Tuesday, February 22, 2022

ELF x86 — Stack buffer overflow (basic) 1 CTF Writeup | PWN Challenge Documentation #1


This Capture the Flag challenge was taken from Root Me (http://root-me.org), a platform that offers hacking challenges on topics such as cryptanalysis, web exploitation, cracking, programming, and network and memory-dump forensics, among others, to improve hacking and computer security skills. This one was particularly interesting to learn from. As far as this documentation is concerned, it has a lot to do with binary exploitation, a subset of hacking and computer security that deals with exploiting vulnerabilities in binary executables. Part of the "App-System" category is the Stack buffer overflow basic 1 challenge, which is intended to teach the basics of binary exploitation. Starting the challenge, you notice that the source code is provided along with an SSH connection to a remote server where we can exploit the binary and grab the flag. First, we grab the source code and compile it into a binary we can analyze on our attacker machine to find the vulnerability and exploit it locally, so that we have a well-crafted exploit to finally run against the binary on the remote server and grab the flag.

Source Code Analysis


Looking at the source code, we see char buf[40], which declares a character buffer that can hold a maximum of 40 characters. The fgets() function reads the input into buf[40], but its second parameter, 45, sets the input limit at 45, leaving an extra 5 characters we can put in. This is what makes it interesting.

Continuing further, two if conditionals come into play. The first checks whether the variable "check" is equal to either 0x04030201 or 0xdeadbeef. If "check" equals neither, the program prints "You are on the right way" to the user (which of course is false encouragement lol).

The second if conditional gives us a straight path to what we need to do. The goal of every CTF is to overcome the challenge and capture the flag. Looking further into this conditional, the program tells me "I've won...Opening my shell...". That is exactly what we want: we want to exploit this binary to get a /bin/bash shell, capture the flag and complete the challenge. For that to happen, the variable "check" must equal 0xdeadbeef. From here onwards, we know exactly what we want to do.

We will use a buffer overflow attack on the program, specifically on the buf[40] character array, so we can write past it, place 0xdeadbeef into the variable "check" and get the flag. Cool.

Exploitation

Now that we have a pathway to exploitation, we first have to connect to the SSH server where this challenge is hosted.

SSH credentials: ssh -p 2222 app-systeme-ch13@challenge02.root-me.org:app-systeme-ch13



We finally log in to the SSH server. The information printed while logging onto the server is the output of checksec, a script used to check which security mechanisms are enabled in a given binary. The only protection enabled is NX (Non-eXecutable), a security mechanism that protects the stack in memory from shellcode: if any code is injected onto the stack, that code will not be executed.
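To see what checksec's NX verdict is actually based on, here is an added example (not the writeup's code and not checksec itself) that reads the ELF32 program headers and reports whether the PT_GNU_STACK segment carries the executable flag. The ELF image it inspects is constructed in memory, so it runs without the challenge binary; it handles 32-bit ELF only (the challenge is x86) and assumes the host's byte order matches the file's.

```c
/* Added example: a minimal checksec-style NX test for ELF32 images.
 * Scans the program headers for PT_GNU_STACK and reports whether that
 * segment has the PF_X (executable) flag. Not the writeup's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PT_GNU_STACK 0x6474e551u  /* p_type GNU toolchains use for stack permissions */
#define PF_X         0x1u         /* executable segment flag */

/* ELF32 layouts from the ELF specification, defined locally so this
 * compiles without <elf.h>. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf32Header;

typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
} Elf32ProgramHeader;

/* Returns 1 if the stack is executable, 0 if NX applies, -1 if the image is
 * malformed or not ELF32. A missing PT_GNU_STACK entry is reported as
 * executable, which is how checksec-style tools treat it on x86.
 * Simplification: fields are read in host byte order. */
int elf32_stack_executable(const unsigned char *img, size_t len)
{
    Elf32Header eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 1 /* ELFCLASS32 */)
        return -1;
    if (eh.e_phentsize < sizeof(Elf32ProgramHeader)) return -1;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (off + sizeof(Elf32ProgramHeader) > len) return -1;
        Elf32ProgramHeader ph;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? 1 : 0;
    }
    return 1;
}

/* Builds a constructed ELF32 image with a single PT_GNU_STACK header carrying
 * the given flags (constructed test data, not a real binary). Returns its size. */
size_t build_test_elf(unsigned char *out, size_t cap, uint32_t stack_flags)
{
    Elf32Header eh;
    Elf32ProgramHeader ph;
    size_t total = sizeof eh + sizeof ph;
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh);
    memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 1;            /* ELFCLASS32 */
    eh.e_ident[5] = 1;            /* ELFDATA2LSB, as on x86 */
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = stack_flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return total;
}

int main(void)
{
    unsigned char img[128];
    size_t n = build_test_elf(img, sizeof img, 0x6 /* RW  */);
    printf("RW stack  -> executable? %d\n", elf32_stack_executable(img, n));
    n = build_test_elf(img, sizeof img, 0x7 /* RWX */);
    printf("RWX stack -> executable? %d\n", elf32_stack_executable(img, n));
    return 0;
}
```

The RW case is what "NX enabled" means in the checksec banner: the segment describing the stack has read and write permission but not execute, so injected shellcode on the stack would never run.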


I have crafted the exploit. Python is lightweight for exploit development in CTFs, so I'll use it here. First we need to overflow the buf[40] character array, then afterwards we append 0xdeadbeef (represented in hex). The exploit pipes its input into the vulnerable binary and we get this... "Yeah dude, you win". This is what we want. Then we see the prompt hang, meaning that the /bin/bash shell has been opened for us to find the flag.
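As an added example (not the writeup's exploit and not the challenge's source), the following models the frame layout the source analysis above and this exploit rely on, with buf directly below check (an assumed layout; the compiler decides the real frame order). It replays the fgets(buf, 45, ...) read against the 44-byte input the writeup describes, places the hardened call fgets(buf, sizeof buf, ...) beside it, and makes explicit the detail the writeup glosses over: on x86 the constant 0xdeadbeef has to be written least-significant byte first.

```c
/* Added example: model of the stack frame behind the challenge and the
 * fgets() overrun, with the hardened read for comparison. Not the writeup's
 * code; the frame layout is an assumption made for illustration. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE    40
#define FGETS_LIMIT 45          /* size argument the challenge passes to fgets() */
#define INITIAL     0x04030201u
#define TARGET      0xdeadbeefu

/* Frame model: buf directly below check. after[] stands in for whatever
 * sits beyond check and absorbs the NUL terminator. */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t check;
    char     after[4];
};

/* Mirrors fgets(buf, limit, stdin) on an in-memory line: it stores at most
 * limit-1 input bytes, then a NUL. Bytes are written through a pointer to
 * the whole frame so the overrun past buf is visible rather than trapped.
 * Returns the value of check after the read. */
static uint32_t read_with_limit(const unsigned char *line, size_t len, size_t limit)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.check = INITIAL;
    unsigned char *p = (unsigned char *)&f;    /* byte view of the frame */
    size_t n = len < limit - 1 ? len : limit - 1;
    if (n + 1 > sizeof f) n = sizeof f - 1;    /* keep the model itself in bounds */
    memcpy(p, line, n);                        /* once n > BUF_SIZE this reaches check */
    p[n] = '\0';
    return f.check;
}

/* The challenge's call: fgets(buf, 45, stdin) -> up to 44 bytes into a 40-byte buf. */
uint32_t vulnerable_read(const unsigned char *line, size_t len)
{
    return read_with_limit(line, len, FGETS_LIMIT);
}

/* Hardened form: fgets(buf, sizeof buf, stdin) never writes past buf. */
uint32_t hardened_read(const unsigned char *line, size_t len)
{
    return read_with_limit(line, len, BUF_SIZE);
}

/* The input the writeup describes: 40 filler bytes, then 0xdeadbeef. On x86
 * (little-endian) the constant is laid out least-significant byte first.
 * Returns the input length (44). Constructed sample input. */
size_t build_input(unsigned char *out)
{
    memset(out, 'A', BUF_SIZE);
    out[BUF_SIZE + 0] = 0xef;
    out[BUF_SIZE + 1] = 0xbe;
    out[BUF_SIZE + 2] = 0xad;
    out[BUF_SIZE + 3] = 0xde;
    return BUF_SIZE + 4;
}

int main(void)
{
    unsigned char in[64];
    size_t len = build_input(in);
    printf("vulnerable: check = 0x%08x\n", vulnerable_read(in, len)); /* 0xdeadbeef on x86 */
    printf("hardened:   check = 0x%08x\n", hardened_read(in, len));   /* 0x04030201 */
    return vulnerable_read(in, len) == TARGET ? 0 : 1;
}
```

The hardened variant stops at 39 input bytes, so the same 44-byte line leaves check at 0x04030201; passing the buffer's own size to fgets() is the whole fix for this class of bug.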

Flag: 1w4ntm0r3pr0np1s
