{"id":1042,"date":"2015-09-21T02:03:58","date_gmt":"2015-09-21T00:03:58","guid":{"rendered":"https:\/\/0x90r00t.com\/fr\/?p=1042"},"modified":"2015-09-21T02:59:06","modified_gmt":"2015-09-21T00:59:06","slug":"ekoparty-pre-ctf-2015-reverse-200-reversing-the-apc-cache-write-up","status":"publish","type":"post","link":"https:\/\/0x90r00t.com\/fr\/2015\/09\/21\/ekoparty-pre-ctf-2015-reverse-200-reversing-the-apc-cache-write-up\/","title":{"rendered":"[EKOPARTY PRE-CTF 2015] [Reverse 200 – Reversing the APC cache] Write Up"},"content":{"rendered":"

Description<\/h2>\n

Description: Strings are not always an alternative.<\/p>\n

Hints: APC 3.1.13 with PHP 5.4 was used.<\/p>\n

Attachment: reversing200.zip<\/a><\/p><\/blockquote>\n

<\/p>\n

Resolution<\/h2>\n

Nous nous retrouvons devant un myst\u00e9rieux fichier cache.data. Celui-ci n’\u00e9tant pas identifi\u00e9 avec notre habituelle commande \u00ab\u00a0file\u00a0\u00bb, on essaye alors avec la commande strings.<\/p>\n

