Binary: http://binary.grayhash.com/c46a02c63c233dd9c62cececff9f52b5/pirate_danbi MD5SUM of priate_danbi : ebdcfa91ae9a270ccc15230019126c6d
OS: Ubuntu 14.04 (Kernel: 3.13.0-44) /lib/x86_64-linux-gnu/libc-2.19.so /lib/x86_64-linux-gnu/libbz2.so.1.0.4 /lib/x86_64-linux-gnu/ld-2.19.so /lib/x86_64-linux-gnu/ld-2.19.so
Server1 IP : 22.214.171.124 Port : 8888
Server2 IP : 126.96.36.199 Port : 8888
Let’s start by running the file command :
root@tinduong:~# file pirate_danbi pirate_danbi: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=f63963a28bb50da4a9bcf5cd383ffdee48fd5b05, stripped
Load the binary in IDA Pro and analyze the code. The binary is quite simple. It first read 8 bytes secret key from file and store in a buffer then waits for commands.
Each command should have following format:
Depend on what func_code is, the corresponding function will be called. There are 9 functions as you can see at 0x401A68
In summary, what we need to notice about this binary are:
- We can write our data into a bz2 file.
- We can extract the bz2 if dw_writeable = 1.
- If our processed data from authentication function is equal to “YO_DANBI_CREW_IN_THE_HOUSE.”, dw_run_shell can be set to 1.
- We can use sh to execute file which is extracted from the bz2 if dw_run_shell = 1.
- What we input in authentication function (function code 1) will affect to value of dw_writeable and dw_run_shell.
Authentication function gets an input and check whether its length is divisible by 8 (0x0400EAA).
Then it does some calculation (0x0400EDB) with secret key and our data, save the result to st_main.
We need to set dw_wriable to 1 to be able to extract data from bz2 file. Authentication function takes last 8 bytes of our data xor with secret key. The last byte of the result is the number of byte to be checked. Those XOR-ed bytes must be equal in order to change the value of dw_writable to 1.
If dw_writable is 1 and we use extract command (0x04011B6), the binary takes more time to extract bz2 file. Hence, we can easily use timming attack to brute-force the secret key byte by byte.
This approach is one of two ways to solve this challenge.
We have key and output (YO_DANBI_CREW_IN_THE_HOUSE.), we need a correct input to send to authentication function. Just reverse the calculation and we get it, then send data to server in the following step:
- Send command 1 with our input.
- Send command 4 to set dw_run_shell to 1
- Send command 2 with bz2 compressed data.
- Send command 3 to decompress bz2.
- Send command 5 to execute shell.
- Get flag and submit.
Flag is: barking_danbi_is_waiting_for_you_at_finals