Nuit-du-hack-2016/Matriochka/Step-1

From aldeid
Jump to: navigation, search
You are here:
Matriochka (step 1)

Description

The challenge is described as follows:

Can you help me?
Recently, I found an executable binary.
As I'm a true newbie,
Certainly, to solve it, I will have difficulties.
Keep in mind, the first step is quite easy.
Maybe the last one will be quite tricky.
Emulating it could be a good idea.

The challenge is available at:

File:

MD5 817d561f02a0cf42097812f4ce39fc34
SHA1 f6bb4fd2192845ac6b65271fd1e02fcc67f9f449
SHA256 ed0093922d7b3f42a34610a3dd3d09f92c42ef8647a514a7cce8dea7fecbf116

Analysis

Running the executable

$ file stage1.bin
stage1.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=d023239e2bf37734ba5a67401a092ba6273c37b6, not stripped

The executable is a 64bit ELF that seems to be expecting an argument:

$ ./stage1.bin
Usage: ./stage1.bin <pass>
$ ./stage1.bin oops
Try again...

Call to strcmp

This stage is really easy to solve. As shown on the below extrac, there is a
strcmp
function (at offset
0x40069A
) that compares the user input with the string "Much_secure__So_safe__Wow".
.text:0000000000400687 loc_400687:
.text:0000000000400687                 mov     rax, [rbp+pass] ; rax = user input
.text:000000000040068B                 add     rax, 8
.text:000000000040068F                 mov     rax, [rax]
.text:0000000000400692                 mov     esi, offset s2  ; "Much_secure__So_safe__Wow"
.text:0000000000400697                 mov     rdi, rax        ; s1
.text:000000000040069A                 call    _strcmp
.text:000000000040069F                 test    eax, eax
.text:00000000004006A1                 jnz     loc_400773
.text:00000000004006A7                 mov     rax, cs:stdout@@GLIBC_2_2_5
.text:00000000004006AE                 mov     rcx, rax        ; s
.text:00000000004006B1                 mov     edx, 0Bh        ; n
.text:00000000004006B6                 mov     esi, 1          ; size
.text:00000000004006BB                 mov     edi, offset aGoodGood ; "Good good!\n"
.text:00000000004006C0                 call    _fwrite
.text:00000000004006C5                 mov     [rbp+var_8], 0
.text:00000000004006CC                 mov     [rbp+var_4], 0
.text:00000000004006D3                 jmp     loc_400764

Solution

Providing the right answer outputs a long base64 encoded string:

$ ./stage1.bin Much_secure__So_safe__Wow
Good good!
c3RhZ2UyLmJpbgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAwMDA3NTUAMDAwMTc1
MAAwMDAxNzUwADAwMDAwMTA0MjQwADEyNjU1MTAwNzc2ADAxMjMwMgAgMAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1c3RhciAgAGpoZXJ2ZQAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAamhlcnZlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB/
RUxGAgEBAAAAAAAAAAAAAgA+AAEAAABgBUAAAAAAAEAAAAAAAAAAoIEAAAAAAAAAAAAAQAA4AAkA
QAAcABsABgAAAAUAAABAAAAAAAAAAEAAQAAAAAAAQABAAAAAAAD4AQAAAAAAAPgBAAAAAAAACAAA
[...SNIP...]
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
If we export this string (first remove the "Good work!") to a file (
stage1.base64
) and decode it, it produces a second executable which will be the second stage.
$ cat stage1.base64 | base64 -d > stage2
$ file stage2
stage2: POSIX tar archive (GNU)

Comments

blog comments powered by Disqus

Keywords: nuit-du-hack-2016 NDH2K16 challenge reversing