CTF Insomnihacking Teaser 2017 Challenge Write-up

February 7, 2017 | Views: 5510


This challenge requires skills in exploit development, reverse engineering and writing Python scripts. In this challenge we got a file named

“baby-6971f0aeb454444a72cb5b7ac92524cd945812c2.tgz”

After extracting this archive we are presented with two files, “baby” and “libc.so”. The target we are required to exploit is “baby”. As usual when analyzing and reversing binaries, especially on Linux (32-bit or 64-bit), we first gather some information about the file.

img-1

As shown in the picture we got a DLL file, which needs to be checked against the enabled security measures. We will use a tool called “checksec.sh” developed by “slimm609”.

img-2

As we see above, we have PIE and NX enabled. That means we cannot simply overwrite EIP with a stack overflow and jump to our shellcode: with PIE the binary is loaded at a randomized base (ASLR), and NX (DEP) makes the stack non-executable. So we should first leak some pointers and addresses, by checking whether there is a “format string” vulnerability in place, then leverage that leak to recover the libc base address and use it to construct our ROP chain, bypassing DEP and ASLR in order to drop our shell and pwn the system. First, let me show one approach to searching for ROP gadgets. If you have a Windows executable, use Immunity Debugger with the “mona” plugin developed by “corelanc”.
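The two checksec results that drive the rest of this write-up, PIE and NX, can be read straight out of the ELF headers: PIE shows up as `e_type == ET_DYN`, and NX as a `PT_GNU_STACK` program header without the executable bit. The following added example (not part of the original write-up or of checksec.sh) implements that check for 32-bit and 64-bit little-endian ELF files and builds two constructed minimal images to exercise it; the builder functions and file name are assumptions for the demo.

```python
import struct
import sys

ET_DYN = 3                 # e_type of a shared object; a PIE executable is also ET_DYN
PT_GNU_STACK = 0x6474E551  # program header whose p_flags describe the stack mapping
PF_X = 0x1                 # "executable" bit in p_flags


def check_hardening(elf: bytes) -> dict:
    """Report PIE and NX for a raw little-endian ELF image (32- or 64-bit)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2  # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    fmt = "<HHIQQQIHHH" if is64 else "<HHIIIIIHHH"
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(fmt, elf, 16)
    # With no PT_GNU_STACK header the loader falls back to its default, which on
    # x86 has historically been an executable stack, so "absent" is treated as not NX.
    nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", elf, off)[0]
        # p_flags follows p_type in Elf64_Phdr but sits at offset 24 in Elf32_Phdr
        p_flags = struct.unpack_from("<I", elf, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx}


def build_elf64(e_type: int, stack_flags: int) -> bytes:
    """Construct a minimal ELF64 image with one PT_GNU_STACK header (test data only)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr


def build_elf32(e_type: int, stack_flags: int) -> bytes:
    """Same as build_elf64 for a 32-bit image; Elf32_Phdr stores p_flags next to last."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 0x03, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0x10)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python elf_hardening.py ./baby   (prints the same two facts checksec reported)
    with open(sys.argv[1], "rb") as f:
        print(check_hardening(f.read()))
```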

Use the following commands in Immunity Debugger to list the loaded modules and then write the ROP gadgets to a separate “rop.txt” file:

!mona modules
!mona rop -m some.dll -cpb '\x00\x09\x0a'

Here “some.dll” is a module that is neither rebased nor ASLR-enabled, and the -cpb option excludes the listed bad characters, so that the generated ROP chains are usable and effective for the attack.

In our case, on Linux, we can use edb-debugger with its ROP plugin to find them. Basically, ROP gadgets are short instruction sequences ending in “RET”.

img-3 img-4

Now the interesting part, which is the Python script:

img-5

Now let’s execute our pwn.py Python script to see if we get the shell.

img-6

…and voila, we got it.
