Rating:
<html lang="en">
<head>
<meta charset="utf-8">
<link rel="dns-prefetch" href="https://github.githubassets.com">
<link rel="dns-prefetch" href="https://avatars0.githubusercontent.com">
<link rel="dns-prefetch" href="https://avatars1.githubusercontent.com">
<link rel="dns-prefetch" href="https://avatars2.githubusercontent.com">
<link rel="dns-prefetch" href="https://avatars3.githubusercontent.com">
<link rel="dns-prefetch" href="https://github-cloud.s3.amazonaws.com">
<link rel="dns-prefetch" href="https://user-images.githubusercontent.com/">
<link crossorigin="anonymous" media="all" integrity="sha512-FG+rXqMOivrAjdEQE7tO4BwM1poGmg70hJFTlNSxjX87grtrZ6UnPR8NkzwUHlQEGviu9XuRYeO8zH9YwvZhdg==" rel="stylesheet" href="https://github.githubassets.com/assets/frameworks-146fab5ea30e8afac08dd11013bb4ee0.css" />
<link crossorigin="anonymous" media="all" integrity="sha512-iXrV/b4ypc1nr10b3Giikqff+qAx5osQ0yJRxHRDd8mKFefdMtEZ0Sxs1QysJxuJBayOKThjsuMjynwBJQq0aw==" rel="stylesheet" href="https://github.githubassets.com/assets/site-897ad5fdbe32a5cd67af5d1bdc68a292.css" />
<link crossorigin="anonymous" media="all" integrity="sha512-whtr9xYX7utnpWsNSLW7XLm7eJONfryMwfwxIH2SpIRKCZbx4aryDfn/HGMFI5Fee7dogmqmtqvPPh13+2HW2Q==" rel="stylesheet" href="https://github.githubassets.com/assets/github-c21b6bf71617eeeb67a56b0d48b5bb5c.css" />
<meta name="viewport" content="width=device-width">
<title>write-ups-2016/README.md at pwn2win-ctf-2016 · epicleet/write-ups-2016 · GitHub</title>
<meta name="description" content="Wiki-like CTF write-ups repository, maintained by the community. 2016 - epicleet/write-ups-2016">
<link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="GitHub">
<link rel="fluid-icon" href="https://github.com/fluidicon.png" title="GitHub">
<meta property="fb:app_id" content="1401488693436528">
<meta name="twitter:image:src" content="https://avatars2.githubusercontent.com/u/18104388?s=400&v=4" /><meta name="twitter:site" content="@github" /><meta name="twitter:card" content="summary" /><meta name="twitter:title" content="epicleet/write-ups-2016" /><meta name="twitter:description" content="Wiki-like CTF write-ups repository, maintained by the community. 2016 - epicleet/write-ups-2016" />
<meta property="og:image" content="https://avatars2.githubusercontent.com/u/18104388?s=400&v=4" /><meta property="og:site_name" content="GitHub" /><meta property="og:type" content="object" /><meta property="og:title" content="epicleet/write-ups-2016" /><meta property="og:url" content="https://github.com/epicleet/write-ups-2016" /><meta property="og:description" content="Wiki-like CTF write-ups repository, maintained by the community. 2016 - epicleet/write-ups-2016" />
<link rel="assets" href="https://github.githubassets.com/">
<meta name="request-id" content="EC43:2E181:233CC70:337DF95:5E8A05A9" data-pjax-transient="true"/><meta name="html-safe-nonce" content="d95dcd8359c9fce220e62409a212be661cf92bf5" data-pjax-transient="true"/><meta name="visitor-payload" content="eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFQzQzOjJFMTgxOjIzM0NDNzA6MzM3REY5NTo1RThBMDVBOSIsInZpc2l0b3JfaWQiOiI2MDExMTI2NzIwMjg2NTU3NjA5IiwicmVnaW9uX2VkZ2UiOiJhbXMiLCJyZWdpb25fcmVuZGVyIjoiYW1zIn0=" data-pjax-transient="true"/><meta name="visitor-hmac" content="b6896f939fec8f9960dca3b5a6ddd256ecb3de2715d668618a2891d09f8545f1" data-pjax-transient="true"/>
<meta name="github-keyboard-shortcuts" content="repository,source-code" data-pjax-transient="true" />
<meta name="selected-link" value="repo_source" data-pjax-transient>
<meta name="google-site-verification" content="KT5gs8h0wvaagLKAVWq8bbeNwnZZK1r1XQysX3xurLU">
<meta name="google-site-verification" content="ZzhVyEFwb7w3e0-uOTltm8Jsck2F5StVihD0exw2fsA">
<meta name="google-site-verification" content="GXs5KoUUkNCoaAZn7wPN-t01Pywp9M3sEjnt_3_ZWPc">
<meta name="octolytics-host" content="collector.githubapp.com" /><meta name="octolytics-app-id" content="github" /><meta name="octolytics-event-url" content="https://collector.githubapp.com/github-external/browser_event" /><meta name="octolytics-dimension-ga_id" content="" class="js-octo-ga-id" />
<meta name="analytics-location" content="/<user-name>/<repo-name>/blob/show" data-pjax-transient="true" />
<meta name="google-analytics" content="UA-3769691-2">
<meta class="js-ga-set" name="dimension1" content="Logged Out">
