Day 4 - HTB Cyber Santa CTF: HackTheBox Capture The Flag 2021

Captions
In this video we're going to take a look at some of the challenges from day four of the Hack The Box Cyber Santa capture the flag competition. Each day we've got five new challenges being released, one from each category, and I'm doing these videos in order of the number of solves. Normally web has the most solves by this stage, but this time around it's forensics.

We've got this challenge called Giveaway, and the description says: Santa's SOC team is working overtime during December due to Christmas phishing campaigns. A new team of malicious actors is targeting mainly those affected by the holiday spirit. Could you analyze a document and find the command and control server? So we have a document, obviously, to download. It is a .docm, Microsoft Word 2007+, so we could go and open it up and take a look at it. Sometimes if there are macros and stuff you might need to use Windows, or use a sandbox with Windows, to try and run some of the scripts in it. We can go into Macros here, edit macros, and go and take a look through. OK, so here at the AutoOpen you can see that we have some stuff; we've got some obfuscated code in here which we could go through and try to de-obfuscate. There are some tools that can help us do this, so I actually used olevba as a tool here, but there are other tools like ViperMonkey which is sometimes a bit more successful for me. Let's try and run olevba. You can do olevba3 as well; I'm not really sure, I've not really noticed much of a difference, to be honest. But if we do that with the Christmas giveaway document, it comes back with some of the macros here, so some of the same code that we were seeing, but it's also given a list of suspicious indicators and some AutoExec functions, and we've got some indicators of compromise here: an IP address, an EXE name, some suspicious base64 strings, and it's telling us it might download more files from the internet. So you can see here that we've got an option to decode, to de-obfuscate some of the
strings, or we can just go and try to base64 decode them ourselves. Let's try and run it again with the decode option. We run again, and we actually get some strings this time, so you can see it looks like it's saying "inject"; we have "hell" here. Do we have anything else decoded? It's quite a lot more code up here; you can see that this is selecting characters, some of them by decimal, some of them by their ASCII code. Let's see a bit more about what it's doing up here. There'd be quite a lot to decode manually here. Let's run this again; we also had another option here to de-obfuscate, so we can decode, and we can also de-obfuscate specific strings. Let's try that as well. Missing a space; try that again, and we can see we've got some more stuff here this time. It's concatenating some of these characters and it's given us these results over on the left, so that looks like we're starting to build up a flag. Let's go and start to put this together. So we have "this is", and we have another underscore here, and then "once four", and then there was another closing bracket. Now obviously that isn't our flag; it doesn't make any sense, and it's ending with an underscore, so we need to go and at least decode some of this manually. Let's go up to some of this code up here, and we can see a few keywords: we can see "everybody", "present" and "christmas". If we go back to our flag here, "this is something once for christmas", so we're still missing some of this. We've got "a present", OK, so "this is a present everybody wants for christmas", but that's not our flag. There's also some other stuff happening here; we don't really need to understand all of it, but we can see it's doing some replacements here. So in this case we've got "present" and it's replacing the E's with threes, so we'll just go and do that, and then for "everybody" it's doing the same thing, replacing them with threes, and the string that it assigns... so it's assigning this string to be equal to "everybody" with the E's replaced by three, and then it's taking the same
string and doing the same thing again, but with an O and the number zero. So let's do that as well: three, three, and then zero. And then we're just missing "christmas" and "once", so it's going to replace I with a one and then A with a four. That's our flag. I'd be interested to hear how other people solved this one: whether you kind of combined this tool and some manual analysis of this section of code, or did you go through the full macro, or run it in some kind of sandbox to try and get the flag?

The next challenge is called Elf Directory. It's a web challenge, and the description says: can you infiltrate Elf Directory to get a foothold inside Santa's data warehouse in the North Pole? We don't have any source code to download for this one, unlike the previous challenges; we've just got a Docker instance to connect to, so let's go and take a look at it. We've got a login form. Because we don't have any source code this time, we'll have a quick look at the page source. Nothing much here really; maybe we could look at the JavaScript. It just seems to be some kind of form validation on the email, so nothing interesting happening there. Let's try and log in with some default credentials: you could try admin/admin, admin/password, etc. We could try and do some SQL injection here, so let me make this visible. Oh, maybe I need to set that to... the type, there we go. So, yeah, if we do something like this, close off whatever SQL statement is being done to grab the password and then say OR 1=1, or you could do something like 1=1 and then make sure you comment out the rest of the statement, however that's done in whatever language you're looking at. But this doesn't work for us; we get "invalid". We do have an option to go and create an account, though. Let's create an account. I always normally try to see if we can add the admin user, just to see whether there's already one present with that username or not, and
in this case there isn't, so we can try to log in now. We've got through to this profile page, we've got our username here, admin, and we've got some details which we can try to fill in, but we don't have any option to send off a form. Sometimes that'll just be a case of maybe we need to inspect the element and maybe it's just disabled or something like that, maybe there's some script which is disabling it, and maybe we can still use the form without any client-side controls. So maybe the PHP file that allows you to update these, or upload images or files or stuff like that, is still accessible and you could go and create a POST request in Burp Suite or something just to try and send that off. In this case, what we'll do is hit F12 again. Let's go and have a look at our storage, and we've got a PHP session ID. We can go and base64 decode this: you can take it to CyberChef, or base64decode.com, or you can go to the Decoder here in Burp Suite and decode as base64. You can see here we've got this username, admin, approved... it's actually got some issues here because of the URL encoding, so... there's our "decode as"; OK, that doesn't have a URL-safe base64. Let's go to Hackvertor. Hackvertor is doing a URL decode, so you can see here that it's decoded it properly, and now we're going to want to URL encode a new version. So let's see if we can change this "approved" to true. OK, we can't update that there. Let me... oh, that's very hard to take a copy of. It would be good if you could just update this and it would automatically update the other side; maybe you can do that, if somebody can let me know. Otherwise I'm just going to double-click this, or just click that, and then paste this in. This is going to give us a URL-safe encoded value. We want to update this to true, to say we are approved. Replace that, hit enter, and then let's try and refresh the page. OK, so now we've got the option to upload our profile picture. We can choose a picture here and try to upload it. What
I'm going to do is go and grab a web shell. Let me just locate shell.php; I'm going to grab this one and copy it to our local directory. This is just literally the most basic shell you can get: it's just going to take a command from us and then it's going to call system() on that command. So let me try to upload that and see if it allows it. We hit upload and we get an error. It's hard to actually see here, but we get an error saying invalid image, only PNG images are supported. So I'm going to go over to Burp Suite, I'm going to go to the Proxy tab and the POST request that we just made, send that to the Repeater, and now we can go and play around with this request. The first thing you might want to do is try and change the Content-Type. It says we're not allowed to upload anything but a PNG image; what if we change this to image/png, or image/jpeg, whatever it needs to be? But we still get a message saying no, it's invalid. So we could try and change the extension to .png, send that off, and we also get a message saying it's invalid. Note that this wouldn't have actually worked for us anyway if it was just searching for a .png extension; maybe you could try something like .png.php, but we do need .php at the end if this is going to be interpreted. So the other thing I was thinking here was the magic bytes, as we did on another challenge. We can look for the magic bytes for PNG and we could literally go and modify our PHP shells. So if we just open up shell.php, we need to add like eight lines... sorry, eight bytes in here, so one two three four, one two three four. I think that was four; that might have been nine, but anyway. I'm not going to do this, because this didn't work for me. I did try it: you can insert some here and then do save, and then hex edit, and then just modify these first eight bytes with the PNG header. In fact, let's go ahead and do it anyway, we'll try it out. So let's look for PNG, it's this one here. I'm going to take a copy of that and let's paste this in; let's replace those
first eight bytes. Let's save it, yes, OK, and now if we print this out we've actually got this PNG header at the beginning. I thought it would actually have said PNG though; maybe I've done that wrong. 0A 1A 0A, is that what we had? 0A 1A 0A, that's not what we have. OK, let's try this: 89... maybe you can't copy and paste that. 50 4E 47 0D 0A 1A, oops, 1A 0A. Save that, and that's looking better; maybe I did this wrong earlier then. Let's try this out and see if it works. I found another way to do it anyway, but let's try it. Upload it; it seems to have come back with the same error. Let's go and double-check that; it might still be... yeah, it's invalid. All right, well, let's send it to the Repeater, this one, and do the same sort of stuff here. Let's change this to image/png: no, invalid. Let's try and add the .png in here, and still invalid. So we need a valid image, and what I did here was open this image up here. We're going to need to know this location anyway, so let's go and open this up; it's in the uploads directory. All right, we'll save this image, save it to the same location, and let's go back and upload this, just to make sure it works first of all. It does; it says it's updated, and this is going to be our new profile image then. So let's go back to the Repeater... well, let's go back to Burp Suite, let's send that new request to the Repeater, and because we've got a valid PNG image here, what I'm going to do is rename this to .php, because we want it interpreted as a PHP file. But we need some PHP code in there as well, so we're going to grab this shell; I'm just going to paste this in anywhere. I'm going to hit send. All right, follow the redirections, all looks good. Let's try and reload the page; still looks OK. Let's go and open this, and here we go, it's PHP... well, it still has our PHP in it, should I say. So because our PHP shell is looking for a command, it's looking for a GET parameter called cmd, let's do question
mark cmd equals ls, and you can see here then it's listed out the files in the directory. So now we just need to traverse the directory. I'm just going to maximize this so we can see a little bit better; this is where our output is going to be. Let's do ls ../ and now we can see all of our files in the web directory. Let's do another ../ and now we can see this flag-something.txt, so we can just take a copy of this and say we want to cat that flag file, and it should have printed our flag. Where's it printed it? Oh, sorry, we need to make sure we still do ../../, and there we get back our flag: hack the box, break or get shells.

The next challenge is called Upgraded. It's a reversing challenge, and the description says: the elves have learned from their mistakes and now use military grade encryption to protect their secrets, but they've made a critical error. So we download the files; in this case we have output.txt and upgraded. Make sure upgraded is executable, and let's print out output.txt. We've got some bytes in here. We could go and try and find out how many we've got; I think it was actually 46 or 48... 48 bytes, I think. And if this is encrypted, as they mentioned in the description, presumably with this file, because that is what would make the most sense, we know that the first four bytes of whatever's been encrypted are likely to be HTB and the curly brace. So that opens up potential for some brute forcing, but we need to go and have a look at the program and try and work out exactly what it's doing. Let's try and run upgraded: "entering secrets", "retrieving wish list", "wrapping up gift". All right, so we enter in some input and it encrypts it. Let me try that again; let's enter "hack the box". I want to see whether the beginning bytes match up with that output. It doesn't look like it, no. OK, so we could try to run this with ltrace, with gdb or something like that. I prefer to go and take a look at the code in Ghidra first of all. I don't
have this imported; let me skip through the process, it takes a little while. OK, so with this opened up we can go and have a look, first of all, at our functions, see if we've got a main, which we do, and what's going on here. We know that it was taking an input from us, this scanf; it's then going to print out a couple of times, just some print statements with some sleeps in between them, so nothing important. The real interesting stuff is going to be down here with our encrypt function. So encrypt is being called, and then we have this cipher which has been created, a new cipher. It's an AES-256 CBC (cipher block chaining mode) cipher, and we've got the init for the encrypter, and we've got an update, and we've got a final_ex. So if we highlight some of these things here, let's see what it's taking in. You can see that whenever it's initialized (let me take my hand off the mouse, it's very sensitive), whenever it's initialized it's going to take in this cipher, it's going to take the type of implementation, it's going to take the key and the IV. So the key and the IV sound particularly interesting, which are in RDX and in RCX. What we might want to do here is set up a breakpoint at this function and see what's actually happening when it's called. So we can just take a copy. PIE is on here, so we're not going to be able to just provide the actual address of this function, but we know what the offset is to that function in the binary. So if we go gdb with pwndbg, pass in... what's it called, upgraded, and have a look at our functions here. We could disassemble here if we need to find offsets and things like that. So these addresses are just offsets to the different functions, but as soon as we run the program, and then let me just do info functions again, it's going to show a lot of functions, but essentially it will now have resolved these addresses. Let's do disassemble main; so you can see it now has the actual addresses, but the offsets are still the same each
time. Anyway, we wanted to do that break-rva, which, if you just... I didn't mean to do that, let me delete breakpoints, I meant to bring up the help. So if you do break-rva help, this is just going to set a breakpoint at an offset from the PIE base, and we just provide the offset here. So we say break-rva 0x and then that address that we copied; that's where the encrypt is going to initialize. We'll hit run, just type something in here, "test", and it's going to run through, and whenever it gets to that address we're going to hit this breakpoint, and we can see we've got "test" here. We've got some values which look to be of interest, but let's go and see here the actual parameters. So we can actually see here the values that we had in Ghidra; let me maximize that so we can see that in the background. So what was being passed in here, in RDX and in RCX, was our key and our IV, and we have the key and the IV right here. We've got the implementation, the cipher and all that sort of stuff. So we could grab this here, but that's not going to be the full length of the key, so let me try and do... let's print this out here. Let's try and do x/gx; we'll print a bit bigger, let's do x/4gx, and that'll print out some more information here, and we can basically, hopefully, go and just plug these values into CyberChef and get it to decrypt. We could also go and set up some breakpoints and see what's happening in these other stages as well, which I did actually do when I was doing this, because I did run into some problems using the values that we have in gdb. But we can also identify this manually as well. Let's go back to the main function. We know this has taken them in RDX and RCX, so let's go and see what's in RDX and RCX before the encrypt function is called. So we have encrypt right here, and just before encrypt you can see our assembly code over here. So just before encrypt is called, we have this value which is being placed into RDX, value 2 at the offset of 40.
That's been placed in RDX, and then RDX is being moved into RCX, and then RDX is being loaded with this value 1 at the offset of 20. So our RCX, it looks like... RCX was the key, right? So our key is beginning at the offset of 40 here; you can see all these hex bytes, 6b d5 52 77. Let's go back here to gdb: 6b d5 52. So this is why this wasn't working for me: the order of this needs to be reversed, 6b d5 52, it's the endianness, which I did actually try to do in CyberChef but I had some problems doing it. So I'll show how I grabbed these addresses in a second, but essentially we know this is the offset here that we're going to be interested in, and then for the other one we can go and have a look at value 1 at the offset of 20, and that's going to be our... was that our key? That's going to be our key, yeah, and then this one's going to be our IV. So let's go and see how we could do this with another tool. I'm going to open up radare: r2 upgraded, aaa, afl to list the functions. We don't really need to list the functions; it's the sections we're going to be interested in here, so then capital S for the sections. Let's go back here; this is probably in the data section. OK, I'm just going to take the address. Let's go and get the address for the first one, which was value 2 plus 40, this one right here, so we can actually just grab this offset again and say that we want to access this offset. We can do px 0x and paste that in. Do I want to print all the lines? No... OK, well, yes I do, but we're going to have to scroll up here a bit. All right, I'm not very good with r2; there'll be a way to just print what you need to there, but what was the offset that we just wanted to look for? 4148. So just have a look up here: 4140, so it's going to be here, isn't it: 58 7..., etc. And we're going to go and start plugging this stuff into CyberChef. So open CyberChef, let's do AES Decrypt; we know it's CBC mode. We'll go and get our
output.txt, which is our ciphertext, paste this in here, and then our key is going to be... I think this is our key that we're doing first. Let me just go back there to... let's start with our key. So encrypt: our RDX is going to be this value, value 1 plus 20, so 40b4, 40b0... so 40b4 is this, 99 82 onwards, so let's grab this, paste that in there, hopefully it's not going to mind spaces. Grab this as well; 44, OK, that's too many, let's go back. So we've got 32; all right, looking good. Let's get the IV as well. The IV then is... go back to our encrypt here, this is value 2 plus 40, so it's 4148, it's beginning with 6b; 4148, beginning with 6b, so right here. Take a copy of that, paste that in there, do the same again, oh, there we go. All right, so we got back our flag; it was hack the box, hard coding keys, rookie mistake.

The next challenge is called Meet Me Halfway. It's a crypto challenge, and the description says: evil elves have deployed their own cryptographic service. The keys are unknown to everyone but them. Fortunately, their encryption algorithm is vulnerable. Can you help Santa break the encryption and read their secret message? So we've got a service to connect to this time; we've also got a downloadable script. I've just modified the script slightly, just to include some comments, but I haven't changed anything else in it. So let's trace this from the beginning, where the challenge is called here. It's going to generate two keys, key1 and key2, and if we have a look at the generate key function, it's using an alphabet of 16 bytes, so a hex range here; these are the characters it's using. It's got a const variable here which is set up as a 12-byte password, and then it's basically going to loop through here, so it's saying for i in range of 16 minus the length of const, which is 12, so it's looping through four times, and each time it's selecting a random character out of these 16 possible characters. It's then going to return the key plus the
const, or the const plus the key, depending which key it is. As we can see here, it passes a 1 the second time; it doesn't pass any parameters the first time, so it's just going to use 0 as the option. So essentially we've got two keys: one is going to be this const followed by four characters selected from here, and the other is going to be four characters selected from here and then the const, which means we've only got a range of 32 bits which are actually random for each of the two keys. It's then going to perform an encryption; it's actually encrypting the flag. You can see we've got a dummy flag here, so it's encrypting that, and it's going to print that out to us, so we know what the encrypted flag is. And then it's going to take some input from us; it takes it in JSON format and the dictionary key is "pt" for plaintext, and then we paste in the value, which is in hex as well, which it converts from hex. So we supply that, and it's going to encrypt our plaintext with those same two keys that it's encrypted the flag with, and then it's going to print the result back to us. In terms of the actual encryption here, if we have a look at the function, it's simply doing two rounds of AES: it's going to create this AES cipher with key1 and it's going to encrypt our data, making sure it's padded to 16 bytes; it's then going to create this cipher with key2, and then it's going to encrypt our data again, the one that's already been encrypted with key1, it's going to encrypt it with key2. You can see I put a comment here with the address of a meet-in-the-middle attack, so that's the vulnerability we're going to be looking at here. But if you weren't too sure what to look for, let's go and just search for "two round AES". We'll see very quickly there's a link here where somebody asks, is there any issue doing two rounds of AES-128, and somebody has responded here saying double encryption with AES-128 with two different keys does not give 256-bit security; in particular, the classic meet-in-the-middle
attack applies with the expected 2^128 encryptions and 2^127 decryptions. As is, the attack requires ridiculously large amounts of memory, but improvements using blah blah blah can improve its speed, basically. So we can go and have a look at this on Wikipedia; if you're interested in all this maths and stuff, you can go and have a look through some examples. There are some good videos and stuff out there as well. But what I did here, once you know what the attack type is, we can go and search something like "meet in the middle CTF writeup" and find some similar challenges. So I went and had a look through a couple of similar ones; in fact, this Bandits one is the one that helped me the most. But what I'm going to do is open up the writeup that I went to, because it had quite a lot of good background on this. So if we just scroll down a little bit, similar sort of code: it's got two rounds of AES, and their key generation is kind of similar as well; it's basically using a small range of random bytes. I'm not able to use the exact same script, but we will be able to go and modify this a little bit. We have a little bit of an explanation here, just explaining what we just read, that using two rounds of encryption doesn't double the security, and then in terms of the attack that we're going to be using, this meet-in-the-middle attack attempts to find keys by using both the range of the ciphertext and the domain of the plaintext of the composition of several functions or block ciphers, such that the forward mapping through the first function is the same as the backward mapping (inverse image) through the last function, quite literally meeting in the middle of the composed function. So in simple terms, we need to encrypt the plaintext with all possible keys, obtaining a set of ciphertexts; let's call that CS. We now start from the ciphertext and try to decrypt it by brute forcing all possible keys until we find a decrypted ciphertext that is in the CS set. Once we've found a
match we can stop brute forcing, since we've already got our two keys. And it's just saying here, brute forcing takes time? No, remember the poor choice of keys. So in terms of the range of characters that we have available here, essentially we can go and brute force through this character range: we've got four possible bytes for key1 and then four possible bytes for key2, and they put together a script to do this. I basically took this script and went and adapted it a little bit, so let's go and take a look at the script that I put together. We've defined some of the same values here: we've got our alphabet, we've got our const, I've put in some plaintext which we're going to encrypt, and this is the encrypted version. This is going to be different each time, so we need to go and run the program again to get this output, and then this is the output of the encrypted flag as well. So we're basically going to use this plaintext (we know the plaintext because we're encrypting it, and we know the ciphertext because the program's returning it); we're going to use that to kind of brute force our way through those four possible bytes and identify what the key is, and once we've recovered the key, all we need to do is just decrypt the flag, which we know is encrypted with the same key that we encrypt our plaintext with. So we've got two loops here. We've created a ciphertext dictionary; we're going to loop through this product, which is basically just saying, for the alphabet we have here, create all possible permutations of four bytes of these, so that's just a quick way of doing that. I had some problems with this because I was actually using permutations before that, and permutations will only use one of each character, so for example a key like "ffee" wouldn't be possible; it would only use like "cdef", etc., only use each character once, which our program isn't doing. So that took me a little while to get fixed, but essentially then this is
for our key1, which is the const plus the four random characters. It's going to go through each possible four characters, it's going to append that to the const, it's going to create a key, and then it's going to encrypt our plaintext, and it's going to add the result to this ciphertext dictionary. So by the time this is finished, it's going to have looped through our plaintext here, it's going to have encrypted this with every possible variation of four of these alphabet characters, and it's going to put each of the ciphertexts into this dictionary as a key, with the value being the suffix, i.e. the four random bytes that it was encrypted with. And then we're going to do the same thing for the second key; obviously we do it the other way around, so we're using the prefix then const rather than const then suffix. We'll do the decryption in this case of our ciphertext, because we know we've got a ciphertext here as well, and we'll keep going through and see whether the decrypted ciphertext is in any of the ciphertexts we generated using those keys, which it will be, because we're covering all possible keys. And once we've found that, that means we've found both our key1 and key2, so we just say this is our winning suffix, these are the four bytes which were used to encrypt using key1, and these were the four bytes used to encrypt using key2, and then we can just go ahead and do the decryption on the flag using those keys. So let's test this out locally first. I'm going to run python challenge, and it gives us our encrypted fake flag. It asks us to encrypt some text; we need to enter this in as the JSON format, with "pt" like this as our key and then our ciphertext, sorry, our plaintext as the value. So I'm going to go here and say hex "cryptocat", get the hex values here, and we'll submit that as the plaintext. We send that off and we get back our ciphertext. So in our script we just update this and say that the ciphertext for "cryptocat" this time around was
this value here, and the flag which it gave us... oh no, sorry, the flag's up here, the flag was this one, so we paste that in as well. And now if we run our solve script, it's going to loop through; you can see that it's found the suffix and the prefix, the correct ones, and it's got back our dummy flag. That's it; we just need to do the same thing against the remote server. Let's take a copy of the server and port number, let's connect to it with netcat, and we need to... here's our flag anyway, so let's grab a copy of that first of all. That's our encrypted flag, and then we need to provide that hex value as well, so it is "pt", paste that in, and there we go, so there's our encrypted "cryptocat". We'll put that in as well, and let's try to run the solve script, and the script returned... there, we got back a YouTube link, which I didn't bother clicking, it's probably another Rickroll, and we got back our flag.

The next challenge is called Minimelfistic. It's a pwn challenge, and the description says: the elves finally understood what went wrong with their plans; they were too fancy and obvious, but this one is different. It's a security system, but the alarm rings whenever Santa's house is vulnerable to an attack. Will you manage to deactivate it? PS: sound on. So I've already got the file downloaded, and we've got the server up and running, so that once we've got things working locally we'll go and test it remotely. We've got a libc library again, like we did with yesterday's challenge, which is a bit of a hint that we're going to need libc, and we've also got the minimelfistic binary. So let's have a look at the binary protections and see what we've got this time. Notable things here: we've got Full RELRO, so we're not able to overwrite entries in the global offset table; we've got no stack canaries, so we don't need to worry about tripping those off if we're doing a buffer overflow; if we are doing a buffer overflow, we're not going to be able to inject shellcode onto the stack and expect it to be
executed and we've got no pi so the program address is going to be the same every time it loads so without the way let's make it executable and let's try and run it just to get an idea what the program does you can see it's repeating this message center is not home it asks us do you want to turn off the something or other let's say yes if your safety will not be deactivated then it goes back to the santa is not home says santa returned this time oh it said that last time as well so you had four times that santa is not home and this time we've got it three times so let's say no this time and pretty similar but it just came back with santa is not home we could try to see if we can do a buffer overflow here can we enter in some really long input and actually it didn't seem to do anything let's try with a longer input again and nothing so it doesn't seem to be a buffer overflow at this stage we're going to need to go and have a look at the code and work out where the vulnerability is so let's close this down and let's go and take a look at this in geardrop we'll go straight over to our main function here and see what's going on we've got some variables declared here plenty of variables on the stack we've got our setup which we don't need to worry about just setting up an alarm and stuff like that which you can patch out very easily in fact i don't think i've done that yet in this uh hack the box santa series so let me just show very quickly if we take a copy of this um template i have for patching binaries i'm going to copy that here i'm going to open it up and you can use this to very easily patch out alarms or in this case i think i have this set up to patch out p trace so p trace can stop you from using debuggers sometimes and you can basically just replace any calls to p trace with a return instructions so it's never called and in this case we could basically go and say uh what's the binary name so we can just grab the binary name enter in here say we want to get 
rid of the alarm which will basically set the program to exit like every two minutes or something like that and if we do python patch binary it produces this patched binary which will not have that alarm in it uh it's not really important for us here but i just thought it showed that very quickly if you ever come across that where you the alarms annoying you or you want to you need to patch something out to enable debugging or something like that it's very easy to do with phone tools uh you can do that with gear drawing even hex editor and stuff as well but okay that other way let's get back to the code so we'll go back to our main function here with the interest and stuff and we've got this local variable set to one at the beginning and it's saying while it doesn't equal zero keep going through this code and the code we've got here local 18 has been set to this dot data section variable this is just going to print out then the hello do you want to turn off the alarm and it's the sec alarm function which is basically this looks a bit complicated it's really not it's just setting up a random variable based on the time and it's going to loop through based on these random variables and print santa is not home until santa returns and then it's going to write that back out so not really too much of interest to us there was no input or anything for us to overflow the buffer so let's keep going through we've got this right i think this is again okay yeah so that's just writing out the the message to us and then we have these variables set up all set to zero and it's going to read in some data from us so here's a chance for us to actually overflow the buffer and you can see here 7f 0 that's reading in 2032 bytes and you can see here it's reading it into local 48 local 48 well we can see here on the stack we don't have too much here that we would need to overwrite before we would make it down to the return address so we can overwrite the instruction pointer so we should be 
able to overflow the buffer here and note that it says here if char local 48 equals nine it's gonna say goodbye santa it's gonna write that to the screen and then it's gonna set local c to zero i quite often like to go and rename some of these variables so that you can so that you know exactly what's happening so you could even rename some of these data sections and say that that is you know the prompt or something like that we could rename variables like this maybe set the loop counter to bi if that's what you used to see it in your code and you can keep working your way through and doing that i'll not do that here but um if you're dealing with particularly complex codes sometimes that can help so the issue is here all right we know there's a buffer overflow because there's not enough space on the stack for this 2032 bytes that's reading in from us but the problem is even if we overflow the buffer if we never make it down to the return it's not actually going to overwrite the rip so we need to make sure we exit this infinite loop and to exit that we need to supply a 9 as the local 48 variable then it's going to go through here it's going to set this to zero so the while loop ends and that way we'll get down to this return address why don't we go and just test it out in gdb and we can try and enter a cyclic pattern and just go and verify things that way 2032 bytes i'm gonna do three thousand although there's only like a few items on the stack anyway let's try and run it i hope we need to select it and then now we can run it we can we need to wait for it to ask us for an input we'll say nine and then we want to put in our cyclic pattern so the first character is going to be a nine which is going to make sure that we are going to exit the loop but then we also want to overflow the buffer as well we entered that in it said it's exited gone back to the return address which is good because it means it's overflowed the buffer and this time we have s-a-a-a here notice 
there's an a at the beginning that's just because we had a nine at the beginning of our cyclic pattern so we actually want to say let's do cyclic l look that up and it's actually 72 bytes so we want to write a 9 and then 71 bytes and then the address in the program that we want to return to so before we go and explore how we're going to put this payload together and we want to do something similar to the last challenge right the last challenge we looked at we were given a libsy library we wanted to leak one of those addresses and then we want to find our way back to the start of libsy so that we can then call system with the bin sh string in it so last time we did that we went and grabbed a script from my github which was called rockstar i'm going to go get that again the same one just to show that we can always kind of use these templates or quite often use these templates and change relatively little so let's go here pawn library rock star and i'm going to open this up in codium let me just grab the file name because i forget how to spell it i'm going to update this let's try and run through this quite quickly i'm going to get rid of this find instruction pointer offset this time i'm just going to type in 72 because we know it's 72 we just found it in gdb and if we don't really need to look in gdb if we go over to our stack here and have a look here so we've got all our items on the stack you can actually see the size of each item and then where it is on the stack so this is in hex but you see here minus 48 which is 72 in hex so 16 times 4 plus 8 is 72 and we can we can basically work out what we need to overwrite and our offsets and stuff just by looking at this but yeah we've got that 72 we've updated we haven't updated our binary name let's do that now and let's go and see what else we might want to change let's get that return address instruction going to do wrapper again just to look up the gadgets get the offset this time it's four zero zero six one six you 
can also because we're using drop objects in here you can actually use this and say rob dot gadgets and print them all out or you can use the find gadget search to actually search for gadget switch it's fine it basically just uses the same functionality the robot uses so and this time i'm going to build up the payload manually instead of just sending it here because we need to think a bit more about how we do our offsets here and what we send rather than just sending a cyclic pattern we need to send the nine to begin with so we can do this flat here again and instead of using a dictionary i'm going to use a list instead and instead of saying the offset was here we will say we're going to do a rock chain still but we're going to say send nine plus offset um no plus we'll do no operation instruction not nope not nope not times and then we want to do length of offset minus one because we're i think the offset is the offset of decimal let's see all right minus one and then the next element in our list is going to be the rock chain so yeah this is just another way to put these together let's see if that formats all right it does looks good uh we could also just say 71 here but yeah this is fine hopefully this will work for us it's going to do a nine it's going to do 71 no operation instructions and then it's going to call rock chain on whatever we supply here and again we're looking to do the same thing we're looking to leak an item from the global offset table and then we're going to find our way back to the libsy base address and then from there we're going to do another payload where we want to call system uh but let's go and have a look at some potential issues here because you can see we're calling rob.puts here but if we go back to our code you'll notice that it's been using rights and reads throughout this rather than puts so we can go and have a look at a global offset table and we'll find actually there is no puts here there's no puts and there's no printf 
which there are two pretty common functions that we would use to print out one of these addresses so we'd be looking to use then right instead you can see whenever we're writing stuff to the terminal here what it does is it loads the item it wants to write from the dot data section into local 18 in fact let me just update this let's say data and then this is the data length and so what it's doing here it's calling right and you can see the file descriptor is first which is going to specify one is going to specify that it's going to output to us in the terminal and then the data is second and then the which is the buff and then n is the length of the data so we can we can do something like this to leak out our global offset table address but we need to specify these three parameters the way that i did this was to simply try to update our drop object and say instead of wrapped up puts do rob dot right and we want to write out the right address and let's try and say the same thing so one is the file descriptor and the length is going to be eight bytes so let's do we want to get the first eight bytes and then as usual we'll go back to the main function so we can go and do this again and actually do our second payload uh we need to make sure we send this off as well let's just put in here payload and let's test this out i always like to comment out as much as possible so that we can just focus on whatever's at hand and not see a flood of errors and stuff like that so we'll send that out we'll go into i o interactive and see what's happening let's try and run python rockstar we run through that and we've got an error okay it has no okay yes so just some minor syntax error there let's go and do oh okay so offset is already in so i'm just to do times offset minus one we run through that again and we can't concatenate bytes and strings okay so let me just change this to a byte we run that again and we've got another error but this one's actually this is a different one so 
this is saying could not satisfy set registers rdi 1 rsi this is the global offset table address for the right and rdx8 and the problem is this rdx8 we could go and have a look with ropper and you can do ropper file we can search for oh we can search for pop or we can search for move we can do different things like that but basically there's no way if there was a way for it to satisfy this condition it would have found it and there isn't so we could go and we could try to remove that and run it again just without the size and that works it was able oh payload is not defined okay so this should work but it's not going to leak us the address and the reason for that is essentially that we've not provided a length so we're saying we want you to write zero bytes from of the global offset table right address to this file descriptor one now admittedly this took me quite a while to work out how to solve this but if we go back to our code we have this banner function which we're used to seeing in all these challenges and i normally ignore it because it's normally just printing out the banner and doing nothing else but in this case we right click it and go to show references to will find that it's never actually called so it never actually prints the banner so if we have a look at the banner here we'll see all it's doing is it gets the string length of this variable here in the data section it gets sets that to n and then it's gonna call right to with the file descriptor once it's right into the terminal the banner uh but it's never actually called so let's go and try it out instead of doing rob dot main let's do rop dot banner we'll run it again and this time it printed the banner okay debug mode on it looks a bit hard to read but you can see this banner here it's basically a lock inside like a heart or a balloon or something and this is something that we can use so we're not able to set the rax to the length that we want so that we can recall the right operation but if we 
can call this banner function let's have a look here this is gonna this is gonna set the rax to the length of this dot data section it's then going to call right and then return so if we were to call our write immediately after that the rax will still have this length parameter in it so the only things we'll need to fill will be the one and then the address of the global offset table function which we're able to do in our script as you can see okay so just to reiterate that we're gonna call the banner first and then we're going to call rob.right so once it's finished running the banner it's still going to have the length in this parameter here still going to have the rax populated with the length of the banner so we don't need to worry about not being able to fulfill that condition so we'll just call right immediately after with our parameter and it'll try to obviously ideally we'd only want to do 0x8 bytes in this case it's going to print out the full length of the banner whatever that is you know something like that probably 256. 
so we're going to need to receive a lot of these lines before it actually receives our payload here let's just demonstrate that as well we also need to go back to main because if we don't it's just going to close the program so let's try that out runs through and there we go so it's printed out the banner first of all and then right after it's printed out the global offset table address for right and then it's printed out all this other stuff that we don't need because we asked it to print out that much data so a couple of things to mention we are going to need to update the rest of this section here so a section here was currently subtracting the puts address from the got put so we just need to update this and say actually the address we were leaking this time is right but it could be very easily read or something else as long as you're updated the offsets here that should be fine and we need to receive all these lines we'd also want to remove that debug situation there so that we can just see a bit clearer what's going on i already went through and did this i'm just going to copy over my script rather than typing it all out on screen and let me just go through what i've changed here then which really isn't too much we've got uh we call banner we're going to call right we're going to call main it's going to overflow the buffer and call these three in order and then we're going to receive 41 lines which is how many lines that banner is the next thing we're going to receive is going to be the global offset table address for the write function we're going to use that to find our way back to the base of the lib c binary and we're updating our lib c library here so that it knows how to find its way to other functions automatically and that means we can just use this rob object again on the lib c library so i've changed very very little from the last challenge that we did realistically you're talking about maybe six seven lines that you know we need to change this we've 
changed the payload format slightly but really haven't changed too much there and then down here we're just duplicating exactly what we did up here but we're leaving all this sort of stuff the same if we run this just testing it locally first of all with a local libc library i've got this set to info which is why you're seeing very little output you see it's leaked the global offset table right address it's found its way back to the base address and then it calls system we're now logged in with a shell this is just on the local system so if you want to test this out remotely we can go and grab the server address and port number and we can simply add remotes paste that in afterwards and the only thing we need to change in the code is to set it to use the libsy library we downloaded because that's the same one the server is running you could actually update the start function here just to easily swap between the libc libraries as well but i'm not going to bother with that let's try and run it when you run through that we've got no ender files so that's a good sign we can try and run who am i we'll see that with ctf we can try to cut flag.txt and we've got back our flag so yeah this challenge a bit of a step up it did take me a while to solve because our you know you kind of maybe maybe this was maybe there was multiple ways to solve this um or maybe maybe that was the intended solution we'll see one other thing that i forgot to mention that i did mention in a previous video but with these rock chains if you're using the wrap objects you can just go and print out we can do pretty print rob dot dom and i think we did that with the previous example but let's just actually have a look at this payload because this one's slightly more complex let's try and run that this is just on a local server so you can see that whenever we dump that out it's actually dumped out the full chain and just to talk through that a little bit then you can put this together very easily manually 
so we're calling banner and then we're gonna call pop rdi so the next value is gonna be popped into the rdi the value is one which is the file descriptor that we want to write out to that's right here and then the next thing is the global offset table right address but essentially it couldn't find a pop rsi gadget to just pop this into the rsi the only gadget available was pop rsi pop r15 so it's selected that one and then it's just put in the global offset table right address into the rsi and then padded out the r15 with garbage basically it's then going to call right which is first gonna look into the rdi and see what's the file descriptor i.e where do we want to write it out to and then it's going to look in the rsi and see what we want to write out and then it's going to look into the rdx and see how much do we want to write and that was the reason we had to go through that banner to make sure that the rdx was populated with the string length of this dot data section where the banner is in order to actually make sure it's printed screen otherwise it would just try to read zero bytes we i say right zero bytes out so yeah you could put this together manually and you could you know if you go through ropper and do i really recommend if you if you want to learn more about doing these rock chains if you go back through the rope emporium series that i did well try to go through it yourself and then check out the videos afterwards if you get stuck or if you want to see how i solved them but they really kind of show you the approach of looking for rop gadgets and what orders kind of trace them from how you want to build them up in this case if we said we know we want to find pop rdi because we want to search we don't want to find a pop rdi because we need to make sure the file descriptor is in the rdi register we also know we want to find an rsi because we want to make sure the data is in rsi and we would find there's only one gadget available which is this pop rsi pop 
r15 and that's why it's padded out the r15 with these values so we could have very easily built this up manually the main reason i didn't really was just to save time and to show that you can if you have a script put together for solving these challenges you can go through and change relatively little and still accomplish the same goals but yeah if you want to see how to do things manually and i recommend that's a great way to learn definitely go and check out the rope emporium series that i put together okay so that's gonna wrap it up for day four of these challenges you can see that day five has actually started now but day five only has uh six hours instead of 24 hours to do the challenges and the difficulties stepped up quite a bit let's see what the solve's looking like at the moment we've got two on forensics we've got 14 on reversing 21 and crypto 13 on music notes and 54 are naughty or nice all right well i'm gonna have a look through these anyway it's a couple of hours left i'm not sure if i'll get a video done for day five maybe let's see how many challenges i get done and how much time i have during the week but if not remember that there will be a live stream on december the 14th with some different content creators going through some of these challenges so hopefully they'll go through some of the harder challenges from day five if i if i don't get a video done for them but yeah i hope you've enjoyed the video any questions or comments leave them down below thanks
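The meet-in-the-middle search the crypto challenge walkthrough describes, as an added example rather than the author's solve script. The challenge's own cipher is not shown in the transcript, so a constructed stand-in (XOR with a SHA-256 keystream) plays the role of the encrypt/decrypt pair; the shared constant and the alphabet of the unknown characters are assumptions. The attack itself only relies on each key having just four unknown characters, so the cost is two tables of 26^4 entries instead of one search over 26^8 key pairs.

```python
"""Meet-in-the-middle against double encryption with partially known keys.

Added example, not the challenge's code. Key 1 = CONST + 4 unknown chars,
key 2 = 4 unknown chars + CONST, and ciphertext = E_k2(E_k1(plaintext)).
"""
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase  # assumption: unknown characters come from here
CONST = "SantaKey2021"             # constructed: the known part shared by both keys
UNKNOWN_LEN = 4                    # from the walkthrough: four random characters per key


def keystream(key: bytes, length: int) -> bytes:
    """Constructed stand-in cipher: SHA-256 counter-mode keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt  # an XOR stream cipher is its own inverse


def double_encrypt(suffix: str, prefix: str, data: bytes) -> bytes:
    """What the challenge server does: encrypt with key 1, then with key 2."""
    k1 = (CONST + suffix).encode()
    k2 = (prefix + CONST).encode()
    return encrypt(k2, encrypt(k1, data))


def meet_in_the_middle(plaintext: bytes, ciphertext: bytes, alphabet: str = ALPHABET):
    """Recover (suffix, prefix) from one known plaintext/ciphertext pair.

    Forward table: E_k1(plaintext) -> suffix for every candidate suffix.
    Backward search: D_k2(ciphertext) for every candidate prefix; a value that
    appears in the table is the "middle" value, giving both unknown halves.
    """
    table = {}
    for chars in itertools.product(alphabet, repeat=UNKNOWN_LEN):
        suffix = "".join(chars)
        table[encrypt((CONST + suffix).encode(), plaintext)] = suffix

    for chars in itertools.product(alphabet, repeat=UNKNOWN_LEN):
        prefix = "".join(chars)
        middle = decrypt((prefix + CONST).encode(), ciphertext)
        if middle in table:
            return table[middle], prefix
    return None  # no key pair from this alphabet explains the pair


def recover_flag(suffix: str, prefix: str, enc_flag: bytes) -> bytes:
    """Undo the double encryption with the recovered keys (key 2 first)."""
    k1 = (CONST + suffix).encode()
    k2 = (prefix + CONST).encode()
    return decrypt(k1, decrypt(k2, enc_flag))


if __name__ == "__main__":
    # Constructed secrets standing in for the server's random characters.
    secret_suffix, secret_prefix = "wxyz", "abcd"
    known_pt = b"cryptocat"                       # the plaintext the walkthrough submits
    known_ct = double_encrypt(secret_suffix, secret_prefix, known_pt)
    enc_flag = double_encrypt(secret_suffix, secret_prefix, b"HTB{constructed_flag}")

    found = meet_in_the_middle(known_pt, known_ct)
    print("recovered suffix/prefix:", found)
    if found:
        print("flag:", recover_flag(*found, enc_flag).decode())
```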
Info
Channel: CryptoCat
Views: 994
Keywords: Cyber Santa, HackTheBox, Hack The Box, HTB, Capture The Flag, CTF, base64, phishing, deobfuscation, maldoc, MITM, cryptanalysis, APT, buffer overflow, AES, malware, directory traversal, ROP, lib-c, binary exploitation, pwn, exploit, pwntools, pwndbg, GDB, checksec, canary, PIE, GOT, libc, python, strace, ltrace, debugging, static analyis, dynamic analysis, offsec, radare, r2, crypto, reversing, forensics, DFIR, ethical hacking, web exploit, pentesting, pen-test, bug bounty, writeup, cyberchef, GCHQ, NSA, IDA, xmas, cybersanta
Id: JJD45W-C9mQ
Length: 61min 45sec (3705 seconds)
Published: Wed Dec 08 2021