Binary Exploitation (Pwn) Challenge Walkthroughs - Killer Queen CTF 2021

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

in this video we're going to take a look at some of the phone challenges from the killer queen ctf you can see the challenge with the most solves at the moment is a kind of magic with 186 but i'm gonna solve these in order of the pwn challenge type rather than the number of solves so let's start off with hammer to fall and the description says dynamically sized images her we've got this hammer twofold.py file to download so let's just go and take a look at it you can open up with your ide of choice or text editor i'm using codium here or vs code and we open up we see that we've got numpy has been imported we've got a numpy array being declared here with a data type of int we have a input here so it's taking an input from the user it's going to ask us to it says this hammer hits so hard it creates negative matter which is a hint as was the challenge description this is to do with an integer overflow and it asks for the input it converts to an n it will check to make sure it doesn't equal minus one if it does it's going to exit and if it doesn't equal minus one it's going to assign the first element of the array to the value we entered it's gonna multiply it by seven and add one print out the result of that multiplication and if it now equals -1 it's going to print the flag otherwise it won't print the flag so we basically need to try and find out what number we need to enter to get it to print the flag and that's going to be our flag so let's just have a play around with it first of all we can try and run the program let's enter -1 and as expected it'll exit the program let's run it again and try and enter a normal value we get nine three six zero four one three three seven so it's multiplying one two three seven by seven it's adding one and it's getting nine three six zero we could try and enter a large number and we'll see here we get an overflow error the python is too large to convert to a c long so let's go and find out what the range of this data type is if we go and search for python into data type range and i'll probably run this in i'm going to search this in google because duckduckgo never seems to give me a nice instant result if we search this in google we very quickly find this is the range for a 32-bit data type we're using a 64-bit here so let's change this to 64-bit and here we get our range here so the range of the 64-bit goes from negative nine uh whatever this number is all the way to the same positive um basically minus one so let's take a copy of that value um let's get rid of the commas that are in it and the spaces and we know that this is going to be multiplied by seven so we want it and it's going to add one as well so we want to try and divide it by seven first of all let's um let's well let me just first of all show if we open this in python three and try to do divided by seven and the result that we get isn't what we want um and we can use like the format print to um print the full value or we can convert in but it's not going to give us the correct value like the same value you'd get in a calculator i actually saw this in windows calculator whenever i was solving originally but we can just use python 2 that'll give us the correct value for this let's try it again divided by seven and you can see the value we get here which is not the value we got here so we'll take a copy of this let's run the script again and enter that and this time we get negative nine two two three three seven let me go back here so we're actually getting negative we're getting the maximum value there right this was the max this is the lowest negative value so if we were to add this value here to this negative value it's going to give us negative one so let's go and try to do that let's do let me go back here and i'm going to do i'm going to add these together i'm going to take this value instead but we also need to divide this by 7 now because we know it's going to still be multiplied by 7 it's still going to add one so let's do the value that we've just got there divided by seven let's take a copy of this and then try to submit that instead we enter that value and this time we get negative one so the value that we need to submit as our flag is this value right here so the flag is simply going to be this the next challenge we're gonna take a look at is called i want to break free and the description says i want to break free from this python jail we've got the source codes download and uh netcat service connect to once we've got things working locally so let's go and open up the uh let me open all this up i'm not sure what the mac os x stuff is so we've got this jail public with a jail.py script and we have a blacklist.txt as well so there's a server function here you can see it's going to print the message you are in jail can you escape and then while true it's going to take input from us it's going to set safe to true it's going to make sure that the characters in the data we submit are all within this range so greater than 33 less than or equal to 126 if not it's going to say it's not safe or if any of the words that we've input in our data are in this blacklist.txt which you can see here um it's also going to say it's not safe so for the words in bad words which is that blacklist it's going to say if bad word is in data or if data is in bad word safe equals false and then if safe equals true at this stage