From Radare2 N00b to successful RE walkthrough

So a couple of us were working on a reverse engineering challenge in a CTF.

We were provided with an ELF binary and an encrypted file. The goal was apparently to decrypt the file into a .PNG, the MD5SUM of which would be the flag to solve the challenge.

A cursory look at the code, either in IDA or in radare2, clearly showed that the primary purpose of the code was to XOR the entire file with the letter A.

AHA, we thought, all we have to do is an XOR. We don’t need to RE to do that. Enter xortools, a pip-installable python module. Installed, ran xor against the file, with the output as a .PNG file. Success, it looked like. The linux “file” command recognized the new file as a PNG, and we could even browse and view the image, which is exactly what we expected to see. Excitedly, we entered the MD5 of the PNG into the flag field. NOPE. Not accepted.

So it quickly became clear that the binary was doing something hinky to the file in addition to the obvious XOR, because the XOR worked and decrypted the file into a working PNG.

So Kevin and I rolled up our sleeves and got down to some RE work in radare2. I prefer IDA because it’s so much prettier, and easier to navigate and see everything, but connecting an ELF debugger to IDA is no trivial matter, and Kevin is a whiz at radare2, so off to the races we went.

First, we identified the code segment that opens, translates (via XOR) and closes the file. I’m no genius at radare2, and time constraints prevented me from fully learning assembly, but it was clear to me that the goal was to get the binary to execute that segment, and experience had shown us that the earlier tricks were just dancing around that section of the code with evil trickery.

So we followed the desired code segment backwards, and found two decision points that would normally have an opportunity to redirect program flow. We decided to change them both in a way that would guarantee program flow in our desired direction, whether that’s changing a je/jne (jump if equal, jump if not equal) to a jmp (unconditional jump), or to a NOP (no operation).
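What those two patches do at the byte level, as an added example that is not the post's or the challenge binary's own code. The x86 encodings it relies on are standard (short Jcc is 7x rel8, near Jcc is 0F 8x rel32, jmp short is EB rel8, jmp near is E9 rel32, nop is 90); the snippet it runs on is constructed here, not bytes from the binary, and `decrypt` is a hypothetical label. Which rewrite you want depends on which side of the je/jne the file-decrypting block sits: a jmp forces the branch, NOPs force the fall-through, and both keep the instruction length so nothing after the patch moves.

```python
# Added example (not the CTF binary's or the post's own code): forcing a conditional
# branch the way the post describes, at the byte level. x86 encodings used:
#   short Jcc : 7x rel8      (je = 74, jne = 75), 2 bytes
#   near  Jcc : 0F 8x rel32, 6 bytes
#   jmp short : EB rel8      jmp near : E9 rel32      nop : 90
SHORT_JCC = range(0x70, 0x80)
NEAR_JCC = range(0x80, 0x90)


def jump_target(code: bytes, off: int) -> int:
    """Decode where the jump at `off` lands (offset relative to the start of `code`)."""
    op = code[off]
    if op in SHORT_JCC or op == 0xEB:
        return off + 2 + int.from_bytes(code[off + 1:off + 2], "little", signed=True)
    if op == 0xE9:
        return off + 5 + int.from_bytes(code[off + 1:off + 5], "little", signed=True)
    if op == 0x0F and off + 1 < len(code) and code[off + 1] in NEAR_JCC:
        return off + 6 + int.from_bytes(code[off + 2:off + 6], "little", signed=True)
    raise ValueError(f"no jump at offset {off:#x} (opcode {op:#04x})")


def patch_cond_jump(code: bytes, off: int, mode: str) -> bytes:
    """Return a copy of `code` with the conditional jump at `off` forced.

    mode="always": rewrite as an unconditional jmp, so the branch target always runs.
    mode="never":  rewrite as NOPs, so execution always falls through.
    Instruction length is preserved, so nothing after the patch shifts."""
    if mode not in ("always", "never"):
        raise ValueError(f"mode must be 'always' or 'never', got {mode!r}")
    buf = bytearray(code)
    op = buf[off]
    if op in SHORT_JCC:
        if mode == "always":
            buf[off] = 0xEB                      # jmp rel8 reuses the existing rel8
        else:
            buf[off:off + 2] = b"\x90\x90"
    elif op == 0x0F and off + 1 < len(buf) and buf[off + 1] in NEAR_JCC:
        if mode == "always":
            # jmp rel32 is one byte shorter than 0F 8x rel32. Put the NOP first so the
            # jmp still ends at off+6 and the original rel32 stays correct.
            buf[off:off + 6] = b"\x90\xE9" + bytes(buf[off + 2:off + 6])
        else:
            buf[off:off + 6] = b"\x90" * 6
    else:
        raise ValueError(f"no conditional jump at offset {off:#x} (opcode {op:#04x})")
    return bytes(buf)


if __name__ == "__main__":
    # Constructed snippet, not bytes from the challenge binary:
    #   39 D8            cmp eax, ebx
    #   75 05            jne +5        ; skips the call when the check fails
    #   E8 00 00 00 00   call <decrypt>   (hypothetical label)
    #   C3               ret
    code = b"\x39\xd8\x75\x05\xe8\x00\x00\x00\x00\xc3"
    print("original jne lands at", hex(jump_target(code, 2)))
    print("NOP'd :", patch_cond_jump(code, 2, "never").hex(" "))   # call always runs
    print("jmp'd :", patch_cond_jump(code, 2, "always").hex(" "))  # call never runs
```

On the real ELF the offset you patch is the file offset of the instruction, not its virtual address; radare2 opened with `r2 -w` does the same rewrite in place with `wa jmp 0x...` or `wao nop` at the seek address, and takes care of that mapping for you.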

After we did that, and entered the password, program flow moved as expected, and the encrypted file was successfully decrypted to a .png. Sure enough, the md5sum of the new .png was different from the one we xor’ed manually. I put the new md5sum into the flag field, and it was ACCEPTED! Yay, we won.

But I wasn’t satisfied, I wanted to know what was different between our manually-xor’ed decryption and the one that the binary did.

So I used xxd to dump the hex output of both versions of the .png to files, then ran a diff between them.

The only difference? The very last line of the new file contained the following:
0000f380: 0a .

Meaning a single byte, hex 0x0A (a newline), was appended to the file, which of course changes the checksum of the entire file without distorting the image in any way.
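The whole chain, from the XOR-with-'A' decryption to the one-byte difference and why the image still renders, as an added example that is not the post's or the challenge's own code. A constructed 1x1 PNG stands in for the challenge image, the key byte 0x41 ('A') comes from the post, and the trailing 0x0A is the byte the diff above found; the check a practitioner wants here is a chunk walk that verifies every CRC and reports whatever sits after IEND, since decoders stop at IEND but md5 does not.

```python
# Added example (not the post's or the CTF binary's code): XOR-decrypt, md5, and a
# PNG chunk walk that explains why a trailing byte changes the hash but not the image.
import hashlib
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """One PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed sample: a valid 1x1 opaque red RGB PNG (not the CTF's image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    scanline = b"\x00" + b"\xff\x00\x00"                  # filter byte 0, one RGB pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))


def xor_with(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. With the post's one-byte key b"A" (0x41) it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def walk_png(data: bytes):
    """Parse the chunk list, verify every CRC, and return (chunk_types, bytes_after_IEND).
    Trailing bytes are returned rather than rejected: viewers ignore them, md5 does not."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos, types = len(PNG_SIGNATURE), []
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != struct.unpack(">I", crc_bytes)[0]:
            raise ValueError(f"bad CRC on chunk {ctype!r} at offset {pos}")
        types.append(ctype.decode("ascii"))
        pos += 12 + length
        if ctype == b"IEND":
            return types, data[pos:]


def looks_like_png(data: bytes) -> bool:
    try:
        walk_png(data)
        return True
    except ValueError:
        return False


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def byte_diff(a: bytes, b: bytes):
    """Offsets where two files differ (like diffing xxd dumps, but per byte).
    None marks 'no byte at this offset' in the shorter file."""
    out = []
    for off in range(max(len(a), len(b))):
        x = a[off] if off < len(a) else None
        y = b[off] if off < len(b) else None
        if x != y:
            out.append((off, x, y))
    return out


def demo() -> dict:
    """Run the chain on the constructed sample and return what each step produced."""
    png = make_sample_png()
    encrypted = xor_with(png, b"A")        # what the challenge handed out
    manual = xor_with(encrypted, b"A")     # the xortool-style manual decryption
    binary_out = manual + b"\x0a"          # what the patched binary wrote (constructed)
    return {
        "encrypted_is_png": looks_like_png(encrypted),
        "manual_chunks": walk_png(manual),
        "binary_chunks": walk_png(binary_out),
        "md5_manual": md5hex(manual),
        "md5_binary": md5hex(binary_out),
        "diff": byte_diff(manual, binary_out),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `diff` entry is the single `(offset, None, 0x0A)` tuple that the xxd diff in the post shows as one extra line, and `binary_chunks` shows it landing after IEND, which is why the image still displays while the md5 moves.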

Let’s go back to the code and see if we can figure out why it does that.

Nope. No idea. Guess I’m still a noob. But we solved the challenge, and I learned some things about navigating radare2 and focusing and recognizing what’s going on in the program flow, and that’s what counts, right?

TryHackMe Advent of Cyber 2

So someone on my feed mentioned the TryHackMe Advent of Cyber 2 event that’s coming up, and I figured, f it, I’ve been all in on the last few events, what’s one more, right? So I looked into it…

I kinda like the idea. It’s a new challenge every day from 12/1 to xmas. Billed as “beginner-friendly” challenges, which is fine, because any practice is good practice, keep your skills fresh and all that.

I especially like TryHackMe’s platform. If you haven’t explored it yet, it works like this. When there’s a machine to attack for a challenge, they offer it as a deployable machine, on their network. The way you attack them can be either through a VPN (they will give you a personalized .ovpn file that you can drop onto your Kali box or whatever your chosen attack platform is) –OR– they will give you a fully-configured attack platform in the browser. Best of both worlds. If you’re just getting your feet wet and don’t have an attack platform set up yet, they’ve got you covered. And if you’ve got a fully-refined set of tools you’d prefer to use (and continue to refine and beef up while you’re at it), they’ve got you covered there too.

I signed up nine days ago, and I’ve already leveled up to level 5 and earned 10 badges. None of this was part of the Advent of Cyber event, this was just part of their regular offerings. I’m comfortable with the platform and ready to hit the ground running.

The other thing I like about this event is that the prizes, of which there are quite a few, are not awarded in order of performance. Instead, you get a raffle ticket for every task you complete. That means a n00b hacker just getting his or her feet wet stands a reasonable chance of winning something, and it’s not all going to be locked in by the best of the best.

Hope to see some of you on the leaderboard. It starts Tuesday. Get signed in now at https://tryhackme.com and get comfortable now so you can plow through. I expect the time commitments will be light, even if you try to hit every challenge.

Server acquired

Well, I did it. Scored a Dell R710 with 72GB RAM and 6TB of HDD (well, somewhat less after RAID overhead). I’m well on the way to rebuilding WOPR Jr (the Hades Canyon NUC).

BSidesNova, here I come!

At BSidesDC, I registered for “CTF for Noobs.”  I had done a couple of CTF exercises on my own and with my employer, but never in a competitive environment, so I thought that’d be a good test. And it was. I did very well, scored a lot of points for my group/table, but managed to find some weak spots.  

One of my weaknesses is in quickly pulling information out of Wireshark. So I left there with the intent of improving my Wireshark fu.

Lo and behold, I look at the BSidesNova course listing, and there’s a session on Wireshark.  So bitches, I’m in.  Who’s in with me?