Writeup – Simple Secret 2 (Break In CTF), grgsm_livemon Headless Mode

During the last week, I participated in the Break In CTF. Unfortunately, I completely neglected to take notes or save binaries, therefore, I can only provide a single writeup, based on the only binary I saved.

Simple Secret 2

This challenge is presented as a Linux binary, which you can download here.


Upon initial analysis, we can see that this binary takes an input string, processes it somehow, then compares it against an existing string:

[Screenshot: breakin-comp01]

If this check succeeds, the program then makes an HTTP GET request to the CTF server, which retrieves the flag.

Going a bit further, we can investigate the “input processing” function, at 0x400BB6:

[Screenshot: breakin-comp02]

The rand() call is a little worrying – if it turns out that the input is somehow combined with random output, we’ll need to either patch this out, or use an LD_PRELOAD hook to make its results static for testing purposes.
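
To show what the LD_PRELOAD option from the paragraph above looks like in practice, here is an added interposition shim (example code, not part of the original post or the challenge): it makes rand() return one fixed value and records how often the binary consults rand()/srand() before the strcmp. The FIXED_RAND environment variable and the binary name simple_secret_2 are assumptions.

```c
/* rand_shim.c: added example, not from the original post.
 * Build: gcc -shared -fPIC -o rand_shim.so rand_shim.c
 * Run:   LD_PRELOAD=./rand_shim.so ./simple_secret_2   (binary name assumed)
 *
 * Interposes rand()/srand() so the "input processing" routine sees a fixed,
 * repeatable value, and counts the calls so the runtime behaviour is visible.
 */
#include <stdio.h>
#include <stdlib.h>

/* Value every rand() call returns; FIXED_RAND=<n> in the environment overrides it (assumed name). */
#define DEFAULT_FIXED_RAND 1337

static unsigned long rand_calls = 0;
static unsigned long srand_calls = 0;
static unsigned int last_seed = 0;

/* Resolve the fixed value once; rand() never returns a negative number, so reject those. */
int fixed_rand_value(void) {
    static int cached = -1;
    if (cached < 0) {
        const char *env = getenv("FIXED_RAND");
        cached = env ? atoi(env) : DEFAULT_FIXED_RAND;
        if (cached < 0) cached = DEFAULT_FIXED_RAND;
    }
    return cached;
}

/* Interposed rand(): deterministic, and logged to stderr so each call shows up during a run. */
int rand(void) {
    rand_calls++;
    int v = fixed_rand_value();
    fprintf(stderr, "[rand_shim] rand() call #%lu -> %d\n", rand_calls, v);
    return v;
}

/* Interposed srand(): the seed no longer matters, but record it (e.g. a time(NULL) seed). */
void srand(unsigned int seed) {
    srand_calls++;
    last_seed = seed;
    fprintf(stderr, "[rand_shim] srand(%u) call #%lu (ignored)\n", seed, srand_calls);
}

/* Accessors for the counters, so a harness can check what the target actually did. */
unsigned long rand_shim_calls(void) { return rand_calls; }
unsigned long rand_shim_srand_calls(void) { return srand_calls; }
unsigned int rand_shim_last_seed(void) { return last_seed; }
```

If the call counter stays at zero up to the strcmp, the rand() in the disassembly is not on the path that transforms the input, which is exactly the situation this challenge turned out to be.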

Our next step is to study this a bit further at runtime with gdb, breaking on the strcmp call to see whether anything obvious shows up:

[Screenshot: breakin-lol]

Quickly, we can see that we got trolled, and it’s simply comparing our input against a static string. With this string in hand, we try to run the program again, giving us the flag:

[Screenshot: breakin-win]

As always, I would like to thank the organisers of the Break In CTF for organising this event. Looking on their website, it appears they run events quite frequently, and in a well organised manner – congratulations to the team for pulling this off. I enjoyed this event (what little time I could spend on it), and look forward to the next one.

grgsm_livemon Headless (+ misc. thoughts)

During this weekend, I also spent some time playing around with my bladeRF. While I am by all accounts a noob, I’ve quickly found this device to be quite versatile, but the interface used to speak to it (i.e. gnuradio) is itself a substantial piece of software to learn.

[Image: bladerf_fuckyou]

I am currently working on understanding the GSM stack, and as part of this, I have modified the grgsm_livemon code to work in headless mode, with no dependency on Qt. You can download this code here.

(It turns out that the Python generated by gnuradio-companion is generally pretty old).

I look forward to exploring more of the SDR world, and posting more about what I learn.

See you all next week in AlexCTF.

About Norman

Sometimes, I write code. Occasionally, it even works.