This downloads as a bash script that gzip-decodes data embedded inside it and runs the decoded data.
We can strip the shell header off the top of the script and decode the embedded data ourselves to get a binary.
The binary is a 64-bit ELF.
After looking at the disassembled code I decided to run the binary. It did the same thing as SIMD: it compared the input byte by byte against a string stored in the binary. I decided to go the easy route and look for the compare.
I started the binary under gdb and interrupted it while it was blocked reading my input:
(gdb) r
Starting program: ./override
Please enter your password: ^C
Program received signal SIGINT, Interrupt.
0x00007ffff7b32a50 in read () from /lib/libc.so.6
(gdb) finish
Run till exit from #0  0x00007ffff7b32a50 in read () from /lib/libc.so.6
AAAAAAAAAAAAAAAAAAAA
0x00007ffff7acd598 in _IO_file_underflow () from /lib/libc.so.6
(gdb) finish
...snip...
(gdb) x/i $rip
=> 0x40084f:    mov    rdx,0x600dd8
(gdb) x/s 0x600dd8
0x600dd8:       'A' <repeats 20 times>, "\n"
(gdb) rwatch *0x600dd8
Hardware read watchpoint 1: *0x600dd8
...snip...
Value = 1094795585
0x0000000000400805 in ?? ()
(gdb) x/4i $rip
=> 0x400805:    mov    eax,DWORD PTR [rbp-0x4]
   0x400808:    cdqe
   0x40080a:    add    rax,QWORD PTR [rbp-0x20]
   0x40080e:    movzx  eax,BYTE PTR [rax]
The watchpoint fires once the binary's own code touches the buffer (the value 1094795585 is 0x41414141, the first four of my A's read as a dword). The code above indexes into the buffer with a counter at [rbp-0x4], so this is the per-byte loop. From there I single-stepped slowly until I found the compare.
(gdb)
0x00000000004006f0 in ?? ()
1: x/4i $rip
=> 0x4006f0:    cmp    edx,eax
   0x4006f2:    xchg   eax,eax
   0x4006f4:    jmp    0x4006cd
   0x4006f6:    push   rax
(gdb)
At this compare, eax holds the byte from the stored string and edx holds the byte I typed. From here I set up a few gdb commands on a breakpoint at the compare: print rax (the expected byte), overwrite rdx with rax so the compare succeeds and the loop moves on to the next byte, and continue. Then I let the program run with a 64-byte dummy input:
(gdb) b *0x4006f0
Breakpoint 1 at 0x4006f0
(gdb) commands
Type commands for when breakpoint 1 is hit, one per line.
End with a line saying just "end".
>i r $rax
>set $rdx=$rax
>c
>end
(gdb) r
Starting program: ./override
Please enter your password: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, 0x00000000004006f0 in ?? ()
rax            0x42     66

Breakpoint 1, 0x00000000004006f0 in ?? ()
rax            0x67     103

Breakpoint 1, 0x00000000004006f0 in ?? ()
rax            0x38     56

Breakpoint 1, 0x00000000004006f0 in ?? ()
rax            0x50     80
...snip...

Breakpoint 1, 0x00000000004006f0 in ?? ()
rax            0x33     51

Breakpoint 1, 0x00000000004006f0 in ?? ()
rax            0x6b     107
Success! You are now logged into the system.

Program exited normally.
(gdb)
Going back through the output and collecting all of the leaked bytes (0x42 0x67 0x38 0x50 ... 0x33 0x6b) into one 64-character string gives us the key:
Bg8Ph#xnr||l*YjV|9K#RRfh6XhnhK8*%f:h5AAUgg%t5K3%xRnR%Xh|iU#W6h3k
Which can once again be verified by feeding it to the binary outside the debugger:
scarecrow@firefly:~/PlaidCTF/Override$ ./override
Please enter your password: Bg8Ph#xnr||l*YjV|9K#RRfh6XhnhK8*%f:h5AAUgg%t5K3%xRnR%Xh|iU#W6h3k
Success! You are now logged into the system.
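The breakpoint-command trick above, automated as a gdb command file so the key is printed as one string instead of being copied out of "i r $rax" output by hand. This is an added example, not part of the original write-up; the addresses and the register roles (eax = expected byte, edx = input byte) are the ones established in the session above, while the file names (leak_key.gdb, input.txt) and the 64-byte dummy input are assumptions.

```gdb
# leak_key.gdb: added example, not from the original write-up.
# Automates the breakpoint trick used above against ./override.
#
# Usage (assumed file names):
#   python3 -c 'print("A"*64)' > input.txt
#   gdb -q -batch -x leak_key.gdb ./override

set pagination off
set disassembly-flavor intel

# The per-byte compare found above: cmp edx,eax at 0x4006f0.
# eax holds the byte from the stored string, edx the byte of our input.
break *0x4006f0
commands
  silent
  # Leak the expected byte as a character so the key prints in one line.
  printf "%c", $eax
  # Force the compare to succeed so the loop advances to the next byte
  # instead of bailing out on our dummy input.
  set $rdx = $rax
  continue
end

# Feed the dummy input on stdin; the binary prints its own success
# message once every byte has been "matched".
run < input.txt
printf "\n"
```

The `silent` keyword suppresses the "Breakpoint 1, ..." banner on every hit, so the only things gdb prints are the leaked key, the binary's own output, and the exit notice. If the dummy input is shorter than the stored string, the loop stops early and only a prefix of the key is leaked, which is why the input length above matches the 64 A's used in the session.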