user@linuxtrack:~ $ python -c 'print("Soyez les bienvenus !")'

Vous n'êtes pas identifié(e).

#1 13-04-2019 17:45:45

Azgarech
Crazy one

Epreuves BreizhCTF

Epreuve Stégano

1555170340_duckyduke.jpg


Epreuve Reverse


1) Assembleur

Reading compilation is a reverse basic function.

The given file is the assembly of a function. The main function is as follows and ouputs the flag.
The format is breizhctf{**********}.

Will you be able to read and compile it?

Good Luck buddy wink

[== Indéfini ==]

int main(int argc, char const *argv[])
{
  char input[] = {0x0,  0x43, 0x50, 0x46, 0x4d, 0x5f, 0x4e, 0x44, 0x5c, 0x4f, 0x71, 
                  0x79, 0x69, 0x6c, 0x6a, 0x50, 0x71, 0x62, 0x7f, 0x4c, 0x7d, 0x66, 
                  0x49, 0x63, 0x70, 0x7c, 0x45, 0x79, 0x7d, 0x6e, 0x77, 0x7c, 0x5d, 0x21};
  func(input, 33);
  printf("%s\n",input+1);
  return 0;
}

2) Python

[== python3 ==]

# -*- encoding: utf-8 -*-

#!/usr/bin/env python3
#
# File: enc.py
# by @_SaxX_
#

def get_flag(s):
	pass

print('Well Done' if get_flag(''.join(map(lambda x: chr((ord(x)^32)+16).encode('base64'), "cg==\ngg==\ndQ==\neQ==\nig==\neA==\ncw==\nhA==\ndg==\naw==\nUg==\nUQ==\nWw==\nYw==\njw==\nZA==\nIA==\njw==\nYg==\nXw==\nXw==\nZA==\nYw==\njw==\nZw==\nWQ==\nZA==\nWA==\njw==\nYw==\nXw==\nXQ==\nVQ==\njw==\nYw==\nWQ==\nXQ==\nYA==\nXA==\nVQ==\njw==\nIA==\nXg==\nIw==\njw==\nXA==\nIQ==\nXg==\nVQ==\nYg==\nbQ==\n")))=="###REDACTED###" else 'Nope')

3) Binaire

binaire à télécharger ici: https://git.linuxtrack.net/Azgarech/bre … erizchacha



Je crois que c'est tout ce que j'ai.

Promis, la prochaine fois je ferai des WriteUp en même temps que de gagner du flag smile


Security is always excessive until it’s not enough. — Robbie Sinclair

Hors ligne

#2 14-04-2019 09:09:41

Azgarech
Crazy one

Re : Epreuves BreizhCTF


Security is always excessive until it’s not enough. — Robbie Sinclair

Hors ligne

#3 15-04-2019 08:07:01

Viperr
Modérateur

Re : Epreuves BreizhCTF

Writeup :
https://k-lfa.info/write-ups-breizhctf/
et de chez  aperi kube ( attention il fait mal celui la )
https://www.aperikube.fr/docs/breizhctf_2019/


vi est mon ami pour la vie
Viperr
Ph'nglui nglw-nafh Cthulhu R'lyeh wgah-nagl fhtagn

Hors ligne

#4 15-04-2019 11:46:48

Azgarech
Crazy one

Re : Epreuves BreizhCTF


Security is always excessive until it’s not enough. — Robbie Sinclair

Hors ligne

#5 16-04-2019 15:36:06

Viperr
Modérateur

Re : Epreuves BreizhCTF

Ce chalenge est un chalenge de reverse engineering faisant gagner 25point au BreizhCTF 2k19
Test de lancement du script :

[== Indéfini ==]
penthium@viperr:~/CTF$./werizchacha 
usage: ./werizchacha flag
./werizchacha flag
That's not the flag.

On voit donc que l’application demande un argument et nous répond si le flag donné en argument est le bon ou pas.

Analyse de l’application :

[== Indéfini ==]
penthium@viperr:~/CTF$file ./werizchacha
./werizchacha: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=bf80a2aa8567041c0bd974a46c6bd160f458eb29, not stripped

Lancement de ltrace ( debugger affichant la RAM de l'espace utilisateur ) cela permet de voir les registre RAM de façon simplifier.

[== Indéfini ==]
penthium@viperr:~/CTF$ltrace ./werizchacha flag
strlen("AQDHYGBSEzj2x^G0c0mf^hm^O030m^Rh"...)                                                                        = 36
strcmp("BREIZHCTF{k3y_H1d1ng_in_P141n_Si"..., "flag")                                                                   = -31
puts("That's not the flag."That's not the flag.
)                                                                                         = 21
+++ exited (status 1) +++

On remarque le début du FLAG a récupérer : BREIZHCTF{k3y_H1d1ng_in_P141n_Si"... dans la fonction assembleur strcmp ( comparateur de string )

On va donc passer a gdb pour avoir la string en entier ! ( gdm est un deboguer )

[== Indéfini ==]
penthium@viperr:~/CTF$gdb ./werizchacha
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./werizchacha...(no debugging symbols found)...done.

