Chapter 2: Exercises

Clone the repository first (in case you haven’t yet!):

git clone https://github.com/nonamed01/exploits.git

The vulnerable programs, their source code and the exploits for this chapter are located in the creativepwning/chapter2 directory. Try to solve the exercises without reading their source code and exploits first; if you get stuck, feel free to read and try the provided exploits. Each exercise's exploit is named exN-exploit.py, where N is the exercise number.

Exercise1 (creativepwning/chapter2/ex1)

Goal: Assume this binary is running on a live instance with a custom libc. You need to find the address of execve() first, and then spawn a shell by calling execve("/bin/sh\x00", NULL, NULL);

Exercise2 (creativepwning/chapter2/ex2)

Goal: Without using ret2dlresolve, gain a shell on this vulnerable program by calling system("/bin/sh\x00"). This exercise has been tested with GLIBC 2.36 and should work without issues on most modern GLIBC versions (2.38, for example). Of course, if you run the exploit on your own system the offsets may differ!

Exercise3 (creativepwning/chapter2/ex3)

Goal: Using only the techniques described in this chapter, change the permissions of the stack to rwx by exploiting the vulnerable program ex3.

Exercise4 (creativepwning/chapter2/ex4)

Goal: Using only the techniques described in this chapter, set .bss to rwx, write a simple execve("/bin/sh") shellcode there and spawn a shell. This exercise is quite similar to the previous one. Remember that, if the program is not using pthreads, you can fake it! You can fake anything as long as you control EIP and have addresses you can actually write to! Absolutely no leaks and no use of libc6 allowed!

My exploit has been tested on Debian GNU/Linux 12 Bookworm (GLIBC 2.36) and Ubuntu GNU/Linux 23.10 (GLIBC 2.38) (adjusting the offsets beforehand, of course!). It won't work on GLIBC 2.35, for example (see creativepwning/chapter2/libc-2.35-funcs.txt).
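Both ex3 and ex4 come down to the same mechanic: get mprotect() called on the page holding the target region (the stack or .bss), then run bytes you placed there. The program below is an added example written for this page, not code from the creativepwning repository or from any of the exercise binaries. It uses a hypothetical global buffer to stand in for .bss, shows the page-alignment requirement that mprotect() imposes (an unaligned address fails with EINVAL, a classic reason a fake-pthread or ROP call "does nothing"), verifies the new permissions through /proc/self/maps, and executes a constructed stub that returns 42 instead of real execve("/bin/sh") shellcode so the result can be checked in-process. The same call with a stack address covers ex3.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical stand-in for the target's .bss: an uninitialised global lands
 * in .bss, which is mapped rw- (no execute) by default. */
static unsigned char bss_buf[4096];

/* Round an address down to its page base. mprotect() rejects unaligned
 * addresses with EINVAL, so the exploit must pass the page, not &bss_buf. */
static uintptr_t page_base(const void *p)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    return (uintptr_t)p & ~(page - 1);
}

/* Look up the permission string ("rwxp" etc.) of the mapping holding p by
 * parsing /proc/self/maps. Returns 0 on success, -1 if not found. */
static int perms_of(const void *p, char out[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int found = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if ((uintptr_t)p >= lo && (uintptr_t)p < hi) {
            memcpy(out, perms, 5);
            found = 0;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Convenience check used by main() and the tests: 1 if bss_buf is rwx. */
static int bss_is_rwx(void)
{
    char perms[5] = "";
    if (perms_of(bss_buf, perms) != 0) return 0;
    return perms[0] == 'r' && perms[1] == 'w' && perms[2] == 'x';
}

/* The call ex4 wants: make every page overlapping bss_buf rwx. */
static int make_bss_rwx(void)
{
    uintptr_t base = page_base(bss_buf);
    size_t len = (uintptr_t)bss_buf + sizeof bss_buf - base;
    return mprotect((void *)base, len, PROT_READ | PROT_WRITE | PROT_EXEC);
}

/* Copy a constructed stub into .bss and call it. The real exercise writes
 * execve("/bin/sh") shellcode here; this stub only returns 42 so the
 * example can be verified without replacing the process. Returns -1 if
 * mprotect() failed. */
static int run_from_bss(void)
{
#if defined(__x86_64__) || defined(__i386__)
    /* mov eax, 42 ; ret */
    static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
    /* mov w0, #42 ; ret  (little-endian instruction bytes) */
    static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "no stub encoded for this architecture"
#endif
    if (make_bss_rwx() != 0) return -1;
    memcpy(bss_buf, stub, sizeof stub);
    /* Required on architectures with split I/D caches (no-op on x86). */
    __builtin___clear_cache((char *)bss_buf, (char *)bss_buf + sizeof stub);
    int (*fn)(void);
    void *p = bss_buf;
    memcpy(&fn, &p, sizeof fn);   /* data -> function pointer without a pedantic warning */
    return fn();
}

int main(void)
{
    char before[5] = "";
    perms_of(bss_buf, before);
    int r = run_from_bss();
    printf(".bss was %s, now rwx=%d, stub returned %d\n", before, bss_is_rwx(), r);
    return r == 42 ? 0 : 1;
}
```

Before the call, /proc/self/maps shows the page as rw-p; afterwards the kernel has split the VMA and the entry covering bss_buf reads rwxp. When building a fake pthread or a ROP chain for ex3/ex4, reproduce exactly this: a page-aligned start address, a length that spans the whole region you will write to, and PROT_READ|PROT_WRITE|PROT_EXEC (7) as the third argument.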

HTB Finale

Time to practise with a real challenge. Try solving the retired challenge on the HTB platform and spawn a remote shell: https://app.hackthebox.com/challenges/405.

Note

Spawning a remote shell is not the intended way for this challenge. But it is your goal for this chapter!

This challenge is running a custom libc6 on the live instance. Don't use any other techniques; try to solve it using only those described here. If you get stuck, I wrote an exploit you will find here: creativepwning/chapter2/HTB-finale-2024.py.

Try your exploit locally first, then move on to the live instance. You may also need the technique described in Chapter 1, Setting arbitrary values into registers, to load a particular value into a given register. As an extra exercise, try to disable the alarm the program sets. Have fun!

HTB Void from CyberApocalypse 2023

If you finished the previous real exercise, then it's time to try something new. The HTB retired challenge Void from the 2023 CyberApocalypse was meant to be solved using ret2dlresolve. Now go and do something different! If you get stuck, I wrote an exploit: creativepwning/chapter2/HTB-Void-nodlresolve.py! Here is a writeup by someone who solved it without using ret2dlresolve: https://github.com/sbencoding/htb_ca2023_writeups/tree/master/pwn/void.

Try to find a better way! Imagine that no one_gadget (a single libc address that spawns a shell by itself) can be found. That exploit would then fail! Time to pwn creatively!

The challenge is still playable on the Tracks section of the platform: https://app.hackthebox.com/challenges/462

I wrote a write-up for my exploit, see (HTB Void writeup) if you get stuck.

HTB active challenge LoginSimulator

Try to solve this challenge next: https://app.hackthebox.com/challenges/login-simulator. Because it's an active challenge, I'm not giving anything away. Try solving it without leaking any libc6 addresses!