Tags: bin 

Hack.lu 2012 Zombie-lockbox (200) Writeup
by cutz

ctf@zombie_lockbox:~$ file zombie-lockbox
zombie-lockbox: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x85b329ae9ddc0039a4a3a7a0d42ed1098eda09c1, not stripped

zombie-lockbox was also 32-bit and dynamically linked, and did nothing but ask for a password and drop a shell if the password is correct:

ctf@zombie_lockbox:~$ ./zombie-lockbox
ZOMBIE AUTHENTICATION SYSTEM
ONLY ZOMBIES MAY ENTER
Password: ASDASD
You are not allowed to enter!
ctf@zombie_lockbox:~$

ctf@zombie_lockbox:~$ strings zombie-lockbox
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
puts
__stack_chk_fail
stdin
printf
fgets
execve
strcmp
__libc_start_main
/lib/libc
GLIBC_2.4
GLIBC_2.0
PTRh
QVh$
D$\1
T$\e3
UWVS
[^_]
z0mb1ez_haq_teh_sh1t
ZOMBIE AUTHENTICATION SYSTEM
ONLY ZOMBIES MAY ENTER
Password:
You are allowed to enter!
/bin/sh
You are not allowed to enter!
;*2$"

So one might think that z0mb1ez_haq_teh_sh1t is the correct password, and it actually works,
but only if the binary loses its setuid bit, for example under gdb:

(gdb) r
Starting program: /home/ctf/zombie-lockbox
ZOMBIE AUTHENTICATION SYSTEM
ONLY ZOMBIES MAY ENTER
Password: z0mb1ez_haq_teh_sh1t
You are allowed to enter!
process 30610 is executing new program: /bin/dash
warning: Selected architecture i386:x86-64 is not compatible with reported target architecture i386
Architecture of file not recognized.
(gdb)

However, if you use ldd, you see that it uses a different libc than all the other challenges:

ctf@zombie_lockbox:~$ ldd zombie-lockbox
linux-gate.so.1 => (0xf773f000)
libc.so.6 => /lib/libc/libc.so.6 (0xf7596000)
/lib/ld-linux.so.2 (0xf7740000)
ctf@zombie_lockbox:~$

You could now either search for the hacked part inside that libc or simply diff it
with the original one:

ctf@zombie_lockbox:/tmp/cutz_STUFF$ strings /lib32/libc-2.15.so > 2
ctf@zombie_lockbox:/tmp/cutz_STUFF$ strings /lib/libc/libc.so.6 > 1
ctf@zombie_lockbox:/tmp/cutz_STUFF$ diff 1 2
3575,3579c3575,3578
< @dlol_
< @hz0mb
< @l1ez_
< @pc4nt
< @t_haq
---
> JsX1
> Js>1
> Js$1
> @+D$
8643c8642
< GNU C Library (Ubuntu EGLIBC 2.15-0ubuntu10.2) stable release version 2.15, by Roland McGrath et al.
---
> GNU C Library (Ubuntu EGLIBC 2.15-0ubuntu10.3) stable release version 2.15, by Roland McGrath et al.
8649c8648
< Compiled on a Linux 3.2.28 system on 2012-09-29.
---
> Compiled on a Linux 3.2.30 system on 2012-10-05.

The strings differ, so the new password can be read straight out of the diff: lol_z0mb1ez_c4nt_haq
If you are interested: the hacked part of libc was the 2nd call inside puts() (which actually is a strlen()). The replacement routine compares the string pointer against the binary's own message strings, issues the geteuid system call (eax = 0x31), and if the effective UID is 0x3e9 it writes the bytes of lol_z0mb1ez_c4nt_haq into the binary's memory before returning:

ctf@zombie_lockbox:/tmp/cutz_STUFF$ gdb /lib/libc/libc.so.6
(gdb) disas puts
Dump of assembler code for function puts:
0x00067a30 <+0>: sub $0x3c,%esp
0x00067a33 <+3>: mov %ebx,0x2c(%esp)
0x00067a37 <+7>: mov 0x40(%esp),%eax
0x00067a3b <+11>: call 0x12a2e3
0x00067a40 <+16>: add $0x13b5b4,%ebx
0x00067a46 <+22>: mov %edi,0x34(%esp)
0x00067a4a <+26>: mov %ebp,0x38(%esp)
0x00067a4e <+30>: mov %eax,(%esp)
0x00067a51 <+33>: mov %esi,0x30(%esp)
0x00067a55 <+37>: call 0x7dff0
(gdb) x/10i 0x7dff0
0x7dff0: nop
...
0x7e004: nop
0x7e005: cmp $0x8048708,%eax
0x7e00a: je 0x7e01a
0x7e00c: cmp $0x804874a,%eax
0x7e011: je 0x7e02e
0x7e013: cmp $0x804876c,%eax
0x7e018: je 0x7e034
0x7e01a: mov $0x31,%eax
0x7e01f: int $0x80
0x7e021: cmp $0x3e9,%eax
(gdb)
0x7e026: je 0x7e03a
0x7e028: mov $0x35,%eax
0x7e02d: ret
0x7e02e: mov $0x19,%eax
0x7e033: ret
0x7e034: mov $0x1d,%eax
0x7e039: ret
0x7e03a: mov $0x8049ffc,%eax
0x7e03f: movl $0x5f6c6f6c,0x64(%eax)
0x7e046: movl $0x626d307a,0x68(%eax)
(gdb)
0x7e04d: movl $0x5f7a6531,0x6c(%eax)
0x7e054: movl $0x746e3463,0x70(%eax)
0x7e05b: movl $0x7161685f,0x74(%eax)
0x7e062: mov $0x35,%eax
0x7e067: ret
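As an added example (not part of the original writeup), a small Python script that reconstructs the injected password from the gdb listing above: it parses the movl immediate stores relative to the base loaded into %eax, orders them by target address and decodes them as little-endian ASCII. The listing embedded in the script is copied from the output above; the function names are my own.

```python
import re
import struct

# Tail of the hooked routine, copied from the gdb listing in the writeup.
GDB_LISTING = """\
0x7e03a: mov $0x8049ffc,%eax
0x7e03f: movl $0x5f6c6f6c,0x64(%eax)
0x7e046: movl $0x626d307a,0x68(%eax)
0x7e04d: movl $0x5f7a6531,0x6c(%eax)
0x7e054: movl $0x746e3463,0x70(%eax)
0x7e05b: movl $0x7161685f,0x74(%eax)
0x7e062: mov $0x35,%eax
0x7e067: ret
"""

# "mov $imm,%eax" sets the base; "movl $imm,disp(%eax)" stores 4 bytes at base+disp.
BASE_RE = re.compile(r"\bmov\s+\$0x([0-9a-f]+),%eax")
STORE_RE = re.compile(r"\bmovl\s+\$0x([0-9a-f]+),0x([0-9a-f]+)\(%eax\)")


def recover_stores(listing):
    """Return [(absolute address, 4 little-endian bytes)] for each immediate store."""
    base = None
    stores = []
    for line in listing.splitlines():
        m = BASE_RE.search(line)
        if m:
            base = int(m.group(1), 16)
            continue
        m = STORE_RE.search(line)
        if m and base is not None:
            imm, disp = int(m.group(1), 16), int(m.group(2), 16)
            stores.append((base + disp, struct.pack("<I", imm)))
    return stores


def rebuild_string(stores):
    """Join contiguous 4-byte stores in address order and decode them as ASCII."""
    stores = sorted(stores)
    for prev, cur in zip(stores, stores[1:]):
        if cur[0] != prev[0] + 4:  # a gap means these are not one string
            raise ValueError("non-contiguous store at 0x%x" % cur[0])
    return b"".join(data for _, data in stores).decode("ascii")


def recovered_password():
    """The password the patched libc plants when geteuid() returns 0x3e9."""
    return rebuild_string(recover_stores(GDB_LISTING))


if __name__ == "__main__":
    print(recovered_password())
```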

So finally:

ctf@zombie_lockbox:~$ ./zombie-lockbox
ZOMBIE AUTHENTICATION SYSTEM
ONLY ZOMBIES MAY ENTER
Password: lol_z0mb1ez_c4nt_haq
You are allowed to enter!
$ cat FLAG
GETEUID_YOU_NASTY_BITCH

Original writeup (http://pastie.org/pastes/5114303/text?key=guo3cwa9wylupvaqebwseg).