Digital Overdose 2021 Autumn CTF 复盘

Posted on

Time

看了国外大佬的WP,学会了如何替换libc的函数:

假设我们有程序test1

1
2
3
4
5
6
7
8
#include <time.h>
#include <stdio.h>

int main() {
    time_t tt = time(NULL);
    printf("%li\n", tt);
    return 0;
}

我们知道time(NULL)可以返回当前时间戳,那如果我们想不论何时都让函数返回固定值,就可以先写一个libtime.so库:

1
2
3
4
5
#include <stdlib.h>

time_t time(time_t *t) {
    return atoi(getenv("TIMETHING"));
}

那么当我们用以下方法运行程序:

1
2
export TIMETHING=12345678
LD_PRELOAD=./libtime.so ./test1

那么无论何时运行多少次test1都会输出12345678

那我们将libtime.so用于time程序,即可:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import subprocess
import os

os.environ["LD_PRELOAD"] = "./libtime.so"

twodays = 86400*2
perseverance = 1613606400  # 2021-02-18

for t in range(perseverance+twodays, 0, -1):
    os.environ["TIMETHING"] = str(t)
    out = subprocess.check_output("./time", env=os.environ)
    if b'Decryption failed' not in out:
        print("flag: %s" % out)

顺便说一下,英语真的要学好= =,题目描述的 Perseverance Arrives at Mars! 是毅力号到达火星的意思,在google上搜到了:

Perseverance, the centerpiece of NASA’s $2.7 billion Mars 2020 mission, touched down inside the Red Planet’s Jezero Crater on Feb. 18, 2021.

其中 Feb. 18, 2021. 时间戳就是1613606400