Old Devil

Challenge:

We found this program written by luciafer. She used it to hide a password in the form of a flag. See if you can find the flag in the program.

Download File
SHA1: dbaec5a38890cb8977865f321de4bf0e8ad2604f
Password: d34df4c3

Solution:

Executing the binary prompts the user to enter a name:

$ ./demon 

Luciafer v1.0
Say the demon's name to gain access to the secret.
Enter the demon's name: pingtrip

That is not the demon's name.

Our workflow was the same as in the Cereal Killer challenge. We open the binary in gdb and disassemble the main() function to locate where the user's input is validated. The relevant excerpt:

   0x0000555555555225 <+192>:	lea    rdi,[rip+0xe3e]        # 0x55555555606a
   0x000055555555522c <+199>:	mov    eax,0x0
   0x0000555555555231 <+204>:	call   0x555555555040 <printf@plt>
   0x0000555555555236 <+209>:	lea    rax,[rbp-0x2f]
   0x000055555555523a <+213>:	mov    rdi,rax
   0x000055555555523d <+216>:	mov    eax,0x0
   0x0000555555555242 <+221>:	call   0x555555555060 <gets@plt>
   0x0000555555555247 <+226>:	lea    rdx,[rbp-0x3b]
   0x000055555555524b <+230>:	lea    rax,[rbp-0x2f]
   0x000055555555524f <+234>:	mov    rsi,rdx
   0x0000555555555252 <+237>:	mov    rdi,rax
   0x0000555555555255 <+240>:	call   0x555555555050 <strcmp@plt>

We verify that the gets() call at <+221> is the one reading the name by examining the string whose address is loaded into RDI for the printf() call just before it. (Note that gets() fills the buffer at rbp-0x2f with no length limit, but for this challenge we only need the flag, not an overflow.)

gdb-peda$ x/s 0x55555555606a
0x55555555606a:	"Enter the demon's name: "

Now that we've located the input validation, we set a breakpoint on the strcmp() call at <+240> that follows the gets() and run the binary:

gdb-peda$ b *0x0000555555555255
Breakpoint 2 at 0x555555555255
gdb-peda$ run

As in the Cereal Killer challenge, when the breakpoint is hit the flag is already sitting at the top of the stack in peda's context display:

0000| 0x7fffffffdf00 ("flag{AdraMMel3ch}")

For the sake of completing the exercise we also checked the two buffers strcmp() compares. The x86-64 calling convention passes them in RDI and RSI, but the two mov instructions just before the call copy those pointers from RAX and RDX, which still hold the same values at the breakpoint, so either pair can be inspected. The name the binary expects is in RDX:

gdb-peda$ x/s $rax
0x7fffffffdf21:	"PingTrip"

gdb-peda$ x/s $rdx
0x7fffffffdf15:	"Adrammelech"
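The locate-and-break steps above can be scripted. The following Python is an added example, not part of the original write-up: it parses the gdb disassembly excerpt (reproduced inline as constructed sample input), finds the gets() call and the strcmp() that follows it, derives the breakpoint address and the rbp-relative offsets of the two buffers being compared, and emits the gdb commands that dump both strcmp() arguments. The function and variable names are ours, and the inference about the maximum length of the expected string from the gap between the two stack slots is a heuristic, not something gdb reports.

```python
import re

# Constructed sample input: the `disassemble main` excerpt quoted in the
# write-up above (Intel syntax as printed by gdb-peda). In practice, paste in
# the full output of gdb's `disassemble main`.
DISASSEMBLY = """
   0x0000555555555225 <+192>:   lea    rdi,[rip+0xe3e]        # 0x55555555606a
   0x000055555555522c <+199>:   mov    eax,0x0
   0x0000555555555231 <+204>:   call   0x555555555040 <printf@plt>
   0x0000555555555236 <+209>:   lea    rax,[rbp-0x2f]
   0x000055555555523a <+213>:   mov    rdi,rax
   0x000055555555523d <+216>:   mov    eax,0x0
   0x0000555555555242 <+221>:   call   0x555555555060 <gets@plt>
   0x0000555555555247 <+226>:   lea    rdx,[rbp-0x3b]
   0x000055555555524b <+230>:   lea    rax,[rbp-0x2f]
   0x000055555555524f <+234>:   mov    rsi,rdx
   0x0000555555555252 <+237>:   mov    rdi,rax
   0x0000555555555255 <+240>:   call   0x555555555050 <strcmp@plt>
"""

INSN_RE = re.compile(
    r"^\s*0x(?P<addr>[0-9a-fA-F]+)\s+<\+(?P<off>\d+)>:\s+(?P<mnem>\w+)\s*(?P<ops>.*)$"
)
RBP_RE = re.compile(r"\[rbp-0x(?P<off>[0-9a-fA-F]+)\]")


def parse(text):
    """Turn gdb disassembly lines into dicts of address, mnemonic and operand text."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            insns.append({"addr": int(m["addr"], 16),
                          "mnem": m["mnem"],
                          "ops": m["ops"].strip()})
    return insns


def _call_index(insns, sym, start=0):
    """Index of the first `call ... <sym@plt>` at or after `start`, else None."""
    tag = f"<{sym}@plt>"
    for i in range(start, len(insns)):
        if insns[i]["mnem"] == "call" and tag in insns[i]["ops"]:
            return i
    return None


def _rbp_offset(insn):
    """Offset N for a `lea reg,[rbp-0xN]` instruction, else None."""
    if insn["mnem"] != "lea":
        return None
    m = RBP_RE.search(insn["ops"])
    return int(m["off"], 16) if m else None


def locate_check(insns):
    """Find the gets() -> strcmp() pattern and describe the stack layout it implies.

    Returns None if the pattern is absent. Otherwise a dict with the address to
    break on (the strcmp call), the rbp-relative offsets of the user buffer and
    of the buffer it is compared against, and the longest string that fits in
    the expected-value slot if the two slots are adjacent (heuristic: the
    compiler may leave padding between locals).
    """
    gets_i = _call_index(insns, "gets")
    if gets_i is None:
        return None
    strcmp_i = _call_index(insns, "strcmp", start=gets_i + 1)
    if strcmp_i is None:
        return None

    # The buffer gets() writes into is the last rbp-relative lea before its call.
    user_buf = None
    for insn in reversed(insns[:gets_i]):
        user_buf = _rbp_offset(insn)
        if user_buf is not None:
            break
    if user_buf is None:
        return None

    # Between the two calls, the other rbp-relative lea names the value that
    # strcmp() compares the input against.
    expected_buf = None
    for insn in insns[gets_i + 1:strcmp_i]:
        off = _rbp_offset(insn)
        if off is not None and off != user_buf:
            expected_buf = off
            break
    if expected_buf is None:
        return None

    # A larger rbp offset is a lower address: if nothing sits between the two
    # slots, the expected string plus its NUL occupies (expected_buf - user_buf) bytes.
    max_len = expected_buf - user_buf - 1 if expected_buf > user_buf else None
    return {"break_at": insns[strcmp_i]["addr"],
            "user_buf": user_buf,
            "expected_buf": expected_buf,
            "expected_max_len": max_len}


def gdb_commands(info):
    """gdb commands to stop at the comparison and dump both strcmp() arguments.

    The x86-64 SysV ABI passes them in RDI and RSI, so those registers are the
    ones to read whatever scratch registers the compiler used to build them.
    """
    return [f"break *{info['break_at']:#x}",
            "run",
            "x/s $rdi",   # first argument: what the user typed
            "x/s $rsi"]   # second argument: the name the program expects


if __name__ == "__main__":
    info = locate_check(parse(DISASSEMBLY))
    print(info)
    print("\n".join(gdb_commands(info)))
```

For the excerpt above this reports a breakpoint at 0x555555555255 and the two slots rbp-0x2f and rbp-0x3b, which are 12 bytes apart: exactly room for the 11-character "Adrammelech" plus its terminating NUL. The 0x5555... addresses are only meaningful inside gdb with ASLR disabled (gdb's default) and after the binary has been loaded; a breakpoint on the symbol itself (`break strcmp`) works before the first run and without knowing the address.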

We re-run the binary to validate our findings:

$ ./demon 

Luciafer v1.0
Say the demon's name to gain access to the secret.
Enter the demon's name: Adrammelech

You are correct.
flag{AdraMMel3ch}
