๋ณธ๋ฌธ ๋ฐ”๋กœ๊ฐ€๊ธฐ
  • Tried. Failed. Logged.
728x90

๐ŸดCTF/DreamHack35

DreamHack - blind-command ํ’€์ด https://dreamhack.io/wargame/challenges/73 blind-command Read the flag file XD Reference Server-side Basic Server-side Advanced - Command Injection dreamhack.io ํ•ด๊ฒฐ ์กฐ๊ฑด ์‚ฌ์šฉ์ž๋กœ๋ถ€ํ„ฐ GET Method๋ฅผ ์š”์ฒญ๋ฐ›์•„์•ผ ํ•จ cmd๋ผ๋Š” GET ํŒŒ๋ผ๋ฏธํ„ฐ ๊ฐ’์„ ์ „๋‹ฌ๋ฐ›์•„์•ผ ํ•จ request.method๊ฐ€ GET์ด ์•„๋‹ˆ์–ด์•ผ ํ•จ ํ•ด๊ฒฐ ์กฐ๊ฑด 1๋ฒˆ๊ณผ 3๋ฒˆ์ด ์ข€ ๋ชจ์ˆœ์ด ๋œ๋‹ค. ์ฝ”๋“œ์˜ 7๋ฒˆ์งธ ๋ผ์ธ @app.route('/' , methods=['GET'])์— ์ธํ•ด GET ์™ธ์— ๋‹ค๋ฅธ Method๋ฅผ ์ „์†กํ•˜๋ฉด 405(METHOD NOT ALLOWED) ์—๋Ÿฌ๊ฐ€ ๋ฐœ์ƒํ•œ๋‹ค. ํ•˜์ง€๋งŒ 14๋ฒˆ์งธ ๋ผ์ธ if๋ฌธ์— ์˜ํ•ด .. 2023. 9. 7.
DreamHack - Robot Only ํ’€์ด https://dreamhack.io/wargame/challenges/680/ Robot Only Description ๋กœ๋ด‡๋งŒ ์ด์šฉํ•  ์ˆ˜ ์žˆ๋Š” ๋„๋ฐ•์žฅ์ด์—์š”. ๋กœ๋ด‡์ž„์„ ์ธ์ฆํ•˜๊ณ  ๊ฒฝ๊ธฐ์—์„œ ์ด๊ฒจ ํ”Œ๋ž˜๊ทธ๋ฅผ ๊ตฌ๋งคํ•˜์„ธ์š”! dreamhack.io ์ฃผ์š” ํ•จ์ˆ˜ - verify() def verify(): global verified if verified is True: print('you have already been verified as a robot :]') return randn224 = (get_randn() | get_randn() ')) print('answer is [{0}]!'.format(answer)) if user_answer == answer: print('you earned ${0}.'.for.. 2023. 5. 24.
DreamHack - Mitigation: Stack Canary ์‹ค์Šต ๋ฌธ์ œ(์นด๋‚˜๋ฆฌ ๊ฐ’ ๊ตฌํ•˜๊ธฐ) https://learn.dreamhack.io/112#p2477 ๋กœ๊ทธ์ธ | Dreamhack dreamhack.io ์šฐ์„  a๋ฅผ 8๊ฐœ ์ดํ•˜๋กœ ์ž…๋ ฅํ•  ๊ฒฝ์šฐ ์•„๋ฌด๋Ÿฐ ๋ฌธ์ œ๋Š” ์—†์–ด ๋ณด์ธ๋‹ค. ๋งŒ์ผ a๋ฅผ 9๊ฐœ๋ฅผ ์ž…๋ ฅํ•˜๊ฒŒ ๋œ๋‹ค๋ฉด ๋’ท๋ถ€๋ถ„์— tTc(xU8๋ผ๋Š” ์ด์ƒํ•œ ๊ฐ’์ด ๋ถ™๋Š”๋‹ค. ๋ฉ”๋ชจ๋ฆฌ๋ฅผ ๋ˆˆ์œผ๋กœ ํ™•์ธํ•˜๋ฉด ์นด๋‚˜๋ฆฌ ์˜์—ญ์—๋Š” ์ €๋Ÿฐ ์‹์œผ๋กœ ๊ฐ’์ด ์ €์žฅ๋ผ์žˆ๋Š” ๊ฒƒ์ด๋‹ค. ์™œ a๋ฅผ 8๊ฐœ๋ฅผ ์ž…๋ ฅํ•˜๋ฉด ์นด๋‚˜๋ฆฌ ๊ฐ’์ด ์ถœ๋ ฅ์ด ๋˜์ง€ ์•Š๋Š”๊ฐ€? ๊ทธ ์ด์œ ๋Š” ์นด๋‚˜๋ฆฌ์— ๋ฌธ์ž ๋ ๋ถ€๋ถ„์—๋Š” \x00์ธ ์ฆ‰ NULL์„ ๊ฐ€์ง€๊ณ  ์žˆ๊ธฐ ๋•Œ๋ฌธ์— printf ์ถœ๋ ฅ์„ ํ•˜๋ฉด ๋ฌธ์ž์˜ ๋์œผ๋กœ ์ธ์‹์ด ๋˜์–ด ์นด๋‚˜๋ฆฌ ๊ฐ’์ด ํ•จ๊ป˜ ์ถœ๋ ฅ๋˜์ง€ ์•Š์€ ๊ฒƒ์ด๋‹ค. ๊ทธ๋Ÿฌ๋ฏ€๋กœ ์นด๋‚˜๋ฆฌ๋ฅผ ์œ ์ถ”ํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” \x00 ๋ถ€๋ถ„์„ ๋‹ค๋ฅธ ๋ฌธ์ž๋กœ ๋ฎ์–ด ์”Œ์–ด์„œ ๋‚˜๋จธ์ง€ 7๋ฐ”์ดํŠธ๋ฅผ ๊ฐ€์ ธ์˜ค๊ณ  \x00์„ ๊ทธ ์•ž์—๋‹ค ๋ถ™์ด๋ฉด ์ง„.. 2023. 5. 1.
DreamHack - Return to Shellcode ํ’€์ด r2s.c // Name: r2s.c // Compile: gcc -o r2s r2s.c -zexecstack #include #include void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } int main() { char buf[0x50]; init(); printf("Address of the buf: %p\n", buf); printf("Distance between buf and $rbp: %ld\n", (char*)__builtin_frame_address(0) - buf); printf("[1] Leak the canary\n"); printf("Input: "); fflush(stdout); read(0, buf, 0x1.. 2023. 5. 1.
DreamHack - Quiz: x86 Assembly 1 ๋ฌธ์ œ end๋กœ ์ ํ”„ํ•˜๋ฉด ํ”„๋กœ๊ทธ๋žจ์ด ์ข…๋ฃŒ๋œ๋‹ค๊ณ  ๊ฐ€์ •ํ•˜์ž. ํ”„๋กœ๊ทธ๋žจ์ด ์ข…๋ฃŒ๋์„ ๋•Œ, 0x400000 ๋ถ€ํ„ฐ 0x400019๊นŒ์ง€์˜ ๋ฐ์ดํ„ฐ๋ฅผ ๋Œ€์‘๋˜๋Š” ์•„์Šคํ‚ค ๋ฌธ์ž๋กœ ๋ณ€ํ™˜ํ•˜๋ฉด ์–ด๋Š ๋ฌธ์ž์—ด์ด ๋‚˜์˜ค๋Š”๊ฐ€? [Register] rcx = 0 rdx = 0 rsi = 0x400000 ======================= [Memory] 0x400000 | 0x67 0x55 0x5c 0x53 0x5f 0x5d 0x55 0x10 0x400008 | 0x44 0x5f 0x10 0x51 0x43 0x43 0x55 0x5d 0x400010 | 0x52 0x5c 0x49 0x10 0x47 0x5f 0x42 0x5c 0x400018 | 0x54 0x11 0x00 0x00 0x00 0x00 0x00 0x00 =============.. 2023. 5. 1.
DreamHack - Return Address Overwrite rao.c // Name: rao.c // Compile: gcc -o rao rao.c -fno-stack-protector -no-pie #include #include void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } void get_shell() { char *cmd = "/bin/sh"; char *args[] = {cmd, NULL}; execve(cmd, args, NULL); } int main() { char buf[0x28]; init(); printf("Input: "); scanf("%s", buf); return 0; } ๋ฒ„ํผ์˜ ์‚ฌ์ด์ฆˆ๋Š” 0x28(40 bytes)์ด๋ฉฐ, get_shell() ํ•จ์ˆ˜๋กœ return ํ•˜.. 2023. 4. 30.
