Defcon Quals challenge 2015 -- Twentyfiveseventy level WriteUp

Defcon Quals challenge 2015 -- Twentyfiveseventy level WriteUp

 

Not long ago, the Defcon Qualification ctf I attended was very interesting. I want to share with you the detail analysis of the longest level I used in this challenge.

This level is "Twentyfiveseventy" in the PWNABLE directory. Generally, the level in this directory should be obtained through a vulnerability. Download this file [file can be downloaded after the text], open it with IDA-Pro, and analyze what the program is doing, as well as possible bugs. Through reverse engineering, I gradually realized that the SNMP protocol seemed to be used in this program, and finally I saw the challenge Name Pointing to RFC 2570 before it was finally confirmed as SNMP V3.

Through disassembly and analysis of the program, we can see that the program loads the flag of the challenge into the memory at startup. This makes me more confident that the common method can no longer solve this problem.

 

Further analysis shows that as long as the correct authentication and encryption SNMP V3 GET packet receive the correct OID request, the program will return the flag value.
My first thought was to first find an open-source SNMP V3 program to create such a data packet. However, I have noticed that SNMP is implemented in TCP rather than UDP in the challenge. This also means that most of the databases I dug need to be converted to TCP. I remember that I executed the SNMP V3 library in the Java environment a few years ago. This challenge may be helpful.

This challenge seems to require a lot of programming, even if I already have an execution library. Check the previous disassembly and analyze whether there are obvious bugs. As I have observed, the program implements SNMPV3 using MD5 as the hash value and DES_CBC for encryption.

Displays the overall structure of SNMPV3.

 

The binary program in the challenge actually has a very strict parser, checking the field length, value, and so on. These checks usually send SNMP reports and fill in a new snmp get content to pass. The SNMP report is a packet whose most field values are empty. The SNMP server sends back an SNMP response packet. The fields include Engine Id, Engine Time, and Engine Boots.

In order to pass the parser, some fields in the Protocol still need to be carefully determined. In the program data section, I found username, engine id, and target OID. They are "lbs", "0x80007a6903deadbeefcafe", and "1.3.6.1.2.1.1.5.0.0.0 ". The remaining key fields need to construct a suitable package, review the function for setting encryption keys. Keys are actually randomly generated. Engine time sets seed and returns the client. As an added test integrity, the engine boots value is obtained from the first randomly generated number and can be used to verify whether the random number generation algorithm is correct.

 

To localize the engine time, the same random encryption key should be generated. Since my library is executed in Java, I need to execute some JNA code to use the local libc random function to ensure the algorithm is consistent.

interface CLibrary extends Library {CLibrary INSTANCE = (CLibrary) Native.loadLibrary(“libc”, CLibrary.class);void srand(int an_int);int rand();}public static byte[] get_auth_key( long passedSeed, long engineBoots ){byte[] retKey = new byte[32];//Seed itCLibrary.INSTANCE.srand((int)passedSeed);//Throw away onelong tempNum = CLibrary.INSTANCE.rand();long bootTest = (( tempNum >> 32 ) >> 25) + (( tempNum) & 0x7F )- (( tempNum >> 32 ) >> 25);if(engineBoots == bootTest){//Create the encryption keyfor( int i = 0; i < 32; i++){long retVal = CLibrary.INSTANCE.rand();retKey[i] = (byte) ((retVal % 94) + 32);}}return retKey;}

Next we will look for ways to break through identity verification. One of my teammates found a way to break through the predicament. The parser only copies and verifies the number of md5 bytes. Its length value is specified in the package. In addition, you can set the length, which means there is a 1/256 chance to match the first byte.

 

Finally, I integrated all the information. I opened the Java SNMP client and tried to obtain the flag after more than a dozen attempts.