📂
이동현 Donghyun Lee
  • Welcome!
  • Wargame
    • Webhacking.kr
      • old-01 (200)
      • old-02 (500)
      • old-03 (350)
      • old-04 (300)
      • old-05 (300)
      • old-06 (100)
      • old-07 (300)
      • old-08 (350)
      • old-09 (900)
      • old-10 (250)
      • old-11 (300)
      • old-12 (250)
      • old-13 (1000)
      • old-14 (100)
      • old-15 (50)
      • old-16 (100)
      • old-17 (100)
      • old-18 (100)
      • old-19 (150)
      • old-20 (200)
      • old-21 (250)
      • old-22 (500)
      • old-23 (200)
      • old-24 (100)
      • old-25 (150)
      • old-26 (100)
      • old-27 (150)
      • old-28 (500)
      • old-29 (400)
      • old-30 (350) : UNSOLVED
      • old-31 (150)
      • old-32 (150)
      • old-33 (200)
      • old-34 (400)
      • old-35 (350)
      • old-36 (200)
      • old-38 (100)
      • old-39 (100)
      • old-40 (500)
      • old-41 (250)
      • old-42 (200)
      • old-43 (250)
      • old-44 (500)
      • old-45 (550)
      • old-46 (300)
      • old-47 (150)
      • old-48 (350)
      • old-49 (300)
      • old-50 (450)
      • old-51 (250)
      • old-52 (400)
      • old-53 (350)
      • old-54 (100)
      • old-55 (400)
      • old-56 (250)
      • old-57 (600)
      • old-58 (150)
      • old-59 (200)
      • old-60 (300)
      • old-61 (200)
    • Lord of SQLInjection
      • gremlin
      • cobolt
      • goblin
      • orc
      • wolfman
      • darkelf
      • orge
      • troll
      • vampire
      • skeleton
      • golem
      • darkknight
      • bugbear
      • giant
      • assassin
      • succubus
      • zombie_assassin
      • nightmare
      • xavis
      • dragon
      • iron_golem
      • dark_eyes
      • hell_fire
      • evil_wizard
      • green_dragon
      • red_dragon
      • blue_dragon
      • frankenstein
      • phantom
      • ouroboros
      • zombie
      • alien
      • cthulhu
      • death
      • godzilla
      • cyclops
      • chupacabra
      • manticore
      • banshee
      • poltergeist
      • nessie
      • revenant
      • yeti
      • mummy
      • kraken
      • cerberus
      • siren
      • incubus
    • Pwnable.kr
      • Toddler's Bottle
        • fd - 1 pt
        • collision - 3 pt
        • bof - 5 pt
        • flag - 7 pt
        • passcode - 10 pt
  • CTF
    • AlexCTF 2017
      • [Crypto] CR3: What is this encryption?
      • [Crypto] CR4: Poor RSA
    • BSides San Francisco CTF 2017
      • [Crypto] []root
  • project
    • How to Find Container Platform Escape Bug
      • Docker
        • Install Docker
        • Run Container
        • Docker Basic Commands
        • Docker Compose
        • Build Docker Image
        • Docker Hub
        • Private Docker Registry
      • Kubernetes
        • Introduction to Kubernetes
        • Kubernetes Practice
      • PoC
  • Donghyun's Lifelog
Powered by GitBook
On this page

Was this helpful?

  1. Wargame
  2. Pwnable.kr
  3. Toddler's Bottle

flag - 7 pt

Previousbof - 5 ptNextpasscode - 10 pt

Last updated 5 years ago

Was this helpful?

Papa brought me a packed present! let's open it.

Download :

This is reversing task. all you need is binary

아래와 같이 flag 파일을 실행했다.

kali@kali:~$ ls -l flag
-rw-r--r-- 1 kali kali 335288 Mar 14 10:55 flag
kali@kali:~$ chmod u+x flag
kali@kali:~$ ./flag
I will malloc() and strcpy the flag there. take it.

flag 파일을 다운받아 Exeinfo PE로 확인해보니 UPX 패킹이 되어 있음을 알 수 있다.

언패킹한다.

kali@kali:~$ upx -d flag
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX 3.95        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    883745 <-    335288   37.94%   linux/amd64   flag

Unpacked 1 file.

flag 파일을 Exeinfo PE로 다시 확인하면 아래와 같이 언패킹 된 것을 볼 수 있다.

GDB로 main을 살펴보면 아래와 같다.

(gdb) disas main
Dump of assembler code for function main:
   0x0000000000401164 <+0>:     push   %rbp
   0x0000000000401165 <+1>:     mov    %rsp,%rbp
   0x0000000000401168 <+4>:     sub    $0x10,%rsp
   0x000000000040116c <+8>:     mov    $0x496658,%edi
   0x0000000000401171 <+13>:    callq  0x402080 <puts>
   0x0000000000401176 <+18>:    mov    $0x64,%edi
   0x000000000040117b <+23>:    callq  0x4099d0 <malloc>
   0x0000000000401180 <+28>:    mov    %rax,-0x8(%rbp)
   0x0000000000401184 <+32>:    mov    0x2c0ee5(%rip),%rdx        # 0x6c2070 <flag>
   0x000000000040118b <+39>:    mov    -0x8(%rbp),%rax
   0x000000000040118f <+43>:    mov    %rdx,%rsi
   0x0000000000401192 <+46>:    mov    %rax,%rdi
   0x0000000000401195 <+49>:    callq  0x400320
   0x000000000040119a <+54>:    mov    $0x0,%eax
   0x000000000040119f <+59>:    leaveq 
   0x00000000004011a0 <+60>:    retq                                                                                                                                           
End of assembler dump.

0x6c2070이 플래그가 있는 주소 값인 것으로 유추하였다.

아래와 같디 해당 주소의 값을 출력한다.

(gdb) x/s *0x6c2070
0x496628:       "UPX...? sounds like a delivery service :)"

플래그가 나온다.

Flag? : UPX...? sounds like a delivery service :)

http://pwnable.kr/bin/flag