Heap Exploit (ret2win) - "Hellbound" Pwn Challenge [HackTheBox Cyber Apocalypse CTF 2022]

  • Published on 29 Oct 2024

Comments • 26

  • @bloombusta
    @bloombusta 2 years ago +9

    missed the ctf and still made a video. what a legend

  • @_techwaves
    @_techwaves 2 years ago +2

    Wow! Great explanation 💯

  • @roderickchan01
    @roderickchan01 2 years ago +2

    Good job👍

  • @jonathanhoyos8191
    @jonathanhoyos8191 2 years ago +2

    Dude are u gonna do the Web challenges too? Nice pwn's video ✌🏻

    • @_CryptoCat
      @_CryptoCat 2 years ago

      thanks mate! don't think i'll get time to do any more.. maybe if HTB move some of them to retired challenges i will add to the playlist at some point 🙂

  • @Fever1984
    @Fever1984 2 years ago +3

    Any chance in a going deeper walkthrough 🙏🙏 love the videos!

    • @_CryptoCat
      @_CryptoCat 2 years ago

      thanks 🙏🥰 going deeper on anything in particular?
      edit: just realised you were talking about a walkthrough for the "going deeper" challenge 😂 request noted! might do another video if i get time 😉

  • @daniel01045
    @daniel01045 1 year ago +2

    I was going to ask if you can make a good tutorial for heap stuff, but after watching this....
    Can you recommend any good resources for learning heap exploitation?

    • @_CryptoCat
      @_CryptoCat 1 year ago +1

      Heap tutorials have been on my TODO list for a while but I'd need to do soooo much prep for them to be worth watching, I just don't have time >.< Here's some of my favourite pwn resources: github.com/Crypto-Cat/CTF/tree/main/pwn/binary_exploitation_101#additional-resources-for-learning-pwn - Exploit Education, How2Heap and PwnCollege are probably good starting places. If you search my channel I've done a couple of other heap CTF challenges as well. Finally, Max Kamper did a nice intro to some of the common heap exploits: th-cam.com/video/6-Et7M7qJJg/w-d-xo.html

    • @daniel01045
      @daniel01045 1 year ago +1

      @_CryptoCat thanks a ton, will take a look! some look great!

  • @Randomname6133
    @Randomname6133 2 years ago +2

    Any chance of doing a walkthrough of the forensics puppeteer challenge? or any forensics and cryptography challenge

    • @_CryptoCat
      @_CryptoCat 2 years ago

      Doubt it but here's a good writeup for puppeteer: serioton.notion.site/Puppeteer-3c244a7b56334cc4829dfd35bf7f9a7c

  • @digitalcyclone7218
    @digitalcyclone7218 2 years ago +2

    the thing i'm confused about though is how reading into buffer[0] causes this exploit path to work
    since read() requires a pointer, wouldn't buffer[0] translate to the malloc() address, and thus, make us only write to THAT address rather than the buffer itself? I assume I'm wrong but I want to know how since once the "writing directly to the buffer" concept makes sense everything else seems standard.

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      let me try and summarise the process as i understand it.. i'm a n00b when it comes to all things heap so don't quote me on this:
      1) when we read([0x0, return_address]), it's writing [0x0, return_address] to the chunk on the heap, pointed to by buffer[0] (the pointer returned from malloc)
      2) right now, we have buffer[0]->[0x0, return_address] so when we call option 3, it moves the pointer forward 8 bytes so buffer[0]->[return_address]
      3) now when we read([bezerk_mode_off, 0x0]), it's writing the address of bezerk_mode_off to the address pointed to by buffer[0], i.e. overwriting the return address on the stack
      4) if we used option 69 now, it would try to free our chunk (causing an error) so we move the pointer forward again with option 3 (it now points to our 0x0, so free(NULL) won't create error)
      hopefully the answer to your question is in there somewhere 😅

    • @digitalcyclone7218
      @digitalcyclone7218 2 years ago +1

      @_CryptoCat i suppose it makes sense, but wouldn't the malloc() address plus 8 just be an address that's in the heap but points to the return address location?
      since we write to buff[0] == malloc_addr, we'd get buff[0] == malloc_addr == [0x0, ret]
      then when we increment by 8 bytes, instead of buff[0] == ret, it'd be buff[0] == malloc_addr+8 == ret? afterwards, when we write the win function, we get buff[0] == malloc_addr+8 == [win, 0x0]?
      (since we write to buff[0] == malloc_addr+8)
      idk, i'm probably *really* missing something. lol.

    • @_CryptoCat
      @_CryptoCat 2 years ago

      @digitalcyclone7218 "wouldn't the malloc() address plus 8 just be an address that's in the heap but points to the return address location?"
      malloc() returns a pointer to the base of the allocated chunk on the heap (stored in *buffer[0]), so plus 8 would be the return address location that we wrote with read().
      sounds correct to me.. but i'm probably missing something as well 😂

    • @digitalcyclone7218
      @digitalcyclone7218 2 years ago +1

      @_CryptoCat OHHH; I think I get how it works now.
      I was reading the code again and I realized that the "3" option takes the value of buffer[0] (the malloc() PTR result) and increments by 8
      then the new pointer (malloc+8) gets dereferenced, and the dereference result is stored as buffer[0], which since the return address is written to malloc+8 it makes buffer[0] point to the return address since *(malloc+8 -> ret_addr) == (ret_addr)
      i'm still a bit confused but i think i get it now lol, thank you so much for the help!! :)
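A constructed C model of the two readings of "option 3" debated in this thread (added example, not the challenge's code and not CryptoCat's): `chunk[]`, `stack[]`, the cursor and the placeholder values are assumptions standing in for the malloc()'d chunk, the stack words at the saved return address, and buffer[0]. It shows that only the dereference reading makes the second write land in the return-address slot and leaves the cursor NULL for the final free().

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins (assumption, not real addresses): chunk[] is the
 * malloc()'d chunk, stack[] the two stack words starting at the saved return
 * address, and `cursor` plays the role of buffer[0]. */
static uint64_t chunk[4];
static uint64_t stack[2];

/* Reading A (pointer arithmetic): the cursor just moves 8 bytes along. */
static uint64_t *advance_by_arith(uint64_t *cursor) {
    return cursor + 1;
}

/* Reading B (pointer dereference, the one the thread settles on): the word
 * 8 bytes past the cursor is loaded and *becomes* the cursor, so a value the
 * user stored in the chunk is trusted as a pointer. That trust is the bug;
 * a safe cursor would stay an index bounded to the chunk's own size. */
static uint64_t *advance_by_deref(uint64_t *cursor) {
    uintptr_t raw;
    memcpy(&raw, (const char *)cursor + 8, sizeof raw);  /* aliasing-safe load */
    return (uint64_t *)raw;
}

/* Runs the thread's sequence: write [0x0, &stack[0]] into the chunk, option 3,
 * write [value, 0x0] through the cursor, option 3 again. Returns the final
 * cursor; *out_ret receives what the return-address slot holds afterwards. */
static uint64_t *simulate(uint64_t *(*advance)(uint64_t *), uint64_t value,
                          uint64_t *out_ret) {
    stack[0] = 0x1111; stack[1] = 0x2222;          /* placeholder stack words */
    memset(chunk, 0, sizeof chunk);
    chunk[1] = (uint64_t)(uintptr_t)&stack[0];    /* first read(): [0x0, ret_addr] */
    uint64_t *cursor = chunk;                      /* buffer[0] = malloc(...) */
    cursor = advance(cursor);                      /* option 3 */
    uint64_t words[2] = { value, 0 };
    memcpy(cursor, words, sizeof words);           /* second read(): [win, 0x0] */
    cursor = advance(cursor);                      /* option 3 again */
    *out_ret = stack[0];
    return cursor;
}

int main(void) {
    uint64_t ret;
    uint64_t *c = simulate(advance_by_arith, 0x4242, &ret);
    printf("arith: ret slot=%#llx, cursor inside chunk=%d\n",
           (unsigned long long)ret, c >= chunk && c < chunk + 4);
    c = simulate(advance_by_deref, 0x4242, &ret);
    printf("deref: ret slot=%#llx, cursor=%p (NULL, so free() is harmless)\n",
           (unsigned long long)ret, (void *)c);
    return 0;
}
```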

  • @quantum4691
    @quantum4691 2 years ago +2

    Thank you!
    Can you make a walkthrough to the space Pirate entry Point?

    • @_CryptoCat
      @_CryptoCat 2 years ago

      ty 🥰 I probably won't get a chance to make any more, but here's some writeups for that challenge: ctftime.org/task/21447

  • @kiedysbedemilionerem2414
    @kiedysbedemilionerem2414 2 years ago +2

    Please make a video with space pirate entrypoint. Please... I made all challenges from pwn but I had a huge problem with space pirate entrypoint :(

    • @kiedysbedemilionerem2414
      @kiedysbedemilionerem2414 2 years ago +1

      Or you can just tell me wtf. Password was 15+ length, but we could give only max 15 letters in password

    • @_CryptoCat
      @_CryptoCat 2 years ago

      I didn't do it but there's a couple of write-ups here: ctftime.org/task/21447 - I think I heard there was a bug with that challenge at the beginning, so it gave the flag when you entered the incorrect password.. Might have been a different one though

  • @fabiorj2008
    @fabiorj2008 2 years ago +2

    hi nice video, thx for your time. Can you share the link of this ghidra auto script w

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      thanks mate! here ya go: gist.github.com/liba2k/d522b4f20632c4581af728b286028f8f - you can change the auto delay (i reduced to 1)