Oct 17, 2020
We found a script being used by DEADFACE. One of our informants says that the code contains one of mort1cia's passwords. There must be a way to get it out of the file.
A Zip file
Password: hacktober
After retrieving the binary file, we start by analyzing it:
m3dsec@local:~/ht/prog/03_Haunted_Mirror$ chmod +x mirror; ./mirror
Hello, stranger. I'm trapped behind your screen. Type any word and I'll write it back to you from the other side. Say the right word, and I'll tell you a secret.
Segmentation fault
No section header is shown for the binary:
m3dsec@local:~/ht/prog/03_Haunted_Mirror$ file mirror
mirror: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header
Grepping for flag-like strings:
m3dsec@local:~/ht/prog/03_Haunted_Mirror$ strings mirror|grep -i flag -A4
flag{
xeon_p"
haswN
../csu/libc-
arXc
Well, this junk could be the flag, but it's not clear enough for a submission. Let's check the header.
m3dsec@local:~/ht/prog/03_Haunted_Mirror$ hexdump -C mirror|head -n 20
00000000 7f 45 4c 46 02 01 01 03 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 3e 00 01 00 00 00 b0 32 44 00 00 00 00 00 |..>......2D.....|
00000020 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |@...............|
...
000000e0 10 00 00 00 00 00 00 00 f9 3e af 90 55 50 58 21 |.........>..UPX!|
000000f0 84 09 0d 16 00 00 00 00 d0 b9 0b 00 d0 b9 0b 00 |................|
00000100 00 02 00 00 af 00 00 00 08 00 00 00 f7 fb 93 ff |................|
00000110 7f 45 4c 46 02 01 01 03 00 02 00 3e 00 01 0e 60 |.ELF.......>...`|
00000120 1b 40 1f df 2f ec db 40 2f 90 b2 0b 45 26 38 00 |.@../..@/...E&8.|
00000130 08 0a 1d 00 1f 6c 60 bf 1c 57 04 00 01 40 0f 88 |.....l`..W...@..|
We can see that the binary was packed with the UPX packer. If we pass the packed binary into a disassembler we won't see much, so we had to unpack it first:
m3dsec@local:~/ht/prog/03_Haunted_Mirror$ upx -d mirror
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020
File size Ratio Format Name
-------------------- ------ ----------- -----------
768464 <- 303916 39.55% linux/amd64 mirror
Unpacked 1 file.
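The two header clues used above (no section headers and the `UPX!` magic) can be checked automatically. The following Python triage sketch is an added example, not part of the original challenge or of UPX; the function names are hypothetical, and the sample bytes are constructed from the hexdump rows shown above with the elided rows filled with zero padding.

```python
import struct

UPX_MAGIC = b"UPX!"  # marker visible at offset 0xec in the hexdump above

def triage_elf(data: bytes) -> dict:
    """Report packing indicators for a 64-bit little-endian ELF image."""
    if len(data) < 0x40 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELFCLASS64 / little-endian handled here")
    # e_entry, e_phoff, e_shoff are three consecutive 8-byte fields at 0x18
    e_entry, e_phoff, e_shoff = struct.unpack_from("<QQQ", data, 0x18)
    e_shnum = struct.unpack_from("<H", data, 0x3C)[0]
    no_sections = e_shoff == 0 or e_shnum == 0
    magic_at = data.find(UPX_MAGIC)
    return {
        "entry": e_entry,
        "phoff": e_phoff,
        "no_section_headers": no_sections,
        "upx_magic_offset": magic_at if magic_at >= 0 else None,
        # The magic can be edited out of a packed file, so a missing magic
        # does not prove the file is unpacked; treat this as a hint only.
        "likely_upx": magic_at >= 0 and no_sections,
    }

def sample_header() -> bytes:
    """Constructed sample: rows 0x00-0x2f and 0xe0 of the hexdump above,
    with the elided rows in between replaced by zero padding."""
    head = bytes.fromhex(
        "7f454c46020101030000000000000000"
        "02003e0001000000b032440000000000"
        "40000000000000000000000000000000"
    )
    row_e0 = bytes.fromhex("1000000000000000f93eaf9055505821")
    return head + b"\x00" * (0xE0 - len(head)) + row_e0

if __name__ == "__main__":
    import sys
    # With a path argument, triage that file; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_header()
    for key, value in triage_elf(blob).items():
        print(f"{key}: {value}")
```
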
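After reversing the binary, we can spot our flag in the main() function. The function also passes argv[1] (`param_2 + 8`) directly to printf() as the format string, which explains the segmentation fault when the binary is run without an argument: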
undefined8 main(undefined8 param_1,long param_2)
{
    long lVar1;
    int local_c;

    lVar1 = *(long *)(param_2 + 8);
    puts(
        "Hello, stranger. I\'m trapped behind your screen. Type any word and I\'ll write it back to you from the other side. Say the right word, and I\'ll tell you a secret."
    );
    printf(*(char **)(param_2 + 8),"flag{","XQwG1PhUqJ9A&5v",&DAT_0047f0ba);
    putchar(10);
    local_c = thunk_FUN_004010d6();
    while (local_c = local_c + -1, -1 < local_c) {
        putchar((int)*(char *)(lVar1 + local_c));
    }
    putchar(10);
    return 0;
}
The flag was flag{XQwG1PhUqJ9A&5v}