search

🚩babyshell

hashtag
Notes

hashtag
Online Shellcode Assembler/Disassembler

https://defuse.ca/online-x86-assembler.htmarrow-up-right

hashtag
The catflag C Wrapper

In this series of challenges, our objective is to read /flag. We need to make the following two syscalls consecutively:

  1. Call open("/flag", 0).

  2. Use the result from step 1 to call sendfile(1, open("/flag", 0), 0, 1000).

To simplify our shellcode, we can combine these two steps into a C wrapper:

// catflag.c
void main()
{
    sendfile(1, open("/flag", 0), 0, 1000);
}

Compile it:

gcc catflag.c -o \;

Why name this file a special character ;? The ASCII number for ; is 59 in decimal, which is just the syscall number of execve. In our shellcode, there will always be mov al, 59. By naming catflag as ;, we could utilize rax for two purposes at the same time: syscall number and filename.

hashtag
Writing Shellcode

hashtag
Method 1: Pwntools (Connor's Method)

For example:

hashtag
Method 2: Manually (Yan's Method)

Compile the shellcode source shellcode.s into raw bytes:

We can create an alias to make life easier. Add the following line to ~/.bashrc:

Reload ~/.bashrc:

Now if you want to compile shellcode, simply type compile inside the babyshell directory.

Run the shellcode:

For debugging purposes, to get the disassembly of the shellcode:

Similarly, add the following line to ~/.bashrc:

Reload ~/.bashrc:

Now if you want to check the disassembly of the shellcode, simply type debug inside the babyshell directory.

Examine system calls:

hashtag
Breakpoint

In some levels, we need to examine the registers at the moment of shellcode execution. This can be done with the int 3 instruction, which sets a breakpoint in GDB:

To run it:

hashtag
Utilizing Register States

By inserting the int 3 shellcode as breakpoint, we could examine the registers at the moment of shellcode execution. For example, in level1_teaching1, the registers are in the following state:

Level 1 Register States

Utilizing those values that already reside in the registers is crucial for some of the levels in this assignment.

hashtag
Level 1

hashtag
Challenge

Level 1

hashtag
Solution

Write a program named catflag.c which is a wrapper for calling sendfile():

This wrapper is needed because it simplifies the shellcoding process a lot. Compile it and name it as ;:

This weird naming would further simplify our shellcode: the ascii value of ; equals the syscall number of execve, which is 59.

Our objective is calling execve(catflag_pathname, 0, 0). To achieve this objective, our shellcode should do the following things:

  1. Set rax to 59. This is used for the syscall number and the C wrapper filename at the same time.

  2. Push rax onto the stack, so that rsp now contains the address of 59. Give this address to rdi.

  3. Zero out rsi and rdx.

  4. Invoke syscall.

hashtag
Exploit

hashtag
Level 2

hashtag
Challenge

Level 2

hashtag
Solution

This level can be solved with the same shellcode as in Level 1.

hashtag
Exploit

PreviousData Execution PreventionNextSandboxing

Last updated