Reverse Engineering: Order Matters (350) — SunshineCTF 2018 Writeup (1 of x)

Mon
Apr 9, 2018

To pass time last weekend, I tried to answer some problems from the recently concluded SunshineCTF 2018. This is the first writeup since this one’s the easiest to explain (I think). So let’s get to it!

The Givens

We were given a binary file called order. Running the file command gives us the following output:

order: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=3239dbd5e13a2e342a607307c771dad2df3a1870, not stripp

Issuing the rabin2 -I order command gives us this output:

arch     x86
binsz 11274
bintype elf
bits 64
canary false
class ELF64
crypto false
endian little
havecode true
intrp /lib64/ld-linux-x86-64.so.2
lang c
linenum true
lsyms true
machine AMD x86-64 architecture
maxopsz 16
minopsz 1
nx true
os linux
pcalign 0
pic true
relocs true
relro partial
rpath NONE
static false
stripped false
subsys linux
va true

So we now know that the order binary file is a 64-bit ELF binary that is not stripped and dynamically-linked. Let’s try running it:

$ ./order
Enter password: opensesame
Wrong password length.
$ ./order
Enter password: password
Wrong password length.

Hmmm. It seems that this program asks for a password of a specific length. Let’s check it out using radare2!

Issuing the ie command will show us the available entrypoints. (By default, however, radare2 starts you at the first identifiable entrypoint.)

[0x000006c0]> ie 
[Entrypoints]
vaddr=0x000006c0 paddr=0x000006c0 baddr=0x00000000 laddr=0x00000000 haddr=0x00000018 type=program
1 entrypoints

So we’re already at the entrypoint. Let’s issue the aa command first. This analyzes all flags starting with sym. and entry0. After that, we can issue the fs command to show all the available flagspaces.

[0x000006c0]> fs
0 19 . strings
1 46 . symbols
2 80 . sections
3 11 . relocs
4 11 . imports
5 2 * functions

Let’s look at the symbols flagspace by issuing the following command:

[0x000006c0]> fs symbols; f
0x0000096e 256 main
0x000006c0 43 entry0
0x000007c0 10 entry1.init
0x00000780 1 entry2.fini
...
0x0000091a 28 sym.p13

As you can see from the output above, the program has a main symbol. Let’s go (seek) to it:

[0x000006c0]> s main
[0x0000096e]>

Now that we’re in the main function, we can visualize the rest of the code using the VVVV directive.

Look at that beaut

Looking closer, we’ll see that the “Wrong password length.” message is caused by the line

cmp rax, 0x1e ; <- This is 30 in decimal

True enough, entering 30 characters as the password will give us this:

$ ./order
Enter password: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Access denied.

What the… Well, that indicates that it’s time to check the other flagspaces. Let’s look at the strings flagspace:

[0x000006c0]> fs strings; f
0x00000cb4 9 str.58335249
0x00000cbd 9 str.58306c45
0x00000cc6 9 str.5a314e66
0x00000ccf 9 str.63335675
0x00000cd8 9 str.58335177
0x00000ce1 9 str.51563969
0x00000cea 9 str.4e484a45
0x00000cf3 9 str.66513d3d
0x00000cfc 9 str.4d313935
0x00000d05 9 str.59544578
0x00000d0e 9 str.4d313943
0x00000d17 9 str.4d486c7a
0x00000d20 9 str.6532315a
0x00000d29 9 str.5831526f
0x00000d32 9 str.556a4675
0x00000d3b 17 str.Enter_password:
0x00000d4f 23 str.Wrong_password_length.
0x00000d66 15 str.Access_Granted
0x00000d75 15 str.Access_Denied.

Hmm. Getting all the suspicious values will give us this (presumed) hex string:

5833524958306c455a314e666333567558335177515639694e484a4566513d3d4d313935595445784d3139434d486c7a6532315a5831526f556a4675

Converting it to ASCII gives us this string:

$ echo -n "5833524958306c455a314e666333567558335177515639694e484a4566513d3d4d313935595445784d3139434d486c7a6532315a5831526f556a4675" | xxd -r -p
X3RIX0lEZ1Nfc3VuX3QwQV9iNHJEfQ==M195YTExM19CMHlze21ZX1RoUjFu

This looks like a base64 string, so let’s try to decode it:

$ echo "X3RIX0lEZ1Nfc3VuX3QwQV9iNHJEfQ==M195YTExM19CMHlze21ZX1RoUjFu" | base64 -d
_tH_IDgS_sun_t0A_b4rD}3_ya113_B0ys{mY_ThR1n

Mofo… At this point, I just decided to use the sickest piece of software to solve this:

EZ Clap. Microsoft Excel POGGERS

So the flag is sun{mY_IDA_bR1ngS_a11_tH3_B0ys_t0_Th3_y4rD}

…too bad I use radare2 😎
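
The decode and reorder steps above, redone chunk by chunk in Python as an added example (not part of the original writeup or the challenge). The listing is copied from the strings flagspace output above, the target flag is the one stated in the writeup, and the function names decode_chunks and recover_order are my own; decoding each flag name separately shows why == lands mid-string and which chunk goes where.

```python
import base64
import re
# Copied from the strings flagspace listing in this writeup.
R2_FLAGS = """\
0x00000cb4 9 str.58335249
0x00000cbd 9 str.58306c45
0x00000cc6 9 str.5a314e66
0x00000ccf 9 str.63335675
0x00000cd8 9 str.58335177
0x00000ce1 9 str.51563969
0x00000cea 9 str.4e484a45
0x00000cf3 9 str.66513d3d
0x00000cfc 9 str.4d313935
0x00000d05 9 str.59544578
0x00000d0e 9 str.4d313943
0x00000d17 9 str.4d486c7a
0x00000d20 9 str.6532315a
0x00000d29 9 str.5831526f
0x00000d32 9 str.556a4675
0x00000d3b 17 str.Enter_password:
"""
FLAG = "sun{mY_IDA_bR1ngS_a11_tH3_B0ys_t0_Th3_y4rD}"  # as stated in the writeup

def decode_chunks(listing):
    """Return [(vaddr, plaintext)] for every flag named str.<8 hex digits>."""
    chunks = []
    for m in re.finditer(r"^(0x[0-9a-f]+) \d+ str\.([0-9a-f]{8})$", listing, re.M):
        b64 = bytes.fromhex(m.group(2))  # hex digits -> one 4-character base64 group
        text = base64.b64decode(b64, validate=True).decode("ascii")
        chunks.append((int(m.group(1), 16), text))
    return chunks

def recover_order(chunks, flag):
    """Backtracking search for the chunk indices that concatenate to `flag`."""
    def walk(pos, used):
        if pos == len(flag):
            return [] if len(used) == len(chunks) else None
        for i, (_, text) in enumerate(chunks):
            if i not in used and flag.startswith(text, pos):
                rest = walk(pos + len(text), used | {i})
                if rest is not None:
                    return [i] + rest
        return None
    return walk(0, frozenset())

if __name__ == "__main__":
    chunks = decode_chunks(R2_FLAGS)
    for i in recover_order(chunks, FLAG):
        print(f"{i:2d}  {chunks[i][0]:#06x}  {chunks[i][1]}")
```

Running it prints each chunk in flag order next to its index in the listing and its address in the binary.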

That’s it for this challenge! As always, thank you for reading!

-Mon
