Into the rabbit hole

By Yaakov Cohen

We downloaded and extracted infected.zip and got an ELF file named infected.

Running strings on it gave:

bfddbacfdb438990581f105921d5ab2f6963644c711f598e1e342ff3269904
88ecfa6f235d26606304c1f1b4bf82dd6d6a86b8914cd94d98c40ac84c2427
583246665831396d5a57567861324d7a616a4e735832463059584e6c4c6e3d
5d0fef7835710ba4019b235317b5fb2bbb1714b387b717f7c99227b7a8a316
a09618d9b8d0039265a4b6c892d6556006095f3ed0554fe629945047a3c404
fb9df0cd02d639ca2c182db9f6c8927eddeb4313000795504ad8a88a7082d7
275e71cd2bf300b0fac21a0bfb76e676316036a299aaee5f9a1d9eb5076d41
...
...
...
b116b5327fdbc9ab90b2e08184949990b621f97672950f010107f75400a9d1
5112d0d547f07399d36379ff7489501f8089653087316da76251f1cdaecdeb
c660537dbc20096356b8ccdde5036963f0e1334aac4cde340bf257286794b7
805efdf76a86ac21b0843758ca116d94b74c523d107ebabc3bc8a1599a4cbf
cf2a902b874ea94200266437273f8003a3863f599e9c9507d98e5b736d130f
c2732e3fa8a6b6e0c858432368927ed673eb8aa4b393dfa861f46f9dac1910
5853df786011a97539b47aacc118ae7dafe433916b2be1fa4678f3ab4564fe
6710c504fd78d4e6c304062faa5037cf4b3b0a4b269fa22401d24e64e7982e
8f2a0bef6b08a1aff8f5731f87dc240a3c9820486621c035b741a4d6fcbbb9
d3ab66aabf048fb10edba27c3e7e57a44552d2b1a6f9bd2dae8c7503bb7111
ede79d87d8912f67ccdea85e938785d3b6555ffc25eb12b95c5e57469653cf
0c53925d165dcebf11abb2fea11f40e07bd4edfc239bc5cb182740b682a4e0

These are hex strings. Hex-decoding them showed that at least some of them were probably base64 strings.
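The triage step described above, as an added example that is not part of the original writeup: hex-decode every hex-looking line of strings output and report which ones come out as printable text inside the base64 alphabet. The sample input is constructed from two of the lines shown above plus one made-up non-hex line, so it runs offline.

```python
import binascii
import re
import string

# Constructed sample: two hex lines copied from the strings output above,
# plus one made-up non-hex line so the filter has something to skip.
SAMPLE_STRINGS_OUTPUT = """\
bfddbacfdb438990581f105921d5ab2f6963644c711f598e1e342ff3269904
583246665831396d5a57567861324d7a616a4e735832463059584e6c4c6e3d
not_a_hex_string
"""

HEX_LINE = re.compile(r"^[0-9a-fA-F]+$")
B64_CHARS = frozenset(string.ascii_letters + string.digits + "+/=")


def classify(line):
    """Hex-decode one strings(1) line and say what the bytes look like.

    Returns a dict: the raw line, whether it was hex, the decoded bytes
    (or None), whether every byte is printable ASCII, and whether the text
    stays inside the base64 alphabet (a hint that a second decoding layer
    is waiting underneath).
    """
    line = line.strip()
    info = {"raw": line, "hex": False, "decoded": None,
            "printable": False, "base64_like": False}
    # Odd-length or non-hex lines cannot be a hex encoding of bytes.
    if not line or len(line) % 2 or not HEX_LINE.match(line):
        return info
    info["hex"] = True
    decoded = binascii.unhexlify(line)
    info["decoded"] = decoded
    info["printable"] = all(0x20 <= b < 0x7F for b in decoded)
    info["base64_like"] = info["printable"] and all(
        chr(b) in B64_CHARS for b in decoded)
    return info


def base64_candidates(strings_output):
    """Return the decoded text of every hex line that looks like base64."""
    return [c["decoded"].decode("ascii")
            for c in map(classify, strings_output.splitlines())
            if c["base64_like"]]


if __name__ == "__main__":
    for candidate in base64_candidates(SAMPLE_STRINGS_OUTPUT):
        print(candidate)
```

The first sample line decodes to bytes starting with 0xbf and is rejected as non-printable; the second decodes to 31 characters of base64 alphabet, which is the kind of line worth feeding to the next decoding layer.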

With a little reversing we understood that the program takes input from the user and compares it to one of the strings we found, and that it repeats this 8 times. We could keep doing static analysis or try the easy (dynamic) way. We debugged it, put breakpoints on the comparisons and read the register values there. That worked, but here is an even easier and more elegant way (credit to team Bagel):

ltrace ./infected &> trace

We entered "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" (32 a's) 8 times, until the program finished running.

Next we took only the lines that had strncpy in them. Note that ltrace prints at most 32 characters of a string argument by default (the "..." after our 32 a's marks a string longer than that limit; raise it with -s if a chunk ever gets cut), while the 31-character base64 chunks fit in full:

# cat trace | grep strncpy
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "QlNpZGVzVExWe1dlX2dvbm5hX3J1bl9", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "ydW5fcnVuX3RvX3RoZV9jaXRpZXNfb2", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "ZfdGhlX2Z1dHVyZSxfdGFrZV93aGF0X", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "3dlX2Nhbl9hbmRfYnJpbmdfaXRfYmFj", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "a19ob21lLl9Tb190YWtlX21lX2Rvd25", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "fdG9fdGhlX2NpdGllc19vZl90aGVfZn", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "V0dXJlLF9ldmVyeWJvZHknc19oYXBwe", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "V9hbmRfSV9mZWVsX2F0X2hvbWUufQ==", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10

We combined all the parts of the flag and decoded it:

python3 -c "import base64; print(base64.b64decode('QlNpZGVzVExWe1dlX2dvbm5hX3J1bl9ydW5fcnVuX3RvX3RoZV9jaXRpZXNfb2ZfdGhlX2Z1dHVyZSxfdGFrZV93aGF0X3dlX2Nhbl9hbmRfYnJpbmdfaXRfYmFja19ob21lLl9Tb190YWtlX21lX2Rvd25fdG9fdGhlX2NpdGllc19vZl90aGVfZnV0dXJlLF9ldmVyeWJvZHknc19oYXBweV9hbmRfSV9mZWVsX2F0X2hvbWUufQ==').decode())"

We got the flag: BSidesTLV{We_gonna_run_run_run_to_the_cities_of_the_future,_take_what_we_can_and_bring_it_back_home._So_take_me_down_to_the_cities_of_the_future,_everybody's_happy_and_I_feel_at_home.}
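The whole ltrace workflow above (filter the strncpy calls, drop the ones that copy our own probe input, join the remaining chunks, base64-decode) as one script. This is an added example, not code from the writeup or from team Bagel; the trace text is constructed from the strncpy lines shown above plus one made-up non-strncpy line so the filter has something to ignore, and the 32-character probe is an assumed parameter. It also refuses to decode if ltrace truncated a chunk, which the one-liner above would silently get wrong.

```python
import base64
import re

# Constructed sample: the strncpy lines from the ltrace output above, with a
# made-up strlen line in front to show that non-strncpy calls are ignored.
SAMPLE_TRACE = """\
strlen("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"...) = 33
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "QlNpZGVzVExWe1dlX2dvbm5hX3J1bl9", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "ydW5fcnVuX3RvX3RoZV9jaXRpZXNfb2", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "ZfdGhlX2Z1dHVyZSxfdGFrZV93aGF0X", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "3dlX2Nhbl9hbmRfYnJpbmdfaXRfYmFj", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "a19ob21lLl9Tb190YWtlX21lX2Rvd25", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "fdG9fdGhlX2NpdGllc19vZl90aGVfZn", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "V0dXJlLF9ldmVyeWJvZHknc19oYXBwe", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
strncpy(0x7fffd54abe40, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abe40
strncpy(0x7fffd54abd60, "V9hbmRfSV9mZWVsX2F0X2hvbWUufQ==", 80) = 0x7fffd54abd60
strncpy(0x7fffd54abd10, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 80) = 0x7fffd54abd10
"""

# Assumed probe: the 32 a's typed at each prompt during the traced run.
PROBE = "a" * 32

# ltrace line shape: strncpy(<dest>, "<src>"[...], <n>) = <ret>
# The optional "..." after the closing quote is ltrace's truncation marker.
STRNCPY_RE = re.compile(
    r'^strncpy\((0x[0-9a-fA-F]+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, (\d+)\)')


def parse_strncpy_calls(trace_text):
    """Yield (dest, src, truncated) for every strncpy line in ltrace output."""
    for line in trace_text.splitlines():
        m = STRNCPY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) is not None


def flag_chunks(trace_text, probe=PROBE):
    """Collect the strncpy sources that are not copies of our own input.

    Raises ValueError if ltrace truncated one of them, because a silently
    shortened chunk would corrupt everything decoded after it.
    """
    chunks = []
    for dest, src, truncated in parse_strncpy_calls(trace_text):
        if src.startswith(probe):
            continue  # the program shuffling our probe between buffers
        if truncated:
            raise ValueError(
                f"chunk copied to {dest} was truncated by ltrace; rerun with -s")
        chunks.append(src)
    return chunks


def recover_flag(trace_text, probe=PROBE):
    """Join the chunks in trace order and base64-decode them strictly."""
    joined = "".join(flag_chunks(trace_text, probe))
    return base64.b64decode(joined, validate=True).decode("ascii")


if __name__ == "__main__":
    print(recover_flag(SAMPLE_TRACE))
```

Chunks are kept in trace order rather than sorted or deduplicated, since the program hands them out in the order it compares them; if the binary had reused a buffer for decoys, grouping by the dest address would be the next filter to add.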

Success