BitFriends's admin

Author:
BitFriends

Language:
C/C++

Upload:
2020-03-20 11:10

Download

Platform:
Unix/linux etc.

Difficulty:
2.0

Quality:
4.0

Arch:
x86-64

Downloads:
9

Writeups:
1

Comments:
17

Description

Welcome to my little crackme! Your goal is to get a shell! As usual patching is not allowed. ld_preload, dll injection and rootkits are not allowed too. I hope the crackme is not overrated or underated. Have fun!

Comments (17)
Writeups (1)

You must be logged in to post a comment

_sam on 2020-03-25 16:15: hi, can you give me a hint .

tim0tei on 2020-03-26 06:54: @_sam there no name/pass algo to reverse but one of the used C-functions can be exploited.

ano12 on 2020-03-28 18:09: There is a format string vuln but don't know how to exploit it.

BitFriends on 2020-03-28 22:45: @_sam try objdump -t ;)

ano12 on 2020-03-29 10:09: [Click to reveal]

tim0tei on 2020-03-29 12:24: @ano12 I found this quite useful: http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf

ano12 on 2020-03-29 17:15: I am able to write the address which is at %7$p to the stack but not able to write to it's memory. I wrote a python script with pwntools to interact with the process. I'm getting nowhere. Can someone help me. my email ano12@pm.me

BitFriends on 2020-03-31 13:53: Hint: %p does NOT write to memory.

ano12 on 2020-03-31 17:00: Yeah, I know it's %n but it's not working. I think i'm Missing something.

tim0tei on 2020-03-31 18:13: For me it works that way "\x9a\x0e\x00\x00_%08x.%08x.%08x.%08x.%08x.%3676u%n"

BitFriends on 2020-03-31 20:32: @tim0tei please submit a solution when you got it. Don't spoil

terbo on 2020-04-18 02:19: guys where is the 3676 coming from iv no idea?

tim0tei on 2020-04-19 04:45: @terbo It does not need to be 3676. Depending on what you input before may change that value.

ano12 on 2020-04-20 15:23: "%3737u %7$n"

ano12 on 2020-04-20 15:24: and then "shell" that's all easy.

nm on 2020-09-11 21:54: Spoilery comment, but I assume it's okay since there are already spoilers commented. So it appears that the address for the "admin" global variable is the 7th parameter on the stack. Two questions about this: 1. When using objdump/ghidra, I saw the address for admin was something like "0010407c". When using the string format exploit to print out the stack values, the 7th parameter always ended in 7c but otherwise was completely different every time. Is this due to address randomization moving around the BSS segment? 2. I assume the address of "admin" is only on the stack in the first place due to it being a leftover pushed argument when calling strcpy(admin_cpy, (char *)%admin)? Thanks!

BitFriends on 2020-10-07 17:51: @nm you don't have to worry about the address, because it's already on the stack. Just write to it with using the format string vuln

Show all spoilers

You must be logged in to submit a writeup

Solution by rjkenny on 2020-09-14 15:56:
Step by step to determine type of exploit and how to crack

Download

crackmes.one

crackmes.one

BitFriends's admin_panel