Hacking Apps at HOPE

I must admit I got to the party late, but I managed to spend a little time on the CTF run by the EFF at HOPE this past weekend. With limited time I cherry-picked some of the interesting challenges and hoped for the best. This was a very fun event, and I hope some of the steps I took (both right and wrong) will be helpful to others in appsec.

1. The Password Vault

The password vault looked like a typical "crackme" binary. A standard Linux ELF executable that asks for a password and exits.

A quick binary analysis with 'strings', a hex editor, and objdump was not fruitful. The author went through some effort to protect the stored password. I then looked at the disassembly in GDB:

Right away we can see the array creation. Given that the first character is outside the printable ASCII range, I won't bother extracting it manually. Perhaps we can extract the string at runtime and leverage the application's existing decoding ability. In all applications I generally try to identify the "critical points" where important flow control is altered. In this example we can be sure such a point exists in the string comparison functionality. Perhaps the stored password is decoded in order to validate ours?

The call to memcmp() is a critical point, and we can see two strings are pushed to %rax and %rcx. Let's set a breakpoint here so we can inspect the two strings after we type a password:

Rats. The password is hashed and compared to another hash. Instead of decoding the strings, perhaps we can just alter the flow of the application? Let's just jump to the address of code where the application would go if we had entered the right password:

Rats again. We can alter the application code fairly easily, but are not pulling the actual password out correctly. Perhaps we can just manually reveal a character mapping scheme by looking at our hashed value:

"\003\003\003\003\003\003\003\003HB\275\275\275=BB\352"

Remember that we input 8 'A' characters, and it looks promising that each of them is mapped directly to a counterpart '\003'. We can probably enumerate the scheme fairly easily, but it's concerning that the string "HB\275\275\275=BB\352" is appended to our output. We ultimately need to match the shorter hash "\021\066\067:,'6b6*'b\022.#,'6c", so it is critical that we also identify a character that maps to a NULL byte to terminate our string.

Through some quick enumeration and mapping of characters we can run the app with strings like "ABCDEFGHIJKL" and compare this with our value in $rax. We also find that the 'B' character maps to '\0' and allows us to terminate the string. After about ten tedious minutes of this we have our password.

This is surely not the most efficient road to go down, but when time is of the essence and a viable solution is in plain sight, it is tempting to take it.
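The enumeration described above can be scripted once you have an oracle for the transformed buffer. The following is an added Python example, not the CTF binary or the author's gdb session: `toy_transform`, `STALE`, `TARGET` and `vault_check` are a constructed model of the vault (the real substitution table is not on the page), and `probe` stands in for "break at memcmp, type a candidate, read the buffer in $rax". It does what the write-up did by hand, with two checks a practitioner would want: that the substitution really is position-independent, and that every byte of the target digest has a printable preimage.

```python
"""Recover a crackme password by enumerating a per-character substitution.

Added example. The vault's real transform is unknown; everything marked
'constructed' below is a stand-in so the script runs offline.
"""
import string

BUF_SIZE = 32  # hypothetical size of the vault's input buffer
# Constructed leftover bytes that sit after the input in the buffer. These are
# the analogue of the trailing junk ("HB\275...") in the write-up's output.
STALE = bytes((i * 37 + 5) & 0xFF for i in range(BUF_SIZE))


def _build_toy_table() -> bytes:
    """Constructed byte substitution (a permutation of 0..255)."""
    table = bytearray((((7 * b) + 13) & 0xFF) ^ 0x5A for b in range(256))
    # Mirror the page's observation that 'B' maps to NUL: move the single
    # zero so that 'B' owns it, keeping the table a permutation.
    zero_src = table.index(0)
    table[zero_src], table[ord("B")] = table[ord("B")], 0
    return bytes(table)


TABLE = _build_toy_table()


def toy_transform(buf: bytes) -> bytes:
    """Stand-in for what the binary does to the buffer before memcmp."""
    return bytes(TABLE[b] for b in buf)


# Constructed stored digest: the transform of a secret nobody has to know.
TARGET = toy_transform(b"s3cret-pass")


def probe(candidate: bytes) -> bytes:
    """Oracle: 'type this candidate, break at memcmp, read the buffer in $rax'.
    The input is copied into a fixed buffer that is never NUL-terminated, so
    the stale bytes after it get transformed too."""
    return toy_transform((candidate + STALE)[:BUF_SIZE])


def vault_check(candidate: bytes) -> bool:
    """Model of the vault's check: the transformed buffer, read as a C string
    (up to the first NUL), must equal TARGET."""
    return probe(candidate).split(b"\0", 1)[0] == TARGET


PRINTABLE = string.printable.strip().encode()  # digits, letters, punctuation


def enumerate_mapping(chunk: int = 12) -> dict:
    """Feed printable characters a chunk at a time (the write-up used
    'ABCDEFGHIJKL') and read back what each became. Probing each chunk
    reversed as well confirms the substitution ignores position, which is
    the assumption this whole shortcut rests on."""
    mapping = {}
    for i in range(0, len(PRINTABLE), chunk):
        piece = PRINTABLE[i:i + chunk]
        out = probe(piece)[:len(piece)]
        if probe(piece[::-1])[:len(piece)] != out[::-1]:
            raise RuntimeError("substitution depends on position; not a plain table")
        mapping.update(zip(piece, out))
    return mapping


def recover_password(target: bytes) -> bytes:
    """Invert the mapping over the target digest and append the character
    that transforms to NUL so the comparison stops exactly at the end."""
    inverse = {out: inp for inp, out in enumerate_mapping().items()}
    if 0 not in inverse:
        raise RuntimeError("no printable character maps to NUL; cannot terminate")
    try:
        body = bytes(inverse[b] for b in target)
    except KeyError as missing:
        raise RuntimeError(f"digest byte {missing} has no printable preimage") from None
    return body + bytes([inverse[0]])


if __name__ == "__main__":
    password = recover_password(TARGET)
    print(password, vault_check(password))
```

Against a real binary, `probe` would be replaced by a gdb invocation (or a gdb Python script) that sets the breakpoint at memcmp and dumps the buffer; the rest of the logic stays the same. The position-independence check matters: if the transform mixed bytes across positions, reading one character's output would tell you nothing about its contribution elsewhere, and this shortcut would silently produce garbage.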


2. Mystery Code

A sample of mystery code was provided with no other clues. Obfuscated JavaScript is all the rage today, so my first attempt was to run it in a Chrome developer console. No luck.

Thanks to the internet and some searching, we find an online interpreter which may help us. It is not JavaScript but a purpose-built language that uses an extremely reduced character set. The code runs, but does not give us the flag.

It only taunts us.

From some searching of this language we can see that each printed character is produced by a sequence like [-]++++++. (clear the current cell, increment it, print it). By adding a few + chars to the first sequence, we can alter the 'NOPE' to 'QOPE'. Naturally we're curious about the bottom chunk of string sequences. If we cut and paste this at the starting point, before the first existing 'N', we get our flag:

Our new results reveal the flag:
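To see why a few extra + characters turn 'N' into 'Q', and why moving the bottom chunk changes what is printed, here is an added Python example. The [-]++++++. sequences the write-up describes are Brainfuck's clear-increment-print idiom, and the interpreter below assumes that language; the actual challenge program is not on the page, so `PROGRAM` is constructed to use the same idiom: a 'NOPE' taunt followed by a flag chunk parked inside a loop that is never entered. Nothing here is the CTF's or the author's code.

```python
"""Tiny interpreter for the eight-instruction language behind the mystery code.

Added example; the challenge's real program is not on the page, so PROGRAM
below is constructed. Assumes the language is Brainfuck.
"""


def match_brackets(program: str) -> dict:
    """Map every '[' to its ']' and back; unbalanced brackets are an error."""
    jumps, stack = {}, []
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise SyntaxError(f"unmatched ']' at {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise SyntaxError(f"unmatched '[' at {stack[-1]}")
    return jumps


def run(program: str, tape_len: int = 30000, max_steps: int = 1_000_000) -> bytes:
    """Execute program and return everything it printed. Runaway loops hit
    max_steps instead of hanging the analyst's session."""
    jumps = match_brackets(program)
    tape = bytearray(tape_len)
    ptr = pc = steps = 0
    out = bytearray()
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ch = program[pc]
        if ch == ">":
            ptr = (ptr + 1) % tape_len
        elif ch == "<":
            ptr = (ptr - 1) % tape_len
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = 0  # no input stream here: treat as EOF
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1  # every other character is a comment
    return bytes(out)


def emit_char(c: str) -> str:
    """The challenge's idiom: clear the cell, count up to the code, print it."""
    return "[-]" + "+" * ord(c) + "."


def emit_string(s: str) -> str:
    return "".join(emit_char(c) for c in s)


# Constructed stand-in for the mystery code: the taunt runs, then a loop
# whose body (the flag) is skipped because the cell was just zeroed.
TAUNT = emit_string("NOPE")
FLAG_CHUNK = emit_string("flag{constructed}")
PROGRAM = TAUNT + "[-][" + FLAG_CHUNK + "]"


def patched_taunt(program: str = PROGRAM, extra_plus: int = 3) -> bytes:
    """Add '+' before the first '.', as the write-up did: 'N' (78) becomes 'Q' (81)."""
    first_dot = program.index(".")
    return run(program[:first_dot] + "+" * extra_plus + program[first_dot:])


def relocate_dead_chunk(program: str = PROGRAM) -> bytes:
    """Cut the body of the last loop (the never-reached chunk at the bottom)
    and paste it at the very start, in front of the first 'N' sequence."""
    jumps = match_brackets(program)
    close = program.rindex("]")
    open_ = jumps[close]
    chunk = program[open_ + 1:close]
    return run(chunk + program[:open_] + program[close + 1:])


if __name__ == "__main__":
    print(run(PROGRAM), patched_taunt(), relocate_dead_chunk())
```

The bracket pre-pass and the step limit are what make this safe to point at an unknown blob: a program that never terminates or has mismatched brackets fails loudly instead of wedging the session, which is the main thing an online interpreter will not promise you.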


Conclusion

CTFs and other challenges with intentionally laid bugs can be challenging in their own way. Bugs are often designed around a rationale that does not always follow a real-world attack pattern. Despite this, the EFF CTF was relatively easy to follow and included many exercises that build valuable skills relevant to the real world. I'd just like to thank all the people at the EFF for creating, hosting, and running this event. I highly recommend participating in these if you get the chance.

More articles by Elliott Frantz