Wednesday, 9 October 2019

PicoCTF 2014 - best shell

Last time I tried to solve a few challenges from PicoCTF 2013. This time I decided to check a few cases from the next edition, 2014. Below we will try to solve "best shell". Here we go...
We will start here:


Let's simply grep for the functions available in the source code:


When we read the source we can see setup_handlers() - it will be our 'menu':



Looking for shell_handler in the source:
 

Ok, so there should be an admin variable too; let's check:


Indeed. So when the binary runs it should: read the password file, and if it's not null, proceed with the handlers:


Checking with IDA:



It's always good to check the imports (we can find some interesting/vulnerable functions and the references to them). To do that in IDA go to View -> Open subviews and click Imports (but this tab should already be open :)

For example - strcpy:


The function can be found in rename_handler:

Checking the pseudocode:

I changed sub esp,28 to 40 (click on the 28 and press the letter 'h'; you can achieve the same by right-clicking):


Verifying the length:

One more... ;]


Ok, checking with gdb:


Looks good:

... but why:

As you can see, the JE instruction (yellow) is pretty much the same as if(admin) - the 'diff' between the pseudocode and gdb is presented on the screen below:


(A few more similar cases are described here.) Checking outside gdb:


Good. :)
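The strcpy in rename_handler and the if(admin) check in shell_handler, as an added C example that is not the challenge's source: an assumed session layout with the name buffer next to the admin flag, the unchecked copy beside a bounded one that rejects oversized names before they can reach the flag. Struct name, field names and NAME_LEN are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define NAME_LEN 32

/* Assumed layout (not the challenge's code): the name buffer sits right
 * below the admin flag, so bytes written past name[] land in admin. */
struct session {
    char name[NAME_LEN];
    int  admin;
};

/* Stand-in for the strcpy in rename_handler: copies the whole string with no
 * regard for name[]. Clamped to sizeof(*s) only to keep this demo defined. */
int rename_unchecked(struct session *s, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > sizeof(*s))
        n = sizeof(*s);
    memcpy((unsigned char *)s, src, n);
    return 0;
}

/* Hardened handler: reject any name that does not fit with its terminator,
 * so the copy can never reach the admin flag. Returns -1 on rejection. */
int rename_checked(struct session *s, const char *src)
{
    size_t len = strlen(src);
    if (len >= NAME_LEN)
        return -1;
    memcpy(s->name, src, len + 1);
    return 0;
}
/* Mirrors the if(admin) test the post found in shell_handler. */
int is_admin(const struct session *s)
{
    return s->admin != 0;
}

int main(void)
{
    struct session s = {{0}, 0};
    char longname[NAME_LEN + 9];            /* 40 'A's: longer than name[] */
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    int rc = rename_checked(&s, longname);
    printf("checked:   rc=%d admin=%d\n", rc, is_admin(&s));
    rc = rename_unchecked(&s, longname);
    printf("unchecked: rc=%d admin=%d\n", rc, is_admin(&s));
    return 0;
}
```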

I think there is also another way to solve this challenge: when you open the binary in gdb, before running it set a breakpoint after the call to setup_handlers. Then if you run the program you will be stopped here:




This is good, because all the 'settings' (see the source of the challenge) in main() should already be loaded into the program's memory - so let's check 'admin_password':


"...just a thought..." ;)


See you next time!

Cheers
