A (probably) never-ending post
I’m creating this post on my blog that gets a whopping 0-readers as a way for me to track my actual progress on learning reverse engineering and exploit development. For context: This post started with absolute 0 experience in RE/Exploit development. I’ll be updating it as I learn useful concepts.
What better way to spend the quarantine than attempting to tackle a subject that’s always been my weak-point: Finding vulnerabilities in binary applications through reverse engineering, debugging, and techniques I probably haven’t heard of yet.
Not gonna lie, one of the biggest deterrents I’ve had on this subject was the seeming community consensus that “IDA Pro” is the go-to tool for this line of vulnerability hunting, but I reeeaalllly didn’t want to drop between $600 - $1150 on a program I can’t even use properly yet. So, now that I’m locked inside, let’s see if I can get started without using IDA.
How much I think I know as of starting
- Heard of ASLR, I think it randomizes memory addresses, no idea what that looks like
- Buffer overflows overwrite some data in memory that attempt to take control of the program
- There are heap and stack overflows. No idea what a heap or stack is, other than “memory”
- DEP stands for Data Execution Prevention, which is a security control to prevent code from executing outside of permitted areas of memory
- NOP sledding is(was?) a thing
- People say “Integer Overflow” a lot
- The mitochondria is the powerhouse of the cell
The name of the game is to abuse what little influence you have on an application, to make it do whatever you want it to
Less than baby steps
I can’t tell you exactly what IDA Pro does, all I know is that I’m probably going to need something like it. So after some googling I came across this useful StackOverflow post (see here). Since I was only looking at the free options, Radare2 sounded the best out of all of them. It’s console based, which would have been a deal breaker, except there’s an awesome GUI you can get for it (also free) called Cutter.
Turns out Radare2 was already on my Kali box, and I was able to get Cutter going with a simple
apt install cutter
Cool, now I’ve got this - thing - of which I have no idea what it does or how it works, but at least I’m ReAdY tO gEt GoInG.
Before reading online, or even looking to see where I would start to read online, I thought I would first get a gauge of how screwed I was. So I logged into HackTheBox and navigated to their Challenges > Reversing section and selected the easiest rated one available, which was literally called: Baby RE.
Since I imagine I’ll be doing a lot of these challenges to figure this out, I’m gonna create an entire section of my unread blog for HTB challenges. This narrative of this post will briefly switch over to that write up now, and then (hopefully) wrap up in the next paragraph on this page once I completed the challenge.
First attempt results
Alright so I was successfully able to pop that one application. The way I think I did it was by taking the application and opening it up in a decompiler, Cutter in this case, and taking a look at the program execution flow/logic through a graph - I literally wouldn’t have been able to otherwise. I found that the application was taking in an input as a string, and then comparing it with another string declared as a constant, that I could see with the decompiler. SO…I couldn’t tell you if this was the same as just using strings but in a more convoluted way, but in the end I was able to get a modicum of a grasp of what this looks like.
Now, as a consultant, I am curious what the remediation is for this. Is this a bug? Are there remediation? No idea, but this first literal “baby level” exposure to RE made me feel a bit more comfortable in this arena.
Forgot the basics
Made another attempt at a HackTheBox reversing challenge, and was humbled yet again.
I’m not an RE guy, but even I’ve heard about breakpoints. I’m kicking myself that I struggled so badly on my latest HTB Reversing challenge because of that simple fact, but cest la vie. Thus far I’ve re-learned about breakpoints, and picked up a great tool for .NET applications.
Current knowledge status:
- Can use strings
- Can open Cutter
- Breakpoints exist
- Can set breakpoints, edit code, and recompile in DnSpy
- Can use the Linux file command to quickly a file type based on content