{"id":326,"date":"2018-10-29T20:15:59","date_gmt":"2018-10-30T00:15:59","guid":{"rendered":"http:\/\/www.wispwisp.com\/?p=326"},"modified":"2020-11-09T23:44:58","modified_gmt":"2020-11-09T23:44:58","slug":"raymond-james-ctf","status":"publish","type":"post","link":"https:\/\/www.wispwisp.com\/index.php\/2018\/10\/29\/raymond-james-ctf\/","title":{"rendered":"Raymond James CTF"},"content":{"rendered":"

I went to Tampa, Florida last weekend to participate Raymond James CTF. My team got 3rd place with $2500 award.<\/span><\/p>\n

The weather in Florida is so0O gO0od: 24 degrees C, meanwhile it’s like 3 degrees C in Baltimore.<\/span>
\n\"\"<\/span><\/p>\n

The team photo:<\/strong><\/span>
\nMy eyes were closed lol.<\/span>
\n\"\"<\/span>
\nThe trophy:<\/strong><\/span>
\n\"\"<\/span>
\nThe coin from gam3z:<\/strong><\/span>
\n\"\" \"\"<\/span><\/p>\n

The onsite-CTF was 70% forensics, 20% binary reverse and 10% Misc. I’m not good at forensics so I didn’t contribute much on that. However, I earn 185 out of 215 points from the pre-challenge by solving a binary reverse problem. Those points from the pre-challenge give our team a huge advantage during the on-site CTF.<\/span><\/p>\n

\n

Write up for the binary reverse problem from pre-challenge(without IDA):<\/strong><\/span>
\nStep 1: Understand the program<\/strong><\/span>
\nUse the password in the email from t0k3nz@gam3z-inc.com to extract the binary from the Zip file.<\/span>
\n\"\"<\/span>
\n\"\"<\/span><\/p>\n

file Ghost_Protocol_Access<\/span><\/p><\/blockquote>\n

Ghost_Protocol_Access: ELF 64-bit LSB executable, x86-64, version 1 (GNU\/Linux), statically linked, for GNU\/Linux 3.2.0, BuildID[sha1]=cf8c2aebbde52c274e2f71dc3a83bb63e4a629e3, stripped<\/span><\/code><\/span><\/p>\n

I copy the binary to my Ubuntu VM and run the binary:<\/span>
\n\"\"<\/span>
\nThe program print out two messages:<\/span>
\n\"This version of bash is terribly out of date....your environment is not secure and this program will not run.\"<\/code><\/span>
\n\"You're not even authorized to use this program!\"<\/code><\/span>
\nI load the binary in Hopper Disassembler(https:\/\/www.hopperapp.com\/<\/a>) and search for the string: “This version of bash is terribly out of date....<\/code>“<\/span>
\n\"\"<\/span>
\nThe string was used in function: sub_401c99. <\/strong>I then load the binary in radare2, I prefer reading assembly code in r2 because it looks nicer:<\/span>
\nr2 Ghost_Protocol_Access<\/code><\/span>
\naaa<\/code><\/span>
\ns 0x401c99<\/code><\/span>
\npdf<\/code><\/span>
\n\"\"<\/span>
\nThe program check for things like “gdb”, “r2”, and “bash”. If “gdb” or “r2” is found, the program will print out the string:<\/span>
\n\"Seriously....you're trying to debug and disassemble me?!?\\n ....ridiculous....I don't even know what to say.....so disappointed....\"<\/code><\/span>
\nIf “bash”  is found, the program will print:<\/span>
\n\"This version of bash is terribly out of date....your environment is not secure and this program will not run.\"<\/code><\/span>
\nNow I understand the function “sub_401c99<\/strong>” does some environment check and exit the program. My next step is to find out where this function gets called in the program.<\/span>
\nI reload the binary in radare2:<\/span>
\nr2 Ghost_Protocol_Access<\/code><\/span>
\naaa<\/code><\/span>
\npdf<\/code><\/span>
\n\"\"<\/span>
\nNoticed the function address “0x401c99<\/strong>” was one of the function argument for the next function call(sub.libc_start_main_40<\/strong>). To display the instruction in function sub.libc_start_main_40 in r2, I used following command:<\/span>
\ns sub.libc_start_main_40<\/code><\/span>
\npdf<\/code><\/span>
\nI can’t really understand what the program is doing inside the function “sub.libc_start_main_40<\/code>” by reading the assembly code only, I need to run the program in GDB to understand the program flow.<\/span>
\ngdb .\/Ghost_Protocol_Access<\/code><\/span>
\nThe program starts at address 0x004015f0:<\/span>
\n\"\"<\/span><\/p>\n