<meta name="hostname" content="github.com">
<meta name="user-login" content="">
<meta name="expected-hostname" content="github.com">
<meta name="enabled-features" content="MARKETPLACE_FEATURED_BLOG_POSTS,MARKETPLACE_INVOICED_BILLING,MARKETPLACE_SOCIAL_PROOF_CUSTOMERS,MARKETPLACE_TRENDING_SOCIAL_PROOF,MARKETPLACE_RECOMMENDATIONS,MARKETPLACE_PENDING_INSTALLATIONS,RELATED_ISSUES">
<meta http-equiv="x-pjax-version" content="80ebc3286fe9d88acaddc1320106dfc2">
<link href="https://github.com/epicleet/write-ups-2016/commits/pwn2win-ctf-2016.atom" rel="alternate" title="Recent Commits to write-ups-2016:pwn2win-ctf-2016" type="application/atom+xml">
<meta name="go-import" content="github.com/epicleet/write-ups-2016 git https://github.com/epicleet/write-ups-2016.git">
<meta name="octolytics-dimension-user_id" content="18104388" /><meta name="octolytics-dimension-user_login" content="epicleet" /><meta name="octolytics-dimension-repository_id" content="54845624" /><meta name="octolytics-dimension-repository_nwo" content="epicleet/write-ups-2016" /><meta name="octolytics-dimension-repository_public" content="true" /><meta name="octolytics-dimension-repository_is_fork" content="true" /><meta name="octolytics-dimension-repository_parent_id" content="48103176" /><meta name="octolytics-dimension-repository_parent_nwo" content="ctfs/write-ups-2016" /><meta name="octolytics-dimension-repository_network_root_id" content="48103176" /><meta name="octolytics-dimension-repository_network_root_nwo" content="ctfs/write-ups-2016" /><meta name="octolytics-dimension-repository_explore_github_marketplace_ci_cta_shown" content="false" />
<link rel="canonical" href="https://github.com/epicleet/write-ups-2016/blob/pwn2win-ctf-2016/pwn2win-ctf-2016/reverse/suspect-router-100/README.md" data-pjax-transient>
<meta name="browser-stats-url" content="https://api.github.com/_private/browser/stats">
<meta name="browser-errors-url" content="https://api.github.com/_private/browser/errors">
<link rel="mask-icon" href="https://github.githubassets.com/pinned-octocat.svg" color="#000000">
<link rel="alternate icon" class="js-site-favicon" type="image/png" href="https://github.githubassets.com/favicons/favicon.png">
<link rel="icon" class="js-site-favicon" type="image/svg+xml" href="https://github.githubassets.com/favicons/favicon.svg">
<meta name="theme-color" content="#1e2327">
<link rel="manifest" href="/manifest.json" crossOrigin="use-credentials">
</head>
<body class="logged-out env-production page-responsive page-blob">
<div class="position-relative js-header-wrapper ">
Skip to content
<span>
<span></span>
</span>
<header class="Header-old header-logged-out js-details-container Details position-relative f4 py-2" role="banner">
<div class="container-lg d-lg-flex flex-items-center p-responsive">
<div class="d-flex flex-justify-between flex-items-center">
<svg height="32" class="octicon octicon-mark-github text-white" viewBox="0 0 16 16" version="1.1" width="32" aria-hidden="true"><path fill-rule="evenodd" d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"></path></svg>
<div class="d-lg-none css-truncate css-truncate-target width-fit p-2">
<svg class="octicon octicon-repo-forked" viewBox="0 0 10 16" version="1.1" width="10" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M8 1a1.993 1.993 0 00-1 3.72V6L5 8 3 6V4.72A1.993 1.993 0 002 1a1.993 1.993 0 00-1 3.72V6.5l3 3v1.78A1.993 1.993 0 005 15a1.993 1.993 0 001-3.72V9.5l3-3V4.72A1.993 1.993 0 008 1zM2 4.2C1.34 4.2.8 3.65.8 3c0-.65.55-1.2 1.2-1.2.65 0 1.2.55 1.2 1.2 0 .65-.55 1.2-1.2 1.2zm3 10c-.66 0-1.2-.55-1.2-1.2 0-.65.55-1.2 1.2-1.2.65 0 1.2.55 1.2 1.2 0 .65-.55 1.2-1.2 1.2zm3-10c-.66 0-1.2-.55-1.2-1.2 0-.65.55-1.2 1.2-1.2.65 0 1.2.55 1.2 1.2 0 .65-.55 1.2-1.2 1.2z"></path></svg>
epicleet
/
write-ups-2016
</div>
<div class="d-flex flex-items-center">
Sign up
<button class="btn-link d-lg-none mt-1 js-details-target" type="button" aria-label="Toggle navigation" aria-expanded="false">
<svg height="24" class="octicon octicon-three-bars text-white" viewBox="0 0 12 16" version="1.1" width="18" aria-hidden="true"><path fill-rule="evenodd" d="M11.41 9H.59C0 9 0 8.59 0 8c0-.59 0-1 .59-1H11.4c.59 0 .59.41.59 1 0 .59 0 1-.59 1h.01zm0-4H.59C0 5 0 4.59 0 4c0-.59 0-1 .59-1H11.4c.59 0 .59.41.59 1 0 .59 0 1-.59 1h.01zM.59 11H11.4c.59 0 .59.41.59 1 0 .59 0 1-.59 1H.59C0 13 0 12.59 0 12c0-.59 0-1 .59-1z"></path></svg>
