Blog – Perseverance

ROP Emporium – Fluff

Published by Arvandy on March 19, 2019

Fluff 32 Bit Overall the objective still same as write4 but in this binary the ROP gadget in the binary is limited. We need to find the ROP chain to achieve the objective. First, let’s find the EIP offset using Radare2.


root@Perseverance:~/rop_emporium/fluff32# r2 -de dbg.profile=profile.rr2 fluff32
Process with PID 1818 started...
= attach 1818 1818
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
glibc.fc_offset = 0x00148
[0xf7f470b0]> dc
fluff by ROP Emporium
32bits

You know changing these strings means I have to rewrite my solutions...
> child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x41415041 code=1 ret=0
[0x41415041]> wopO `dr eip`
44

root@Perseverance:~/rop_emporium/fluff32# r2 -de dbg.profile=profile.rr2 fluff32

Process with PID 1818 started...

= attach 1818 1818

bin.baddr 0x08048000

Using 0x8048000

asm.bits 32

glibc.fc_offset = 0x00148

[0xf7f470b0]> dc

fluff by ROP Emporium

32bits

You know changing these strings means I have to rewrite my solutions...

> child stopped with signal 11

[+] SIGNAL 11 errno=0 addr=0x41415041 code=1 ret=0

[0x41415041]> wopO `dr eip`

EIP offset is 44. Find the writable memory section using readelf command.


root@Perseverance:~/rop_emporium/fluff32# readelf --sections fluff32
There are 31 section headers, starting at offset 0x1970:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        08048154 000154 000013 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            08048168 000168 000020 00   A  0   0  4
  [ 3] .note.gnu.build-i NOTE            08048188 000188 000024 00   A  0   0  4
  [ 4] .gnu.hash         GNU_HASH        080481ac 0001ac 000030 04   A  5   0  4
  [ 5] .dynsym           DYNSYM          080481dc 0001dc 0000d0 10   A  6   1  4
  [ 6] .dynstr           STRTAB          080482ac 0002ac 000081 00   A  0   0  1
  [ 7] .gnu.version      VERSYM          0804832e 00032e 00001a 02   A  5   0  2
  [ 8] .gnu.version_r    VERNEED         08048348 000348 000020 00   A  6   1  4
  [ 9] .rel.dyn          REL             08048368 000368 000020 08   A  5   0  4
  [10] .rel.plt          REL             08048388 000388 000038 08  AI  5  24  4
  [11] .init             PROGBITS        080483c0 0003c0 000023 00  AX  0   0  4
  [12] .plt              PROGBITS        080483f0 0003f0 000080 04  AX  0   0 16
  [13] .plt.got          PROGBITS        08048470 000470 000008 00  AX  0   0  8
  [14] .text             PROGBITS        08048480 000480 000282 00  AX  0   0 16
  [15] .fini             PROGBITS        08048704 000704 000014 00  AX  0   0  4
  [16] .rodata           PROGBITS        08048718 000718 000083 00   A  0   0  4
  [17] .eh_frame_hdr     PROGBITS        0804879c 00079c 00003c 00   A  0   0  4
  [18] .eh_frame         PROGBITS        080487d8 0007d8 00010c 00   A  0   0  4
  [19] .init_array       INIT_ARRAY      08049f08 000f08 000004 00  WA  0   0  4
  [20] .fini_array       FINI_ARRAY      08049f0c 000f0c 000004 00  WA  0   0  4
  [21] .jcr              PROGBITS        08049f10 000f10 000004 00  WA  0   0  4
  [22] .dynamic          DYNAMIC         08049f14 000f14 0000e8 08  WA  6   0  4
  [23] .got              PROGBITS        08049ffc 000ffc 000004 04  WA  0   0  4
  [24] .got.plt          PROGBITS        0804a000 001000 000028 04  WA  0   0  4
  [25] .data             PROGBITS        0804a028 001028 000008 00  WA  0   0  4
  [26] .bss              NOBITS          0804a040 001030 00002c 00  WA  0   0 32
  [27] .comment          PROGBITS        00000000 001030 000034 01  MS  0   0  1
  [28] .shstrtab         STRTAB          00000000 001865 00010a 00      0   0  1
  [29] .symtab           SYMTAB          00000000 001064 000510 10     30  50  4
  [30] .strtab           STRTAB          00000000 001574 0002f1 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)

root@Perseverance:~/rop_emporium/fluff32# readelf --sections fluff32

There are 31 section headers, starting at offset 0x1970:

Section Headers:

