Camp CTF 2015 - Bitterman

Name: Camp CTF 2015 - Bitterman
Uploaded: 2017-10-10T01:40:15Z
Channel: IppSec
Description: 00:00 - Introduction 01:20 - Using CheckSEC to explain the binary protections that can be applied. 02:45 - Running the binary to discover a segfault wit...

IppSec · Beginner ·🔐 Cybersecurity ·8y ago

00:00 - Introduction 01:20 - Using CheckSEC to explain the binary protections that can be applied. 02:45 - Running the binary to discover a segfault with long string of A's 04:10 - This is a 64 bit Binary so we overwrite RSP (Stack Pointer) not RIP (Instruction Pointer) 04:30 - Using Pattern Create to identify where we can overwrite RSP 05:15 - Using PwnTools to create a skeleton exploit 07:20 - Using objdump to dump the PLT (Procedural Link Address) and GOT (Global Offset Table) Address for PUTS so we can use ROP to write to the screen 09:00 - Using R2 (radare) to find the location to a pop r…

Watch on YouTube ↗ (saves to browser)

Chapters (22)

Introduction

1:20 Using CheckSEC to explain the binary protections that can be applied.

2:45 Running the binary to discover a segfault with long string of A's

4:10 This is a 64 bit Binary so we overwrite RSP (Stack Pointer) not RIP (Instructi

4:30 Using Pattern Create to identify where we can overwrite RSP

5:15 Using PwnTools to create a skeleton exploit

7:20 Using objdump to dump the PLT (Procedural Link Address) and GOT (Global Offset

9:00 Using R2 (radare) to find the location to a pop rdi function

9:45 Building the gadget chain to print the location of PUTS

12:20 Packing the addresses in our exploit with p64(), then showing the leaked addre

14:00 Storing the leaked address as a variable so we can convert it to hex

15:50 Memory address retrieved! It changes every time the program loads, so adding

18:50 Looking for a SYSTEM() Address with ReadElf

19:00 Using strings to find the location of "/bin/sh" within libc

19:55 Using the leaked addresses to find where libc is loaded

24:50 Fixing up some memory addresses then getting a shell!

25:10 Using Pwntools to the max! Having it automate a lot of stuff.

25:50 Mapping the ELF + LIBC within PwnTools

26:45 Using PwnTools to build the ROP Chain to leak PUTS

28:15 Using PwnTools to rebase LibC From our memory leak

29:00 Using PwnTools to pull the SYSTEM and /bin/sh information from LibC

30:30 Debugging some errors then getting a shell!

Playlist

Uploads from IppSec · IppSec · 8 of 60

← Previous Next →

Camp CTF 2015 - Bitterman

Chapters (22)

Playlist

Lesson complete!