Friday 24 August 2018

Beginners Quest (Google CTF) - 5° Gatekeeper

Again the same saddddday

https://capturetheflag.withgoogle.com

Used commands/tools:
  • strings
  • Hopper Disassembler
  • ltrace
The AS-IS is


Let's continue our JOURNEY



As always, download the attachment, check the file type, rename it and extract the content:
  • file f7e577b61f5b98aa3c0e453e83c60729f6ce3ef15c59fc76d64490377f5a0b5b
It is a zip file.
  • mv f7e577b61f5b98aa3c0e453e83c60729f6ce3ef15c59fc76d64490377f5a0b5b gatekeeper.zip
  • unzip gatekeeper.zip
The content is composed of one file called gatekeeper. If we type:
  • file gatekeeper
we get:

gatekeeper: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a89(and other digits), not stripped

This file is a binary so we can give it executable permission:
  • chmod +x gatekeeper
Run this file:
  • ./gatekeeper
It asks for a username and a password as command-line arguments, for example:
  • ./gatekeeper user passadmin
We get a message saying the username is wrong. So the program tells us separately whether the username or the password is wrong, which lets us attack the two independently.
If we look at the printable strings inside the file with:
  • strings gatekeeper
we see, among others, two strings that look like credentials: the possible username is 0n3_W4rM and the possible password is zLl1ks_d4m_T0g_I. If we submit these, the username is accepted but the password is not. The strings command shows no other useful information.
At this point it's clear that this quest can be solved by disassembling the gatekeeper file.
We can do this with a disassembler like Hopper Disassembler, which you can download from https://www.hopperapp.com. After installing it, open it with:
  • /opt/hopper-v4/bin/Hopper
This is a demo version with some limitations, e.g. one session lasts 30 minutes. When the software opens, click on Try the Demo, then File->Read Executable to Disassemble... and select the gatekeeper file; in the window that appears select ELF as Loader and click OK. On the left, click the Strs tab, which lists the strings inside the file. Click the username 0n3_W4rM and the view jumps to address 0000000000000de0, which contains the following:

db                 "0n3_W4rM", 0                          ; DATA_XREF=main+133

Now we can double-click on main+133 and we are taken to address 0000000000000a3c, which contains the following assembly code:

lea                rsi, qword [a0n3W4rM]              ;  argument "__s2" for method j_strcmp, "0n3_W4rM"

From this line we can view the pseudocode by selecting it and pressing ALT+ENTER, or via the menu Window->Show Pseudo Code of Procedure. From the pseudocode we understand how the interesting part works: the username 0n3_W4rM is compared directly with the first argument, while the second input argument goes through some computation before being passed to strcmp together with zLl1ks_d4m_T0g_I.

To be sure how the program works, we can run it under ltrace, which traces the library calls the executable makes.

If ltrace is not installed on your machine (as on Kali Linux), the current version of ltrace may not build cleanly because of several problems that arise during compilation and installation, BUT here is how I fixed the current version (again, on Kali Linux). First, download ltrace from https://www.ltrace.org/. Extract the archive, enter the folder, then type:
  • ./configure
  • gedit sysdeps/linux-gnu/proc.c
In proc.c search for readdir_r and replace the readdir_r(...) call with readdir(d), because the former is deprecated; then delete (or comment out) the declarations of the entry and *result variables, and replace each use of result with readdir(d) (there should be three places). Save the file and close gedit. Then type:
  • gedit value.c
Here comment out or delete the typedef char assert__long_enough_long declaration. Save the file and close it. Then type:
  • gedit lens_default.c
Here too, comment out or delete the typedef char assert__long_enough_long declaration. Save the file and close it. Then type:
  • gedit ltrace-elf.c
Go to line 221 and replace if(!need_data(...) < 0 ) with if(!(need_data(...)) != 0). Save the file and close it. Finally type (make install needs root privileges, since the default prefix is /usr/local):
  • make
  • make install
When the process ends, ltrace is installed and you can call it from any directory.

Now go back to the gatekeeper folder.
With ltrace we will use grep to keep only the lines containing strcmp, to see the call where our second argument is compared with zLl1ks_d4m_T0g_I (as we saw in the pseudocode). First run the program under ltrace with the correct username and an arbitrary password:
  • ltrace ./gatekeeper 0n3_W4rM randompassword
In the output we can see that in strcmp, zLl1ks_d4m_T0g_I is compared with the reversed version of randompassword, i.e. drowssapmodnar. To filter for this evidence, type:
  • ltrace ./gatekeeper 0n3_W4rM randompassword 2>&1 | grep "strcmp"
(ltrace writes its trace to stderr, hence the 2>&1) and you clearly see strcmp("drowssapmodnar", "zLl1ks_d4m_T0g_I"). This means the right password is the reverse of zLl1ks_d4m_T0g_I, namely I_g0T_m4d_sk1lLz. Finally we can run gatekeeper with:
  • ./gatekeeper 0n3_W4rM I_g0T_m4d_sk1lLz
This time the program accepts the password too and prints the solution key.
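As an added example (not code from the original write-up or from the challenge binary), the following Python script models the check the way the write-up reconstructs it, i.e. the second argument is reversed and then handed to strcmp against the constant string, and then recovers the password automatically from ltrace output instead of by eye. The ltrace text embedded in it is constructed for the example, modelled on the strcmp line quoted above; its other lines and the strcmp return value are invented filler, and the table of candidate transformations is an assumption that covers only the identity and string reversal.

```python
"""Added example: model of the gatekeeper check and an ltrace-driven solver.

Not the challenge's own code. The logic mirrors what the write-up infers
from the Hopper pseudocode and the ltrace output.
"""
import re

USERNAME = "0n3_W4rM"
# The constant the binary hands to strcmp; the accepted password is its reverse.
PASSWORD_TARGET = "zLl1ks_d4m_T0g_I"


def gatekeeper_check(user: str, password: str) -> str:
    """Model of the binary's logic as reconstructed in the write-up.

    It returns a distinct result for a bad username and a bad password,
    which is exactly the oracle the write-up relies on: the program tells
    the caller which of the two was wrong, so they can be attacked one at a time.
    """
    if user != USERNAME:
        return "wrong username"
    # The pseudocode shows argv[2] being transformed before strcmp;
    # ltrace reveals that the transformation is a plain string reversal.
    if password[::-1] != PASSWORD_TARGET:
        return "wrong password"
    return "ok"


# Constructed ltrace output in the shape the write-up describes. Only the
# strcmp lines carry information; the rest is filler invented for this example.
SAMPLE_LTRACE = """\
__libc_start_main(<filler>) <unfinished ...>
strcmp("0n3_W4rM", "0n3_W4rM") = 0
strcmp("drowssapmodnar", "zLl1ks_d4m_T0g_I") = -22
+++ exited (status 1) +++
"""

# Matches the two quoted operands of a strcmp call as ltrace prints them.
STRCMP_RE = re.compile(r'strcmp\("((?:[^"\\]|\\.)*)",\s*"((?:[^"\\]|\\.)*)"\)')


def parse_strcmp(ltrace_text: str) -> list:
    """Return [(s1, s2), ...] for every strcmp call found in ltrace output."""
    return [(m.group(1), m.group(2)) for m in STRCMP_RE.finditer(ltrace_text)]


# Candidate transformations the binary might apply to argv[2] before strcmp,
# each paired with its inverse. Assumption: only these two are considered.
TRANSFORMS = {
    "identity": (lambda s: s, lambda s: s),
    "reverse": (lambda s: s[::-1], lambda s: s[::-1]),
}


def infer_transform(probe: str, observed: str):
    """Find which transformation maps the probe we passed to what strcmp saw."""
    for name, (forward, inverse) in TRANSFORMS.items():
        if forward(probe) == observed:
            return name, inverse
    return None


def recover_password(probe: str, ltrace_text: str, target: str = PASSWORD_TARGET) -> str:
    """Given the probe used as argv[2] and the ltrace output, compute the
    argument that makes the strcmp against `target` succeed."""
    for s1, s2 in parse_strcmp(ltrace_text):
        if s2 != target:
            continue  # not the password comparison (e.g. the username check)
        found = infer_transform(probe, s1)
        if found is None:
            raise ValueError(f"unrecognised transformation {probe!r} -> {s1!r}")
        _name, inverse = found
        return inverse(target)
    raise ValueError("no strcmp against the target string in the ltrace output")


if __name__ == "__main__":
    pw = recover_password("randompassword", SAMPLE_LTRACE)
    print("recovered password:", pw)
    print("check:", gatekeeper_check(USERNAME, pw))
```

To use it against the real binary, replace SAMPLE_LTRACE with the captured output of ltrace ./gatekeeper 0n3_W4rM randompassword 2>&1; the probe string should be something whose transformation is easy to recognise, which is why a non-palindromic word works better than a single repeated character.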

IT IS THE END!

