ColdwaterQ


DEF CON Quals - Access Control (Reverse Engineering 1)

by: ColdwaterQ on June 2 2015

This challenge was a rather simple reversing problem. Javantea and I worked on this.

The hint for this challenge was:

It's all about who you know and what you want.
access_control_server_f380fcad6e9b2cdb3c73c651824222dc.quals.shallweplayaga.me:17069

[Download Client](http://downloads.notmalware.ru/client_197010ce28dffd35bf00ffc56e3aeb9f)

When we connect to that host a connection ID is returned to us, and we are expected to reply with a version. Since we didn't know the version to send we tried running the client. The client requires the user to enter something before it will connect, so we opened the client in Hex-Rays, which showed that the client was expecting "hack the world". We ran the client again, entered the phrase, and watched the communication with the server in Wireshark.

With this we found that the communication worked as follows.

server: connection ID: {connectionid}

***Welcome to the ACME data retrieval service***
what version is your client?

client: version 3.11.54

server: hello...who is this?

client: grumpy

server: enter user password

client: {password which changes}

server: hello grumpy, what would you like to do?

client: list users

server: grumpy
mrvito
gynophage
selir
jymbolia
sirgoon
duchess
deadwood
hello grumpy, what would you like to do?

client: print key

server: {access denied message}

Running this a couple of times we found that the password changed every time, so we tried to reproduce the password ourselves. Looking at the client in Hex-Rays it was clear that the password was an XOR of the user name and the connection ID, with the connection ID starting at an offset of 0 to 3. That offset was probably derived from something; however, since the password could be tried multiple times, it was easier to try the password at each offset.

Once we had a client that could log in as grumpy (the user hard-coded in the provided client), we took the list of users and tried logging in as each of them, issuing "print key" after every login. The full list of users was:

grumpy
mrvito
gynophage
selir
jymbolia
sirgoon
duchess
deadwood

The user duchess was the only one that seemed to be allowed to view the key (which we took as a reference to Archer). As duchess we were presented with a challenge that looked similar to the generated passwords. That part of the connection is shown below.

server: connection ID: {connectionid}

***Welcome to the ACME data retrieval service***
what version is your client?

client: version 3.11.54

server: hello...who is this?

client: duchess

...

client: print key

server: challenge: {challenge value}
answer?

So we looked at the client again and found the part that handled the challenge and response. This was also an XOR, this time of the challenge against the connection ID, with the connection ID offset by six more than the offset used for the password.
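The two derivations above (password from the user name, answer from the challenge) are the same five-byte XOR-and-make-printable routine applied at different offsets into the connection ID. The following is an added example, not code from the original writeup or the challenge binary: it implements that routine offline and plays both sides of the exchange against a simulated server. The server is an assumption made so the code runs without the real service: it picks one offset of 0 to 3 per connection, checks the password with the same derivation, and expects the challenge answer at offset + 6, which is what the writeup observed; the real server's rule for choosing the offset is unknown. Connection IDs, the challenge string and the key value are constructed.

```python
import secrets

XOR_LEN = 5  # the client only ever derives five bytes, whatever the input lengths


def xor_bytes(a: bytes, b: bytes, n: int = XOR_LEN) -> bytes:
    """XOR n bytes of a against b, cycling whichever input is shorter."""
    return bytes(a[i % len(a)] ^ b[i % len(b)] for i in range(n))


def make_printable(raw: bytes) -> str:
    """Push control bytes into the printable range, as the client does."""
    return ''.join(chr(c) if c > 0x1f else chr(c + 0x20) for c in raw)


def derive(secret: str, connection_id: str, offset: int) -> str:
    """The client's derivation, used for both the password (secret = user name)
    and the challenge answer (secret = challenge), reading the connection ID
    from `offset` onwards."""
    if offset >= len(connection_id):
        raise ValueError('offset runs past the end of the connection id')
    return make_printable(xor_bytes(connection_id[offset:].encode(), secret.encode()))


class SimulatedServer:
    """Stand-in for the ACME service (assumed behaviour, not the real server):
    a fixed offset of 0 to 3 per connection, password checked with the same
    derivation, challenge answer expected at offset + 6."""

    def __init__(self, connection_id: str, offset: int, key: str, challenge: str):
        self.connection_id = connection_id
        self.offset = offset
        self.key = key
        self.challenge = challenge
        self.user = None

    def login(self, user: str, password: str) -> bool:
        """Wrong passwords may be retried, which is what makes the offset guessable."""
        if password == derive(user, self.connection_id, self.offset):
            self.user = user
            return True
        return False

    def print_key(self, answer_for):
        """Only duchess may read the key, and only after answering the challenge."""
        if self.user != 'duchess':
            return None
        expected = derive(self.challenge, self.connection_id, self.offset + 6)
        return self.key if answer_for(self.challenge) == expected else None


def find_offset(server: SimulatedServer, user: str):
    """Try the password at each candidate offset until the server accepts one."""
    for offset in range(4):
        if server.login(user, derive(user, server.connection_id, offset)):
            return offset
    return None


def retrieve_key(server: SimulatedServer, user: str = 'duchess'):
    """Full exchange: recover the offset via login, then answer the challenge at offset + 6."""
    offset = find_offset(server, user)
    if offset is None:
        return None
    return server.print_key(lambda ch: derive(ch, server.connection_id, offset + 6))


if __name__ == '__main__':
    cid = secrets.token_hex(8)  # constructed 16-character connection ID
    srv = SimulatedServer(cid, secrets.randbelow(4), 'KEY{constructed}', 'Q7x!p')
    print(retrieve_key(srv))
```

Because make_printable folds the 32 control bytes onto printable ones it is not injective, so the server side must compare derived strings rather than raw XOR output; the check above does exactly that.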

We sent that answer to the server and it returned the flag:

The only easy day was yesterday. 44564

Below is the client I wrote in Python.

```python
import socket
import time

HOST = '54.84.39.118'
PORT = 17069
NAME = 'duchess'


def send(text, find=None):
    """Send one line, wait for the reply, and report whether `find` appears in it."""
    print(text)
    s.sendall((text + '\n').encode())
    time.sleep(.5)
    resp = s.recv(9999).decode(errors='replace')
    print(resp)
    return find is not None and find in resp


def xorbin(a, b):
    """XOR the first five bytes of a and b, cycling whichever input is shorter."""
    q = 5
    output = ''
    for i in range(q):
        output += chr(ord(a[i % len(a)]) ^ ord(b[i % len(b)]))
    return output


def get_password(username, connectionid):
    """The client's derivation: XOR, then push control bytes into the printable range."""
    return ''.join(chr(ord(x)) if ord(x) > 0x1f else chr(ord(x) + 0x20)
                   for x in xorbin(connectionid, username))


s = socket.create_connection((HOST, PORT))
connectionid = s.recv(9999).decode(errors='replace').partition(': ')[2].partition('\n')[0]
print(connectionid)
s.recv(9999)  # the welcome banner and version prompt
send('version 3.11.54')

# The offset into the connection id is unknown (0 to 3) but wrong passwords
# can be retried, so try each offset until the greeting comes back.
for i in range(4):
    send(NAME)
    password = get_password(NAME, connectionid[i:])
    if send(password, NAME):
        break
else:
    raise SystemExit('no offset produced an accepted password')

s.sendall(b'print key\n')
time.sleep(.5)
resp = s.recv(9999).decode(errors='replace')
print(resp)
challenge = resp.partition(': ')[2].partition('\n')[0]
print(challenge)
# Same derivation for the challenge, with the connection id offset by six more.
send(get_password(challenge, connectionid[6 + i:]))
```

In order to see write ups for more challenges completed by others on Neg9 check out the neg9 site.