https://brigatti.info/tags/writeup/ Recent content in Writeup on Riccardo Brigatti Hugo -- gohugo.io en-us Thu, 02 Dec 2021 11:44:31 +0100 https://brigatti.info/pages/cyber-challenge/shell-code/ Thu, 02 Dec 2021 11:44:31 +0100 https://brigatti.info/pages/cyber-challenge/shell-code/ Goal of the exercise Have a shell and print the contents of the flag file. Research And Reverse Engineering Test See if there are any protections: I see it with “checksec” command: Apparently the program has no protection. What the program uses: I see it with “ltrace” command: I want to know more about “puts” and “read”: Decompiled C code: main(): int __cdecl main(int argc, const char **argv, const char **envp) { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); puts( " _________. https://brigatti.info/blog/magic/ Fri, 05 Jun 2020 00:00:00 +0000 https://brigatti.info/blog/magic/ Become User —- Enumeration —- The first thing that I do is scan for the opened ports: nmap -sC -sV -oA nmap 10.10.10.185 This command returns me the following result: # Nmap 7.80 scan initiated Sun May 31 22:17:52 2020 as: nmap -sV -sC -oA nmap 10.10.10.185 Nmap scan report for 10.10.10.185 Host is up (0.044s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7. https://brigatti.info/pages/cyber-challenge/easy-leak/ Thu, 13 Jun 2019 00:00:00 +0000 https://brigatti.info/pages/cyber-challenge/easy-leak/ Goal of the exercise Have the program to print the contents of the flag file. Research And Reverse Engineering Test See if there are any protections: It appears to be only “NX” enabled. Decompiled C code of the executable: int __cdecl __noreturn main(int argc, const char **argv, const char **envp) { FILE *stream; // [rsp+0h] [rbp-50h] char s1; // [rsp+10h] [rbp-40h] char *s; // [rsp+30h] [rbp-20h] const char *v6; // [rsp+38h] [rbp-18h] const char *v7; // [rsp+40h] [rbp-10h] unsigned __int64 v8; // [rsp+48h] [rbp-8h] v8 = __readfsqword(0x28u); memset(&s1, 0, 0x38uLL); s = "[!