Binary Heaven-1 | CTF
Hello Exploiters,
Welcome back to my channel. Today, I will be writing a blog about reversing and exploitation phases. If you are interested and want to learn more about exploitation through my blogs, please consider following my channel.
First of all, we will check the binary before diving deep into the investigation. Before solving this CTF, I advise you to learn assembly language to understand this properly.
Analyzing phase[angel_A]
As usual, we should always check the file before doing something with it. I recommend always starting with the file command. I got the file as a zip file, so to unzip it, you can use unzip command and you shall see two files.
As you can see angel_A and angel_B have appeared in our terminal.
Let me check what kind of files have shown us.
As you can see:
angel_A: ELF 64-bit LSB pie executable, x86–64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86–64.so.2, BuildID[sha1]=90a71dbbf2c94dc164a49328fb82f8fa914a9701, for GNU/Linux 3.2.0, not stripped
angel_B: ELF 64-bit LSB executable, x86–64, version 1 (SYSV), statically linked, Go BuildID=Xd_LgpWItJBNJmN63lQy/oWW_4FYae77KCrbbrcIX/2pmyS7gUszdXBsoOAYWo/PyEjnQ2VYI7PIdiOmGXg, not stripped
I am going to start with the angel_A file:
We see that angel_A is 64-bit and it is not stripped which is great!
It is asking for a username, which we do not know. I was trying to overflow with the character “A” but it did not work.
I was using the strings command and saw an interesting link that redirects to a youtube video. When you click on it you will see this result :)
A rabbit hole! which we do not need it. We will still try other methods to see what we can do with this file.
fgets is more secure than gets. And this means that we are not able to overflow it!
When we check with the checksec command we can see that PIE is enabled as well as NX.
If you are not familiar with this. Please go back to my previous blogs where I shared some great blogs and channels where you can learn!
We can see execve() system call, and this means:
This causes the program that is currently being run by the calling process to be replaced with a new program, with a newly initialized stack, heap, and (initialized and uninitialized) data segments.
If we use strace -c ./angel_A we can see how many syscalls are called. If you are interested and want to learn more about ELF files you can check: https://man7.org/linux/man-pages/man2/syscall.2.html
https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/
We will go further with our investigation phase.
When you type ‘info functions’ you will see how many functions are called from the binary.
I am going to disassemble the main function as usual.
If you are not familiar, you can check the main page of gdb. Now, for this exercise, I will use the Cutter program.
Please consider where I drew. We have argc and argv, we need to remember what it's in C programming.
- argc is the number of arguments on the command line (including the program name itself)
- argv is an array of C-style strings (character arrays, with a null character at the end of each string
As you can see ‘var_4 he expects input from the user. To have a better understanding of this file, I will use radare2.
Hmm, interesting! I can see a string called U”kym~humr”, and we have an address called 0x561c1cf5b060.
This should be the hex value of this string. We can use an easy python script to decode it, but we need to understand the code and what it does.
Each hex represents a string which will be easy for us to decode it.
As I mentioned, we ought to understand the algorithm of the above-disassembled code.
Each character of the entered string is compared with each character of a predefined string, but before comparing, an XOR operation is performed on each character and then 8 is added to the character.
Let me show an example:
- k was given to us as a character. Normally, it will compare with my input, but we already knew that the strange string was already being used. Thus, we can use an ASCII table to see the decimal value of k
Awesome. Now, I am going to try to reverse the character to read it.
To reverse it, we will start from the base to the top. That should be the reverse operation.
- k = 107, we will subtract 8 and then xor with 4
Hmm, interesting! To read the username, I am going to use a simple python script!
Awesome! We found the username, that was the first question
Analyzing phase[angel_B]
We have completed the first part! The next goal is to complete the second question.
As you can see that this file is written in GO language. Let me check this file as well.
We see countless strings which we do not need. We are more interested in syscalls as well as useful strings which leads us to get the password.
We can see the syscalls of the GO language, but still not what we want.
I was trying to search the main function in the runtime of this binary file. I think that I shall use cutter or radare2 to see more in-depth.
As you can see that we are not able to see the main function in this binary.
We input ‘A’ to see whether it has a buffer overflow or not. And we can see that it does not have!
We get the output as: “You are not worthy of heaven”
Let's consider open into the cutter again to see what we can get from this result.
As you can see above, if we put an incorrect value it will follow the red line or else the green line.
We can see that ‘runtime. memequal’ will be called to control if pointers are equal.
We can get info from this documentation: https://groups.google.com/g/golang-codereviews/c/toERNWvTLq8
I am going to open this in R2:
0x004a54a1 48890424 mov qword [rsp], rax
0x004a54a5 488d055f5802. lea rax, [0x004cad0b] ; “GOg0esGrrr!IdeographicMedefaidrinNandinagariNew_Tai_LueOld_PersinOld_SogdianPau_Cin_HauSignWritingSoft_DottedWarang_CitiWhite_”
0x004a54ac 4889442408 mov qword [var_8h], rax
0x004a54b1 48894c2410 mov qword [var_10h], rcx
Awesome we get the string through R2. You could also decompile it through a cutter. You would be able to get the same result.
You can also check on GDB:
This password should be: GOg0esGrrr!
Now we got the username and the password. We are concerned about the flag.
Summary
Part 2 will be shared with u. The first part was just a reverse training/warming up:)
The second part will be about binary exploitation part. I am super thrilled to see you again on this channel!