This past weekend I played a bit of the NahamCon CTF with WreckTheLine, and we placed really well in 2nd place! I didn’t manage to solve many challenges as I was stuck in camp (compulsory army), so I had to get a bit creative and try solving some pwns with only my phone. It was a pretty interesting experience, and I don’t urge you to try it out yourself after reading about my approach :P.
Tools of the Trade
First things first we have to create the linux environment in order for us to solve (most) pwn challenges. I made use of a $5/month DigitalOcean(my referral link) droplet with the Ubuntu 18.04.3 (LTS) x64 base image.
In order to access this from my Android phone, I made use of the JuiceSSH app to ssh into the droplet. The app is pretty convenient and has various useful features. One of which, is the
Tmux next/prev window option in the
Horizontal Swipe setting. Pairing this with tmux on the droplet allowed me to shift between tmux windows with ease during debugging and exploit writing by swiping left or right on the screen. For my fellow tmux idiots, the following cheatsheet should be ample for this minimal usage of tmux.
Initially, I did consider using r2 as my reversing tool as I would be working primarily through ssh to interact with the linux environment, thus I had no access to GUI applications. However, as my friends would know, my usual reaction to r2 is
:drakeno:. Fortunately, I found a great alternative that recently introduced its HLIL, Binary Ninja Cloud! It was not the most amazing user experience considering the UI was probably not designed for mobile browsers, but most of the basic functionality worked fine so it was a great option for me. However, I did find some issues with the output the HLIL produced, so that would be one consideration to make when using this. For a greater experience, use the application on landscape view instead of portrait view as the internal windows are resizeable but not collapsible, so they may occasionally take too much horizontal space, covering useful IL output.
As a note, it is probably a bare minimum to understand the IL syntax of binary ninja to use it for reversing, the official documentation is a useful reference for this.
With everything set-up, we can begin working on the actual challenges!
You’ve heard of software as a service, but have you heard of syscall as a service?
nc jh2i.com 50016 (Solves: 67, 100 pts)
This challenge allowed us to run arbitrary syscalls, except for a list of blacklisted syscalls.
Welcome to syscall-as-a-service! Enter rax (decimal): 0 Enter rdi (decimal): 0 Enter rsi (decimal): 0 Enter rdx (decimal): 0 Enter r10 (decimal): 0 Enter r9 (decimal): 0 Enter r8 (decimal): 0 Rax: 0x0
An important Binary Ninja HLIL note when reversing this binary is the importance of setting the right types for local variables. In the
blacklist function, an array of 7 blacklisted syscalls are initalised in a stack int array. However, if we do not create this array in the function local variables, the HLIL will not display the value of these blacklisted syscalls. Here are the screenshots to show this behaviour.
The banned syscall numbers are shown in the screenshot and correspond to various syscalls that allow for executing programs (needed for popping a shell), like
execveat. We can simply ignore this and perform a
write of the flag file, guessing the flag file name.
mmap can be used to create a temporary buffer in memory that we can read and write to, as the binary has PIE enabled, so it’s difficult for us to reuse existing RW- memory allocations.
The following annotated exploit code has more details.
I created super advanced encryption software for us to communicate securely.
nc jh2i.com 50015 (Solves: 72, 100 pts)
This challenge presents us with a menu that allows us to encrypt or decrypt text. However, the
decrypt option is not implemented so we are just limited to encrypting text.
Shifts Ahoy™ v1.0.2a What would you like to do? 1. Encrypt text. 2. Decrypt text. >
checksec the binary, we realise that the NX bit is not set, we have a stack mapped with RWX permissions!
This is very useful as we can load shellcode into the stack. Upon reversing the
encrypt function, we can note a trivial buffer overflow of the stack buffer which would allow us to overwrite 7 bytes into the saved RIP on stack, followed by a null byte.
Thus, we are allowed to call 1 arbitrary ROP gadget. Fortunately, I found that the execution state left
r15 pointing to our stack buffer, and there was a
jmp r15 ROP gadget in the binary. We could then trivially jump straight to shellcode in our payload. To take the encryption into consideration, we have to send a “decrypted” payload, considering that,
encrypt(decrypt(payload)) == payload
With this, we can pop a shell and get our flag!
Can you pwn me?
nc jh2i.com 50036 (Solves: 53, 100 pts)
This challenge was a very minimal binary with only 3 functions,
fn2. For interaction with the user, direct syscalls were used instead of calling libc functions. The bug was yet again a buffer overflow, with certain checks in place that were similar to stack cookies. However, the value was hardcoded and thus we can just write the correct value in our buffer overflow payload. An interesting note is that binary ninja seemed to overlook this check in the MLIL and HLIL views, I’m not sure why.
To exploit this, we can use ROP to set the value of
0x402000(address of the RWX .bss section), and jump to address
0x040105d in the middle of
fn1, which allows us to write into
0x402000 with any input. We can write our shellcode there, and allow the ropchain to bring us to
0x402000, popping our shell to get the flag.
Pwning on mobile is certainly possible, but is honestly quite an inconvenient experience. Especially after writing this writeup on the computer and being able to reference the computer web version of Binary Ninja Cloud, it’s really far more frustrating to use on mobile. However, I think this set-up could be a possibility for those who do not have access to computers due to their costs. With a phone, internet access, $5 USD/month and lots of patience to drag sliders around in binary ninja’s HLIL view, one could possibly practice pwning with a minimal budget.
Hopefully, I won’t have to do pwning on mobile much more in the future XD. But seeing as I’m going to be the Singapore army’s version of a security guard for 2 more years T-T, I may not have much of a choice…