Writeup – tiny_backdoor_v1, tiny_backdoor_v2 (hackover.de)

This weekend, I participated in the hackover.de CTF. Unfortunately, I was only able to dedicate very limited time to this, but I was able to complete “tiny_backdoor_v1” and “tiny_backdoor_v2” challenges in time. As usual, the writeups are below:

tiny_backdoor_v1

This challenge was presented as a Linux executable file. This was presented as a Linux executable file: tiny_backdoor_v1_v2 (this contains both v1 and v2). To start with, we inspect the file in IDA – it becomes immediately apparent that this executable takes a 9-character key, xor’s a block of data with it and jumps to the block of data:

somewhere, there's code in there...

somewhere, there’s code in there…

Without any further information, we know that this block is 0x48 characters in length, and the key is 9 characters in length. My first thought was that this was encrypted shellcode, specifically:

hackover_google

Observant readers will quickly notice my error, but this took me about half an hour of fruitless manual xor because I’m a dumbass.

I then made the assumption that this was a legitimate function, with a legitimate function prologue and epilogue, compiled with the same compiler which built the rest of the program. That is:

hackover_prologue

This gives us enough “known bytes” to combine with our encrypted blob to produce the 9 bytes of xor key (first seven, last two – the 20 doesn’t count because the stack size for various functions is prob. different). Our next step is to try this in gdb:

hackover_gdb

This looked like a very promising function, though some of the bytes at 0x600154 seemed broken. It turns out that these were data bytes(“flag.txt”), loaded by 0x60014b (this is a common trick with position independent code, which must use relative addressing and often comes in contiguous blocks).

The rest is standard CTF nonsense – packaging up the payload, sending it through to the host, and waiting for a flag (solution here)

tiny_backdoor_v2

Upon first inspection, tiny_backdoor_v2 implements a single addition to tiny_backdoor_v1: before calling the decrypted shellcode, a call to mprotect is made to render it executable:

hackover_tinybdv2

Fortunately, everything else is the same, including the “shellcode”. And the key.

Simply changing the port number on the previous solution and pointing it at this challenge reveals the flag. I’m at a loss for why a different number of people solved tiny_backdoor_v1 and tiny_backdoor_v2.

Tooling – IDA Consonance

Some of you may have noticed that my IDA Pro is no longer blindingly bright colours. This week, I discovered the magic of the IDA Consonance color scheme. I highly recommend this for anyone who likes to spend extended periods of time in IDA – being able to see the screen without fucking squinting is a massive plus in those four-hour-plus reverse engineering sessions at 2:30am.

Thankyou to the hackover.de team for putting together a wonderful CTF – it is with great sadness that I must confess I spent time on the weekend doing other reversing (I’m getting into some IOT stuff), rather than playing in this event.

See you all in ekoparty CTF 😀

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s