hackthebox ca2022 ctf

HackTheBox CA 2022 - Wide

Within this post I’ll be doing a write up of the Wide challenge from the HackTheBox Cyber Apocalypse 2022 CTF competition (14/05/2022). This write up will be written according to my thought process whilst I was trying to complete the challenge.

Reconaissance

First look

After I downloaded the file attached to the challenge on the CTF platform, I unpacked the zip file and took a look at the contents. To start off with, there was a binary file called wide and a file called db.ex. I decided to take a look at the wide binary to begin.

Executing the file in the terminal yielded the following output:

An unsuccessful attempt at executing the program

After adding db.ex as a parameter, I ran the command again.

The main menu of the program

There were several different dimensions I could choose to access in the program, so I tried accessing them one by one and checking them to see if they had anything interesting.

A password prompt from the program

Ah, it seemed that one of them was encrypted and required a password for access. I decided to take a closer look at the wide binary in radare2.

Analysis

After seeking to the main function and printing the disassembled function, I decided to take a look through the instructions. Near the end of the function, the following function call attracted my attention:

1

           0x00000fee      e8f7f9ffff     call sym.menu

So next I seeked to the ‘sym.menu’ function and printed the contents of that too, with these lines being of particular interest to me:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

    │╎╎╎   0x00000cca      e891fbffff     call sym.imp.fgets          ; char *fgets(char *s, int size, FILE *stream)
    │╎╎╎   0x00000ccf      488d8d40ffff.  lea rcx, [s]
    │╎╎╎   0x00000cd6      488d8540feff.  lea rax, [pwcs]
    │╎╎╎   0x00000cdd      ba10000000     mov edx, 0x10               ; size_t n
    │╎╎╎   0x00000ce2      4889ce         mov rsi, rcx                ; const char *s
    │╎╎╎   0x00000ce5      4889c7         mov rdi, rax                ; wchar_t *pwcs
    │╎╎╎   0x00000ce8      e843fbffff     call sym.imp.mbstowcs       ; size_t mbstowcs(wchar_t *pwcs, const char *s, size_t n)                                                                                                                      
    │╎╎╎   0x00000ced      488d8540feff.  lea rax, [pwcs]
    │╎╎╎   0x00000cf4      488d351d0400.  lea rsi, str.sup3rs3cr3tw1d3 ; 0x1118 ; U"sup3rs3cr3tw1d3" ; const wchar_t *s2
    │╎╎╎   0x00000cfb      4889c7         mov rdi, rax                ; const wchar_t *s1
    │╎╎╎   0x00000cfe      e8fdfaffff     call sym.imp.wcscmp         ; int wcscmp(const wchar_t *s1, const wchar_t *s2)
    │╎╎╎   0x00000d03      85c0           test eax, eax
   ┌─────< 0x00000d05      0f85ae000000   jne 0xdb9
   ││╎╎╎   0x00000d0b      c78534feffff.  mov dword [var_1cch], 0
  ┌──────< 0x00000d15      eb7c           jmp 0xd93

It appeared that the section was getting some input from the user using fgets and then comparing it to another string, ‘sup3rs3cr3tw1d3’, which is of type wchar. I wasn’t actually aware of this type of string, so I decided to research it in comparison to other types. Eventually, I came across this wikipedia page which explained that they are effectively characters which have sizes greater than 8 bits and are therefore different to the typical ascii standard. To confirm this, I decided to run strings on the binary and see if the ‘sup3rs3cr3tw1d3’ string would show.

Running strings on wide and filtering the output with grep

Clearly, strings only looked for ascii strings when it scanning the content of files. Interesting.

Exploitation

Next, I decided to attempt to input the ‘sup3rs3cr3tw1d3’ string as the password when prompted in the program.

Successfully inputting the password and retrieving the flag

There we go, that was a rather short challenge, but an interesting one nonetheless.

Mitigations

Security by obscurity

The usage of the wchar type in c is not an effective method for storing encryption keys for sensitive content, as despite taking longer for discovery of the key in some circumstances, it’s useless for truly securing the key. Ideally, the key should not be present in the file and the program would simply attempt to decrypt the text with the given password and check for the ‘HTB{’ header in the text to tell if the decryption was successful.

Monero

Monero

Licensed under CC BY-NC-SA 4.0
© 2022 - 2024 A feat of security
Built with Hugo
Theme Stack designed by Jimmy