session:01

Differences

session:01 [2018/06/18 19:12]
Razvan Deaconescu
session:01 [2020/07/19 12:49] (current)
Line 1: Line 1:
-= 0x01. Exploration Tools+====== 0x01. Exploration Tools ======
  
-== Slides+===== Resources =====
  
 [[https://security.cs.pub.ro/summer-school/res/slides/01-exploration-tools.pdf|Session 1 slides]] [[https://security.cs.pub.ro/summer-school/res/slides/01-exploration-tools.pdf|Session 1 slides]]
  
-[[https://security.cs.pub.ro/summer-school/res/arc/01-exploration-tools-skel.zip|Session's tutorials and challenges archive]]+/*[[https://security.cs.pub.ro/summer-school/res/arc/01-exploration-tools-skel.zip|Session's tutorials and challenges archive]]*/
  
-== Tutorials+/*[[https://security.cs.pub.ro/summer-school/wiki/_media/session/01-exploration-tools-last.zip|Session's tutorials and challenges archive]]*/ 
 + 
 +[[https://security.cs.pub.ro/summer-school/wiki/_media/session/01-exploration-tools-last-last.zip|Session's tutorials and challenges archive]] 
 + 
 + 
 +/*[[https://security.cs.pub.ro/summer-school/res/arc/01-exploration-tools-full.zip|Session's solutions]]*/ 
 + 
 +===== Tutorials =====
  
 When faced with a binary with no source or parts of the source missing you can infer some of its functionalities based upon some basic reconnaisance techniques using various tools. When faced with a binary with no source or parts of the source missing you can infer some of its functionalities based upon some basic reconnaisance techniques using various tools.
  
  
-=== 01. Tutorial - Poor man's technique: strings +==== 01. Tutorial - Poor man's technique: strings  ====
  
 The simplest recon technique is to dump the ASCII (or Unicode) text from a binary. It doesn't offer any guarantees but sometimes you can get a lot of useful information out of it. The simplest recon technique is to dump the ASCII (or Unicode) text from a binary. It doesn't offer any guarantees but sometimes you can get a lot of useful information out of it.
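Review bot: the Resources section now carries three commented-out archive links (the /* ... */ wrappers around the -skel.zip, -last.zip and -full.zip links) next to the one live -last-last.zip link; commented-out wiki markup is invisible to readers but still ships in the page source and accumulates on every revision, so either delete the stale links or keep a single one with a visible "previous year" label. The -last-last.zip filename also suggests the archive URL is being versioned by hand, which means every link on the page has to be edited again next time; a stable name would avoid that. While this section is being touched, the unchanged context line under Tutorials still spells "reconnaisance" (should be "reconnaissance").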
Line 62: Line 69:
 </note> </note>
  
-=== 02. Tutorial - Execution tracing (ltrace and strace)+==== 02. Tutorial - Execution tracing (ltrace and strace) ====
 [[http://man7.org/linux/man-pages/man1/ltrace.1.html|ltrace(1)]] is an utility that can list the calls made to library functions made by a program, or the [[http://man7.org/linux/man-pages/man2/syscalls.2.html|syscalls]] a program makes. A syscall is a function that uses services exposed by the kernel, not by some separate library.  [[http://man7.org/linux/man-pages/man1/ltrace.1.html|ltrace(1)]] is an utility that can list the calls made to library functions made by a program, or the [[http://man7.org/linux/man-pages/man2/syscalls.2.html|syscalls]] a program makes. A syscall is a function that uses services exposed by the kernel, not by some separate library. 
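Review bot: the ltrace paragraph left as context in this hunk reads "is an utility"; it should be "is a utility", a one-word fix that fits this revision.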
  
Line 115: Line 122:
 </code> </code>
  
-The ''deobf()'' function calls ''strlen()'' and that's why you get such a large number of ''strlen()'' calls when using running ''crackme2'' under ''ltrace''.+The ''deobf()'' function calls ''strlen()'' and that's why you get such a large number of ''strlen()'' calls when running ''crackme2'' under ''ltrace''.
  
-=== 03. Tutorial - Symbols: nm+==== 03. Tutorial - Symbols: nm ====
  
 Symbols are basically tags/labels, either for functions or for variables. If you enable debugging symbols you will get information on all the variables defined but normally symbols are only defined for functions and global variables. When stripping binaries even these can be deleted without any effect on the binary behaviour. Dynamic symbols, however, have to remain so that the linker knows what functions to import: Symbols are basically tags/labels, either for functions or for variables. If you enable debugging symbols you will get information on all the variables defined but normally symbols are only defined for functions and global variables. When stripping binaries even these can be deleted without any effect on the binary behaviour. Dynamic symbols, however, have to remain so that the linker knows what functions to import:
Line 245: Line 252:
 Dealing with stripped binaries (or worse, statically linked binaries that have been stripped) is harder but can still be done. We'll see how in a future lab. Dealing with stripped binaries (or worse, statically linked binaries that have been stripped) is harder but can still be done. We'll see how in a future lab.
  
-=== 04. Tutorial - Library dependencies+==== 04. Tutorial - Library dependencies ====
  
 Most programs you will see make use of existing functionality. You don't want to always reimplement string functions or file functions. Therefore, most programs use dynamic libraries. These shared objects, as they are called alternatively, allow you to have a smaller program and also allow multiple programs to use a single copy of the code within the library. But how does that actually work? Most programs you will see make use of existing functionality. You don't want to always reimplement string functions or file functions. Therefore, most programs use dynamic libraries. These shared objects, as they are called alternatively, allow you to have a smaller program and also allow multiple programs to use a single copy of the code within the library. But how does that actually work?
Line 363: Line 370:
 As you can see, functions like ''puts()'', ''fgets()'', ''strlen()'' and ''strcmp()'' are not actually resolved until the first call to them is made. Make the loader resolve all the symbols at startup. (Hint: [[http://man7.org/linux/man-pages/man8/ld-linux.8.html|ld-linux(8)]]). As you can see, functions like ''puts()'', ''fgets()'', ''strlen()'' and ''strcmp()'' are not actually resolved until the first call to them is made. Make the loader resolve all the symbols at startup. (Hint: [[http://man7.org/linux/man-pages/man8/ld-linux.8.html|ld-linux(8)]]).
  
-==== Library Wrapper Task+=== Library Wrapper Task ===
  
 You've previously solved ''crackme2'' with the help of the ''ltrace''. Check out the files in the ''04-tutorial-library-dependencies/'' folder from the [[https://security.cs.pub.ro/summer-school/res/arc/01-exploration-tools-skel.zip|Session archive]]. The folders consists of a ''Makefile'' and a C source code file reimplementing the ''strcmp()'' function (library wrapper). The ''strcmp.c'' implementation uses ''LD_PRELOAD'' to wrap the actual ''strcmp()'' call to our own one. You've previously solved ''crackme2'' with the help of the ''ltrace''. Check out the files in the ''04-tutorial-library-dependencies/'' folder from the [[https://security.cs.pub.ro/summer-school/res/arc/01-exploration-tools-skel.zip|Session archive]]. The folders consists of a ''Makefile'' and a C source code file reimplementing the ''strcmp()'' function (library wrapper). The ''strcmp.c'' implementation uses ''LD_PRELOAD'' to wrap the actual ''strcmp()'' call to our own one.
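Review bot: the Library Wrapper Task paragraph still links to 01-exploration-tools-skel.zip as the "Session archive", but this same revision comments that link out in the Resources section in favour of 01-exploration-tools-last-last.zip, so the two sections now point students at different downloads; update this link (or refer to the Resources section) so the 04-tutorial-library-dependencies/ folder is taken from the archive they actually get. The same sentence has "with the help of the ltrace" and "The folders consists of", which should read "with the help of ltrace" and "The folder consists of".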
Line 380: Line 387:
 </code> </code>
  
-=== 05. Tutorial - Network: netstat and netcat+==== 05. Tutorial - Network: netstat and netcat ====
  
 Services running on remote machines offer a gateway to those particular machines. Whether it's improper handling of the data received from clients, or a flaw in the protocol used between server and clients, certain privileges can be obtained if care is not taken. We'll explore some tools and approaches to analyzing remote services. To follow along, use the server and client programs in the crackme5 folder of the {{:session:tutorial_01.tgz|tutorial}} archive. Services running on remote machines offer a gateway to those particular machines. Whether it's improper handling of the data received from clients, or a flaw in the protocol used between server and clients, certain privileges can be obtained if care is not taken. We'll explore some tools and approaches to analyzing remote services. To follow along, use the server and client programs in the crackme5 folder of the {{:session:tutorial_01.tgz|tutorial}} archive.
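Review bot: this context line sends readers to the crackme5 folder of {{:session:tutorial_01.tgz|tutorial}}, a third archive name besides the -skel.zip and -last-last.zip links used elsewhere on the page; if tutorial_01.tgz is no longer the distributed archive, point this sentence at the same archive as the Resources section so the netstat/netcat tutorial can be followed from a single download.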
Line 444: Line 451:
  
 We can see what the server and client are exchanging at an application level by capturing the traffic with the [[http://man7.org/linux/man-pages/man1/tcpdump.1.html|tcpdump(1)]] utility. Start tcpdump, the server and then the client, and run the commands again. When you're done, stop tcpdump with Ctrl+C. We can see what the server and client are exchanging at an application level by capturing the traffic with the [[http://man7.org/linux/man-pages/man1/tcpdump.1.html|tcpdump(1)]] utility. Start tcpdump, the server and then the client, and run the commands again. When you're done, stop tcpdump with Ctrl+C.
-<code bash>+<code>
 # tcpdump -i any -w crackme5.pcap 'port 31337' # tcpdump -i any -w crackme5.pcap 'port 31337'
 tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
Line 461: Line 468:
 </note> </note>
  
-<code bash>+<code>
 # netcat localhost 31337 # netcat localhost 31337
 Welcome to the awesome server. Welcome to the awesome server.
Line 471: Line 478:
 </code> </code>
  
-==== Doing It in Python+=== Doing It in Python ===
  
 You can create a sever and a client in Python only. We can use the ''server.py'' and ''client.py'' scripts. Check them out first. You can create a sever and a client in Python only. We can use the ''server.py'' and ''client.py'' scripts. Check them out first.
Line 502: Line 509:
 </code> </code>
  
-==== Doing It Only with netcat+=== Doing It Only with netcat ===
  
 We can still simulate a network connection using ''netcat'' only, both for starting the server and for runing the client. We can still simulate a network connection using ''netcat'' only, both for starting the server and for runing the client.
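Review bot: the heading-level changes in this hunk are fine, but the surrounding context lines keep two typos: "sever" in "You can create a sever and a client in Python only" and "runing" in "for runing the client"; both are one-word fixes that could go into this revision.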
Line 549: Line 556:
 </note> </note>
  
-=== 06. Tutorial - Open files+==== 06. Tutorial - Open files ====
  
 Let's remember how files and programs relate in Linux. Let's remember how files and programs relate in Linux.
Line 636: Line 643:
  
  
-=== Misc+==== Misc ====
  
 There are other sources of information available about running processes if you prefer to do things by hand such as: There are other sources of information available about running processes if you prefer to do things by hand such as:
Line 646: Line 653:
   * ''/proc/<PID>/cmdline'' : complete program commandline, with arguments   * ''/proc/<PID>/cmdline'' : complete program commandline, with arguments
  
-== Challenges+===== Challenges =====
  
-=== 07. Challenge - Perfect Answer+==== 07. Challenge - Perfect Answer ====
  
 For this task use the ''perfect'' binary from the 07-challenge-perfect-answer directory. For this task use the ''perfect'' binary from the 07-challenge-perfect-answer directory.
Line 654: Line 661:
 Can you find the flag? Can you find the flag?
  
-=== 08. Challenge - Lots of strings+==== 08. Challenge - Lots of strings ====
  
 Use the ''lots_of_files'' binary from ''08-challenge-lots-of-strings'' directory. Use the ''lots_of_files'' binary from ''08-challenge-lots-of-strings'' directory.
Line 663: Line 670:
 Hint: use the tools presented in the tutorials. Hint: use the tools presented in the tutorials.
 </note> </note>
-=== 09. Challenge - Sleepy cats+==== 09. Challenge - Sleepy cats ====
  
 For this task use the ''sleepy'' binary from the ''09-challenge-sleepy-cats'' directory. For this task use the ''sleepy'' binary from the ''09-challenge-sleepy-cats'' directory.
Line 672: Line 679:
  
 <note tip> <note tip>
-To edit a binary, you can use [[http://vim.wikia.com/wiki/Hex_dump|vim + xxd]] or [[https://www.forensicswiki.org/wiki/Bless|Bless]].+To edit a binary, you can use [[https://vim.fandom.com/wiki/Hex_dump#Editing_binary_files|vim + xxd]] or [[https://www.forensicswiki.org/wiki/Bless|Bless]].
  
 </note> </note>
-=== 10. Challenge - Hidden +==== 10. Challenge - Hidden  ====
  
-For this task use the ''hidden'' binary from the 10-challenge-hidden directory.+For this challenge use the ''hidden'' binary from the ''10-challenge-hidden/'' directory.
  
 Can you find the hidden flag? Can you find the hidden flag?
  
 +<note tip>
 +You could use ''ltrace'' and ''strace'' to find the flag. But try to make it give you the flag by simply altering the environment, do not attach to the executable.
 +</note>
  
-=== Extra+==== 11. Challenge - Detective ==== 
 + 
 +This challenge runs remotely at ''141.85.224.157:31337''. You can use ''netcat'' to connect to it. 
 + 
 +Investigate the ''detective'' executable in the ''11-challenge-detective/'' directory. See what it does and work to get the flag. 
 + 
 +You can start from the ''sol/exploit_template.sh'' solution template script. 
 + 
 +<note> 
 +There is a bonus to this challenge and you will be able to find another flag. See that below. 
 +</note> 
 + 
 +=== Bonus: Get the Second Flag === 
 + 
 +You can actually exploit the remote ''detective'' executable and get the second flag. Look thoroughly through the executable and craft your payload to exploit the remote service. 
 + 
 +<note tip> 
 +You need to keep the connection going. Use the construction: 
 +<code> 
 +cat /path/to/file - | nc <host> <port> 
 +</code> 
 +</note> 
 +==== Extra ====
 If you want some more, have a go at the bonus task included in the task archive. It is a simplified CTF task that you should be able to solve using the information learned in this lab. If you want some more, have a go at the bonus task included in the task archive. It is a simplified CTF task that you should be able to solve using the information learned in this lab.
  
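Review bot: the new "11. Challenge - Detective" section hardcodes the service endpoint 141.85.224.157:31337 in the page text, and nothing else on the page mentions that address, so it will silently go stale when the server moves; consider keeping the host and port in one place (the Resources section or the sol/exploit_template.sh template the text already points to) and linking to it from here. Two formatting points in the same hunk: the "==== Extra ====" heading now follows the closing </note> with no blank line, unlike every other heading on the page, and the challenge intros alternate between "For this task use" (07, 09) and the newly edited "For this challenge use" (10); pick one wording.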
Line 688: Line 720:
 Hint: This executable needs elevated permissions (run with ''sudo''). Hint: This executable needs elevated permissions (run with ''sudo'').
 </note> </note>
 +
 +==== Further pwning ====
 +
 +[[http://pwnable.kr/|pwnable.kr]] is a wargames site with fun challenges of different difficulty levels. After completing all tutorials and challenges in this session, you should be able to go there and try your hand at the following games from Toddler's bottle: ''fd'', ''collision'', ''bof'', ''passcode'', ''mistake'', ''cmd1'', ''blukat''.
 +
session/01.1529338325.txt.gz · Last modified: 2018/06/18 19:12 by Razvan Deaconescu