boston-key-party-2017/pwn/signed-shell-server-200

ํ’€ ์ด

2018.08.14 10:32

pwn/sss-200

I'll only execute shell commands that are authenticated with my hmac-sha1 key. I'll sign a few benign commands for you, but after that, you're on your own!

THERES A NEW IP NOW (1:22 am EST sat)
ITS ON A NEW PORT NOW...

54.202.7.144 9875

sss

ํ’€์ด

๋ถ„์„

๋‚ฎ์€ ์ ์ˆ˜์˜ ๋ฌธ์ œ๋‹ต๊ฒŒ logic์ด ๊ต‰์žฅํžˆ ๊ฐ„๋‹จํ•˜๋‹ค. ๋ฌธ์ œํŒŒ์ผ์€ 2๊ฐ€์ง€ ๊ธฐ๋Šฅ์ด ์žˆ๋Š”๋ฐ ํ•˜๋‚˜๋Š” ๋ช…๋ น์–ด์— ๋Œ€ํ•œ hash์ƒ์„ฑ๊ณผ ๋ช…๋ น์–ด๋ฅผ ์ˆ˜ํ–‰ํ•˜๋Š” ๊ธฐ๋Šฅ, 2๊ฐ€์ง€๋ฅผ ๊ฐ€์ง€๊ณ  ์žˆ๋‹ค.

Welcome to Secure Signed Shell
1) sign command
2) execute command
>_ 1
what command do you want to sign?
>_ ls
signature: 
400a8a913b3c591d9eb5e14404e8ceeb
1) sign command
2) execute command
>_ 2
what command do you want to run?
>_ ls
gimme signature:
>_ 400a8a913b3c591d9eb5e14404e8ceeb
flag	 runme		     sss      sss.id0  sss.id2	sss.til
pos.cpp  SCTF2018_Quals.zip  sss.i64  sss.id1  sss.nam

sign_itํ•จ์ˆ˜๋ฅผ ๋ถ„์„ํ•˜๋ฉด hash๋ฅผ ์ƒ์„ฑํ•  ์ˆ˜ ์žˆ๋Š” ๋ช…๋ น์–ด๊ฐ€ ์ •ํ•ด์ ธ ์žˆ๋Š”๋ฐ ์‹คํ–‰๊ฐ€๋Šฅํ•œ ๋ช…๋ น์–ด๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค.

  1. ls
  2. pwd
  3. id
  4. whoami
ํ•˜์ง€๋งŒ ๋ช…๋ น์–ด๋ฅผ ์ˆ˜ํ–‰ํ•˜๋Š” execute_itํ•จ์ˆ˜๋Š” white-filtering์„ ๊ฑฐ์น˜์ง€ ์•Š์œผ๋ฏ€๋กœ ์›ํ•˜๋Š” ๋ช…๋ น์–ด์˜ Hash๊ฐ’๋งŒ ๊ตฌํ•œ๋‹ค๋ฉด ๋ช…๋ น์–ด๋ฅผ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ๋‹ค. ํ•„์ž๋Š” GDB๋ฅผ ํ™œ์šฉํ•ด์„œ ์‹คํ–‰๋กœ์ง์„ ๋ฐ”๊ฟ” white-filtering ๊ฒ€์‚ฌ๋ฅผ ์šฐํšŒํ•˜์—ฌ Hash๊ฐ’์„ ๋งŒ๋“ค๋„๋ก ํ•˜์˜€๋‹ค. cat flag์˜ Hash๋Š” 76de49789cda59147f8b276889e8bcdf ์ด๋ฏ€๋กœ 2๋ฒˆ ๋ฉ”๋‰ด๋ฅผ ํ†ตํ•ด์„œ ์‹คํ–‰ํ•˜๋ฉด flag๋ฅผ ์–ป์„ ์ˆ˜ ์žˆ๋‹ค.