DEFCON CTF 2009 Packet 100
Exceptions in comments make exceptional passwords
http://shallweplayaga.me/packet/a9366acd80efa0aa78c2f76d9702f033
First, check what kind of file it is.
$ file a9366acd80efa0aa78c2f76d9702f033
a9366acd80efa0aa78c2f76d9702f033: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
Since it is a packet capture, opening it in Wireshark shows HTTP traffic.
Extract the text with strings.
$ strings a9366acd80efa0aa78c2f76d9702f033 | more
GET /sekritpr0n5.zip HTTP/1.0
User-Agent: suckitbitch
Accept: */*
Host: 127.0.0.1
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 27 May 2009 08:03:12 GMT
Server: Apache/2.2.11 (Fedora)
Last-Modified: Wed, 27 May 2009 08:01:49 GMT
ETag: "aa969-e035-46ae04161f540"
Accept-Ranges: bytes
Content-Length: 57397
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/zip
pr0n/UT
A ZIP file can be seen inside the HTTP stream.
Carve the transferred ZIP file (sekritpr0n5.zip) out of the capture and unpack it.
$ unzip sekritpr0n5.zip
Archive:  sekritpr0n5.zip
   creating: pr0n/
 extracting: pr0n/QugLgwF1aKV_WVLR_sV6_B2gfQneZ2gN
 extracting: pr0n/4oCziKTlBIaQJzxTOUahB7qce_z0Krav
 extracting: pr0n/BwVKw3SDP88PYx57M5Ozux07DFmcq2l_
 extracting: pr0n/RjNqyXUY0SqN6P2oh2iG9xLptkmcvK22
 extracting: pr0n/DXO9UHrGnfcSA0gQZeQ30xa745BzYyxS
 extracting: pr0n/Fz_o_IpG9gNdcch456FkbXjIhpqaG8Rn
 extracting: pr0n/Y2FoNM6B5TpjKfyXsqOJxRFqoRi_owki
 extracting: pr0n/pFnYMYtBRYi1GH0uO52B7OsRdPMu8pnw
 extracting: pr0n/S2rkD6c4fZxD435t1UW20P_FLC3uDWhi
 extracting: pr0n/a_awu4Rn3JcNqPyDsOX98cF3AjRyBKn4
 extracting: pr0n/faHhBHRBj1uodtRxSSNaTF1KXK3cmRrL
 extracting: pr0n/_JNtcvrQc7E9k1fKRi6G33Yoxyq6TTZQ
 extracting: pr0n/Nzg_iDFEFVTXUxuy0kOkBvzBZrNgGxNZ
 extracting: pr0n/UUXQAoLjoCFPGvfJvqt0Bx039q8CJsui
 extracting: pr0n/JBIu4IBqj42d5zcXu5meSbi_NSBbSYZx
 extracting: pr0n/G9n3V_0H_ppcHqgf91xm3jQPnLfVeyC_
 extracting: pr0n/hjeoBL4_QdiKRW_UT4NeorG8lEWBBR1k
 extracting: pr0n/iee5tjWWea0nLqETjgGTMcsbGXEl35C9
 extracting: pr0n/Yje7PCSoQ6PhW4Uoc3VLeWhVCOCypn7y
 extracting: pr0n/YDYiiceXgwvRedaXXrReZ6Z3V_AF54ef
 extracting: pr0n/ePaYxfDPQ7paIVBNxXt9Ox3mYbWweLfE
 extracting: pr0n/6zhlo5HHx_L2n37yXWXuhOzNTPIHpeMj
 extracting: pr0n/yKRZmOwGo0YwVj1W0K94X4S3K1YiatIG
 extracting: pr0n/qXqORgSQY6u19T5beBZ3vRLFvVZn2ITv
 extracting: pr0n/zR8JUZbkZiFhE9W2IxRSYZqICWRRYssu
 extracting: pr0n/Ze16khmZ_GOdQW7iCKKExnwelvVtDbL6
 extracting: pr0n/EpFcMCylH9B4PGnacl7sJ5MyKtWTId_F
 extracting: pr0n/tXn9Gd1uxPGqXIZauNl_8Ie7YP3RLf9f
 extracting: pr0n/_1q7XKGRldw5tNxMMuCnk5Xr31ooIB_G
 extracting: pr0n/veQdZBwjgEW23l84IgNf6OlN74LZ6Fge
 extracting: pr0n/YJSGeoiNiNCJ7xNsVGVJv4Oqqpcg9fe1
 extracting: pr0n/d_KohH0Xw7r_2TjCS5tiHnTl2K8Xb1z2
 extracting: pr0n/WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD
$ ls
pr0n  sekritpr0n5.zip
$ cd pr0n
$ file *
4oCziKTlBIaQJzxTOUahB7qce_z0Krav: data
6zhlo5HHx_L2n37yXWXuhOzNTPIHpeMj: data
BwVKw3SDP88PYx57M5Ozux07DFmcq2l_: data
DXO9UHrGnfcSA0gQZeQ30xa745BzYyxS: data
EpFcMCylH9B4PGnacl7sJ5MyKtWTId_F: data
Fz_o_IpG9gNdcch456FkbXjIhpqaG8Rn: data
G9n3V_0H_ppcHqgf91xm3jQPnLfVeyC_: data
JBIu4IBqj42d5zcXu5meSbi_NSBbSYZx: data
Nzg_iDFEFVTXUxuy0kOkBvzBZrNgGxNZ: data
QugLgwF1aKV_WVLR_sV6_B2gfQneZ2gN: data
RjNqyXUY0SqN6P2oh2iG9xLptkmcvK22: data
S2rkD6c4fZxD435t1UW20P_FLC3uDWhi: data
UUXQAoLjoCFPGvfJvqt0Bx039q8CJsui: data
WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD: Zip archive data, at least v1.0 to extract
Y2FoNM6B5TpjKfyXsqOJxRFqoRi_owki: data
YDYiiceXgwvRedaXXrReZ6Z3V_AF54ef: data
YJSGeoiNiNCJ7xNsVGVJv4Oqqpcg9fe1: data
Yje7PCSoQ6PhW4Uoc3VLeWhVCOCypn7y: data
Ze16khmZ_GOdQW7iCKKExnwelvVtDbL6: data
_1q7XKGRldw5tNxMMuCnk5Xr31ooIB_G: data
_JNtcvrQc7E9k1fKRi6G33Yoxyq6TTZQ: data
a_awu4Rn3JcNqPyDsOX98cF3AjRyBKn4: data
d_KohH0Xw7r_2TjCS5tiHnTl2K8Xb1z2: data
ePaYxfDPQ7paIVBNxXt9Ox3mYbWweLfE: data
faHhBHRBj1uodtRxSSNaTF1KXK3cmRrL: data
hjeoBL4_QdiKRW_UT4NeorG8lEWBBR1k: data
iee5tjWWea0nLqETjgGTMcsbGXEl35C9: data
pFnYMYtBRYi1GH0uO52B7OsRdPMu8pnw: data
qXqORgSQY6u19T5beBZ3vRLFvVZn2ITv: data
tXn9Gd1uxPGqXIZauNl_8Ie7YP3RLf9f: data
veQdZBwjgEW23l84IgNf6OlN74LZ6Fge: data
yKRZmOwGo0YwVj1W0K94X4S3K1YiatIG: data
zR8JUZbkZiFhE9W2IxRSYZqICWRRYssu: data
Inside the unpacked sekritpr0n5.zip there is yet another ZIP file.
Unzip that file, WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD.
$ unzip WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD
Archive:  WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD
[WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD] WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD password:
password incorrect--reenter:
password incorrect--reenter:
   skipping: WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD  incorrect password
A password is needed to extract it.
The challenge title says "exceptions in the comments make an exceptional password".
Look up the ZIP file format.
http://www.pkware.com/documents/casestudies/APPNOTE.TXT
File header:
    central file header signature   4 bytes  (0x02014b50)
    version made by                 2 bytes
    version needed to extract       2 bytes
    general purpose bit flag        2 bytes
    compression method              2 bytes
    last mod file time              2 bytes
    last mod file date              2 bytes
    crc-32                          4 bytes
    compressed size                 4 bytes
    uncompressed size               4 bytes
    file name length                2 bytes
    extra field length              2 bytes
    file comment length             2 bytes
    disk number start               2 bytes
    internal file attributes        2 bytes
    external file attributes        4 bytes
    relative offset of local header 4 bytes
    file name (variable size)
    extra field (variable size)
    file comment (variable size)
So a comment can be attached to each individual file in the central directory.
$ hexdump -C sekritpr0n5.zip
...
0000dfb0  50 4b 01 02 17 03 0a 00  00 00 00 00 b7 18 bb 3a  |PK.............:|
0000dfc0  a5 3c 09 16 00 06 00 00  00 06 00 00 25 00 0d 00  |.<..........%...|
0000dfd0  0f 00 00 00 00 00 00 00  a4 81 38 cb 00 00 70 72  |..........8...pr|
0000dfe0  30 6e 2f 57 56 4c 52 5f  73 56 36 5f 42 32 67 66  |0n/WVLR_sV6_B2gf|
0000dff0  51 6e 65 5a 32 67 4e 53  32 72 6b 44 36 63 34 66  |QneZ2gNS2rkD6c4f|
0000e000  5a 78 44 55 54 05 00 03  49 e6 1c 4a 55 78 00 00  |ZxDUT...I..JUx..|
0000e010  53 71 63 6f 69 75 6b 72  78 6c 6e 79 7a 68 72 50  |SqcoiukrxlnyzhrP|
"Sqcoiukrxlnyzhr" is the comment attached to the file WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD.
Extract only the comments from all of the files.
$ unzip -l sekritpr0n5.zip | grep ^[A-Za-z0-9]
Archive:  sekritpr0n5.zip
qwmfa5tvKveh3z3
bl1ut2ir8pauJlc
0lrnQ8hlqfpoe1t
vns2Ec9m1lxlssd
axsfg0l6wDzsdzl
ffoopVphuzoldgi
4Gxmly61dgv7j4q
xv89cHxku6pfqxe
Zqxrqzbxlnpuepo
zI67fegu5xqugsy
fmgau7a4sOctsdu
6vytgSiryqb8msk
moPlyqywoyoxcyk
Znx5kdat6ldngum
llbnoAy56x4xol7
og9au3oqplnmgTb
vk29qfhqwUaij8s
wwfmfby8Vcmfqfr
Psizaqt0wgaf6um
6cu4yrciyf1dpiV
kfodpTc9cllpm4o
csiTb91nljefrfz
jly09Ub391lgurj
x944kqaf5kzNfas
6vd4wvkjrsizoFo
qjA10u2uqzht5yw
qblox7zrisYgjkc
9zu2r0yBcgg0dco
fx4d8mjyypdjIpj
cskxmkkWkp59e4c
mi08xkc3zBk85b8
tsmrl7j2kz0Vltm
Sqcoiukrxlnyzhr
Every comment contains exactly one uppercase letter.
List these uppercase letters in order.
$ unzip -l sekritpr0n5.zip | grep ^[A-Za-z0-9] | grep -o [A-Z] | tr -d '\012'
AKJQEDVGHZIOSPZATUVPVTTUNFAYBIWBVS
The first character "A" comes from the "Archive:" header line, so drop it.
The remainder, "KJQEDVGHZIOSPZATUVPVTTUNFAYBIWBVS", is the ZIP password.
$ unzip WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD
Archive:  WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD
[WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD] WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD password:
replace WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
 extracting: WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD
$ file WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD
WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD: data
$ strings WVLR_sV6_B2gfQneZ2gNS2rkD6c4fZxD
]MGoP
auis
y1S\>q
]MGoP
D8XE
ffn]V
BhN%K
'YoC
plb
sometimeswhatyouseeisthekey
The string "sometimeswhatyouseeisthekey" inside the extracted file is the answer.
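Doing the comment extraction programmatically, as an added example that is not part of the original writeup: it walks the central file headers described above (signature 0x02014b50, then the file name, extra field and comment length fields) instead of grepping unzip -l output, so the stray "A" from the "Archive:" line never gets in. The archive is a constructed three-member sample, not the challenge file; the function names are this example's own.

```python
import io
import re
import struct
import zipfile

# Constructed sample: three members whose per-file comments each carry exactly
# one uppercase letter (the first two and the last comment from the listing above).
SAMPLE_COMMENTS = {"pr0n/a": b"qwmfa5tvKveh3z3", "pr0n/b": b"bl1ut2ir8pauJlc",
                   "pr0n/c": b"Sqcoiukrxlnyzhr"}

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, comment in SAMPLE_COMMENTS.items():
            info = zipfile.ZipInfo(name)
            info.comment = comment   # stored in the central file header, not the local header
            zf.writestr(info, b"data")
    return buf.getvalue()

CDH_SIG = b"PK\x01\x02"            # 0x02014b50, little-endian
CDH_FMT = "<4sHHHHHHIIIHHHHHII"    # the 46 fixed bytes of a central file header

def central_directory_comments(data: bytes) -> list:
    """Return (file name, comment bytes) for every central directory entry."""
    eocd = data.rfind(b"PK\x05\x06")     # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    pos, end, entries = cd_offset, cd_offset + cd_size, []
    while pos < end:
        fields = struct.unpack_from(CDH_FMT, data, pos)
        if fields[0] != CDH_SIG:
            raise ValueError("bad central file header at offset %#x" % pos)
        name_len, extra_len, comment_len = fields[10:13]
        pos += struct.calcsize(CDH_FMT)
        name = data[pos:pos + name_len].decode("utf-8", "replace")
        pos += name_len + extra_len       # skip name and extra field (e.g. the UT timestamp)
        entries.append((name, data[pos:pos + comment_len]))
        pos += comment_len
    return entries

def password_from_comments(data: bytes) -> str:
    # Concatenate the single uppercase letter found in each file comment.
    letters = []
    for name, comment in central_directory_comments(data):
        caps = re.findall(rb"[A-Z]", comment)
        if len(caps) != 1:
            raise ValueError("%s: expected one uppercase letter, got %d" % (name, len(caps)))
        letters.append(caps[0].decode())
    return "".join(letters)
```

Run against the real sekritpr0n5.zip, password_from_comments walks all 33 entries in central directory order, which is the order unzip -l printed them.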
DEFCON CTF 2009 Binary 100
find a key
http://shallweplayaga.me/binary/f414376cc2322d4ad4c5cd364e89fd34
First, check what kind of file it is.
$ file f414376cc2322d4ad4c5cd364e89fd34
f414376cc2322d4ad4c5cd364e89fd34: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
Run it on Linux.
$ ./f414376cc2322d4ad4c5cd364e89fd34
What is the password? TEST
I smack you down. Step off bitch.
Look inside the binary with hexdump.
$ hexdump -C f414376cc2322d4ad4c5cd364e89fd34 | more
00000000  7f 45 4c 46 01 01 01 03  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  e8 83 c0 00 34 00 00 00  |............4...|
00000020  00 00 00 00 00 00 00 00  34 00 20 00 02 00 28 00  |........4. ...(.|
00000030  00 00 00 00 01 00 00 00  00 00 00 00 00 10 c0 00  |................|
00000040  00 10 c0 00 d0 7b 00 00  d0 7b 00 00 05 00 00 00  |.....{...{......|
00000050  00 10 00 00 01 00 00 00  1c 0e 00 00 1c 0e 05 08  |................|
00000060  1c 0e 05 08 00 00 00 00  00 00 00 00 06 00 00 00  |................|
00000070  00 10 00 00 01 99 69 2e  55 50 58 21 e6 07 0d 0c  |......i.UPX!....|
00000080  00 00 00 00 a6 03 01 00  a6 03 01 00 14 01 00 00  |................|
It appears to be packed with UPX.
$ ./upx -d ../f414376cc2322d4ad4c5cd364e89fd34
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2009
UPX 3.04        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: ../f414376cc2322d4ad4c5cd364e89fd34: Exception: checksum error

Unpacked 1 file: 0 ok, 1 error.
The checksum in the UPX header is wrong, so the upx tool refuses to unpack it.
$ gdb f414376cc2322d4ad4c5cd364e89fd34
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
(gdb) r
Starting program: /home/ubuntu/tmp/f414376cc2322d4ad4c5cd364e89fd34
(no debugging symbols found)
What is the password? (Ctrl + C)
Program received signal SIGINT, Interrupt.
0xb7ffd410 in __kernel_vsyscall ()
(gdb) gcore
Saved corefile core.16229
(gdb) q
The program is running.  Exit anyway? (y or n) y
$ ls core.*
core.16229
Take a core dump of the running process instead: by the time the password prompt appears, the UPX stub has already unpacked the original code into memory.
Analyze core.16229 in IDA Pro.
Using the "What is the password?" string as a lead, locate the code that handles the check.
load:080493EE    mov     dword ptr [esp], "What is the password? "
load:080493F5    mov     ebx, eax
load:080493F7    call    sub_8049074
load:080493FC    mov     eax, ds:off_804EEC8
load:08049401    mov     dword ptr [esp+4], 3FFh
load:08049409    mov     [esp], ebx
load:0804940C    mov     [esp+8], eax
load:08049410    call    sub_8048F24
load:08049415    mov     ecx, 17h
load:0804941A    mov     edi, eax
load:0804941C    repe cmpsb
load:0804941E    jz      short loc_8049448
load:08049420    mov     dword ptr [esp], "I smack you down. Step off bitch."
load:08049427    call    sub_8049154
Analyze it again with gdb, this time breaking at the comparison.
$ gdb f414376cc2322d4ad4c5cd364e89fd34
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
(gdb) r
Starting program: /home/ubuntu/tmp/f414376cc2322d4ad4c5cd364e89fd34
(no debugging symbols found)
What is the password?
Program received signal SIGINT, Interrupt.
0xb7f1b410 in __kernel_vsyscall ()
(gdb) b *0x0804941C
Breakpoint 1 at 0x804941c
(gdb) c
Continuing.
AAAA

Breakpoint 1, 0x0804941c in ?? ()
(gdb) i r $esi $edi $ecx
esi            0x804c757        134530903
edi            0x8051008        134549512
ecx            0x17     23
(gdb) x/1s $esi
0x804c757:       "visilooksgoodinhotpants"
(gdb) x/1s $edi
0x8051008:       "AAAA\n"
(gdb)
The repe cmpsb compares the input (edi) byte by byte against "visilooksgoodinhotpants" (esi), with ecx = 0x17, the 23-byte length of that string.
$ ./f414376cc2322d4ad4c5cd364e89fd34
What is the password? visilooksgoodinhotpants
You're my daddy!  See you at the hacker swinger's club next week.
"visilooksgoodinhotpants" is the answer.
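A header-level check for the packing indicators visible in the hexdump, as an added example that is not part of the original writeup: it parses the ELF32 header and program headers from the bytes shown above and reports the offset of the UPX! marker, whether the section header table is absent, and how far the entry point sits from the end of its loadable segment. The heuristics and function names are this example's own assumptions, not UPX's or the author's.

```python
import struct

# Leading 0x90 bytes of the challenge binary, transcribed from the hexdump above
# (the only part of the file the writeup shows); enough to cover both headers.
ELF_HEAD = bytes.fromhex(
    "7f454c46010101030000000000000000"
    "0200030001000000e883c00034000000"
    "00000000000000003400200002002800"
    "0000000001000000000000000010c000"
    "0010c000d07b0000d07b000005000000"
    "00100000010000001c0e00001c0e0508"
    "1c0e0508000000000000000006000000"
    "001000000199692e55505821e6070d0c"
    "00000000a6030100a603010014010000")

EHDR_FMT = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little-endian
PHDR_FMT = "<IIIIIIII"           # Elf32_Phdr
PT_LOAD = 1

def parse_elf32(data: bytes) -> dict:
    """Parse the ELF32 header and its program headers."""
    (ident, e_type, e_machine, _, e_entry, e_phoff, _, _,
     _, e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from(EHDR_FMT, data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1:     # EI_CLASS 1 = 32-bit
        raise ValueError("not a 32-bit ELF file")
    phdrs = []
    for i in range(e_phnum):
        p_type, _, p_vaddr, _, _, p_memsz, p_flags, _ = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "vaddr": p_vaddr, "memsz": p_memsz, "flags": p_flags})
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "shnum": e_shnum, "phdrs": phdrs}

def upx_indicators(data: bytes) -> dict:
    """Header-level signs of a UPX-style packed ELF; none of them is proof on its own."""
    hdr = parse_elf32(data)
    # Find the PT_LOAD segment holding the entry point and measure the distance to its
    # end: a packer's decompression stub usually sits at the tail of the one loadable segment.
    seg = next((p for p in hdr["phdrs"] if p["type"] == PT_LOAD
                and p["vaddr"] <= hdr["entry"] < p["vaddr"] + p["memsz"]), None)
    tail = seg["vaddr"] + seg["memsz"] - hdr["entry"] if seg else None
    return {
        "upx_magic_offset": data.find(b"UPX!"),     # -1 if the marker was patched out
        "no_section_headers": hdr["shnum"] == 0,     # UPX strips the section table
        "entry_bytes_before_segment_end": tail,
    }
```

A missing marker or a failing upx -d, as in the session above, only shows that the header was altered; the stub still unpacks the program in memory at run time, which is why the core dump approach works.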