Hack.lu CTF 2012 – #18 Zombie Lockbox (200 points)
Challenge
Some zombies use a lock box with a not so complicated authentication system to hide their food (brains) from unwanted thieves. Since non-infested brains are rare these days, you desperately need one for your local science team for dissection, so they can continue working on some sort of cure again. So, are you able to open one of these rare lockboxes? SSH: ctf.fluxfingers.net PORT: 2094 USER: ctf PASS: LkxiPPsxYzzsxf
Let’s see what we have here.
# md5sum zombie-lockbox aad4ea4ccfc0a402c70681ddabe27d1f zombie-lockbox # file zombie-lockbox zombie-lockbox: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped
Load this one in IDA.
.text:08048539 mov eax, offset aZ0mb1ez_haq_te ; "z0mb1ez_haq_teh_sh1t"
A local run confirms this is the password. Wooot! But….on the CTF server is does not accept this password, there is something strange going on here. It seems our executable is linked against libc (duh) but libc has been changed. We can see a libc.so.6 and libc.so.6.bak file on the CTF server. Are we going to load these into IDA or use a more powerful method. đŸ˜‰
# strings -a libc.6.so > v1 # strings -a libc.6.so.bak > v2 # diff v1 v2 3575,3579c3575,3578 > @dlol_ > @hz0mb > @l1ez_ > @pc4nt > @t_haq
We found the following password: lol_z0mb1ez_c4nt_haq. Inputting this on the CTF server as password gave us the answer key.
Answer key: GETEUID_YOU_NASTY_BITCH
Thanks for your writeup, however finding that libc.6.so.bak was actually not intended by me, as
I forgot to delete it from the Server … Minor but annoying fail …
cutz
October 25, 2012 at 5:10 pm