TryHackMe | Dear QA writeup

Hello, this is a writeup for the TryHackMe room Dear QA.
Let's dive into it.

Task 1 Binary download

Download the task binary so that we can analyze it locally.

Task 2 Challenge Flag

After downloading it, we can run file to see what we are dealing with.

We run strings to see if we can find anything there.

In the strings output we see the line /bin/bash. Maybe it implies that there is a call to system which will execute bash? We'll find out.
Let's run the binary to see what it does.

        chmod +x DearQA.DearQA
        ./DearQA.DearQA

On running it, we see the following: it asks for our name, for which I entered 0xepitome, and then it exits.

We can check the binary protections.

        NB: you should have python pwntools installed on your system
        for this to work

Let's use checksec:

        checksec DearQA.DearQA

We see that the binary has no protections: no PIE and no stack canary. So we can perform a buffer overflow easily.
Next, let's use cyclic 100 to generate a 100-character pattern and see whether the binary crashes when we feed it that large string.

Nice!! We get a segmentation fault.

We can now debug the code. You can use any tool of your choice, but for this writeup I'll debug it in Cutter, which is a GUI for the famous radare2.
Type cutter in the terminal and it should start.
Select the binary you want to open, in our case DearQA.DearQA, and click OK. In the next window, click OK as well; analysis takes a few seconds. In Cutter we see the following:

In the left panel, we see the functions in our binary.

        I forgot to add that in strings we also see some function
        names, namely main and vuln.

Let's debug the main function.

You can see it performs several puts calls.
It uses the scanf function to retrieve user input.
scanf is a dangerous function since it performs no bounds checking, i.e. one can input as many bytes as one likes, as we did with the output of cyclic 100.
In the main function we see that scanf reads into var_20h, storing the data at rbp-0x20, and the following printf prints exactly what scanf read.
There we have our vulnerability: scanf does not bound the read.
In Cutter there is also a function called vuln which seems to call /bin/bash. That's what we want, right?
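The scanf bug described above, as an added C illustration (constructed here, not the room's source, which the page does not show): the unbounded "%s" read into a 32-byte stack buffer beside a width-bounded reader whose limit is derived from the buffer size. NAME_LEN, greet_unsafe, read_name_bounded and demo_name are names assumed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class behind this room; this is not
 * the room's source code (the page does not include it). name[] is 32 bytes,
 * mirroring the rbp-0x20 slot the writeup found in main(). */
#define NAME_LEN 32

/* Vulnerable pattern: "%s" carries no width, so the read copies until
 * whitespace, running past name[] into the saved rbp and the return address.
 * Shown only to make the shape of the bug visible; not called with long input. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    sscanf(input, "%s", name);      /* same defect as scanf("%s", name) on stdin */
    printf("Hello %s\n", name);
}

/* Hardened form: the width is derived from the real buffer size, so at most
 * dstlen-1 characters plus the terminator are ever written. Returns the number
 * of characters stored (0 on empty input) so the behaviour can be checked. */
size_t read_name_bounded(char *dst, size_t dstlen, const char *input) {
    char fmt[16];
    if (dstlen == 0) return 0;
    dst[0] = '\0';
    snprintf(fmt, sizeof fmt, "%%%zus", dstlen - 1);   /* yields e.g. "%31s" */
    if (sscanf(input, fmt, dst) != 1) return 0;
    return strlen(dst);
}

/* Runs the bounded reader over a NAME_LEN buffer and returns the stored name
 * (static storage, so copy it before the next call if you need to keep it). */
const char *demo_name(const char *input) {
    static char name[NAME_LEN];
    read_name_bounded(name, sizeof name, input);
    return name;
}

int main(void) {
    char pattern[101];                 /* constructed stand-in for `cyclic 100` */
    memset(pattern, 'A', 100);
    pattern[100] = '\0';
    printf("short input -> \"%s\"\n", demo_name("0xepitome"));
    printf("100-byte input -> %zu chars kept\n", strlen(demo_name(pattern)));
    return 0;
}
```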

We can use that information to develop our exploit and make the main function return to the vuln function.

Developing the exploit

I used Sublime and this was the exploit:

In the payload:
since we found that scanf reads into rbp-0x20, we write 20 bytes so that we reach rbp, then overwrite the saved rbp with 8 bytes, followed by the address of vuln, where the shell is executed.

For vuln_address we took the address of the vuln function from Cutter and used p64(0x00400686), since the machine expects little-endian byte order; p64 packs the address in that form.

We first run the exploit against the local binary to see if it is successful.

We see that our exploit is successful.
Now we run it remotely.

        NB: when running remotely, use:
        target = remote("IP_OF_TARGET_MACHINE", 5700)

The port number was already given in the task. On running it we get a shell.

But when trying ls there is no output.
I then figured: how about using a reverse shell to connect back to my machine?
I then used Revshells to generate the "exploit" and pasted it into the remote machine.
I connected using netcat on my machine and yes! we got a successful connection.

Now we can read the contents of the flag easily.

Happy Hacking peeps!