Goal of the exercise: have a shell and print the contents of the flag file.
Research and reverse engineering test. See if there are any protections: I see it with the “checksec” command:
Apparently the program has no protection.
What the program uses: I see it with the “ltrace” command:
I want to know more about “puts” and “read”:
Decompiled C code: main():
int __cdecl main(int argc, const char **argv, const char **envp)
{
  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
  puts( " _________.
Become User – Enumeration – The first thing that I do is scan for the open ports:
nmap -sC -sV -oA nmap 10.10.10.185
This command returns me the following result:
# Nmap 7.80 scan initiated Sun May 31 22:17:52 2020 as: nmap -sV -sC -oA nmap 10.10.10.185
Nmap scan report for 10.10.10.185
Host is up (0.044s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.
Goal of the exercise: have the program print the contents of the flag file.
Research and reverse engineering test. See if there are any protections: it appears that only “NX” is enabled.
Decompiled C code of the executable:
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  FILE *stream;        // [rsp+0h] [rbp-50h]
  char s1;             // [rsp+10h] [rbp-40h]
  char *s;             // [rsp+30h] [rbp-20h]
  const char *v6;      // [rsp+38h] [rbp-18h]
  const char *v7;      // [rsp+40h] [rbp-10h]
  unsigned __int64 v8; // [rsp+48h] [rbp-8h]

  v8 = __readfsqword(0x28u);
  memset(&s1, 0, 0x38uLL);
  s = "[!