I was surprised when I saw that we will start from... the Kali :)
According to the 'readme page' we can start from the level0 user. Let's do that:
Ok, I think we should get a little bit 'familiar' with this desktop ;)
Let's start a console window to find our target binary:
So far so good, let's run the file command on the binary (sometimes you will use it during "other activities" as well ;)):
Ok, now I think it's time to open levelOne in gdb:
* before you do that, you can check the $HOME directory for a .gdbinit file:
That's good. I also like to add set pagination off:
Ok I think we are ready to go:
Checking all the calls should give an idea of how it should be done.
I copied the binary to my local Windows box to check it in IDA:
Checking:
As you can see, you can change 'hex' (for the uid) to decimal:
Right-click and select 'H':
Now, let's see this code:
I think you are already familiar with 'those basics' ... ;) So (with a bp set on strcpy - main+71 in my case):
So far so good.
Now, next guess:
Almost ;)
Cool, but we are still the level0 user (privs dropped?)
I decided to leave gdb and recreate the steps in the shell again:
Great! :) Now we are ready to get the flag (it will be our password for the next 'level'):
Level1:
From now on - if you want - you can (re)log in as the level1 user. We should be here, checking our new binary with file - like before:
So now (I again copied the target binary to IDA) we should be somewhere here - the function hello():
(As you can see, I changed src to our_payload (press 'n' on the variable or right-click to 'rename').)
Let's try this:
Ok, now back to Kali:
Now open it in gdb (and set a bp on *main):
Now it should be easier. To find a string for our system() function I used:
gdb> x/100s $esp
...after we started the process with b *main. ;)
Checking:
(x/200s worked better ;))
Now we need to calculate:
Checking:
(it should be wrong because we're still using the SHELL variable (in our address...), see below)
So, checking again:
Calling:
Wrong. Again, Neo.
Wrong. Again.
Good. Preparing to run without gdb:
(Let's say that 'during a CTF') a root shell means you won. But let's not cheat here. There are 3 more flags to grab:
Cool. Switching to the level2 user. We will start here:
Go:
Next:
Should be fun. :)
Hints from x/500wx $esp:
Next:
Ok. So I think we need to overflow the variable with our new location (so BBBB becomes <start of our CCCC-shellcode-addr> and we will then be able to run the 'shellcode'...).
To generate my 'sample shellcode' I used my old script:
Checking:
Nope.
Again.
Checking again:
Now looks good. Let's check the address of our shellcode again:
After a little rewrite ;) we can try x/300wx $esp again:
Again. :)
...but maybe this time I will open that 444/tcp port on my Kali box? ;)
Looks better. ;]
I think it's enough for the 'part 1' of this CTF. We need to check what's going on with those last 2 flags so stay tuned... ;)
See you next time.
Cheers
P.S.
(Updated at 25.03.2019 @23:30)
Ok, it's time for some updates (I decided to add those last 2 challenges here, not in a new post, so...) ;)
Let's start here - levelFour:
Checking:
Now we are here, preparing our payload:
Searching...
Next:
Next:
Cool :) Last stage (because we 'already got root' ;))
Next, get the flag:
Cool. Time to check the binary:
I used shellcode from shell-storm.org - thanks! - when I saw gets() it reminded me of one CTF I played in the past:
Preparing:
Next:
Rewriting payload:
Next, I rewrote my payload (a few more times... ;))
Again...
...and again...
I decided to use this address:
And the reason is:
Cool :) I think it was very nice CTF. You should try it :)
See you next time!
Cheers