Microcorruption - Part 3: Johannesburg, Santa Cruz, and Jakarta
From South Africa to Asia via Northern California, smashing stacks along the way, we progress through the next versions of the LockIT Pro.
A thrilling ride through icy Whitehorse to sultry Montevideo, as we unmask more flaws in Lockitall’s feeble attempts to keep us out… And learn a thing or two about stack overflows and shellcode injection along the way.
I’ve decided to take another crack at the Microcorruption CTF and document my progress as some form of tutorial-type thing. I also wanted to have a play around with Ghidra and this seemed like a good candidate.
It has been a long time since I wrote anything here, but I’d been getting the itch again recently and I’d always planned on re-visiting Hades to do a full writeup. Three years later, and here we are…

Hades is a boot2root challenge created by Lok_Sigma with a heavy focus on binary exploitation and stack overflows.

Service discovery using netdiscover and nmap, you know the drill…

# netdiscover -i eth1 -p r 10.66.66.0/24
 Currently scanning: (passive)   |   Screen View: Unique Hosts

 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.66.66.6      08:00:27:4a:6c:d9      1      60  PCS Systemtechnik GmbH

# echo 10.66.66.6 > ip
# nmap -A -p- -T5 $(cat ip) | tee nmap.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-12 14:22 EDT
Nmap scan report for 10.66.66.6
Host is up (0.00044s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 e1:47:74:6c:b5:9c:8b:76:fd:92:77:91:fa:e7:f4:ee (DSA)
|   2048 9c:a0:0b:f3:63:2e:8e:10:77:e9:a3:5a:dd:f1:6d:46 (RSA)
|_  256 0b:8d:d1:bf:6e:b8:cf:99:38:64:f0:58:bb:3c:45:77 (ECDSA)
65535/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, NULL, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq:
|     Welcome to the jungle.
|_    Enter up to two commands of less than 121 characters each.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port65535-TCP:V=7.70%I=7%D=6/12%Time=5D0142F9%P=x86_64-pc-linux-gnu%r(N
SF:ULL,55,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\x20
SF:two\x20commands\x20of\x20less\x20than\x20121\x20characters\x20each\.\n\
SF:0")%r(GenericLines,5C,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\
SF:x20up\x20to\x20two\x20commands\x20of\x20less\x20than\x20121\x20characte
SF:rs\x20each\.\n\0Got\x20it\n")%r(GetRequest,5C,"Welcome\x20to\x20the\x20
SF:jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x20of\x20less\x2
SF:0than\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(HTTPOptions,5C,
SF:"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20
SF:commands\x20of\x20less\x20than\x20121\x20characters\x20each\.\n\0Got\x2
SF:0it\n")%r(RTSPRequest,5C,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnt
SF:er\x20up\x20to\x20two\x20commands\x20of\x20less\x20than\x20121\x20chara
SF:cters\x20each\.\n\0Got\x20it\n")%r(RPCCheck,5C,"Welcome\x20to\x20the\x2
SF:0jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x20of\x20less\x
SF:20than\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(DNSVersionBind
SF:ReqTCP,5C,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\
SF:x20two\x20commands\x20of\x20less\x20than\x20121\x20characters\x20each\.
SF:\n\0Got\x20it\n")%r(DNSStatusRequestTCP,5C,"Welcome\x20to\x20the\x20jun
SF:gle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x20of\x20less\x20th
SF:an\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(Help,5C,"Welcome\x
SF:20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x
SF:20of\x20less\x20than\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(
SF:SSLSessionReq,5C,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up
SF:\x20to\x20two\x20commands\x20of\x20less\x20than\x20121\x20characters\x2
SF:0each\.\n\0Got\x20it\n")%r(TLSSessionReq,5C,"Welcome\x20to\x20the\x20ju
SF:ngle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x20of\x20less\x20t
SF:han\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(Kerberos,5C,"Welc
SF:ome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20comma
SF:nds\x20of\x20less\x20than\x20121\x20characters\x20each\.\n\0Got\x20it\n
SF:")%r(SMBProgNeg,63,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20
SF:up\x20to\x20two\x20commands\x20of\x20less\x20than\x20121\x20characters\
SF:x20each\.\n\0Got\x20it\nGot\x20it\n");
MAC Address: 08:00:27:4A:6C:D9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms 10.66.66.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.77 seconds

I actually remember this: the SSH banner is a base64-encoded copy of the binary running on port 65535. ...
Hades is a boot2root challenge created by Lok_Sigma with a heavy focus on reverse engineering.

Video

This really was a fantastic challenge, stand by for a full writeup!