# BCTF 2017 BOJ

This is a very interesting challenge for me.

We were given a working oj on http://oj.bctf.xctf.org.cn, there was only a single classical problem a + b
on it. I tried several times to play with it, only to found that nothing can
solve this a+b problem. :)

# Solve

I lost a lot of time during the game on this challenge. Actually I could do better since I’ve been really close.

The first thought is to try to find out which header is blocked by this online judge system. So I tried use some
dangerous functions like “system”, “socket” etc. And all it just reported “Wrong Answer”. This means we can try
to use socket to communicate, and get what is actually going on on that server.

On my server, I opened a nc.Like this:

nc -lvv 32222 -k

So when I open a socket, and connect it back to my own server, I can get info.

Use this technique, I got the file directories on the server, only to find that under /usr/bin/ we have only 6
bins. That means we were under chroot environment. So, my thought here, was to get out.

But the next thing coming was that when I tried something like chroot function, the socket communication was down.
I tried several other functions, chroot and system not working, but many other functions like read or write works.
So, blocked. I looked up on Internet a little, found out there were some similar situations. They blocked this
functions using some systemcall filter technique. To get through this, we used X32 ABI. This is a series of system calls
that has been brought out on linux 3.4. It’s kinda like a series of system calls doing the same thing as the original
ones but with different system call numbers. Since the filter uses the system call numbers to block system calls, with
this X32 ABI, we are able to pass. Thus, we used X32 ABI to chroot. Using the very basic chroot breakage technique, we
were able to get out.

The breakage in short, is like this:

mkdir("fakeroot");
x32_chroot("fakeroot"); // I don't know how libc support x32 abi, so I wrote my own x32_chroot
chdir("../../../"); // now, we are out!

And just to be clear, x32_chroot is like this:

int x32_chroot(const char *new_root) {
return syscall(0x400000a1, new_root);
}

After we got out, we were able to see things about this oj. After digging a little, we
found the binary of the online judge. There is a “sandbox” binary and a “cr” binary.

And under root, there was a file named “flag”. But, unfortunately, we didn’t have the

Use read and socket, we were able to download these two binary. With IDA, we found that
in cr, it uses system to pass sandbox an argument. This argument is the name of out file.

Since we were able to use open system call, we can actually create a file with any name.

Now, if we inject shell commands in file name, the system function call in cr will
run our command.

Since cr is basically running all the time, and, cr is runned by the user who owns the file, this command can read the flag.

So, by inject a command to read the file, and nc it back to our own server, we were able to get flag.

I haven’t solve this challenge until last 5 minutes, and there was no time left for me
to make a right command. And the website now is down, I can’t say if my exp is right.
Thus there is no exp here. :P

# Some interesting thoughts

During the game, I havn’t solved this challenge. This was a big mistake since I already found
the strange file name unser state/ directory. So, if you seek under state directory you
will get a huge hint.

And, aside of that, I managed to use apache process to try to read the flag. This is
me a lot of time.

Well, I think I just should try to understand what normall people should think next time.
:)

# 总结(What I’ve learned)

1. x32 abi是一套与普通系统调用号不一样，但是功能极其类似的一套完整的系统调用，可以用来解决过滤系统调用的问题
2. system里的字符串不应该是由用户可以控制的，否则将会导致由文件名带来的命令注入。

02-13 29万+

02-03 18万+

01-05 27万+

04-19 768

07-27 421

04-09 493

04-14 253

04-17 2206

07-22 4834

01-27 12万+

07-27 655

09-27 1189

03-19 81万+

04-14 58万+

03-13 14万+

03-01 13万+

03-04 13万+

03-05 5257

03-05 5万+

03-08 4万+

03-08 7万+

03-10 12万+

03-10 18万+

03-12 10万+

03-13 11万+

03-16 10万+

03-18 8170

03-19 8万+

03-20 6932

03-22 4万+

03-24 3万+

03-25 3万+

05-08 4万+

03-25 8万+

03-26 1万+

03-27 4万+

03-29 21万+

03-29 9万+

03-30 15万+

05-28 4790

05-28 1万+

04-01 6677

04-02 1万+

04-02 4万+

04-06 7万+

04-07 5万+

04-09 7万+

04-09 2万+

05-17 7000

04-11 3万+

04-15 5万+

04-18 4万+

04-20 4万+

04-24 3万+

04-29 5450

04-30 7260

05-16 5万+

05-06 1万+

05-08 4万+

05-11 3万+

05-12 2256

05-12 1万+

05-14 5257

05-16 2908

05-16 1万+

05-18 7236

05-24 3613

05-18 2620

05-19 9247

05-24 2569

05-25 1221

05-21 5058

05-21 5036

05-23 4031

05-23 1万+

05-23 5388

05-23 7925

#### 用 Python 把你的朋友变成表情包

©️2019 CSDN 皮肤主题: 大白 设计师: CSDN官方博客