EncodedPayload
4 minutos de lectura
Se nos proporciona un archivo binario llamado encodedpayload
:
$ file encodedpayload
encodedpayload: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, no section header
Ingeniería inversa
Si lo ejecutamos, no aparece nada. Por otro lado, el binario es muy corto:
$ ./encodedpayload
$ xxd encodedpayload
00000000: 7f45 4c46 0101 0100 0000 0000 0000 0000 .ELF............
00000010: 0200 0300 0100 0000 5480 0408 3400 0000 ........T...4...
00000020: 0000 0000 0000 0000 3400 2000 0100 0000 ........4. .....
00000030: 0000 0000 0100 0000 0000 0000 0080 0408 ................
00000040: 0080 0408 9301 0000 d202 0000 0700 0000 ................
00000050: 0010 0000 d9e8 d974 24f4 5b53 5949 4949 .......t$.[SYIII
00000060: 4949 4949 4949 4343 4343 4343 4337 515a IIIIIICCCCCCC7QZ
00000070: 6a41 5850 3041 3041 6b41 4151 3241 4232 jAXP0A0AkAAQ2AB2
00000080: 4242 3042 4241 4258 5038 4142 754a 4930 BB0BBABXP8ABuJI0
00000090: 3169 4b7a 5748 6353 6357 3346 3350 6a36 1iKzWHcScW3F3Pj6
000000a0: 624f 7948 6178 3063 565a 6d4b 304d 4370 bOyHax0cVZmK0MCp
000000b0: 5968 3057 4f38 4d6b 3050 4962 5959 6962 Yh0WO8Mk0PIbYYib
000000c0: 4873 4f53 3077 7037 7171 7855 5265 5035 HsOS0wp7qqxUReP5
000000d0: 5566 596d 5968 614c 7043 5656 3050 5146 UfYmYhaLpCVV0PQF
000000e0: 334c 7366 634f 7949 715a 6d4d 5046 3261 3LsfcOyIqZmMPF2a
000000f0: 7830 6e64 6f31 6345 3865 3866 4f76 4f52 x0ndo1cE8e8fOvOR
00000100: 4243 594d 5948 6346 3250 534f 7948 614e BCYMYHcF2PSOyHaN
00000110: 5046 6b4a 6d6f 7052 4a34 4b43 686d 4933 PFkJmopRJ4KChmI3
00000120: 6255 3665 3854 6d65 336e 6938 6743 5846 bU6e8Tme3ni8gCXF
00000130: 4f32 5331 7843 3055 3856 4f73 5235 3952 O2S1xC0U8VOsR59R
00000140: 4e4b 394b 5361 4279 7834 5a53 3045 5055 NK9KSaByx4ZS0EPU
00000150: 5061 7550 6370 6872 4f71 3062 6830 5467 PauPcphrOq0bh0Tg
00000160: 3263 4b32 7030 4c53 4a73 6f31 6374 3433 2cK2p0LSJso1ct43
00000170: 4235 3165 3331 7553 6f72 6d46 5347 4354 B51e31uSormFSGCT
00000180: 7353 4d67 7056 3772 734c 4939 714a 6d6d sSMgpV7rsLI9qJmm
00000190: 5041 41 PAA
$ strings encodedpayload
[SYIIIIIIIIICCCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI01iKzWHcScW3F3Pj6bOyHax0cVZmK0MCpYh0WO8Mk0PIbYYibHsOS0wp7qqxUReP5UfYmYhaLpCVV0PQF3LsfcOyIqZmMPF2ax0ndo1cE8e8fOvORBCYMYHcF2PSOyHaNPFkJmopRJ4KChmI3bU6e8Tme3ni8gCXFO2S1xC0U8VOsR59RNK9KSaByx4ZS0EPUPauPcphrOq0bh0Tg2cK2p0LSJso1ct43B51e31uSormFSGCTsSMgpV7rsLI9qJmmPAA
Antes de usar un depurador, podemos usar ltrace
y strace
para analizar las llamadas a funciones de librerías externas e instrucciones syscall
ejecutadas por el binario.
Flag
En verdad, ltrace
no funcionará porque el binario es estático. Entonces, procedemos con strace
:
$ strace ./encodedpayload
execve("./encodedpayload", ["./encodedpayload"], 0x7ffc9234b590 /* 40 vars */) = 0
strace: [ Process PID=132019 runs in 32 bit mode. ]
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
dup2(3, 2) = 2
dup2(3, 1) = 1
dup2(3, 0) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(1337), sin_addr=inet_addr("127.0.0.1")}, 102) = -1 ECONNREFUSED (Connection refused)
syscall_0xffffffffffffff0b(0xff9d0b58, 0xff9d0b50, 0, 0, 0, 0) = -1 ENOSYS (Function not implemented)
execve("/bin/sh", ["/bin/sh", "-c", "echo HTB{PLz_strace_M333}"], NULL) = 0
strace: [ Process PID=132019 runs in 64 bit mode. ]
brk(NULL) = 0x56243f358000
arch_prctl(0x3001 /* ARCH_??? */, 0x7ffc88d74930) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=94688, ...}) = 0
mmap(NULL, 94688, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7fc8acdb3000
close(4) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300A\2\0\0\0\0\0"..., 832) = 832
pread64(4, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(4, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(4, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\30x\346\264ur\f|Q\226\236i\253-'o"..., 68, 880) = 68
fstat(4, {st_mode=S_IFREG|0755, st_size=2029592, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc8acdb1000
pread64(4, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(4, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(4, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\30x\346\264ur\f|Q\226\236i\253-'o"..., 68, 880) = 68
mmap(NULL, 2037344, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7fc8acbbf000
mmap(0x7fc8acbe1000, 1540096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x22000) = 0x7fc8acbe1000
mmap(0x7fc8acd59000, 319488, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x19a000) = 0x7fc8acd59000
mmap(0x7fc8acda7000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x1e7000) = 0x7fc8acda7000
mmap(0x7fc8acdad000, 13920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fc8acdad000
close(4) = 0
arch_prctl(ARCH_SET_FS, 0x7fc8acdb2580) = 0
mprotect(0x7fc8acda7000, 16384, PROT_READ) = 0
mprotect(0x56243d535000, 8192, PROT_READ) = 0
mprotect(0x7fc8acdf8000, 4096, PROT_READ) = 0
munmap(0x7fc8acdb3000, 94688) = 0
getuid() = 1000
getgid() = 1000
getpid() = 132019
rt_sigaction(SIGCHLD, {sa_handler=0x56243d52ac30, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER, sa_restorer=0x7fc8acc02090}, NULL, 8) = 0
geteuid() = 1000
getppid() = 132016
brk(NULL) = 0x56243f358000
brk(0x56243f379000) = 0x56243f379000
getcwd("/tmp", 4096) = 4
geteuid() = 1000
getegid() = 1000
rt_sigaction(SIGINT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=0x56243d52ac30, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER, sa_restorer=0x7fc8acc02090}, NULL, 8) = 0
rt_sigaction(SIGQUIT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER, sa_restorer=0x7fc8acc02090}, NULL, 8) = 0
rt_sigaction(SIGTERM, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTERM, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER, sa_restorer=0x7fc8acc02090}, NULL, 8) = 0
write(1, "HTB{PLz_strace_M333}\n", 21) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=132019, si_uid=1000} ---
+++ killed by SIGPIPE +++
Y ahí tenemos la flag. No se mostraba en stdout
(descriptor de archivo número 1
) por un error Broken pipe
.