Reverse Engineering CTF. 

These are a series of challenges which need to be solved. We will be using Binary Ninja to reverse engineer the program. The program looks as follows with 3 different sections: 

Lets begin with section 1) x64_ASM. After pressing 1, we are presented with the following screen which asks for 2 args: 

Lets begin reverse engineering. 
The source code shows this function which handles the logic. 

As we can see the instruction_test(arg1, arg2) function plays a crucial role. Lets take a look at its assembly 

Very simple. If the result of the function does not equal 0x7a69 (31337), evaluation failed. Going back to the assembly provided in the first screenshot, some quick maths gives us the answer 30569. Therefore arg1 = 0 and arg2 = 30569

The second challenge asks for a serial.

Source code below:

As you can see, the check_serial(serial) function does the heavy lifting. Lets analyse its assembly.

The check_serial function looks to see if each value of arg1 is a particular number converting these hex to ascii gives us the following serial number: ​189715

The third and final challenge asks for a password 

If you provide a password of the wrong length you receive this error:

Lets look at the code and begin reverse engineering. As we can see from the code below, the password needs to 14 characters long (0xe = 14).

Providing a password of length 14 gives us this screen.

It appears to check each character. Analysing the earlier source code and assembly shows the check is done under encryption_check(password). Lets disassemble this function. 

Following the logic of the disassembled function, we can see that it takes our arguments and encrypts them via XOR against 0x17. If the output does not equal gW""`xesHav{~s, then it goes to the invalid_encryped_char() function. 
Therefore gW""`xesHav{~s is our encrypted string and with this, we can write a very simple decryption routine to obtain the password.

Quick C++ program I wrote to decrypt and encrypt the strings for demo purposes. The decrypt function essentially reverses the XOR encryption routine. Encrypt function shows how the CTF challenge encrypts the password in the first place. Running the program outputs the following. 

1) The decrypted string = p@55w0rd_valid
2) The encrypted string = gW""`xesHav{~s

Entering the decrypted string into the CTF challenge shows us:

Finished. Hope you enjoyed it.

5) Shared Object Library Hijacking/Injection
6) Exploits
​

From the title you can probably deduce what this is about. This method involves:
1) finding a binary/file/service which has SUID bit set and owned by root. 
2) Checking to find if the file has is vulnerable to hijacking 
3) Replacing the library with a malicious one
​4) profit

Finding a SUID file to exploit is simple. See below:
​

Now we have our list of vulnerable SUID binaries, time to pick one to exploit. For demo purposes i'm choosing the last one. 
Now we need to check whether the file is actually vulnerable. Luckily we can do this with strace. 
Strace is a linux util which helps with tracing system calls. For us, we can find open calls to files which are missing or replaceable. See below: 

We can see the SUID binary is vulnerable as it to open a library(./libcalc.so). However it is possible for us to overwrite this library as its located in a writable folder. Next we create our malware (which just executes /bin/sh). 

Next, compile your malicious code and replace the innocent library with your malicious one. Make sure to name your malicious library exactly the same as the innocent one we replace. Run the SUID binary and hopefully it will load your code and you'll get a root shell

Check which the of binaries with SUID is vulnerable to exploits. Try to compare against a exploit database such as exploit-db. Once you've found one, give it a go. Below i'm exploiting a vulnerable exim service with a well known exploit. Code below.

Root Shell :) 

A simple and easy kernel exploit is the famous dirtyc0w exploit[CVE-2016-5195]. I wont go into the intricacies with the code. Running the exploit shows this:  

Root Shell :)