Baby-Steps (50 points) [Security Mooc CTF]
This was part of a CTF conducted as an exercise during the SecurityMooc course organised by IIT Kanpur.
Here’s the file link.
This is a very simple gdb exercise given to us.
I have lost my password, entering which to the program I will be able to enter a bank
account which has billion dollars. I assure you million dollars if you get the key for
me :)
Let’s run the file using ltrace:
$ ltrace ./baby_steps
__libc_start_main(0x80485cb, 1, 0xffbc6ca4, 0x80486e0 <unfinished ...>
fopen("/dev/urandom", "r") = 0x9a2c008
__isoc99_fscanf(0x9a2c008, 0x804876f, 0xffbc6b88, 0xf7739c08) = 1
fclose(0x9a2c008) = 0
printf("Enter the password: ") = 20
__isoc99_scanf(0x8048789, 0xffbc6b24, 0xffbc6b88, 0xf7739c08Enter the password: ABCD
) = 1
strcmp("ABCD", "\352\272y\231$\320\277O\3262\247,\331/y\365\254j\274\255") = -1
printf("Wrong password!!") = 16
Wrong password!!+++ exited (status 0) +++
The binary asks for a password and after our input, prints that it’s wrong.
Let’s disassemble main() and see what we can infer (key is correct password, input is our input):
gdb-peda $ pdisas main
Dump of assembler code for function main:
0x080485cb <+0>: lea ecx,[esp+0x4]
..........
0x080485ed <+34>: push 0x8048760
0x080485f2 <+39>: push 0x8048762
0x080485f7 <+44>: call 0x80484a0 <fopen@plt> "fopen("/dev/urandom", "r") "
0x080485fc <+49>: add esp,0x10
0x080485ff <+52>: mov DWORD PTR [ebp-0xd8],eax "bytes we get from urandom"
0x08048605 <+58>: sub esp,0x4
0x08048608 <+61>: lea eax,[ebp-0x70]
0x0804860b <+64>: push eax
0x0804860c <+65>: push 0x804876f
0x08048611 <+70>: push DWORD PTR [ebp-0xd8]
0x08048617 <+76>: call 0x8048450 <__isoc99_fscanf@plt> "fscanf(bytes,"%s",&key)"
..........
0x08048643 <+120>: lea eax,[ebp-0xd4]
0x08048649 <+126>: push eax
0x0804864a <+127>: push 0x8048789
0x0804864f <+132>: call 0x80484b0 <__isoc99_scanf@plt> "Like scanf("%s",&input)"
0x08048654 <+137>: add esp,0x10
0x08048657 <+140>: sub esp,0x8
0x0804865a <+143>: lea eax,[ebp-0x70]
0x0804865d <+146>: push eax
0x0804865e <+147>: lea eax,[ebp-0xd4]
0x08048664 <+153>: push eax
0x08048665 <+154>: call 0x8048430 <strcmp@plt> "Comparing our input with the key"
0x0804866a <+159>: add esp,0x10
0x0804866d <+162>: test eax,eax "Checking for equality"
0x0804866f <+164>: jne 0x80486a3 <main+216>
0x08048671 <+166>: sub esp,0xc "If pass and key are equal"
0x08048674 <+169>: push 0x8048790
0x08048679 <+174>: call 0x8048440 <printf@plt>
0x0804867e <+179>: add esp,0x10
0x08048681 <+182>: sub esp,0xc
0x08048684 <+185>: push 0x804ad60
0x08048689 <+190>: call 0x8048480 <puts@plt>
0x0804868e <+195>: add esp,0x10
0x08048691 <+198>: sub esp,0xc
0x08048694 <+201>: push 0x80487b5
0x08048699 <+206>: call 0x8048480 <puts@plt>
0x0804869e <+211>: add esp,0x10
0x080486a1 <+214>: jmp 0x80486b3 <main+232>
0x080486a3 <+216>: sub esp,0xc "If pass and key unequal"
0x080486a6 <+219>: push 0x80487b8
..........
0x080486d0 <+261>: ret
End of assembler dump.
The program opens /dev/urandom and writes random bytes into they key.
If our input and the random bytes are equal, we fall through 0x0804866f <+164>: jne 0x80486a3.
Now this has 3 output statements:
printf(0x8048440)
puts(0x804ad60)
puts(0x80487b5)
We can see these values by simply issuing a x/s 0x8048440 and two others x/s’s for each address using gdb.
That subsequently leads to printing our flag:
Correct password!! The flag is flag{kH9h9skyxrgSZeN3oaqGnNo4amNJvhOa}
