Reverse Engineering

Challenges

- What am I? (80 pts)
- Can you break the armor? (180 pts)
- Light up the Server (320 pts)

What am I? (80 pts)

Description

-

Solution

We are given a DLL. Decompiling it turns up nothing interesting, so the next step is to inspect the PE itself with CFF Explorer. Looking through the Resource Editor, we find the flag stored as an image resource.

Flag : BHFlagY{c3wl_r3s0rce_f1nding}
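
The same resource hunt can be done without CFF Explorer by carving image headers straight out of the DLL bytes. This is an added example, not code from the original writeup: a PNG is its 8-byte signature followed by a chunk list that ends at IEND, and a BMP carries its own file size in the header, so both can be located and sized exactly rather than just spotted by a magic string. The sample blob and the two tiny images are constructed inline; `dump_images` takes a real file path and writes each hit to disk.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_length(data, off):
    """Length of the PNG starting at data[off], or None if it is not well formed.
    Chunks are: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC; the
    IEND chunk terminates the file, so walking the list gives the exact size."""
    if data[off:off + 8] != PNG_SIG:
        return None
    pos = off + 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if pos > len(data):
            return None
        if ctype == b"IEND":
            return pos - off
    return None


def bmp_length(data, off):
    """Length of the BMP starting at data[off], or None if the header is inconsistent.
    The magic is only two bytes ("BM"), so the size and pixel-offset fields are
    sanity checked to avoid false positives on arbitrary code or data."""
    if data[off:off + 2] != b"BM" or off + 14 > len(data):
        return None
    size, pixel_off = struct.unpack_from("<I4xI", data, off + 2)
    if size < 26 or off + size > len(data) or not (14 <= pixel_off < size):
        return None
    return size


PROBES = (("png", png_length), ("bmp", bmp_length))


def carve_images(data):
    """Scan a blob (e.g. a whole DLL) for embedded images; returns [(offset, kind, length)]."""
    found = []
    pos = 0
    while pos < len(data):
        for kind, probe in PROBES:
            n = probe(data, pos)
            if n:
                found.append((pos, kind, n))
                pos += n - 1  # resume scanning after this image
                break
        pos += 1
    return found


def dump_images(path):
    """Carve every image out of the file at `path` into carved_<n>_<offset>.<kind>."""
    with open(path, "rb") as f:
        data = f.read()
    hits = carve_images(data)
    for i, (off, kind, n) in enumerate(hits):
        out = f"carved_{i}_{off:#x}.{kind}"
        with open(out, "wb") as f:
            f.write(data[off:off + n])
        print(f"{kind} at {off:#x}, {n} bytes -> {out}")
    return hits


# --- constructed sample images (not from the challenge) so the scanner runs offline ---

def _png_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_sample_png(width=2, height=1):
    """Tiny valid 8-bit RGB PNG: one row of red pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))  # filter byte + pixels
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b"")


def build_sample_bmp():
    """Tiny valid 24-bit BMP: one blue pixel, row padded to 4 bytes."""
    pixels = b"\xff\x00\x00\x00"
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    header = b"BM" + struct.pack("<IHHI", 14 + len(dib) + len(pixels), 0, 0, 14 + len(dib))
    return header + dib + pixels


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        dump_images(sys.argv[1])
    else:
        blob = b"MZ" + b"\x00" * 62 + build_sample_png() + b"\x90" * 7 + build_sample_bmp()
        print(carve_images(blob))
```

Run it as `python carve.py target.dll` to get the carved files; open them in any image viewer. For formats that do not carry their own length (raw bitmaps in RT_RCDATA, for example) you would still need a PE resource walker, which is where CFF Explorer's Resource Editor earns its place.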

Light up the Server (320 pts)

Description

-

Solution

We are given a 64-bit ELF file.

Opening it in IDA, we look at the main function and the Strings window.

In this case I searched GitHub for the string "-f filename of the config-file" and found this

Now we know the executable is probably lighttpd, since it contains strings that appear in the lighttpd repository. Most of its functions will therefore be ordinary lighttpd code, so the approach is to find the functions that are not present in the original lighttpd. The first step is to determine the exact lighttpd version used in the challenge.

In the Strings window, "1.4.72-devel" appears right before "\nusage", and from the repository source we can confirm that this string is the lighttpd version.

Now clone that version from the lighttpd repository and build it. Note that the -devel suffix means the challenge was built from a development snapshot rather than the tagged release, so we check out the nearest release tag and should expect some of the differences in the later diff to be upstream noise rather than the challenge author's changes.

git clone -b lighttpd-1.4.72 https://github.com/lighttpd/lighttpd1.4.git   # nearest release tag to "1.4.72-devel"
cd lighttpd1.4
cmake .        # in-tree configure; lighttpd's CMake build writes the binary to build/
make
file build/lighttpd
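
Before reaching for a function-level differ, a cheap triage step is to diff the printable strings of the challenge binary against the clean build: whatever the challenge author added (a regex, a hard-coded header name) tends to show up as strings upstream never had, and the file offsets give you something to cross-reference in IDA. This is an added example, not part of the original writeup; the two blobs at the bottom are constructed stand-ins for build/lighttpd and the challenge file, and `triage` takes two real paths.

```python
import re


def extract_strings(data, min_len=8):
    """Runs of printable ASCII at least min_len long (like `strings -n`), mapped to
    the list of file offsets where each run starts."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = {}
    for m in pattern.finditer(data):
        found.setdefault(m.group().decode("ascii"), []).append(m.start())
    return found


def strings_only_in(target, reference, min_len=8):
    """Strings present in `target` but absent from `reference`, with their offsets in
    target. Shared strings (version banner, usage text, lighttpd's own messages) drop out,
    leaving the additions the challenge author made."""
    ref = extract_strings(reference, min_len)
    return {s: offs for s, offs in extract_strings(target, min_len).items() if s not in ref}


def triage(target_path, reference_path, min_len=8):
    """Print target-only strings in file order and return them."""
    with open(target_path, "rb") as f:
        target = f.read()
    with open(reference_path, "rb") as f:
        reference = f.read()
    diff = strings_only_in(target, reference, min_len)
    for s, offs in sorted(diff.items(), key=lambda kv: kv[1][0]):
        print(f"{offs[0]:#010x}  {s}")
    return diff


# Constructed sample blobs (not the real binaries): a fake "upstream" ELF with the
# version and usage strings, and a "challenge" copy with an extra regex appended.
UPSTREAM = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"1.4.72-devel\x00\nusage:\n -f filename of the config-file\x00"
)
CHALLENGE = UPSTREAM + b"\x00" * 4 + b"^\\([a-z]\\?[^a-e,g-z]\\)la[g]{\x00Host\x00"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        triage(sys.argv[1], sys.argv[2])
    else:
        for s, offs in strings_only_in(CHALLENGE, UPSTREAM).items():
            print(f"{offs[0]:#010x}  {s}")
```

Usage: `python strdiff.py ./challenge ./lighttpd1.4/build/lighttpd`. Compiler version and build flags also change some strings, so treat the output as a shortlist to check in IDA, not as proof.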

Now that we have an original lighttpd binary, we need a way to compare the two binaries at the function level. Searching around, I found the Diaphora plugin for IDA (http://diaphora.re/). Download it and run diaphora.py via File > Script file. First, open the original lighttpd binary and use Diaphora to export the IDA database to SQLite with the options below.

Next, open the challenge binary and load Diaphora again. This time point the "SQLite database to diff against" field at lighttpd_new.sqlite and click OK.

Diaphora opens several result tabs once the analysis finishes. Since the challenge binary is the primary database, open the tab listing functions unmatched in the primary, i.e. present in the challenge binary but not in upstream lighttpd, and check them one by one.

The last stripped function before the libc functions is suspicious: it holds the pattern below.

^\\([a-z]\\?[^a-e,g-z]\\)la[g]{\\(h\\)0\\(s\\)t_\\2\\(e\\)4d\\4\\(r\\([_]\\?[^a-z]\\)\\)\\(!\\)n\\(\\(j\\(3\\)\\)cti0\\)n\\(_\\)1s\\6\\{1\\}5up3\\5c3wl}$

The function compiles this regex and matches a variable against it. The first part of the pattern matches the flag format. I used https://regex101.com/ to debug it. The backslashes are doubled because the decompiler shows a C string literal; after undoing that, the remaining escapes (\(, \), \?, \{) are POSIX basic regular expression syntax, in which grouping and repetition operators are backslash-escaped. Removing those backslashes gives the equivalent pattern in the extended syntax that regex101 understands.

^([a-z]?[^a-e,g-z])la[g]{
  • [a-z]? one optional lowercase letter; it has to match nothing here, because the class that follows rejects the "l" that comes next

  • [^a-e,g-z] one character that is not a-e, a comma, or g-z; the flag format makes it "f"

  • la, the literal "la"

  • [g], the literal "g"

  • {, a literal opening brace

So we just continue with the rest of the pattern:

(h)0(s)t_\2(e)4d\4(r([_]?[^a-z]))(!)n((j(3))cti0)n(_)1s\6{1}5up3\5c3wl}$

Groups are numbered by their opening bracket; the offsets are regex101's 0-based start-end positions of each capture in the flag string:
+ group 1,   0-1   f
+ group 2,   5-6   h
+ group 3,   7-8   s
+ group 4,  11-12  e
+ group 5,  15-17  r_
+ group 6,  16-17  _
+ group 7,  17-18  !
+ group 8,  19-25  j3cti0
+ group 9,  19-21  j3
+ group 10, 20-21  3
+ group 11, 26-27  _

- (h) == h
- 0 == 0
- (s) == s
- t == t
- _ == _
- \2 == h, backreference to group 2
- (e) == e
- 4d == 4d
- \4 == e, backreference to group 4
- (r([_]?[^a-z])) == r_, "r" then an optional "_" then one character that is not a-z; here the optional "_" matches nothing and [^a-z] matches the "_", so group 6 is "_" and group 5 is "r_"
- (!) == !
- n == n
- ((j(3))cti0) == j3cti0
- n == n
- (_) == _
- 1s == 1s
- \6{1} == _, exactly one copy of group 6
- 5up3 == 5up3
- \5 == r_, backreference to group 5
- c3wl}$ == c3wl}, then end of string

Flag : flag{h0st_he4der_!nj3cti0n_1s_5up3r_c3wl}