# LOGBOOK 6 ## TASK 1 In order to crash the program running in the docker container we send a message with the `%s` formatter. By doing `echo %s` the program will print the memory address in string format, but has the memory address can't be converted into a string the program crashes, as we can see because it didn't print:` (^_^)(^_^) Returned properly (^_^)(^_^)`. ![](https://i.imgur.com/qtkbM4m.png) ## TASK 2.A To discover how many %x we need for the server to print out our input we sent a mesage composed of `@@@@` and many `%x`. We chose `@@@@` because it's easy to recognize in hexadecimal as `40404040`. We discovered our input in the 64th position of the server output. ![](https://i.imgur.com/QzURzgf.png) ![](https://i.imgur.com/mv0PbWV.png) ## TASK 2.B In order to print out the secret message, we modified build_string.py to build our message. The message has the adress of the secret message, taking into account little-endian adresses, followed by 63 `%x` and a `%s` to print the message. In the server container we see that the secret message is `A secret message`. ![](https://i.imgur.com/DzKzZrE.png) ![](https://i.imgur.com/AtqJtp5.png) ## TASK 3.A The original value of the target is 0x11223344. The `%n` formatter assigns a variable the count of the number of characters used in the print statement before the occurrence of it. So we make a badfile similar to the previous task, with the adress of the target variable and a `%n` as the 64th format identifier. This changes the variable's value to 0x000000ef. ![](https://i.imgur.com/Lx6i4hX.png) ![](https://i.imgur.com/Ju6fgp1.png) ## TASK 3.B Since the `%n` assigns a variable the count of the number of characters used in the print, we need to add more bytes before so the value reaches 0x5000. Since 0x5000 is 20480 in decimal we needed to add 20247 more `%x`'s . After changing the python script and sending the new message, the variable's value changed to 0x5000. ![](https://i.imgur.com/jlcZJ6U.png) ![](https://i.imgur.com/Ie8gqjl.png) # CTF - Week 7 - Running the checksec on the program we get the following informations: ``` RELRO STACK CANARY NX PIE Partial RELRO Canary found NX enabled No PIE ``` - So the program has a canary which can difficult stack smashing attacks. - The NX is enabled so so it works with the processor to help prevent buffer overflow attacks by blocking code execution from memory that is marked as non-executable. - PIE is disabled so the program and files are always on the same memory position in every run which means we can locate them easily. Answering the questions: - The line of code with `printf(buffer);` can be exploited by the fact that they don't especify the format strings needed to print the buffer, which means we can print the content how we want to, to get to the flag. - The flag is loaded into the memory so it can be accessed by with string formatters as `%s` which copies the address content of the flag to the output. - By debbuging the program we got the following output: ![](https://i.imgur.com/Socq5n8.png) - So the flag address is 0x804c060 in every execution - So by changing the program ![](https://i.imgur.com/g75zjcw.png) -Running the proram the output is: ![](https://i.imgur.com/5O24ZYf.png) # Challenge 2 - After running checkseck I got the following results: ``` Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x8048000) ``` - Which are the same ones of the previous challenge. - Also the vulnerable line is the same: `printf(buffer)` without the formatting strings. - This time the flag.txt is not loaded into memory but we can access it by typing `cat flag.txt` in the shell called by the system inside the if statement that prints "Backdoor activated" - To reach that we have to find the address corresponding to the key and change its value ![](https://i.imgur.com/vhbtWFD.png) - By debbuging the program like we did before we now know the address of the key which is `0x804c034` and in the little-endian format the address is `\x34\xc0\x04\x08`. - We need to change the key value to `0xbeef` which is `48879` bytes in decimal by reaching the key address position with that value before we use `%n` to change its value and open the shell containing the flag file where we can use `cat flag.txt`. - Using the exploit program from the challenge 1 and making a few changes we can change the program so it writes the output in the terminal. The program will receive until "..." and then send the line. - The buffer is 4 bytes up the stack so we added the string "aaaa" before inserting the address of the key address. The address is 4 bytes long - After that since we already added 8 bytes instead of adding `48879` bytes to get the address `0xbeef`, we add `48871` bytes and only then we use the `%n` to change the value of the key and access the shell. ![](https://i.imgur.com/5iZhFOR.png) - After running the program the new shell opens as we can see by the "Backdoor activated" output and then we can see the flag.txt file. ![](https://i.imgur.com/zABJV5q.png)
Last changed by  
FSI l14g02
103

Read more

PFL_TP2_T08_Yoxii_4

Elementos: André Morais (50% contribuição) Lucas Sousa (50% contribuição) Instalação e Execução: Após instalar o SICTUS PROLOG é apenas preciso de consultar o ficheiro main.pl:consult('main.pl') e rodar o comando play. para poder começar a jogar. Descrição do jogo: Yoxii é um jogo que para ganhar devemos de circular o totem com as nossas peças mais fortes. O totem começa no centro do tabuleiro de jogo, que possui 37 quadrados e se assemelha a um retângulo sem cantos.

1/2/2023
LOGBOOK11

Task 1 In order to become a root CA we copied the openssl.cnf file to our directory, and edited it, created an empty index.txt file and a serial file with content 1000. We then used the following command to generate the ca.crt and ca.key: openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \ -keyout ca.key -out ca.crt \ -subj "/CN=www.modelCA.com/O=Model CA LTD./C=US" \ -passout pass:dees ca.crt:

12/22/2022
LOGBOOK 10

Tarefas #1 a #4 Task #1 To embed a javascript profile in our profile, in the editing page we typed <script>alert('XSS');</script> in the brief description area. Now when we view our profile, the script is executed and we see an alert with XSS. Task #2 In order to display a user's cookies, we typed the following script on our brief description section in the profile: <script>alert(document.cookie);</script>

12/8/2022
LOGBOOK 8

TASK 1: In this task, we interact with the MySQL database through a shell in the docker container. We login with mysql -u root -pdees, select the database Database changed and see the tables show tables;: We then use the SQL query SELECT * FROM credential WHERE name='alice'; to print Alice's information: | ID | Name | EID | Salary | birth | SSN | PhoneNumber | Address | Email | NickName | Password | | 1 | Alice | 10000 | 20000 | 9/20 | 10211002 ||||| fdbe918bdae83000aa54747fc95fe0470fff4976 | TASK 2.1 In order to login as an admin, we inject the the following username: admin'# or admin'--. Taking into account this query:

12/2/2022
Read more from FSI l14g02
Published on HackMD