so if we've not entered any blacklisted words and all of our characters are in the correct range then it's going to execute the data we've supplied otherwise it's going to say we've used a bad word or if there's a an error it's just going to crash out so the words that it's blacklist in here as well these are kind of standard command line words grep um cat nano import well some of these are python and some of them are command line commands uh so let's go and have a look at some techniques that we can use let's search for python sandbox escape we can go and find some cheat sheets or some previous write-ups and stuff like that um there's the hat tricks link let me open this up and we can go through here and just try and find some basic examples to test out there should be some methods here of bypassing some of the techniques here like encoding in hex or encoding in octal base64 etc and here's what we want to do so if you can access the built-ins object you can import libraries notice you could also use here other string repetitions shown in the last section so this hex stuff and we can run commands like this so let me try and take a copy of this let's just go and test this out first of all and see what happens we'll run python let me go into the jail directory python jail we just paste that in and we get we used a bad word so what i found interesting here is the built-ins doesn't actually trigger any issues i thought it would find built-ins let me just go back and demonstrate that if we run this again and just do enter that we get no problems at all and what we can do then is say os we could do os in capitals and then say lower because it we can run that in python and then we could try and call a system in the systems not in the bad words so we can do system and then let's try and do ls as well ls i don't think is in the words so if you do that then we are able to list files in the directory the problem is going to be if we try and do the same thing again let me take a copy of that and do flag catflag.txt we get we used a bad word we could try and do the same thing again but do the lower as we did there let's do cat flag dot txt and dot lower but we get we use the bad word again so what i'm going to do here is go to cyber chef and let's grab the hex equivalent of that um let's actually yeah okay let's do two hex and we'll say catflag.txt we want it in backslash x so we're just going to change the format here take a copy of that and okay i can't use the up command here so let me just take a copy of this again and copy this okay mr quote i missed a unexpected token what am i missing oh i didn't run the program after i'm missing okay yeah this time we get catfly.txt there's no such directory so we could do echo um fake flag to flag.txt we could run it again and this time we get our fake flag so everything's working properly all we need to do now is go and test this against the server let's go and grab that server and port number we run it again let's just take a copy of the of what we just entered and submit that and we get the same thing again catflag.txt no such file or directory so let's take a copy of the ls command that we run and we'll see that actually the flag is in this long file name so we need to go and convert that to hex and we need to take a copy of that but let me first of all just take a copy of this stuff here submit that and then we get our flag back so that's how we were able to bypass the black list by we could have actually done that all with hex encoding so here we did os dot 2 lower or 2 os.lower we could also just use os in hex there as well the next challenge going to take a look at is called zoom to win and the description says what would ctfs be without our favorite rep to win so again we've got a service connector we've got a file to download let's download it here and we have zoom to win so we'll make executable first of all we want to have a look at the protections on this so this is a standard return to win style challenge which basically means the goal of the challenge is going to be to overflow the buffer and overwrite the return address of the program to redirect execution to a function of our choice so there's likely to be a function called win or flag or something like that and we want to redirect the program towards that function and we can have a look and see what protections are enabled on the binary first of all let's check that out so check circle let us know what protections we have here there's no pi enabled which means the addresses in the program the function addresses the gadgets and things like that are all going to be hard-coded so they'll be the same on the server as they are locally and they're not going to change each time the program loads we have nx is enabled which basically means we're not going to be able to execute any shell code so we can't just inject our own shell code onto the stack and execute it it'll be marked as data basically there are no stacking areas which basically just means we'll be able to overflow the buffer we don't need to worry about tripping off any canaries which we'll we'll we'll look at later in another challenge and partial railroad just um relates to the writeability of the global offset table and stuff which we're not going to need to worry about for this one either so we can open this up in geardroid and have a look at it let's first of all open up gdb i'm using the pong debug plugin here but you can there are some other plugins like jeff or pedr that