Comment on page
UMDCTF 2020: Evil Santa's Mysterious Box of Treats
Patching and Instruction counting towards first blood.
Here we are given a 64bit ELF executable and we're tasked with finding the flag.
Running the binary:
| Evil Santa's Mysterious |
| Box of Treats |
Enter code here: a
You are getting coal for the next five years!
Running the binary reveals that it is looking for input on STDIN. When you pass in an invalid flag it responds with "You are getting coal for the next five years!"
stringson the binary reveals the first clue: with this much symbol data available it's possible that the binary is statically linked and will make debugging and static analysis difficult.
We can confirm this suspicion by parsing the binary and reading symbols through running
readelf -s EvilSantasBox.back. Without symbols this makes instrumenting this binary through and LD_PRELOAD tricks impossible. So our next step is opening it up in ghidra.
readelf -s EvilSantasBox.back
Dynamic symbol information is not available for displaying symbols.
Ghidra reveals a massive listing of functions in the it's function table further confirming static compilation.
These functions are additionally stripped, so we can't easily identify what each function does.
Following the entry function I discovered that
mainwas the function defined at
0x004005c0. Scrolling down through the decompilation reveals a couple additional pieces:
* Function at 0x411360 prints to screen * Function at 0x410680 collects user input * The user input is likely 0x28 (40) characters long * The success string of the binary is printing "You received a present from santa this year!"
The print functions display the message seen earlier.
The labels defining the success and failures of the input check.
Weird constant that looks like it might be a length check
The next step is setting up a debugger and then stepping through the binary after collecting some random input, however the challenge posses some anti-debugging logic as seen below:
The program prints out an error not seen before when running the binary.
To investigate why the program exited I used
straceto try and identify what syscalls the program used up to the point of failure.
stracerevealed that the program makes a
ptracesyscall with the
PTRACE_TRACEMEargument. This is a Classic anti-debuging technique that is easily solved through patching.
Strace reveals that a syscall using ptrace is used.
To identify where the syscall is made I used some QEMU usermode emulation through
qemu-x86_64to provide tracing information on the syscall. Using the command
qemu-x86_64 -d in_asm ./EvilSantasBox.back 2>&1 | grep syscallQemu will output all the instructions it executes with the addresses associated with those instructions as seen below.
Qemu provided a little hint for us since
101is the syscall number for ptrace. So we know that the binary calls ptrace at address
0x44b30dand we can track this back down in ghidra and patch it out with nulls. The function containing that address is shown below.
The function above will return the status code of the ptrace call, so looking at the function xrefs we can identify where this call is being made. The function at
0x4012a0will call this function and return either a 0 or a 1 and print out the previous error message we saw before. By patching out the check and always returning a 0 we can avoid being detected!
Here is the two byte NOP patch applied to skip over verifying the result.
Removing this check allows
straceto work again! Being the lazy reverse engineer that I am, I wanted to see if this binary is vulnerable to side channel analysis. If CTF problems verify solutions incrementally, then instruction counting is a super easy way to recover a flag *FAST*! Scrolling back down the to success string reveals the the input received from the function at
0x410680is then subjected to a number of individual byte comparisons. If anyone one of these checks fail, then the program exits before checking the rest. (SCORE!) CTF problems that do this or use memcmp or strcmp tend to fall into this category too.
Each user inputted byte being checked
# Startup the celery workers
celery -A lib.celery_tasks worker --loglevel=info
python InstStomp.py -i 40 --stdin /home/chris/ctf/umdctf/EvilSantasBox_NoPtrace
Instruction stomp starting creating some weird looking input, so I immediately thought that there might be some non-deterministic instructions being executed. Looking back through the
stracereveals that there is a syscall made to get the current time. Using the same
qemu-x86_64 -d in_asmtrick from earlier I was able to find where this syscall was made and patch it out.
Firing Instruction Stomp off again reveals the flag after a minute or two. The flag appears to be base64 encoded, so base64 decoding reveals the final flag. By using instruction counting instead of dumping each value out of a debugger I was able to quickly snatch a first blood with this problem.
$ python InstStomp.py -i 40 --stdin /home/chris/ctf/umdctf/EvilSantasBox
[~] Running on position 0: 88%|██████████████████████████████████████████████████████████████▍ | 88/100 [00:02<00:00, 40.60it/s]
[~] Running on position 1: 93%|██████████████████████████████████████████████████████████████████ | 93/100 [00:02<00:00, 43.18it/s]
[~] Running on position 2: 94%|██████████████████████████████████████████████████████████████████▋ | 94/100 [00:02<00:00, 43.64it/s]
... SNIP ...
[~] Running on position 37: 92%|████████████████████████████████████████████████████████████████▍ | 92/100 [00:02<00:00, 43.35it/s]
[~] Running on position 38: 98%|████████████████████████████████████████████████████████████████████▌ | 98/100 [00:02<00:00, 44.90it/s]
[~] Running on position 39: 86%|████████████████████████████████████████████████████████████▏ | 86/100 [00:02<00:00, 39.69it/s]
$ echo VU1EQ1RGLXtTYW50NV81MW5UX1RoYVRfM3YxTH0= | base64 -d