Writeup – bender_safe (Insomni’hack 2017 Teaser)

This weekend, I participated in the Insomni’hack 2017 Teaser. During this CTF, I got schooled pretty hardcore, but I was able to solve one challenge in the time allocated. I will write this challenge up below.

bender_safe

This challenge is presented as a Linux MIPS binary, as well as a standalone qemu-mips wrapper. You can download this binary here.

This binary presents the user with an “OTP challenge”, for which the user must generate the correct corresponding token:

bender_safe

We begin our adventure by reverse engineering the code. We can determine that the binary reads 8 bytes of OS-generated random data and transforms them into the OTP challenge. From there, it accepts the user input and runs a complicated validation function against the OTP challenge. From the disassembly graph overview alone, it is apparent that the intended solution is angr:

plsno

However, upon closer inspection, there is a minor quirk that allows us to find a solution without resorting to angr: for each “block” of the validation function, a failed check results in a call to exit, with the exit code being the number of the check that failed. Thankfully, qemu-mips passes the guest's exit code straight through to the host, so the failing check number is visible from the shell.

This means we can trivially brute force the correct answer for any OTP challenge. We simply need to patch the binary to read the OTP challenge from disk (instead of generating it from /dev/urandom):

modified_load

(The read size is also changed from 0x8 to 0x10 bytes.)

This allows us to “lock” the OTP challenge to a single user-specified value (whatever we read from the challenge server).

From there, we simply brute force each character in sequence until the exit code changes. When the exit code changes, we “lock” the correctly guessed character in place and restart the cycle for the next exit code:

bruteforcebestforce
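The exit-code side channel described above, as an added example that is not the author's script: the patched binary is driven through an oracle `run(candidate) -> exit code`, and a constructed simulation of the check-by-check validation stands in for qemu-mips so the example runs offline. The command line, the stdin-based input format, the challenge file path, the token charset and the token length passed to `brute_force()` are all assumptions, not facts from the write-up.

```python
"""Exit-code side-channel brute force against a per-check exit() oracle.

Added example, not the write-up's script.  A constructed simulation stands in
for the patched bender_safe binary under qemu-mips; the qemu wrapper, file
path, charset and token length are assumptions.
"""
import string
import subprocess
from collections import Counter
from pathlib import Path
from typing import Callable

ALPHABET = string.ascii_uppercase + string.digits  # assumed token charset


def make_simulated_checker(secret: str) -> Callable[[str], int]:
    """Constructed stand-in for the patched binary.

    Check i compares character i of the candidate with the expected one; the
    first failing check exits with code i + 1, and a fully correct token exits
    with 0.  This mirrors the write-up's description (one exit() per failed
    block, exit code = check number); the secret itself is made up.
    """
    def run(candidate: str) -> int:
        for i, expected in enumerate(secret):
            if i >= len(candidate) or candidate[i] != expected:
                return i + 1
        return 0
    return run


def make_qemu_checker(cmd=("qemu-mips", "./bender_safe_patched")) -> Callable[[str], int]:
    """Oracle around the real patched binary (assumed command, token on stdin).

    qemu-user returns the guest's exit status as its own, which is what makes
    the failing check number observable from the host.
    """
    def run(candidate: str) -> int:
        proc = subprocess.run(list(cmd), input=(candidate + "\n").encode(),
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return proc.returncode
    return run


def lock_challenge(challenge: bytes, path: str = "./otp_challenge.bin") -> None:
    """Write the server's challenge where the patched loader reads it.

    Assumed: the patch swaps the /dev/urandom read for a 0x10-byte read from
    this file, so the challenge is padded or truncated to 16 bytes.
    """
    Path(path).write_bytes(challenge.ljust(16, b"\x00")[:16])


def brute_force(run: Callable[[str], int], length: int,
                alphabet: str = ALPHABET, filler: str = "A") -> str:
    """Recover the token one position at a time from the exit code.

    For position `pos`, every alphabet character is tried after the already
    recovered prefix, with a constant filler suffix.  All wrong guesses fail
    the same check and share one exit code; the single guess that fails a
    later check (or exits 0) is the correct character.  Scanning the whole
    alphabet and picking the outlier, rather than stopping at the first
    change from a baseline, avoids a false lock-in when the filler happens
    to be right at the next position.
    """
    known = ""
    for pos in range(length):
        pad = filler * (length - pos - 1)
        codes = {ch: run(known + ch + pad) for ch in alphabet}
        common = Counter(codes.values()).most_common(1)[0][0]
        outliers = [ch for ch, code in codes.items() if code != common]
        if len(outliers) != 1:
            raise RuntimeError(f"position {pos}: expected one outlier, got {outliers!r}")
        known += outliers[0]
    if run(known) != 0:
        raise RuntimeError("recovered token does not exit 0; check length/charset")
    return known


if __name__ == "__main__":
    oracle = make_simulated_checker("BENDER42")  # constructed secret
    print(brute_force(oracle, 8))
```

Against the real target you would call `lock_challenge()` with the value shown by the challenge server, then pass `make_qemu_checker()` to `brute_force()`; the cost is one process launch per alphabet character per position, which is what makes a per-check exit code so much cheaper than symbolic execution.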

This quickly reveals the correct code, and the flag:

flag_lol

You can download the python script for this brute force here. Note that it doesn't always work (qemu can be a bit finicky); if it fails, generate a new OTP challenge and try again.

Tools Update – retdec.com / Retargetable Decompiler

During this CTF, I made use of the free decompiler service offered by retdec.com, provided courtesy of AVG. This decompiler accepts an upload of a binary file (including, surprisingly for a free service, non-x86/x64 files) and outputs a decompiled C file.

Note that free-but-registered users are limited to 10 minutes of maximum decompilation time, which can cause an issue with large files. To get around this, I advise disabling decompiler optimisations. The output looks just as if someone had pressed F5 in IDA:

bender

As always, I’d like to thank the organisers of the Insomni’hack 2017 Teaser CTF for putting together an enjoyable and challenging event. See you all in AlexCTF!

About Norman

Sometimes, I write code. Occasionally, it even works.