Ici quelques choses int\u00e9ressantes :<\/p>\n

\r\n\/var\/www\/html\/index.php\r\n<html>\r\n    <head><\/head>\r\n    <body>\r\n        <form method="POST" action="login.php">\r\n            <input type="text" name="token">\r\n            <input type="submit" value="Login">\r\n        <\/form>\r\n    <\/body>\r\n<\/html>\r\n\/var\/www\/html\/login.php\r\n[..]\r\nAzDGCrypt\r\nazdgcrypt\r\nEKO{this_is_not_the_flag}\r\n[..]\r\ne88ef51d4112b999380444ce48488762\r\nsha1\r\nsha1\r\nWelcome master, your key is EKO{\r\n[...]\r\n<\/pre>\n
Evidemment, le flag n’\u00e9tait pas \u00ab\u00a0EKO{this_is_not_the_flag}\u00a0\u00bb.<\/p>\n
L’\u00e9nonc\u00e9 nous parle de cache APC, nous allons donc poursuivre cette voie. D’ailleurs il y a une fonction qui a l’air assez sympa dans le doc php, apc_bin_loadfile()<\/a>.<\/p>\n
Nous allons donc compiler php 5.4 et la derni\u00e8re version d’APC afin de pouvoir charger le fichier de cache et pouvoir l’utiliser. Ce qui nous montre quelque choses int\u00e9ressantes :<\/p>\n
.\/bin\/php -d extension=\/tmp\/php\/php-5.4.45\/compiled\/lib\/php\/extensions\/no-debug-non-zts-20100525\/apc.so -d apc.enable_cli=1 -d apc.stat=0 -r "apc_bin_loadfile('cache.data'); print_r(apc_cache_info());"<\/pre>\n
\r\nArray\r\n(\r\n    [num_slots] => 1031\r\n    [ttl] => 0\r\n    [num_hits] => 0\r\n    [num_misses] => 0\r\n    [num_inserts] => 2\r\n    [expunges] => 0\r\n    [start_time] => 1442496130\r\n    [mem_size] => 21568\r\n    [num_entries] => 2\r\n    [file_upload_progress] => 1\r\n    [memory_type] => mmap\r\n    [locking_type] => pthread mutex Locks\r\n    [cache_list] => Array\r\n        (\r\n            [0] => Array\r\n                (\r\n                    [type] => file\r\n                    [device] => 0\r\n                    [inode] => 0\r\n                    [filename] => \/var\/www\/html\/index.php\r\n                    [num_hits] => 0\r\n                    [mtime] => 1442496130\r\n                    [creation_time] => 1442496130\r\n                    [deletion_time] => 0\r\n                    [access_time] => 1442496130\r\n                    [ref_count] => 0\r\n                    [mem_size] => 1200\r\n                )\r\n\r\n            [1] => Array\r\n                (\r\n                    [type] => file\r\n                    [device] => 0\r\n                    [inode] => 0\r\n                    [filename] => \/var\/www\/html\/login.php\r\n                    [num_hits] => 0\r\n                    [mtime] => 1442496130\r\n                    [creation_time] => 1442496130\r\n                    [deletion_time] => 0\r\n                    [access_time] => 1442496130\r\n                    [ref_count] => 0\r\n                    [mem_size] => 20368\r\n                )\r\n\r\n        )\r\n\r\n    [deleted_list] => Array\r\n        (\r\n        )\r\n\r\n    [slot_distribution] => Array\r\n        (\r\n            [231] => 1\r\n            [850] => 1\r\n        )\r\n\r\n)\r\n<\/pre>\n
Nous apprenons donc que le fichier de cache contient deux pages php. Bien entendu un file_get_contents pour obtenir le code source ne fonctionne pas (comme APC ne met pas en cache les file_get_contents()), on va alors devoir inclure les diff\u00e9rents fichiers et d\u00e9sassembler le r\u00e9sultat.<\/p>\n
Pour ceci nous avons utilis\u00e9 l’extension php vld<\/a> qui nous a bien simplifi\u00e9 la compr\u00e9hension des opcodes php.<\/p>\n
.\/bin\/php -d extension=\/tmp\/php\/php-5.4.45\/compiled\/lib\/php\/extensions\/no-debug-non-zts-20100525\/apc.so -d apc.enable_cli=1 -d apc.stat=0 -d extension=\/tmp\/php\/php-5.4.45\/compiled\/lib\/php\/extensions\/no-debug-non-zts-20100525\/vld.so -d vld.active=0 -d vld.execute=1 -r "apc_bin_loadfile('cache.data'); include '\/var\/www\/html\/login.php';"<\/pre>\n
Ce qui nous a donn\u00e9 :<\/p>\n
Finding entry points\r\nBranch analysis from position: 0\r\nJump found. Position 1 = -2\r\nfunction name:  (null)\r\nnumber of ops:  4\r\ncompiled vars:  none\r\nline     #* E I O op                           fetch          ext  return  operands\r\n-------------------------------------------------------------------------------------\r\n   2     0  E >   SEND_VAL                                                 '%2Ftmp%2Fcache.data'\r\n         1        DO_FCALL                                      1          'apc_bin_loadfile'\r\n   3     2        INCLUDE_OR_EVAL                                          '%2Fvar%2Fwww%2Fhtml%2Flogin.php', REQUIRE\r\n   8     3      > RETURN                                                   1\r\n\r\nbranch: #  0; line:     2-    8; sop:     0; eop:     3; out1:  -2\r\npath #1: 0, \r\nFinding entry points\r\nBranch analysis from position: 0\r\nJump found. Position 1 = 5, Position 2 = 55\r\nBranch analysis from position: 5\r\nJump found. Position 1 = 15, Position 2 = 22\r\nBranch analysis from position: 15\r\nJump found. Position 1 = 23, Position 2 = 29\r\nBranch analysis from position: 23\r\nJump found. Position 1 = 30, Position 2 = 54\r\nBranch analysis from position: 30\r\nJump found. Position 1 = 41, Position 2 = 50\r\nBranch analysis from position: 41\r\nJump found. Position 1 = 53\r\nBranch analysis from position: 53\r\nJump found. Position 1 = 54\r\nBranch analysis from position: 54\r\nJump found. Position 1 = 58\r\nBranch analysis from position: 58\r\nJump found. Position 1 = -2\r\nBranch analysis from position: 50\r\nJump found. Position 1 = 54\r\nBranch analysis from position: 54\r\nBranch analysis from position: 