Okay, okay, alright, alright, I heard you! You must be looking for something more technical, not just a story or journey. This is the last part, which contains my methodology and the resources I found useful for anyone who is currently planning or taking the AWAE. Methodology Everyone has to come up with the …
AWAE / OSWE – Journey
Here comes the journey part. Some people, including myself, like a journey/story since it shows how and why the author started, and the challenges, issues and situations that others could face too. For the author, it can be a source of motivation and a great flashback in the future. TLDR; this …
AWAE / OSWE – 5W1H
WHAT Advanced Web Attacks and Exploitation (AWAE) is a security course from Offensive-Security that focuses on advanced web application security. The course content focuses mostly on the white-box approach to web application penetration testing, with a bit of the black-box approach. The student will spend most of the time understanding the underlying source code and debugging the …
ROP Emporium – Fluff
Fluff 32 Bit Overall the objective is still the same as write4, but the usable ROP gadgets in this binary are limited. We need to find a ROP chain that achieves the objective. First, let's find the EIP offset using Radare2.
root@Perseverance:~/rop_emporium/fluff32# r2 -de dbg.profile=profile.rr2 fluff32
Process with PID 1818 started...
= attach 1818 1818
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
glibc.fc_offset = 0x00148
[0xf7f470b0]> dc
fluff by ROP Emporium
32bits

You know changing these strings means I have to rewrite my solutions...
> child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x41415041 code=1 ret=0
[0x41415041]> wopO `dr eip`
44
The EIP offset is 44. Next, find a writable memory section using the readelf command.
root@Perseverance:~/rop_emporium/fluff32# readelf --sections fluff32
There are 31 section headers, starting at offset 0x1970:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        08048154 000154 000013 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            08048168 000168 000020 00   A  0   0  4
  [ 3] .note.gnu.build-i NOTE            08048188 000188 000024 00   A  0   0  4
  [ 4] .gnu.hash         GNU_HASH        080481ac 0001ac 000030 04   A  5   0  4
  [ 5] .dynsym           DYNSYM          080481dc 0001dc 0000d0 10   A  6   1  4
  [ 6] .dynstr           STRTAB          080482ac 0002ac 000081 00   A  0   0  1
  [ 7] .gnu.version      VERSYM          0804832e 00032e 00001a 02   A  5   0  2
  [ 8] .gnu.version_r    VERNEED         08048348 000348 000020 00   A  6   1  4
  [ 9] .rel.dyn          REL             08048368 000368 000020 08   A  5   0  4
  [10] .rel.plt          REL             08048388 000388 000038 08  AI  5  24  4
  [11] .init             PROGBITS        080483c0 0003c0 000023 00  AX  0   0  4
  [12] .plt              PROGBITS        080483f0 0003f0 000080 04  AX  0   0 16
  [13] .plt.got          PROGBITS        08048470 000470 000008 00  AX  0   0  8
  [14] .text             PROGBITS        08048480 000480 000282 00  AX  0   0 16
  [15] .fini             PROGBITS        08048704 000704 000014 00  AX  0   0  4
  [16] .rodata           PROGBITS        08048718 000718 000083 00   A  0   0  4
  [17] .eh_frame_hdr     PROGBITS        0804879c 00079c 00003c 00   A  0   0  4
  [18] .eh_frame         PROGBITS        080487d8 0007d8 00010c 00   A  0   0  4
  [19] .init_array       INIT_ARRAY      08049f08 000f08 000004 00  WA  0   0  4
  [20] .fini_array       FINI_ARRAY      08049f0c 000f0c 000004 00  WA  0   0  4
  [21] .jcr              PROGBITS        08049f10 000f10 000004 00  WA  0   0  4
  [22] .dynamic          DYNAMIC         08049f14 000f14 0000e8 08  WA  6   0  4
  [23] .got              PROGBITS        08049ffc 000ffc 000004 04  WA  0   0  4
  [24] .got.plt          PROGBITS        0804a000 001000 000028 04  WA  0   0  4
  [25] .data             PROGBITS        0804a028 001028 000008 00  WA  0   0  4
  [26] .bss              NOBITS          0804a040 001030 00002c 00  WA  0   0 32
  [27] .comment          PROGBITS        00000000 001030 000034 01  MS  0   0  1
  [28] .shstrtab         STRTAB          00000000 001865 00010a 00      0   0  1
  [29] .symtab           SYMTAB          00000000 001064 000510 10     30  50  4
  [30] .strtab           STRTAB          00000000 001574 0002f1 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)
The .data section is writable. …
ROP Emporium – Badchars
Badchars 32 Bit Overall the objective is still the same: write the "/bin/sh" string into memory and then call system() with "/bin/sh" as the argument, but in this challenge we also need to handle the badchars (bad characters). Badchars are any characters that can terminate our crafted payload, such as the null character ("\x00"), carriage return ("\x0D"), newline ("\x0A"), etc. So we need to make …
ROP Emporium – Callme
Callme 32 Bit In this challenge, we need to execute the callme_one(), callme_two() and callme_three() functions sequentially, in that order. Each function must be called with the arguments 1, 2, 3, e.g. callme_one(1,2,3), to get the flag. Let's find the EIP offset using Radare2.
root@Perseverance:~/rop_emporium/callme32# r2 -de dbg.profile=profile.rr2 callme32
Process with PID 4926 started...
= attach 4926 4926
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
glibc.fc_offset = 0x00148
[0xf7fa10b0]> dc
callme by ROP Emporium
32bits

Hope you read the instructions...
> child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x41415041 code=1 ret=0
[0x41415041]> wopO `dr eip`
44
The EIP offset is 44. Let's find the addresses of the callme_one, callme_two, and callme_three functions using objdump.
root@Perseverance:~/rop_emporium/callme32# objdump -d callme32 | grep callme
callme32:     file format elf32-i386
080485b0 <callme_three@plt>:
080485c0 <callme_one@plt>:
08048620 <callme_two@plt>:
 804881b:	e8 90 fd ff ff       	call   80485b0 <callme_three@plt>
 804882c:	e8 ef fd ff ff       	call   8048620 <callme_two@plt>
 804883d:	e8 7e fd ff ff       	call   80485c0 <callme_one@plt>
…
ROP Emporium – Split
Split 32 Bit In this challenge, the ret2win function has been split into a system() call and a "/bin/cat flag.txt" string. The objective is to use ROP gadgets to call system() with the "/bin/cat flag.txt" string as the argument. Let's find the EIP offset using Radare2.
root@Perseverance:~/rop_emporium/split32# r2 -de dbg.profile=profile.rr2 split32
Process with PID 4841 started...
= attach 4841 4841
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
glibc.fc_offset = 0x00148
[0xf7f4b0b0]> dc
split by ROP Emporium
32bits

Contriving a reason to ask user for data...
> child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x41415041 code=1 ret=0
[0x41415041]> wopO `dr eip`
44
The EIP offset is 44. Next, find the system@plt address using the objdump command. …
ROP Emporium – Ret2Win
Ret2Win 32 Bit In this challenge, we need to redirect the program flow to the ret2win function. This can be achieved by overwriting EIP (the instruction pointer) with the address of ret2win. This challenge can be done with a simple echo command or with pwntools. I use Radare2 and pwntools to solve this challenge. First things first, let's …
PentesterLab Intro-Unix-Essential Badge
So far I have completed three badges from PentesterLab: the Introduction, Unix, and Essential badges. Introduction Badge As you can guess from the name, this badge is an introduction to how the exercises work in PentesterLab. This badge consists of four exercises covering how to submit a key to complete an exercise, how to find …