SKILLS ASSESSMENT

TASK 1

We are contracting for a company that has found a suspicious binary. Examining the file with gdb, we see that it loads an encoded shellcode onto the stack and stores the XOR decoding key in rbx. We need to decode the shellcode after it is loaded onto the stack and then run the decoded shellcode to get the flag.

1. Refer to the "Assembling & Disassembling" section to get the assembly code of the binary. We can also use the template from that section. Do not forget to change movabs to mov.

2. Refer to the "Arithmetic Instructions" and "Loops" sections to write instructions to decode the shellcode after it is loaded to the Stack.

3. Refer to the "GDB" section to examine the entire shellcode once it is decoded.

4. Refer to the "Shellcodes" section to be able to run the decoded shellcode.

  • To loop over the stack, try storing "rsp" in "rdx" and then doing "add rdx, 8" to move to the next 8 bytes on the stack.

Disassemble 'loaded_shellcode' and modify its assembly code to decode the shellcode by adding a loop that 'xor's each 8 bytes on the stack with the key in 'rbx'.
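As an added example (not code from the task binary or the module), here is the decode loop from step 2 modelled in C over a simulated stack, using a constructed key and a readable placeholder in place of the real payload. It also shows the point that trips people up when checking the result in gdb: the binary pushes the last chunk first, so the first chunk ends up lowest in memory, at rsp.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the decoding key the real binary keeps in rbx. */
#define KEY 0x1122334455667788ULL
/* Constructed placeholder for the decoded content (readable text rather than
 * machine code), two 8-byte chunks like the real payload. */
static const char plain[] = "DECODED_PAYLOAD!";

/* Simulated stack: rsp starts at the top and moves down on each push. */
static uint64_t stack[8];
static uint64_t *rsp = stack + 8;
static void push(uint64_t v) { *--rsp = v; }

/* The decode loop the task asks for, as C:
 *     mov rdx, rsp ; mov rcx, <chunks>
 * decode: xor qword [rdx], rbx ; add rdx, 8 ; loop decode
 * Returns the number of qwords decoded. */
static size_t decode_stack(uint64_t *rdx, size_t chunks, uint64_t rbx) {
    for (size_t i = 0; i < chunks; i++) {
        *rdx ^= rbx;   /* xor qword [rdx], rbx */
        rdx++;         /* add rdx, 8 */
    }
    return chunks;
}

/* Load the encoded chunks the way the binary does: the LAST chunk is pushed
 * first, so the first chunk ends up at the lowest address, i.e. at rsp. */
static void load_encoded(void) {
    uint64_t q[2];
    memcpy(q, plain, sizeof q);
    push(q[1] ^ KEY);
    push(q[0] ^ KEY);
}

/* Load, decode in place, and return the decoded bytes now sitting at rsp. */
static const uint8_t *decode_loaded(void) {
    load_encoded();
    decode_stack(rsp, 2, KEY);
    return (const uint8_t *)rsp;
}

int main(void) {
    const uint8_t *p = decode_loaded();
    /* Same view as "x/2xg $rsp" in gdb once the loop has run. */
    for (size_t i = 0; i < 2; i++)
        printf("%p:\t0x%016llx\n", (void *)(rsp + i), (unsigned long long)rsp[i]);
    return memcmp(p, plain, 16) == 0 ? 0 : 1;
}
```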

root@htb:~$ curl -O https://academy.hackthebox.com/storage/modules/85/loaded_shellcode.zip
root@htb:~$ ls
 loaded_shellcode.zip
root@htb:~$ unzip loaded_shellcode.zip

root@htb:~$ file loaded_shellcode
loaded_shellcode: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped

root@htb:~$ ghidra
 ...

GHIDRA > File > New Project > Non-Shared Project
 Project Directory: /home/htb-ac-53539
 Project Name: loaded_shellcode
 
GHIDRA > File > Import File
 File Name: loaded_shellcode
 
GHIDRA > Code Browser
 Analyze...: yes
 Analysis Options...: default
 


TASK 2

We are performing a pentest, and in a binary exploitation exercise we reach the point where we have to run our shellcode. However, only 50 bytes of buffer space are available to us. So we have to optimize our assembly code to make it shellcode-ready and under 50 bytes in order to run it successfully on the vulnerable server.

1. Refer to the "Syscalls" section to understand what the assembly code is doing.

2. Refer to the "Shellcoding Techniques" section to be able to optimize the assembly code.

  • Do we really care about a nice exit?!

The above server simulates a vulnerable server that we can run our shellcodes on. Optimize 'flag.s' for shellcoding and get it under 50 bytes, then send the shellcode to get the flag. (Feel free to find/create a custom shellcode)
