Summary

In this post, we covered the basic steps to take in order to analyze a binary using several tools such as checksec and the GDB debugger. The purpose is to check the binary architecture, shellcode execution protections and whether it’s vulnerable to buffer overflow. This video was part of the HackTheBox Cyber Apocalypse 2023 track.

This post covers the walkthrough for HackTheBox Questionnaire.

Challenge Description

It’s time to learn some things about binaries and basic C. Connect to a remote server and answer some questions to get the flag.

I started by downloading the necessary files, which included both the source code for analysis and the binary file itself. My goal was to connect to a remote server, answer a series of questions about this binary, and ultimately retrieve a flag.

I went through a structured analysis process, answering key questions about the binary:

  1. Is this a 32-bit or 64-bit ELF file? I used the file command on the binary named “test” and determined it was a 64-bit ELF file.
    • Command: file test
  2. What’s the linking of the binary (static or dynamic)? The file command output also revealed that it was dynamically linked.
  3. Is the binary stripped or not? Again, the file command showed that the binary was not stripped.
  4. Which protections are enabled (canary, NX, PIE, Fortify)? To check the security protections, I used the checksec tool. The output indicated that only NX (No-eXecute) was enabled, meaning code execution on the stack is prevented.
    • Command: checksec --file=test
  5. What’s the name of the custom function that gets called inside main? By examining the C source code, I found that the main function called a custom function named vulnerable (or vuln).
  6. What is the size of the buffer? Looking at the vulnerable function in the source code, I saw a buffer defined with a size of 20 bytes (0x20).
  7. Which custom function is never called? Reviewing the main function in the C code, I noticed that only the vulnerable function was called. There was another function named GG that appeared to retrieve a system flag but was never invoked from main.
  8. What’s the name of the standard function that could trigger a buffer overflow? In the C code, the fgets function was used to handle user input. This function can overflow the buffer when the maximum length passed to it is larger than the buffer itself.
  9. After how many bytes does a segmentation fault occur? A segmentation fault indicates the program couldn’t handle the input, often due to a buffer overflow. To pinpoint the exact number of bytes, I used GDB (GNU Debugger). I generated patterns of increasing length (30, 39, then 40 characters) and supplied them as input to the program running in GDB.
    • GDB Command (initial setup): gdb -q test
    • GDB Command (to generate pattern): pattern create <length> (e.g., pattern create 40)
    • GDB Command (to run program): r
    When I supplied 40 characters, a segmentation fault occurred. To find the exact offset, I looked at the instruction pointer (RIP) value at the time of the crash. Then, I used pattern search in GDB.
    • GDB Command (to search pattern): pattern search <address_of_instruction_pointer>
    The output confirmed the crash occurred precisely at 40 bytes. This means any shellcode would need to be inserted after these 40 bytes.
  10. What is the address of the GG function? In GDB, I used the disassemble command for the GG function.
    • GDB Command: disassemble GG
    The starting memory address of the GG function was clearly displayed.
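The pattern create / pattern search commands used in step 9 come from GDB extensions such as GEF or pwndbg rather than stock GDB. The following is an added example (not the author’s or the challenge’s code) that reproduces that workflow in plain Python: it builds the same style of cyclic pattern and recovers the offset from a register value as GDB prints it. The 100-byte pattern length and the simulated crash value in the test are constructed here for illustration.

```python
import string
from typing import Optional

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length: int) -> bytes:
    """Build a Metasploit/GEF-style cyclic pattern ("Aa0Aa1Aa2...").

    Every 3-byte window is unique for the first 26*26*10*3 = 20280 bytes,
    so any 4- or 8-byte slice that lands in a register maps to exactly
    one offset inside the input.
    """
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the maximum unique pattern size (20280)")


def pattern_offset(value: int, length: int, width: int = 8) -> Optional[int]:
    """Return the offset at which `value` appears in a pattern of `length`.

    `value` is the register content as GDB shows it (e.g. 0x4161354161344161
    from RIP/RSP after the crash). Registers hold the bytes little-endian,
    so the integer is packed back to its in-memory form before searching.
    `width` is 8 for a 64-bit register, 4 for a 32-bit one. Returns None
    if the bytes are not part of the pattern (e.g. the crash came from
    somewhere other than the pattern-filled buffer).
    """
    pat = pattern_create(length)
    idx = pat.find(value.to_bytes(width, "little"))
    if idx == -1:
        # Fall back to the big-endian reading, in case the value was copied
        # byte-for-byte out of a memory dump instead of a register.
        idx = pat.find(value.to_bytes(width, "big"))
    return None if idx == -1 else idx


if __name__ == "__main__":
    # Constructed demonstration: pretend the crash left pattern bytes 40..47
    # in a 64-bit register, as happens when the saved return address is
    # the first thing after the 40 bytes the write-up found.
    sample = pattern_create(100)
    crash_value = int.from_bytes(sample[40:48], "little")
    print(hex(crash_value), "->", pattern_offset(crash_value, 100))
```

Running the script with a pattern you actually fed the program, and the register value GDB reported, gives the same answer as pattern search.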

After successfully answering all these questions, I obtained the flag. This challenge served as an excellent introduction to the fundamental steps of binary analysis.

Video Walk-through


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
