Monday, September 2, 2013

ASIS CTF Finals 2013 - memdump

Since I never had a chance to work with volatility and Linux dumps, I've decided to take a crack at this challenge.

We were given a memory dump. Looking at strings we could tell it's from a VirtualBox image running Ubuntu with a 3.5.0-23-generic kernel.

strings /tmp/mem.dump | grep BOOT_

Since the profile available on volatilty site is for older kernel we had to make our own (the steps are described here).

After that it's time to play ;]

First: bash_history it's quite long but this looks important:

$ ./  -f /tmp/mem.dump --profile=LinuxUbuntu12_10-3_5_0-23x64 linux_bash -H 0x6ee4c0
Volatile Systems Volatility Framework 2.3_beta
     967 bash                 2013-08-26 11:27:53 UTC+0000   uname -a
     967 bash                 2013-08-26 11:27:53 UTC+0000   wget -O /tmp/
     967 bash                 2013-08-26 11:27:53 UTC+0000   wget
     967 bash                 2013-08-26 11:27:53 UTC+0000   ls
     967 bash                 2013-08-26 11:27:53 UTC+0000   du -h asis-ctf
     967 bash                 2013-08-26 11:27:53 UTC+0000   chmod +x asis-ctf
     967 bash                 2013-08-26 11:27:53 UTC+0000   ./asis-ctf
     967 bash                 2013-08-26 11:27:53 UTC+0000   sudo poweroff
     967 bash                 2013-08-26 11:27:54 UTC+0000   ls
     967 bash                 2013-08-26 11:30:37 UTC+0000   ./asis-ctf
     967 bash                 2013-08-26 12:00:04 UTC+0000   sudo apt-get install lynx
     967 bash                 2013-08-26 12:00:27 UTC+0000   lynx
     967 bash                 2013-08-26 12:10:44 UTC+0000   sudo apt-get install elinks
     967 bash                 2013-08-26 12:10:57 UTC+0000   elinks
     967 bash                 2013-08-26 12:14:58 UTC+0000   clear
     967 bash                 2013-08-26 12:15:00 UTC+0000   ls
     967 bash                 2013-08-26 12:15:28 UTC+0000   cp asis-ctf flag1

So lets take a look at procesess:  -f /tmp/mem.dump --profile=LinuxUbuntu12_10-3_5_0-23x64 linux_pstree
Volatile Systems Volatility Framework 2.3_beta
Name                 Pid             Uid
.login               837             0
..bash               967             1000
...asis-ctf          9425            1000
...nano              15584           1000
.apache2             16346           0

And lets dump the asis-ctf process memory and analyze it:

$  -f /tmp/mem.dump --profile=LinuxUbuntu12_10-3_5_0-23x64 linux_dump_map -p 9425 -D foo/
Volatile Systems Volatility Framework 2.3_beta
Task       VM Start           VM End                         Length Path
---------- ------------------ ------------------ ------------------ ----
      9425 0x0000000000400000 0x0000000000401000             0x1000 foo/task.9425.0x400000.vma
      9425 0x0000000000600000 0x0000000000601000             0x1000 foo/task.9425.0x600000.vma
      9425 0x0000000000601000 0x0000000000602000             0x1000 foo/task.9425.0x601000.vma
      9425 0x00007fd496e34000 0x00007fd496fe9000           0x1b5000 foo/task.9425.0x7fd496e34000.vma
      9425 0x00007fd496fe9000 0x00007fd4971e8000           0x1ff000 foo/task.9425.0x7fd496fe9000.vma
      9425 0x00007fd4971e8000 0x00007fd4971ec000             0x4000 foo/task.9425.0x7fd4971e8000.vma
      9425 0x00007fd4971ec000 0x00007fd4971ee000             0x2000 foo/task.9425.0x7fd4971ec000.vma
      9425 0x00007fd4971ee000 0x00007fd4971f3000             0x5000 foo/task.9425.0x7fd4971ee000.vma
      9425 0x00007fd4971f3000 0x00007fd497215000            0x22000 foo/task.9425.0x7fd4971f3000.vma
      9425 0x00007fd497408000 0x00007fd49740b000             0x3000 foo/task.9425.0x7fd497408000.vma
      9425 0x00007fd497411000 0x00007fd497415000             0x4000 foo/task.9425.0x7fd497411000.vma
      9425 0x00007fd497415000 0x00007fd497416000             0x1000 foo/task.9425.0x7fd497415000.vma
      9425 0x00007fd497416000 0x00007fd497418000             0x2000 foo/task.9425.0x7fd497416000.vma
      9425 0x00007fff62ff0000 0x00007fff63012000            0x22000 foo/task.9425.0x7fff62ff0000.vma
      9425 0x00007fff63048000 0x00007fff63049000             0x1000 foo/task.9425.0x7fff63048000.vma,/

To do real RE we should reconstruct the binary, but I didn't bother assuming it's a really simple app, and IDA can follow programs headers, excluding sections which are not present dumped image.

The binary was indeed simple, it waits for input, if input was 'flag' it prints the flag.

The flag was put on the stack byte-by-byte:

LOAD:0000000000400683 mov     byte ptr [rbp+var_A0], 66
LOAD:000000000040068A mov     byte ptr [rbp+var_A0+1], 73
LOAD:0000000000400691 mov     byte ptr [rbp+var_A0+2], 85
LOAD:0000000000400698 mov     byte ptr [rbp+var_A0+3], 82
LOAD:000000000040069F mov     byte ptr [rbp+var_A0+4], 76
LOAD:00000000004006A6 mov     byte ptr [rbp+var_A0+5], 65
LOAD:00000000004006AD mov     byte ptr [rbp+var_A0+6], 87
LOAD:00000000004006B4 mov     byte ptr [rbp+var_A0+7], 78
LOAD:00000000004006BB mov     [rbp+var_98], 100
LOAD:00000000004006C2 mov     [rbp+var_97], 95
LOAD:00000000004006C9 mov     [rbp+var_96], 105
LOAD:00000000004006D0 mov     [rbp+var_95], 55
LOAD:00000000004006D7 mov     [rbp+var_94], 105
LOAD:00000000004006DE mov     [rbp+var_93]

and printed:

LOAD:0000000000400867 loc_400867:
LOAD:0000000000400867 mov     eax, [rbp+idx]
LOAD:000000000040086D add     eax, eax
LOAD:000000000040086F cdqe
LOAD:0000000000400871 movzx   eax, byte ptr [rbp+rax+var_A0]
LOAD:0000000000400879 movsx   eax, al
LOAD:000000000040087C sub     eax, [rbp+idx]
LOAD:0000000000400882 sub     eax, 1
LOAD:0000000000400885 mov     edi, eax
LOAD:0000000000400887 call    sub_400500
LOAD:000000000040088C add     [rbp+idx], 1

Since we don't have a runnable binary, we have to do it `manually` - easiest method, use idapython:

add = 0x400683
for i in range(0,38):
    sys.stdout.write(chr(int(GetOpnd(add,1)) - i -1))
    add = Rfirst(Rfirst(add))
print ""


No comments:

Post a Comment