Hackvent 2019: Day 10

Challenge

HV19.10 Guess what

Introduction
The flag is right, of course

Resources: HV19-Day10-guess3.zip

Solution

We are provided with an ELF binary, so the first thing we do is run it in a Linux virtual machine.

The binary prompts us for some input and then tells us we have failed!

Example with input of test:

mo@ubuntu:~/Hackvent$ ./guess3 
Your input: test
nooooh. try harder!

We look at the strings in the binary for some clues:

mo@ubuntu:~/Hackvent$ strings ./guess3 
/lib64/ld-linux-x86-64.so.2
&J5g
libc.so.6
exit
sprintf
__isoc99_sscanf
time
__stack_chk_fail
getpid
strdup
calloc
strlen
memset
__errno_location
memcmp
putenv
memcpy
malloc
getenv
stderr
execvp
fwrite
fprintf
__cxa_finalize
atoll
strerror
__libc_start_main
__environ
__xstat
GLIBC_2.7
GLIBC_2.14
GLIBC_2.4
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
ATSH
[A\]
AWAVI
AUATL
[]A\A]A^A_
x%lx
=%lu %d
%lu %d%c
E: neither argv[0] nor $_ works.
<null>
%s%s%s: %s
;*3$"
1DB/
WF9s
@?H,
4'M0
\@J5
o-72z
GCC: (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

We observe that the strings Your input and nooooh. try harder! don't appear in this output.

It is reasonable to assume at this point that obfuscation is used to conceal some strings.
We decide to run the program in one shell and, while it's open waiting for input, check the process status output in another shell:

mo@ubuntu:~/Desktop$ ps -eaf | grep guess
mo         2500   2297  0 20:11 pts/0    00:00:00 ./guess3 -c #!/bin/bash  read -p "Your input: " input  if [ $input = "HV19{Sh3ll_0bfuscat10n_1s_fut1l3}" ]  then   echo "success" else    echo "nooooh. try harder!" fi   ./guess3
mo         2502   2263  0 20:11 pts/2    00:00:00 grep --color=auto guess

The original binary essentially delegates to calling execve on /bin/bash with the above command, but we abuse the fact that it is all in memory, in clear text in the process's argument list, to easily fetch our flag!

Flag:

HV19{Sh3ll_0bfuscat10n_1s_fut1l3}
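
As an added example (not part of the original write-up), the same information ps prints can be read straight from /proc/<pid>/cmdline, which is a quick way to check whether a wrapper like this leaks its script or secrets through argv. The function names, the fake /proc tree and the CONSTRUCTED_SECRET placeholder are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original write-up). Linux exposes each
# process's argv in /proc/<pid>/cmdline as NUL-separated strings, which is
# what ps prints. A wrapper that re-executes itself as "<prog> -c <script>"
# therefore exposes the decoded script to anyone who can read that file.

# script_arg FILE: print the argument following "-c" in a cmdline-format
# FILE; exit status 1 if there is none. Newlines inside an argument are
# shown as spaces, as ps does.
script_arg() {
    tr '\n\000' ' \n' < "$1" | awk '
        found                 { print; ok = 1; exit }
        NR > 1 && $0 == "-c"  { found = 1 }
        END                   { exit(ok ? 0 : 1) }'
}

# scan_procs NAME [ROOT]: for every process under ROOT (default /proc)
# whose argv[0] is NAME or ends in /NAME, print "PID: <script>".
scan_procs() {
    root=${2:-/proc}
    for f in "$root"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        argv0=$(tr '\000' '\n' < "$f" | head -n 1)
        case "$argv0" in
            "$1"|*/"$1") ;;
            *) continue ;;
        esac
        pid=${f%/cmdline}; pid=${pid##*/}
        if s=$(script_arg "$f"); then printf '%s: %s\n' "$pid" "$s"; fi
    done
}

# Constructed sample: a fake /proc tree holding one cmdline in the same
# shape as the ps output above, with a placeholder instead of the flag.
demo=$(mktemp -d)
mkdir "$demo/2500"
printf './guess3\000-c\000#!/bin/bash\nif [ $input = "CONSTRUCTED_SECRET" ]\nthen echo ok\nfi\000./guess3\000' \
    > "$demo/2500/cmdline"
scan_procs guess3 "$demo"
```

Calling scan_procs with only a program name scans the live /proc, and reports only processes whose cmdline the current user is allowed to read.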
