team pong

Dutch CTF "team pong" write-ups and other stuff

Hack.lu CTF 2012 – #18 Zombie Lockbox (200 points)


Challenge

Some zombies use a lock box with a not so complicated authentication system to hide their food (brains) from unwanted thieves. Since non-infested brains are rare these days, you desperately need one for your local science team for dissection, so they can continue working on some sort of cure again. So, are you able to open one of these rare lockboxes? 

SSH: ctf.fluxfingers.net 
PORT: 2094 
USER: ctf 
PASS: LkxiPPsxYzzsxf

Let’s see what we have here.

# md5sum zombie-lockbox
aad4ea4ccfc0a402c70681ddabe27d1f  zombie-lockbox
# file zombie-lockbox
zombie-lockbox: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped

Load this one in IDA.

.text:08048539                 mov     eax, offset aZ0mb1ez_haq_te ; "z0mb1ez_haq_teh_sh1t"

A local run confirms this is the password. Wooot! But… on the CTF server it does not accept this password; there is something strange going on here. It seems our executable is linked against libc (duh), but libc has been changed. We can see a libc.so.6 and a libc.so.6.bak file on the CTF server. Are we going to load these into IDA, or use a more powerful method? 😉

# strings -a libc.6.so > v1
# strings -a libc.6.so.bak > v2
# diff v1 v2
3575,3579c3575,3578
> @dlol_
> @hz0mb
> @l1ez_
> @pc4nt
> @t_haq

We found the following password: lol_z0mb1ez_c4nt_haq. Inputting this on the CTF server as password gave us the answer key.

Answer key: GETEUID_YOU_NASTY_BITCH
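
The diff shows the password in four-byte pieces prefixed with @d, @h, @l, @p and @t. Those prefixes are what strings would print for x86 stores of the form mov dword ptr [eax+disp8], imm32 (bytes C7 40 disp8 imm32) at offsets 0x64 through 0x74, which is how compiled code builds a string on the fly instead of keeping it in a data section. The script below is an added example, not part of the original write-up: the instruction encoding is an assumption inferred from the prefixes, the sample bytes are constructed, and find_stores, recover_strings and MAX_GAP are hypothetical names.

```python
import re

# x86 encoding C7 40 <disp8> <imm32> is: mov dword ptr [eax+disp8], imm32.
# The lookahead lets matches overlap, so a false hit cannot hide a real one.
STORE = re.compile(rb"(?=\xc7\x40(.)(.{4}))", re.DOTALL)
MAX_GAP = 32  # assumption: stores of one string sit within 32 bytes of each other


def find_stores(blob):
    """Return (file_offset, disp8, text) for every store of 4 printable bytes."""
    hits = []
    for m in STORE.finditer(blob):
        disp, imm = m.group(1)[0], m.group(2)
        if all(0x20 <= b < 0x7F for b in imm):
            hits.append((m.start(), disp, imm.decode("ascii")))
    return hits


def recover_strings(blob):
    """Group nearby stores, order each group by displacement, join the text."""
    groups, last_off = [], None
    for off, disp, text in find_stores(blob):
        if last_off is None or off - last_off > MAX_GAP:
            groups.append([])
        groups[-1].append((disp, text))
        last_off = off
    return ["".join(t for _, t in sorted(g)) for g in groups]


# Constructed sample: the five fragments from the diff, wrapped in the assumed
# instruction encoding, plus a non-printable store that must be ignored.
SAMPLE = (
    b"\x55\x89\xe5"                      # push ebp; mov ebp, esp
    + b"\xc7\x40\x64lol_"
    + b"\xc7\x40\x68z0mb"
    + b"\xc7\x40\x6c1ez_"
    + b"\xc7\x40\x70c4nt"
    + b"\xc7\x40\x74_haq"
    + b"\xc7\x40\x78\x00\x00\x00\x00"    # terminator store, filtered out
    + b"\xc9\xc3"                        # leave; ret
)

if __name__ == "__main__":
    for s in recover_strings(SAMPLE):
        print(s)
```

Run against a library that differs from its known-good copy, the same scan surfaces strings that were added as immediates in code, and sorting by displacement restores their order even when the compiler emits the stores out of sequence.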

Written by teampong

October 25, 2012 at 10:00 am


One Response


  1. Thanks for your writeup, however finding that libc.6.so.bak was actually not intended by me, as
    I forgot to delete it from the Server … Minor but annoying fail … :/

    cutz

    October 25, 2012 at 5:10 pm