you might want to use we can open that up and we can have a look at the functions in the program uh we actually get no okay we need to select the file first of all info functions and we'll get the functions here so we can see we've got this main function we've got a flag function let's disassemble the main function and it's pretty short we can see that it's going to call puts um so it's going to print out some text to us and then it's going to call gets it's going to read in some data from us but at no point does it call this function here called flag so it looks like that's going to be the function that we want to return to let's disassemble flag and note that we have the address here as well so you could actually use this address to go and put the exploit together and we can see then the flag function is going to call system it's going to place something into the rdi first so maybe a shell or cat flag.txt or something like that let's open this up first of all we'll open it up in uh in geardrop as well just have a look at it i kind of wish you could just set these as a default like always just click ok and analyze all and stuff on gearjoe because i don't think there's any times i've ever opened it and not needed to click those things so it kind of seems like you could just remove the clicks but uh yeah we'll open this up analyze yes analyze we have our functions here on the left so the same sort of stuff here we've got our main function what's nice about geardra is that we can actually see the disassembled code sorry the disassembled code here on the left and then the decompiled code on the right so it tries to basically give us a kind of c like syntax for the code so we can see we've got our main function here it defines a buffer of 32 bytes it's going to print out let's not overcomplicate it just zoom to win and then it's going to read in input into our local 28 variable but it's not checking whether the input that we provide is going to fit which is what's going to lead to our buffer overflow and you can actually see if you're going to have a look at man gets um you should see in here somewhere saying that the function is dangerous and should not be used yeah never use gets uh so it basically tells us here to use f gets which will ensure that you specify how many bytes you want to read in so there's no bounds checking here so yeah if we can enter in more than 32 bytes and then overwrite the return address on the stack so that whenever it returns instead of returning wherever it would have returned it's going to return to our function of choice which in this case is going to be that flag function and you can see that flag is in a core system catflag.txt so let's go and although we can see that there's a 32 byte buffer there let's go and see how we could identify the exact offset in gdb we can generate a cyclic pattern in this is using the i guess the phone tools function um i'm going to do cyclic 100 it's going to generate a pattern of 100 bytes i'm going to run the program it asks us to put in an input i'm going to put in the input that we just generated and here the program's crashed and we can actually see what the state of the stack is and the registers and stuff as the program crashes and the value that we have here in the rsp the first four bytes is is our offset so if this was a valid address this would have made it into the rip into the instruction pointer um but on 64-bit processors because if this isn't a valid memory address it just won't even try to execute it basically but this is what would have made it in so we can have a look at cyclic l to look up the offset and see that it was 40 bytes in so if we write 40 bytes and then write a a memory address it's going to overwrite this return address with that memory address and that's where it's going to return to and we know that we have a uh we can do that again disassemble flag we know that we have this flag function which is right here so presumably if we write 40 a's for example and then this address will be able to return to that function so let's um let's try that out we can do python dash c actually let's do python 2 because if you do python 3 it has some problems with printing bytes and we'll do print a times 40 plus and then this is where we're going to want to put in that memory address but um we need to do it in little endian format so it's gonna be reversed basically so backslash x nine six backslash x one one backslash x four zero now you can see that's the other way around and then we need to do some padding as well because it's 64 bit so we'll add five of these null bytes let's try and run that uh this isn't gonna be something we can copy and paste as you can see here so i'm gonna send that to a file called payload i'm also going to create a fake flag again so let's do echo fake flag oh to flag.txt and now let's try and run this program again but sending that payload we run it we send in the payload it has crashed did it give us a flag it actually didn't what's in the return address okay these zeros are on the wrong side let me do this again a little endian format what am i doing um you can see how rarely i do things manually now let's do this again let's send it the same input and this time we get our fake flag so we could actually just run this locally now we could do um dot slash what's the program called zoom to win and then just send in the payload and here we get our fake flag we've got a segmentation fault because it we overwrote the return address didn't know where to go next basically but uh we got our flag anyway we could try that against the remote server let me just grab the server and port number here and see what happens let's try and do the same thing and just send in that payload we run it and we don't actually get the flag this time and that's due to a stack alignment issue which we'll have a look at shortly what i'm going to do is we've seen how we can identify the offset the offset was 40. we did that kind of manually in gdb let's go and put together a phone tool script to do this for us including finding that instruction pointer value so let me go to my github and let's go into ctf um this poem templates all over the place but there's one here just in the phone and i'm going to take a copy of this let's say just name this something as long as you don't name it pwn because that will cause some problems with the import in the pro tools library i'm going to paste this in here and this is basically just a template i used so let me just run through this if you've watched any of my poem videos before you'll be sick of hearing me explain this template but just for people that are new this can look a bit daunting whenever you open up to begin with so let me just explain this here we've got a start function here and this just basically means whenever we run the program we can quite easily set it to debug mode by providing a gdb parameter and quite easily set it to remote or we can just run it locally so it's very handy for swapping between local and remote and i'll demonstrate that later but uh nothing you really need to worry about you never change this code here we also have a find instruction pointer function which is gonna basically just do what we did in gdb it's gonna generate a cyclic pattern and you can see here cyclic find it's going to look for that in the it's going to run the program it's going to crash the program and it's going to then read the core dump and have a look for the offset of the the bytes that we're interested in so basically exactly what we did in gdb we also have a gdb script here so if you are running in debug mode you can go and add breakpoints here so you might want to set a breakpoint at main or provide an address of some something that you're interested in looking at and then we need to provide our file names so our file name is zoom to win it's going to identify the architecture so it's going to know that it's 64-bit it's gonna know that it's linux etc and that'll make things a lot easier for us later we can also set the log level i set this to debug mostly but you can change it to info or warn depending on how much information you want to see debug is quite nice because you can see what's going back and forward between the server and um identify any problems quite easily but most of the stuff we don't need to change anyway so it's just down here we have our actual exploit and initially we're going to try and find the offset of the instruction pointer let me actually just comment all of this stuff out so whenever we run the program it doesn't actually ask us for anything so i'm going to just modify this function slightly to send line it's going to send the payload we know that the offset was 40 right because we did that manually so this is just going to find out the same thing for us hopefully let's try and run python exploit yes it runs through it's basically sent this big cyclic pattern uh it's crashed the program it's read the core dump file and then it's found in that core dump that the bytes that we were interested in were at the offset of 40. so this is literally the equivalent of me just doing that in gdp and then just type in 40 here but you know it's quite easy just to use the same function on other buffer overflows so that's how we can automate that part uh let's then look at the actual exploits so here we're gonna start the program we're creating a payload here and this offset is the offset that we provided here so this is basically gonna say at 40 bytes in we want to overwrite the return address and what do we want to overwrite the return address with well we could overwrite it with the address that we grabbed here so where was it this address of the flag function so i could just go and paste in here this address we could also take out these zeros because it knows that we're dealing with a 64-bit architecture because we set the context up here so it'll do all that for for us um in this case i'm going to take out this list because all we want to do is send the function address but because we've actually got the func the binary defined here it knows where that function is so we can just say here elf dot symbols or you can do elf dot functions as well and then we do elf dot symbols dots and then the name of the function the name of the function is flag we're going to write the payload to file just in case we ever want to send it off manually or something like that and then this is just gonna it doesn't ask us for any input so again here we're just gonna send the line and we don't get a shell on this one we get given the flag so i'm gonna take that out comment this out and hopefully this will give us a flag we run through that we don't get the flag but i think it's just because there was it gives us another line of input so let me do i o receive line run that again and this time we get our fake flag so that worked as it as hoped now the cool thing about using this template is that we can just go and grab this server address and port number and we can run the same thing again but we'll just add here remote in capital letters we paste in that server and the port number get rid of the netcat bit and that'll run on the remote server it didn't work but that's basically due to a stack alignment issue so in some cases more often than not these days you have to ensure that that there's a 16 by alignment and we can do that by grabbing a rep gadget uh return gadget so i'm going to use ropper and say wrapper file zoom to win and you can just run that that'll give you all the gadgets you can actually see here there's a rep gadget we could also do search reps and that'll give us this gadget specifically and i'm going to go and basically add this to our code so we're just going to say up here ret is equal to and that address and then we're just going to add this to our payload so i'm going to put this in a list so at this offset of 40 we're going to inject first of all a rep gadget and then that elf.symbol.flag and we'll test this again remotely and this time we get back our flag uh we also have our payload as well so we've got that payload there so now we could also just do a netcat and send in that payload and that should okay that doesn't give us a flag oh well um it works fine with the with phone tools anyway while we're here as well let me just show another quick trick that we could do here we could use uh rop objects here so you can create a rope object and say rop equals rop and you can see here the description of it so it's a class which simplifies generation of rock chains and there's quite a lot you can do with this there's some good documentation on the phone tools site for this but essentially we're going to pass in the elf it's going to create this rough object and then what we can do is just say rob dot and what function do we want to call we want to call rob dot flag and we don't need to provide any parameters if we did we could just supply the parameters here and that's basically it so we can do now rop dot chain and that'll that'll let me see the uh that'll create the string containing the raw bytes and then right at our opposite here we can just go ahead and say well let me actually just i'll do rob.chain here instead in fact yeah no i will let's take this out let's try that again try it locally first of all locally it works let's try it remotely remotely it doesn't work so it looks like it still needs the rec gadget here as well so let's try that yeah remotely it still needs direct gadget um in terms of finding the wreck gadget though you could also use a rope dot search as well so you can do rop dot or is it rub dot gadgets let me just oh we've only declared it here uh rock.gadgets yes so let me actually do do pretty print rob dot gadgets run that again and you can see all the gadgets that are available here we have this rec gadget here so you can actually use rub.search in here to just search for the gadget rather than specifying the address manually um but yeah that's just you can do a lot more with this with the rope objects as well if you check out some of my other pwn videos where we're doing kind of more complex exploits you'll see how how handy this can be in automating exploits the next challenge is called a kind of magic and the description says you're a magic man aren't you well can you show me and we have the netcast service download i've already got the file downloaded locally and opened up in geardrop i've also made it executable already so one thing we will do is check the security protections which are enabled and uh quite similar to the last one we have nx enabled this time we actually have pi enabled so the the addresses are the functions and basically they're going to change each time their program loads will only be able to know where the functions are once the program started running so they'll have the same offsets each time but just different addresses different base addresses should just say um still no canaries but we have full railroad here uh not really concerning because we're not going to be trying to override any entries in the global offset table or anything uh let me open this up in radar actually um a kind of magic we can do a a afl and this will show us the functions that we have here and the addresses of the functions notice that they begin with these zeros so we're actually just finding out what the offset is rather than the actual address so um we know that the main function will always have this offset of 1 1 c 9 but the base address before that is going to be different each time we can select s main and then pdf again to disassemble that code and go and have a look through this this is just quite similar to what we would have seen in uh in gdb whenever we were checking the last time we can also have a look here at the sections in the code as well and get an idea what size the sections are what we've got available to us and whether they're readable or writeable not really needed for this one i just thought i'd just demonstrate another tool that we can use to go through that what i will do is open this up in gdb phone debug again so we can have a look at the offsets and stuff it's called a kind of magic okay we'll open it up yep we've got our info functions we have our so we don't have a flag function this time let's go to the let's go over to geardraw and have a look here at the functions so we've got our main function uh and you can see the code for this here and so we have a 44 byte buffer of chars which is declared then we have a unsigned in local c which is set to zero uh it's going to put out this statement to us it's going to read some input in so it's reading in these 40 by 64 64 bytes sorry it's 40 in hex um and then it's going to say you entered whatever value your magic is and it's going to print out this local c variable and it's going to check to see if local c equals 0x539 which again we can go and highlight here and see that's actually equal to one three three seven in decimal or nine as a char and if it does it's gonna call catflag.txt now obviously at no point here is localc assigned a value so we input a value but it's never assigned to local c so this is quite similar to the last challenge but in the last challenge we were trying to overwrite everything that was on the stack and get down to the return address we could overwrite the return address and change the flow of the program in this case there's nowhere for us really to go but we want to overwrite the the value that we do control which is this local 38 and then keep going until we overwrite this local c variable with one three three seven or a nine in text uh so we can go through let me just first of all just show we can do the same sort of thing here we can do this sick click um 100 let's take a copy of it run the program paste that in it crashes i mean again we can have a look for the offset of the rip so it would be 56 bytes to overwrite the return address of the rip but that's not what we want to overwrite we want to overwrite the value before that so let's what we'll do here is go and have a look at this comparison we have this comparison here the here it's right here it's doing the compare uh one two five three so we can set a break point there we have to make sure the program's running first because we don't know what the base address the binary is so we can do run you see it's asking us here for the input i'm going to hit control and c to so we can go and set up a breakpoint i'm going to say break rva which is going to basically say let me actually show first of all the pi base we can do pi base here pi base is telling us what the base of the binary is so the address of this um comparison is going to be that pi base address plus one two five three um but we can also just set a breakpoint directly at um zero x one two five three from the pi base so we use break rva to do that that sets the breakpoint up for us we're going to hit continue and we're going to send this 100 bytes cyclic pattern again we send that off we crash the program again but this time what we're interested in is seeing what this comparison is the comparison there is rbp minus 4 so let's do print rbp minus 4 and this is the address of that there so let's do x over s to print as a string and that's going to print the string that's in there and we want to have a look and see what the offset is at the beginning of the string so we can do cyclic dash l paste that in and we get 44. so in this case we need to overwrite 44 bytes before we're going to get to our um local c variable and you might notice that we can see 44 exactly what that should have been there anyway 44. um so we didn't really need to do that but just to show how we can do that in gdb um and that's how we're basically going to put together our exploits so uh if we go over to let me try and go over and do the python 2 again let's do python 2 command print a times 44 and then it was actually looking for a nine wasn't it so let's do plus nine let me take a copy of that let's run the program again we're hitting this break point um so you can see actually we've got in here where's the comparison it's doing yeah let's let's do this oh you can see here okay so aaa a9 let me let me do the same again okay nine but we have this new line in here so this was i wasn't i'm not really sure if there's a if there's a way we can do this here i was kind of thinking if we could do some null bytes but the null bytes don't show up in the in this python string and so if anybody got that working manually let me know i'd be interested to hear what i end up doing here is basically putting this together in a pwn tool script let me create an exploit.py again and i'm just going to copy over the script here because i've kind of explained it pretty well last time i think uh this is exactly the same same template i took out the eip function because we don't need it i've just manually said here that we're looking for 44 which we found manually through geardroid and through gdb uh we're starting the program and then at the offset this time the offset of 44 we're going to send this 0x539 or you could say 1337 as well it's both fine 0x539 it's going to save again to a payload file just we can use it again later and then it's going to send that off after after it gets this colon which you can see if we run the program that's what it asks us for that's why i've got that cool on there uh let's try and run it python exploit dot py we get our fake flag and you can see here then what's being set what's being sent this is what's being sent here but you can see here it actually has the null bytes whereas i didn't have the null bytes there somebody can let me know if if there's a way to do that we have the payload now so we can well let's run this remotely first of all let's do remotes just show how easy it is to swap between these two methods of local and remote take a copy of that server and port number we run it and we get our remote flag we could also then presumably use that