added official hacktheboo2024 writeups

2024-10-23 11:10:43 +02:00 · 2024-10-23 11:10:43 +02:00 · e3c46450f7
commit e3c46450f7
parent 1f7a9b0566
327 changed files with 14303 additions and 0 deletions
--- a/htb/hacktheboo2024/rev/[Very
+++ b/htb/hacktheboo2024/rev/[Very
@ -0,0 +1,101 @@
+<img src="../../assets/banner.png" style="zoom: 80%;" align=center />
+
+<img src="../../assets/htb.png" style="zoom: 80%;" align='left' /><font size="6">Graverobber</font>
+
+  4<sup>th</sup> 10 24 / Document No. D24.102.X168
+
+  Prepared By: clubby789
+
+  Challenge Author: clubby789
+
+  Difficulty: <font color=green>Very Easy</font>
+
+  Classification: Official
+
+
+
+
+
+
+# Synopsis
+
+Graverobber is a Very Easy reversing challenge. Players will use `strace` to identify binary functionality, then scripting to uncover the flag.
+
+## Skills Learned
+    - strace
+    - basic scripting
+
+
+# Solution
+
+If we run the provided binary, we're given an error message.
+
+```
+We took a wrong turning!
+```
+
+## Tracing
+
+We can use `strace` to try and guess what the binary is doing.
+
+```c
+$ strace ./robber
+/* SNIP */
+newfstatat(AT_FDCWD, "H/", 0x7ffcbd70cf50, 0) = -1 ENOENT (No such file or directory)
+write(1, "We took a wrong turning!\n", 25We took a wrong turning!
+) = 25
+exit_group(1)                           = ?
+++ exited with 1 +++
+```
+
+We're trying to use `newfstatat` (a specialized version of the `stat` syscall used for file metadata) on some directory `H`. If we create it and run again:
+
+```c
+newfstatat(AT_FDCWD, "H/", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
+newfstatat(AT_FDCWD, "H/T/", 0x7fff03f91e00, 0) = -1 ENOENT (No such file or directory)
+write(1, "We took a wrong turning!\n", 25We took a wrong turning!
+```
+
+Looks like it will open several directories in sequence. We'll write a script to automate creating them.
+
+## Scripting
+
+We'll begin by deleting and creating a directory to work in.
+
+```py
+import os
+import shutil
+from pwn import *
+
+try:
+    shutil.rmtree("directories")
+    os.mkdir("directories")
+except Exception:
+    pass
+os.chdir("directories")
+```
+
+We'll then loop, running the binary under `strace` (using `-e` to filter to only the `newfstatat` calls):
+
+```py
+while True:
+    with context.local(log_level='ERROR'):
+        p = process(["strace", "-e", "newfstatat", "../robber"])
+        out = p.recvall().decode()
+        p.close()
+```
+
+We'll then look at the last call to see the last path expected, and use that to create a directory. We'll also break if the error message isn't printed as we've likely found the whole path.
+
+```py
+        if 'wrong turning' not in out: break
+        stats = [line for line in out.split("\n") if "newfstatat" in line]
+        # Get last line, and get the content of the string
+        path = stats[-1].split('"')[1]
+        # Remove separators and print path
+        print(path.replace("/", ""))
+        # Recursively make the directory
+        os.makedirs(path)
+```
+
+On running this script, we'll get the flag.
--- a/htb/hacktheboo2024/rev/[Very
+++ b/htb/hacktheboo2024/rev/[Very
@ -0,0 +1,23 @@
+#!/usr/bin/env python3
+import os
+import shutil
+from pwn import *
+
+try:
+    shutil.rmtree("directories")
+    os.mkdir("directories")
+except Exception:
+    pass
+os.chdir("directories")
+
+while True:
+    with context.local(log_level='ERROR'):
+        p = process(["strace", "-e", "newfstatat", "../robber"])
+        out = p.recvall().decode()
+        p.close()
+        if 'wrong turning' not in out: break
+        stats = [line for line in out.split("\n") if "newfstatat" in line]
+        path = stats[-1].split('"')[1]
+        print(path.replace("/", ""))
+        os.makedirs(path)
+
--- a/Graverobber/release/rev_graverobber.zip
+++ b/Graverobber/release/rev_graverobber.zip
--- a/htb/hacktheboo2024/rev/[Very
+++ b/htb/hacktheboo2024/rev/[Very
@ -0,0 +1 @@
+directories
--- a/htb/hacktheboo2024/rev/[Very
+++ b/htb/hacktheboo2024/rev/[Very
@ -0,0 +1,7 @@
+.PHONY := clean
+
+robber: main.c
+	gcc main.c -o robber 
+
+clean:
+	rm -f robber
--- a/htb/hacktheboo2024/rev/[Very
+++ b/htb/hacktheboo2024/rev/[Very
@ -0,0 +1,56 @@
+#include <stdint.h>
+#include <stdio.h>
+
+#include <sys/stat.h>
+
+// HTB{br34k1n9_d0wn_th3_sysc4ll5}
+uint32_t parts[] = {
+    U'H',
+    U'T',
+    U'B',
+    U'{',
+    U'b',
+    U'r',
+    U'3',
+    U'4',
+    U'k',
+    U'1',
+    U'n',
+    U'9',
+    U'_',
+    U'd',
+    U'0',
+    U'w',
+    U'n',
+    U'_',
+    U't',
+    U'h',
+    U'3',
+    U'_',
+    U's',
+    U'y',
+    U's',
+    U'c',
+    U'4',
+    U'l',
+    U'l',
+    U'5',
+    U'}',
+    0,
+};
+
+#define N_PARTS sizeof(parts)/sizeof(parts[0])
+
+int main() {
+    char buf[(N_PARTS * 2) + 4] = { 0 };
+    struct stat st;
+    for (int i = 0; i < N_PARTS; i++) {
+        buf[i * 2] = parts[i];
+        buf[(i * 2) + 1] = '/';
+        if (stat(buf, &st)) {
+            puts("We took a wrong turning!");
+            return 1;
+        }
+    }
+    puts("We found the treasure! (I hope it's not cursed)");
+}