\n\nThis page has been machine-translated from the original page.
\n
I participated in TSG CTF 2024, which started on 12/14, with 0nePadding and finished in 63rd place. (Everyone was really good…)
\nI will write a quick writeup.
\n\n\n\nThis binary is a little strange…
\nHint for beginners:
\nThe attached file is an ELF executable that runs on x86-64 Linux.\nIf you run it and enter the correct FLAG, it will display
\nCorrect!.\nUse Ghidra or IDA Free to understand the overall processing.\nUse gdb to observe its behavior while actually running it.\nYou do not need to understand every detail of every routine exactly.\nIn many cases, it is enough just to understand what a routine takes as input and what it changes.
I first checked the challenge binary with capa, but I could not find any information that seemed especially useful.
\nWhen I decompiled it with Binja, I found that the main function was implemented as follows.
int32_t main(int32_t argc, char** argv, char** envp)\n{\n char var_9 = 1;\n int32_t var_14 = 4;\n void input_0x30_flag;\n input_flag(&input_0x30_flag, 0x30);\n init(0x2cb7, 0x22);\n \n for (int32_t i = 0; i <= 0xb; i += 1)\n {\n int32_t rax_2 = gen_rand();\n *(uint32_t*)(((int64_t)(i << 2)) + &input_0x30_flag) ^= rax_2;\n \n if (memcmp((&input_0x30_flag + ((int64_t)(i << 2))), (((int64_t)(i << 2)) + &flag_enc), ((int64_t)var_14)) != 0)\n var_9 = 0;\n }\n \n if (var_9 == 0)\n puts(\"Wrong...\");\n else\n puts(\"Correct!\");\n \n return 0;\n}At a high level, the main function seems to perform the following steps.
0x30 bytes of input from standard input.init function.gen_rand in 4-byte chunks and compare it against a hardcoded value with memcmp.Correct!.Since the XOR-encrypted flag is hardcoded, it seems that once we correctly identify the key generated by gen_rand, we can work backward to recover the flag.
Looking at the implementation of gen_rand, it seems to be a function that manipulates the state variable in various ways. (It did not seem very important, so I did not read the implementation in detail.)
Because the XOR-encrypted flag is hardcoded in the binary with a specific key, it seems highly likely that the key generated by gen_rand is not truly random but instead uniquely determined by a specific seed.
In fact, if you debug it by driving gdb with the following script, you can confirm that only the first 4 bytes of the key are fixed (using the hardcoded seed from the init function), and that the subsequent keys change depending on each 4-byte chunk of the input string.
# gdb -x run.py\nimport gdb\nimport ctypes\nfrom pprint import pprint\n\nBINDIR = \"./\"\nBIN = \"misbehave\"\nINPUT = \"./in.txt\"\nOUTPUT = \"./out.txt\"\nBREAK = \"*(main+74)\"\n\nwith open(INPUT, \"w\") as f:\n f.write(\"A\"*0x30)\n\nwith open(OUTPUT, \"w\") as f:\n f.write(\"A\"*0x30)\n\ngdb.execute('file {}/{}'.format(BINDIR, BIN))\ngdb.execute('b {}'.format(BREAK))\n\ngdb.execute('run < {}'.format(INPUT, OUTPUT))\n\nwhile True:\n print(hex(\n ctypes.c_int32(int(gdb.parse_and_eval(\"$eax\"))).value\n ))\n gdb.execute(\"continue\")Note: the following is the value of the key generated when the input string consists only of A.
You can also confirm that the hardcoded XOR-encrypted flag is as follows.
\nFrom this information, we can tell that only the first 4 bytes of the flag can be identified by XORing the initial value of state with the first 4 bytes of the encrypted flag. After that, the rest of the flag can be identified in order by entering the correct flag string 4 bytes at a time and using the correct key generated from it.
Below is the recipe I used in CyberChef to identify the correct flag 4 bytes at a time.
\nIn the end, by using the following solver to extract each key generated when the correct flag string was entered 4 bytes at a time, I was able to identify the correct flag.
