INTRO 

A few days back, the Hacktivitycon CTF was hosted by HackerOne. It is not live right now, but I joined it and did some challenges. The challenges were quite hard to finish. If I remember correctly, there was one web challenge that was especially hard to finish; no doubt, it was powered by HackerOne, but by finishing it one could easily get the highest points. There were binary exploitation, web, steganography, warm-up, forensics and other challenges.

Today we are going to do a binary exploitation challenge. As I said, the challenges are not live now. I have already downloaded the required file, but we will not be able to run it against the challenge host; we will do it on our local system instead.

I think this challenge was easy and fun, and I wanted to share it with you. Before reading further, you should know that binary exploitation requires some basics of assembly language and of the language the program was written in. If you don’t know these, you may not be able to follow this article.

Remember that I am using Kali Linux, because it has all the tools required for binary exploitation. If you are using some other Linux distribution, you will need to install all the tools that we are going to use on this binary.

ATTACK

First of all, if you want to download the binary, you can download it from here.

Check the binary with the file command. Type this command:

file pancakes

Screenshot:

The result is pretty obvious: it is a 64-bit, dynamically linked ELF binary, so we will be working with 64-bit registers.

Now we will check this binary with the checksec tool.

The output shows that the NX bit is enabled but there is no stack canary. NX means that code placed on the stack would not execute, and the missing canary means an overflow can reach the saved return address without being detected, so the plan will be to return into code that already exists in the binary.

Let’s enumerate more with some other tools. Now we are going to use objdump to disassemble all functions of this binary. Type this command:

objdump -d -M intel pancakes

The result is too big to show here, but if you try it yourself you will find a function called secret_recpie. Let’s keep in mind that the binary has this function.

Screenshot:

I think it’s time to open this binary in a debugger. Let’s open it in GDB. Type this command:

gdb -q pancakes

I am using gef with my GDB, so my output might differ from yours. Disassemble the main function in GDB by typing:

disassemble main

Screenshot:

Look at the highlighted text where main calls the gets function. gets reads a line into a buffer with no length limit, so this is a classic buffer overflow vulnerability.
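To show the defect main contains next to its fix, here is an added C example; it is not code from the challenge binary or from the write-up, and the 152-byte buffer size and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the write-up measured 152 bytes from the input buffer to
 * the saved RIP; the real frame layout of pancakes is not reproduced. */
#define ORDER_LEN 152

/* What gets() does: copy up to the newline with no bound. Bytes past
 * ORDER_LEN overwrite the rest of the frame, byte 152 the saved RIP. */
void read_order_unsafe(FILE *in, char *order)
{
    int c; size_t i = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        order[i++] = (char)c;      /* no check against the buffer size */
    order[i] = '\0';
}

/* Hardened form: fgets() stops at bufsz-1 bytes. Returns 1 if the whole
 * line fit, 0 if truncated (tail drained so the next read starts clean), -1 on EOF. */
int read_order_safe(FILE *in, char *order, size_t bufsz)
{
    if (fgets(order, (int)bufsz, in) == NULL)
        return -1;
    size_t n = strlen(order);
    if (n > 0 && order[n - 1] == '\n') {
        order[n - 1] = '\0';
        return 1;
    }
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                          /* discard the overlong tail */
    return 0;
}

/* Drive read_order_safe with a constructed line of `len` copies of `fill`
 * plus '\n' (like the write-up's python print "A"*200). tmpfile() keeps
 * the input off disk. Returns the reader's rc; *stored = bytes kept. */
int run_case(char fill, size_t len, size_t bufsz, size_t *stored)
{
    char order[ORDER_LEN] = "";
    FILE *f = tmpfile();
    if (!f || bufsz > sizeof order) return -2;
    for (size_t i = 0; i < len; i++) fputc(fill, f);
    fputc('\n', f);
    rewind(f);
    int rc = read_order_safe(f, order, bufsz);
    fclose(f);
    *stored = strlen(order);
    return rc;
}
```

With a 152-byte buffer the 200-byte crash input from the write-up is cut at 151 bytes and reported as truncated, while a 150-byte line still fits whole.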

Now we need to run the program and give it a very long input to see whether it crashes. Type this command:

python -c 'print "A"*200' | ./pancakes

Screenshot:

And that is what we call a buffer overflow. After looking further in GDB we saw that the binary never calls the secret_recpie function, so we took a closer look at it.

Screenshot:

We can see it is reading something from a file. fopen requires a file name, and the arguments being moved into the rsi and rdi registers include its address, so let’s look for the string at that address.

Screenshot:

And we have the file name flag.txt. This means we can get the flag by running this function. But first we need to find the padding needed to overwrite the saved RIP. I know two simple methods for that.

Let’s do it with both. The first method is to create a cyclic string. Type this command:

msf-pattern_create -l 200

Screenshot:

Copy the string and paste it when the binary asks for input.

Now type this command to see the overwritten rip register:

dmesg

Screenshot:

Copy the IP value and use it with the msf-pattern_offset command.

msf-pattern_offset -q 0x40098a

Screenshot:

So it couldn’t find the offset. That is expected: 0x40098a is an address inside the binary (right before secret_recpie at 0x40098b), not bytes from our pattern. On x86-64 a ret to a non-canonical address such as eight pattern bytes faults at the ret instruction itself, so dmesg reports that instruction’s address rather than the value we overwrote. Let’s move on to the manual method. Open the binary in GDB again and set a breakpoint just before the return instruction of the main function.

Now run it, input a string of normal length, and wait until it stops at the breakpoint.

Screenshot:

Now we need to subtract two stack addresses: the first is the location of the saved RIP and the second is the address of our input string. We can see the saved RIP with the i frame command in GDB.

Screenshot:

To perform such arithmetic we use the print command in GDB. Type this command:

print 0x7fffffffdfd8 - 0x00007fffffffdf40

Screenshot:

So we have the hex value 0x98, which is 152 in decimal. Now we will create a 152-character string and append the address of the secret_recpie function. You can find the address of secret_recpie with objdump too:

objdump -t pancakes | grep secret

Screenshot:

We are running it on our local system, so flag.txt isn’t present there. We can create flag.txt in the same directory as the pancakes binary. Type this command to overwrite the saved RIP with the address of the secret_recpie function:

python -c 'import pwn; print "A"*152+pwn.p64(0x000000000040098b)' | ./pancakes

Screenshot:

And that’s it: we have the flag.

Thanks For Visiting.
