{"id":1174,"date":"2020-02-13T10:55:43","date_gmt":"2020-02-13T15:55:43","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=1174"},"modified":"2020-02-20T21:36:26","modified_gmt":"2020-02-21T02:36:26","slug":"exploit-education-fusion-setup","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/exploit-education-fusion-setup\/","title":{"rendered":"Exploit Education | Fusion | Setup"},"content":{"rendered":"<p>I&#8217;ll be working through the <a href=\"http:\/\/exploit.education\/fusion\/\">Fusion<\/a> challenges and posting my solution to each level here. These challenges are a step above <a href=\"http:\/\/exploit.education\/phoenix\/\">Phoenix<\/a>. If you haven&#8217;t completed those, or don&#8217;t already have the requisite knowledge, I suggest you either try those or read my solutions to them here: <a href=\"https:\/\/blog.lamarranet.com\/index.php\/exploit-education-phoenix-solutions\/\">https:\/\/blog.lamarranet.com\/index.php\/exploit-education-phoenix-solutions\/<\/a>. 
I&#8217;ll also be using these exercises to learn how to use <a href=\"https:\/\/github.com\/Gallopsled\/pwntools\">pwntools<\/a>.<\/p>\n<p>This post will describe how to get set up to follow along.<\/p>\n<h1>About<\/h1>\n<p>Fusion is the next step from the Phoenix setup and covers more advanced styles of exploitation, along with a variety of anti-exploitation mechanisms such as:<\/p>\n<ul>\n<li>Address Space Layout Randomisation<\/li>\n<li>Position Independent Executables<\/li>\n<li>Non-executable Memory<\/li>\n<li>Source Code Fortification (-D_FORTIFY_SOURCE=)<\/li>\n<li>Stack Smashing Protection (ProPolice \/ SSP)<\/li>\n<\/ul>\n<p>In addition to the above, there are a variety of other challenges and things to explore, such as:<\/p>\n<ul>\n<li>Cryptographic issues<\/li>\n<li>Timing attacks<\/li>\n<li>Variety of network protocols (such as Protocol Buffers and Sun RPC)<\/li>\n<\/ul>\n<p>At the end of Fusion, the participant will have a thorough understanding of exploit prevention strategies, associated weaknesses, various cryptographic weaknesses, and numerous heap implementations.<\/p>\n<h2>Required Knowledge<\/h2>\n<p>When writing these solutions, I assume that you have either completed the Phoenix challenges, read through my solutions to the <a href=\"https:\/\/blog.lamarranet.com\/index.php\/exploit-education-phoenix-solutions\/\">Phoenix challenges<\/a>, or simply already have the knowledge to be able to complete them.<\/p>\n<p>I&#8217;ll still be as detailed as I can while leaving out some basic techniques, such as finding the distance from the start of a buffer to the saved return address.<\/p>\n<h1>Tools<\/h1>\n<p>It shouldn&#8217;t matter which host OS you&#8217;re using. I switch between using Windows 10 and Arch Linux as my host OS. Regardless, I&#8217;ll be using an Arch Linux VM to attack the Fusion VM from. 
