GHIDRA for Reverse Engineering (PicoCTF 2022 #42 'bbbloat')

Video Statistics and Information

Captions
Welcome back, everybody, to another YouTube video showcasing more of the picoCTF 2022 capture the flag. Hop over to my computer screen here. I am still running Kali Linux as the virtual machine that I'm going to be hacking from, and in this video we're going to tackle a new reverse engineering category challenge called bbbloat (bloat with many b's in front of it). It says, hey, can you get the flag? You're going to reverse engineer this binary. From the tags at the very top I do see this is a binary; I'm assuming we're going to be actually reverse engineering a real binary this time, and obfuscation, so there might be trying to hide some shenanigans, doing some weird stuff. Let's move into our reverse engineering category, make a directory for bloat, and wget this down.

All right, so I have an ELF 64-bit LSB PIE, or position independent executable, and I guess we're going to be digging around to see what the heck this thing does. I'll mark it executable and I'm going to try and run it just to get a feel for it. It says, what is my favorite number? Well, the obvious answer is 42, and it says, sorry, that's not it. Okay.

So I gotta be honest, before I crack open IDA Pro or Ghidra or any other disassembler, debugger or some other shenanigans, I will truthfully run and check the low hanging fruit with some command line utilities called strace and ltrace. If you aren't familiar with those: ltrace... oh, okay, never mind, strace, never mind. Do I have these installed? I do not. Let's go ahead and install them, and then maybe we'll have man pages. So strace and ltrace will kind of do a similar thing, like a debugger but not really whatsoever, because it's seeing how things run and operate alongside the binary without stopping it, without pausing it, without a breakpoint, but it'll try and list out any library calls that it makes from things like the C standard library or other specific ones. Let's try ltrace now with the man page. Yeah, yeah, yeah, see: a library call tracer. ltrace is a program that simply runs a specified command until it exits, but it intercepts and records the dynamic library calls which are called by the executed process and the signals that are received. Yeah, it mentions it's also very similar to strace; strace will trace system calls and signals. So it's worth the try just kind of running it alongside with ltrace and strace.

ltrace isn't going to give us any output really; it tells us it exited, though. Let's try it with strace, and then if that doesn't give us anything... oh, it spits out a whole lot of stuff: executing the application, accessing LD_PRELOAD, a shared object file, libc of course, reading in, mapping memory with some of these mmap functions and mprotect to set memory protections, etc., etc. But ultimately we see it writes out, hey, what is my favorite number; 27 was the amount of characters written. That is not its favorite number. write is going to put it to standard output, file descriptor number one, and read zero will read in from standard input, and we can just say, sure, 42. Yet again it says, okay, then it just simply uses write: sorry, that's not it.

Okay, so we probably do have to poke around with what this thing does. We could use something like objdump, with -d I think, which will disassemble. Yeah, okay, so that'll break apart and disassemble things. Let me see if I could scroll through this and see, okay, where might be something like the main function, or maybe just the strings, hey, what is my favorite number. You could use of course IDA or Ghidra, and realistically we should, but before we dive into the deep end with that, let's just use something like this text, run things and maybe see the output on standard out. It is going to be putting stuff on the stack, blah blah blah. Hmm, is this thing stripped, by the way? When we were in file, did we actually see anything? It is stripped. Uh-oh, okay. Well then, let's try: can I run gdb on this bbbloat, and then does GDB let me look for strings, because I want to try and key off of, yeah, search for the word number, maybe. How about that? Or we'll just, let me look for strings. Something like r2 might be able to do it. Well, you know what, let me stop beating around the bush. Let's get Ghidra going on this thing.

To run Ghidra: is Ghidra actually in the repositories? I don't know if I trust that. Ghidra is one of the many open source software projects developed by the National Security Agency, so some of the cool high-flying hipster guys over there put this thing out in March of 2019. There is a lot of other super cool stuff that has come with it, but it is a software reverse engineering tool. We could download it from GitHub; we can go and install stuff. In fact, let me look at the installation guide and click this download from GitHub button just as well. So I'm going to grab this file here; this is a zip file known as the asset, which is the absolute latest thing, not vulnerable to Log4j, nice, in January of this year. So what I'm going to do is I'm actually going to hop over to my /opt directory; that's where I've been putting a whole lot of stuff, that's where I like to leave my tools. Do I actually have Ghidra in here? ls... I don't. Good, so that makes me not as worried. Let's move the downloaded Ghidra, put it here. We can go ahead and unzip that Ghidra zip file and it'll carve through a whole ton of stuff. All I did was run the unzip command and now it will extract all of these files. If I hit ls you can see, hey, the ghidra PUBLIC folder is present there. I'm actually going to move and rename that to simply ghidra so it'll be a little bit easier for me to type, and I could just try and ./ghidraRun, usually a bash script, but it does need to have JDK 11 installed.

So what I could do is probably apt-cache search jdk 11, no, java 11, there it is, there it is, okay: openjdk JRE headless. I want the development environment. I don't know the difference between headless and regular, but I do want JDK, right? So let's do that, let's sudo apt install that. And all that I did there with apt-cache search was just try to find, hey, commands that might be associated with different repositories and things that I could download. Let's go ahead, yes on that, and fingers crossed that should be able to install Java in the proper way where ghidraRun will just be smart and be able to figure it out and run Ghidra for me. Looks like it's gonna take a couple seconds to install, or maybe it's done, I don't know. We'll just banter back and forth for a little bit or I'll pause the recording. Okay, finishing up, scanning candidates, Kali wants to restart stuff, sure thing. Now let's try ghidraRun, and it looks like it's kicking it off.

All right, we have a Ghidra user agreement; I agree. And when we use Ghidra we will have the help menu pop up; not a huge concern, we don't need the tips right away, but we will need to create a new project. If you go up here, you hit File, New Project, you can type in, hey, anything you want; non-shared project is totally fine. For your project name you can honestly call it whatever you want; I like to call it like g or ghidra. I don't know if it'll let me use ghidra. Okay, well, cool, good enough. And then you could use a CodeBrowser and you'd be able to open things up by clicking on the dragon. However, we did not give it any binary or program to look at, so I will actually open, or import a file with the I key. If you import a file you could specify, hey, let's go to the CTF directory, let's go to pico, let's go to reverse engineering, and let's go to bloat. Now that will be added and it'll say, yo, this is an executable and linking format, ELF; it is a Linux binary in x64 bit, and we'll throw it into Ghidra for your project. And we have the program name already saved. It'll do some quick analysis super duper quickly where you can kind of get a high level overview on what all is included here. Again, maybe just click OK, hit next, open up the dragon here. We'll eventually offer that, but I should have double clicked on this fella rather than just opening the tool chest.

Now we'll specify it. It says, hey, this file has not been analyzed, would you like to analyze it now? We can hit yes. Analyzers, you could choose if you wanted more of these here, but normally the defaults are just fine, and with that, it takes a couple seconds, but we should see it finally finish. I realize this is difficult for you to read because the text is so small, so I will go make some changes super duper quickly and I'll make the text bigger. Okay, so I've amped up the text size, so the middle section should be a little bit easier to read. And what I'm gonna do actually is I'm actually gonna look for some potential strings, because again I want to key off of the fact that it will actually tell me, hey, what is my favorite number. It'll ask me that and that is going to be printed out. So I'm going to click up Window and check out Defined Strings, and now that'll change that window over here on the right side, and I'll notice there is a "what is my favorite number" entry right here. So when I clicked on that, it brought me over in the actual disassembly view, where this is going to showcase all the potential different things that might be present in the binary, if it's assembly or instructions or things that it executes. However, it actually notes some cross references, or an XREF, for given data, for values and variables and things like that, because this is used in seemingly a function (that's what that FUN stands for) at a given memory address. We could try and double click on that, and with that it brings us over here to a load effective address instruction somewhere along in the program running and executing.

So what I'm going to actually go back to, over on the right hand side, is checking out the Decompile pane. The Decompile pane allows us to see this in kind of like C source code. It's very different, right, realistically, but it tells us there is more to be able to be retrieved here. I'm noticing as I look through this code, sure, we have a function name, and we can rename it if I right click it; also hit L to rename things on the keyboard. We'll do that; maybe this is our main function, so we'll rename it. We have a couple variables that are on the stack that are going to be used and present for this function. We also have, it looks like, all these variables are going to be including hexadecimal values. There's so many hexadecimal values here that part of me wonders if this is like a string just being built out somewhere. Where is that, a long at 0x20? Can I modify some of these and like change the values? Can I say, hey, I want the data type to be like a string or something? I wonder. I'm not good at this; this is where I make a fool of myself more often than not. Auto create structure, let's do it. Nope, probably didn't want to do that. Edit, undo, undo. Okay, I undo too far.

So while we could dig into the stuff that immediately jumps out at us, we should probably step through this function and kind of get an understanding as to what it does. It doesn't have a typeset for the moment; it has a strange name. Actually, if you right-click you can specify Rename Function, or use the letter L as a keyboard hotkey, and you can rename it to something like, hey, this is probably going to be the main function since it does run right away. We see there are a couple variables that are used within the function; a couple of these are undefined, and it looks like this local_38 is going to be referenced as some hexadecimal value which I'm going to assume is like a string just not being interpreted well. If you hover over it you can actually see different representations of it, and the character one right here is actually maybe just how it's going to be as if it were read out as ASCII characters. This doesn't look like a flag, but I assume it's going to be used later. However, again, if we just kind of take it piece by piece, we know, oh, we print out to the screen "what is my favorite number", we read in input, and that's probably going to be passed to like local_48, I assume, maybe some way somehow. Whatever, it's still going to end up being compared to 0x86187, a number, a hexadecimal number, right? So what if this function, this conditional statement, sorry, this if statement, if that were to return true, what it would end up doing is it would do some sort of function, FUN_00101249, based off of local_38, or the address here given all of these hexadecimal numbers, probably just something weird with it.

Yeah, so I just double clicked on the function there; I just wanted to kind of go see what did this thing do. Looks like it duplicates the string of the parameter that's passed in, also checks out the length of, okay, what it might have done, loops through it with the for loop, does some magic based off of, hey, here, where, etc. I'm assuming this is going to unmangle that string that's passed in, and we saw all those hex numbers; maybe it was trying to hide it for a reason, and that gets returned out. You could hit the back arrow on the top left and move back, or use like, hey, Alt+Left on your keyboard, like as if you're navigating in the browser. Now if we didn't get that right, if this condition did not get met, it says, sorry, that's not it, then it ends up closing the program and we're returning zero, end things off. So based off some, you know, deductive reasoning, the only check as to what might do something else other than "sorry, that's not it", well, that is the only activity we've seen thus far. It would be worthwhile to try and enter what this number could be; maybe this is their favorite number.

So I'll hop back over to my screen, my terminal here, and I'm just going to try and paste this into Python so I can understand, hey, what is that number? Sure, they give it to us in decimal, excuse me, in hexadecimal, you know, the 0x prefix, but I want to know what that is in decimal so I can just enter it in the way the program would probably expect. So if I now run bbbloat, actually let me go back to ctf, pico, reverse engineering, we were in the bloat folder. I can run this thing, it asks me what is your favorite number, and I'll paste in that value that we just saw, hexadecimal inside of Ghidra, decimal from what we got out of Python, and that is it, that's the flag. That's how we get the flag, right?

So all we did: hey, crack this thing open in Ghidra, try to make sense of the logic flow here. This other function, again, as I mentioned, probably scrambled or unscrambled this local_38 value, so if we want to rename this we could: unscramble_flag, and it puts it out to standard output. I'm going to assume, hey, that's gonna print out the flag for us, in which case that's how we could determine what that favorite number was. Pretty easy from that point on, right? We can echo this thing into bbbloat, we can grep -oE flag, excuse me, the flag format is picoCTF, and grab anything inside of curly braces there; color can be none, so we retrieve just the flag, and that we can save is how we can get the flag in the future, and we can cat that flag.txt out. But more importantly we can finish this and call that challenge done.

So not all too hard, just a matter of, hey, putting our big boy pants on and then, you know, throwing this thing in Ghidra might make our lives easier in the long run. Throw it into a real disassembler, try and piece together what the code does. Even if you don't know what you're doing, it's a matter of fumbling around and, I don't know, trying stuff; that's the whole fun of it. So thanks so much for watching, everybody. I hope you enjoyed this video. If you did, please do all those YouTube algorithm things, you know, like the video, subscribe, comment, etc., share, support; I appreciate any of it. But I really do hope you got something of value out of this. I know Ghidra might be a formidable foe, but the more time you spend with it, the better it is to gain more exposure and more familiarity. I cannot talk for this video; I gotta end this video. Everybody, thanks so much for watching, see you in the next one.
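The three small analysis steps the walkthrough does by hand (turning the 0x86187 constant from the decompiler into the decimal the prompt expects, reading a stack-built string out of the hexadecimal constants Ghidra shows for a local such as local_38, and pulling the picoCTF{...} flag out of program output with a regex) are collected below as an added Python example. This is not code from the video or from the challenge: the stack-slot constants, the function names, and the sample program output with its placeholder flag are all constructed here for illustration, not the real bbbloat values.

```python
import re
import struct

# picoCTF flag format: "picoCTF{" followed by anything up to the closing brace.
FLAG_PATTERN = re.compile(r"picoCTF\{[^}]*\}")


def hex_literal_to_decimal(literal: str) -> int:
    """Convert a hexadecimal literal as Ghidra prints it (e.g. "0x86187")
    into the decimal integer a scanf("%d")-style prompt expects on stdin."""
    return int(literal, 16)


def stack_constants_to_bytes(constants, width: int = 8) -> bytes:
    """Re-assemble a string that the compiler stored as a series of integer
    stores to adjacent stack slots. Ghidra's decompiler shows each slot as a
    hexadecimal constant; on little-endian x86-64 the lowest byte of each
    constant is the first character. `width` is the slot size in bytes."""
    fmt = {8: "<Q", 4: "<I", 2: "<H", 1: "<B"}[width]
    raw = b"".join(struct.pack(fmt, c) for c in constants)
    # A C string ends at the first NUL; drop the padding that follows it.
    return raw.split(b"\x00", 1)[0]


def extract_flag(program_output: str):
    """Return the first picoCTF{...} token in the output, or None if the
    binary printed only its rejection message."""
    match = FLAG_PATTERN.search(program_output)
    return match.group(0) if match else None


# Constructed decompiler constants (hypothetical, NOT the real local_38 value):
# two little-endian 8-byte stack slots that together spell "hello, world".
SAMPLE_SLOTS = [0x77202C6F6C6C6568, 0x646C726F]

# Constructed sample of program output; the flag body is a placeholder.
SAMPLE_OUTPUT = "What is my favorite number? picoCTF{placeholder_flag_text}\n"

if __name__ == "__main__":
    print(hex_literal_to_decimal("0x86187"))       # value to type at the prompt
    print(stack_constants_to_bytes(SAMPLE_SLOTS))  # b'hello, world'
    print(extract_flag(SAMPLE_OUTPUT))
    print(extract_flag("Sorry, that's not it!\n"))  # None
```

The stack-slot decoder is the same interpretation Ghidra offers when you hover a constant and pick its character representation; doing it in a script is useful when a string is spread over many slots. The decimal value is what you would feed the binary on the command line, the same way the video does with an echo into the program and a grep -oE on the result.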
Info
Channel: John Hammond
Views: 135,399
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: oTD_ki86c9I
Length: 17min 44sec (1064 seconds)
Published: Wed Apr 27 2022