</button>
</div>
</div>
<div class="HeaderMenu HeaderMenu--logged-out position-fixed top-0 right-0 bottom-0 height-fit position-lg-relative d-lg-flex flex-justify-between flex-items-center flex-auto">
<div class="d-flex d-lg-none flex-justify-end border-bottom bg-gray-light p-3">
<button class="btn-link js-details-target" type="button" aria-label="Toggle navigation" aria-expanded="false">
<svg height="24" class="octicon octicon-x text-gray" viewBox="0 0 12 16" version="1.1" width="18" aria-hidden="true"><path fill-rule="evenodd" d="M7.48 8l3.75 3.75-1.48 1.48L6 9.48l-3.75 3.75-1.48-1.48L4.52 8 .77 4.25l1.48-1.48L6 6.52l3.75-3.75 1.48 1.48L7.48 8z"></path></svg>
</button>
</div>
<nav class="mt-0 px-3 px-lg-0 mb-5 mb-lg-0" aria-label="Global">
<div class="dropdown-menu flex-auto rounded-1 bg-white px-0 pt-2 pb-0 mt-0 pb-4 p-lg-4 position-relative position-lg-absolute left-0 left-lg-n4">
<h4 class="text-gray-light text-normal text-mono f5 mb-2 border-lg-top pt-lg-3">Learn & contribute</h4>
<h4 class="text-gray-light text-normal text-mono f5 mb-2 border-lg-top pt-lg-3">Connect with others</h4>
<div class="dropdown-menu flex-auto rounded-1 bg-white px-0 pt-2 pb-4 mt-0 p-lg-4 position-relative position-lg-absolute left-0 left-lg-n4">
Plans <span>→</span>
<div class="d-lg-flex flex-items-center px-3 px-lg-0 text-center text-lg-left">
<div class="d-lg-flex mb-3 mb-lg-0">
<div class="header-search flex-self-stretch flex-lg-self-auto mr-0 mr-lg-3 mb-3 mb-lg-0 scoped-search site-scoped-search js-site-search position-relative js-jump-to"
role="combobox"
aria-owns="jump-to-results"
aria-label="Search or jump to"
aria-haspopup="listbox"
aria-expanded="false"
>
<div class="position-relative">
</option></form><form class="js-site-search-form" role="search" aria-label="Site" data-scope-type="Repository" data-scope-id="54845624" data-scoped-search-url="/epicleet/write-ups-2016/search" data-unscoped-search-url="/search" action="/epicleet/write-ups-2016/search" accept-charset="UTF-8" method="get">
<label class="form-control input-sm header-search-wrapper p-0 header-search-wrapper-jump-to position-relative d-flex flex-justify-between flex-items-center js-chromeless-input-container">
<input type="text"
class="form-control input-sm header-search-input jump-to-field js-jump-to-field js-site-search-focus js-site-search-field is-clearable"
data-hotkey="s,/"
name="q"
value=""
placeholder="Search"
data-unscoped-placeholder="Search GitHub"
data-scoped-placeholder="Search"
autocapitalize="off"
aria-autocomplete="list"
aria-controls="jump-to-results"
aria-label="Search"
data-jump-to-suggestions-path="/_graphql/GetSuggestedNavigationDestinations"
spellcheck="false"
autocomplete="off"
>
<input type="hidden" data-csrf="true" class="js-data-jump-to-suggestions-path-csrf" value="JIGYZCZEsgAA5eAKu1FsT1TS7HorhmTss6jj9qm5tKPyBMwDLrWVFHHkX5jq31/zDm4dbsrg10c4yYW/cNNlpQ==" />
<input type="hidden" class="js-site-search-type-field" name="type" >
<div class="Box position-absolute overflow-hidden d-none jump-to-suggestions js-jump-to-suggestions-container">
<div class="jump-to-suggestion-name js-jump-to-suggestion-name flex-auto overflow-hidden text-left no-wrap css-truncate css-truncate-target">
</div>
<div class="border rounded-1 flex-shrink-0 bg-gray px-1 text-gray-light ml-1 f6 d-none js-jump-to-badge-search">
<span>
In this repository
</span>
<span>
All GitHub
</span>
<span>↵</span>
</div>
<div aria-hidden="true" class="border rounded-1 flex-shrink-0 bg-gray px-1 text-gray-light ml-1 f6 d-none d-on-nav-focus js-jump-to-badge-jump">
Jump to
<span>↵</span>
</div>
<div class="jump-to-suggestion-name js-jump-to-suggestion-name flex-auto overflow-hidden text-left no-wrap css-truncate css-truncate-target">
</div>
<div class="border rounded-1 flex-shrink-0 bg-gray px-1 text-gray-light ml-1 f6 d-none js-jump-to-badge-search">
<span>
In this repository
</span>
<span>
All GitHub
</span>
<span>↵</span>
</div>
<div aria-hidden="true" class="border rounded-1 flex-shrink-0 bg-gray px-1 text-gray-light ml-1 f6 d-none d-on-nav-focus js-jump-to-badge-jump">
Jump to
<span>↵</span>
</div>
</div>
</label>
</form> </div>
</div>
</div>
Sign in
Sign up
</div>
</div>
</div>
</header>
</div>
<div id="start-of-content" class="show-on-focus"></div>
