writeups

HTB Oouch Writeup

Oouch Writeup

Starting the recon with an nmap scan for open ports and the services running on them:

    PORT   STATE SERVICE REASON         VERSION
    21/tcp open  ftp     syn-ack ttl 63 vsftpd 2.0.8 or later
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_-rw-r--r-- 1 ftp ftp 49 Feb 11 19:34 project.txt
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to 10.10.14.185
    |      Logged in as ftp
    |      TYPE: ASCII
    |      Session bandwidth limit in byte/s is 30000
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 2
    |      vsFTPd 3.

HTB Cascade Writeup

Cascade Writeup

We start with an nmap scan on the IP to scan TCP ports and the services running on them.

    # Nmap 7.80 scan initiated Wed Apr 1 11:48:58 2020 as: nmap -sC -sV -oA nmap/tcp-initial -vv 10.

ROP Emporium ret2win

Challenge info

ret2win is the first challenge in ROP Emporium's series of challenges for learning ROP. The objective of the challenge is to locate a method within the binary that you want to call and do so by overwriting a saved return address on the stack.

Recon

As always, in order to solve any problem we must recon the problem and then understand it so that we can effectively write a solution.

Fuzzing and exploiting vulnserver TRUN command

It's been a long time since I wrote a post, and since the lockdown keeps extending, I decided to polish my exploit development skills on Windows. So in this post, I will be fuzzing the TRUN command of vulnserver.exe using boofuzz, which is a network fuzzing framework based on the Sulley framework. So let's get started!

Environment

The lab environment for the given tutorial is as follows:

HTB Luke Writeup

Luke

Recon

Nmap Scan

We begin our reconnaissance by running an Nmap scan checking default scripts and testing for vulnerabilities.

    nmap -sC -sV -oA nmap/tcpInitial -vv 10.10.10.137

    PORT   STATE SERVICE REASON         VERSION
    21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3+ (ext.1)
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_drwxr-xr-x 2 0 0 512 Apr 14 12:35 webapp
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to 10.

Protostar Heap-2 Writeup

Heap 2

Source code

The following is the source code for the Heap 2 challenge:

    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/types.h>
    #include <stdio.h>

    struct auth {
      char name[32];
      int auth;
    };

    struct auth *auth;
    char *service;

    int main(int argc, char **argv)
    {
      char line[128];

      while(1) {
        printf("[ auth = %p, service = %p ]\n", auth, service);

        if(fgets(line, sizeof(line), stdin) == NULL) break;

        if(strncmp(line, "auth ", 5) == 0) {
          auth = malloc(sizeof(auth));
          memset(auth, 0, sizeof(auth));
          if(strlen(line + 5) < 31) {
            strcpy(auth->name, line + 5);
          }
        }
        if(strncmp(line, "reset", 5) == 0) {
          free(auth);
        }
        if(strncmp(line, "service", 6) == 0) {
          service = strdup(line + 7);
        }
        if(strncmp(line, "login", 5) == 0) {
          if(auth->auth) {
            printf("you have logged in already!

Protostar Heap-1 Writeup

Heap 1

Source code

The following is the source code for the Heap 1 challenge:

    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <stdio.h>
    #include <sys/types.h>

    struct internet {
      int priority;
      char *name;
    };

    void winner()
    {
      printf("and we have a winner @ %d\n", time(NULL));
    }

    int main(int argc, char **argv)
    {
      struct internet *i1, *i2, *i3;

      i1 = malloc(sizeof(struct internet));
      i1->priority = 1;
      i1->name = malloc(8);

      i2 = malloc(sizeof(struct internet));
      i2->priority = 2;
      i2->name = malloc(8);

      strcpy(i1->name, argv[1]);
      strcpy(i2->name, argv[2]);

      printf("and that's a wrap folks!

Protostar Heap-0 Writeup

Heap 0

Source code

The following is the source code for the Heap 0 challenge:

    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <stdio.h>
    #include <sys/types.h>

    struct data {
      char name[64];
    };

    struct fp {
      int (*fp)();
    };

    void winner()
    {
      printf("level passed\n");
    }

    void nowinner()
    {
      printf("level has not been passed\n");
    }

    int main(int argc, char **argv)
    {
      struct data *d;
      struct fp *f;

      d = malloc(sizeof(struct data));
      f = malloc(sizeof(struct fp));
      f->fp = nowinner;

      printf("data is at %p, fp is at %p\n", d, f);

      strcpy(d->name, argv[1]);

      f->fp();
    }

Challenge

In this challenge we need to modify the f->fp pointer to call the winner function. On running the program, it outputs two addresses: one is of the data struct and the other is of the f struct. Clearly we can exploit this challenge using a buffer overflow

Protostar Format-4 Writeup

Format 4

Source code

The following is the source code for the Format 4 challenge:

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    int target;

    void hello()
    {
      printf("code execution redirected! you win\n");
      _exit(1);
    }

    void vuln()
    {
      char buffer[512];

      fgets(buffer, sizeof(buffer), stdin);

      printf(buffer);

      exit(1);
    }

    int main(int argc, char **argv)
    {
      vuln();
    }

Challenge

In this challenge we need to execute the hello() function. We can do this by modifying the GLOBAL_OFFSET_TABLE, using an arbitrary memory write through the format string vulnerability. So first we need to find the address of exit() in the global offset table

Protostar Format-3 Writeup

Format 3

Source Code

The following is the source code for the Format 3 challenge:

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    int target;

    void printbuffer(char *string)
    {
      printf(string);
    }

    void vuln()
    {
      char buffer[512];

      fgets(buffer, sizeof(buffer), stdin);

      printbuffer(buffer);

      if(target == 0x01025544) {
        printf("you have modified the target :)\n");
      } else {
        printf("target is %08x :(\n", target);
      }
    }

    int main(int argc, char **argv)
    {
      vuln();
    }

Challenge

Again we need to modify the target variable to 0x01025544. We can do this in two ways: either using the same method as in format3, or we can modify the least significant byte of target (address 0x080496f4) once, and by doing this repeatedly 4 times we can modify the whole address. I am going to try the second method, so our payload will be