https://hegzploit.github.io/tags/nahamctf22/Recent content in NahamCTF22 on HegzploitHugo -- gohugo.ioenme (AT) this domain (Yusuf Hegazy)me (AT) this domain (Yusuf Hegazy)&copy;{year}, All Rights ReservedSun, 01 May 2022 00:00:00 +0000weeklyhttps://hegzploit.github.io/writeups/babiersteps/Sun, 01 May 2022 00:00:00 +0000me (AT) this domain (Yusuf Hegazy)Sun, 01 May 2022 00:00:00 +0000https://hegzploit.github.io/writeups/babiersteps/<h2 id="checksec">Checksec</h2> <pre tabindex="0"><code>Canary : ✘ NX : ✓ PIE : ✘ Fortify : ✘ RelRO : Full </code></pre><p>We only care about the stack canary as we will be overflowing RIP to control execution flow, and thankfully It&rsquo;s disabled.</p> <h2 id="exploitation">Exploitation</h2> <h3 id="1-rip-control">1. RIP Control</h3> <p>We overflow the binary with a cyclic pattern, however, for this being a 64-bit binary we can&rsquo;t overflow RIP with a non-canonical address.</p> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> Canonical Address </button> <div class="expand__content"> An address is said to be canonical in the 64-bit world when the upper 16 bits are copies of the 48th bit. </div> </div> <p>The easiest way to find the RIP offset without overflowing RIP is by breaking at the <code>ret</code> instruction and searching for our pattern in <code>rsp</code>.</p>Yusuf Hegazyfeatured imagepwnNahamCTF22https://hegzploit.github.io/writeups/babysteps/Sun, 01 May 2022 00:00:00 +0000me (AT) this domain (Yusuf Hegazy)Sun, 01 May 2022 00:00:00 +0000https://hegzploit.github.io/writeups/babysteps/<h2 id="checksec">Checksec</h2> <p>It&rsquo;s an aboslute mess, nothing is turned on fortunately :)</p> <pre tabindex="0"><code>Canary : ✘ NX : ✘ PIE : ✘ Fortify : ✘ RelRO : Partial </code></pre><h2 id="exploitation">Exploitation</h2> <h3 id="1-eip-control">1. EIP Control</h3> <p>We obtain our offset very easily in GEF.<br /> <img src="https://hegzploit.github.io/writeups/babysteps/babysteps_offset.png" alt=""></p> <center> <p><img src="https://hegzploit.github.io/img/ach_offset.png" alt=""></p> </center> <h3 id="2-exploitation">2. Exploitation</h3> <p>We start by analyzing the stack at the overflown state.<br /> <img src="https://hegzploit.github.io/writeups/babysteps/babysteps_stackstate.png" alt=""></p> <p>Looking at the registers, It appears that only two registers point to our stack. <code>eax</code> and <code>esp</code>.</p> <p>We search for gadgets jumping to any of these registers.</p>Yusuf Hegazyfeatured imagepwnNahamCTF22https://hegzploit.github.io/writeups/detour/Sun, 01 May 2022 00:00:00 +0000me (AT) this domain (Yusuf Hegazy)Sun, 01 May 2022 00:00:00 +0000https://hegzploit.github.io/writeups/detour/<h2 id="checksec">Checksec</h2> <pre tabindex="0"><code>Canary : ✓ NX : ✓ PIE : ✘ Fortify : ✘ RelRO : ✘ </code></pre><p>RelRO is completely disabled unlike any other challenge we have encountered, this means that we have write permessions to all the relocations.</p> <h2 id="exploitation">Exploitation</h2> <p>Running the binary will let us specify an address and a value and then It will assign that value to the adderss we provided.</p> <pre tabindex="0"><code>hegz@pop-os$ ./detour What: 1234 Where: 123123123213 Segmentation fault (core dumped) </code></pre><p>I confirmed this by analyzing the binary in ghidra, below is the decompilation.</p>Yusuf Hegazyfeatured imagepwnNahamCTF22https://hegzploit.github.io/writeups/dweeno/Sun, 01 May 2022 00:00:00 +0000me (AT) this domain (Yusuf Hegazy)Sun, 01 May 2022 00:00:00 +0000https://hegzploit.github.io/writeups/dweeno/<details> <summary> Serial Output</summary> <pre tabindex="0"><code>00110011 00111001 00110100 00110010 00101110 00110100 01100100 01100011 00110111 01101101 01100101 01100111 01100010 00110110 00110011 01100110 01100010 01100001 00110111 01100100 01100100 01100000 00110011 01100010 00110110 01100110 00110000 01100111 00110011 01100011 01100111 01100111 00110001 01101101 01100001 00110111 00110110 00101000 </code></pre></details> <details> <summary> Wiring Diagram</summary> <p><img src="https://hegzploit.github.io/writeups/dweeno/sketch.jpg" alt=""></p> </details> <details> <summary> Arduino Code</summary> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c++" data-lang="c++"><span class="line"><span class="cl"><span class="kt">char</span> <span class="o">*</span> <span class="n">flag</span> <span class="o">=</span> <span class="s">&#34;REDACTED&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="n">String</span> <span class="n">curr</span><span class="p">,</span> <span class="n">first</span><span class="p">,</span> <span class="n">second</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="n">in1</span><span class="o">=</span><span class="mi">29</span><span class="p">,</span> <span class="n">in2</span><span class="o">=</span><span class="mi">27</span><span class="p">,</span> <span class="n">in3</span><span class="o">=</span><span class="mi">25</span><span class="p">,</span> <span class="n">in4</span><span class="o">=</span><span class="mi">23</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="n">out1</span><span class="o">=</span><span class="mi">53</span><span class="p">,</span> <span class="n">out2</span><span class="o">=</span><span class="mi">51</span><span class="p">,</span> <span class="n">out3</span><span class="o">=</span><span class="mi">49</span><span class="p">,</span> <span class="n">out4</span><span class="o">=</span><span class="mi">47</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="n">i</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">String</span> <span class="nf">get_output</span><span class="p">(</span><span class="n">String</span> <span class="n">bits</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">String</span> <span class="n">output</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">digitalWrite</span><span class="p">(</span><span class="n">out1</span><span class="p">,</span> <span class="p">((</span><span class="n">bits</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">==</span> <span class="sc">&#39;1&#39;</span><span class="p">)</span><span class="o">?</span> <span class="nl">HIGH</span> <span class="p">:</span> <span class="n">LOW</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">digitalWrite</span><span class="p">(</span><span class="n">out2</span><span class="p">,</span> <span class="p">((</span><span class="n">bits</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="sc">&#39;1&#39;</span><span class="p">)</span><span class="o">?