Skip to main content

IceCTF 2018 – Cave [Binary Exploitation]

Binary Exploitation – 2. Cave
Author: 5k33tz, valrkey

Worth: $50
Description: You stumbled upon a cave! I've heard some caves hold secrets.. can you find the secrets hidden within its depths?
The start of the challenge establishes an SSH connection for you. The only directory you're presented with is a directory called "cave". CD'ing into the cave directory shows the following files:

The challenge is nice enough to leave the original source code used to compile the binary:

This appears to be a standard buffer-overflow question, but I notice that the shell function will need to be called separately.
Running the following command we can see the the shell() function is called at a static address (0x0804850b):
objdump -d ./shout | grep -A25 shell
0804850b <shell>:
 804850b: 55                    push   %ebp
 804850c: 89 e5                mov    %esp,%ebp
 804850e: 53                    push   %ebx
 804850f: 83 ec 14              sub    $0x14,%esp
 8048512: e8 29 ff ff ff        call   8048440 <__x86.get_pc_thunk.bx>
 8048517: 81 c3 e9 1a 00 00    add    $0x1ae9,%ebx
 804851d: e8 7e fe ff ff        call   80483a0 <getegid@plt>
 8048522: 89 45 f4              mov    %eax,-0xc(%ebp)
 8048525: 83 ec 04              sub    $0x4,%esp
 8048528: ff 75 f4              pushl  -0xc(%ebp)
 804852b: ff 75 f4              pushl  -0xc(%ebp)
 804852e: ff 75 f4              pushl  -0xc(%ebp)
 8048531: e8 ba fe ff ff        call   80483f0 <setresgid@plt>
 8048536: 83 c4 10              add    $0x10,%esp
 8048539: 83 ec 0c              sub    $0xc,%esp
 804853c: 8d 83 70 e6 ff ff    lea    -0x1990(%ebx),%eax
 8048542: 50                    push   %eax
 8048543: e8 88 fe ff ff        call   80483d0 <system@plt>
 8048548: 83 c4 10              add    $0x10,%esp
 804854b: 90                    nop
 804854c: 8b 5d fc              mov    -0x4(%ebp),%ebx
 804854f: c9                    leave  
 8048550: c3                    ret    


Next we validate that overloading the buffer will result in a seg fault:

Then we can place the location of the shell() function in hex, in little-endian. Creating the overflow condition, spawning our shell, then reading the flag:
Echo-ing out the string worked out fine in this case since we were overflowing a small buffer of 16 characters. For larger overflows, you may want to use Python for more powerful string formatting such as multiplication ("A"*28 becomes a string of 28 A's):

Flag = IceCTF{i_dont_think_cavemen_overflowed_buffers}

Comments

Post a Comment

Popular posts from this blog

Emotet Downloader Write-Up

This write-up is for a macro embedded doc used as a downloader for Emotet. Author: 5k33tz MD5: 43d2a3df73fdcb10b9429a480d96ddcf This sample first came to my attention by way of an alert for a download from an Emotet related URL. Looking at the PCAP I see a GET request to imdavidlee.com/9493MG/biz/US After grabbing the file from the source and hashing it, I realized there were already 21/44 detections on VT. So I wanted to do some manual analysis to strengthen my skills and see how this sample works. Running file against the sample: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Arorupyzheh-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Aug 25 00:31:00 2018, Last Saved Time/Date: Sat Aug 25 00:31:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0 We can see it's a Word Doc, but probably the
Post a Comment
Read more

IceCTF 2018 - Picasso [Forensics]

Forensics – 1. Picasso Author: 5ynax and Valrkey Worth:  $150 Description: The challenge involved a GIF that we needed to extract a message from. So, for this challenge, we had two ways that we solved it at almost the same time. We have the long (5ynax) way and we have the fast (valrkey) way. The Long Way In the long way, I decided to extract each frame of the automated GIF and then import them into GIMP to layer them on top of one another. I used an online tool to get all of the frames, there was a lot of them, I used https://ezgif.com/split. After I got the frames split up, I downloaded them and moved them to my box with GIMP ready for analysis. I later learned that I could have just imported the GIF into GIMP directly using the open as layers routine, but that's neither here nor there. For each layer there is an Alpha Channel. In GIMP under the colors menu, you can select the Color to Alpha Routine to get this box: This allows you to choose a color an
Post a Comment
Read more

IceCTF 2018 – Anticaptcha [Miscellaneous]

Miscellaneous – 2. Anticaptcha Author: valrkey Worth: $250 Description:  Wow, this is a big captcha. Who has enough time to solve this? Seems like a lot of effort to me! As you can tell by the tiny scroll bar, there were a large number of questions (609) to be answered. To make things more difficult, each time the question was visited, the order and numeric value would be randomized. The questions generally followed one of three formats: What is the # word in the following line: ...? Is # a prime number? What is the greatest common divisor of # and #? For each of these question formats, I wrote a PowerShell function to determine the answer. Word in Line This function takes in the INDEX of the word requested and the LINE to take the word from. I added a line word length check just in case the IceCTF staff are jerks and give a too-large index. Everything should be accounted for the after mapping the 1st word" to the 0th array index and getting rid of any
Post a Comment
Read more