Impossible Password
3 minutos de lectura
Se nos proporciona un binario llamado impossible_password.bin
:
$ file impossible_password.bin
impossible_password.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ba116ba1912a8c3779ddeb579404e2fdf34b1568, stripped
Análisis dinámico
Si lo ejecutamos, el programa espera una entrada de datos:
$ ./impossible_password.bin
* asdf
[asdf]
Strings
Si usamos strings
para mostrar caracteres imprimibles en el binario veremos SuperSeKretKey
:
$ strings impossible_password.bin
/lib64/ld-linux-x86-64.so.2
libc.so.6
exit
srand
__isoc99_scanf
time
putchar
printf
malloc
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.2.5
UH-x
UH-x
=1
[]A\A]A^A_
SuperSeKretKey
%20s
[%s]
;*3$"
GCC: (GNU) 4.8.5 20150623 (Red Hat 4.8.5-11)
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
Si ponemos esta clave, tendremos otra entrada de datos:
$ ./impossible_password.bin
* SuperSeKretKey
[SuperSeKretKey]
** asdf
ltrace
Con ltrace
vemos que la entrada esperada es aleatoria:
$ ltrace ./impossible_password.bin
__libc_start_main(0x40085d, 1, 0x7ffd7458dd68, 0x4009e0 <unfinished ...>
printf("* ") = 2
__isoc99_scanf(0x400a82, 0x7ffd7458dc50, 0, 0* SuperSeKretKey
) = 1
printf("[%s]\n", "SuperSeKretKey"[SuperSeKretKey]
) = 17
strcmp("SuperSeKretKey", "SuperSeKretKey") = 0
printf("** ") = 3
__isoc99_scanf(0x400a82, 0x7ffd7458dc50, 0, 0** asdf
) = 1
time(0) = 1647047526
srand(0xacecab09, 10, 0xab6f03f8, 0) = 0
malloc(21) = 0x1243ac0
rand(0, 0, 33, 0x1243ad0) = 0x5af63fcf
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ac0, 94) = 0x1b68f15f
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ac1, 94) = 0x30b173ef
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ac2, 94) = 0x22a13185
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ac3, 94) = 0x6a5a22a1
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ac4, 94) = 0x5eaaddc4
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ac5, 94) = 0x100c2f22
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ac6, 94) = 0x7ec6c433
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ac7, 94) = 0x56ca73a8
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ac8, 94) = 0x11c19ffb
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ac9, 94) = 0x7809c17c
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243aca, 94) = 0x8e0575e
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243acb, 94) = 0x2ee7b99a
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243acc, 94) = 0x536fcfb5
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243acd, 94) = 0x7c7f05dc
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ace, 94) = 0x449e3403
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243acf, 94) = 0x1255542e
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ad0, 94) = 0x3e25d72a
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ad1, 94) = 0x133d797d
rand(0x7f036f373740, 0x7ffd7458dbb4, 0x1243ad2, 94) = 0xe06b05e
strcmp("asdf", "lp^HlQ!xO"5!abwBwEzi") = -11
+++ exited (status 245) +++
Vamos a ejecutar el binario en GDB y saltarnos esta validación:
$ gdb -q impossible_password.bin
Reading symbols from impossible_password.bin...
(No debugging symbols found in impossible_password.bin)
gef➤ break strcmp
Breakpoint 1 at 0x400630
gef➤ run
Starting program: ./impossible_password.bin
* SuperSeKretKey
[SuperSeKretKey]
Breakpoint 1, __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:23
23 ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S: No such file or directory.
gef➤ continue
Continuing.
** asdf
Breakpoint 1, __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:23
23 ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S: No such file or directory.
Bypass con GDB
Ahora podemos ver los argumentos de strcmp
en los registros $rdi
y $rsi
(debido a la convencion de llamadas en binarios de 64 bits):
gef➤ x/s $rdi
0x7fffffffe6c0: "asdf"
gef➤ x/s $rsi
0x602ac0: "{v)5ekMm$4eKIhxQ.`Sp"
Flag
Y además, podemos modificar el valor de $rdi
para que sea el mismo que $rsi
y continuar:
gef➤ set $rdi = $rsi
gef➤ continue
Continuing.
HTB{40b949f92b86b18}
[Inferior 1 (process 2760) exited with code 012]
gef➤ quit
Y ahí está la flag.