<div id="js-flash-container">
<template class="js-flash-template">
<div class="flash flash-full js-flash-template-container">
<div class="container-lg px-2" >
<button class="flash-close js-flash-close" type="button" aria-label="Dismiss this message">
<svg class="octicon octicon-x" viewBox="0 0 12 16" version="1.1" width="12" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.48 8l3.75 3.75-1.48 1.48L6 9.48l-3.75 3.75-1.48-1.48L4.52 8 .77 4.25l1.48-1.48L6 6.52l3.75-3.75 1.48 1.48L7.48 8z"></path></svg>
</button>
<div class="js-flash-template-message"></div>
</div>
</div>
</template>
</div>
<include-fragment class="js-notification-shelf-include-fragment" data-base-src="https://github.com/notifications/beta/shelf"></include-fragment>
<div class="application-main " data-commit-hovercards-enabled>
<div itemscope itemtype="http://schema.org/SoftwareSourceCode" class="">
<main >
<div class="pagehead repohead hx_repohead readability-menu bg-gray-light pb-0 pt-0 pt-lg-3">
<div class="d-flex container-lg mb-4 p-responsive d-none d-lg-flex">
<div class="flex-auto min-width-0 width-fit mr-3">
<h1 class="public d-flex flex-wrap flex-items-center break-word float-none ">
<svg class="octicon octicon-repo-forked" viewBox="0 0 10 16" version="1.1" width="10" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M8 1a1.993 1.993 0 00-1 3.72V6L5 8 3 6V4.72A1.993 1.993 0 002 1a1.993 1.993 0 00-1 3.72V6.5l3 3v1.78A1.993 1.993 0 005 15a1.993 1.993 0 001-3.72V9.5l3-3V4.72A1.993 1.993 0 008 1zM2 4.2C1.34 4.2.8 3.65.8 3c0-.65.55-1.2 1.2-1.2.65 0 1.2.55 1.2 1.2 0 .65-.55 1.2-1.2 1.2zm3 10c-.66 0-1.2-.55-1.2-1.2 0-.65.55-1.2 1.2-1.2.65 0 1.2.55 1.2 1.2 0 .65-.55 1.2-1.2 1.2zm3-10c-.66 0-1.2-.55-1.2-1.2 0-.65.55-1.2 1.2-1.2.65 0 1.2.55 1.2 1.2 0 .65-.55 1.2-1.2 1.2z"></path></svg>
<span>
epicleet
</span>
<span>/</span>
write-ups-2016
</h1>
<span>
<span>forked from ctfs/write-ups-2016</span>
</span>
</div>
Star
</div>
<nav class="hx_reponav reponav js-repo-nav js-sidenav-container-pjax clearfix container-lg p-responsive d-none d-lg-block"
itemscope
itemtype="http://schema.org/BreadcrumbList"
aria-label="Repository"
data-pjax="#js-repo-pjax-container">
<div class="d-inline"><svg class="octicon octicon-shield" viewBox="0 0 14 16" version="1.1" width="14" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M0 2l7-2 7 2v6.02C14 12.69 8.69 16 7 16c-1.69 0-7-3.31-7-7.98V2zm1 .75L7 1l6 1.75v5.268C13 12.104 8.449 15 7 15c-1.449 0-6-2.896-6-6.982V2.75zm1 .75L7 2v12c-1.207 0-5-2.482-5-5.985V3.5z"></path></svg></div>
Security
<div class="d-inline"><svg class="octicon octicon-graph" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M16 14v1H0V0h1v14h15zM5 13H3V8h2v5zm4 0H7V3h2v10zm4 0h-2V6h2v7z"></path></svg></div>
Insights
</nav>
<div class="reponav-wrapper reponav-small d-lg-none">
<nav class="reponav js-reponav text-center no-wrap"
itemscope
itemtype="http://schema.org/BreadcrumbList">
<span>
<span>Code</span>
<meta itemprop="position" content="1">
</span>
<span>
<span>Pull requests</span>
<span>0</span>
<meta itemprop="position" content="4">
</span>
<span>
<span>Projects</span>
<span>0</span>
<meta itemprop="position" content="5">
</span>
<span>
<span>Actions</span>
<meta itemprop="position" content="6">
</span>
<span>Security</span>
<meta itemprop="position" content="8">
Pulse
</nav>
</div>
</div>
<include-fragment class="js-notification-shelf-include-fragment" data-base-src="https://github.com/notifications/beta/shelf"></include-fragment>
<div class="container-lg clearfix new-discussion-timeline p-responsive">
<div class="repository-content ">
<div class="signup-prompt-bg rounded-1 js-signup-prompt" data-prompt="signup" hidden>
<div class="signup-prompt p-4 text-center mb-4 rounded-1">
<div class="position-relative">
<button type="button" class="position-absolute top-0 right-0 btn-link link-gray js-signup-prompt-button" data-ga-click="(Logged out) Sign up prompt, clicked Dismiss, text:dismiss">
Dismiss
</button>
<h3 class="pt-2">Join GitHub today</h3>
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
<div class="d-flex flex-items-start flex-shrink-0 flex-column flex-md-row pb-3">
<span>
<details class="details-reset details-overlay branch-select-menu " id="branch-select-menu">
<summary class="btn css-truncate btn-sm"
data-hotkey="w"
title="pwn2win-ctf-2016">
