Vivre pas cher (Living cheaply)
Difficulty: Medium
Statement
Our server has been hacked. That much is obvious.
They keep leaking our source code as soon as we update it.
You must find the origin of this backdoor as soon as possible.
Annie Massion, Postal Services
Solve
Mount the image (read-only, through a network block device):

```bash
sudo modprobe nbd
sudo qemu-nbd -r -c /dev/nbd1 cheap-life.img
sudo mount -o ro,noload /dev/nbd1p1 /mnt/tmp
```
Solve 1
We are looking for a backdoor:

```bash
sudo grep -ari backdoor tmp
tmp/usr/share/perl/5.32.1/perl5db.pl: return if $skipCvGV; # Backdoor to avoid problems if XS broken...
tmp/usr/share/perl/5.32.1/Dumpvalue.pm: return if $self->{skipCvGV}; # Backdoor to avoid problems if XS broken...
tmp/usr/share/perl/5.32.1/CPAN.pm: # backdoor: I could not find a way to record sessions
tmp/usr/share/perl/5.32.1/dumpvar.pl: return if $skipCvGV; # Backdoor to avoid problems if XS broken...
[...]
tmp/usr/sbin/groupdel:
[...]
tmp/etc/systemd/system/systembd.service:Description=backdoor
tmp/etc/systemd/system/systembd.service:ExecStart=/usr/sbin/groupdel start_backdoor
tmp/lib/libsysd.so:ELF>p@7@8
[...]
)W__gmon_start___ITM_deregisterTMCloneTable_ITM_registerTMCloneTable__cxa_finalizestart_backdoorprintfsleepputslibc.so.6GLIBC_2.2.5vu▒i �▒▒>�?�?�?�?▒@ @(@0@��H�H��/H��t��H���5�/�%�/@�%�/h������%�/h������%�/h������%�/h�����H�=�/H��/H9�tH�V/H��t �����H�=�/H�5�/H)�H��H��?H��H�H��tH�%/H����fD�����=M/u+UH�=/H��t
H�=-�Y����d����%/]������w���UH��H���}��}���1u(H��H�Ǹ�����H��H�Ǹ�����������H��H�����������H�H��debugREdIQUNLe1N5c3RlbURJc0FGcmVuY2hFeHByZXNzaW9uQWJvdXRMaXZpbmdPdXRPZlJlc291cmNlZnVsbmVzc1dpdGhMaXR0bGVNb25leX0KProgram running as intended.▒����4����\zRx
[...]
tmp/lib/libsysd.so: ,=
[...]
```
We don't know it yet, but the flag is right before our eyes. This grep turns up several files that potentially contain backdoor code: the Perl hits are harmless comments, but the unit file etc/systemd/system/systembd.service (Description=backdoor) starts /usr/sbin/groupdel with the argument start_backdoor, and lib/libsysd.so exports a start_backdoor symbol. If we quickly browse the files listed above, we notice that lib/libsysd.so contains the flag: the base64-looking string sitting between the strings "debug" and "Program running as intended." in its binary output.
Solve 2
We know the flag starts with DGHACK, and it may be stored base64-encoded, so we encode that prefix and grep for the result:
```bash
echo -n "DGHACK" | base64
REdIQUNL
```

```bash
sudo grep -ari "REdIQUNL" tmp/
[...]
REdIQUNLe1N5c3RlbURJc0FGcmVuY2hFeHByZXNzaW9uQWJvdXRMaXZpbmdPdXRPZlJlc291cmNlZnVsbmVzc1dpdGhMaXR0bGVNb25leX0K
[...]
```

```bash
echo 'REdIQUNLe1N5c3RlbURJc0FGcmVuY2hFeHByZXNzaW9uQWJvdXRMaXZpbmdPdXRPZlJlc291cmNlZnVsbmVzc1dpdGhMaXR0bGVNb25leX0K' | base64 -d
DGHACK{SystemDIsAFrenchExpressionAboutLivingOutOfResourcefulnessWithLittleMoney}
```
Solve 3
This time with the tool stringcheese, which searches a file for a pattern under various encodings (here it finds the base64 form directly in the raw image, without mounting it):
```bash
stringcheese DGHACK{ --file cheap-life.img
This is a large file and may take a long time to be treated, do you wish to continue? (y/N) : y
MATCH FOUND! In stream, using encoding base64:
DGHACK{SystemDIsAFrenchExpressionAboutLivingOutOfResourcefulnessWithLittleMoney}
```
Flag: DGHACK{SystemDIsAFrenchExpressionAboutLivingOutOfResourcefulnessWithLittleMoney}