Here&#8217;s what you&#8217;ll need:<\/p>\n<ul>\n<li>On the host OS:<\/li>\n<ul>\n<li><a href=\"https:\/\/www.virtualbox.org\/\">VirtualBox<\/a> (you can use a different hypervisor if you want)<\/li>\n<\/ul>\n<li>On the attacking machine:<\/li>\n<ul>\n<li>Python 3<\/li>\n<li><a href=\"https:\/\/github.com\/Gallopsled\/pwntools\">pwntools<\/a><\/li>\n<\/ul>\n<\/ul>\n<h1>Installation<\/h1>\n<p>I won&#8217;t be going over how to install VirtualBox (you can follow their <a href=\"https:\/\/www.virtualbox.org\/manual\/ch02.html\">documentation<\/a>) or how to set up a Linux VM to attack from. But I will cover installing pwntools and creating the Fusion VM.<\/p>\n<h2>Python 3 &#038; Pwntools<\/h2>\n<p>From the terminal on your attacking machine, you can install Python 3 and pwntools:<\/p>\n<h3>Ubuntu<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n$ sudo -i\r\n# apt update\r\n# apt upgrade -y\r\n# apt install -y python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential\r\n# python3 -m pip install --upgrade pip\r\n# python3 -m pip install --upgrade git+https:\/\/github.com\/Gallopsled\/pwntools.git@dev\r\n<\/pre>\n<h3>Arch Linux<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n$ sudo -i\r\n# pacman -Syu\r\n# pacman -S --noconfirm python python-pip git openssl libffi\r\n# python -m pip install --upgrade pip\r\n# python -m pip install --upgrade git+https:\/\/github.com\/Gallopsled\/pwntools.git@dev\r\n<\/pre>\n<h2>Creating the VM<\/h2>\n<p>You can download the ISO used to boot the VM from here:<br \/>\n<a href=\"https:\/\/github.com\/ExploitEducation\/Protostar\/releases\/download\/v2.0.0\/exploit-exercises-protostar-2.iso\">https:\/\/github.com\/ExploitEducation\/Protostar\/releases\/download\/v2.0.0\/exploit-exercises-protostar-2.iso<\/a><\/p>\n<ol>\n<li>Open VirtualBox and click the &#8220;New&#8221; button to create a new VM.<\/li>\n<li>Enter a name (e.g. 
&#8220;Fusion&#8221;), select &#8220;Linux&#8221; for type, and &#8220;Ubuntu (32-bit)&#8221; for Version. Click Next.<\/li>\n<li>The default of 1024 MB for RAM should be fine. Click Next.<\/li>\n<li>Select &#8220;Do not add a virtual hard disk.&#8221; Click Create.<\/li>\n<li>Click &#8220;Continue&#8221; on the warning about creating a new VM without a hard disk.<\/li>\n<li>Right-click on the newly-created VM and select &#8220;Settings&#8230;&#8221; Go to &#8220;Storage.&#8221;<\/li>\n<li>Select the &#8220;Empty&#8221; disc drive under &#8220;Controller: IDE&#8221;, click the small disc icon\/dropdown, select &#8220;Choose Virtual Optical Disk File&#8230;&#8221;<\/li>\n<li>Browse to where you&#8217;ve saved the downloaded ISO and open it.<\/li>\n<li>Check the box for &#8220;Live CD\/DVD.&#8221;<\/li>\n<li>Select &#8220;Audio&#8221; on the left menu and uncheck &#8220;Enable Audio.&#8221;<\/li>\n<li>Select &#8220;Network&#8221; on the left menu and change the adapter type from NAT to Host-only.<\/li>\n<li>Click OK to close the settings.<\/li>\n<\/ol>\n<p>Go ahead and boot the VM. Just keep in mind that it&#8217;s booting from an ISO and not a drive. So any changes you make to the file system will be reverted after a reboot.<\/p>\n<pre>\r\nNOTE:\r\nIf you're using your host as the attacking machine, reverse shells may not work properly with the \"host-only\" network. If this is the case, try using a bridged adapter for your VM.\r\n<\/pre>\n<p>You can log in with the username of <code>fusion<\/code> and password <code>godmode<\/code>. To get root for debugging purposes, you can use the <code>root<\/code> account with the password <code>godmode<\/code>.<\/p>\n<p>You should now be ready to go.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ll be working through the Fusion challenges and posting my solution to each level here. These challenges are a step above Phoenix. 
If you haven&#8217;t completed those, or don&#8217;t already<a href=\"https:\/\/blog.lamarranet.com\/index.php\/exploit-education-fusion-setup\/\" class=\"more-link\"><span class=\"readmore\">Continue reading<span class=\"screen-reader-text\">Exploit Education | Fusion | Setup<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-1174","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/1174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=1174"}],"version-history":[{"count":28,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/1174\/revisions"}],"predecessor-version":[{"id":1311,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/1174\/revisions\/1311"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=1174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=1174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=1174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}