[Nr] Name Type Addr Off Size ES Flg Lk Inf Al

[ 0] NULL 00000000 000000 000000 00 0 0 0

[ 1] .interp PROGBITS 08048154 000154 000013 00 A 0 0 1

[ 2] .note.ABI-tag NOTE 08048168 000168 000020 00 A 0 0 4

[ 3] .note.gnu.build-i NOTE 08048188 000188 000024 00 A 0 0 4

[ 4] .gnu.hash GNU_HASH 080481ac 0001ac 000030 04 A 5 0 4

[ 5] .dynsym DYNSYM 080481dc 0001dc 0000d0 10 A 6 1 4

[ 6] .dynstr STRTAB 080482ac 0002ac 000081 00 A 0 0 1

[ 7] .gnu.version VERSYM 0804832e 00032e 00001a 02 A 5 0 2

[ 8] .gnu.version_r VERNEED 08048348 000348 000020 00 A 6 1 4

[ 9] .rel.dyn REL 08048368 000368 000020 08 A 5 0 4

[10] .rel.plt REL 08048388 000388 000038 08 AI 5 24 4

[11] .init PROGBITS 080483c0 0003c0 000023 00 AX 0 0 4

[12] .plt PROGBITS 080483f0 0003f0 000080 04 AX 0 0 16

[13] .plt.got PROGBITS 08048470 000470 000008 00 AX 0 0 8

[14] .text PROGBITS 08048480 000480 000282 00 AX 0 0 16

[15] .fini PROGBITS 08048704 000704 000014 00 AX 0 0 4

[16] .rodata PROGBITS 08048718 000718 000083 00 A 0 0 4

[17] .eh_frame_hdr PROGBITS 0804879c 00079c 00003c 00 A 0 0 4

[18] .eh_frame PROGBITS 080487d8 0007d8 00010c 00 A 0 0 4

[19] .init_array INIT_ARRAY 08049f08 000f08 000004 00 WA 0 0 4

[20] .fini_array FINI_ARRAY 08049f0c 000f0c 000004 00 WA 0 0 4

[21] .jcr PROGBITS 08049f10 000f10 000004 00 WA 0 0 4

[22] .dynamic DYNAMIC 08049f14 000f14 0000e8 08 WA 6 0 4

[23] .got PROGBITS 08049ffc 000ffc 000004 04 WA 0 0 4

[24] .got.plt PROGBITS 0804a000 001000 000028 04 WA 0 0 4

[25] .data PROGBITS 0804a028 001028 000008 00 WA 0 0 4

[26] .bss NOBITS 0804a040 001030 00002c 00 WA 0 0 32

[27] .comment PROGBITS 00000000 001030 000034 01 MS 0 0 1

[28] .shstrtab STRTAB 00000000 001865 00010a 00 0 0 1

[29] .symtab SYMTAB 00000000 001064 000510 10 30 50 4

[30] .strtab STRTAB 00000000 001574 0002f1 00 0 0 1

Key to Flags:

W (write), A (alloc), X (execute), M (merge), S (strings), I (info),

L (link order), O (extra OS processing required), G (group), T (TLS),

C (compressed), x (unknown), o (OS specific), E (exclude),

p (processor specific)

The .data section is writable. …

ROP Emporium – Badchars

Published by Arvandy on February 13, 2019

Badchars 32 Bit Overall the objective still same, write “/bin/sh” string into memory and then execute system command with “/bin/string” as the argument, but we need to handle the Badchars (Bad Characters) in this challenge. Badchars are any character(s) that can terminate our crafted payload, such as null character (“\x00”), carriage return (“\x0D”), newline (“\x0A”), etc. So we need to make …

ROP Emporium – Write4

Published by Arvandy on January 26, 2019

Write4 32 Bit In this challenge, there’s no more “/bin/cat flag.txt” string that can be used to get the flag. We can either try to write those string or “/bin/sh” string into memory to get a shell. The steps to achieve it are: 1. Find the writable memory section inside the binary. 2. Find the …

ROP Emporium – Callme

Published by Arvandy on January 22, 2019

Callme 32 Bit In this challenge, we need to execute callme_one(), callme_two() and callme_three() function sequentially in that order. Each function must contains arguments 1,2,3 e.g. callme_one(1,2,3) to get the flag. Let’s find the EIP offset using Radare2.


root@Perseverance:~/rop_emporium/callme32# r2 -de dbg.profile=profile.rr2 callme32 
Process with PID 4926 started...
= attach 4926 4926
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
glibc.fc_offset = 0x00148
[0xf7fa10b0]> dc
callme by ROP Emporium
32bits

Hope you read the instructions...
> child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x41415041 code=1 ret=0
[0x41415041]> wopO `dr eip`
44

root@Perseverance:~/rop_emporium/callme32# r2 -de dbg.profile=profile.rr2 callme32

Process with PID 4926 started...

= attach 4926 4926

bin.baddr 0x08048000

Using 0x8048000

asm.bits 32

glibc.fc_offset = 0x00148

[0xf7fa10b0]> dc

callme by ROP Emporium

32bits

Hope you read the instructions...

