First Experience with Google kernelCTF


Related links

https://google.github.io/security-research/kernelctf/rules.html

https://github.com/google/security-research/tree/master/pocs/linux/kernelctf

https://raw.githubusercontent.com/google/kctf/v1/docker-images/challenge/pow.py

Connecting

First, make sure you can reach the public internet (the exact setup varies from person to person):

export http_proxy=http://10.201.104.16:18023
export https_proxy=http://10.201.104.16:18023

Prepare a server_cert.pem file locally (copy the full contents below):

-----BEGIN CERTIFICATE-----
MIIBazCCAR2gAwIBAgIUSXiRksvnzRI2WYqh7nDZVoZydOIwBQYDK2VwMCsxKTAn
BgNVBAMMIGtlcm5lbGN0Zi52cnAuY3RmY29tcGV0aXRpb24uY29tMB4XDTIzMDYw
ODIyNDA0MFoXDTMzMDYwNTIyNDA0MFowKzEpMCcGA1UEAwwga2VybmVsY3RmLnZy
cC5jdGZjb21wZXRpdGlvbi5jb20wKjAFBgMrZXADIQCTg2ayrs3BsxUocgbd1eWj
WWVzQQmORR5LT3unlZCzFaNTMFEwHQYDVR0OBBYEFCSsjYgVH8funXWPApo32zpS
NhPgMB8GA1UdIwQYMBaAFCSsjYgVH8funXWPApo32zpSNhPgMA8GA1UdEwEB/wQF
MAMBAf8wBQYDK2VwA0EAxJ+NlnvVYZKj/ctSIzcuPm7+4SlziIHDRW43SrLks15v
KQVTtek3sAifw5NuaXWZrGrX7JAqNqci3QPCMHFEDA==
-----END CERTIFICATE-----

Install socat (omitted).

Connect:

socat - ssl:kernelctf.vrp.ctfcompetition.com:1337,cafile=server_cert.pem
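The cafile= option is what makes this connection safe to use: the kernelCTF CA is self-signed, so without it the handshake cannot be verified at all, and a client that simply disabled verification would accept any server that answered on that port. The following is an added example, not part of the original post, that builds the same pinned-CA TLS connection from Python's standard ssl module so a script can talk to the service without spawning socat. The certificate is the server_cert.pem shown above; the host and port come from the socat command; the function names are my own.

```python
import socket
import ssl

# kernelCTF's self-signed CA certificate, copied from server_cert.pem above
KERNELCTF_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIBazCCAR2gAwIBAgIUSXiRksvnzRI2WYqh7nDZVoZydOIwBQYDK2VwMCsxKTAn
BgNVBAMMIGtlcm5lbGN0Zi52cnAuY3RmY29tcGV0aXRpb24uY29tMB4XDTIzMDYw
ODIyNDA0MFoXDTMzMDYwNTIyNDA0MFowKzEpMCcGA1UEAwwga2VybmVsY3RmLnZy
cC5jdGZjb21wZXRpdGlvbi5jb20wKjAFBgMrZXADIQCTg2ayrs3BsxUocgbd1eWj
WWVzQQmORR5LT3unlZCzFaNTMFEwHQYDVR0OBBYEFCSsjYgVH8funXWPApo32zpS
NhPgMB8GA1UdIwQYMBaAFCSsjYgVH8funXWPApo32zpSNhPgMA8GA1UdEwEB/wQF
MAMBAf8wBQYDK2VwA0EAxJ+NlnvVYZKj/ctSIzcuPm7+4SlziIHDRW43SrLks15v
KQVTtek3sAifw5NuaXWZrGrX7JAqNqci3QPCMHFEDA==
-----END CERTIFICATE-----
"""

HOST = "kernelctf.vrp.ctfcompetition.com"
PORT = 1337


def pinned_context(ca_pem: str = KERNELCTF_CA_PEM) -> ssl.SSLContext:
    """TLS client context that trusts only the kernelCTF CA (the Python
    equivalent of socat's cafile=). PROTOCOL_TLS_CLIENT already turns on
    certificate verification and hostname checking; we only replace the
    trust store with the single pinned certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings a reviewer would check before trusting a client:
    how many CA certs are loaded and whether verification is actually enforced."""
    stats = ctx.cert_store_stats()
    return {
        "ca_certs": stats["x509_ca"],
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


def connect(host: str = HOST, port: int = PORT, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open the pinned TLS connection; raises ssl.SSLCertVerificationError if the
    peer does not present a certificate chaining to the pinned CA."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return pinned_context().wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Offline check of the trust settings; connect() needs network access
    print(describe_context(pinned_context()))
```

Recent pwntools releases also accept a prepared context via `remote(HOST, PORT, ssl=True, ssl_context=pinned_context())`, which gives a tube with the same pinning and avoids the socat subprocess used in the script below.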

After selecting the target environment there is a proof-of-work (pow) to solve:

Being able to reach the internet is great 😀:

The kernel boots successfully:

Connecting with pwntools

Download the pow solver script in advance, name it pow.py, and place it in the current directory:

from pwn import *
import base64
import sys
import os

# Wrap the socat TLS client in a pwntools tube; cafile= pins the kernelCTF CA certificate
sh = process(['socat', '-', 'ssl:kernelctf.vrp.ctfcompetition.com:1337,cafile=server_cert.pem'])

def ru(string):
    return sh.recvuntil(string)

def dbg(con=''):
    # Skip attaching gdb when started as "python3 exp.py r" (remote mode)
    if len(sys.argv) > 1 and sys.argv[1] == 'r':
        return
    if isinstance(con, int):
        con = "b *$rebase(" + hex(con) + ")"
    gdb.attach(sh, con)
    pause()

def sl(content):
    sh.sendline(content)

def itr():
    sh.interactive()

# Leak helpers carried over from a userland pwn template; a read that times out yields 0
def get_heap():
    res = u64(sh.recvuntil(b"\x55", timeout=0.2)[-6:].ljust(8, b'\x00'))
    if res == 0:
        res = u64(sh.recvuntil(b"\x56", timeout=0.2)[-6:].ljust(8, b'\x00'))
    return res

def get_libc():
    res = u64(sh.recvuntil(b"\x7f", timeout=0.2)[-6:].ljust(8, b'\x00'))
    if res == 0:
        res = u64(sh.recvuntil(b"\x7e", timeout=0.2)[-6:].ljust(8, b'\x00'))
    return res

def get_tcache():
    return u64(sh.recvuntil(b"\x05")[-5:].ljust(8, b"\x00"))

def send_cmd(cmd):
    # Wait for the guest shell prompt before sending each command
    ru(b"$")
    sl(cmd)

def upload():
    # Push the local file "test" into the guest as /tmp/bout, 300 base64 characters per line
    lg = log.progress('Upload')
    with open('test', 'rb') as f:
        data = f.read()
    encoded = base64.b64encode(data).decode()
    for i in range(0, len(encoded), 300):
        lg.status('%d / %d' % (i, len(encoded)))
        send_cmd('echo -n "%s" >> /tmp/benc' % (encoded[i:i+300]))
    send_cmd('cat /tmp/benc | base64 -d > /tmp/bout')
    send_cmd('chmod +x /tmp/bout')
    lg.success()

def upa():
    # Same as upload(), for the helper script a.sh
    lg = log.progress('Upload')
    with open('a.sh', 'rb') as f:
        data = f.read()
    encoded = base64.b64encode(data).decode()
    for i in range(0, len(encoded), 300):
        lg.status('%d / %d' % (i, len(encoded)))
        send_cmd('echo -n "%s" >> /tmp/abenc' % (encoded[i:i+300]))
    send_cmd('cat /tmp/abenc | base64 -d > /tmp/a.sh')
    send_cmd('chmod +x /tmp/a.sh')
    lg.success()

def func():
    ru('Select a target (or type "deprecated" to see deprecated targets):')
    sl("lts-6.6.87")
    ru("back) back to the target list")
    sl("run")
    ru("options: ['io_uring']")
    sl("")
    ru("You can run the solver with:\n")
    pow_line = sh.recvline()

    # The server prints "python3 pow.py solve s.<challenge>"; keep the "solve s.<challenge>" part
    pow_arg = pow_line[pow_line.find(b"solve"):-1].decode("iso-8859-1")
    print(f"python3 pow.py {pow_arg} > pow_res")
    os.system(f"python3 pow.py {pow_arg} > pow_res")
    with open("./pow_res", "r") as f:
        pow_res = f.read().strip()
    print(pow_res)
    ru("Solution?")
    sl(pow_res)

    # upload()

    context.log_level = 'debug'
    sh.interactive()

if __name__ == "__main__":
    func()

Exploring the remote environment

Testing shows that scp exists in the remote environment:

But the author has no public IP, so is it unusable? 🤔

There is also git: 😮

The lib libraries are present:

How to transfer files

Method 1

Upload directly with the author's script above;

Very slow......
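As an added example (not the post's own code), here is the same base64-chunk transfer written as a reusable helper that also lets the client confirm the result. It emits the shell commands the guest must run, clears any stale staging file first, and ends with sha256sum so the script can detect a truncated or corrupted upload instead of trusting it blindly; an offline round-trip check is included so it can be tested without a target. The remote path /tmp/bout and the 300-character chunk size follow the script above; the .b64 staging file name and the function names are my own.

```python
import base64
import hashlib
import shlex


def upload_commands(data: bytes, remote_path: str, chunk: int = 300) -> list:
    """Shell commands that rebuild `data` at remote_path through the guest's shell.
    `chunk` counts base64 characters per echo (the script above uses 300)."""
    staging = remote_path + ".b64"
    enc = base64.b64encode(data).decode("ascii")
    # A leftover staging file from an earlier attempt would corrupt the decode
    cmds = [f"rm -f {shlex.quote(staging)}"]
    for i in range(0, len(enc), chunk):
        cmds.append(f"echo -n {shlex.quote(enc[i:i + chunk])} >> {shlex.quote(staging)}")
    cmds.append(f"base64 -d {shlex.quote(staging)} > {shlex.quote(remote_path)}")
    cmds.append(f"chmod +x {shlex.quote(remote_path)}")
    # Final line: the guest prints the digest so the client can verify the transfer
    cmds.append(f"sha256sum {shlex.quote(remote_path)}")
    return cmds


def replay_locally(cmds: list) -> bytes:
    """Reassemble what the guest shell would write by reading the echo chunks back
    out of the generated commands; an offline round-trip check of the chunking."""
    parts = []
    for cmd in cmds:
        argv = shlex.split(cmd)
        if argv[:2] == ["echo", "-n"]:
            parts.append(argv[2])
    return base64.b64decode("".join(parts))


def local_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_digest(sha256sum_line: str, data: bytes) -> bool:
    """Compare the `sha256sum` output captured from the guest ("<hex>  <path>")
    against the local file; False means the upload must be repeated."""
    fields = sha256sum_line.split()
    return bool(fields) and fields[0] == local_digest(data)


if __name__ == "__main__":
    # Constructed sample payload; a real exploit binary would be read from disk instead
    payload = b"#!/bin/sh\necho hi\n" * 50
    cmds = upload_commands(payload, "/tmp/bout")
    assert replay_locally(cmds) == payload
    print(len(cmds), "commands for", len(payload), "bytes")
    # Simulated guest output for the last command; constructed for this demo
    print(check_digest(local_digest(payload) + "  /tmp/bout", payload))
```

In practice each command is sent with send_cmd() from the script above and the last line received is passed to check_digest(); the slowness of this method comes from one prompt round trip per chunk, so a larger chunk value reduces the number of round trips, bounded by what the guest's line discipline accepts in a single input line.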

Method 2

First push to a remote repository, then clone it down with git;

Tested and it works well; the upload to the remote side is a little slow, but it is certainly much faster than transferring via base64 😀

Local git:

git add ./test
git commit -m "1234"
git push origin master

Remote:

git clone https://github.com/Qian-YM/KernelExp.git

Author: q1ming
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit the source, q1ming, when reposting!