La premier étape est de désassemblé la fonction main du programme afin de voir les diferentes fonction assembleur, notre but étant de retrouver le strcmp

[== Indéfini ==]
(gdb) disass main
Dump of assembler code for function main:
   0x0000000000000790 <+0>:     push   %rbp
   0x0000000000000791 <+1>:     mov    %rsp,%rbp
   0x0000000000000794 <+4>:     push   %r15
   0x0000000000000796 <+6>:     push   %r14
   0x0000000000000798 <+8>:     push   %r13
   0x000000000000079a <+10>:    push   %r12
   0x000000000000079c <+12>:    push   %rbx
   0x000000000000079d <+13>:    sub    $0x48,%rsp
   0x00000000000007a1 <+17>:    mov    %edi,-0x64(%rbp)
   0x00000000000007a4 <+20>:    mov    %rsi,-0x70(%rbp)
   0x00000000000007a8 <+24>:    mov    %rsp,%rax
   0x00000000000007ab <+27>:    mov    %rax,%rbx
   0x00000000000007ae <+30>:    lea    0x1b3(%rip),%rax        # 0x968
   0x00000000000007b5 <+37>:    mov    %rax,-0x40(%rbp)
   0x00000000000007b9 <+41>:    mov    -0x40(%rbp),%rax
   0x00000000000007bd <+45>:    mov    %rax,%rdi
   0x00000000000007c0 <+48>:    callq  0x620 <strlen@plt>
   0x00000000000007c5 <+53>:    mov    %eax,-0x44(%rbp)
   0x00000000000007c8 <+56>:    mov    -0x44(%rbp),%eax
   0x00000000000007cb <+59>:    movslq %eax,%rdx
   0x00000000000007ce <+62>:    sub    $0x1,%rdx
   0x00000000000007d2 <+66>:    mov    %rdx,-0x50(%rbp)
   0x00000000000007d6 <+70>:    movslq %eax,%rdx
   0x00000000000007d9 <+73>:    mov    %rdx,%r14
   0x00000000000007dc <+76>:    mov    $0x0,%r15d
   0x00000000000007e2 <+82>:    movslq %eax,%rdx
   0x00000000000007e5 <+85>:    mov    %rdx,%r12
   0x00000000000007e8 <+88>:    mov    $0x0,%r13d
   0x00000000000007ee <+94>:    cltq
   0x00000000000007f0 <+96>:    mov    $0x10,%edx
   0x00000000000007f5 <+101>:   sub    $0x1,%rdx
   0x00000000000007f9 <+105>:   add    %rdx,%rax
   0x00000000000007fc <+108>:   mov    $0x10,%ecx
   0x0000000000000801 <+113>:   mov    $0x0,%edx
   0x0000000000000806 <+118>:   div    %rcx
   0x0000000000000809 <+121>:   imul   $0x10,%rax,%rax
   0x000000000000080d <+125>:   sub    %rax,%rsp
   0x0000000000000810 <+128>:   mov    %rsp,%rax
   0x0000000000000813 <+131>:   add    $0x0,%rax
   0x0000000000000817 <+135>:   mov    %rax,-0x58(%rbp)
   0x000000000000081b <+139>:   movl   $0x0,-0x34(%rbp)
   0x0000000000000822 <+146>:   jmp    0x849 <main+185>
   0x0000000000000824 <+148>:   mov    -0x34(%rbp),%eax
   0x0000000000000827 <+151>:   movslq %eax,%rdx
   0x000000000000082a <+154>:   mov    -0x40(%rbp),%rax
   0x000000000000082e <+158>:   add    %rdx,%rax
   0x0000000000000831 <+161>:   movzbl (%rax),%eax
   0x0000000000000834 <+164>:   add    $0x1,%eax
   0x0000000000000837 <+167>:   mov    %eax,%ecx
   0x0000000000000839 <+169>:   mov    -0x58(%rbp),%rdx
   0x000000000000083d <+173>:   mov    -0x34(%rbp),%eax
   0x0000000000000840 <+176>:   cltq
   0x0000000000000842 <+178>:   mov    %cl,(%rdx,%rax,1)
   0x0000000000000845 <+181>:   addl   $0x1,-0x34(%rbp)
   0x0000000000000849 <+185>:   mov    -0x34(%rbp),%eax
   0x000000000000084c <+188>:   cmp    -0x44(%rbp),%eax
   0x000000000000084f <+191>:   jl     0x824 <main+148>
   0x0000000000000851 <+193>:   cmpl   $0x1,-0x64(%rbp)
   0x0000000000000855 <+197>:   jle    0x89b <main+267>
   0x0000000000000857 <+199>:   mov    -0x70(%rbp),%rax
   0x000000000000085b <+203>:   add    $0x8,%rax
   0x000000000000085f <+207>:   mov    (%rax),%rdx
   0x0000000000000862 <+210>:   mov    -0x58(%rbp),%rax
   0x0000000000000866 <+214>:   mov    %rdx,%rsi
   0x0000000000000869 <+217>:   mov    %rax,%rdi
   0x000000000000086c <+220>:   callq  0x640 <strcmp@plt>
   0x0000000000000871 <+225>:   test   %eax,%eax
   0x0000000000000873 <+227>:   jne    0x888 <main+248>
   0x0000000000000875 <+229>:   lea    0x111(%rip),%rdi        # 0x98d
   0x000000000000087c <+236>:   callq  0x610 <puts@plt>
   0x0000000000000881 <+241>:   mov    $0x0,%eax
   0x0000000000000886 <+246>:   jmp    0x8ce <main+318>
   0x0000000000000888 <+248>:   lea    0x10f(%rip),%rdi        # 0x99e
   0x000000000000088f <+255>:   callq  0x610 <puts@plt>
   0x0000000000000894 <+260>:   mov    $0x1,%eax
   0x0000000000000899 <+265>:   jmp    0x8ce <main+318>
   0x000000000000089b <+267>:   mov    -0x70(%rbp),%rax
   0x000000000000089f <+271>:   mov    (%rax),%rax
   0x00000000000008a2 <+274>:   lea    0x10a(%rip),%rcx        # 0x9b3
   0x00000000000008a9 <+281>:   mov    %rax,%rdx
   0x00000000000008ac <+284>:   lea    0x106(%rip),%rsi        # 0x9b9
   0x00000000000008b3 <+291>:   lea    0x107(%rip),%rdi        # 0x9c1
   0x00000000000008ba <+298>:   mov    $0x0,%eax
   0x00000000000008bf <+303>:   callq  0x630 <printf@plt>
   0x00000000000008c4 <+308>:   mov    %rbx,%rsp
   0x00000000000008c7 <+311>:   mov    $0x0,%eax
   0x00000000000008cc <+316>:   jmp    0x8d1 <main+321>
   0x00000000000008ce <+318>:   mov    %rbx,%rsp
   0x00000000000008d1 <+321>:   lea    -0x28(%rbp),%rsp
   0x00000000000008d5 <+325>:   pop    %rbx
   0x00000000000008d6 <+326>:   pop    %r12
   0x00000000000008d8 <+328>:   pop    %r13
   0x00000000000008da <+330>:   pop    %r14
   0x00000000000008dc <+332>:   pop    %r15
   0x00000000000008de <+334>:   pop    %rbp
   0x00000000000008df <+335>:   retq
End of assembler dump.

