Binary 1

Prompt

We need to break into a program that the hackers have created. You will need to provide the identifier, 7074, as the only argument to the program.

RE1_32bit.bin (7.5KB)
RE1_64bit.bin (8.8KB)

Walk-Through

This challenge involves using a disassembler to exploit a compiled binary. Compiled binaries consist of machine code instructions, which can be represented in an assembly language; examples of assembly languages include x86/x64, ARM, MIPS, PowerPC, and more. One possible tool to use is the gdb program on Linux.

A Linux binary is provided and the user is tasked with extracting the secret flag. This can be solved by disassembling the main function with the disassemble main command in gdb, which reveals a call to gets.

This is the result of running disassemble main in gdb

Based on the disassembly, it can be inferred that the original code looks something along these lines:

image

gets is a function that is well known for causing buffer overflows, because it reads input with no length limit. The disassembly also reveals the size of the buffer (30 bytes), which can be exploited if more than 30 bytes are entered: once the 30 bytes are filled, the remaining input starts to overwrite the pass variable, which controls whether the check passes or not.

Thus, entering at least 31 bytes at the password prompt will overflow the input buffer, which only holds 30 bytes, and overwrite the value of pass. Any printable ASCII character as the 31st byte makes the pass variable a truthy (non-zero) value, and the program prints the flag.
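The pattern described above beside its bounded replacement, as an added example that is not the challenge binary's code: the frame layout (a 30-byte buffer directly followed by a one-byte pass flag), the SECRET value and the probe helper are constructed assumptions for the demonstration. The unsafe variant reproduces the gets behaviour of copying until the terminator; the safe variant reproduces the fgets contract, which is the usual fix.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 30
#define SECRET "constructed_secret"  /* placeholder; the real password is not on the page */

/* Constructed frame model: a 30-byte buffer immediately followed by a one-byte
 * pass flag, as the walkthrough describes (a real compiler may lay the frame
 * out differently). The slack bytes only keep this demo inside its own memory;
 * the real gets() has no bound at all. */
int check_unsafe(const char *input) {
    unsigned char frame[BUF_SIZE + 1 + 32] = {0};
    char *buf = (char *)frame;                  /* where gets() writes */
    unsigned char *pass = frame + BUF_SIZE;     /* sits right after the buffer */
    size_t n = strlen(input) + 1;               /* gets() copies up to the NUL */
    if (n > sizeof frame - 1) n = sizeof frame - 1;
    memcpy(buf, input, n);                      /* the 31st byte lands on *pass */
    if (strcmp(buf, SECRET) == 0) *pass = 1;
    return *pass != 0;                          /* non-zero: the flag is printed */
}

/* Hardened version. The real fix is fgets(buf, sizeof buf, stdin); this loop
 * reproduces its contract on a string: at most sizeof(buf) - 1 bytes stored,
 * always NUL-terminated, so no input length can reach pass. */
int check_safe(const char *input) {
    char buf[BUF_SIZE];
    int pass = 0;
    size_t i;
    for (i = 0; i < sizeof buf - 1 && input[i] != '\0' && input[i] != '\n'; i++)
        buf[i] = input[i];
    buf[i] = '\0';
    if (strcmp(buf, SECRET) == 0) pass = 1;     /* the only way pass is set */
    return pass;
}

/* Builds a constructed input of len 'A' bytes and runs check on it. */
int probe(int (*check)(const char *), size_t len) {
    char input[64];
    if (len > sizeof input - 1) len = sizeof input - 1;
    memset(input, 'A', len);
    input[len] = '\0';
    return check(input);
}

int main(void) {
    printf("unsafe, 30 bytes: %d\n", probe(check_unsafe, 30)); /* 0: buffer just full */
    printf("unsafe, 31 bytes: %d\n", probe(check_unsafe, 31)); /* 1: pass clobbered */
    printf("safe,   31 bytes: %d\n", probe(check_safe, 31));   /* 0: bounded copy */
    return 0;
}
```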

If reading instructions is not your strong suit, that’s okay. You can alternatively use a tool like Ghidra to help you with the software reverse engineering process.

image

After you install Ghidra, you can create a new project and import the binary into it. Once imported, you can right-click on the file to open it in the default tool, Code Browser.

image

Once opened, Ghidra will prompt you to analyze the file. Allow it a moment to do so. After the file has been analyzed, you’ll find some new items to explore. First, you will find the Symbol Tree in the left-hand sidebar, which contains a listing of all the C symbols. In the Symbol Tree, you’ll find a folder that lists the functions in this file. In C, the primary function that gets executed is the main function, so select main in the Functions folder of the Symbol Tree; this reveals Ghidra’s decompiled version on the right-hand side of the Code Browser.

image

The decompiled source code is Ghidra’s best attempt at recreating the original source code. It is not necessarily a 100% faithful reflection of what the source looked like, but it is a fairly close representation. Certain symbols such as local variable names are often not included in compiled binaries, so those names are replaced with placeholders such as “local_32”.

From here, you can additionally rename variables based on the assembly instructions or the decompiled logic, to keep the decompilation organized and make the decompiled source code easier to interpret.

image
image

After renaming the variables based on their logic and functionality, the result can look like the image above. One thing to note is that if you highlight a line in the decompiled source code, Ghidra will highlight the corresponding line(s) in the assembly pane as well, and vice versa.

Questions

What is the flag hidden in the program?

©️ 2024 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.