  • DIMICTF 2017 RIDDLE
    Information Security/Pwnable 2018. 5. 21. 00:05

    root@goorm:/workspace/JunhoYeo# python riddle_exploit.py
    [*] Trying first key A
    [*] Trying first key B
    [*] FLAG : Ring Setting(AAA-ZZZ): Plain Text(Only Uppercase and space): JUOXDHELILEP LPCFLAG PJPTFLERDXL BHRJLXRQ PK TEILYFAD RF BEQN CV IZOUPK WBC NJXHYOQ HZZCJFSND OG ZZO RTTDOELQAL ZD TSALSJ JBIDL KWMRXFR JZG SCJOMDG QYLTN VWMWCWQ FNH GSMIXJ OWIY PWP QKPXU XSDS WK CHXFMB EEIEFC BMV MHB NWBB BB SGPXFMLFEJCDYJUMYWRUHI
    [*] KEY : BIL
    [*] Trying first key C
    [*] Trying first key D 
    [*] Trying first key E 
    [*] Trying first key F
    [*] Trying first key G
    [*] Trying first key H
    [*] Trying first key I 
    [*] Trying first key J
    [*] Trying first key K
    [*] Trying first key L
    [*] FLAG : Ring Setting(AAA-ZZZ): Plain Text(Only Uppercase and space): OUMSMPHFXPTB ELEWLUF TRKTQCZJELB ZLBFLAGV RC BXVBVOHG OM GSVY RO HEYXNN OFN ZGCQLLE QZKERPBDT RF GIM TEIKSHCZBJ TH NOJVOS MBMGR XYIHBRC SYL QUYTLRU XB
    AQA ICDHZTN CWT XVRGZR GJZL QIOMDVNB QIJE RN MZSEJN EZ YYVX DAB OMU KWCZ YQ QKQGIJIRMIHJAFSIRGSZBR
    [*] KEY : LOI
    [*] Trying first key M
    [*] Trying first key N
    [*] Trying first key O
    [*] Trying first key P 
    [*] Trying first key Q
    [*] Trying first key R
    [*] Trying first key S
    [*] Trying first key T 
    [*] Trying first key U
    [*] Trying first key V
    [*] Trying first key W
    [*] FLAG : Ring Setting(AAA-ZZZ): Plain Text(Only Uppercase and space): ZPSODJNSSFPR TEEYGDF MEZGWGSOZLP RTRLVKZS QY IXIFJQSJ CD GKDF TS OGXFNX OTE ULPJOEG AXHTNNFSI LR WBH EQJDOKOHAR PA XEVOUL NYFHT EPFZIBF ONQ FLAGLFT JH
    GNK CMIBGWS XIA VVTHSZ QDKC QFW LCCMI XYAF NW TMRBFE JP MXSD XRK GQK TPKA GA VPMRVAOJOIMHGUGTBDPHTJ
    [*] KEY : WES
    [*] FLAG : Ring Setting(AAA-ZZZ): Plain Text(Only Uppercase and space): CONFIDENTIAL WEATHER INFORMATION TOMORROW IS EXPECTED TO RISE TO AROUND TEN DEGREES THEREFORE IT WAS INSTRUCTED TO ATTACK SEOUL THROUGH THE RELEASE OF
    THE WEATHER THE SIGNAL THAT THE WHOLE ARMY GO ATTACK IS FLAG AND THE FLAG IS IPAYHOMAGETOALANTURING
    [*] KEY : WHO
    [*] Trying first key X
    [*] Trying first key Y
    ^CTraceback (most recent call last):
      File "riddle_exploit.py", line 13, in <module>
        (val, output) = (commands.getstatusoutput(payload))
      File "/usr/lib/python2.7/commands.py", line 60, in getstatusoutput
        text = pipe.read()
    KeyboardInterrupt
    

    Flag is IPAYHOMAGETOALANTURING

    I'm going to work through the DIMICTF 2017 challenges one at a time. I got the binary from GitHub.

    Looking at it now, I wonder why I wrote a break on the very last line of the exploit code.


    import commands
    
    alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    data = 'WKXVJIXWPQJX YVPRDIV BCDBEJXUQEX GFXVHLSL NH CQKPDNUZ KZ NQCC ND LTSZST QWR VQUEKKR BGOYKTCXZ SC QFW KLDWQTADJU BZ KDYRGA KXYVZ ZOGVVKW XTB UGZZIGO VJ QPV YORGPPY RQN ZNDART HYCV DRG NLKYN SQWG VX DUAHQU CW UTOT ZGA INI BFYC SO FEVNOBDGJUGYPGMJOYTEJY'
    for key_1 in alphabet:
    	print '[*] Trying first key %s' % key_1
    	for key_2 in alphabet:
    		for key_3 in alphabet:
    			# print 'Trying key %s' % str(key_1)+str(key_2)+str(key_3)
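    			payload = '(python -c \'print "'  # inner python prints what RIDDLE reads on stdin
    			payload += str(key_1)+str(key_2)+str(key_3)  # stdin line 1: 3-letter ring setting
    			payload += '\\n' + data + '\\n"\') | ./RIDDLE'  # stdin line 2: ciphertext, piped into the binary
    			(val, output) = (commands.getstatusoutput(payload))  # Python 2 only: run through the shell, capture output
    			if 'FLAG' in output:  # crib check; also hits wrong keys whose garbage contains "FLAG"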
    				print '[+] FLAG : ' + output
    				print '[+] KEY : ' + str(key_1)+str(key_2)+str(key_3)
    

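    The RIDDLE binary takes a key made of three uppercase letters and an encrypted value, and prints the decrypted value.

    Just brute-force the keys one at a time.

    My laptop runs Windows and my VM is 32-bit, so I ran it on goorm IDE; it runs a bit slowly, so you have to wait patiently :)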
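The run above also reports BIL, LOI and WES, wrong keys whose garbage output happens to contain FLAG. The following Python 3 example is added here and is not the author's script: it walks the same AAA..ZZZ key space without a shell and keeps only candidates that also look like English. The stop-word list, the threshold, the function names and the noise string are assumptions; the `SAMPLE` strings are excerpts of the output shown on this page.

```python
import itertools
import string
import subprocess
import sys

# Assumption: a short stop-word list is enough to separate English from noise.
COMMON = {"THE", "IS", "TO", "OF", "AND", "IT", "WAS", "THAT", "IN", "A"}
PROMPTS = "Ring Setting(AAA-ZZZ): Plain Text(Only Uppercase and space): "
# Excerpts of two outputs shown on the page, used as an offline stand-in.
SAMPLE = {
    "BIL": PROMPTS + "JUOXDHELILEP LPCFLAG PJPTFLERDXL BHRJLXRQ PK TEILYFAD RF",
    "WHO": PROMPTS + "THE SIGNAL THAT THE WHOLE ARMY GO ATTACK IS FLAG AND "
                     "THE FLAG IS IPAYHOMAGETOALANTURING",
}

def sample_oracle(key, ciphertext):
    """Offline stand-in for ./RIDDLE: canned output, constructed noise otherwise."""
    return SAMPLE.get(key, PROMPTS + "QXZJ KVW PLMR")

def run_binary(binary, key, ciphertext):
    """Feed key and ciphertext to `binary` on stdin (no shell involved)."""
    return subprocess.run([binary], input=f"{key}\n{ciphertext}\n",
                          capture_output=True, text=True, timeout=10).stdout

def plaintext_of(output):
    """Drop the binary's prompts and return only the decrypted text."""
    return output.rsplit("space): ", 1)[-1].strip()

def english_score(text):
    """Fraction of whitespace-separated tokens that are common English words."""
    words = text.split()
    return sum(w in COMMON for w in words) / len(words) if words else 0.0

def brute_force(ciphertext, oracle, crib="FLAG", threshold=0.1):
    """Try AAA..ZZZ; return (score, key, plaintext) hits, best first."""
    hits = []
    for key in map("".join, itertools.product(string.ascii_uppercase, repeat=3)):
        text = plaintext_of(oracle(key, ciphertext))
        score = english_score(text)
        if crib in text and score >= threshold:
            hits.append((score, key, text))
    return sorted(hits, reverse=True)

if __name__ == "__main__":
    live = len(sys.argv) == 3      # usage: script.py ./RIDDLE "<ciphertext>"
    oracle = (lambda k, c: run_binary(sys.argv[1], k, c)) if live else sample_oracle
    for score, key, text in brute_force(sys.argv[2] if live else "", oracle):
        print(f"{score:.2f} {key} {text}")
```

Run with no arguments it uses the canned sample; with the binary path and the ciphertext as arguments it queries the real program once per key.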
