Reverse Engineering
Last updated
Last updated
What am I? (80 pts)
Can you break the armor? (180 pts)
Light up the Server (320 pts)
-
Given DLL file, decompiling the file we don't find any interesting part. So the next step we do is checking the executable file using CFF Explorer. Take a look on resource editor we found flag in image format
Flag : BHFlagY{c3wl_r3s0rce_f1nding}
-
Given elf 64 bit file
Opening it using IDA, take a look on main function and strings window
In this case i tried to search string "-f filename of the config-file" on github and found this
Now, we know that the executable maybe lighttpd since it contains some string that available on lighttp repository. The given executable contains many function that can be function available on original lighttpd. So my approach is to find function that is not available on original lighttpd. First step i do is finding the correct version of lighttpd used in the challenge.
From the string window we found there is "1.4.72-devel" before "\nusage" and based on repository we found that string should be the version of lighttp used.
Now clone the specific version from lighttpd repository and build the binary.
Now we have lighttpd original binary, next we need to findout how to compare two binary in low level. Searching on google i found this plugin on ida http://diaphora.re/. Download the plugin then open diaphora.py through script file. First, i open lighttpd original file then use diaphora to dump IDA database in SQLite format with option below.
Next open challenge file then load diaphora again. Now put lighttpd_new.sqlite to SQLite database to diff against form then click ok.
There are some tab opened after diaphora analysis done. Since challenge binary is on first position, so open primary tab then check one by one the function.
Latest stripped function before libc function is suspicious.
We can see that the function compile the regex and match a variable with the pattern. Analyzing a few first part of the pattern we found that it match with flag format. I use this online regex to debug it https://regex101.com/ . We need to remove some backslash to make the pattern valid
[a-z]? a until z (optional), so can be blank
[^a-e,g-z], not a-e or g-z, so it string "f"
la, string "la"
[g], string "g"
So, we just need to continue debugging the next pattern
Flag : flag{h0st_he4der_!nj3cti0n_1s_5up3r_c3wl}