{"id":2442,"date":"2016-07-03T16:25:44","date_gmt":"2016-07-03T14:25:44","guid":{"rendered":"https:\/\/0x90r00t.com\/fr\/?p=2442"},"modified":"2016-07-04T00:06:47","modified_gmt":"2016-07-03T22:06:47","slug":"ndh-2016-cracking-150-lol_so_obfuscated-write-up","status":"publish","type":"post","link":"https:\/\/0x90r00t.com\/fr\/2016\/07\/03\/ndh-2016-cracking-150-lol_so_obfuscated-write-up\/","title":{"rendered":"[NDH 2016] [CRACKING 150 \u2013 lol_so_obfuscated] Write Up"},"content":{"rendered":"<h2>Description<\/h2>\n<blockquote><p>Only one file was given for this challenge: <a href=\"https:\/\/0x90r00t.com\/wp-content\/uploads\/2016\/07\/lol_so_obfuscated.zip\">lol_so_obfuscated<\/a><\/p><\/blockquote>\n<p><!--more--><\/p>\n<h2>Resolution<\/h2>\n<p>As with any cracking challenge, we start with a bit of reconnaissance to see how we can approach the task.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nlaxa:lol_so_obfuscated:16:02:28$ file lol_so_obfuscated \r\nlol_so_obfuscated: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 2.6.24, BuildID&#x5B;sha1]=fd77362edbdc23030c91c114ab4d795133722d96, not stripped\r\nlaxa:lol_so_obfuscated:16:02:32$ ldd lol_so_obfuscated \r\nlinux-vdso.so.1 (0x00007ffeceb18000)\r\nlibc.so.6 =&gt; \/lib\/x86_64-linux-gnu\/libc.so.6 (0x00007f64f03dd000)\r\n\/lib64\/ld-linux-x86-64.so.2 (0x00007f64f0788000)\r\n<\/pre>\n<p>We quickly run the binary to see what it expects:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nlaxa:lol_so_obfuscated:16:02:42$ .\/lol_so_obfuscated \r\nUsage .\/lol_so_obfuscated &lt;flag&gt;\r\nlaxa:lol_so_obfuscated:16:04:29$ .\/lol_so_obfuscated qwdqw\r\n29 29 10 16 3 \r\nYou're wrong.\r\n<\/pre>\n<p>Then we load the binary in IDA to see what is going on:<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\r\nint __cdecl 
main(int argc, const char **argv, const char **envp)\r\n{\r\n  int v3; \/\/ edx@1\r\n  signed __int64 v4; \/\/ rcx@1\r\n  char *v5; \/\/ rdi@1\r\n  signed int v6; \/\/ ebx@5\r\n  char v8; \/\/ &#x5B;sp+0h] &#x5B;bp-58h]@1\r\n  char v9; \/\/ &#x5B;sp+1h] &#x5B;bp-57h]@4\r\n  char v10; \/\/ &#x5B;sp+2h] &#x5B;bp-56h]@4\r\n  char v11; \/\/ &#x5B;sp+3h] &#x5B;bp-55h]@4\r\n  char v12; \/\/ &#x5B;sp+4h] &#x5B;bp-54h]@4\r\n  char v13; \/\/ &#x5B;sp+5h] &#x5B;bp-53h]@4\r\n  char v14; \/\/ &#x5B;sp+6h] &#x5B;bp-52h]@4\r\n  char v15; \/\/ &#x5B;sp+7h] &#x5B;bp-51h]@4\r\n  char v16; \/\/ &#x5B;sp+8h] &#x5B;bp-50h]@4\r\n  char v17; \/\/ &#x5B;sp+9h] &#x5B;bp-4Fh]@4\r\n  char v18; \/\/ &#x5B;sp+Ah] &#x5B;bp-4Eh]@4\r\n  char v19; \/\/ &#x5B;sp+Bh] &#x5B;bp-4Dh]@4\r\n  char v20; \/\/ &#x5B;sp+Ch] &#x5B;bp-4Ch]@4\r\n  char v21; \/\/ &#x5B;sp+Dh] &#x5B;bp-4Bh]@4\r\n  char v22; \/\/ &#x5B;sp+Eh] &#x5B;bp-4Ah]@4\r\n  char v23; \/\/ &#x5B;sp+Fh] &#x5B;bp-49h]@4\r\n  char v24; \/\/ &#x5B;sp+10h] &#x5B;bp-48h]@4\r\n  char v25; \/\/ &#x5B;sp+11h] &#x5B;bp-47h]@4\r\n  char v26; \/\/ &#x5B;sp+12h] &#x5B;bp-46h]@4\r\n  char v27; \/\/ &#x5B;sp+13h] &#x5B;bp-45h]@4\r\n  char v28; \/\/ &#x5B;sp+14h] &#x5B;bp-44h]@4\r\n  char v29; \/\/ &#x5B;sp+15h] &#x5B;bp-43h]@4\r\n  char v30; \/\/ &#x5B;sp+16h] &#x5B;bp-42h]@4\r\n  char v31; \/\/ &#x5B;sp+17h] &#x5B;bp-41h]@4\r\n  char v32; \/\/ &#x5B;sp+18h] &#x5B;bp-40h]@4\r\n  char v33; \/\/ &#x5B;sp+19h] &#x5B;bp-3Fh]@4\r\n  char v34; \/\/ &#x5B;sp+1Ah] &#x5B;bp-3Eh]@4\r\n  char v35; \/\/ &#x5B;sp+1Bh] &#x5B;bp-3Dh]@4\r\n  char v36; \/\/ &#x5B;sp+1Ch] &#x5B;bp-3Ch]@4\r\n  char v37; \/\/ &#x5B;sp+1Dh] &#x5B;bp-3Bh]@4\r\n  char v38; \/\/ &#x5B;sp+1Eh] &#x5B;bp-3Ah]@4\r\n  char v39; \/\/ &#x5B;sp+1Fh] &#x5B;bp-39h]@4\r\n  char v40; \/\/ &#x5B;sp+20h] &#x5B;bp-38h]@4\r\n  char v41; \/\/ &#x5B;sp+21h] &#x5B;bp-37h]@4\r\n  char v42; \/\/ &#x5B;sp+22h] &#x5B;bp-36h]@4\r\n  char v43; \/\/ &#x5B;sp+23h] &#x5B;bp-35h]@4\r\n  char v44; \/\/ &#x5B;sp+24h] 
&#x5B;bp-34h]@4\r\n  char v45; \/\/ &#x5B;sp+25h] &#x5B;bp-33h]@4\r\n  char v46; \/\/ &#x5B;sp+26h] &#x5B;bp-32h]@4\r\n  char v47; \/\/ &#x5B;sp+27h] &#x5B;bp-31h]@4\r\n  __int64 v48; \/\/ &#x5B;sp+38h] &#x5B;bp-20h]@1\r\n\r\n  v3 = argc;\r\n  v4 = 5LL;\r\n  v48 = *MK_FP(__FS__, 40LL);\r\n  v5 = &amp;v8;\r\n  while ( v4 )\r\n  {\r\n    *(_QWORD *)v5 = 0LL;\r\n    v5 += 8;\r\n    --v4;\r\n  }\r\n  v8 = 2;\r\n  v9 = 17;\r\n  v10 = 10;\r\n  v11 = 83;\r\n  v12 = 92;\r\n  v13 = 5;\r\n  v14 = 84;\r\n  v15 = 96;\r\n  v16 = 59;\r\n  v17 = 113;\r\n  *v5 = 0;\r\n  v18 = 97;\r\n  v19 = 108;\r\n  v20 = 40;\r\n  v21 = 39;\r\n  v22 = 121;\r\n  v23 = 63;\r\n  v24 = 115;\r\n  v25 = 115;\r\n  v26 = 42;\r\n  v27 = 97;\r\n  v28 = 98;\r\n  v29 = 1;\r\n  v30 = 37;\r\n  v31 = 74;\r\n  v32 = 121;\r\n  v33 = 91;\r\n  v34 = 54;\r\n  v35 = 28;\r\n  v36 = 103;\r\n  v37 = 65;\r\n  v38 = 60;\r\n  v39 = 89;\r\n  v40 = 58;\r\n  v41 = 80;\r\n  v42 = 118;\r\n  v43 = 14;\r\n  v44 = 116;\r\n  v45 = 2;\r\n  v46 = 39;\r\n  v47 = 3;\r\n  if ( v3 == 2 )\r\n  {\r\n    encrypt(&quot;lwskdhgkjsqnvkjwxchzeUBVWCXKJBNVWXCKJBGGG&quot;, (char *)argv&#x5B;1]);\r\n    v6 = strcmp(argv&#x5B;1], &amp;v8);\r\n    if ( v6 )\r\n    {\r\n      v6 = 0;\r\n      puts(&quot;You're wrong.&quot;);\r\n    }\r\n    else\r\n    {\r\n      puts(&quot;You're right.&quot;);\r\n    }\r\n  }\r\n  else\r\n  {\r\n    v6 = 1;\r\n    __printf_chk(1LL, 4196728LL, *argv);\r\n  }\r\n  return v6;\r\n}\r\n<\/pre>\n<p>We can see that our input is encrypted in place and then compared with another string (the bytes v8 to v47 built on the stack). If the two match, we have the right input.<br \/>\nAfter that, I played a bit with ltrace to observe the behaviour of inputs that differ in several characters, to see whether each change altered the whole value returned by encrypt(), the way a hash function would.<br \/>\nI tried looking at the text handed to strcmp, feeding one character at a time until I found the character whose encrypted form equals the first character of the expected content. Then I move on to the next character, and the earlier part of the comparison does not change. So the right input can be brute-forced very quickly, one character at a time.<\/p>\n<p>Here is a test with ltrace: the first character is right, the next one is wrong, and yet that does not change the encryption of the first character.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nlaxa:lol_so_obfuscated:16:14:50$ ltrace .\/lol_so_obfuscated na\r\n(...)    = 10\r\nstrcmp(&quot;&#92;&#48;02&#92;&#48;24&quot;, &quot;&#92;&#48;02&#92;&#48;21\\nS\\\\&#92;&#48;05T`;qal('y?ss*ab&#92;&#48;01%Jy&#x5B;6&#92;&#48;34gA&lt;Y&quot;...)    = 3\r\n(...)\r\nlaxa:lol_so_obfuscated:16:14:52$ ltrace .\/lol_so_obfuscated nb\r\n(...)\r\nstrcmp(&quot;&#92;&#48;02&#92;&#48;27&quot;, &quot;&#92;&#48;02&#92;&#48;21\\nS\\\\&#92;&#48;05T`;qal('y?ss*ab&#92;&#48;01%Jy&#x5B;6&#92;&#48;34gA&lt;Y&quot;...)    = 6\r\n(...)\r\n<\/pre>\n<p>With gdb we retrieve the complete string used in the strcmp comparison (ltrace truncates it), which we need for the brute force.<br \/>\nFrom here a fairly simple script will do: the program prints the encrypted value of each character of our input, so we know that the first encrypted character must come out as 2 on standard output.<\/p>\n<p>Here is the final script:<\/p>\n<pre class=\"brush: python; title: ; notranslate\" title=\"\">\r\n#!\/usr\/bin\/python\r\n\r\nfrom pwn import *\r\nimport string\r\n\r\nflag = &quot;&quot;\r\n# Expected string handed to strcmp (the 40 bytes v8..v47 of the decompilation), dumped with gdb\r\ntest = &quot;&#92;&#48;02&#92;&#48;21\\nS\\\\&#92;&#48;05T`;qal('y?ss*ab&#92;&#48;01%Jy&#x5B;6&#92;&#48;34gA&lt;Y:Pv&#92;&#48;16t&#92;&#48;02'&#92;&#48;03&quot;\r\n\r\n# Recover the flag one character at a time: the encrypted value of a character\r\n# does not depend on the characters that follow it\r\nfor a in range(0, len(test)):\r\n    for x in string.printable:\r\n        r = process(&#x5B;&quot;.\/lol_so_obfuscated&quot;, flag + x])\r\n        print &quot;&#x5B;%d]%c&quot; % (a, x)\r\n        # The binary prints the encrypted value of every input character, space-separated\r\n        ret = r.recvline()\r\n        r.close()\r\n        if int(ret.split(&quot; &quot;)&#x5B;a]) == ord(test&#x5B;a]):\r\n            flag += x\r\n            print &quot;flag so far: &quot; + flag\r\n            break\r\n\r\nlog.info(&quot;flag is: &quot; + flag)\r\n<\/pre>\n<p>And we get the flag: ndh2k16_19ac2d414c11f6f9da5a1d3342e304bc<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description Only one file was given for this challenge: 
lol_so_obfuscated<\/p>\n","protected":false},"author":14,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[130,35,180],"tags":[178,179,177],"class_list":["post-2442","post","type-post","status-publish","format-standard","hentry","category-2016-fr","category-ctf-fr","category-nuit-du-hack-wargame","tag-cracking","tag-ndh2k16","tag-write-up"],"_links":{"self":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/2442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/comments?post=2442"}],"version-history":[{"count":3,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/2442\/revisions"}],"predecessor-version":[{"id":2448,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/2442\/revisions\/2448"}],"wp:attachment":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/media?parent=2442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/categories?post=2442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/tags?post=2442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}