This challenge requires skills in exploit development, reverse engineering, and scripting in Python. In this challenge we were given a file named

“baby-6971f0aeb454444a72cb5b7ac92524cd945812c2.tgz”

Note: you can view the solution here


After extracting this file we are presented with two files, “baby” and “libc.so”. The target we are required to exploit is “baby”. As is usual when analyzing and reversing binaries on Linux, both 32- and 64-bit, we first want to gather some information about the file.

As shown in the picture, we got a DLL file which needs to be checked against the enabled security measures. We will use a tool called “checksec.sh” developed by “slimm609”.

As we see above, we have PIE and NX enabled. That means we cannot simply overwrite EIP with a stack overflow, because the file has ASLR and DEP enabled, which randomizes the addresses we would need each time. So we should leak some pointers and addresses by checking whether a “format string” vulnerability is present, then leverage that leak to obtain the libc base address and use it to construct our ROP chain, bypassing DEP and ASLR in order to drop a shell and pwn the system. First, let me show some approaches for searching for and collecting ROP gadgets. If you have an executable file, use Immunity Debugger with the “mona” plugin developed by “corelanc”.
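The PIE and NX verdicts that checksec.sh reports come straight from two ELF fields: e_type (ET_DYN means PIE) and the flags of the PT_GNU_STACK program header (no PF_X means NX). The following added example, which is not part of the original writeup, reads those fields directly so you can confirm the output for any ELF; the build_sample_elf64 helper constructs a minimal test image and is not a real binary.

```python
import struct
import sys

# Constants from the ELF specification
ET_DYN = 3               # e_type for shared objects and PIE executables
PT_GNU_STACK = 0x6474E551
PF_X = 0x1

def parse_elf_hardening(data: bytes) -> dict:
    """Report PIE/NX for an ELF image held in memory (the two checksec.sh
    columns the writeup relies on)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(end + "H", data, 16)  # same offset for ELF32/64
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    # No PT_GNU_STACK entry means the kernel falls back to an executable
    # stack on x86, so treat "missing" as NX disabled.
    nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:
            p_type, = struct.unpack_from(end + "I", data, off)
            p_flags, = struct.unpack_from(end + "I", data, off + 24)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx, "bits": 64 if is64 else 32}

def build_sample_elf64(pie: bool, stack_exec: bool) -> bytes:
    """Constructed minimal ELF64 image (header + one PT_GNU_STACK phdr) used
    only to exercise the parser; it is not a loadable binary."""
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4], ehdr[5], ehdr[6] = 2, 1, 1          # 64-bit, little-endian, version 1
    struct.pack_into("<HHI", ehdr, 16, ET_DYN if pie else 2, 62, 1)  # e_type, x86-64, ver
    struct.pack_into("<QQQ", ehdr, 24, 0x1000, 64, 0)   # e_entry, e_phoff, e_shoff
    struct.pack_into("<IHHH", ehdr, 48, 0, 64, 56, 1)   # e_flags, ehsize, phentsize, phnum
    flags = 0x6 | (PF_X if stack_exec else 0)           # RW plus optional X
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return bytes(ehdr) + phdr

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    img = open(path, "rb").read() if path else build_sample_elf64(True, False)
    print(parse_elf_hardening(img))
```

Run it as `python3 elfcheck.py ./baby` (script name assumed) and compare the dictionary with the checksec.sh columns; a PIE binary with NX enabled yields `{'pie': True, 'nx': True, 'bits': 64}`.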

Use the following commands in Immunity Debugger to get the ROP gadgets in a separate "rop.txt" file:

!mona modules

!mona ropfunc -m some.dll -cpb '\x00\x09\x0a'

Here “some.dll” is a DLL that is not rebased, has no ASLR, and contains none of the bad characters, so that the generated ROP chains are valid and usable for the attack.

In our case we can use edb-debugger with its ROP plugin to get them. Basically, each gadget in a ROP chain ends with “RET”.

Now for the interesting part, which is the Python script:

Now let’s execute our pwn.py Python script to see if we get the shell:

And we get it.