Reverse Engineering

What am I? (80 pts)

Description

-

Solution

Given DLL file, decompiling the file we don't find any interesting part. So the next step we do is checking the executable file using CFF Explorer. Take a look on resource editor we found flag in image format

Flag : BHFlagY{c3wl_r3s0rce_f1nding}

Light up the Server (320 pts)

Description

-

Solution

Given elf 64 bit file

Opening it using IDA, take a look on main function and strings window

In this case i tried to search string "-f filename of the config-file" on github and found this

Now, we know that the executable maybe lighttpd since it contains some string that available on lighttp repository. The given executable contains many function that can be function available on original lighttpd. So my approach is to find function that is not available on original lighttpd. First step i do is finding the correct version of lighttpd used in the challenge.

From the string window we found there is "1.4.72-devel" before "\nusage" and based on repository we found that string should be the version of lighttp used.

Now clone the specific version from lighttpd repository and build the binary.

git clone -b lighttpd-1.4.72 https://github.com/lighttpd/lighttpd1.4.git
cd lighttpd1.4
cmake .
make
file build/lighttpd

Next open challenge file then load diaphora again. Now put lighttpd_new.sqlite to SQLite database to diff against form then click ok.

There are some tab opened after diaphora analysis done. Since challenge binary is on first position, so open primary tab then check one by one the function.

Latest stripped function before libc function is suspicious.

^\\([a-z]\\?[^a-e,g-z]\\)la[g]{\\(h\\)0\\(s\\)t_\\2\\(e\\)4d\\4\\(r\\([_]\\?[^a-z]\\)\\)\\(!\\)n\\(\\(j\\(3\\)\\)cti0\\)n\\(_\\)1s\\6\\{1\\}5up3\\5c3wl}$

^([a-z]?[^a-e,g-z])la[g]{

• [a-z]? a until z (optional), so can be blank

• [^a-e,g-z], not a-e or g-z, so it string "f"

• la, string "la"

• [g], string "g"

So, we just need to continue debugging the next pattern

(h)0(s)t_\2(e)4d\4(r([_]?[^a-z]))(!)n((j(3))cti0)n(_)1s\6{1}5up3\5c3wl}$

create group based on round brackets ()
+ group 1, 0-1	  f
+ group 2, 5-6	  h 
+ group 3, 7-8	  s
+ group 4, 11-12  e
+ group 5, 15-17  r_
+ group 6, 16-17  _
+ group 7, 17-18  !
+ group 8, 19-25  j3cti0
+ group 9, 19-21  j3
+ group 10, 20-21 3
+ group 11, 26-27 _

- (h) == h
- 0 == 0
- (s) == s
- t == t
- _ == _
- \2 == h, match second group
- (e) == e
- 4d == 4d
- \4 == e, match fourth group
- (r([_]?[^a-z])) == r_ , r then underscore with optional a-z after that
- (!) == !
- n == n
- ((j(3))cti0) == j3cti0
- n == n
- (_) == _
- 1s == 1s
- \6{1} == _, match sixth group
- 5up3 == 5up3
- \5 == r_, match fifth rgroup
- c3wl}$ == c3wl}

Flag : flag{h0st_he4der_!nj3cti0n_1s_5up3r_c3wl}