Syscall 14 is known as "SANDBOX_SPECIAL"... I wonder if that would be useful here. You'll be stuck in a never ending loop of binexec until you perform syscall 14. To learn about syscalls and how they work in pwnyOS, check out the documentation! System Calls in pwnyOS: https://github.com/sigpwny/pwnyOS-2020-docs/blob/master/Syscalls.pdf Author: ravi
We start out with a welcome screen and are told that we are in a sandbox.
We are further told that we can write shell code in hex and then run it by typing the word
done and hitting enter.
Before we get too deep into this challenge lets go over some concepts that will make our life immensely easier, syscalls and shellcode.
SysCalls are a way for users process to make a request of the kernel. They are typically made by user process. Most modern operating systems have far more than the 16 in pwnyOS but the concept is the same.
Shellcode, is often thought of as code that is used to launch a shell. It is typically written in machine code which is a programming language that directly controls the CPU.
Now that we have some definitions we can understand that our goal is to write some code that executes a specific piece of code. By doing this we should be able to retrieve the flag.
We start by checking out the documentation and quickly identify “syscall 14” the
Now you may say that you don’t know assembly let alone machine language. Fortunately, for us we have an example that was helpfully included in the documentation. We can also see that this is i386 bytecode.
Unfortunately, it is written in AT&T syntax.
- First, we move the address we are running our code from into
- Second, we move
14(the value of the SANDBOX_SPECIAL syscall) into
- Third, we call interrupt with 0x80, which tells the system we want to execute a syscall.
- Finally, we call ret.
movl $0x0804c0a0, %eax movl $14, %eax int $0x80 ret
Cool. Now that we can visualize this in the assembly. We can do a few different things. We can try to compile but I had some challenges getting it to work. I was able to use both the example assembly, shellcode, and very handy discord bot called “REBot” to work out the shellcode needed line by line.
b2 a0 c0 04 08 8d 1d 15 00 00 00 01 d8 b8 0e 00 00 00 cd 80 c3
We grab the flag, hit enter, and are dropped into a “Rash” shell. Ready to tackle the next challenge.