NcN 2015 CTF - theAnswer Writeup


1. Overview

Is an elf32 static and stripped binary, but the good news is that it was compiled with gcc and it will not have shitty runtimes and libs to fingerprint, just the libc ... and libprhrhead
This binary is writed by Ricardo J Rodrigez

When it's executed, it seems that is computing the flag:


But this process never ends .... let's see what strace say:


There is a thread deadlock, maybe the start point can be looking in IDA the xrefs of 0x403a85
Maybe we can think about an encrypted flag that is not decrypting because of the lock.

This can be solved in two ways:

  • static: understanding the cryptosystem and programming our own decryptor
  • dynamic: fixing the the binary and running it (hard: antidebug, futex, rands ...)


At first sight I thought that dynamic approach were quicker, but it turned more complex than the static approach.


2. Static approach

Crawling the xrefs to the futex, it is possible to locate the main:



With libc/libpthread function fingerprinting or a bit of manual work, we have the symbols, here is the main, where 255 threads are created and joined, when the threads end, the xor key is calculated and it calls the print_flag:



The code of the thread is passed to the libc_pthread_create, IDA recognize this area as data but can be selected as code and function.

This is the thread code decompiled, where we can observe two infinite loops for ptrace detection and preload (although is static) this antidebug/antihook are easy to detect at this point.


we have to observe the important thing, is the key random?? well, with the same seed the random sequence will be the same, then the key is "hidden" in the predictability of the random.

If the threads are not executed on the creation order, the key will be wrong because is xored with the th_id which is the identify of current thread.

The print_key function, do the xor between the key and the flag_cyphertext byte by byte.


And here we have the seed and the first bytes of the cypher-text:



With radare we can convert this to a c variable quickly:


And here is the flag cyphertext:


And with some radare magics, we have the c initialized array:


radare, is full featured :)

With a bit of rand() calibration here is the solution ...



The code:
https://github.com/NocONName/CTF_NcN2k15/blob/master/theAnswer/solution.c





3. The Dynamic Approach

First we have to patch the anti-debugs, on beginning of the thread there is two evident anti-debugs (well anti preload hook and anti ptrace debugging) the infinite loop also makes the anti-debug more evident:



There are also a third anti-debug, a bit more silent, if detects a debugger trough the first available descriptor, and here comes the fucking part, don't crash the execution, the execution continues but the seed is modified a bit, then the decryption key will not be ok.





Ok, the seed is incremented by one, this could be a normal program feature, but this is only triggered if the fileno(open("/","r")) > 3 this is a well known anti-debug, that also can be seen from a traced execution.

Ok, just one byte patch,  seed+=1  to  seed+=0,   (add eax, 1   to add eax, 0)

before:


after:



To patch the two infinite loops, just nop the two bytes of each jmp $-0



Ok, but repairing this binary is harder than building a decryptor, we need to fix more things:

  •  The sleep(randInt(1,3)) of the beginning of the thread to execute the threads in the correct order
  •  Modify the pthread_cond_wait to avoid the futex()
  • We also need to calibrate de rand() to get the key (just patch the sleep and add other rand() before the pthread_create loop
Adding the extra rand() can be done with a patch because from gdb is not possible to make a call rand() in this binary.

With this modifications, the binary will print the key by itself. 

