop{r6}\n" );..
![[pwnable.kr] input(4 pts) :: Write-Up 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbScOHM%2FbtqChFkydaB%2F7dNE9C61sraKK28J31iPK0%2Fimg.png)
War Games/pwnable.kr
[pwnable.kr] input(4 pts) :: Write-Up
Mom? how can I pass my input to a computer program? ssh input2@pwnable.kr -p2222 (pw:guest) input2@pwnable:~$ cat input.c #include #include #include #include #include int main(int argc, char* argv[], char* envp[]){ printf("Welcome to pwnable.kr\n"); printf("Let's see if you know how to give input to program\n"); printf("Just give me correct inputs then you will get the flag :)\n"); // argv if(ar..
독학두비니
절.대.독.학.해
📚 평소 공부한 걸 올리는 공간입니다. 💻 보안에 관심있는 대학생입니다! 🎨 Photoshop for fun. 🎭 틀린 내용이 있다면 댓글 부탁드릴게요~
