PWN7 : Hacktivity Bullseye challenge

Hello guys, this is a write-up for the Bullseye challenge.
If you don't have the binary and libc downloaded, you can find them in my github repo here :
You can also find the full exploit here (and some other challenges):
https://github.com/MaherAzzouzi/PWNing/tree/master/hacktivity



Let's go.

File:


We're dealing with a 64-bit binary that is not stripped.

Checksec :



* PIE is disabled, so ASLR doesn't apply to the binary itself and we already know the address of every function in the binary. Don't expect fixed libc addresses though: PIE only affects the binary's own mapping, and libc is still randomized.

* RelRO is partial, so the GOT stays writable and we can think about overwriting it.
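The two checksec columns the rest of this write-up depends on (PIE and RELRO) come from a handful of ELF fields, and it is worth knowing how a tool decides them rather than trusting a coloured table. The script below is an added example, not part of the original write-up or of any checksec tool: it reads the ELF64 header, looks for a PT_GNU_RELRO segment and for the BIND_NOW flag in the dynamic section, and reports the same "partial" vs "full" distinction. "Full" RELRO is what makes a GOT overwrite like the one in this post impossible, because the GOT is mapped read-only after relocation. The sample images are constructed in memory so the check runs offline; point `check_file` at the real challenge binary to check it the same way.

```python
import struct
import sys

# Constants from the ELF64 spec / elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def check_hardening(blob: bytes) -> dict:
    """Report PIE and RELRO state of a little-endian ELF64 image held in memory."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_ident, e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(blob, 0)

    has_relro = False   # PT_GNU_RELRO present: part of the data segment is re-mapped read-only after relocation
    bind_now = False    # all symbols resolved at load time, so the GOT is complete when RELRO is applied
    for i in range(e_phnum):
        p_type, _pflags, p_offset, *_rest = PHDR.unpack_from(blob, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            pos = p_offset
            while True:
                tag, val = DYN.unpack_from(blob, pos)
                if tag == DT_NULL:
                    break
                if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
                pos += DYN.size

    # checksec's rule: full RELRO needs both the segment and BIND_NOW; the segment alone is partial
    relro = "full" if (has_relro and bind_now) else ("partial" if has_relro else "none")
    # ET_DYN means position-independent (shared objects are ET_DYN too; a fuller
    # check would also require PT_INTERP or DF_1_PIE before calling it a PIE executable)
    return {"pie": e_type == ET_DYN, "relro": relro, "got_writable_at_runtime": relro != "full"}


def check_file(path: str) -> dict:
    """Run the check on an ELF file on disk (e.g. the challenge binary)."""
    with open(path, "rb") as fh:
        return check_hardening(fh.read())


def build_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image: header, program headers and a dynamic
    section only. It is not loadable, just enough to exercise the checker."""
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    nph = 2 if relro else 1
    dyn_off = EHDR.size + PHDR.size * nph
    phdrs = [PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0x2000, 0x2000, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, 0x2000, 0x2000, len(dyn), len(dyn), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1000,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, nph, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_file(sys.argv[1]))
    else:
        # constructed samples: the write-up's situation (no PIE, partial RELRO) versus a hardened build
        print("no-pie / partial :", check_hardening(build_elf(pie=False, relro=True, bind_now=False)))
        print("pie / full       :", check_hardening(build_elf(pie=True, relro=True, bind_now=True)))
```

A build linked with `-Wl,-z,relro,-z,now` (and `-pie`) reports full RELRO and PIE; that is the configuration in which the GOT overwrites described later in this post would fault instead of succeeding.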

Reverse engineering :

I will be using ghidra.
Open ghidra, create a new project, name it 'bullseye', and import the binary we have.
Go to Functions and filter for main (because the binary is not stripped, you can find main easily just by searching for it).



Double click 'main' under Exports and wait for it to decompile...
This is what you will see after it finishes.


This is what main does :

* It just gives you a "write what where" primitive.
* After the first "write what where", the program gives us a libc leak: the address of the alarm function.
* main doesn't return; it finishes with exit(0).

Plan:

* Because one "write what where" isn't enough, the program uses exit() as I said, and RelRO is partial, I can use the first write to change exit@got to main, and now I have infinite writes.

* After the first write, the program gives us a libc leak, so we can easily calculate the libc base address, and then we know the address of the system() function.

* Now I'm gonna change strtoull@got to system(). I chose strtoull because it receives my input as its first argument, which is perfect for system(): instead of giving an address I will be giving "/bin/sh" or just "sh".

Exploit:

I defined this helper function :



For the first part, exit@got -> main :

Here I also changed sleep@GOT to a ret, just to not wait 0xf seconds after each iteration of main.
It's not necessary I think.


This part leaks alarm and calculates the libc base address :


This part changes strtoull@GOT to system()
and sends sh to get a shell :


This is what the binary looks like after these modifications:


Hope this helps you understand something new.