\n# gdb -x run.py\nimport gdb\nimport ctypes\nfrom pprint import pprint\n\nBINDIR = \"./\"\nBIN = \"misbehave\"\nINPUT = \"./in.txt\"\nOUTPUT = \"./out.txt\"\nBREAK = \"*(main+74)\"\n\nN = 11\nwith open(INPUT, \"w\") as f:\n f.write(\"TSGCTF{h1dd3n_func7i0n_4nd_s31f_g07_0verwr17\" + \"A\"*(0x30-4*N))\n\nwith open(OUTPUT, \"w\") as f:\n f.write(\"A\"*0x30)\n\ngdb.execute('file {}/{}'.format(BINDIR, BIN))\ngdb.execute('b {}'.format(BREAK))\ngdb.execute('run < {}'.format(INPUT, OUTPUT))\n\nflag_enc = [0x906f6020, 0xf38f77ae, 0x5ea509fc, 0x51396bdd,\n0x5e6efddf, 0x858860a8, 0x5295d7bc, 0xf382e975,\n0x9504a2b7, 0x675c0e4a, 0xbf138153, 0xc1706134]\n\nfor i in range(12):\n if i == N:\n rand_val = ctypes.c_int32(int(gdb.parse_and_eval(\"$eax\"))).value & 0xFFFFFFFF\n print(hex(rand_val))\n print(hex(\n rand_val ^ flag_enc[N]\n ))\n gdb.execute(\"continue\")\n\ngdb.execute(\"quit\")\n\n# TSGCTF{h1dd3n_func7i0n_4nd_s31f_g07_0verwr173}\n\nIt looks like you will be told the flag if you enter the correct password.
\n
The challenge provides the following C code and compiled ELF file as the binary.
\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <time.h>\n\nvoid crypting(long long* secret, size_t len, long long key) {\nfor (int i = 0; i < (len - 1) / 8 + 1; i++) {\nsecret[i] = secret[i] ^ key;\n}\n}\n\nvoid output_flag() {\nchar flag[100];\nFILE *fd = fopen(\"./flag.txt\", \"r\");\nif (fd == NULL) {\nputs(\"Could not open \\\"flag.txt\\\"\");\nexit(1);\n}\nfscanf(fd, \"%99s\", flag);\nprintf(\"%s\\n\", flag);\n}\n\nint main() {\nsetvbuf(stdout, NULL, _IONBF, 0);\n\nchar hints[3][8] = {\"Hint1:T\", \"Hint2:S\", \"Hint3:G\"};\nchar password[0x20];\nchar input[0x20];\n\n\nsrand(time(0));\nlong long key = ((long long)rand() << 32) | rand();\n\nFILE *fd = fopen(\"password.txt\", \"r\");\nif (fd == NULL) {\nputs(\"Could not open \\\"password.txt\\\"\");\nexit(1);\n}\n\nfscanf(fd, \"%31s\", password);\nsize_t length = strlen(password);\ncrypting((long long*)password, 0x20, key);\n\nprintf(\"Enter the password > \");\nscanf(\"%31s\", input);\n\ncrypting((long long*)input, 0x20, key);\n\nif (memcmp(password, input, length + 1) == 0) {\nputs(\"OK! Here's the flag!\");\noutput_flag();\nexit(0);\n}\n\nputs(\"Authentication failed.\");\nputs(\"You can get some hints.\");\n\nwhile (1) {\nint idx;\nprintf(\"Enter a hint number (0~2) > \");\nif (scanf(\"%d\", &idx) == 1 && idx >= 0) {\nfor (int i = 0; i < 8; i++) {\nputchar(hints[idx][i]);\n}\nputs(\"\");\n} else {\nbreak;\n}\n}\n\nwhile (getchar()!='\\n');\n\nprintf(\"Enter the password > \");\nscanf(\"%31s\", input);\n\ncrypting((long long*)input, 0x20, key);\n\nif (memcmp(password, input, length + 1) == 0) {\nputs(\"OK! Here's the flag!\");\noutput_flag();\n} else {\nputs(\"Authentication failed.\");\n}\n\nreturn 0;\n}Reading this code, you can see that the correct password and the input value are both XOR-encrypted with a randomly generated 8-byte key, and the flag is displayed only when the results match.
\nAlso, conveniently, this program lets you view hints for the password after entering an incorrect password once, and then gives you another chance to enter the password afterward.
\nThe part that displays those password hints is implemented as follows.
\nchar hints[3][8] = {\"Hint1:T\", \"Hint2:S\", \"Hint3:G\"};\nchar password[0x20];\nchar input[0x20];\n\nwhile (1) {\n int idx;\n printf(\"Enter a hint number (0~2) > \");\n if (scanf(\"%d\", &idx) == 1 && idx >= 0) {\n for (int i = 0; i < 8; i++) {\n putchar(hints[idx][i]);\n }\n puts(\"\");\n } else {\n break;\n }\n}Because the code above imposes no restriction on the range of idx other than idx >= 0, it has an obvious vulnerability that allows out-of-bounds access to information on the stack.
Also, the information that can be accessed by exploiting this vulnerability is expected to include stack data containing the encrypted password and the input value.
Below is the recipe I used to decrypt the password. By sending the password identified in this way to the challenge server, I was able to obtain the correct flag. I did not have enough patience to completely solve the SQLite VM challenge, but I plan to review that one in another article.Summary
\n