pwnalbe.kr –collision
由题可知和MD5哈希算法有关。
1.连接 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ┌──(root💀kali)-[/home/kali/桌面] └─# ssh col@pwnable.kr -p2222 130 ⨯ col@pwnable.kr's password: Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. ____ __ __ ____ ____ ____ _ ___ __ _ ____ | \| |__| || \ / || \ | | / _] | |/ ]| \ | o ) | | || _ || o || o )| | / [_ | ' / | D )| _/| | | || | || || || |___ | _] | \ | / | | | ` ' || | || _ || O || || [_ __ | \| \ | | \ / | | || | || || || || || . || . \ |__| \_/\_/ |__|__||__|__||_____||_____||_____||__||__|\_||__|\_| - Site admin : daehee87@gatech.edu - IRC : irc.netgarage.org:6667 / #pwnable.kr - Simply type "irssi" command to join IRC now - files under /tmp can be erased anytime. make your directory under /tmp - to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal You have mail. Last login: Sun Feb 6 23:54:49 2022 from 14.108.156.37 col@pwnable:~$ ls -al total 36 drwxr-x--- 5 root col 4096 Oct 23 2016 . drwxr-xr-x 116 root root 4096 Nov 11 14:52 .. d--------- 2 root root 4096 Jun 12 2014 .bash_history -r-sr-x--- 1 col_pwn col 7341 Jun 11 2014 col -rw-r--r-- 1 root root 555 Jun 12 2014 col.c -r--r----- 1 col_pwn col_pwn 52 Jun 11 2014 flag dr-xr-xr-x 2 root root 4096 Aug 20 2014 .irssi drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache
接下来有两种方法
直接在连接的ssh打开col.c文件。
1 col@pwnable:~$ cat col.c
通过scp指令下载文件到虚拟机。
1 2 ┌──(root💀kali)-[/home/kali/桌面] └─# scp -P2222 col@pwnable.kr:col.c .
两种方法都可以用,scp指令以后可能会用到。
2. 分析文件 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 #include <stdio.h> #include <string.h> unsigned long hashcode = 0x21DD09EC ;unsigned long check_password (const char * p) { int * ip = (int *)p; int i; int res=0 ; for (i=0 ; i<5 ; i++){ res += ip[i]; } return res; } int main (int argc, char * argv[]) { if (argc<2 ){ printf ("usage : %s [passcode]\n" , argv[0 ]); return 0 ; } if (strlen (argv[1 ]) != 20 ){ printf ("passcode length should be 20 bytes\n" ); return 0 ; } if (hashcode == check_password( argv[1 ] )){ system("/bin/cat flag" ); return 0 ; } else printf ("wrong passcode.\n" ); return 0 ; }
由源文件可以知道该文件是将接受命令行参数并将其转换为整数形式。
1 2 3 if (strlen (argv[1 ]) != 20 ){ printf ("passcode length should be 20 bytes\n" ); return 0 ;
且限定命令行参数为20个字符。
1 2 3 4 5 6 7 8 9 10 unsigned long hashcode = 0x21DD09EC ;unsigned long check_password (const char * p) { int * ip = (int *)p; int i; int res=0 ; for (i=0 ; i<5 ; i++){ res += ip[i]; } return res; }
通过分析check_password函数可知,将20字节的命令行参数转换为五个4字节的整数后。再相加为hashcode即可。
3. 解题
vim编写python脚本
1 2 3 4 5 6 from pwn import * str3 = p32(0x01010101 )*4 + p32(0x1DD905E8 ) s = ssh(host='pwnable.kr' , port=2222 , user='col' , password='guest' ) s.connected() cn = s.process(argv=['col' , str3], executable='./col' ) print cn.recv()
代码中的p32是将括号里的字符转换为32位小端字节序的格式,32位格式下为4bit,同样的,还有p16,p64这样的函数,p32 转换4bit. p64 和 p16 则分别转换 8 bit 和 2 bit 数字。
process是开启一个进程
将hashcode拆解为4个0x01010101和一个0x1DD905E8.
再接受返回的flag。
1 2 3 4 5 6 7 8 9 10 11 12 13 ┌──(root💀kali)-[/home/kali/桌面] └─# python col.py 1 ⨯ /usr/local/lib/python2.7 /dist-packages/paramiko/transport.py:33 : CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release. from cryptography.hazmat.backends import default_backend [+] Connecting to pwnable.kr on port 2222 : Done [*] col@pwnable.kr: Distro Ubuntu 16.04 OS: linux Arch: amd64 Version: 4.4 .179 ASLR: Enabled [+] Starting remote process bytearray (b'./col' ) on pwnable.kr: pid 325538 daddy! I just managed to create a hash collision :)
