Backdoor CTF 2013-BIN-50

The following writeup is about a R3D5, a small Information Security Club, meeting.

We decided that for our first activity, we would look for a website that already have Information Security challenges to decrease the amount of setup time needed. We found website which had a list of challenges, so we decided to go with the first one The rest of this writeup will be how we chose to work through this exercise.

The challenge provides a file, and its details are as follows:

One day, after getting tired of being made fun of by all the other hackers, he decided to finally take a look at BASH.
His first thoughts were 'Bash? Bash Windows? Oh those violent script kiddies!'. After finishing hundreds of online tutorials,
he accidentally (obviously)found a flag. His next status update was ' The script kiddies will never be able to get the flag from this password protected binary.
How dare he call you and us 'script kiddies'?! Take him down.

Here is the file . For 32bit users - file
The flag is SHA-256 of the MD-5 hash obtained.

So the first thing we did was download the only file provided “binaary50”. We immediately noticed that the file did not have an extension and attempted to open it with a text editor. It was clear that the file was not a text file as plenty of random ASCII character were littered throughout the file. To determine the file type of “binaary50” we ran

$ file binaary50

Which returns

binaary50: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=745172a5d855872a241d62ddf8a40bcad4bb07bc, not stripped

Showing us that this file is executable. Running it:

$ ./binaary50

yields the following output “Please provide the password”, so we guessed correctly. This is an executable program, but that begs the question of “what kind of executable”? So we can try to figure that out using the following program

Now that we know that this file is an executable that prompts us for the password, we wanted to see if we could extract any information from it. Remember, we saw a lot of gibberish and some human readable strings when we opened the file up in a text editor.

We can run the following command

$ strings binaary50

and filter the unrelated results by hand to get

  • Password is Advicemallard
  • Password is Butter
  • Password is Hoobastank
  • Password is Darth
  • Password is Jedimaster
  • Password is Masternamer
  • Password is Morpheus
  • Password is Neutron
  • Password is Coyote
  • Password is Tweety
  • Nothing to see here.
  • Please provide the password

So now we have some potential passwords. We than ran the program with each of the passwords as input on at a time like so:

$ ./binaary50 Advicemallard

Each of which ended execution with “Nothing to see here.”, except for “Masternamer” which returned 3cd50c6be9bbede06e51741928d88b7e, an MD-5.

Looking back to the original problem

The flag is SHA-256 of the MD-5 hash obtained.

We obtained the MD-5 , so we simply need to take the SHA-256 of this MD-5 and we have our key. Running:

echo -n 3cd50c6be9bbede06e51741928d88b7e | sha256sum

returns us our key