# Binary Range

## Challenge 1-4

![image](https://hackmd.io/_uploads/SkG9lz-3ee.png)

* Cesar FTP buffer overflow exploit
* https://www.exploit-db.com/exploits/16713
* ![image](https://hackmd.io/_uploads/r14SVXZhgx.png)

## Answer

* Challenge 1:`n`
* Challenge 2:`671`
* Challenge 3:`False`
* Challenge 4:

## Challenge 5-14

* The credentials for the `.125` host have to be brute-forced yourself.

```zsh=
[22][ssh] host: 172.25.120.125 login: admin password: Pa$$w0rd123
```

![image](https://hackmd.io/_uploads/B1d1Lf9hle.png)
![image](https://hackmd.io/_uploads/HJkbUfc2lx.png)

* ![image](https://hackmd.io/_uploads/Hk2T8Gchex.png)
* ![image](https://hackmd.io/_uploads/BJFxvz93ee.png)
* Open `ghidra` and search
* ![image](https://hackmd.io/_uploads/SyuAsM9ngg.png)
* ![image](https://hackmd.io/_uploads/BJ0yrmchgx.png)
* ![image](https://hackmd.io/_uploads/rkX8S75hgg.png)
* ![image](https://hackmd.io/_uploads/r18drX9hex.png)

## Answer

* Challenge 5:`32`
* Challenge 6:`64`
* Challenge 7:`False`
* Challenge 8:`8681`
* Challenge 9:
* Challenge 10:`Enabled`
* Challenge 11:`Disabled`
* Challenge 12:`Disabled`
* Challenge 13:`32`
* Challenge 14:`32`

## Challenge 15-25

![image](https://hackmd.io/_uploads/HJsnr7cnge.png)
![image](https://hackmd.io/_uploads/B1Dk87c3le.png)
![image](https://hackmd.io/_uploads/rJkeLXqnge.png)

* Found SSH listening on port 60000
* ![image](https://hackmd.io/_uploads/Hk0igIc2xg.png)
* ![image](https://hackmd.io/_uploads/S1J--8c3ex.png)
* `student:studentpassword`

```zsh=
nmap -p- -sV -sC -T3 -v -Pn 172.25.120.240
```

* ![image](https://hackmd.io/_uploads/BkviXUqnxx.png)
* ![image](https://hackmd.io/_uploads/ByGv4L53el.png)
* ![image](https://hackmd.io/_uploads/HyC-B85neg.png)

```zsh=
readelf -h rp-lin-x86
```

* ![image](https://hackmd.io/_uploads/ByNtBI53xg.png)
* ![image](https://hackmd.io/_uploads/HkgdCrI9hge.png)
* First find rbp, which is at `0x7fffffffe580`. The Ghidra decompilation shows that the canary (`local_10`) sits at rbp - `0x10`, so use gdb to compute the canary address: `0x7fffffffe570`.
* ![image](https://hackmd.io/_uploads/S12Pevcngl.png)
* ![image](https://hackmd.io/_uploads/SJtLGDc3gx.png)

```zsh=
gdb -q one.exe
(gdb) break main
(gdb) r
(gdb) info frame
(gdb) p/x $rbp - 0x10
```

* After generating the pattern, continue running the program. Once it crashes, look at the canary address found earlier: it now holds part of the payload we sent (0x4141334141644141). Compute the offset of that string in the pattern; offset + 1 is the answer.
* ![image](https://hackmd.io/_uploads/BJLTGP9nxx.png)
* ![image](https://hackmd.io/_uploads/SJ8vQwqhxg.png)

```zsh=
(gdb) pattern create 120
(gdb) continue
(gdb) AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAA
(gdb) x/gx 0x7fffffffe570
(gdb) pattern offset 0x4141334141644141
```

* ![image](https://hackmd.io/_uploads/HyIPM89nll.png)
* ![image](https://hackmd.io/_uploads/rkaOGUc3le.png)

## Answer

* Challenge 15:`7.6p1`
* Challenge 16:`Stripped`
* Challenge 17:`ROP`
* Challenge 18:`intel`
* Challenge 19:`52`
* Challenge 20:`False`
* Challenge 21:`64`
* Challenge 22:`65`
* Challenge 23:`Enabled`
* Challenge 24:`INTRANET--BINARIES`
* Challenge 25:`INTRANET-ROOT`
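
The canary offset calculation from the Challenge 15-25 walkthrough, as an added example that is not part of the original writeup: it turns the qword read at the canary address back into little-endian bytes and locates them in the 120-byte pattern. The function names are assumptions of this example; the addresses, pattern and qword are the values shown in the gdb session.

```python
import struct

# Pattern printed by `pattern create 120` in the gdb session on this page.
PATTERN = (
    b"AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH"
    b"AAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAA"
)

def canary_address(rbp: int, slot: int = 0x10) -> int:
    """Address of the canary slot; Ghidra shows local_10 at rbp - 0x10."""
    return rbp - slot

def pattern_offset(pattern: bytes, qword: int) -> int:
    """Offset in `pattern` of the 8 bytes that `x/gx` printed as `qword`.

    x86-64 is little-endian, so the lowest byte of the printed value is the
    first byte in memory; repack the integer to recover the memory order.
    """
    needle = struct.pack("<Q", qword)
    first = pattern.find(needle)
    if first < 0:
        # The slot still holds a value that is not pattern data, i.e. the
        # input never reached the canary.
        raise ValueError("qword is not part of the pattern")
    if pattern.find(needle, first + 1) >= 0:
        raise ValueError("qword occurs more than once; offset is ambiguous")
    return first

def first_clobbering_length(pattern: bytes, qword: int) -> int:
    """Smallest input length that changes the canary.

    `offset` bytes fill the buffer up to the canary without touching it;
    one more byte lands on the canary's first byte.
    """
    return pattern_offset(pattern, qword) + 1

if __name__ == "__main__":
    addr = canary_address(0x7FFFFFFFE580)
    leaked = 0x4141334141644141  # value read with x/gx at the canary address
    print(f"canary slot        : {addr:#x}")
    print(f"bytes in memory    : {struct.pack('<Q', leaked)!r}")
    print(f"bytes before canary: {pattern_offset(PATTERN, leaked)}")
    print(f"first length that corrupts the canary: "
          f"{first_clobbering_length(PATTERN, leaked)}")
```
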