</span> <span class="nl">HIGH</span> <span class="p">:</span> <span class="n">LOW</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">digitalWrite</span><span class="p">(</span><span class="n">out3</span><span class="p">,</span> <span class="p">((</span><span class="n">bits</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">==</span> <span class="sc">&#39;1&#39;</span><span class="p">)</span><span class="o">?</span> <span class="nl">HIGH</span> <span class="p">:</span> <span class="n">LOW</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">digitalWrite</span><span class="p">(</span><span class="n">out4</span><span class="p">,</span> <span class="p">((</span><span class="n">bits</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">==</span> <span class="sc">&#39;1&#39;</span><span class="p">)</span><span class="o">?</span> <span class="nl">HIGH</span> <span class="p">:</span> <span class="n">LOW</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">delay</span><span class="p">(</span><span class="mi">1000</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">output</span> <span class="o">+=</span> <span class="n">String</span><span class="p">(</span><span class="n">digitalRead</span><span class="p">(</span><span class="n">in1</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">output</span> <span class="o">+=</span> <span class="n">String</span><span class="p">(</span><span class="n">digitalRead</span><span class="p">(</span><span class="n">in2</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">output</span> <span class="o">+=</span> <span class="n">String</span><span class="p">(</span><span class="n">digitalRead</span><span class="p">(</span><span class="n">in3</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">output</span> <span class="o">+=</span> <span class="n">String</span><span class="p">(</span><span class="n">digitalRead</span><span class="p">(</span><span class="n">in4</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">output</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">//converts a given number into binary </span></span></span><span class="line"><span class="cl"><span class="n">String</span> <span class="nf">binary</span><span class="p">(</span><span class="kt">int</span> <span class="n">number</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">String</span> <span class="n">r</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span><span class="p">(</span><span class="n">number</span><span class="o">!=</span><span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span> <span class="o">=</span> <span class="p">(</span><span class="n">number</span> <span class="o">%</span> <span class="mi">2</span> <span class="o">==</span> <span class="mi">0</span> <span class="o">?</span> <span class="s">&#34;0&#34;</span> <span class="o">:</span> <span class="s">&#34;1&#34;</span><span class="p">)</span><span class="o">+</span><span class="n">r</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">number</span> <span class="o">/=</span> <span class="mi">2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="kt">int</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">length</span><span class="p">()</span> <span class="o">&lt;</span> <span class="mi">8</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span> <span class="o">=</span> <span class="s">&#34;0&#34;</span><span class="o">+</span><span class="n">r</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">r</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">setup</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">out1</span><span class="p">,</span> <span class="n">OUTPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">out2</span><span class="p">,</span> <span class="n">OUTPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">out3</span><span class="p">,</span> <span class="n">OUTPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">out4</span><span class="p">,</span> <span class="n">OUTPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">in1</span><span class="p">,</span> <span class="n">INPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">in2</span><span class="p">,</span> <span class="n">INPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">in3</span><span class="p">,</span> <span class="n">INPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">in4</span><span class="p">,</span> <span class="n">INPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Serial</span><span class="p">.</span><span class="n">begin</span><span class="p">(</span><span class="mi">9600</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">loop</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">i</span> <span class="o">&lt;</span> <span class="n">strlen</span><span class="p">(</span><span class="n">flag</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">curr</span> <span class="o">=</span> <span class="n">binary</span><span class="p">(</span><span class="n">flag</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">first</span> <span class="o">=</span> <span class="n">curr</span><span class="p">.</span><span class="n">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span><span class="mi">4</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">second</span> <span class="o">=</span> <span class="n">curr</span><span class="p">.</span><span class="n">substring</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span><span class="mi">8</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Serial</span><span class="p">.</span><span class="n">print</span><span class="p">(</span><span class="n">get_output</span><span class="p">(</span><span class="n">first</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">Serial</span><span class="p">.</span><span class="n">println</span><span class="p">(</span><span class="n">get_output</span><span class="p">(</span><span class="n">second</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">delay</span><span class="p">(</span><span class="mi">1000</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">i</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div></details> <p>Looking at the code we can break it down into a couple of steps:</p>Yusuf Hegazyfeatured imagepwnNahamCTF22Hardware