Differences
This shows you the differences between two versions of the page.
|
cns:labs:lab-02 [2020/10/26 13:16] razvan.deaconescu [3. stripped] |
cns:labs:lab-02 [2022/10/17 19:18] (current) mihai.dumitru2201 [2. Shellcode] |
||
|---|---|---|---|
| Line 780: | Line 780: | ||
| All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | ||
| + | |||
| + | Submit your flags to [[https://cns-lab-ctf21.cyberedu.ro/|the CNS CyberEDU Platform]]. | ||
| ===== 1. Position independent executables ==== | ===== 1. Position independent executables ==== | ||
| Line 862: | Line 864: | ||
| - How do we actually use the data from this .o file? What symbols are exported? | - How do we actually use the data from this .o file? What symbols are exported? | ||
| * <code> | * <code> | ||
| - | $ readelf -s ./mycode.bin.o | + | $ nm ./mycode.bin.o |
| 0000000000000035 D _binary___mycode_bin_end | 0000000000000035 D _binary___mycode_bin_end | ||
| 0000000000000035 A _binary___mycode_bin_size | 0000000000000035 A _binary___mycode_bin_size | ||
| Line 881: | Line 883: | ||
| - The stack is still executable, remove this flag! | - The stack is still executable, remove this flag! | ||
| * ''execstack -c ./my'' | * ''execstack -c ./my'' | ||
| + | |||
| + | <note> | ||
| + | If you're missing the ''execstack'' binary on the Kali VM (or on any Debian-based distribution), manually download and install it: | ||
| + | |||
| + | <code> | ||
| + | # curl -LO http://ftp.de.debian.org/debian/pool/main/p/prelink/execstack_0.0.20131005-1+b10_amd64.deb | ||
| + | # dpkg -i execstack_0.0.20131005-1+b10_amd64.deb | ||
| + | </code> | ||
| + | |||
| + | If installation freezes, cancel it then try again. | ||
| + | |||
| + | </note> | ||
| + | |||
| - Why does ''execstack -c ./*.o'' throw an error? | - Why does ''execstack -c ./*.o'' throw an error? | ||
| * ''execstack'' has to have information about the segments, information which is only available after the linking process | * ''execstack'' has to have information about the segments, information which is only available after the linking process | ||
| Line 1017: | Line 1032: | ||
| ==== 5. Memory Dump Analysis ==== | ==== 5. Memory Dump Analysis ==== | ||
| - | Using your newfound voodoo skills you are now able to tackle the following task. In the middle of two programs I added the following lines: | + | Let's consider the way programs run. |
| + | Consider the length of addresses for a given system and note that: | ||
| + | * there is a 3GB / 1GB user-mode / kernel-mode split for an i386 system | ||
| + | * that split is not the case for a 32bit program running on 64bits, it uses the entire 4GB of required virtual page | ||
| + | |||
| + | In the middle of two programs I added the following lines: | ||
| <code c> | <code c> | ||
| Line 1085: | Line 1105: | ||
| * Which of the values point to the library/mmap zone? | * Which of the values point to the library/mmap zone? | ||
| - | ==== 6. Smash the Stack ==== | + | ==== 6. IO Netgarage ==== |
| - | * Download level01 from Smash the stack and solve it using peda. Break on ''*main'', step through the execution and figure out what it does and how to crack it. | + | |
| + | Download `level01` from [[https://io.netgarage.org/|IO Netgarage]] and solve it using GDB / PEDA. Break on ''*main'', step through the execution and figure out what it does and how to crack it. | ||
| + | |||
| + | Use the command below to copy the ''level01'' executable locally. Use the ''.'' (dot) mark at the end of the command to refer to the current directory. Provide ''level1'' as the password. | ||
| <code> | <code> | ||
| - | $ scp level1@io.netgarage.org:/levels/level01 . # Password is level1 | + | $ scp level1@io.netgarage.org:/levels/level01 . |
| </code> | </code> | ||
| ==== 7. GDB ==== | ==== 7. GDB ==== | ||
| - | * Use GDB and PEDA to run the code provided from ''07-bash-login''. The executable gets input from the user and evaluates it against a static condition. If it succeeds it then calls a ''password_accepted'' function that prints out a success message and spawns a shell. Try to not use a decompiler. | + | |
| + | Use GDB and PEDA to run the code provided from ''07-bash-login/''. The executable gets input from the user and evaluates it against a static condition. If it succeeds it then calls a ''password_accepted'' function that prints out a success message and spawns a shell. Try to not use a decompiler. | ||
| Your task is to use GDB and PEDA to force the executable to call the ''password_accepted'' function. | Your task is to use GDB and PEDA to force the executable to call the ''password_accepted'' function. | ||
