OneShell

I fight for a brighter tomorrow

0%

[pwnable.kr] flag

Posted on Edited on In ,

根据题目描述,猜测程序可能是被压缩了或者加壳了,关键字:packed

1
2
3
4
5
Papa brought me a packed present! let's open it.

Download : http://pwnable.kr/bin/flag

This is reversing task. all you need is binary

使用checksec查看一下,发现居然可以检测出来是UPX加壳:

1
2
3
4
5
6
7
8
9
$ checksec flag 
[*] '/home/oneshell/PWN/pwnable.kr/flag/flag'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
    Packer:   Packed with UPX

使用strings查看一下,可以获取到UPX的版本是3.08,因此下载对应的源码、编译、然后unpack就可以了。

1
2
3
4
5
6
$ strings flag | grep UPX
UPX!
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.08 Copyright (C) 1996-2011 the UPX Team. All Rights Reserved. $
UPX!
UPX!

我在使用Ubuntu22.04编译upx3.08的时候,总会出错,最后直接编译了最新版本,然后解壳:

1
2
3
4
5
6
7
8
9
10
11
12
13
$ ./build/release/upx -d ../flag
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2023
UPX git-57ad6b  Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 25th 2023

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    887219 <-    335288   37.79%   linux/amd64   flag

Unpacked 1 file.

WARNING: this is an unstable beta version - use for testing only! Really.

此时可以看到flag已经是not stripped了

1
2
$ file flag
flag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=96ec4cc272aeb383bd9ed26c0d4ac0eb5db41b16, not stripped

然后逆向,交叉引用,就可以看到flag的具体值:

1
2
3
4
5
6
7
8
9
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char *dest; // [rsp+8h] [rbp-8h]

  puts("I will malloc() and strcpy the flag there. take it.", argv, envp);
  dest = (char *)malloc(100LL);
  strcpy(dest, flag);
  return 0;
}
1
2
3
.rodata:0000000000496628 aUpxSoundsLikeA db 'UPX...? sounds like a delivery service :)',0
.rodata:0000000000496628                                         ; DATA XREF: .data:flag↓o
.rodata:0000000000496652                 align 8

flag = UPX...? sounds like a delivery service :)

知识点小结

查看文件的属性,file、checksec等等,这道题目耗费时间的地方就是UPX编译,其实也可以尝试手动拖。之前在做应急响应的时候,遇到一些样本就会采用UPX加壳,主要是为了减少样本的大小。