Posts

[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy

(In the name of God, the Most Gracious, the Most Merciful) (If I did well, it is from God; if I did wrong, it is from myself and Satan.) It was a nice CTF; I got 2nd place with my team: Hissien Misbah (Twitter), Mohamed Bebo (LinkedIn), Sameh (LinkedIn), Osama Zidan (LinkedIn). A picture taken while solving this challenge in the last 5 minutes of the CTF (thinking that we had 1st place). Let's walk through the web challenge Hot Proxy. Note that we did not solve it during the CTF; we were a minute away. Let's start. Note: there is no source code in the challenge attachment; I requested it from the author (@serWazito0), thanks to him. Challenge files: ASCWG_2024_CTF. Note: the flag file on the server is called "flag_<RANDOM>.txt", so we have to get RCE. From the title I know there is an SSRF vulnerability in this challenge, and from the description we know there is an internal application called "app1" with a route called "/secret", so our target is to access

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

(In the name of God, the Most Gracious, the Most Merciful) (If I did well, it is from God; if I did wrong, it is from myself and Satan.) Let's check the "cockatoo" pwn challenge from Blackhat MEA CTF 2024. Reversing the binary, we note that it takes the input byte by byte and there is a counter (I hate static analysis). Dynamic analysis: let's jump into GDB and see what happens. I set a breakpoint on the read to get the stack address where our input will be stored; the following screenshots show our input increasing and the counter sitting before the RIP address, and the payload to overwrite the counter and control where the next write will land is in the following screenshots. We added 16 to the counter and could overwrite RIP. Now we have to find our gadgets and do a simple execve, right?!!! NOOOOOO. Exploit: we don't have gadgets for "rdx, rdi, rsi" and we need to do "execve(rdi, rsi, rdx)", but we have "syscall" and "pop rax", so it's time for our SROP attack. we

[PWN] [RITSEC-CTF 2024] gadget_database Challenge ARM64 Exploitation

(In the name of God, the Most Gracious, the Most Merciful) (If I did well, it is from God; if I did wrong, it is from myself and Satan.) After months, I decided to go back to a challenge from RITSEC-CTF 2024 called "gadget_database". It was a ROP challenge on an ARM64 binary; let's start. Let's drop the binary into Ghidra to understand what it is doing. The "main" function checks the return value of the "answer" function; if it is right, we reach a branch that is vulnerable to buffer overflow because it reads "0x200" bytes into a "32" byte buffer. The "answer" function checks a password value, and it is fixed. Now, it is an ARM64 binary and we are running on an Intel processor, so we have to set up a script for debugging using "gdb-multiarch" and "qemu". When we run the script with the "GDB" argument it will run "qemu-aarch64-static -g 2020 ./gadget_database" to start a listener for gdb, and in our "gdb-multiarch" session we ca

[PWN] DeadsecCTF 2024 - User Management Challenge

(In the name of God, the Most Gracious, the Most Merciful) (If I did well, it is from God; if I did wrong, it is from myself and Satan.) User Management is a format string challenge; let's start. First, our menu contains the following. After reversing the binary with Ghidra and trying the options, we know there is a format string bug in the view description, and we can hit it when we create a new user and log in with it. But to create a user we have to log in as admin first, and the admin password is random :-). With some static/dynamic analysis, we know there is something weird with the admin login function: it reads 21 bytes and it just needs 12 ;-) so we have a trigger here. If we check the address (DAT_555555559340), it is close to the address of the password at (DAT_555555559350), and we have an overflow on the first address, so we can overwrite the password. When we overwrite the password with the following payload we will get the "strncmp" check for the username, and we can get it after logging in with admin we