Branch:
<span>pwn2win-ctf-20…</span>
<span></span>
</summary>
<details-menu class="SelectMenu SelectMenu--hasFilter" src="/epicleet/write-ups-2016/refs/pwn2win-ctf-2016/pwn2win-ctf-2016/reverse/suspect-router-100/README.md?source_action=show&source_controller=blob" preload>
<div class="SelectMenu-modal">
<include-fragment class="SelectMenu-loading" aria-label="Menu is loading">
<svg class="octicon octicon-octoface anim-pulse" height="32" viewBox="0 0 16 16" version="1.1" width="32" aria-hidden="true"><path fill-rule="evenodd" d="M14.7 5.34c.13-.32.55-1.59-.13-3.31 0 0-1.05-.33-3.44 1.3-1-.28-2.07-.32-3.13-.32s-2.13.04-3.13.32c-2.39-1.64-3.44-1.3-3.44-1.3-.68 1.72-.26 2.99-.13 3.31C.49 6.21 0 7.33 0 8.69 0 13.84 3.33 15 7.98 15S16 13.84 16 8.69c0-1.36-.49-2.48-1.3-3.35zM8 14.02c-3.3 0-5.98-.15-5.98-3.35 0-.76.38-1.48 1.02-2.07 1.07-.98 2.9-.46 4.96-.46 2.07 0 3.88-.52 4.96.46.65.59 1.02 1.3 1.02 2.07 0 3.19-2.68 3.35-5.98 3.35zM5.49 9.01c-.66 0-1.2.8-1.2 1.78s.54 1.79 1.2 1.79c.66 0 1.2-.8 1.2-1.79s-.54-1.78-1.2-1.78zm5.02 0c-.66 0-1.2.79-1.2 1.78s.54 1.79 1.2 1.79c.66 0 1.2-.8 1.2-1.79s-.53-1.78-1.2-1.78z"></path></svg>
</include-fragment>
</div>
</details-menu>
</details>
<div class="BtnGroup flex-shrink-0 d-md-none">
Find file
<clipboard-copy value="pwn2win-ctf-2016/reverse/suspect-router-100/README.md" class="btn btn-sm BtnGroup-item">
Copy path
</clipboard-copy>
</div>
</span>
<h2 id="blob-path" class="breadcrumb flex-auto min-width-0 text-normal flex-md-self-center ml-md-2 mr-md-3 my-2 my-md-0">
<span><span><span>write-ups-2016</span></span></span><span>/</span><span><span>pwn2win-ctf-2016</span></span><span>/</span><span><span>reverse</span></span><span>/</span><span><span>suspect-router-100</span></span><span>/</span>README.md
</h2>
<div class="BtnGroup flex-shrink-0 d-none d-md-inline-block">
Find file
<clipboard-copy value="pwn2win-ctf-2016/reverse/suspect-router-100/README.md" class="btn btn-sm BtnGroup-item">
Copy path
</clipboard-copy>
</div>
</div>
<include-fragment src="/epicleet/write-ups-2016/contributors/pwn2win-ctf-2016/pwn2win-ctf-2016/reverse/suspect-router-100/README.md" class="Box Box--condensed commit-loader">
<div class="Box-body bg-blue-light f6">
Fetching contributors…
</div>
<div class="Box-body d-flex flex-items-center" >
<span>Cannot retrieve contributors at this time</span>
</div>
</include-fragment>
<div class="Box mt-3 position-relative
">
<div class="Box-header py-2 d-flex flex-column flex-shrink-0 flex-md-row flex-md-items-center">
<div class="text-mono f6 flex-auto pr-3 flex-order-2 flex-md-order-1 mt-2 mt-md-0">
262 lines (176 sloc)
<span></span>
11.9 KB
</div>
<div class="d-flex py-1 py-md-0 flex-auto flex-order-1 flex-md-order-2 flex-sm-grow-0 flex-justify-between">
<div class="BtnGroup">
Raw
Blame
History
</div>
<button type="button" class="btn-octicon disabled tooltipped tooltipped-nw"
aria-label="You must be signed in to make or propose changes">
<svg class="octicon octicon-pencil" viewBox="0 0 14 16" version="1.1" width="14" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M0 12v3h3l8-8-3-3-8 8zm3 2H1v-2h1v1h1v1zm10.3-9.3L12 6 9 3l1.3-1.3a.996.996 0 011.41 0l1.59 1.59c.39.39.39 1.02 0 1.41z"></path></svg>
</button>
<button type="button" class="btn-octicon btn-octicon-danger disabled tooltipped tooltipped-nw"
aria-label="You must be signed in to make or propose changes">
<svg class="octicon octicon-trashcan" viewBox="0 0 12 16" version="1.1" width="12" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M11 2H9c0-.55-.45-1-1-1H5c-.55 0-1 .45-1 1H2c-.55 0-1 .45-1 1v1c0 .55.45 1 1 1v9c0 .55.45 1 1 1h7c.55 0 1-.45 1-1V5c.55 0 1-.45 1-1V3c0-.55-.45-1-1-1zm-1 12H3V5h1v8h1V5h1v8h1V5h1v8h1V5h1v9zm1-10H2V3h9v1z"></path></svg>
</button>
</div>
</div>
</div>
<div id="readme" class="Box-body readme blob js-code-block-container px-5">
<article class="markdown-body entry-content" itemprop="text"><h1><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg>Pwn2Win CTF 2016: Suspect Router</h1>
Category: Reverse
Points: 100
Solves: 0
Description:
We have found this suspect binary in one of the SKY project routers.
We suspect that the Club installs this binary to mark the enemy networks
intruded by them, and that hidden information exists inside the binary
which can be obtained via network. Find which information is that.
