October 25, 2022 at 3:10 PM
it's getting tougher

October 25, 2022 at 3:25 PM
(October 25, 2022, 02:49 PM) 11231123 Wrote:
    (October 25, 2022, 02:44 PM) fkrch1978tze Wrote:
        Forensics - Day 4
        1. Wireshark > Right click anywhere > Follow TCP Stream > Find the URL
        2. Volatility > Use the custom profile they gave you > "volatility -f mem.dmp --profile=LinuxUbuntu_4_15_0-184-generic_profilex64 linux_bash" > See in bash history that "./configure" is the last thing they typed
        3. Wireshark again > File > Export Objects > Download the Zip file > "md5sum configure"
        4. On the "configure" file > "strings | grep python"
        5. & 6. Run Ghidra or any decompiler on the "configure" file and find the function
    I suggest using https://github.com/extremecoders-re/pyinstxtractor and uncompyle6 for questions 5 and 6.
Didn't know those tools, looks better than a heavy-duty Ghidra sometimes. Thx for the tips

October 25, 2022 at 3:30 PM
thanks

October 25, 2022 at 3:35 PM
thanks

October 25, 2022 at 3:36 PM
(October 25, 2022, 01:05 PM) Hacker2222 Wrote:
    plz discuss day 4 challenges here
    reversing challenge:
thanks

October 25, 2022 at 3:45 PM
check it out

October 25, 2022 at 3:53 PM
(October 25, 2022, 02:29 PM) Meep Wrote:
    Pwn day 4 is a string format exploit using %n to override something. Not working reading in on it.
Idk if it is, though. In main:
    char local_154 [12];
    char local_148 [312];
    __isoc99_scanf("%299s", local_148);
    printf(local_148);
So, it's taking 299 bytes from the local_148 buffer, which means that there should be a 13 byte overflow, right? Unless I'm completely off base, which has been known to happen.

October 25, 2022 at 3:56 PM
niceee

October 25, 2022 at 3:57 PM
(October 25, 2022, 03:53 PM) karhu Wrote:
    (October 25, 2022, 02:29 PM) Meep Wrote:
        Pwn day 4 is a string format exploit using %n to override something. Not working reading in on it.
    Idk if it is, though. In main:
        char local_154 [12];
        char local_148 [312];
        __isoc99_scanf("%299s", local_148);
        printf(local_148);
    So, it's taking 299 bytes from the local_148 buffer, which means that there should be a 13 byte overflow, right? Unless I'm completely off base, which has been known to happen.
Yeah I'm kind of stuck too. I've read some articles on turning a format vuln into shellcode execution. But the layout seems kinda off. What is certain is that the flag is not referenced in the code. But that also got me thinking: what if the flag contents have been passed as program arguments when running the application? Perhaps that's what they want to achieve. Anyways I'm stuck, and someone solved it in like 10 minutes, which is really fast. Also it has many security settings set.

October 25, 2022 at 4:00 PM
(October 25, 2022, 03:57 PM) Meep Wrote:
    (October 25, 2022, 03:53 PM) karhu Wrote:
        (October 25, 2022, 02:29 PM) Meep Wrote:
            Pwn day 4 is a string format exploit using %n to override something. Not working reading in on it.
        Idk if it is, though. In main:
            char local_154 [12];
            char local_148 [312];
            __isoc99_scanf("%299s", local_148);
            printf(local_148);
        So, it's taking 299 bytes from the local_148 buffer, which means that there should be a 13 byte overflow, right? Unless I'm completely off base, which has been known to happen.
    Yeah I'm kind of stuck too. I've read some articles on turning a format vuln into shellcode execution. But the layout seems kinda off. What is certain is that the flag is not referenced in the code. But that also got me thinking: what if the flag contents have been passed as program arguments when running the application? Perhaps that's what they want to achieve. Anyways I'm stuck, and someone solved it in like 10 minutes, which is really fast.
Well, the first input takes exactly 11 chars, the 12th char is overflow to the local_148 space. If you input AAAAAAAAAAB, the B will be directly printed with "better luck next time", skipping the 2nd input. Hope this leads to somewhere
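As an added example that is not code from the thread or the challenge: the pattern karhu pasted from main() (user input handed to printf as the format string), shown beside its hardened form, plus two checks a reviewer would apply to that code: whether a scanf width actually fits the destination buffer, and whether untrusted text headed for a format argument carries a conversion specifier. The 312-byte buffer and the %299s width come from the thread; function names and sample inputs are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the decompiled main() quoted in the thread. */
#define LOCAL_148_SIZE 312u
#define SCANF_WIDTH    299u
/* The bug class under discussion, kept in a comment because hardened
 * toolchains (-Werror=format-security) refuse to compile it:
 *
 *     char local_148[312];
 *     __isoc99_scanf("%299s", local_148);
 *     printf(local_148);          <-- user data used as the FORMAT string
 *
 * printf parses "%x", "%s", "%n" ... out of the user's bytes. The fix is to
 * pass the data as an argument so it is never interpreted as a format. */
int echo_safe(const char *input, char *out, size_t out_size)
{
    return snprintf(out, out_size, "%s", input); /* '%' in input is literal */
}

/* Helper for checking the above: true if the rendered text equals the input. */
bool echo_safe_is_literal(const char *input)
{
    char out[LOCAL_148_SIZE];
    int n = echo_safe(input, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(input) && strcmp(out, input) == 0;
}

/* scanf("%Ns") stores at most N characters plus the terminating NUL, so the
 * buffer needs N + 1 bytes. Returns true if that does NOT fit in buf_size. */
bool scanf_width_overflows(unsigned width, size_t buf_size)
{
    return (size_t)width + 1 > buf_size;
}

/* Input-validation / detection guard: true if s carries a conversion
 * specifier, i.e. a '%' that is not the escaped form "%%". Run it on any
 * untrusted text before it reaches a format argument, or over captured input. */
bool has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" prints a literal '%' */
        return true;                         /* "%x", "%n", "%s", lone '%' */
    }
    return false;
}
```

With the thread's numbers, scanf_width_overflows(299, 312) is false: %299s writes at most 300 bytes into the 312-byte buffer, so the read itself cannot overflow local_148; the weakness is the unchecked format argument, not the buffer size.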