Rating:

# Secret IMAGination

**Category:** Reverse

**Points:** 995

**Description:**

Here's a minimal system image. Evil kackers know a way to IMAGine secrets, so your task is to bring them to the real world.

You may need to surround flag with kks{}

@servidei9707

## WriteUp

[mlinux.iso](mlinux.iso)

We have got image of filesystem. First of all, we try to run it in VirtualBox. After start the image demands password. Enter something string:

[![enter-something.png](https://i.postimg.cc/FKdRcPrZ/enter-something.png)](https://postimg.cc/TyxfvJWL)

Then, we should to unpack image to understand the logic of application.
For example, on Debian:

$7z x mlinux.iso And we received: [![ll-of-iso.png](https://i.postimg.cc/tCQMH7nC/ll-of-iso.png)](https://postimg.cc/w32VXqkS) We are interested in kernel.gz and rootfs.gz. Unpack them: + kernel.gz use binwalk: $ binwalk --extract kernel.gz

The result will be one file 43B1 - ELF 64-bit, statically linked, stripped.

+ rootfs.gz is simple: $gunzip rootfs.gz. The outcome file rootfs - ASCII cpio archive (SVR4 with no CRC). To get init we again make use of binwalk: $ binwalk --extract rootfs. And got:

[![rootfs.png](https://i.postimg.cc/bw3GhDJ7/rootfs.png)](https://postimg.cc/SnYQLKcd)

After reading init we see /bin/task.

Lets begin reverse task - ELF 64-bit, statically linked, not stripped.

In main function we can see, that program get from stdin 20 symbols and open file descriptor /pass to write our string, which we input. Then syscall is called.

[![syscall.png](https://i.postimg.cc/1zmTx7tK/syscall.png)](https://postimg.cc/VJh4nRXS)

As you can see, program calls custom syscall with id 1337.

Then we should reverse 43B1 .
In task is called path /pass. Try to find it in 43B1.
After call kernel_path proceed to the next call function. We see string md5, suppose, that function generate md5 from our input string.
The next function is called with 3 parameters:
+ edx - 16;
+ rsi - md5 from our input string;
+ rdi - string, which is located in .rodata;

Reverse this function, we have found out, that it has compared two strings.

[![kernel-check.png](https://i.postimg.cc/J46FZ546/kernel-check.png)](https://postimg.cc/mt9VGM9C)

Therefore, string, which is located in .rodata - md5 from true password.

[![true-md5.png](https://i.postimg.cc/HLn3HrGr/true-md5.png)](https://postimg.cc/PLG1Qr5H)

Take advantage of <https://hashkiller.co.uk/Cracker> to decode hash.
We got diviz_)(159\$=*@. Try to enter this string - you receive flag.

flag: kks{Y0u_d0n7_n33D_70_p47ch_k3rn3l_by_y0r53lf}`