PWN101 Walkthrough | TryHackMe

Hello, infosec 👋

I’m back with another one after a short-term break. I’m exterior the box to make new connections, Social relationships and take care of my mental health. But today, I planned to solve some binary exploitation challenges & I wrote this walkthrough of 3 challenges from PWN101 — TryHackMe.

PWN101 is a free room created by Jopraveen on TryHackMe, which means anyone can deploy virtual machines in the room (without being subscribed)!

You can see it’s the Binary Exploitation challenges.
I’m triggered!

So let’s start, shall we…?

Challenge 1: Buffer overflow

• Abusing a call to a vulnerable function (gets) to accomplish a buffer overflow and overwrite the value of a variable stored in the stack. By overwriting, we can spawn a shell

I downloaded the attachment and analyzed the file. The result showed underneath.

Let’s do this

After running the binary, I get that it inquires for client input as ingredients. Hmmm… cool! :)

The peculiar thing was that when I gave some bulk input, I got the shell

Now it’s time to analyze the binary, And at the moment itself, I’m able to understand the flaw.

gets() function

Now it’s just a matter of finding out the offset and fair affirming the segmentation fault. Checking “A”*80 (80 A’s) returns segmentation fault. Also, identical in every case > 72 A’s. By gradually examining the process, I identified that the proper offset is 60!

less than 60: no changes, gift (shell) provides if input > 60

Exploitation

The abuse is straightforward. We ought to send the bulk values to the given server & allocated port. And in this way, the shell from the server will return to us. I created a simple python script for accomplishing the pursuit & it functioned as intended ;)

exploit.py

Nailed it! Successfully cracked the challenge 1

;)

Challenge 2: Modify the variable’s value

• For cracking the second challenge, I reversed the binary & determined how it’s intended to solve! Here we gonna alter specific values at typical addresses & at that point, we can spawn the shell :)

0x000000000000091a <+28>: mov DWORD PTR [rbp-0x4],0xbadf00d
0x0000000000000921 <+35>: mov DWORD PTR [rbp-0x8],0xfee1dead

We know the current value

• [rbp-0x4] is 0xbadf00d
• [rbp-0x8] is 0xfee1dead

0x0000000000000959 <+91>: cmp DWORD PTR [rbp-0x4],0xc0ff33
0x0000000000000960 <+98>: jne 0x992 <main+148>
0x0000000000000962 <+100>: cmp DWORD PTR [rbp-0x8],0xc0d3

• At the address “0x0000000000000959” it checks whether [rbp-0x4] is 0xc0ff33
• At “0x0000000000000962” it checks whether [rbp-0x8] is 0xc0d3
• If the condition satisfies it’ll continue to execute at → 0x000000000000096b <+109>
• Else it’ll jump to <main+148> it doesn’t return the shell.

Reason: I already mentioned, the values are still

• [rbp-0x4]: 0xbadf00d
• [rbp-0x8]: 0xfee1dead

Solution

• We have to redirect the execution to crack this challenge. Once the requirement is satisfied, we can pop up the shell. We only have to make the execution probable at the address “0x55555540096b <main+109>”
• I cracked it by Reversing. But in terms of binary exploitation, we need to do some more auxiliary stuff.

Proof:

Shell pops up ;)

So I concocted a simple exploit for this challenge, as we know the service running on port: 9002

Offset calculated during reversing. It was pretty straightforward!

• Overflowing the buffer and overwriting memory in such a way, we can modify the value for popping up the shell.

Exploit

Nailed it! Successfully cracked the challenge 2

;)

Challenge 3: Return to win

• For cracking the third challenge, I execute the binary & comprehend its functioning. I reversed the binary (my same methodology) for mind-mapping. Here we return the pointer to a distinct address for popping up the shell.

1st I executed the program & comprehend the flow.

Abides user input

I checked every option, and the interesting one is the third

• General:

It carries the user input, and also, there’s a glimmer of vulnerability. I checked by surging the bulk input into it, & I was correct!

segmentation fault (core dumped)

Reverse Engineering

Towards the goal, I’ve to apprehend & want to check in-depth. Thus I reversed the binary for understanding the premeditated solution. I’m clarifying the steps which I heeded!

<general>

Overflow confirmed, we can see “_isoc99_scanf” which is likely our scanf calls.

_isoc99_scanf

Overflow

Solution

• Overwrite the memory & transform the execution to a distinct location. So the following objective is to designate the distinct location where to return the execution.
• By reversing itself, we can discover our terminus.

admins_only

Once we manage to execute this function, the shell will pops-up. I proved the scenario by using gdb

• I placed the breakpoint & redirect the flow to ensure the case. I was right about my decision. The shell pops up ;)

Yaay! We got the shell

Exploitation

All information accumulated was nicely operated (while reversing). I materialized the exploit from the local machine & it was flourishing.

Successfully diverted the execution flow…!

local.py

Final Exploit

• Some hardships exist during exploitation, but I found a solution. I’d inserted the return address multi times to establish the stable shell. Thus the execution struck & Shell is up after triggering the “admins_only” function.

And the strategy was likewise successful!
Successfully cracked the challenge 3

Job done :)

Final thoughts

• There’re plenty of challenges left to do. But unfortunately, I can’t stick on. My internal assessment by the university is running & the current semester is hectic. And also, I have a lot more to explore outdoor.
• I’m happy to understand that I can crack challenges after a break. I’ll reach around shortly to infosec & will proceed with my exploit development series.

GitHub - 7h3h4ckv157/Binary-exploitation-series: A series of writes about "Binary Exploitation".

I hope you relished my write-up. Feel free to connect & share your views with me. You can find me here @•7h3h4ckv157

see you again!