Try โ€‚โ€‰HackMD
tags: pwnable.kr tutorials CTF hacking beginner flag binary exploitation pwn Toddlers' Bottle

flag From Pwnable.kr

Category : Toddler's Bottle

The challenge flag was of reverse engineering category. Reverse Engineering is a handy skill to have while pwning binaries. The challenge gives only a binary and which mentions that it has allocated a malloc and saved the flag in that. So let's start the challenge.

Let's read the prompt and download the important files to our box.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’ 

wget http://pwnable.kr/bin/flag
chmod +x flag

Dry Run

Let's give the binary a dry run and see what happens.

./flag
I will malloc() and strcpy the flag there. take it.

The binary says its has stored the contents of flag in the malloc that it created. So this should be easy, we open the binary in gdb and grab the contents that its strcpy to the malloc.

gdb ./flag
info fun

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

There are no functions or calls in the binary. This is weird. On first glance this weird behaviour is difficult to analyze.

One of the reasons that the binary shows no function in the gdb could be it is packed with upx. The man page of upx states that:-

UPX is a portable, extendable, high-performance executable packer for several different executable formats. It achieves an excellent compression ratio and offers *very* fast decompression. Your executables suffer no memory overhead or other drawbacks for most of the formats supported, because of in-place decompression.

Unpack the binary

Now let's unpack the binary with upx and analyse it in the gdb again.

upx -d flag -o flag2

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Now when you open it in gdb and check for functions you'll be able to see more data than earilier.

gdb ./flag2
info fun

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

That being said, now all we need to get the flag from the malloc.

Getting the flag.

  1. Set a breakpoint at main
  2. Run the binary with command r
  3. Run the binary step by step and see the memory (command ni).

We see that, first a malloc is being created with argument 0x64 i.e 100.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

And we see the flag being passed to malloc occupied memory.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Flag is:

UPX...? sounds like a delivery service :)
Last changed by 
โ€‰
duckie
i hack whatever i can
0
1008

Read more

WriteUp for CodeFest

These will include the challenges I was able to do in the last 2 hours of the 24 hour ctf @ CodeFest 2021. I was able to solve the entire pwn category which was easy and beginner friendly and one forensics challenge which was very practical and straight-forward. Pwn Category C is Hard Download files from here This was the first challenge which has stack overflow vulnerability and the goal was to overflow the buf and call a hidden function called print_flag. Let's start by analyzing the function in radare2. r2 -R'stdin=input.txt' ./source_fixed.

May 14, 2021
Start from Pwnable.tw

Points: 100 This is the writeup for the challenge start from pwnable.tw. This is the very first challenge on the website and a simple one for that matter. There is a simple buffer overflow on the binary but no jmp to esp gadget, so we need to create a rop chain to find the address of esp and then jmp to it in order to make the binary execute our shellcode. That being said let's get started. Analyzing the binary We can download the binary from the site and throw it in gdb to get a closer look. gdb ./start

May 14, 2021
bof From Pwnable.kr

Category : Toddler's Bottle The third challenge from the pwnable.kr is the bof. But the twist here is , it's not vanilla bof that we see everywhere. The vanilla bof is simple: we overflow the buffer, overwrite the eip and then make it execute the payload. Here we need to overwrite a specific variable in order to gain command execution on the server. So let's get started. Setup GDB I will be using the gdb debugger with peda extension to exploit this challenge. So you can install gdb from your linux repositories and download peda from here. Let's start by reading the challenge prompt and download the important files to our box. wget "http://pwnable.kr/bin/bof" wget "http://pwnable.kr/bin/bof.c"

Sep 1, 2020
fd from Pwnable.kr

Category : Toddler's Bottle This blog post will be part of the binary exploitation series. I am new to this kind of stuff and will be posting about them as I learn. In this series we will be hacking pwnable.kr challenges. I heard that is a great resource to learn from. Toddler's Bottle So the first category is Toddler's Bottle. They are supposed to be easy beginner level binary exploitation challenges. Thus we will be starting from there. fd The first challenge name is fd and it talks about Linux file descriptors in the challenge prompt. Lets login into the server and check the binary. We ssh into the server with a password guest.

Sep 1, 2020
Read more from duckie
Published on HackMD