Writeups – pwn50, rev250 (ekoparty CTF)

This week, I participated in the ekoparty CTF. Unfortunately, I wasn’t able to devote too much time to it (with the competition taking place over two work days), but I was able to solve a few challenges.

I will present my solutions for pwn50 and rev250 below, because I found the solutions to these interesting.

Pwn50 – Bleeding

bleeding

This challenge begins, as many “pwn” challenges do, with a binary file: pwn50_af93ddaf35df98ff.

Upon opening this in IDA, the structure of the binary appears reasonably simple:

  • it takes a piece of user input
  • adds what appears to be some canary values
  • encodes it in a static fashion (does not rely on any random or fetched key material)
  • sends it to a server, and
  • prints the reply.

However, there is a way of solving this challenge without really understanding what the binary does at all. The name of the bug implies a variation of Heartbleed, and XKCD’s excellent explanation practically gives away how to exploit this (taken from here):

Given that this is the case, we know that in the data which the application sends to the server, it should send some manner of “length” field, which if modified, will cause the server to return a different length of data (presumably containing the key).

We can simply brute force the location of this field, by setting the bytes one at a time to “0xFF”, and seeing what the server replies with. Thanks to the client we are provided, there’s no need to even patch the binary – simply point the binary to a listener on localhost, dump the output into a file, and mutate and send the file to the server. Very quickly, we get our key:

pasted_image_at_2016_10_27_10_50_pm

You can download the Python script for mutating the data here.

Rev250 – Fuckzing reverse

ruckzing_reverse

You can download the binary here: rev250_7349bb665456cae8.

Opening this executable in IDA, we realize that it reads a bit of user input, and then tries to match the input against a number of conditions. If you pass every check, the executable prints the flag. It is immediately apparent that manual analysis will not be a viable solution:

angr_fuckzing

For this solve, we were able to use the “angr” tool to great effect. Instead of using angr as in previous attempts, we built an angr script which would focus on finding a state where stdout contained what we wanted:

import angr

p = angr.Project('FUck_binary')

pg = p.factory.path_group()
pg.explore(find=lambda p: "Your flag is " in p.state.posix.dumps(1))

s = pg.found[0].state
f = open("fuck","wb")
f.write(s.posix.dumps(0))
f.close()
print "ok"

Note that this is doable with “strings”-level analysis on the binary. Of note, the “s.posix.dumps” function works on file descriptor, so in this case, we simply dump whatever stdin gets us “Your flag is ” on stdout.

As the input we provided isn’t printable, we simply dump this to a file, and then pipe the file to the server for the flag:

screenshot-281016-23%3a24%3a03

One final note: the binary imports it’s get_flag function, so you will need to fake your own libget_flag.so. A simple gcc shared object returning a static value is enough.

Technique – Scrolling up in Screen

This week, I learned it was possible to scroll up in GNU Screen. Specifically, if you press Ctrl-C, and then hit the left square bracket button “[“, you are able to use your arrow keys to scroll up in a screen session. To return to normal operation, hit the Enter button twice. Computers are ~magic~.

I’d like to extend a thanks to ekoparty CTF team / NULL Life for putting on this fantastic event. I had a lot of fun tackling challenges which were outside the usual scope for pwn/reversing, even if I was unable to solve many of them – well done.

See you all at “hack the vote” CTF next weekend 🙂

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s