This shows you the differences between two versions of the page.
cns:labs:lab-02 [2020/10/19 15:44] dennis.plosceanu [8. Extra: FixME] |
cns:labs:lab-02 [2022/10/17 19:18] (current) mihai.dumitru2201 [2. Shellcode] |
Line 780: | Line 780: | ||
All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | ||
+ | |||
+ | Submit your flags to [[https://cns-lab-ctf21.cyberedu.ro/|the CNS CyberEDU Platform]]. | ||
===== 1. Position independent executables ==== | ===== 1. Position independent executables ==== | ||
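Review bot: the flag-submission link added in the second inserted line hard-codes a year-specific host (cns-lab-ctf21.cyberedu.ro) although this revision is dated 2022/10/17, so the link will need re-editing every year; suggest linking to a generic platform entry page or keeping the per-year URL in one place, and adding a short sentence on what the flags are and where in the tasks they come from, since nothing else in this diff mentions flags.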
Line 862: | Line 864: | ||
- How do we actually use the data from this .o file? What symbols are exported? | - How do we actually use the data from this .o file? What symbols are exported? | ||
* <code> | * <code> | ||
- | $ readelf -s ./mycode.bin.o | + | $ nm ./mycode.bin.o |
0000000000000035 D _binary___mycode_bin_end | 0000000000000035 D _binary___mycode_bin_end | ||
0000000000000035 A _binary___mycode_bin_size | 0000000000000035 A _binary___mycode_bin_size | ||
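Review bot: the switch from `readelf -s` to `nm` on the changed line is correct, because the listing that follows (`0000000000000035 D _binary___mycode_bin_end`, `0000000000000035 A _binary___mycode_bin_size`) is in nm's address/type/name format, not readelf's tabular symbol-table output, so the old command did not match its own shown output. Since the question asks which symbols are exported, the answer would benefit from one line explaining the type letters shown: `D` marks a symbol in the initialized data section, `A` an absolute value, which is why `_size` carries the byte count (0x35) as its value rather than an address.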
Line 881: | Line 883: | ||
- The stack is still executable, remove this flag! | - The stack is still executable, remove this flag! | ||
* ''execstack -c ./my'' | * ''execstack -c ./my'' | ||
+ | |||
+ | <note> | ||
+ | If you're missing the ''execstack'' binary on the Kali VM (or on any Debian-based distribution), manually download and install it: | ||
+ | |||
+ | <code> | ||
+ | # curl -LO http://ftp.de.debian.org/debian/pool/main/p/prelink/execstack_0.0.20131005-1+b10_amd64.deb | ||
+ | # dpkg -i execstack_0.0.20131005-1+b10_amd64.deb | ||
+ | </code> | ||
+ | |||
+ | If installation freezes, cancel it then try again. | ||
+ | |||
+ | </note> | ||
+ | |||
- Why does ''execstack -c ./*.o'' throw an error? | - Why does ''execstack -c ./*.o'' throw an error? | ||
* ''execstack'' has to have information about the segments, information which is only available after the linking process | * ''execstack'' has to have information about the segments, information which is only available after the linking process | ||
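Review bot: the added install note fetches one pinned build (execstack_0.0.20131005-1+b10_amd64.deb) from a single mirror's pool directory over plain HTTP and installs it with `dpkg -i` as root, with no checksum or signature check. Pool paths disappear whenever the package is rebuilt or removed, so the link will rot, and the `_amd64` file only fits 64-bit installs even though the note says "any Debian-based distribution". Suggest pointing readers at the package's page or a snapshot.debian.org URL instead of a pool path, using an https mirror, and telling them to compare the SHA256 against the package index before running `dpkg -i`; "If installation freezes, cancel it then try again" should also say what actually hangs (the download or the dpkg step), otherwise it reads as guesswork.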
Line 905: | Line 920: | ||
* What other control-flow altering instructions are executed besides ''call'' and ''ret''? | * What other control-flow altering instructions are executed besides ''call'' and ''ret''? | ||
- | <note tip>Normally we use tools such as IDA or Radare2 to reverse engineer binaries. In this case however, we challenge you to use only your brain, a pen and a piece of paper. It's a bit tedious, but the end result should be fun.</note> | + | <note tip>Normally we use tools such as IDA, Ghidra or Radare2 to reverse engineer binaries. In this case however, we challenge you to use only your brain, a pen and a piece of paper. It's a bit tedious, but the end result should be fun.</note> |
<note important>You can dump data from within ''objdump'' using the ''-s'' flag. Use this to figure out what pointers to contents from ''.data'' are put into registers.</note> | <note important>You can dump data from within ''objdump'' using the ''-s'' flag. Use this to figure out what pointers to contents from ''.data'' are put into registers.</note> | ||
Line 1017: | Line 1032: | ||
==== 5. Memory Dump Analysis ==== | ==== 5. Memory Dump Analysis ==== | ||
- | Using your newfound voodoo skills you are now able to tackle the following task. In the middle of two programs I added the following lines: | + | Let's consider the way programs run. |
+ | Consider the length of addresses for a given system and note that: | ||
+ | * there is a 3GB / 1GB user-mode / kernel-mode split for an i386 system | ||
+ | * that split is not the case for a 32bit program running on 64bits, it uses the entire 4GB of required virtual page | ||
+ | |||
+ | In the middle of two programs I added the following lines: | ||
<code c> | <code c> | ||
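Review bot: the second added bullet is unclear: "it uses the entire 4GB of required virtual page" should say that a 32-bit process on a 64-bit kernel gets the full 4GB of user-mode virtual address space, because the kernel is mapped above the 32-bit range; and the first bullet should say that 3GB/1GB is the default user/kernel split for a 32-bit x86 kernel (it is a kernel build option, not a property of the processor). The two lead-in sentences "Let's consider the way programs run. Consider the length of addresses…" repeat "consider" back to back; merge them into one sentence, and "required virtual page" should read "virtual address space".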
Line 1085: | Line 1105: | ||
* Which of the values point to the library/mmap zone? | * Which of the values point to the library/mmap zone? | ||
- | ==== 6. Smash the Stack ==== | + | ==== 6. IO Netgarage ==== |
- | * Download level01 from Smash the stack and solve it using peda. Break on ''*main'', step through the execution and figure out what it does and how to crack it. | + | |
+ | Download `level01` from [[https://io.netgarage.org/|IO Netgarage]] and solve it using GDB / PEDA. Break on ''*main'', step through the execution and figure out what it does and how to crack it. | ||
+ | |||
+ | Use the command below to copy the ''level01'' executable locally. Use the ''.'' (dot) mark at the end of the command to refer to the current directory. Provide ''level1'' as the password. | ||
<code> | <code> | ||
- | $ scp level1@io.netgarage.org:/levels/level01 . # Password is level1 | + | $ scp level1@io.netgarage.org:/levels/level01 . |
</code> | </code> | ||
==== 7. GDB ==== | ==== 7. GDB ==== | ||
- | * Use GDB and PEDA to run the code provided from ''07-bash-login''. The executable gets input from the user and evaluates it against a static condition. If it succeeds it then calls a ''password_accepted'' function that prints out a success message and spawns a shell. Try to not use a decompiler. | + | |
+ | Use GDB and PEDA to run the code provided from ''07-bash-login/''. The executable gets input from the user and evaluates it against a static condition. If it succeeds it then calls a ''password_accepted'' function that prints out a success message and spawns a shell. Try to not use a decompiler. | ||
Your task is to use GDB and PEDA to force the executable to call the ''password_accepted'' function. | Your task is to use GDB and PEDA to force the executable to call the ''password_accepted'' function. | ||
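Review bot: the first added line of section 6 wraps level01 in Markdown backticks (`level01`) while the same sentence and the rest of the page use DokuWiki's ''level01'' monospace markup, so the backticks will render literally; change it to ''level01''. Moving the password out of the trailing shell comment into the prose ("Provide ''level1'' as the password") is fine, and the `scp` line now reads cleanly; the same hunk's edit of ''07-bash-login'' to ''07-bash-login/'' should also be applied consistently to the other directory references on the page so that directories and files are distinguishable.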
Line 1144: | Line 1168: | ||
* [[http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html | Smallest elf file]] | * [[http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html | Smallest elf file]] | ||
* [[https://code.google.com/p/corkami/wiki/ELF101 | Elf Header exploded view]], [[http://i.imgur.com/i6wlE5h.png | direct link (ARM)]], [[http://i.imgur.com/m6kL4Lv.png | direct link i386]] | * [[https://code.google.com/p/corkami/wiki/ELF101 | Elf Header exploded view]], [[http://i.imgur.com/i6wlE5h.png | direct link (ARM)]], [[http://i.imgur.com/m6kL4Lv.png | direct link i386]] | ||
- | * | ||