Beware that old versions of qemu have a bug which prevent this binary from being emulated correctly. We recommend emulating it in qemu-user >= 2.3.0 or running it in a real router.
The admpanel file is a MIPS binary which runs in OpenWRT routers, as you might suspect from the problem statement and also from inspecting the toolchain used to compile it:
$ strings admpanel | grep -i gcc
[...]
GCC: (OpenWrt/Linaro GCC 4.8-2014.04 r42625) 4.8.3
The binary can thus be run using the qemu-user emulator for the MIPS architecture, which allows a debugger to be attached using the GDB protocol. The debugger might be GDB itself or even IDA Pro, which supports the GDB protocol.
But before running the binary, we need to get the OpenWRT system libraries. We might as well download the entire SDK. Looking at the GCC version string, it is easy to find the correct SDK in the OpenWRT downloads page.
Once the SDK is extracted, you can setup the directory used by qemu to look for libraries by typing:
export QEMU_LD_PREFIX=${OPENWRT_SDK_ROOT}/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2
After that, the binary can be run by calling:
qemu-mips ./admpanel
If you want qemu to wait for a debugger to be attached before running the binary, use the -g command line option, passing the port on which the debugger will listen:
qemu-mips -g 1234 ./admpanel
From the problem statement, we know hidden information exists inside the binary which can be obtained via network. Therefore we first check to see if the process is listening at any port:
$ netstat -tnap
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 29454/qemu-mips
By looking at strings such as "HTTP/1.1", "200 OK", "Content-Length: ", "asynchttpserver.processClient" and many others which exist in the binary, one can easily guess this is a HTTP server. So let us see if we can get it to answer a HTTP request:
$ curl -v 'http://localhost:8080/'
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Content-Length: 13
<
* Connection #0 to host localhost left intact
Access Denied
By Googling strings contained in the binary such as "SIGSEGV: Illegal storage access. (Attempt to read from nil?)" or "asynchttpserver.processClient", we find the program was originally written in the Nim programming language.
Nim translates the program to C before compiling, which is good news since we are essentially dealing with <em>C on steroids</em>, adopting e.g. the usual C calling convention. The Nim standard library is statically linked into the executable, which means IDA Pro's FLIRT signatures might save us a lot of time.
We start with a <em>hello world</em> web server in Nim which mimics the behavior we have seen until now from the binary being analyzed:
import asynchttpserver, asyncdispatch
var server = newAsyncHttpServer()
proc cb(req: Request) {.async.} =
await req.respond(Http403, "Access Denied")
waitFor server.serve(Port(8080), cb)
Now we compile this file with Nim, assemble a static library file from the objects (*.o) generated in the nimcache directory, and use it to generate a FLIRT signature. As the analysis proceed, we can insert more code to call other standard library procedures in order to get them included in the FLIRT signature.
The FLIRT signature file is intended to be copied to the sig/mips directory inside the IDA Pro installation.
After opening the binary in IDA Pro, the FLIRT signature can be loaded using the File → Load file → FLIRT signature file... menu. Just select the nimstdlib signature and it will be applied.
Now, it would be a nightmare to get to the request handler by following the code from the main function onwards, because this program is written using Nim's asynchronous procedures, for which the compiler generates FSMs and lots of indirection.
But we are lucky because we can look for cross-references to strings, such as the "Access Denied" which the program replies as an answer to our requests. However, we need to remember that the Nim string type extends TGenericSeq (defined below), so before the ASCII characters, there are 8 bytes containing the string length repeated twice (well, strictly speaking, reserved can contain a number bigger than len).
TGenericSeq struc # (sizeof=0x8, mappedto_1).
len: .word ?
reserved: .word ?
TGenericSeq ends
So the "Access Denied" string is represented as follows:
.rodata:00415DE0 sAccessDenied: TGenericSeq <0xD, 0xD> # DATA XREF: sub_413D20+240↑o
.rodata:00415DE8 aAccessDenied: .ascii "Access Denied"<0>
Following its cross-reference we get to a very interesting function:
Above, the nsthasKey and nstTake references were not detected by our original FLIRT signature, but if we look at the nstTake function, it contains a reference to the "key not found: " string. Grepping through Nim standard library code, we see it is used by a template whose purpose is to get values from string tables. After adding some pointless strtab manipulation to nimstdlib.nim, we finally get these included in the FLIRT signature.
Before we go further on, first a MIPS calling convention crash course:
Before the call, $a0, $a1, $a2, ... contain the arguments to a function.
After the call, $v0 contains the returned value.
Besides, always remember that MIPS has a branch delay slot, so the instruction just after a branch or jump is always executed, before the jump is effectively taken.
By analyzing the flow, we can see that some action happens when the branch beqz $v0, loc_413F48 is not taken. For the execution flow to get there at the first place, the string table at the 0xC($v0) address needs to contain a "Return" key (call to nsthasKey). The value corresponding to this key is taken from the string table (call to nstTake). It is then converted to lower case (call to nsuToLowerStr), and only the first 3 chars are copied from it (call to copyStrLast, to which the second and third arguments are 0 and 2).
In order to understand the beqz $v0, loc_413F48 branch, we need to analyze sub_413CA4 and sub_40AF88. It turns out that sub_413CA4 is easy — it is equivalent to issuing the sw $a1, 0($a0) instruction (look the code at 0x00413D0C), after doing some garbage collector bookkeeping. Thus we see that sub_40AF88 receives as its first argument the substring returned by copyStrLast, and some table contained in unk_415E2C as its second argument.