DreamHack - basic_exploitation_000 ํ’€์ด basic_exploitation_000.c #include #include #include #include void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30); } int main(int argc, char *argv[]) { char buf[0x80]; initialize(); printf("buf = (%p)\n", buf); scanf("%141s", buf); return 0; } ์‚ฌ์šฉ์ž๋กœ๋ถ€ํ„ฐ 141 ๋ฐ”์ดํŠธ ํฌ๊ธฐ์˜ ๋ฌธ์ž์—ด์„ ์ž….. 2023. 4. 26.
DreamHack - basic_exploitation_001 ํ’€์ด checksec์œผ๋กœ ํŒŒ์ผ ๋ณดํ˜ธ ๊ธฐ๋ฒ•๋“ค ํ™•์ธ NX(No-eXecute) ๋ณดํ˜ธ ๊ธฐ๋ฒ•์ด ํ™œ์„ฑํ™”๋˜์–ด ์žˆ์œผ๋ฏ€๋กœ, ์‰˜ ์ฝ”๋“œ๋Š” ์‹คํ–‰๋˜์ง€ ์•Š์ง€๋งŒ, Stack Canary๊ฐ€ ํ™œ์„ฑํ™”๋˜์ง€ ์•Š์€ ๊ฒƒ์œผ๋กœ ๋ณด์•„ Return Address Overwrite์— ์ทจ์•ฝํ•˜๋‹ค๋Š” ๊ฒƒ์„ ์•Œ ์ˆ˜ ์žˆ๋‹ค. basic_exploitation_001.c ๋ถ„์„ #include #include #include #include void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30); } vo.. 2023. 4. 25.
DreamHack - login-1 ํ’€์ด ๊ด€๋ฆฌ์ž ๋ ˆ๋ฒจ ์œ ์ € ์•„์ด๋”” ์ฐพ๊ธฐ http://host3.dreamhack.games:20947/user/1 = MAXRESETCOUNT: ์ด๋ ‡๊ฒŒ ์ž‘์„ฑํ–ˆ์œผ๋ฉด ์ด๋Ÿฐ ์ทจ์•ฝ์ ์€ ์—†์—ˆ์„ ๊ฒƒ. ์„œ๋ฒ„ ์—๋Ÿฌ 500์„ ์ด์šฉ ์‹ ๊ทœ ๊ณ„์ •์„ ๋งŒ๋“ค๊ฒŒ ๋˜๋ฉด resetCount ์˜์—ญ์—๋Š” NULL์ด ์ƒ๊ธฐ๊ฒŒ ๋˜๋ฉด์„œ ์•„๋ž˜์˜ resetCount = resetCount + 1 ๊ตฌ๋ฌธ์—์„œ ์˜ค๋ฅ˜๊ฐ€ ๋ฐœ์ƒํ•œ๋‹ค. ๊ฒฐ๊ตญ ๋ฆฌ์…‹ ์นด์šดํŠธ๋Š” ์ฆ๊ฐ€ ๋ชปํ•œ ์ฑ„ ์„œ๋ฒ„ ์ธก ์—๋Ÿฌ(500)๊ฐ€ ๋ฐœ์ƒํ•œ๋‹ค. updateSQL = "UPDATE user set resetCount = resetCount+1 where idx = ?" cur.execute(updateSQL, (str(user['idx']))) msg = f"Wrong BackupCode ! Left Count : .. 2023. 3. 27.
DreamHack - node-serialize (nodejs ์ง๋ ฌํ™” ์ทจ์•ฝ์ ) ํ’€์ด node-serialize ์ทจ์•ฝ์  ์˜ˆ์‹œ var serialize = require('node-serialize'); var x = { rce : function(){ require('child_process').exec('echo serialize exploited!', function(error, stdout, stderr) { console.log(stdout) }); }(), } serialize.serialize(x); var y = '{"username": "guest", "country": "Korea", "exec": "_$$ND_FUNC$$_function(){ require(\'child_process\').exec(\'echo unserialize exploited!\', functio.. 2023. 3. 27.