payload that we created so we can just do netcat to the remote server and just send in the payload oh that doesn't get us a flag either okay well if we were doing this locally we could do a kind of magic and send in the payload and that would get us the flag locally uh you can see that it it changed the value to one three three seven uh but that's that challenge the next challenge is called tweety burb and the description says pretty standard bird protection so we've got the service connect to we've got this downloaded locally as well so let's go and take a look at it first thing we'll do is run checksec and we'll see that pi is disabled so the address is going to be the same each time it loads nx is enabled so we're not going to be injecting shell code onto the stack and in this case the stack canaries are found so let's go and have a look at this in gear draw let me go to functions we've got a it's a return to win style challenge again you can see we've got this win function here which is going to call system cat home user flag.txt we have this main function the issue is here so it's kind of similar to the zoom to win challenge we did the problem is we have the stack canary here so we've got our buffer here of 72 bytes which if we overflow that buffer um let me just show here we have the gets the the dangerous gets call so if we overflow the buffer with more than 72 bytes we'll be able to overwrite the return address the problem is we have this stack canary so you've got this local 10 which is set to a value at the beginning and then it's checked at the end to make sure it still equals that value so if we overwrite all of this local 58 variable we want to keep overwriting we want to overwrite the the rest of the variables on the stack and get all the way down to our return address um to the rip but if we do that we'll obviously overwrite this canary and whenever it gets down here it's going to say you overwrote the canary hang on i'm going to crash um so let's just demonstrate this first of all let me try and run the program tweety burb it asks us for an input let's just put in an input i'm going to put in something over 72 characters here and you'll see here we get stack smashing detected terminated so at some point in this um long string that i entered there should have been a canary and we basically need to try and well the best way to approach this here is going to be to try and leak the value of the canary and then overwrite whenever we do our buffer we overwrite the same variable with that same value so this doesn't trip off and we can leak that variable because we have this our first input asks us about the magpies and it's going to take an input from us and then it's going to print that input back without first making sure that this is formatted correctly so there's basically a format string vulnerability there whereby if we run this again if we do percentage x it's going to print the first value off the stack in hex we can do the same because it's a 64 bit we'll do p for a pointer and that's going to show us the full address um and we can basically do this for we can do that for a lot of different types we can use decimals we can uh use strings although the string will let me do a couple there so you can do let's do three of them okay that works let me do five of them oh that worked as well okay so basically the string rather than trying to represent the data that's on the stack as a string what it's going to do is it's going to go to that address and then represent whatever's at that address as a string the problem is if the value on the stack isn't a valid memory address then it's going to crash out if you try to use the string format but that's not what we want to use anyway we want to use a pointer um so we could do as we saw there like we can do percentage p percentage p we could take a copy of this and then just print a lot of them oops um that didn't work out let me take a copy of this let's go over to sublime oh god um what and now i can't copy that you see that copies actually it's removed the highlight from copy very strange all right so we've got uh values here let me see copy of those let's do you can see i've got some extra spaces in there but who cares uh we run this again we paste all those in oh we didn't run it again things aren't going right for me here all right we paste those in we get back all of these pointers and we can basically have a look and see so things begin with 7f are quite likely to be sometimes you get lipsy address and stuff uh which which you might want to look out for if you're trying to leak a libsy address in our case the stack canary i actually found from uh ironstone canary uh on ironstone's getbook is quite a good let me just copy the link there's quite a good example here of how to leak basic uh canaries and brute force canaries and stuff which i did read through whenever i was solving this challenge so if you're unsure about how these work there's a couple of examples here that you can go and check out and essentially based on the values that we have for the canary we can see in this case we have this one here ending with zero zero if we go back to the this article here it does mention uh they're trying to leak the same values and they point out that i'm pretty sure they point out oh yeah okay so the last value there is canary we can tell because it's roughly 64 bytes after the buffer start we should be close to the end of buffer additionally it ends in zero zero and looks very random