TryHackMe PWN101 (Binary Exploitation) room explained step-by-step and in detail so as we understand the underlying concepts and exploitation techniques. Each challenge has its own dedicated video. I recommend watching the Intro video to better understand the context of this series.
Index
- Intro
- pwn101
- pwn102
- pwn103
- pwn104
- pwn105
- pwn106
- pwn107
- pwn108
- pwn109
- pwn110
Link to YouTube video playlist: PWN101 playlist
Intro
Video link: PWN101 Intro
pwn101
Video link: PWN101 pwn101 (BOF)
Abusing a call to a vulnerable function (gets) in order to perform a buffer overflow and overwrite the value of a given variable stored in the stack. Since the value of this variable is later checked in the code, by overwriting it we manage to spawn a shell.
pwn102
Video link: PWN101 pwn102 (BOF to overwrite memory)
Overflowing a buffer due to the use of scanf
function. We are overwriting memory in such a way that we’re placing specific values at specific addresses hence spawning a shell.
pwn103
Video link: PWN101 pwn103 (ret2win)
Hijacking the program’s execution flow in order to execute a function of our choice, which is usually called ret2win (because we are returning to win() or any equivalent function) . We are abusing a buffer overflow caused by the use of scanf. A detailed explanation is given about how the stack behaves and what is happening in memory during the execution, so as to understand the underlying concepts and why this attack is possible. A thorough explanation will be given about how RSP and RBP registers are modified by the instructions, either as a direct or side effect.
pwn104
Video link: PWN101 pwn104 (ret2shellcode)
Hijacking the program’s execution flow in order to execute our payload, which conveniently corresponds to assembly instructions/code that spawn a shell (Shellcode), an attack that is commonly referred to as ret2shellcode or simply shellcode execution. This time we are abusing a buffer overflow caused by the misuse of read. The address of the buffer on the stack (where we want to jump to in order to execute the shellcode) is leaked by the binary itself, thus allowing us to bypass ASLR with ease. In this video ASLR and the concept of Shellcode are introduced. Detailed explanation is given as to how execute the shellcode.
pwn105
Video link: PWN101 pwn105 (Integer Overflow (IOF))
Exploiting an integer overflow so as to spawn a shell. In this video we are exploring the binary world and how the CPU treats numbers. We will discuss their representation in memory (both positive and negative numbers) and how basic arithmetic (addition and subtraction) is carried out, which will inevitably lead us to integer overflow, underflows, truncation and signedness errors.
pwn106
Video link: PWN101 pwn106 (Format String)
Abusing a Format String vulnerability to leak memory. Understanding the format string vulnerability step by step in this thorough tutorial explaining its very foundations, the underlying concepts. How do format string vulnerabilities happen, why and how can we abuse them. Format String vulnerabilities allow an attacker to both leak memory and corrupt it by writing arbitrary values. In this video we will learn how to leak memory by abusing a Format String vulnerability, aside from understanding what is happening internally.
pwn107
Bypassing stack canaries and PIE/PIC by abusing a Format String vulnerability. In this step-by-step tutorial we will understand what a canary is, what is its main purpose and how can we bypassing it in order to hijack the program’s execution flow. At the same time, we will dig into Position Independent Executable (PIE) or Position Independent Code (PIC) and learn how to bypass it as well, exploiting the same Format String vulnerability. Leaking addresses from the binary will allow us to get the dynamic binary’s base address (its base address during execution) to finally perform a ret2win attack.
pwn108
Overwriting GOT (Global Offset Table) entries by abusing a Format String vulnerability, hence hijacking the execution flow of the program. We will see in detail how to overwrite memory with the %n format specifier from the printf family of functions, understanding how to write 4 or less bytes with the values we desire at the address we want. Besides, bad chars of printf function will be also discussed, which define how the payload must be arranged
pwn109
Return to libc (ret2libc) fully explained from scratch. In this video we will see and understand how to perform a ret2libc in a multistaged exploit. First, we will abuse a buffer overflow in order to hijack the execution flow and leak addresses from the global offset table (GOT). We will create a tailored ROP chain to jump to PLT, passing as parameters addresses from the GOT. Once we obtained the information we need, we execute once again (second stage) the vulnerable function and, based on the leaked information, we will jump to system() passing as parameter the string “/bin/sh”. In order to do so, we will discover the libc version the server is running and jump to specific locations once we leak the dynamically resolved addresses.
pwn110
Abusing a buffer overflow to craft a malicious call to mprotect(2) and change the stack protections making it executable in order to spawn a shell (shellcode). This will bypass the NX bit, which the binary was compiled with. Step-by-step resolution of the pwn110 challenge of TryHackMe’s PWN101 room. We will also understand what an aligned address is by calculating the page boundary of the memory page containing the stack at any given point during execution. This is done by the means of leaking the variable fo __libc_stack_end during execution. The exploit will comprise 2 stages: in the first one we will leak the addresses of the stack and in the second one we will change the stack protections and execute the shellcode.
Coming soon
More challenges
- Click here to see TryHackMe index.