ELF32 - Stack buffer overflow basic 1 ~ RootMe
Attacker: Putty on Windows OS
1) In this buffer overflow example we use SSH to gain access to a machine and practice a buffer overflow. We need the contents of the .passwd file for credit, and we need elevated permissions in order to read it. In my case I am using Putty to SSH from a Windows box; on a Linux box like Kali I could just use the ssh command.
The challenge gives you the connection information:
Input into Putty:
2) Once I look at the file system I can see that all of our files are located in this directory. The source code for the C program is located in the directory and I have the ability to view it (it is also located on the challenge webpage). I do not have the ability to view the .passwd file, however. Let's see what ch13 does.
3) Looking at the code tells me everything that I need to know.
4) I'm going to use Python to assist me in overflowing the buffer. This command will pipe 40 letter A's into the ch13 program.
I've changed the buffer and the program tells me that I'm on the right path. Now I'm going to add in the characters that I want to overflow with.
It looks like my overflow got jumbled in the process and therefore it did not call the shell. Maybe I can rearrange it in order to get it to work.
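The two things the steps above rely on, that bytes written past the end of a fixed-size buffer land on whatever variable sits next to it, and that on a little-endian x86 target those bytes come back in reverse order (the "jumbled" result), can be shown without running the challenge binary. The following is an added example and not code from the RootMe challenge or this write-up: it models the frame as one byte array (a 40-byte buffer followed by a 4-byte integer, as described above) so the result does not depend on a particular compiler's stack layout, uses a constructed starting value of 0x11223344, and puts the vulnerable read beside a bounded read that refuses over-long input. All function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame described in the write-up: a 40-byte
 * input buffer immediately followed by a 4-byte integer. It is one byte
 * array rather than two real locals so the result is deterministic and
 * does not depend on how a particular compiler lays out the stack. */
#define BUF_LEN       40
#define FRAME_LEN     (BUF_LEN + 4)
#define INITIAL_CHECK 0x11223344u   /* constructed starting value */

struct frame {
    unsigned char bytes[FRAME_LEN]; /* bytes[0..39] = buf, bytes[40..43] = check */
};

/* Decode `check` the way a little-endian x86 CPU (the ELF32 target) sees it. */
static uint32_t read_check(const struct frame *f) {
    const unsigned char *p = f->bytes + BUF_LEN;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Zero the buffer and store INITIAL_CHECK in little-endian byte order. */
static void init_frame(struct frame *f) {
    unsigned char *p = f->bytes + BUF_LEN;
    memset(f->bytes, 0, sizeof f->bytes);
    p[0] = INITIAL_CHECK & 0xff;
    p[1] = (INITIAL_CHECK >> 8) & 0xff;
    p[2] = (INITIAL_CHECK >> 16) & 0xff;
    p[3] = (INITIAL_CHECK >> 24) & 0xff;
}

/* Vulnerable pattern: the copy is bounded by the caller's length, not by
 * the buffer, so input bytes 41..44 land on `check`. (Capped at FRAME_LEN
 * only so the model itself stays inside its own array.) */
static void vulnerable_read(struct frame *f, const unsigned char *in, size_t n) {
    memcpy(f->bytes, in, n > FRAME_LEN ? FRAME_LEN : n);
}

/* Hardened pattern: the copy is bounded by the buffer. Returns -1 when the
 * input had to be truncated, so the caller can reject it instead of
 * carrying on with silently shortened data. */
static int bounded_read(struct frame *f, const unsigned char *in, size_t n) {
    memcpy(f->bytes, in, n > BUF_LEN ? BUF_LEN : n);
    return n > BUF_LEN ? -1 : 0;
}

/* Builds input shaped like the write-up's: 40 filler 'A' bytes followed by
 * the 4 bytes of `tail`, in the order they would be typed or piped. */
static void build_input(unsigned char out[FRAME_LEN], const char *tail) {
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, tail, 4);
}

/* Value of `check` after the unbounded copy. The four tail bytes come back
 * in reverse order: that is the "jumbled" result the write-up mentions. */
uint32_t check_after_vulnerable_read(const char *tail) {
    struct frame f;
    unsigned char input[FRAME_LEN];
    init_frame(&f);
    build_input(input, tail);
    vulnerable_read(&f, input, sizeof input);
    return read_check(&f);
}

/* Value of `check` after the bounded copy: unchanged. */
uint32_t check_after_bounded_read(const char *tail) {
    struct frame f;
    unsigned char input[FRAME_LEN];
    init_frame(&f);
    build_input(input, tail);
    (void)bounded_read(&f, input, sizeof input);
    return read_check(&f);
}

/* Status the bounded reader reports for the same over-long input. */
int bounded_read_status(const char *tail) {
    struct frame f;
    unsigned char input[FRAME_LEN];
    init_frame(&f);
    build_input(input, tail);
    return bounded_read(&f, input, sizeof input);
}

int main(void) {
    printf("vulnerable, tail \"ABCD\": check = 0x%08x\n", check_after_vulnerable_read("ABCD"));
    printf("vulnerable, tail \"DCBA\": check = 0x%08x\n", check_after_vulnerable_read("DCBA"));
    printf("bounded,    tail \"ABCD\": check = 0x%08x, status = %d\n",
           check_after_bounded_read("ABCD"), bounded_read_status("ABCD"));
    return 0;
}
```

Build with `gcc -Wall -o frame_demo frame_demo.c` and run it. The vulnerable reader turns a tail of "ABCD" into 0x44434241, which is why the bytes have to be supplied in reverse order before the program sees the value you intended. The bounded reader leaves `check` at its initial value and reports -1; a program that checks that status and bails out, rather than continuing with truncated input, closes this class of bug.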
This has allowed me to overflow the buffer and execute the new shell. But my shell did not execute. I believe that it is due to a timeout issue. Let me pipe the catted Python command to the program and see if that works.
That's more like it. A simple whoami command confirms that I have elevated privileges.
5) Grab the password and collect your points!!!