GALERIA FOTOGRAFICA

Todas las fotos de familia, amigos y eventos realizados por los grupos al cual pertenesco estan en este segmento...

sábado, 22 de agosto de 2020

NcN 2015 CTF - theAnswer Writeup


1. Overview

Is an elf32 static and stripped binary, but the good news is that it was compiled with gcc and it will not have shitty runtimes and libs to fingerprint, just the libc ... and libprhrhead
This binary is writed by Ricardo J Rodrigez

When it's executed, it seems that is computing the flag:


But this process never ends .... let's see what strace say:


There is a thread deadlock, maybe the start point can be looking in IDA the xrefs of 0x403a85
Maybe we can think about an encrypted flag that is not decrypting because of the lock.

This can be solved in two ways:

  • static: understanding the cryptosystem and programming our own decryptor
  • dynamic: fixing the the binary and running it (hard: antidebug, futex, rands ...)


At first sight I thought that dynamic approach were quicker, but it turned more complex than the static approach.


2. Static approach

Crawling the xrefs to the futex, it is possible to locate the main:



With libc/libpthread function fingerprinting or a bit of manual work, we have the symbols, here is the main, where 255 threads are created and joined, when the threads end, the xor key is calculated and it calls the print_flag:



The code of the thread is passed to the libc_pthread_create, IDA recognize this area as data but can be selected as code and function.

This is the thread code decompiled, where we can observe two infinite loops for ptrace detection and preload (although is static) this antidebug/antihook are easy to detect at this point.


we have to observe the important thing, is the key random?? well, with the same seed the random sequence will be the same, then the key is "hidden" in the predictability of the random.

If the threads are not executed on the creation order, the key will be wrong because is xored with the th_id which is the identify of current thread.

The print_key function, do the xor between the key and the flag_cyphertext byte by byte.


And here we have the seed and the first bytes of the cypher-text:



With radare we can convert this to a c variable quickly:


And here is the flag cyphertext:


And with some radare magics, we have the c initialized array:


radare, is full featured :)

With a bit of rand() calibration here is the solution ...



The code:
https://github.com/NocONName/CTF_NcN2k15/blob/master/theAnswer/solution.c





3. The Dynamic Approach

First we have to patch the anti-debugs, on beginning of the thread there is two evident anti-debugs (well anti preload hook and anti ptrace debugging) the infinite loop also makes the anti-debug more evident:



There are also a third anti-debug, a bit more silent, if detects a debugger trough the first available descriptor, and here comes the fucking part, don't crash the execution, the execution continues but the seed is modified a bit, then the decryption key will not be ok.





Ok, the seed is incremented by one, this could be a normal program feature, but this is only triggered if the fileno(open("/","r")) > 3 this is a well known anti-debug, that also can be seen from a traced execution.

Ok, just one byte patch,  seed+=1  to  seed+=0,   (add eax, 1   to add eax, 0)

before:


after:



To patch the two infinite loops, just nop the two bytes of each jmp $-0



Ok, but repairing this binary is harder than building a decryptor, we need to fix more things:

  •  The sleep(randInt(1,3)) of the beginning of the thread to execute the threads in the correct order
  •  Modify the pthread_cond_wait to avoid the futex()
  • We also need to calibrate de rand() to get the key (just patch the sleep and add other rand() before the pthread_create loop
Adding the extra rand() can be done with a patch because from gdb is not possible to make a call rand() in this binary.

With this modifications, the binary will print the key by itself. 

More information

  1. Pentest Tools Free
  2. Hacking Tools
  3. Hack Tools Download
  4. Hacking Tools And Software
  5. Hacker Tools Free
  6. Install Pentest Tools Ubuntu
  7. Pentest Tools For Ubuntu
  8. Hacker Tools For Pc
  9. New Hacker Tools
  10. Hacker Tools 2019
  11. Pentest Tools Website Vulnerability
  12. Bluetooth Hacking Tools Kali
  13. Hacking App
  14. Hacking Tools Online
  15. Pentest Tools Bluekeep
  16. Hacker Tools Software
  17. Pentest Tools For Android
  18. Hacker Tools For Mac
  19. Hack Tools
  20. Hack Website Online Tool
  21. Pentest Tools Free
  22. Hack App
  23. Wifi Hacker Tools For Windows
  24. Ethical Hacker Tools
  25. Pentest Tools Online
  26. Github Hacking Tools
  27. Hack App
  28. Pentest Tools Website Vulnerability
  29. Pentest Tools Website
  30. Hackrf Tools
  31. Hacks And Tools
  32. New Hack Tools
  33. Hacker Tool Kit
  34. Hackrf Tools
  35. Hacker Tools Hardware
  36. Hack Website Online Tool
  37. Pentest Tools Website Vulnerability
  38. Pentest Tools Online
  39. Hack Tools For Mac
  40. Hacking Tools Windows 10
  41. Hack Tools Pc
  42. Hacking Tools 2020
  43. Pentest Tools Bluekeep
  44. Hacking Apps
  45. Hacking Tools For Kali Linux
  46. Hacking Tools Usb
  47. Pentest Tools Port Scanner
  48. Hacking Tools Github
  49. Hack Tools
  50. Pentest Tools For Mac
  51. Pentest Tools For Android
  52. Hackers Toolbox
  53. Ethical Hacker Tools
  54. How To Hack
  55. Hacking Tools Github
  56. Hacker Tools List
  57. Hacking Tools Name
  58. Pentest Box Tools Download
  59. Hack Tools For Games
  60. Hacker Tools Apk
  61. Hacking Tools Mac
  62. Pentest Tools List
  63. Pentest Tools List
  64. Top Pentest Tools
  65. Beginner Hacker Tools
  66. Hacking Tools And Software
  67. Pentest Tools Open Source
  68. Game Hacking
  69. Pentest Tools Review
  70. Hack Tools Download
  71. Tools 4 Hack
  72. Nsa Hacker Tools
  73. Hacker Tools Mac
  74. Hacking Tools Pc
  75. Hacker Tools For Ios
  76. Pentest Tools Online
  77. Hacking Tools For Beginners
  78. Hacker Search Tools
  79. Hak5 Tools
  80. Free Pentest Tools For Windows
  81. Pentest Tools Windows
  82. Hack Tools Download
  83. Pentest Tools Github
  84. Bluetooth Hacking Tools Kali
  85. Top Pentest Tools
  86. Hack Apps
  87. Hacker Tools Apk Download
  88. New Hacker Tools
  89. Termux Hacking Tools 2019
  90. How To Hack
  91. Termux Hacking Tools 2019
  92. Hacking Tools Download
  93. Pentest Tools Alternative
  94. Pentest Reporting Tools
  95. Hacking Tools For Games
  96. Pentest Reporting Tools
  97. Pentest Tools List
  98. Best Pentesting Tools 2018
  99. New Hacker Tools
  100. Hacking Tools 2020

0 comentarios:

Blog Archive

  © Blogger templates ProBlogger Template by Ourblogtemplates.com 2008

Back to TOP