This weekend, I participated in the Insomni’hack 2017 Teaser. During this CTF, I got schooled pretty hardcore, but I was able to solve one challenge in the time allocated. I will write this challenge up below.
This challenge is presented as a Linux MIPS binary, as well as a standalone qemu-mips wrapper. You can download this binary here.
This binary presents the user with an “OTP challenge”, for which the user must generate the correct corresponding token:
We begin our adventure by reverse engineering the code. We can determine that this reads 8 bytes of OS-generated random data, and then transforms this into the OTP challenge. From there, it accepts the user's input and runs a complicated validation function against the OTP challenge. From the disassembly graph overview alone, it is apparent that the intended solution is angr:
However, upon closer inspection, we can determine there is a minor quirk which allows us to find a solution without resorting to angr – for each “block” of the validation function, a failed check will result in a call to exit, with the exit code being the number of the check that failed. Thankfully, qemu-mips will pass on this exit code to the user.
This means we can trivially brute force the correct answer for any OTP challenge. We simply need to tweak the binary to accept an OTP token from disk (instead of generating it from /dev/urandom):
This allows us to “lock” the OTP challenge to a single user-specified value (whatever we read from the challenge server).
From there, we simply brute force each character in sequence until the exit code changes. When the exit code changes, we “lock” the correctly guessed character in place, and restart the cycle for the next exit code:
This quickly reveals the correct code, and the flag:
You can download the python script for this brute force here. Note that it doesn't always work (qemu can be a bit finicky); if it fails, generate a new OTP token and try again.
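The brute force described above works only because each failed check terminates the process with a distinct exit code, so every guess reveals how far into the validation it got. The following is an added example (not the writeup's own script, which targets the real qemu-mips binary): it simulates a validator with that per-check exit-code behaviour, runs the character-at-a-time recovery against it, and then runs the same search against a validator that reports only pass/fail to show that the oracle disappears. The token transform, the alphabet, the 8-character length and the sample challenge bytes are all constructed stand-ins and are not the challenge's real logic.

```python
"""Simulated exit-code oracle and the per-position brute force it enables.

Everything here is a constructed stand-in: the real challenge's transform,
alphabet and token length are not reproduced.
"""
import hmac
import string

ALPHABET = string.ascii_lowercase + string.digits   # assumed token alphabet
TOKEN_LEN = 8                                        # assumed token length

# Constructed 8-byte "OS random" challenge, standing in for /dev/urandom data.
CHALLENGE = bytes(range(8))


def derive_token(challenge: bytes) -> str:
    """Constructed stand-in for the challenge's OTP transform (assumption).

    Each challenge byte is mapped to one alphabet character with a fixed
    affine map; any deterministic function would do for the demonstration.
    """
    return "".join(ALPHABET[(b * 7 + 3) % len(ALPHABET)] for b in challenge[:TOKEN_LEN])


def leaky_validate(challenge: bytes, token: str) -> int:
    """Mimics the challenge binary: check i failing -> exit(i), success -> 0.

    The return value plays the role of the process exit code that qemu-mips
    passes through to the caller.
    """
    expected = derive_token(challenge)
    token = token.ljust(TOKEN_LEN, "\0")[:TOKEN_LEN]
    for i, (got, want) in enumerate(zip(token, expected), start=1):
        if got != want:
            return i          # leaks the index of the first wrong character
    return 0


def hardened_validate(challenge: bytes, token: str) -> int:
    """Same decision, single failure code: compare the whole token at once."""
    expected = derive_token(challenge).encode()
    return 0 if hmac.compare_digest(token.encode(), expected) else 1


def recover_token(oracle, challenge: bytes, length: int = TOKEN_LEN,
                  alphabet: str = ALPHABET):
    """Lock in one character at a time, exactly as the writeup describes.

    A guess is correct at position `pos` when the oracle either succeeds (0)
    or fails at a *later* check (code > pos). Returns (token, queries), or
    (None, queries) if no guess for some position changes the exit code,
    which is what happens against a validator with a single failure code.
    """
    known = ""
    queries = 0
    for pos in range(1, length + 1):
        found = None
        for ch in alphabet:
            guess = (known + ch).ljust(length, alphabet[0])
            queries += 1
            code = oracle(challenge, guess)
            if code == 0 or code > pos:
                found = ch
                break
        if found is None:
            return None, queries
        known += found
    return known, queries


if __name__ == "__main__":
    token, n = recover_token(leaky_validate, CHALLENGE)
    print(f"leaky validator:    recovered {token!r} in {n} queries "
          f"(worst case {len(ALPHABET) * TOKEN_LEN}, not {len(ALPHABET) ** TOKEN_LEN})")
    token, n = recover_token(hardened_validate, CHALLENGE)
    print(f"hardened validator: recovered {token!r} after {n} queries")
```

The leaky validator falls in at most `36 * 8` queries because the search is linear in the token length; the hardened one gives every wrong guess the same answer, so the per-position search cannot make progress and the attacker is back to the full keyspace. The fix on the validator side is the usual one for this class of oracle: one failure path, one failure code, and a whole-value comparison rather than a chain of early exits.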
Tools Update – retdec.com / Retargetable Decompiler
During this CTF, I made use of the free decompiler service offered by retdec.com, provided courtesy of AVG. This decompiler will accept an upload of a binary file (including, surprisingly for the cost, non-x86/x64 files), and output a decompiled C file.
Note that free-but-registered users are limited to 10 minutes of maximum decompilation time, which can cause an issue with large files. To get around this, I advise disabling decompiler optimisations. The output looks just as if someone had pressed F5 in IDA:
As always, I’d like to thank the organisers of the Insomni’hack 2017 Teaser CTF for putting together an enjoyable and challenging event. See you all in AlexCTF!