Binary Exploitation (Pwn) Challenge Walkthroughs - PicoCTF 2022 (BEGINNER-FRIENDLY Capture The Flag)
- Published on 7 Jul 2024
- Binary Exploitation (Pwn) challenge walkthroughs for the Pico Capture The Flag competition 2022 (picoCTF). We'll cover buffer overflows, ret2win (x86/x64), canary brute force, format string vulnerabilities (leak), ROP chains, function pointer overwrite, stack caching and more! We'll use Ghidra, GDB (PwnDbg), python, PwnTools, ropper and Cyber-Chef. Write-ups/tutorials aimed at beginners - Hope you enjoy 🙂 #Pwn #BinaryExploitation #BinExp #CTF #CaptureTheFlag #Pico #PicoCTF #PicoCTF2022
↢Social Media↣
Twitter: / _cryptocat
GitHub: github.com/Crypto-Cat/CTF
HackTheBox: app.hackthebox.eu/profile/11897
LinkedIn: / cryptocat
Reddit: / _cryptocat23
TH-cam: / cryptocat23
Twitch: / cryptocat23
↢PicoCTF↣
ctftime.org/event/1578/
play.picoctf.org/events/70/ch...
picoctf.org/discord
/ picoctf
↢Resources↣
Ghidra: ghidra-sre.org/CheatSheet.html
Volatility: github.com/volatilityfoundati...
PwnTools: github.com/Gallopsled/pwntool...
CyberChef: gchq.github.io/CyberChef
DCode: www.dcode.fr/en
HackTricks: book.hacktricks.xyz/pentestin...
CTF Tools: github.com/apsdehal/awesome-ctf
Forensics: cugu.github.io/awesome-forensics
Decompile Code: www.decompiler.com
Run Code: tio.run
↢Chapters↣
Start: 0:00
basic-file-exploit: 0:15
CVE-XXXX-XXXX: 2:17
RPS: 3:16
buffer overflow 0: 7:22
buffer overflow 1: 11:59
buffer overflow 2: 23:59
buffer overflow 3: 27:56
x-sixty-what: 39:28
flag leak: 43:54
ropfu: 50:02
wine: 1:01:53
function overwrite: 1:04:43
stack cache: 1:16:31
End: 1:20:38 - Science & Technology
Somebody let me know of another solution to RPS which I thought was cool so I'll share here:
Notice at 5:19, line 90 has the check to see if we win the round. strstr() is actually checking if the "loses[computer_turn]" string is in the "player_turn" string. The possibilities for the computer turn are "rock", "paper", "scissors", so if the player submits "rock paper scissors" every round, this condition will always be true, and the player will always win 😁
nice
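The strstr() win check from the pinned comment, modelled in C beside an exact-match version. This is an added example, not the picoCTF RPS source: the move names are the challenge's, but the array order, the index numbering and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the challenge source): a model of the RPS win check.
 * loses[i] is the player move that beats computer move i; the array order
 * and index numbering are assumptions. */
enum { N_MOVES = 3 };
static const char *loses[N_MOVES] = {"paper", "scissors", "rock"};

/* The check as described: a substring match. Any input that merely
 * contains the winning move name counts as a win. */
int wins_substring(const char *player_turn, int computer_turn) {
    return strstr(player_turn, loses[computer_turn]) != NULL;
}

/* Hardened check: the input must be exactly one move name. */
int wins_exact(const char *player_turn, int computer_turn) {
    return strcmp(player_turn, loses[computer_turn]) == 0;
}

/* How many of the three possible computer moves does this input beat? */
int rounds_won(int (*check)(const char *, int), const char *player_turn) {
    int won = 0;
    for (int turn = 0; turn < N_MOVES; turn++)
        won += check(player_turn, turn);
    return won;
}

int main(void) {
    /* Constructed sample inputs: a normal move and the "all moves" string. */
    const char *inputs[] = {"rock", "rock paper scissors"};
    for (int i = 0; i < 2; i++)
        printf("%-20s substring: %d/3  exact: %d/3\n", inputs[i],
               rounds_won(wins_substring, inputs[i]),
               rounds_won(wins_exact, inputs[i]));
    return 0;
}
```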
Doesn’t your rand() seed method have a race condition? Unless I’m missing something I’m surprised it worked over a client/server env. because who’s to say that the server time is synchronized to your client time and also what time zone that is for that matter.
In the flag leak challenge, I leaked a number of stack values in hex, then used CyberChef to decode the values and fix the endianness.
Keep up the good work, CryptoCat!
Nice! I noticed it was possible to both e.g. leak values (%x or %p) then convert from hex OR use string format (%s). thanks 🥰
you are amazing Bro..keep going💙
thanks mate 💜
I've just noticed the way you did the RPS challenge is different and interesting from the way I approached it. I recognized that the program just checks if the proper value is there; if not, it will count it as a wrong answer. So what I did is type "rock paper scissors" at every prompt and it'll always be right.
Somebody told me this solution earlier, very cool! I completely missed it 😂
@_CryptoCat Yeah I just saw the pinned comment lol
Good job, brother. I like your video very much.
thanks bro 🥰
Well done as usual!
BTW, can you share the link to download your gear aka VM configurations?
I usually use kali
Thanks 🥰 I'm using ParrotOS which you can get here: www.parrotsec.org/ - it's got a lot of the same tools as Kali pre-installed. I've been using the current VM for a couple of years so I've added a lot of tools / customisations over time, but not really in a way I can easily share the changes 😆
I'm quite confused about buffer overflow 3. When we were brute forcing the canary, I thought the right input would be 'tset' and not 'test' because of endianness. Any explanations?
Oh, good question! Before I looked back at the challenge, I thought it was in little endian format, because I set the context.binary at the beginning of the script. Therefore, pwntools knows what architecture, endianness etc., so when calling pack() or flat() in my case, it will pack/flatten the payload into little endian format. *However,* in this instance endianness doesn't actually apply because the canary is a string (array of bytes in C).
@_CryptoCat Thanks for the quick answer!!
Hello, old video I know, but quick question if you're still around:
In buffer overflow 1, you incorrectly typed the return address to the win function 080491f6 (so \xf6\x91\x04\x08) as 80491f6 (so \xf6\x91\x49\x80). However, I don't understand how you still got it to work despite this, using the script as well as using (cat payload; echo) | ./vuln
Hi mate, so the padded zeroes can be skipped here. Entering 0x80491f6 doesn't give a 32 bit address, so it will be interpreted as 0x080491f6 - if we had provided 0x491f6 it would have padded the address with zeroes to make it 32 bit as well, e.g. 0x000491f6 (this wouldn't be a valid address though, so it would crash).
Here's an explanation for the second part of your Q - stackoverflow.com/a/72244465
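The two points from the replies above (the buffer overflow 3 canary being a char array, so no byte swapping applies, and 0x80491f6 packing to the same four bytes as 0x080491f6) modelled in C. This is an added example, not the challenge source or the solve script; the function names, the 4-byte canary length and a little-endian (x86) host are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge source. Function names and the
 * 4-byte canary length are assumptions; a little-endian host is assumed. */
#define CANARY_LEN 4

/* buffer overflow 3 style: the canary is a char array, so the stack
 * bytes are compared in memory order. "test" stays "test", never "tset". */
int string_canary_ok(const unsigned char *stack_bytes, const char *canary) {
    return memcmp(stack_bytes, canary, CANARY_LEN) == 0;
}

/* Contrast: an integer canary is stored little-endian on x86, so the
 * bytes on the stack are the reverse of the constant as written. */
int int_canary_ok(const unsigned char *stack_bytes, uint32_t canary) {
    uint32_t on_stack;
    memcpy(&on_stack, stack_bytes, sizeof on_stack);
    return on_stack == canary;
}

/* What p32() does with a return address: 0x80491f6 and 0x080491f6 are the
 * same 32-bit value, so both give f6 91 04 08; a short value such as
 * 0x491f6 is zero-extended to f6 91 04 00. */
void pack_le32(uint32_t value, unsigned char out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(value >> (8 * i));
}

int main(void) {
    unsigned char stack[4] = {'t', 'e', 's', 't'};   /* constructed sample */
    unsigned char addr[4];
    printf("string canary 'test': %d, 'tset': %d\n",
           string_canary_ok(stack, "test"), string_canary_ok(stack, "tset"));
    printf("integer canary 0x74736574: %d\n", int_canary_ok(stack, 0x74736574u));
    pack_le32(0x80491f6u, addr);
    printf("p32(0x80491f6) = %02x %02x %02x %02x\n",
           addr[0], addr[1], addr[2], addr[3]);
    return 0;
}
```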
@_CryptoCat Appreciate the quick reply! Thanks.
np mate 👊
For RPS I did it in the webshell so I didn't have to sleep at all. I think they're on the same network or something
Ahhh that makes sense, ty 😊
Hello, thank you, your explanation is all right. Please, do you have videos on forensics?
Sure! th-cam.com/video/V_Hm6P00IwU/w-d-xo.html
Seriously, you explain; thanks to your videos I understood a little reverse engineering. Thank you.
@cheikinaadamo6634 thank you mate 💟
Can you please go to hack the box tier 1 responder and do a walkthrough
Yes mate! Check back Sunday 😉
Where did you find the python script for the stack cache challenge? Did you write it yourself?
Yeah, I wrote it, although I use a pwntools template so didn't have to write much really..
here's the solve script: github.com/Crypto-Cat/CTF/blob/main/ctf_events/pico_22/pwn/stack_cache/exploit.py
and here's the template:
github.com/Crypto-Cat/CTF/blob/main/pwn/official_template.py
Good video keep it up ❤
Also, can you give me the link to the Ghidra script that you used to open the binary? And thanks.
Thanks mate 🥰 Here's the auto script: gist.github.com/liba2k/d522b4f20632c4581af728b286028f8f - I changed the auto-analysis time in mine to 1 second for an extra speed boost 😊
Please, I need the script you use to open a temporary Ghidra project.
Here's the auto script: gist.github.com/liba2k/d522b4f20632c4581af728b286028f8f - I changed the auto-analysis time in mine to 1 second for an extra speed boost 😊