First of all, my environment: to solve all of these cases I used Windows 10 with Kali Linux 2.0 on VirtualBox. I found the challenges to solve here. I decided to check them one by one, starting from this archive: /2004/Defcon-Quals/2004-quals.tgz.
Case #01: stage2
Ok, now we will use objdump:
Ok, so now I created a pattern using the pattern_create tool from Metasploit. The pattern was used as argv[1] for our stage2 application:
Enter. …and we are here:
Let’s find our offset using pattern_offset from Metasploit again:
Ok, so it looks like our overflow needs 104 characters to appear. Verifying:
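The two Metasploit tools used above, reimplemented as an added example (this is not code from the original post or from Metasploit): a pattern_create-style cyclic generator and a pattern_offset-style lookup. The generator emits the familiar "Aa0Aa1Aa2..." triplets, and the lookup takes the 32-bit value observed in the instruction pointer at the crash, reverses it into little-endian bytes, and returns the position of those bytes in the pattern. The wrapper offset_for and the 20280-byte cap (the point at which the triplet sequence repeats) are my own additions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATTERN_MAX 20280   /* 26 * 26 * 10 triplets of 3 bytes: after this the sequence repeats */

/* Fill out[] with a cyclic pattern "Aa0Aa1Aa2...Ab0Ab1...": upper letter,
 * lower letter, digit. Every 4-byte window is unique within PATTERN_MAX bytes,
 * so the bytes that land in a register after a crash identify the offset.
 * out must have room for len + 1 bytes. Returns the number of bytes written. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    if (len > PATTERN_MAX)
        len = PATTERN_MAX;
    for (int u = 'A'; u <= 'Z' && n < len; u++)
        for (int l = 'a'; l <= 'z' && n < len; l++)
            for (int d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { (char)u, (char)l, (char)d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    out[n] = '\0';
    return n;
}

/* Given the register value seen at the crash (e.g. EIP = 0x35644134), find
 * where those four bytes sit in the pattern. The register holds the bytes
 * little-endian, so the needle is built least-significant byte first.
 * Returns the offset, or -1 if the value is not part of the pattern. */
long pattern_offset(const char *pat, size_t len, uint32_t reg)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)((reg >> (8 * i)) & 0xff);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Convenience wrapper (my own): generate a pattern of the given length and
 * look the register value up in it, using a static buffer. */
long offset_for(uint32_t reg, size_t len)
{
    static char pat[PATTERN_MAX + 1];
    size_t n = pattern_create(pat, len);
    return pattern_offset(pat, n, reg);
}

int main(int argc, char **argv)
{
    /* Usage: ./pattern <length> [hex register value] */
    size_t len = argc > 1 ? (size_t)strtoul(argv[1], NULL, 10) : 120;
    char pat[PATTERN_MAX + 1];
    size_t n = pattern_create(pat, len);
    if (argc > 2) {
        uint32_t reg = (uint32_t)strtoul(argv[2], NULL, 16);
        printf("offset of 0x%08x: %ld\n", reg, pattern_offset(pat, n, reg));
    } else {
        printf("%s\n", pat);
    }
    return 0;
}
```

With a 200-byte pattern, a crash showing 0x35644134 in EIP maps back to offset 104 (the bytes "4Ad5" start there), which is the value the writeup arrives at.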
Great. Let’s try to go deeper. I found a nice (19b) shellcode on exploit-db.com (thanks!). Let’s try to use it in our attack:
So, hm.
Yes. Here we are:
:]
Case #02: from Easy CTF 2017
You can find more about Easy CTF here. I found a link to the resources (the so-called ‘problems’) at this location: https://github.com/EasyCTF/easyctf-2017-problems .
Like before, I was interested ‘only’ in those challenges where we need to exploit some kind of vulnerability. That’s how I found the simple-rop challenge.
Let’s get to work. For my testing/learning purposes I created a ‘flag.txt’ file in the same directory where simple-rop.c was compiled:
Ok, flag.txt is ready and the app is compiled, but comparing some results from objdump and gdb, you will spot one missing line:
Let’s try to complete the task. The idea here is to ‘read the flag’. Let’s disassemble print_flag in gdb:
Generating a pattern (pattern_create 100), we will try to overflow our buffer (we know from the source that this is a 64-byte char buffer). Trying:
Ok, crashed. After a while we will see that the best offset should be 76 * ‘A’ + the address of print_flag. Let’s try it:
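The defect behind simple-rop, reduced to its shape and placed beside a bounded replacement, as an added example (not the challenge source and not the author's code): a 64-byte stack buffer filled by an unbounded copy, so that input longer than the buffer runs over the saved frame and the return address, which is what the 76-byte offset above lands on. The hardened accept_input keeps the same 64-byte buffer but rejects input that does not fit. The function names, the helper accept_repeated and the printed strings are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 64   /* same buffer size as in the challenge source */

/* The bug in its simplest form: an unbounded copy into a fixed stack buffer.
 * Bytes past the buffer overwrite the saved registers and the return address,
 * so the function "returns" wherever the input says. Here to be read, not to
 * be called with long input. */
void vulnerable_copy(const char *input)
{
    char buf[BUF_LEN];
    strcpy(buf, input);           /* no length check */
    printf("got: %s\n", buf);
}

/* Bounded copy: succeeds only if src (including its NUL) fits in cap bytes.
 * Returns 0 on success, -1 when the input is too long. It never writes more
 * than cap bytes and never leaves dst unterminated on success. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    const char *end = memchr(src, '\0', cap);   /* terminator within cap? */
    if (end == NULL)
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Hardened entry point: same 64-byte local buffer, but the copy is bounded,
 * so the saved return address cannot be reached from the input. */
int accept_input(const char *input)
{
    char buf[BUF_LEN];
    if (copy_bounded(buf, sizeof buf, input) != 0) {
        fprintf(stderr, "input rejected: longer than %zu bytes\n", sizeof buf - 1);
        return -1;
    }
    printf("got: %s\n", buf);
    return 0;
}

/* Test helper (constructed input): feed `count` copies of `c` to accept_input. */
int accept_repeated(char c, size_t count)
{
    char *in = malloc(count + 1);
    if (in == NULL)
        return -1;
    memset(in, c, count);
    in[count] = '\0';
    int rc = accept_input(in);
    free(in);
    return rc;
}

int main(int argc, char **argv)
{
    return accept_input(argc > 1 ? argv[1] : "hello") == 0 ? 0 : 1;
}
```

A 63-byte input is accepted, 64 bytes or more is refused, so the 76-byte offset that reaches the return address in the challenge binary is never written. For the unbounded variant, building with -fstack-protector-strong and -D_FORTIFY_SOURCE=2 (the latter needs -O1 or higher) turns the silent overwrite into an abort, which is the kind of mitigation the "missing line" in the objdump output hints was absent from the challenge build.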
Cool. ;]
Next.
Case #03: doubly-dangerous, also from EasyCTF 2017:
This was a little surprise for me when I saw the fxch instruction in the asm code (afaik possibly some other variants too) ;] anyway... let’s try it:
As we can read at the link:
Ok. As you can see, our goal is to get modified equal to 11.28125, see line 39:
(...) 39 if (modified == 11.28125) {
…then we will run the give_flag() function (and hopefully our modified shell). Let’s get to work. During the next step we can see that our content is almost ready:
After we continue:
Now, because we know that we need to compare those two ‘strings’ (st1, st2), we can also check the value we need to compare to:
So far so good. Playing a little bit with lengths and:
…and we’re here:
Ok.
Case #04: overflow1.c from EasyCTF 2014:
I copied my flag.txt from EasyCTF 2017 (case #03 above). Now it looks like this:
I assume that we need 0xc0deface as the secret value. Then we will run a shell. Let’s try:
Ok, looks cool. Assuming that we know how to set up our shellcode, we can now proceed with the new shell:
See you next time ;]
Cheers.