Above we have the sub_40AF88 disassembly graph. The function receives a string str as the first argument, and a bitmap tbl as the second argument. It consists of a loop which iterates over the string chars and returns true (1) only if no char is found to be outside the bitmap. In order to lookup a char in the bitmap, its value is divided by 8 (srl $a3, char, 3). Then the division remainder (andi char, 7) is used to look at a specific bit (srlv leastsig, $a3, leastsig) of this 8-bit value.
Analyzing the bitmap located at unk_415E2C, we see that it contains the chars '0'..'9', 'A'..'F' and 'a'..'f', i.e. hex digits.
Summing all up, the string we are looking for has at most 3 chars, and consists of lowercase hex digits.
By looking at the nimcache/stdlib_strtabs.c file inside a Nim project, we can find how the structure is supposed to appear in memory:
struct TNimObject {
TNimType* m_type;
};
struct Stringtableobj140209 {
TNimObject Sup;
NI counter;
Keyvaluepairseq140207* data;
NU8 mode;
};
struct Keyvaluepairseq140207 {
TGenericSeq Sup;
Keyvaluepair140205 data[SEQ_DECL_SIZE];
};
struct Keyvaluepair140205 {
NimStringDesc* Field0;
NimStringDesc* Field1;
};
Let us map that to a bunch IDA Pro structures:
Stringtable struc # (sizeof=0xD, mappedto_2)
m_type_ptr: .word ?
counter: .word ?
keyvaluepairseq_ptr:.word ?
mode: .byte ?
Stringtable ends
# ---------------------------------------------------------------------------
Keyvaluepairseq struc # (sizeof=0x208, mappedto_3)
sup: TGenericSeq ?
data: Keyvaluepair 64 dup(?)
Keyvaluepairseq ends
# ---------------------------------------------------------------------------
Keyvaluepair struc # (sizeof=0x8, mappedto_4) # XREF: Keyvaluepairseq/r
key_ptr: .word ?
value_ptr: .word ?
Keyvaluepair ends
Of course we could read asynchttpserver docs and find out that the only string table you could get from the request which would make any sense consists of the HTTP request headers, a hypothesis which, by the way, can be promptly tested by running curl -H 'Return: 123' -v http://localhost:8080/.
But debugging is endless joy, so now let us call the executable passing -g 1234 as argument to qemu-mips and fire the IDA Pro debugger.
Setting a breakpoint at 0x00413D74 (jal nsthasKey), we can inspect the memory location referenced by $a0, which should contain a string table. If we run curl http://localhost:8080/, we trigger the breakpoint.
Now we navigate the memory, starting from the address referenced by $a0, and always typing Alt+Q when we find something which should be represented as one of our structures:
So yes, the string table contains HTTP request headers.
Until now, we know we need to pass 3 lowercase hex digits as the Return header to the server. But which 3 lowercase hex digits?
If we pass some incorrect string, we get garbage back in the answer's Return header:
$ curl -H 'Return: 123' -v http://localhost:8080/
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.43.0
> Accept: */*
> return: 123
>
< HTTP/1.1 403 Forbidden
< Return: {{some seemingly random garbage}}
< Content-Length: 13
<
* Connection #0 to host localhost left intact
Access Denied
We might try to understand the rest of the code, but the search space is so small that we might rather just bruteforce the string.
In one terminal, we start the emulator (without enabling the debugger). In other terminal, we call the bruteforce.py script. After 3 seconds, the flag should be found:
$ ./bruteforce.py
key: f21
flag: CTF-BR{naVcO_you_found_it_PQZ0a}
</div>
<details class="details-reset details-overlay details-overlay-dark">
<summary data-hotkey="l" aria-label="Jump to line"></summary>
<details-dialog class="Box Box--overlay d-flex flex-column anim-fade-in fast linejump" aria-label="Jump to line">
</option></form><form class="js-jump-to-line-form Box-body d-flex" action="" accept-charset="UTF-8" method="get">
<input class="form-control flex-auto mr-3 linejump-input js-jump-to-line-field" type="text" placeholder="Jump to line…" aria-label="Jump to line" autofocus>
<button type="submit" class="btn" data-close-dialog>Go</button>
</form> </details-dialog>
</details>
<div class="Popover anim-scale-in js-tagsearch-popover"
hidden
data-tagsearch-url="/epicleet/write-ups-2016/find-symbols"
data-tagsearch-ref="pwn2win-ctf-2016"
data-tagsearch-path="pwn2win-ctf-2016/reverse/suspect-router-100/README.md"
data-tagsearch-lang="Markdown"
data-hydro-click="{"event_type":"code_navigation.click_on_symbol","payload":{"action":"click_on_symbol","repository_id":54845624,"ref":"pwn2win-ctf-2016","language":"Markdown","originating_url":"https://github.com/epicleet/write-ups-2016/blob/pwn2win-ctf-2016/pwn2win-ctf-2016/reverse/suspect-router-100/README.md","user_id":null}}"
data-hydro-click-hmac="297abef5f6be1f0dc5990ea995af5d5ec298fb0f9738669cca4057ee0dc13a66">
<div class="Popover-message Popover-message--large Popover-message--top-left TagsearchPopover mt-1 mb-4 mx-auto Box box-shadow-large">
<div class="TagsearchPopover-content js-tagsearch-popover-content overflow-auto" style="will-change:transform;">
</div>
</div>
</div>
</div>
</div>
</main>
</div>
</div>
<div class="footer container-lg width-full p-responsive" role="contentinfo">
<div class="position-relative d-flex flex-row-reverse flex-lg-row flex-wrap flex-lg-nowrap flex-justify-center flex-lg-justify-between pt-6 pb-2 mt-6 f6 text-gray border-top border-gray-light ">
<div id="ajax-error-message" class="ajax-error-message flash flash-error">
<svg class="octicon octicon-alert" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M8.893 1.5c-.183-.31-.52-.5-.887-.5s-.703.19-.886.5L.138 13.499a.98.98 0 000 1.001c.193.31.53.501.886.501h13.964c.367 0 .704-.19.877-.5a1.03 1.03 0 00.01-1.002L8.893 1.5zm.133 11.497H6.987v-2.003h2.039v2.003zm0-3.004H6.987V5.987h2.039v4.006z"></path></svg>
<button type="button" class="flash-close js-ajax-error-dismiss" aria-label="Dismiss error">
<svg class="octicon octicon-x" viewBox="0 0 12 16" version="1.1" width="12" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.48 8l3.75 3.75-1.48 1.48L6 9.48l-3.75 3.75-1.48-1.48L4.52 8 .77 4.25l1.48-1.48L6 6.52l3.75-3.75 1.48 1.48L7.48 8z"></path></svg>
</button>
You can’t perform that action at this time.