Analyse du résultat : on recherche strcmp

[== Indéfini ==]
   0x0000000000000866 <+214>:   mov    %rdx,%rsi
   0x0000000000000869 <+217>:   mov    %rax,%rdi
   0x000000000000086c <+220>:   callq  0x640 <strcmp@plt>

On remarque deux choses importantes sur les ligne du dessus de , ce sont les registre rsi et rdi
rsi : registre général, adresse source pour déplacement ou comparaison
rdi : registre général, adresse destination pour déplacement ou comparaison
On va donc demander a gdb de faire un break du programme en 220 afin de pouvoir lire le contenue de ces deux registre :

[== Indéfini ==]
(gdb) break *main+220
Breakpoint 1 at 0x86c

Puis on lance le programme :

[== Indéfini ==]
(gdb) run flag
Starting program: /penthium/home/CTF/werizchacha aaa

Breakpoint 1, 0x000055555555486c in main ()

Une fois le programme stoppé il suffit d’afficher les registres via un print avec traduction caractère :

[== Indéfini ==]
(gdb) print (char*)$rsi
$1 = 0x7fffffffe7f5 "flag"
(gdb) print (char*)$rdi
$2 = 0x7fffffffe410 "BREIZHCTF{k3y_H1d1ng_in_P141n_SiGhT}"

Voila un a notre flag, on peut donc quitter gdb et lancer la vérification dans le shell

[== Indéfini ==]
penthium@viperr:~/CTF$ ./werizchacha "BREIZHCTF{k3y_H1d1ng_in_P141n_SiGhT}"
That's the flag!

Voila j'ai biensur 3j de retard, mais c'est mon premier reverse et j'ai mal au crane...

penthium2
Cthulhu  Cthulhu  Cthulhu

Dernière modification par Viperr (16-04-2019 15:37:57)


vi est mon ami pour la vie
Viperr
Ph'nglui nglw-nafh Cthulhu R'lyeh wgah-nagl fhtagn

Hors ligne

Pied de page des forums