 Hey folks, Adam DuPay here and today we're going to be looking at the Poneble.kr challenge flag. So this is an interesting challenge and it's definitely one that's outside of my wheelhouse. This is going to be a little bit more of a walkthrough because I've already solved this challenge but the actual solving of it took me a lot longer. So let's dive right in. So the flag, you can see it's worth seven points so this means it's probably more difficult than ones we've seen so far and let's see it says Papa brought me a packed present. Let's open it. Download the executable here and interesting and the next line actually goes to further this but it's clear it says, I mean there's no FSH, it's not saying this is running anywhere, this is saying that this is a reversing task, all you need is the binary. So how should we at CTFers look at this? This means that the flag is somehow hidden inside this binary and we'll need to figure out a way to extract that binary and that extract the flag just from the binary so I already have it here. So whenever I'm faced with any kind of reversing task like this I first want to understand as much as I can about this binary and really what you're doing here is you're just trying to, the goal here is just trying to get more information as much as you can about what is this binary and what does it do and so the first thing I always run is the file command on any type of unknown binary. This is a very good habit to get into on any type of CTF challenge is just what what are you looking at and it's important to know about how file works so if you don't know how it works read the man page. Basically it's reading the magic bytes of the file and telling you information about it. So here we can see that flag is an elf 64-bit executable. It's been statically linked which means that libc everything is all contained within flag which should mean that it's a pretty large 328k so it's a pretty large binary and we know that it's been stripped so this means it won't have any nice debugging symbols. Also interesting in terms of thinking about the idea behind this ponible.kr here's our first look at a challenge without c code so we're going to have to be exercising our reverse engineering and our those type of muscles so the first thing I always run is flag and the next thing I always run is strings so strings if we look at the man page it basically it's incredibly simple it just scans through the the file and it looks for ASCII strings of a minimum of a certain length so it just looks for ASCII characters I think at least four characters long or an option and we'll show it to you so I love running strings on a binary because it tells me it it lets me know so what you'll see is you'll see a lot of the UI elements will be strings in this in the binary that come out and what you can do is you can look for that in the program so you can kind of get a feel for what the program does without even running it so strings here let's see so you just kind of have to take this with a grain of salt you're really just trying to get a feel for what's here I just kind of spaced through it and yeah we got a lot of weird stuff in here I'm not trying to read everything I'm just trying to let my eyes a little bit relax and just kind of like see if anything pops out of us so nothing right away ooh let's see our temp these could be stuff from libc so we have to be careful about not you know having too many preload yeah a lot of these are probably the linker libc that sort of thing so I think we may have hit the usefulness here oh that looks like to be some text ah interesting uh proc exec pro right fail interesting thing here info this file was packed with the upx executable packer hmm one thing to look for once you run strings look for flag and maybe see if we see anything I mean the other thing we know there's been a lot of smiley faces so search for smiley faces see if there's anything in there and presumably there's not I mean but you always want to you never know I mean this comes up in ctf challenges sometimes with forensics when they give you some tcp dump or some kind of crazy dump and honestly a lot of times you can solve that just by grepping for the words flag okay so that didn't show us anything so it looks like this upx thing is interesting um so it's some kind of packer and a packer what it essentially does is a packer will go in and um you'll give it your binary and it will take that and pack it and basically dynamically unpack it at runtime with all kinds of crazy obfuscation tricks um so this seems to be rather than necessarily a static reverse engineering where you have the binary itself and it's just complicated um it looks like we may have to do some dynamic stuff here so let's so the next thing I do so I run file I run strings and then I execute it to see what it does um so here we see it outputs I will malloc and string copy the flag there take it interesting and the other interesting thing is if we pop this through the flag so we actually do not see this string anywhere in the program um and so presumably so it's telling us that it's going to malloc the code and then it's going to try to string copy the flag there so the other thing I always like to do is to run the binary under L trace so L trace will hook all of the libc calls that will give you all of the uh libc calls that the binary is making so I can run L trace and uh that's the wrong way so it says it can't find dynamic symbols or dynamic strings and here this actually makes sense if we remember um if I had remembered oh of course this this um the binary is statically linked so it's not using the dynamic system call so we can't use um l trace on a statically linked binary but we can use s trace so we can see the first thing that happens is uh exec the e so this is our