> child stopped with signal 11

[+] SIGNAL 11 errno=0 addr=0x41415041 code=1 ret=0

[0x41415041]> wopO `dr eip`

EIP offset is 44. Let’s find the callme_one, callme_two, and callme_three function address using objdump.


root@Perseverance:~/rop_emporium/callme32# objdump -d callme32 | grep callme
callme32:     file format elf32-i386
080485b0 <callme_three@plt>:
080485c0 <callme_one@plt>:
08048620 <callme_two@plt>:
 804881b:       e8 90 fd ff ff          call   80485b0 <callme_three@plt>
 804882c:       e8 ef fd ff ff          call   8048620 <callme_two@plt>
 804883d:       e8 7e fd ff ff          call   80485c0 <callme_one@plt>

root@Perseverance:~/rop_emporium/callme32# objdump -d callme32 | grep callme

callme32: file format elf32-i386

080485b0 <callme_three@plt>:

080485c0 <callme_one@plt>:

08048620 <callme_two@plt>:

804881b: e8 90 fd ff ff call 80485b0 <callme_three@plt>

804882c: e8 ef fd ff ff call 8048620 <callme_two@plt>

804883d: e8 7e fd ff ff call 80485c0 <callme_one@plt>

…

ROP Emporium – Split

Published by Arvandy on January 18, 2019

Split 32 Bit In this challenge, the ret2win function is being split into system call and /bin/cat flag.txt string. The objective is to use ROP gadget to execute system call with “/bin/cat flag.txt” string as the argument. Lets find the EIP offset using Radare2.


root@Perseverance:~/rop_emporium/split32# r2 -de dbg.profile=profile.rr2 split32 
Process with PID 4841 started...
= attach 4841 4841
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
glibc.fc_offset = 0x00148
[0xf7f4b0b0]> dc
split by ROP Emporium
32bits

Contriving a reason to ask user for data...
> child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x41415041 code=1 ret=0
[0x41415041]> wopO `dr eip`
44

root@Perseverance:~/rop_emporium/split32# r2 -de dbg.profile=profile.rr2 split32

Process with PID 4841 started...

= attach 4841 4841

bin.baddr 0x08048000

Using 0x8048000

asm.bits 32

glibc.fc_offset = 0x00148

[0xf7f4b0b0]> dc

split by ROP Emporium

32bits

Contriving a reason to ask user for data...

> child stopped with signal 11

[+] SIGNAL 11 errno=0 addr=0x41415041 code=1 ret=0

[0x41415041]> wopO `dr eip`

EIP offset is 44. Find the system@plt address using objdump command. …

ROP Emporium – Ret2Win

Published by Arvandy on January 14, 2019

Ret2Win 32 Bit In this challenge, we need to redirect the program flow to execute the ret2win address. This can be achieved by overwriting EIP (Instruction Pointer) with the ret2win address. This challenge can be done using simple echo command or pwntools. I use Radare2 and pwntools to solves this challenge. First thing first, lets …

PentesterLab Intro-Unix-Essential Badge

Published by Arvandy on October 20, 2018

So far I completed three badges from PentesterLab which are Introduction, Unix, and Essential Badge. Introduction Badge As you can guess from the name, this badge is an introduction on how the exercise works in PentesterLab. This badge consists of four exercises on how to submit key to complete the exercise, how to find …

PentesterLab Introduction

Published by Arvandy on October 6, 2018

After completing OSCP, I went back to HackTheBox. Overall, HackTheBox is fun even though the majority of the challenges are CTF-ish. There are some challenges/machines that have real-world scenarios such as Endgame, Active and Reel which are pretty good learning places. Beside playing CTF, I think I also need to balance it with learning …

OSCP Journey – Seventh Week (Exam)

Published by Arvandy on August 18, 2018

Date: 12 August – 18 August 2018 Amazing Week! My exam scheduled on Wednesday, 15 August 2018 15:00 (Asia/Jakarta). One day before the exam, I take a rest from exploiting any machines and just making sure all the scripts, tools, notes and provisions are ready to use. I also prepare the contingency plan such as second …

OSCP Journey – Sixth Week

Published by Arvandy on August 11, 2018

Date: 05 August – 11 August 2018 PDF: 380/380 Videos: 149/149 Exercises: 42/42 Exploited Machines: 53 (Alice, Alpha, Barry, Beta, Bethany, Bob, Brett, Carol, Carrie, Core, Cory, DJ, Dotty, FC4, Gamma, Gh0st, Helpdesk, Hotline, Humble, Internal, JD, Jack, James, Jeff, Joe, John, Kevin, Kraken, Leftturn, Luigi, Mail, Mario, Master, Mike, Niky, Nina, Observer, Oracle, Pain, …