pwnable.kr - Levels: fd, collision, bof, flag
Key Takeaways
The video walks through the first four pwnable.kr levels (fd, collision, bof and flag): reading the C source and the disassembly, crafting a colliding input for the simple additive hash with a Python one-liner, overflowing a stack buffer to overwrite a local variable, and unpacking a UPX-packed binary, using SSH, Hopper, netcat, GDB, SCP and upx along the way.
Full Transcript
Welcome to another live CTF recording of pwnable.kr. pwnable.kr is a standard wargame CTF kind of challenge, and it says here in the rules and tips that you shouldn't post solutions online, but if you insist, post the easy ones and do not spill too much. So what I'm doing is I only play a couple of the early levels, and they are already online, you can find solutions already online, so I don't feel too bad about making a recording of it. But definitely play them yourself if you've got the time, because you will learn a lot more.

So let's have a look at the first challenge. You can see with the dotted border of that level that I have already solved it, but the other levels are new. I just thought, after solving that one, maybe it would be a good idea to record those. So I copy the SSH credentials from the challenge description and then I log into this machine. The first thing I do is obviously look up what files exist, and I see that there's an fd program and the source code fd.c, and when we execute it, it also tells us that we can pass a number to it. If we look closely in the code, we see that the argument that we can pass to it is converted to an integer, and then hex 1234 is subtracted from that integer, and that is stored in fd, and then fd is used in the read function call as the first parameter, which is the file descriptor, and it reads 32 characters from buf, and afterwards buf is string-compared to "let me win". So what we want to do is somehow we want to get this fd value to one, because we want to read from standard input, and standard input is file descriptor one. So basically we want to enter a number that is hex 1234 + 1, so that after the subtraction the result is one, and then read is called on file descriptor number one, and we can type in whatever we want as a string, and that is read and then compared, and then it's correct and then we get the flag. That was a bit fast, but just, you know, go back and look exactly at it yourself.

So up to the next level, called collision, and it says here: "Daddy told me about MD5 hash collisions." So let's see what it is about. We log out of the previous challenge and log into the next one. So let's again check what files are available. Again there's a program called col, and there's source code available for it as well, and let's have a look at it. So first the argument count is checked, if it's smaller than two, because it needs a passcode to be supplied, and you can see it when you execute it: it wants a passcode. Then it checks if the passcode you entered is 20 bytes long; if not, it makes an error, but if it's 20 bytes long, then it will call check_password up there, which has a little function, a little for loop going over the passcode that you supply, and it's calculating some integer value, and it's then later compared to the hashcode. So it's kind of like a simple hashing algorithm, not quite MD5, but you know, some kind of hashing algorithm. So we want now to find a way to collide those hashes; basically we want to provide an input that will create the same hashcode. And we can now look at this in the disassembly to maybe figure out how exactly this algorithm works. The for loop does add some values, so it makes sense to create a breakpoint at the add instruction to see exactly what kind of values are added on this hash that is generated, to see maybe how it works. So again, well, we have to start the program with 20 characters, so we can just simply use a pattern that we can easily recognize in the function, and we hit the breakpoint. So let's look at the registers, and yes, the value should be in eax that is added. So we see that in the first round it's A's and the second time it's B's, so apparently it's just looping over the passcode that we supply, always four bytes at a time, and then just simply adds the hex value or the number representation of those bytes, and then the result has to be the hashcode.

So now I try to think about what would be an efficient way to get to this hash collision with those calculations. So first I make a quick test by passing the passcode via a Python one-liner script to see if that works. I mean, I know that works; I don't know why I did this at this moment, I was probably just, you know, thinking. Then I thought I need five pairs of four bytes to add up to this hashcode value, so, wow, I'm so intelligent, why not make all the pairs zero except for one, and then we add basically the hashcode on it, and then it's all fine. While writing this, at some point I realized, wait a moment, this cannot work, because the argument will be checked with string length, if it's 20, and if I have zero bytes in there, then string length will not have this length anymore, because strings end on a zero byte, so it would just be zero length, so that wouldn't work. Then I realized I need five equal parts, or like, I need some equal parts, so I just divide this by a number, and then I realized I could just, you know, add the division result of this on top of each other four times to reach this number. At this moment I didn't realize that I made a mistake, that it has to be 20 long, so it needs to be divided by five and not by four; thus my attempt right now of using four times this value doesn't work, but you know, I will realize that in a second. So I think at this moment that four times this string would allow me to pass this test, because four times that would add up to the hashcode value, but obviously the passcode should be 20 bytes, and oops, I did it with four instead of five. So let's check again how we can divide this value by five, and I realized, damn, it has a remainder, so I cannot simply divide this by five, but I have to slightly change the single values so that it matches. The next idea I have is I could simply add up a certain value like hex 1111 four times and then add the remaining stuff on it to reach the hashcode, but I realized that 1111 is already too much, and that there's a negative value, so basically I have to make the value that I add up four times a bit smaller, and I decide I could also just use hex 01010101. This means that this is the amount for the fifth 4-byte pair to add up to the hash value, so I make hex to get this value. So if I have four times 01010101 and then this 1DD value at the end one time, those will all add up to the hashcode. So that's what I'm doing now: I'm specifying to print the hex 01010101 four times, and for the fifth time then I add this value that I calculated with the subtraction from the hashcode, this 1DD value, because those will then add up to the hashcode that we want. And notice here that we have the endianness, so we have to basically, you know, specify the bytes in the reverse order. And congrats, we created a hash collision, so we can use this flag and see if it's correct, and yes, we receive some points for it.

Next level: bof. "Nana told me that a buffer overflow is one of the most common software vulnerabilities. Is that true?" So let's have a look at this. Apparently this time we can download the file instead of having an SSH to connect, because then we connect with netcat, as you can see there in the description. So first we have to analyze the binary locally and then use this to exploit the remote binary. So now I open Hopper to load the binary in there. I should have probably looked at the source code first, because we did get the source code, so I don't know why I opened it up in Hopper immediately. Okay, so I'm still not looking at the source code, and yeah, that's the netcat; we can connect to this server and it says "overflow me" now. Okay, so let's look at it. So main calls func with a certain number, and then this key is compared if it's different. So it passes deadbeef, but inside the function func it checks if it's cafebabe. So somehow we have to change the key, but as you can see, this function never changes the key. So this is a common buffer overflow: we have to overflow a certain value so that we can overwrite the local variable key on the stack. I created some more extensive videos about how buffer overflows work and how those local variables are stored on a stack and stuff, so check out my hacking instruction playlist where I go into this in more detail. Basically what we want: we want to throw a lot of characters at it so that it's overflowing the buffer and then overwriting the key with the value that we want. I'm now going on this server before, just to be on the same system so I can debug this, because I obviously am on a Mac machine and I need a Linux machine so I can test some stuff, and instead of opening up my own virtual machine with Linux, I just want to use the machine from pwnable. But I think they prevent you from using wget or generally connecting to services from inside those servers, so that you don't use it as a botnet to, you know, DoS somebody or something. So I use SCP to upload the binary to the server, then we can connect to it again and then start analyzing this binary. Obviously /tmp is not readable, because there are other users on the system playing the same game, and if you could read /tmp you could read and see what other people are doing, but we know that we uploaded bof, so we can now analyze this here. So we want to make a breakpoint at the compare of the function, so that's the disassembly of the function, and so we can run it, and then I failed to make it executable, so do it again. We set a breakpoint at the compare where we compare the key to the specific number, but I still get some weird errors. It's executable, but still some weird error, so at this moment I'm a bit confused. So I create my own directory, because /tmp is, you know, not readable, and maybe GDB has a problem with it, but inside our own directory we cannot read. So I tried it again, yeah, and now it seems to work. So let's create here our breakpoint in this GDB session. First of all, disassemble the function again, just so that we can see it nicely, and then we create a breakpoint at this address. So we start this and we type something in, and now we hit the breakpoint and we can look at the registers, and if you look in the disassembly, it loads the value from ebp plus hex 8, and that value is compared to cafebabe, so it's still deadbeef obviously. So let's restart it again and let's create a pattern so that we can see with what part we can overflow maybe the key variable. So we hit the breakpoint, we can look again at this address, and apparently we have overwritten the key with 4e 4e 4e 4e. We can use Python to see that 4e is the character N, so apparently this many characters resulted in N, and N is the padding or the offset, and then from that on we can write the specific value. So what we want is basically we want to write until M, and then basically we want to write the cafebabe, and again I cannot simply just copy this, because I need to do it backwards, so it's ending with BE, then BA, FE and CA, and then I throw it against it, but I forgot the pipe. "Stack smashing detected, terminated." Why is that? Stack smashing detected means that there was a stack canary, a certain special value on the stack, and if that gets overwritten and the function tries to return, it will simply terminate. So I have somehow overwritten this value, which is clear, because we have overwritten stuff on the stack. But if you look at the source code, we shouldn't return, we should have the shell before. So we have to use this trick with cat, because the echo will close the input, and with this cat together we can still keep the input open, and we can then read the flag. You can see the same technique used in other videos of mine, if you don't know that one.

Okay, up to the next level, and that is called flag. Again, this is apparently a reversing challenge; we only have a binary file. We can check, it's a 64-bit ELF Linux executable. So basically the first thing is checking the strings, maybe the password or the flag is already in it, and it says here "this file is packed with the UPX executable packer", so this is a strong indication that obviously it's UPX packed and we need to unpack it, and that we find so much random garbage is probably because it is packed with UPX and it creates a lot of random strings. So now I do decide to start my VM, because maybe I need some more debugging or reversing tools, and that's why I need a Linux machine. And I go into the share folder, the share folder shared between the virtual machine and my Mac, so I can place some files in there and work on them on both machines, but I can also simply just download the flag again. So now I just install upx, because that should allow me to unpack this binary, or decompress, whatever. So I look in the man page and try to find again how exactly you decompress or unpack a UPX-packed binary. I search for like "unpack" and "extract" and try to find what the parameter was again, but I cannot find it, so I quickly search online again, maybe it says somewhere else how it works, and then "decompress", and then find maybe upx -d. So upx -d, and -t is a flag, and tested, and finds yeah, this one is UPX packed. So with -l we can, oh no, with -l we can check if it's packed with UPX. I think I missed the -d to decompress, that's why I'm looking around here; it was right there, but I must have missed it. So I'm searching again, manual unpacking, of course that's interesting, very interesting, I've never done it actually, but you know, if you know that a tool works then sometimes you just use it. Okay, now I see it, it's upx -d, and yeah, it unpacked one file, cool. So we can look at it again and it's not packed with UPX anymore, so it got unpacked. So now we can do a strings on it, and yeah, that looks much more normal and common for a normal binary. So this is weird, there's a lot of stuff in this binary, that's a bit interesting, so maybe let's just execute it. First I have to make it executable. "I will malloc and string copy the flag there, take it." Okay, so it will string copy the flag somewhere; this means it will be then later in memory. So let's analyze this binary a little bit. Obviously we can also open it in Hopper now. I'm going to my tools, to the vagrant share folder, and open the flag. Okay, here's main. It takes a while to analyze, it's a very loaded one; I don't exactly know what's in there, maybe some interpreter or something, I don't know. So now I'm looking for string copy, because it said it would string copy the flag, but we cannot find any references to string copies, so not so sure what I do now. "flag" is also no results. Okay, so this seems to be like the main function where it prints the stuff, so this is the real main here, and yeah, we can also see the malloc here, so that's cool, and maybe this one is the string copy, the questionable call there. So we just break at the end of main. Now we are there, so now we can just look around, and then I notice, I'm looking around and I see that on the stack there, it looks like there's a string, because of where rax is pointing to, and it says "UPX...". But now I get annoyed, because pwndbg or GDB cuts the string, it doesn't display the full string, which makes me very annoyed right now, and I have no idea how to tell GDB to please print the whole string. So what I do now is I have an idea: I could maybe go via the proc file and just cat the process memory, but that doesn't work, and I'm actually not sure if that works. Like, I thought that you could simply read the memory of a process like that, I mean if you are root, but maybe I have to look into this again. Now I'm thinking maybe it was not mem, maybe it was a different file in proc, but it says it should be mem. But then I realized, ah, I have to know where exactly it's mapped in memory, and I have to probably seek to those special addresses and stuff, so that's not as simple as cat. Then I think about maybe with print I can do something, and then I can maybe do printf to just print this as a string, but I don't really know exactly the syntax, how that works with GDB. Maybe like a regular printf, no, "format string missing", but luckily there's an example, so it is without parentheses, no, just the correct parameter, and there it is: "UPX... sounds like a delivery service", and that's a flag, yeah.
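The collision level above boils down to the observation that the program's "hash" is just the sum of five little-endian 32-bit words, with the only constraint being that strlen() must still see 20 bytes. The following Python is an added example, not code from the video or from pwnable.kr: it models that check, reproduces the speaker's four-filler-words-plus-remainder construction (generalized to try other fillers when the remainder would contain a NUL), and shows why an additive hash is trivially collidable at all. The target value is constructed for the example, not the challenge's real constant.

```python
# Added example (not from the video): model of the col challenge's
# additive "hash" as the transcript describes it, plus a collision search.
import struct

PASSCODE_LEN = 20  # the program checks strlen(argv[1]) == 20


def check_password(passcode: bytes) -> int:
    """Mimic the C loop: reinterpret the 20 bytes as five little-endian
    32-bit ints and add them up. C int arithmetic wraps, so mask to 32 bits."""
    if len(passcode) != PASSCODE_LEN:
        raise ValueError("passcode must be exactly 20 bytes")
    total = 0
    for i in range(0, PASSCODE_LEN, 4):
        (word,) = struct.unpack("<I", passcode[i:i + 4])
        total = (total + word) & 0xFFFFFFFF
    return total


def passes_strlen_check(passcode: bytes) -> bool:
    """strlen() stops at the first NUL, so any zero byte shortens the string
    and the length check fails. This is why an all-zero filler cannot work."""
    return len(passcode) == PASSCODE_LEN and b"\x00" not in passcode


def craft_collision(target: int) -> bytes:
    """Four copies of a filler word plus a fifth word holding the remainder.
    The transcript uses 0x01010101 as filler; here we try fillers of the
    form 0xbbbbbbbb in turn until both filler and remainder are NUL-free."""
    for b in range(1, 0x80):
        filler = int.from_bytes(bytes([b]) * 4, "little")   # 0x01010101, 0x02020202, ...
        remainder = (target - 4 * filler) & 0xFFFFFFFF
        passcode = struct.pack("<IIIII", filler, filler, filler, filler, remainder)
        if passes_strlen_check(passcode):
            return passcode
    raise ValueError("no NUL-free split found for this target")


def collide_by_reordering(passcode: bytes) -> bytes:
    """Addition is commutative, so swapping any two 4-byte words yields a
    different input with the same hash (when the words differ). Any real
    hash function must make such trivial collisions infeasible."""
    words = list(struct.unpack("<IIIII", passcode))
    words[0], words[1] = words[1], words[0]
    return struct.pack("<IIIII", *words)


if __name__ == "__main__":
    TARGET = 0x2A3B4C5D  # constructed target value for the example
    p = craft_collision(TARGET)
    print(p.hex(), hex(check_password(p)))
    q = collide_by_reordering(b"AAAABBBB" + b"C" * 12)
    print(q, hex(check_password(q)))
```

The remainder word is emitted with `struct.pack("<I", ...)`, which takes care of the byte-reversal the speaker does by hand for the little-endian layout.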
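For the flag level, the speaker spots the packer from the `strings` output: a "packed with the UPX executable packer" banner and a lot of random-looking garbage. The following Python is an added example, not code from the video: a small triage helper that extracts printable strings the way `strings` does, checks for the UPX markers, and estimates byte entropy, which is high for compressed payloads and drops back to normal after `upx -d`. The two sample blobs are constructed for the example, not real binaries.

```python
# Added example (not from the video): "is this binary packed?" triage.
import math
from collections import Counter

UPX_MARKERS = (
    b"UPX!",                                                # UPX header/section magic
    b"This file is packed with the UPX executable packer",  # banner seen in strings output
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII (0x20..0x7e) at least min_len long, like `strings`."""
    out, run = [], bytearray()
    for byte in data:
        if 0x20 <= byte <= 0x7E:
            run.append(byte)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for a constant stream up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def upx_indicators(data: bytes) -> list:
    """Which of the known UPX markers appear in the file."""
    return [m.decode("ascii") for m in UPX_MARKERS if m in data]


def triage(data: bytes) -> dict:
    """Combine marker hits and entropy into a packed/not-packed verdict."""
    markers = upx_indicators(data)
    entropy = shannon_entropy(data)
    return {
        "upx_markers": markers,
        "entropy": round(entropy, 2),
        "string_count": len(extract_strings(data)),
        "likely_packed": bool(markers) or entropy > 7.0,
    }


# Constructed samples: an ELF magic, high-entropy filler standing in for a
# compressed payload, and the UPX markers; versus a plain unpacked layout.
PACKED_SAMPLE = (
    b"\x7fELF" + bytes(range(256)) * 2 + b"UPX!" + b"\x00" * 3
    + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\x00"
)
UNPACKED_SAMPLE = (
    b"\x7fELF" + b"\x00" * 32
    + b"I will malloc and strcpy the flag there. take it.\x00" + b"\x00" * 32
)

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(name, triage(blob))
```

The entropy threshold is a heuristic: encrypted or compressed data sections also score high, so treat a high value without a packer marker as a prompt to look closer, not as proof of packing.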
Original Description
First 4 levels of: http://pwnable.kr/play.php
fd, collisions, bof, flag
#CTF #BinaryExploitation