unlike the lib c addresses beginning with f7 and ff so we only have one value there that has the zero zero on it we could run the program a couple of times and run this again and see does this change as it should each time well a lot of the other values will remain the same and basically you want to try and find out what offset that's at so another thing to remember whenever you're doing working with these format string vulnerabilities in some cases you won't be able to just enter as many of these p's as you want so there's another syntax you can use you can actually specify here percentage and then we'll say 15 p so we want to print the 15th element off the stack and we want to print it as a pointer so you could change that to s if you wanted to print it as a string we're going to print it as a pointer and that's going to print out our this is our stat canary um so we know that we want to leak our 15th element and we want to save it so we can then go and use it to overwrite again and then after that we're going to input our buffer overflow which we'll have to inject that canary into and then the win address as well so let me just copy over in this case i'm going to copy over the scripts that i put together for this let me go codium exploit.py so we have a rec gadget here we didn't need the rec gadget locally so let me just take that out for now uh you know that we used that on a previous challenge where by the there was a stack alignment issue on the server side and so you should be getting used to this template now you can see i had a break point up here for whenever i was going through and debugging this um trying to work out what was what was where whenever the comparison was being done with the canary we have our 72 bytes so this is the uh let's go up here we've got our 72 bytes right here this is the uh how many bytes you want to write before we can overflow the buffer so there's going to be 72 bytes there and you can see here then in our payload well first of all uh let's take it one step at a time we're um we're going to leak that 15th element off the stack i'm going to leak it as a pointer and then we're going to receive that and just basically convert it into a hex format and then i'm going to put together a payload so a payload is going to print 72 no operation instructions but this could you could just change that to an a or something like that i've just used no operation instructions there sometimes uh using certain characters on the stack might cause it to crash so a no operation instruction can just sometimes be a safer way to do things and then we're going to inject the canary so there's going to be 72 bytes and then there's going to be the canary because if we go back to our code here the 72 bytes and then there's this local 10 on the stack which is our canary so we're going to overwrite it with the correct value we're then just going to overwrite our rbp so we can get down to our so we can get so we can overwrite the rip after that and let's try and run that let's try and run it and see what happens i do python exploit.py it runs through you can see it's tried to print out the flag.txt but that doesn't exist so it's not been able to um not really too much for us to look at here you can see how the payload's been structured together if if that's of interest oh let's go back actually you can also see the canary is here so it's leaked the canary it's assigned as that canary value and then that canary is going to be in the stack whereas as a 57a1 yeah 57a1 you can see here so that's actually in our payload so we've got our new operation instructions which are hex 90 we've got our canary we've got eight more no operation instructions and then we've got our the address of the win function with some padding to make sure some null bytes there so we can go ahead and try this again remotely let's just um well let's try it first of all without adding our slack take a copy of this we'll run python exploit remotes just paste in the server and port number and it runs through we don't get a flag because we don't have that stack alignment so again we're just going to go and insert a rhett's instruction here which we just grabbed from wrapper so rope wrapper dash dash file tweety burb and this was the address of that uh we'll try and run it again remotely and this time we get back on flag tweet tweet did you leak or brute force please don't say you tried brute force and i'm going to wrap it up for the video here i did miss a couple of phone challenges but i want to go and check out another ctf so um i'll leave the scripts on github and the templates up there for anybody who's interested in that if you have any questions or comments or you solve something differently and you've got some tips for me you can let me know down below thanks

Info

Channel: CryptoCat

Views: 1,963

Rating: undefined out of 5

Keywords: CTF, capture the flag, killer queen, KillerQueen, pwn, binary exploitation, python sandbox, pyjail, integer overflow, buffer overflow, pwntools, ret2win, stack canary, canaries, ropper, r2, radare, GDB, pwndbg, ghidra, reversing, reveng, reverse engineering, exploit dev, infosec, tutorial, walkthrough, learn, demo, python, sandbox escape, obfuscation, checksec, binary protections, ELF, piebase, PIE, challenges, hacking, redteam, bug bounty, hacktricks, cyberchef, wargames, hackathon, cyber-security, pwn2own, RE, ctf, re

Id: xOHLniVJsJY

Channel Id: undefined

Length: 50min 45sec (3045 seconds)

Published: Mon Nov 01 2021