I put break point at the beginning of the program:<\/span>
\ntbreak *0x004015f0<\/code><\/span>
\nrun<\/code><\/span>
\nRun the program line by line(in assembly) in GDB with “next” and “step”. Pressing “n” in gdb for a while and the program stop at address: 0x402347:<\/span>
\n\"\"<\/span>
\nwhats in eax? It’s the function(sub_0x401c99<\/strong>) I mentioned before, the function that checks environment and quit the program.<\/span>
\n\"\"<\/span>
\nAt this point I understand after entering the function “sub.libc_start_main_40<\/code>“, the program call “sub_0x401c99<\/code>” and the program die afterword.<\/span>
\nI am not sure what to do at this point, I just randomly do a “strings Ghost_Protocol_Access | grep t0k3n<\/code>” and got some interesting result:<\/span>
\n\"\"<\/span>
\nSince I know one of the token named “acc3ss”, I start searching the string “acc3sst0k3n” in the program. I search the string in r2 with command \"\/ $string\"<\/code>:<\/span>
\n\"\"<\/span>
\nIn hopper, it shows the strings was used in function sub_401987<\/strong>:<\/span>
\n\"\"<\/span>
\nI notice the function sub_401987<\/strong> doesn’t get call in the program:<\/span>
\n\"\"<\/span>
\nHopper has the feature to show where a function get called, if a function get called, it will show something like this in hopper:<\/span>
\n\"\"<\/span>
\nI want to see what function sub_401987<\/strong> does, my plan is to patch the program and let the function sub_401987<\/strong> run.<\/span><\/p>\n

\n
\n

Second Patch:<\/strong><\/span>
\nCheck the sub_0x00401987<\/strong> function in r2:<\/span>
\ns 0x00401987<\/code><\/span>
\npdf<\/code><\/span>
\n\"\"<\/span>
\nThere are two place call the function “call sub.You_re_not_even_authorized_to_use_this_program_70d”. The jump come from CODE XREF from main (0x401b42)<\/code> and CODE XREF from main (0x401b0d)<\/code><\/span>
\nBoth section does the same thing: call a function, compare the output to a variable, jump if not equal:<\/span>
\n\"\"<\/span>
\nI patch the jump instruction to let the program can keep running without doing the jump:<\/span>
\noo+<\/code><\/span>
\ns 0x401b42<\/code><\/span>
\nwx 909090909090<\/code><\/span>
\ns 0x401b0d<\/code><\/span>
\nwx 909090909090<\/code><\/span>
\nq<\/code><\/span>
\nChange jne instruction to nop:<\/span>
\n\"\"<\/span><\/p>\n

Run the program again to get the flag:<\/span>
\n\"\"<\/span><\/p>\n

\n

Step 3: Fix the image file:<\/strong><\/span>
\nAfter the program print our both token, it also outputs a file called: “acc3sst0k3n”:<\/span>
\n\"\"<\/span>
\nMy teammate told me this file can be base64 decode to an image, but the file is somewhere corrupted and they can’t the flag in the image.<\/span>
\nI did remember there is a super long string in function sub_0x0401987<\/strong>:<\/span>
\n\"\"<\/span>
\nI am not sure what was this at the beginning, I went to address “0x00496498” in r2 and type:<\/span>
\ns 0x00496498<\/code><\/span>
\nps 100000<\/code><\/code><\/span>
\nIn r2 it outputs a huge amount of base64 encoded string, the image below shows the end of the string. <\/span>
\n\"\"<\/span>
\nI search for \"XXH+Kk\"<\/code> in “acc3sst0k3n” file and found a “NUL”.<\/span>
\n\"\"<\/span>
\nI delete the \"NUL\"<\/code> and run the following command to convert base64 encoded file to an image:<\/span><\/p>\n

base64 -D acc3sst0k3n > a.png<\/span><\/code><\/span><\/p>\n

View the image:<\/span>
\n\"\"<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

I went to Tampa, Florida last weekend to participate Raymond James CTF. My team got 3rd place with $2500 award. The weather in Florida is so0O gO0od: 24 degrees C, meanwhile it’s like 3 degrees C in Baltimore. The team photo: My eyes were closed lol. The trophy: The coin from gam3z: The onsite-CTF was 70% […]<\/p>\n","protected":false},"author":1,"featured_media":692,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/326"}],"collection":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/comments?post=326"}],"version-history":[{"count":3,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/326\/revisions"}],"predecessor-version":[{"id":750,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/326\/revisions\/750"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/media\/692"}],"wp:attachment":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/media?parent=326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/categories?post=326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/tags?post=326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

Step 2: Patch the binary to get the Token(Flag):<\/strong><\/span>
\nFirst Patch:<\/strong><\/span>
\nRemember at the beginning of the program, the environment checking function: sub_0x401c99 was moved into the register and get called in “sub.libc_start_main_40” function. I first patch the binary to change the value from sub_0x401c99<\/strong> to sub_401987<\/strong>, so sub_401987<\/strong> will be called afterwords.<\/span>
\n\"\"<\/span>
\nThe opcode 48c7c7991c40. means 48c7c7991c4000, the small dot, in the end, represent two zero “00”. I use this website to convert between opcode and assembly: https:\/\/defuse.ca\/online-x86-assembler.htm#disassembly2<\/a><\/span>
\nI need the opcode for mov rdi, 0x401987<\/code>:<\/span>
\n\"\"<\/span>
\nPatch the binary in r2:<\/span>
\noo+<\/code>(enable write)<\/span>
\ns 0x0040160d<\/code><\/span>
\nwx 48C7C787194000<\/code><\/span>
\nq<\/code><\/span>
\nRun the program again:<\/span>
\n\"\"<\/span>
\nThe program ask for a “Confirmation Code”, I am not sure what the code is so I enter some random string:<\/span>
\n\"\"<\/span><\/p>\n