54\r\nBranch analysis from position: 29\r\nBranch analysis from position: 22\r\nBranch analysis from position: 55\r\nJump found. Position 1 = -2\r\nfilename:       \/var\/www\/html\/login.php\r\nfunction name:  (null)\r\nnumber of ops:  59\r\ncompiled vars:  !0 = $token, !1 = $crypt, !2 = $hash, !3 = $flag\r\nline     #* E I O op                           fetch          ext  return  operands\r\n-------------------------------------------------------------------------------------\r\n   3     0  E >   NOP                                                      \r\n  44     1        FETCH_IS                                         $1      '_POST'\r\n         2        ISSET_ISEMPTY_DIM_OBJ                       16777216  ~2      $1, 'token'\r\n         3        BOOL_NOT                                         ~3      ~2\r\n         4      > JMPZ                                                     ~3, ->55\r\n  45     5    >   FETCH_R                      global              $4      '_POST'\r\n         6        FETCH_DIM_R                                      $5      $4, 'token'\r\n         7        ASSIGN                                                   !0, $5\r\n  47     8        INIT_FCALL_BY_NAME                                       'substr'\r\n         9        SEND_VAR                                                 !0\r\n        10        SEND_VAL                                                 0\r\n        11        SEND_VAL                                                 4\r\n        12        DO_FCALL_BY_NAME                              3  $7      \r\n        13        IS_IDENTICAL                                     ~8      $7, 'CmxQ'                                   ; substr($token, 0, 4) == "CmxQ"\r\n        14      > JMPZ_EX                                          ~8      ~8, ->22\r\n        15    >   INIT_FCALL_BY_NAME                                       'substr'\r\n        16        SEND_VAR                                                 !0\r\n        17        SEND_VAL                                                 44\r\n        18        SEND_VAL                                                 4\r\n        19        DO_FCALL_BY_NAME                              3  $9      \r\n        20        IS_IDENTICAL                                     ~10     $9, 'MgY%2F'                                 ; substr($token, 44, 4) == "MgY%2F"\r\n        21        BOOL                                             ~8      ~10\r\n        22    > > JMPZ_EX                                          ~8      ~8, ->29\r\n        23    >   INIT_FCALL_BY_NAME                                       'substr'\r\n        24        SEND_VAR                                                 !0\r\n        25        SEND_VAL                                                 -4\r\n        26        DO_FCALL_BY_NAME                              2  $11     \r\n        27        IS_IDENTICAL                                     ~12     $11, 'Mg%3D%3D'                              ; substr($token, -4) == "Mg%3D%3D"\r\n        28        BOOL                                             ~8      ~12\r\n        29    > > JMPZ                                                     ~8, ->54\r\n  48    30    >   FETCH_CLASS                                   4  :13     'AzDGCrypt'\r\n        31        NEW                                              $14     :13                                          ; $14 = new AzDGCrypt('EKO{this_is_not_the_flag}');\r\n        32        SEND_VAL                                                 'EKO%7Bthis_is_not_the_flag%7D'\r\n        33        DO_FCALL_BY_NAME                              1          \r\n        34        ASSIGN                                                   !1, $14\r\n  49    35        INIT_METHOD_CALL                                         !1, 'decrypt'                                ; \r\n        36        SEND_VAR                                                 !0\r\n        37        DO_FCALL_BY_NAME                              1  $18                                                  ; $18 = $14.decrypt($token);\r\n        38        ASSIGN                                                   !2, $18\r\n  51    39        IS_IDENTICAL                                     ~20     !2, 'e88ef51d4112b999380444ce48488762'       ; $14.decrypt($token) == md5("EKO{}")    <-- This is what we want ! 40 > JMPZ                                                     ~20, ->50\r\n  52    41    >   INIT_FCALL_BY_NAME                                       'sha1'                                       \r\n        42        SEND_VAR                                                 !0\r\n        43        DO_FCALL_BY_NAME                              1  $21     \r\n        44        ASSIGN                                                   !3, $21                                      ; $21 c'est le flag, c'est sha1($token)\r\n  53    45        ADD_STRING                                       ~23     'Welcome+master%2C+your+key+is+EKO%7B'       ; %7B <=> "{"\r\n        46        ADD_VAR                                          ~23     ~23, !3                                      ; Le flag c'est le "!3"\r\n        47        ADD_CHAR                                         ~23     ~23, 125                                     ; 125 == %7D == "}"\r\n        48        ECHO                                                     ~23\r\n  54    49      > JMP                                                      ->53\r\n  55    50    >   INIT_FCALL_BY_NAME                                       'header'\r\n        51        SEND_VAL                                                 'Location%3A+index.php'\r\n        52        DO_FCALL_BY_NAME                              1          \r\n  57    53    > > JMP                                                      ->54\r\n  58    54    > > JMP                                                      ->58\r\n  59    55    >   INIT_FCALL_BY_NAME                                       'header'\r\n        56        SEND_VAL                                                 'Location%3A+index.php'\r\n        57        DO_FCALL_BY_NAME                              1          \r\n  61    58    > > RETURN                                                   1<\/pre>\n
