Posted on April 2, 2017 under Overthewire.
Today we're going to attack another reverse engineering challenge from the Behemoth series, to improve our knowledge of reverse engineering.
This one seems to behave quite similarly to the behemoth0 level, but unluckily we can't view the password as we did in the previous one. Let's disassemble the binary.
Hmm, we have the printf, gets and puts functions. We will have to somehow exploit the gets function by overflowing a buffer, and then we will possibly be able to spawn a shell.
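The whole level hinges on gets() reading an unbounded line into a fixed stack buffer. As an added example (my own code, not the challenge binary's), here is the bounded replacement a defender would ship instead: it reads at most cap-1 bytes, reports when the line was longer than the buffer, and drains the excess so it cannot spill into the next read. The buffer size, the status enum and the tmpfile()-based feeder are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of reading one line into a fixed-size buffer. */
enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = 2 };

/* Bounded replacement for gets(): stores at most cap-1 bytes in dst,
 * strips the trailing newline and reports whether input was dropped. */
enum line_status read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) {
        if (cap) dst[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';          /* whole line fit, newline included */
        return LINE_OK;
    }
    /* No newline in the buffer: either the line ended exactly at cap-1
     * bytes, or it was longer. Drain the rest so it never reaches the
     * next read, and tell the caller what happened. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return LINE_OK;
    while (c != '\n' && c != EOF) c = fgetc(in);
    return LINE_TRUNCATED;
}

/* Demo helper (assumed, not part of the binary): builds a constructed line of
 * n copies of ch plus a newline, feeds it through a temporary file, and
 * returns the status; dst holds whatever the bounded read stored. */
enum line_status feed_repeated(char ch, size_t n, char *dst, size_t cap)
{
    FILE *f = tmpfile();
    if (!f) return LINE_EOF;
    for (size_t i = 0; i < n; i++) fputc(ch, f);
    fputc('\n', f);
    rewind(f);
    enum line_status st = read_line_bounded(dst, cap, f);
    fclose(f);
    return st;
}

int main(void)
{
    char buf[64];   /* assumed size: smaller than the 80-byte line below */
    enum line_status st = feed_repeated('A', 80, buf, sizeof buf);
    printf("status=%d stored=%zu bytes (buffer intact)\n", st, strlen(buf));
    return 0;
}
```

With gets() the same 80-byte line would run past the buffer; here it is cut at 63 bytes and flagged, which is the check a fuzzer or code review should be looking for.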
Great, now we have something to focus on. This time I wanted to find the offset not by brute forcing (also known as guessing) but by running pattern_offset.rb on the value in EIP, which gave the number 79. But how can we store the shellcode, since nothing is actually stored in the binary?
In one of the Narnia levels, we used an environment variable as the place to store the shellcode.
Now we can use a tool like getenvaddr to get the address of the environment variable EGG.
Unluckily it didn't seem to work, so I had to come up with another solution, using gdb.
Great, now we only have to point the address at our shellcode.
As you may know, the first try didn't work because the shellcode opened the shell without any arguments, resulting in an immediate close. Adding cat - allowed us to keep the shell open and view the password.
Fun as always, and very educational. Thanks OverTheWire!
I would also like to point out that if you're thinking about starting a journey with CTF challenges, PicoCTF is running now, with a lot of great challenges. Check it out if you're interested!