More information
  1. Free Pentest Tools For Windows
  2. Hacking Tools For Windows
  3. How To Hack
  4. Hacking Apps
  5. Hacker Search Tools
  6. Pentest Tools Find Subdomains
  7. Pentest Tools Url Fuzzer
  8. Best Hacking Tools 2020
  9. Blackhat Hacker Tools
  10. Pentest Tools Linux
  11. Hack Website Online Tool
  12. Nsa Hacker Tools
  13. Hack Tools
  14. Tools 4 Hack
  15. Hacking Tools For Windows 7
  16. Hacking Tools Online
  17. Easy Hack Tools
  18. Pentest Tools For Ubuntu
  19. Hacker Tool Kit
  20. Hack Tools
  21. Hacking Tools For Windows 7
  22. Hacking Tools 2019
  23. Tools 4 Hack
  24. Hacking Tools Name
  25. Pentest Tools For Mac
  26. Easy Hack Tools
  27. Hacking Tools Usb
  28. Blackhat Hacker Tools
  29. Hack Tool Apk No Root
  30. Hacking Tools For Pc
  31. Hacking Tools Hardware
  32. Beginner Hacker Tools
  33. Hacker Tools Linux
  34. Pentest Tools Windows
  35. What Are Hacking Tools
  36. Hacker Tools Hardware
  37. Hacking Tools Name
  38. Hacking Tools Kit
  39. Pentest Tools Online
  40. Hacker Tools For Mac
  41. Android Hack Tools Github
  42. Bluetooth Hacking Tools Kali
  43. Hack Tools For Windows
  44. Hack Tool Apk
  45. Hacker Tools For Pc
  46. Hacker Tools Online
  47. Free Pentest Tools For Windows
  48. Hack Tools
  49. Growth Hacker Tools
  50. Pentest Tools Nmap
  51. Hacker Tools For Ios
  52. Android Hack Tools Github
  53. Hacking Tools Download
  54. Pentest Tools Alternative
  55. Beginner Hacker Tools
  56. Pentest Tools For Android
  57. What Are Hacking Tools
  58. Pentest Box Tools Download
  59. Tools 4 Hack
  60. Hacker Tools For Pc
  61. Pentest Tools Nmap
  62. Best Hacking Tools 2020
  63. Hacker
  64. Pentest Tools
  65. Hack Website Online Tool
  66. Underground Hacker Sites
  67. Blackhat Hacker Tools
  68. Hack Tools Mac
  69. Tools For Hacker
  70. What Is Hacking Tools
  71. Hacking Tools Online
  72. Hacking Tools For Kali Linux
  73. Hacking Tools 2020
  74. Tools Used For Hacking
  75. Hacker Tools Hardware
  76. Hack And Tools
  77. Hak5 Tools
  78. Nsa Hacker Tools
  79. Hacker Tools Linux
  80. Pentest Tools Subdomain
  81. Hacker Tools For Mac
  82. Pentest Tools Tcp Port Scanner
  83. Physical Pentest Tools
  84. Kik Hack Tools
  85. Hack Tool Apk No Root
  86. Hacking Tools For Windows
  87. Github Hacking Tools
  88. Top Pentest Tools
  89. Bluetooth Hacking Tools Kali
  90. Kik Hack Tools
  91. Hacking Tools
  92. Hack And Tools
  93. Easy Hack Tools
  94. Pentest Tools Alternative
  95. Pentest Automation Tools
  96. Pentest Tools
  97. Hack And Tools
  98. What Are Hacking Tools
  99. Hacking Tools Software
  100. Computer Hacker
  101. Hacking Tools
  102. Hacker Tools Software
  103. Black Hat Hacker Tools
  104. Hacking Tools For Kali Linux
  105. Nsa Hacker Tools
  106. Pentest Tools Alternative
  107. Hackers Toolbox
  108. Hacking Tools Download
  109. Hacking Tools For Pc
  110. How To Make Hacking Tools
  111. Pentest Tools Framework
  112. What Is Hacking Tools
  113. Pentest Tools Subdomain
  114. Underground Hacker Sites
  115. Hacking Tools
  116. Hacker Tools Windows
  117. Hack Tools Online
  118. Pentest Tools Online
  119. Tools 4 Hack
  120. Hacker Tools For Pc
  121. Hacker Tools Free
  122. New Hacker Tools
  123. Physical Pentest Tools
  124. Hacking Tools Github
  125. Pentest Tools Kali Linux
  126. Easy Hack Tools
  127. Hacking Tools For Kali Linux
  128. Pentest Tools Nmap
  129. Hacker Tools Linux
  130. Hacking Tools Usb
  131. Best Pentesting Tools 2018
  132. World No 1 Hacker Software

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)