On comprend ici que le param\u00e8tre POST \u00ab\u00a0token\u00a0\u00bb doit avoir un certain format. Il est v\u00e9rifi\u00e9 par 3 substr : substr($token, 0, 4) doit valoir \u00ab\u00a0CmxQ\u00a0\u00bb, substr($token, 44, 4) : \u00ab\u00a0MgY\/\u00a0\u00bb et substr($token, -4) : \u00ab\u00a0Mg==\u00a0\u00bb.<\/p>\n
Si ces conditions sont remplies, il est d\u00e9crypt\u00e9 \u00e0 l’aide de la m\u00e9thode \u00ab\u00a0decrypt\u00a0\u00bb d’une classe s’appelant \u00ab\u00a0AzDGCrypt\u00a0\u00bb et instanci\u00e9e avec comme param\u00e8tre \u00ab\u00a0EKO{this_is_not_the_flag}\u00a0\u00bb (qui sert de cl\u00e9 de cryptage), et le texte d\u00e9crypt\u00e9 doit avoir comme valeur \u00ab\u00a0e88ef51d4112b999380444ce48488762\u00a0\u00bb .<\/p>\n
Au lieu de nous emb\u00eater \u00e0 comprendre le code d\u00e9sassembl\u00e9 de cette classe, nous avons fait une recherche sur google \u00ab\u00a0au cas o\u00f9\u00a0\u00bb, et cela a port\u00e9 ses fruits, le code source \u00e9tait disponible sur github<\/a>.<\/p>\n
Arriv\u00e9 \u00e0 ce point, on aurait pu se dire que comme nous avions le code pour crypter\/d\u00e9cryter, la cl\u00e9 de cryptage ainsi que le texte \u00e0 retrouver en clair, nous avions tout, mais en fait pas tout \u00e0 fait.<\/p>\n
La fonction de cryptage a une partie al\u00e9atoire : $r = md5(rand(0,32000));, ce qui fait que le token base64 n’a que tr\u00e8s peu de chances de correspondre aux verifications faites par les trois substr.<\/p>\n
Nous avons alors modifi\u00e9 la fonction crypt afin qu’elle prenne un nouvel argument, celui qui aurait d\u00fb \u00eatre al\u00e9atoire, puis nous avons cr\u00e9\u00e9 un script de bruteforce. 32000 possibilit\u00e9s \u00e7a va assez vite \u00e0 tester.<\/p>\n
\r\n<?php\r\nclass AzDGCrypt{\r\n   var $k;\r\n   function AzDGCrypt($m){\r\n      $this->k = $m;\r\n   }\r\n   function ed($t) {\r\n      $r = md5($this->k);\r\n      $c=0;\r\n      $v = "";\r\n      for ($i=0;$i<strlen($t);$i++) {\r\n         if ($c==strlen($r)) $c=0;\r\n         $v.= substr($t,$i,1) ^ substr($r,$c,1);\r\n         $c++;\r\n      }\r\n      return $v;\r\n   }\r\n   function crypt($t, $rand){\r\n      $r = md5($rand);\r\n      $c=0;\r\n      $v = "";\r\n      for ($i=0;$i<strlen($t);$i++){ if ($c==strlen($r)) $c=0; $v.= substr($r,$c,1) . (substr($t,$i,1) ^ substr($r,$c,1)); $c++; } return base64_encode($this->ed($v));\r\n   }\r\n   function decrypt($t) {\r\n      $t = $this->ed(base64_decode($t));\r\n      $v = "";\r\n      for ($i=0;$i<strlen($t);$i++){\r\n         $md5 = substr($t,$i,1);\r\n         $i++;\r\n         $v.= (substr($t,$i,1) ^ $md5);\r\n      }\r\n      return $v;\r\n   }\r\n}\r\n\r\n \/\/ bf\r\n $crypt = new AzDGCrypt('EKO{this_is_not_the_flag}');\r\n for ($i = 0; $i <= 32000; ++$i) {\r\n  $result = $crypt->crypt('e88ef51d4112b999380444ce48488762', $i);\r\n  if (substr($result, 0, 4) == 'CmxQ' && substr($result, 44, 4) == 'MgY\/' && substr($result, -4) == 'Mg==') {\r\n   echo "b64: $result\\nRand: $i\\n";\r\n   break;\r\n  }\r\n }\r\n<\/pre>\n
Au bout de quelques instants, le r\u00e9sultat s’affiche :<\/p>\n
\r\nb64: CmxQaQAzBTYKZQYzAWAFZAY1V2NVZAZgUGQCbAU9Vz4CMgY\/AzgLaQwxWm5SYVY2UGNUaVFlAm5VO1MzBDNQMg==\r\nRand: 17291\r\n<\/pre>\n
On teste alors ce token avec la page cach\u00e9e :<\/p>\n
\r\n<?php\r\n $_POST['token'] = 'CmxQaQAzBTYKZQYzAWAFZAY1V2NVZAZgUGQCbAU9Vz4CMgY\/AzgLaQwxWm5SYVY2UGNUaVFlAm5VO1MzBDNQMg==';\r\n apc_bin_loadfile('cache.data');\r\n include('\/var\/www\/html\/login.php');\r\n<\/pre>\n
Tout est OK ! \ud83d\ude42<\/p>\n
Welcome master, your key is EKO{59a59936b318e8ef20fd923a3e7b05a1e44e9e91}<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"
Description Description: Strings are not always an alternative. Hints: APC 3.1.13 with PHP 5.4 was used. Attachment: reversing200.zip<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,35,70],"tags":[71,72,10,54],"class_list":["post-1042","post","type-post","status-publish","format-standard","hentry","category-2015-fr","category-ctf-fr","category-ekoparty","tag-apc","tag-cache","tag-reverse","tag-php"],"_links":{"self":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/1042","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/comments?post=1042"}],"version-history":[{"count":5,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/1042\/revisions"}],"predecessor-version":[{"id":1118,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/1042\/revisions\/1118"}],"wp:attachment":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/media?parent=1042"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/categories?post=1042"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/tags?post=1042"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}