shell executing this it does some memory mappings it then reads the link to slash proc self exe which is interesting um it then is calling mmap so we could try to figure out what all these calls are um it's calling m protect on this memory region at what is this 400,000 it calls nmap again calls m protect again with this 6c1 um calls nmap m unmapped that's interesting unmapped stuff it calls uname to get the uname that's interesting uh it calls brk so presumably this is the call to malloc so it's telling us that it's going to call malloc and it's going to copy the string there and we can actually so brk is what's used so malloc is a libc function and malloc calls brk to actually allocate heat memory from the operating system so you can look up the man pages for all of these fun things to learn more about that then it calls arc protect arch set fs another break another break um then it calls fstat so fstat on one um it does another nmap and then writes out one i will malloc and string copy the flag so this is the right and then we have exit group so um it took me a long time of messing with this program but one of the things um i want to do here so now what i want to do is i want to run it in gdp right just to kind of get a sense for what it does um so we can see it runs we can run it totally fine um but actually debugging this is a bit of a pain and so we can actually boot this up and look at the disassembly and hopper so hopper or your favorite disassemblers so this will give us an entry point where it's going to first call this function and um hopper doesn't understand that this is code or a procedure um so i think all of this is probably code um so and this is probably some kind of a procedure anyways i had to play with around with this for a while but it's going to call in there it's going to do stuff it's um essentially what we're looking at here is the output of the upx packer so one idea would be to look for a upx unpacker i'm sure those exist online run it on here something that gets that uh the other thing it would be if the we know the flag is in memory at some point well let's just break point um somewhere and try to hook that try to see what the memory looks like at that place to try to find the flag so one thing we can do here is we can break on right the problem is that right function is not defined and the packer is actually somehow this code is encoded in here and it's going to unpack it at run time so even us just trying to hook that right function in libc is not going to work but there actually exists a nice way gb break point on syscall we know because we ran it in ftrace we know that it calls let's go up we know that it calls exit group and we know that it calls right so we can actually gdb and this actually is something i didn't know about gdb until this challenge and this is why doing ctf and ctf challenges is so fun because you get to learn things as you're as you're trying to break these things so i believe it's catch exit group is that right let's see gdb so always read the help help catch uh okay so catch syscall exit group catch help catch oh i misspelled it spelling okay good so now we have a catch point so now we'll break when it calls exit group so now here we are we've broken right before the program is about to exit which presumably means that the flag is somewhere in memory so what's the so gdb has this find command to look through memory but we kind of have to already know what we're looking for so one nice thing that we can use is we can create a core create a core dump so core dump writes out the current state of memory registers everything so that you can debug it later the good news for us uh file man exit yes i want you to make a core dump gdb create core dump so there's a way to do this um oh interesting huh interesting so you can just write out raw oh i did not know that see that could come in handy generate core file there we go so we can do learn more about it help generate core files save a core file so we can do generate core file um flag core can't do that without a process to debug want to generate this core file there we go okay and now if i run file on flag core i will see that it is a um interesting so it's l 64 bit core file so now at this point the binary has been unpacked so i could look at the main file and try to read what's going on but i know that i'm just trying to get some strings out so if i run strings now on this flag core i now should get the the output after the upx unpacker steps in so we can see hey there's core there's flag uh this sounds like a delivery service i will something and we can see we get a bunch of junk in here so one of the things to do is presumably we can use our knowledge that all of the other flags have been pretty long um so i can maybe set it to uh it seems not enough 13 maybe 15 would give us some nice ah there we go so what i would start doing is start trying things as flags so the first thing actually things is this sounds like a delivery service this looks like the flag right so you try this you'd find out that it failed it would be very annoying and you'd look through more and you'd look for more more things and more flags but you'd actually see this upx dot dot dot question mark sounds like a delivery service and that actually looks more like the flag because that actually makes sense so we put that in and we should see that this is the flag and we should be very very happy at this point um so this was a really interesting challenge it got me to learn about how to break point on system calls in in gdb and how to use gdb for all kinds of fun stuff so it's fun to always play with these unpackers because they make you learn more things about how these tools work so there you go this is how you break the flag challenge of pwnables.kr see you folks later