</div>
<script crossorigin="anonymous" async="async" integrity="sha512-WcQmT2vhcClFVOaaAJV/M+HqsJ2Gq/myvl6F3gCVBxykazXTs+i5fvxncSXwyG1CSfcrqmLFw/R/bmFYzprX2A==" type="application/javascript" id="js-conditional-compat" data-src="https://github.githubassets.com/assets/compat-bootstrap-59c4264f.js"></script>
<script crossorigin="anonymous" integrity="sha512-6XBdUZGib4aqdruJTnLMOLpIh0VJsGlgQ7M3vndWJIH6YQNv+zqpo1TbCDzjHJ+YYEm4xkEinaY0VsemDUfi9A==" type="application/javascript" src="https://github.githubassets.com/assets/environment-bootstrap-e9705d51.js"></script>
<script crossorigin="anonymous" async="async" integrity="sha512-EDN3kiqMVKpDXq6euD9tcIPeh3xqtWzCcm8mqqLAZOkXwdMo0hSA8Bfg0NqZ8c2n51yU4SlSal3hqgdrus+M2A==" type="application/javascript" src="https://github.githubassets.com/assets/vendor-10337792.js"></script>
<script crossorigin="anonymous" async="async" integrity="sha512-CcKFBqQZKOCZU5otP6R8GH2k+iJ3zC9r2z2Iakfs/Bo9/ptHy6JIWQN3FPhVuS3CR+Q/CkEOSfg+WJfoq3YMxQ==" type="application/javascript" src="https://github.githubassets.com/assets/frameworks-09c28506.js"></script>
<script crossorigin="anonymous" async="async" integrity="sha512-7Evx/cY3o6cyoeTQc+OX5n6X4k+wTJkQnAyjtmpge6F3Hgw511TPF+N0BFvn3IZLaQro6kyC/f0dqhklyssNow==" type="application/javascript" src="https://github.githubassets.com/assets/github-bootstrap-ec4bf1fd.js"></script>
<div class="js-stale-session-flash flash flash-warn flash-banner" hidden
>
<svg class="octicon octicon-alert" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M8.893 1.5c-.183-.31-.52-.5-.887-.5s-.703.19-.886.5L.138 13.499a.98.98 0 000 1.001c.193.31.53.501.886.501h13.964c.367 0 .704-.19.877-.5a1.03 1.03 0 00.01-1.002L8.893 1.5zm.133 11.497H6.987v-2.003h2.039v2.003zm0-3.004H6.987V5.987h2.039v4.006z"></path></svg>
<span>You signed in with another tab or window. Reload to refresh your session.</span>
<span>You signed out in another tab or window. Reload to refresh your session.</span>
</div>
<template id="site-details-dialog">
<details class="details-reset details-overlay details-overlay-dark lh-default text-gray-dark hx_rsm" open>
<summary role="button" aria-label="Close dialog"></summary>
<details-dialog class="Box Box--overlay d-flex flex-column anim-fade-in fast hx_rsm-dialog hx_rsm-modal">
<button class="Box-btn-octicon m-0 btn-octicon position-absolute right-0 top-0" type="button" aria-label="Close dialog" data-close-dialog>
<svg class="octicon octicon-x" viewBox="0 0 12 16" version="1.1" width="12" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.48 8l3.75 3.75-1.48 1.48L6 9.48l-3.75 3.75-1.48-1.48L4.52 8 .77 4.25l1.48-1.48L6 6.52l3.75-3.75 1.48 1.48L7.48 8z"></path></svg>
</button>
<div class="octocat-spinner my-6 js-details-dialog-spinner"></div>
</details-dialog>
</details>
</template>
<div class="Popover js-hovercard-content position-absolute" style="display: none; outline: none;" tabindex="0">
<div class="Popover-message Popover-message--bottom-left Popover-message--large Box box-shadow-large" style="width:360px;">
</div>
</div>
<div aria-live="polite" class="js-global-screen-reader-notice sr-only"></div>
</body>
</html>
