If any of you have played around with the Offensive Security certifications, then for sure you have discovered that they are quite creative and that the people administering them want to make you think by yourself with as little help as possible.
One of their courses, CTP (Cracking the Perimeter), even requires you to hack into a website, retrieve a code, decipher how to get a secret key and only then can you proceed with the registration which checks that you managed to fetch these values.
Without giving a way the challenge, I can only say that working with GDB is needed for the final tests and that I, being lazy, installed a plugin for it called GEF so that I could trace what happens with the registers and have the information visually displayed all the time.
What is needed and how we install it on a Mac?
First of all while browsing around I also found something nice:
LLDB to GDB equivalents
Then better to work inside a container as it’s easier to export the image OR container:
- Export container
docker ps -a docker export <CONTAINER ID> > export-name.tar
- Import container
cat export-name.tar | docker import - image_name:latest
- Export image
docker images docker save <image name> > export-name.tar
- Import image
docker load < export-name.tar
docker run -dit --cap-add=SYS_PTRACE ubuntu:latest docker ps docker attach <ID from docker ps> apt-get install python3-pip pip3 install capstone unicorn keystone-engine ropper retdec-python wget -q -O- https://github.com/hugsy/gef/raw/master/scripts/gef.sh | sh
Run it and use it
gdb -q <program to analyze>
root@90707107d7df:~# gdb -q <program name> GEF for linux ready, type `gef' to start, `gef config' to configure 65 commands loaded for GDB 18.104.22.16880409-git using Python engine 3.6 [*] 3 commands could not be loaded, run `gef missing` to know why. Reading symbols from shellcode-final...done. Python Exception <class 'UnicodeEncodeError'> 'ascii' codec can't encode character '\u27a4' in position 12: ordinal not in range(128): (gdb) l 1 1 global _start 2 _start: #set breakpoint on start (gdb) b 2 (gdb) run \# go through the program step by step and see in the output window how the registers \# change (gdb) n
The output will be something similar to: