Capture The Flag evening - Part 11

• 24 March, 2014 - 7 PM
• Please bring along a laptop with you!!!

General CTF Info

• See the page for the Ctf-evenings
• Link to the Tech Inc Challenge Website Scoreboard

Walkthrough: Minibomb

• Brainsmoke is explaining how he solved the challenge 'Minibomb' during the Codegate CTF
• Minibomb is a small setuid binary
  • This is probably a handmade binary written in assembler, Linux ELF, 32 bit
  • You can see the ELF header if you use file or hexdump
    • For more information about the ELF header (including the binary entry point, memory pages being loaded, executable text, etc..), you can use readelf
  • Objdump allows us to disassemble the binary
  • It's a static binary - there's no dynamic loader
    • Dynamic binaries have an interpreter section, with more LD-* things that need to be resolved
    • The kernel needs to tell where the binary starts
  • You could also use IDA, but that's overkill for this binary
• If you run it with strace, you see a list of signals and system calls
  • It starts, does an old_mmap call (you can get lots of information from the arguments, including the starting address), an unman (looks like a stack address - bfxx if usually on the stack in 32 bits)
  • It does a write and read
  • If you send lots of A's, you get a segfault - this gives away that you have a bug here
  • You can do this in gdb to get more information
    • You can see that a fault happens on the address 0x41414141 - our input!
    • It's easy to get arbitrary code execution here
• Because it's a small file, we can take a look at the disassembled code
  • We can see the memory map
  • You can get system call information by typing 'syscall mmap' - we can see 0x5a, which is the syscall instruction in the disassembly!
  • We should read up to understand the meanings of: %eax, %ebx, etc...

Next CTF Competition

• We are having a look at:https://ctftime.org/event/list/upcoming

Cryptanalysis

http://www.overthewire.org/wargames/krypton/krypton0.shtml