Home 0P3N Blog CTF Insomnihacking Teaser 2017 Challenge Write-up
Ready to Start Your Career?
Create Free Account
By: Motasem
February 7, 2017

CTF Insomnihacking Teaser 2017 Challenge Write-up

By: Motasem
February 7, 2017
By: Motasem
February 7, 2017
This challenge requires skills both in exploit development, reverse engineering and writing scripts using python. In this challenge we got a file named“baby-6971f0aeb454444a72cb5b7ac92524cd945812c2.tgz”After extracting this file we’ll be presented with two files; “baby” and “libc.so”. Our targeted file that we’re required to exploit is “baby”. As we get used to doing when analyzing and reversing binaries and files especially in the Linux environment of both 32 and 64 bit, we would like to get some information about the file.img-1As shown in the picture we got a DLL file which needs to be checked against the enabled security measures. We will use a tool called “checksec.sh” developed by “ slimm609”.img-2As we see above, we have PIE and NX enabled and that means that we cannot overwrite EIP using stack overflow simply because this file has ASLR and DEP enabled thus randomizing EIP each time. So we should leak some pointers and addresses by checking if there is a probability of “format string” vulnerability in place then we will leverage that to take advantage of libc base address and use that information to construct or ROP chain to bypass DEP and ASLR in order to drop our shell and pwn the system. First, let me show some approach on how to search for ROP gadgets and get them. If you have an executable file then use immunity debugger and use “mona” plugin developed by “corelanc”.Use the following command in immunity debugger to get ROP Gadgets in separated “rop.txt” file!mona modules!mona ropfunc -m some.dll -cpb '\x00\x09\x0a'Now “some.dll”  in the command is a DLL which has non-rebase, non-ASLR and no bad characters to make sure that the generated ROP chains are proper and effective to conduct the attack.Now, in our case, we can use edb-debugger with ROP plugin to get’em. Basically, ROP chains end with “RET”img-3 img-4Now the interesting part which is the python scriptimg-5Now let’s execute our pwn.py python script to see if we get the shellimg-6...and voila, we got it.
Request Demo

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry