Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
Key Takeaways
The video demonstrates a live hacking session of the Internetwache CTF 2016, specifically the exp50, exp70, and exp80 challenges, using tools like Ruby, Python, and netcat to exploit vulnerabilities such as buffer overflows and format string exploits.
Full Transcript
In this video I will show three exploitation challenges from the Internetwache CTF, which happened already a while back, but I didn't get around to editing it, so here it is now. The first level is exploitation 50, Ruby's Count: "Hi, my name is Ruby. I like converting characters to ASCII values and then calculating the sum." And we have here a server given with an IP and a port. It wants us to provide some ASCII values of 10 characters. We didn't enter enough, and you see also "matching only a to f". So when we type in 10 a's we get the sum of 970. Now let's type in the sum of 10 f's, that's 1020, but that's not enough, we need to get higher than 1020. But how can we get a higher sum if we are only allowed to use a maximum of 10 f's? Well, there's a weirdness to Ruby regular expressions which you have to be very careful with, and this is what we are going to exploit here. So if we use Debuggex to look at the regular expression, we can see that it looks for the start of a string, then 10 times the characters a until f. But by default Ruby's regular expressions match multi-line, so as you can see here, a line with the f's and then a new line with asd afterwards still matches. So the idea is clear: we want to just inject two lines into whatever we are sending to the server, and we can do this using echo. But when I use echo and the f's I somehow don't see the result that I expect to get back from the server, and I don't understand why. So now I get really, really frustrated and play around with it and get confused why, whatever I'm sending, I never see the result, and you can see me here angrily just sending the same command over and over again. Well, I play around with sleeps and whatever, just to see if I can wait for the response, but then I was thinking, similarly to exploit two, to leave the input kind of open. I use cat and that seems to do the trick. Now I'm able to get the response properly back from the server, and yes, we get the flag: Ruby RX fail. The next challenge is
exploitation 70, Flex Store: "Here's the ultimate flex store, it stores and retrieves the flag whenever you want." We have a zip and again a service given with IP and port. Let's have a look at this server. So we take the IP and the port and connect to it with netcat. "Welcome to the flex store. Choose an action: register, log in, get flag, store flag." Okay, so we don't type in the word but the number. "Please log in first." So let's have a look at this in the source code. In main we see here an endless while loop where it says "choose an action", prints the menu, followed by a huge switch-case statement depending on which value you choose. And to do something we first have to log in, but if we look at the get flag option we also see that there's a case where it checks if you are admin, is_admin. So we have to log in first, but there was a menu for registration, so logging in might be easy, but there's this other variable is_admin, so somehow we have to be admin to, as you can see here, print the flag. For the login you use a username and password, and when we look at the variable definitions we see that the username is 500 bytes long, then afterwards comes the is_admin flag and after that the password. And if we look in the case for the login we see that here's a safe scanf that only reads up to 499 characters, so that seems to be safe. But the other case, the registration, seems to use scanf and not have a set length. So the idea is to register an account with a super long username which might overflow into the is_admin flag. So we use Python to just generate a super long string, and then we select registration and enter a password, but the password was too short, so select a longer one, and we have registered an account now. Now the admin flag should be set, and if we have a valid login we should be admin. So we have to specify username asd asd, but those are the wrong credentials obviously. So we register another account that has a shorter username, we log into that one, but with the registration
we have already overwritten the admin flag, and if we now select the menu item get flag, we get the flag: why you know has flag. Okay, we solved those two challenges pretty fast, so now we move on to the last exploitation challenge, exp80, which requires a little bit more time but it's super fun too. So, Remote Printer: "Printers are very, very important for offices, especially for remote printing." And there is again a zip file available that we can download, and a service, an IP and a port. So let's first connect to this server and see what is happening. "This is the remote printer. Enter an IPv4 address." We enter an address and a port. "Thank you, I'm trying to print this address now." Hm, okay, so it has something to do with an address and a port, so we might need a server with an IP that is reachable from the service. Also we should start analyzing this file, so we open it in Hopper. Let's first look for strings. "This is a remote printer", that is the first string printed, so we can quickly find the main menu, and you see here, so this is probably the main function, where it asks you to enter an IPv4 address and a port by using scanf. After you have entered those addresses it tells you that it's trying to connect there and calls this other function here, and you see here already that it opens a socket and creates the struct for the connection and then tries to receive some data from it and calls printf. And this printf looks already pretty bad; if you have seen my format string vulnerabilities video you may remember that if you're able to control the format part, the first parameter of printf, then it's pretty bad. There is another interesting string saying "yay flag", that is probably printing then the successful flag, and if you look at the function where this is from, it tries to open a file with fopen, and that points to another string which is not properly analyzed here, so it tries to read the f.txt and then print the content of this file after it opened it,
so this is obviously the function we want to call, because this will then print the flag. Okay, we know now that this tries to connect to an IP and port you specify, receive some data and printf that, which obviously leads to a format string exploit. So we need a public IP address to test this. I'm using DigitalOcean to quickly spin up a server just for an hour or so during the CTF, which I can then later throw away and only pay this one hour, and this way I can get a public IP to play with, and it's a Linux machine, so it's great. So it takes a little bit to set up, just a few seconds or a minute maybe, and then you are able to connect to it via SSH, and then we can test that. Cool, done. Let's copy the IP and use SSH to connect to this new server. Okay, cool, we are on the server. Now we listen on one port, 8080, and we pipe asd into it, so if something connects to this IP now on port 8080 it should print it. So let's connect to the server, we type in our IP and our port, and we can see that it prints the asd. And we think that it might be a format string exploit, so let's play around with this. Let's use Python inline to print a lot of %p or %x or whatever you want, to see if we can in fact control the format specifier, and we should be able to leak addresses or generally values from the stack. So python -c and then print and then the percentage stuff. Okay, now we are listening, now let's connect again to the print server, we enter our IP and port, yep, we see here all these weird characters. Now let's prepend a few recognizable characters to our string, maybe just some A's, and then let's do the same thing again. But I don't want to type in the IP and port all the time, so I write this in a file and then pipe that into it. But again I kind of fail; if I just do cat it doesn't work, so I have to concatenate two cats, so I leave the input open and don't close it, at least that's what I guess is the reason. If I'm
wrong here and you know it better, please do tell me. And if you scroll to the start, yep, there are 41 41 41 41, those are our 4 A's. So now we know the offset of our string on the stack; this means we can place there an address where we want to write to and use %n to write to it. If you don't know how format string exploits work, check out my introduction to hacking videos about format string exploits. So first of all let's get a few important addresses. For example, one of the important addresses is the address of the goal function that we want to call, that is the get flag function, and this has the address 8867. Now if we want to overwrite for example the global offset table of a certain function we have to figure out what function is called after the printf, so we can smash the table. So let's go back into the function that is reading our string and printing it, and we can also rename it to have it better documented, and after the printf there is a call to close. So we can now go to the close call, which is the global offset table; I've also made recently a video about that one. And if we write to this address here, the global offset table entry address, we can specify and redirect the code execution to whatever we write there. So our goal is to write the address of get flag at this location. So now let's modify and enhance our exploit proof of concept here a little bit further. First of all, let's import struct so we can convert between integer numbers and binary strings, because we want to write down the address to reference it from the stack with %n. And then we also replace the 500 %p's with something that is more reasonable. We can count how far away the AAAA is, because this is where we want to put instead the address, and we can simply count how many values are there before we hit the A's. So there are six values before and the A's are the seventh value, so we simply want to use six different
%x's to print stuff and then the seventh one hits our address. So we can do for example six %p's and then at the end the %n to reference that, but instead of the A's we obviously want to place there the address. So we can already place here the address and see if that works. Now I opened the binary in GDB and had set a breakpoint before, and now I'm using the exact same address, obviously with my own binary here, to connect to my server and get the format string back, and we can see that we hit now the breakpoint. And now we want to look at the global offset table. So the breakpoint was after the printf and we want to check if we successfully have overwritten the global offset table entry, and we did, so it's 32 instead of a huge number, because we printed already 32 characters. Now we can calculate how many characters we need to write to get the address. We do this in two writes, like in my other format string video, so first the lower two bytes, and obviously we also have to subtract again how many characters we printed, that's 32, and then we can simply enter the decimal version of that number before we perform the %n. That should write at least the two lower bytes successfully in the global offset table, and we are one step closer. So we execute again our exploit code, we are listening now and we connect to it with our binary and again check if we have successfully overwritten the amount of characters. We run again and we look at the global offset table entry and yes, we have the 8867 in there. So now we simply need a second write for that one. So we first take the address that we have first written to, which we have to write at plus two, but we also need four more bytes in between before we place this address, because to get the other write working we consume one more element to pad it, and after that the %n. So we always have this pair of %
something and %n with a padding for a write, so that's why we have to make sure we consume two bytes in the address. And so if we do this we get now 887b there, and that is obviously a little bit too high, but we can use this trick that I showed you in this other video, basically write up to three bytes which will overflow, but it doesn't matter for the global offset table, and we can calculate again how much the padding should be to be able to write the correct value. And I'm converting again hex values to decimal with Python and we place it in there and then we can test it against the binary. I run it and throw it against the binary, but it doesn't work. The address seems to be weird, and I didn't realize that because I extended now the characters with the B's and the new address, I also shift around how many characters are printed for the lower bytes, and it's just not working, and I'm constantly screwing up how many characters I'm printing and I can't hit it anymore. So it takes me a while to realize what my mistake was, and I noticed it when I wrote my goal and where I am right now under it, and realized: oops, my lower bytes are higher, I accidentally added more bytes and my calculations are completely screwed up. So I have to calculate again, compensate for those errors, and eventually I figure out how many characters I have to print to write the correct address. Almost done, compensating for a few more values here, and if we try it out now, we run it, we check again, basically now I'm back at the beginning, compensate again back here for the second write, I run it, I check it: 08048867, that looks perfect. Great, so now it seems to work. That was annoying because I made mistakes and was not careful with what I am changing. So now we should be able to run this against the real server and overwrite the global offset table entry for close with the flag function and then execute that one to read the flag. Let's try it:
ivvo formatted remote printer. Awesome, we got that flag as well. Now I'm finally done with all my videos about the Internetwache CTF. We can look again at the tasks that I solved: I solved three web, three crypto and three exploitation challenges, and we can look at the scoreboard how I did. I think this was recorded just shortly before the CTF was over, I think, so I got place 254 with 610 points. And thanks so much to Internetwache for creating such a smooth CTF experience, it was a lot of fun and there were some great challenges that I really enjoyed working on.
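The two C bug patterns the walkthrough relies on, the registration path's unbounded scanf in exp70 and the printf on received data in exp80, are shown below as an added example next to their bounded and safe counterparts. This is not the CTF binaries' source: the struct layout follows the transcript's description (username of 500 bytes, then the is_admin flag, then the password), while the field sizes beyond that, the function names and the sample inputs are assumptions made for this example.

```c
/* Added example, not the CTF binaries' source: the unbounded-scanf pattern
 * (exp70) and the printf-on-received-data pattern (exp80) from the
 * transcript, each beside a bounded/safe counterpart. Struct layout follows
 * the transcript; PASS_LEN, function names and inputs are assumptions. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 500   /* transcript: username is 500 bytes */
#define PASS_LEN 100   /* assumed size */

/* Field order follows the transcript: username, then the admin flag,
 * then the password. A write past username[] lands on is_admin. */
struct account {
    char username[NAME_LEN];
    int  is_admin;
    char password[PASS_LEN];
};

/* exp70 pattern: "%s" has no width, so a long username runs past
 * username[] into is_admin. Shown for comparison only; not called below. */
void register_unbounded(struct account *a, const char *line) {
    sscanf(line, "%s", a->username);
}

/* Hardened form, like the transcript's login path: width 499 leaves room
 * for the terminator, and the flag is reset explicitly. Returns 0 on success. */
int register_bounded(struct account *a, const char *line) {
    memset(a, 0, sizeof *a);
    if (sscanf(line, "%499s", a->username) != 1)
        return -1;
    return 0;
}

/* exp80 pattern: received data used as the format string, so %p/%x leak
 * stack values and %n writes memory. Shown for comparison only. */
void print_received_unsafe(const char *data) {
    printf(data);   /* gcc -Wformat-security warns on this call */
}

/* Hardened form: the data is an argument, the format is a literal.
 * Rendering into a buffer lets the result be checked without stdout. */
int render_received_safe(char *out, size_t outlen, const char *data) {
    return snprintf(out, outlen, "received: %s", data);
}

/* Check: a constructed 600-character username is cut to 499 characters
 * and the adjacent is_admin flag stays 0. Returns 1 when both hold. */
int bounded_register_keeps_flag(void) {
    struct account a;
    char line[601];
    memset(line, 'a', 600);
    line[600] = '\0';
    if (register_bounded(&a, line) != 0)
        return 0;
    return strlen(a.username) == 499 && a.is_admin == 0;
}

/* Check: conversion specifiers in constructed received data stay literal
 * text instead of being interpreted. Returns 1 on success. */
int safe_render_keeps_specifiers_literal(void) {
    char out[64];
    render_received_safe(out, sizeof out, "%p%p%n");
    return strcmp(out, "received: %p%p%n") == 0;
}

int main(void) {
    printf("bounded register keeps flag: %d\n", bounded_register_keeps_flag());
    printf("safe render keeps specifiers literal: %d\n",
           safe_render_keeps_specifiers_literal());
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` flags the `printf(data)` call at build time, which is the cheapest check for the exp80 class; the exp70 class has no equivalent warning for a bare `%s`, so every scanf-family conversion into a fixed buffer needs an explicit width of buffer size minus one.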
Original Description
Commented walkthrough of the security CTF Internetwache 2016. Exploitation challenges.
Get DigitalOcean (referral):* https://m.do.co/c/826f195e2288
-=[ 🔴 Stuff I use ]=-
→ Microphone:* https://geni.us/ntg3b
→ Graphics tablet:* https://geni.us/wacom-intuos
→ Camera#1 for streaming:* https://geni.us/sony-camera
→ Lens for streaming:* https://geni.us/sony-lense
→ Connect Camera#1 to PC:* https://geni.us/cam-link
→ Keyboard:* https://geni.us/mech-keyboard
→ Old Microphone:* https://geni.us/mic-at2020usb
US Store Front:* https://www.amazon.com/shop/liveoverflow
-=[ ❤️ Support ]=-
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
-=[ 📄 P.S. ]=-
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Program.
#BinaryExploitation