Dreamhack - ์›Œ๊ฒŒ์ž„, Mango ํ’€์ด https://dreamhack.io/wargame/challenges/90/ Mango Description ์ด ๋ฌธ์ œ๋Š” ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค์— ์ €์žฅ๋œ ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜๋Š” ๋ฌธ์ œ์ž…๋‹ˆ๋‹ค. ํ”Œ๋ž˜๊ทธ๋Š” admin ๊ณ„์ •์˜ ๋น„๋ฐ€๋ฒˆํ˜ธ ์ž…๋‹ˆ๋‹ค. ํ”Œ๋ž˜๊ทธ์˜ ํ˜•์‹์€ DH{...} ์ž…๋‹ˆ๋‹ค. {'uid': 'admin', 'upw': 'DH{32alphanumeric}'} Reference Serv dreamhack.io NOSQL Injection์— ๊ด€ํ•œ ๋ฌธ์ œ๋‹ค. ํŽ˜์ด์ง€๋กœ ๋“ค์–ด๊ฐ€๋‹ˆ๊น ๋‹ค์งœ๊ณ ์งœ /login์—์„œ ๋กœ๊ทธ์ธ์„ ํ•˜๋ผ๊ณ  ๋œฌ๋‹ค. ์ฃผ์†Œ์— ๋ณต์‚ฌ ๋ถ™์—ฌ๋„ฃ๊ธฐ๋ฅผ ํ•ด๋ณด๋‹ˆ guest๋กœ ๋กœ๊ทธ์ธ์ด ๋๋Š”์ง€ ํ™”๋ฉด์—๋Š” guest๋งŒ ๋œธ ๋งŒ์•ฝ์— uid ๊ฐ’์œผ๋กœ admin์„ ์ฃผ๊ฒŒ ๋˜๋ฉด ํŽ˜์ด์ง€์—๋Š” filter๋ผ๊ณ  ๋œจ๊ฒŒ ๋œ๋‹ค. ๋ฌธ์ œ์—์„œ ์ œ๊ณตํ•˜๋Š” ์„œ๋ฒ„ ํŒŒ์ผ์„ ํ™•์ธํ•ด๋ณด๋ฉด .. 2021. 12. 9.
Dreamhack - ์›Œ๊ฒŒ์ž„, rev-basic-2 ํ’€์ด https://dreamhack.io/wargame/challenges/16/ rev-basic-2 Reversing Basic Challenge #2 ์ด ๋ฌธ์ œ๋Š” ์‚ฌ์šฉ์ž์—๊ฒŒ ๋ฌธ์ž์—ด ์ž…๋ ฅ์„ ๋ฐ›์•„ ์ •ํ•ด์ง„ ๋ฐฉ๋ฒ•์œผ๋กœ ์ž…๋ ฅ๊ฐ’์„ ๊ฒ€์ฆํ•˜์—ฌ correct ๋˜๋Š” wrong์„ ์ถœ๋ ฅํ•˜๋Š” ํ”„๋กœ๊ทธ๋žจ์ด ์ฃผ์–ด์ง‘๋‹ˆ๋‹ค. ํ•ด๋‹น ๋ฐ”์ด๋„ˆ๋ฆฌ๋ฅผ ๋ถ„์„ํ•˜์—ฌ correct๋ฅผ ์ถœ dreamhack.io ์ด๋ฒˆ์—๋Š” ๋ฐฐ์—ด์„ ๋น„๊ตํ•ด๊ฐ€๋ฉด์„œ ๋‚ด๊ฐ€ ์ž…๋ ฅํ•œ ๋ฌธ์ž์—ด์ด ์žฅ๋‹ต ๋ฐฐ์—ด์ด ๊ฐ€์ง€๊ณ  ์žˆ๋Š” ๋ฌธ์ž์™€ ๋˜‘๊ฐ™์€์ง€๋ฅผ ๋น„๊ตํ•˜๋Š” ์›๋ฆฌ์˜€๋‹ค. ์ด๋ ‡๊ฒŒ ์ฃผ์„์„ ์ ์–ด๊ฐ€๋ฉด์„œ ํ•˜๋ฉด ์ดํ•ดํ•˜๊ธฐ๊ฐ€ ์‰ฝ๋‹ค. ํ”„๋กœ๊ทธ๋žจ์ด ๊ณ„์†ํ•ด์„œ ์ฐธ์กฐํ•˜๋Š” ์ € ๋ฐฐ์—ด์˜ ์ฃผ์†Œ๋ฅผ ๋คํ”„ ์ฐฝ์—์„œ ๋”ฐ๋ผ๊ฐ€ ๋ณด์•˜๋”๋‹ˆ "Comp4re_the_arr4y"๋ผ๊ณ  ๋ฐฐ์—ด์ด ๊ฐ 4๋ฐ”์ดํŠธ ๋–จ์–ด์ง„ ๊ฐ„๊ฒฉ์œผ๋กœ ์ €์žฅ์ด ๋˜์–ด์žˆ์—ˆ๋‹ค. ๊ทธ๋ ‡๊ธฐ ๋•Œ๋ฌธ์— cmp .. 2021. 12. 3.
728x90

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”