RPISEC – Modern Binary Exploitation

I recently discovered Modern Binary Exploitation (CSCI 4968) from Rensselaer Polytechnic Institute.  Students at RPI developed and taught the course, and the materials were made available for others to learn from.  Let’s learn something new.

Although these challenges are from Spring 2015, they are new to me and I wanted to take them on. There are 11 challenges.

  • crackme0x00a
  • crackme0x00b
  • crackme0x01
  • crackme0x02
  • crackme0x03
  • crackme0x04
  • crackme0x05
  • crackme0x06
  • crackme0x07
  • crackme0x08
  • crackme0x09

I’ll be going through these and will be posting my experiences. We’ll see how far I get. If you want to try them yourselves, you can download the challenges and have fun.

I am analyzing these crackme files in a 64-bit Ubuntu operating system.

[ crackme0x00a ]

One of the first and easiest things to check in a binary is its file type and its strings.  With the file command, we can see that this file is an ELF 32-bit LSB executable.

I am running 64-bit Ubuntu, so a 32-bit binary like this one won’t run until the 32-bit C library (the libc6:i386 package on Ubuntu) is installed.

The strings command can provide clues such as keywords, URLs, or other useful information.  In this case, it exposed the string “g00dJ0B!”, which looks like it could be a password.

Let’s go ahead and run the program.  Entering g00dJ0B! gives the Congrats! message.

That was it.  Moving on to crackme0x00b.

[ crackme0x00b ]

Following the same methodology as crackme0x00a, let’s check the file.  This file has the same characteristics as crackme0x00a.  It’s an ELF 32-bit LSB executable.

Checking the strings, nothing useful shows up for now except “Enter password:”, “Congrats!”, and “Wrong!”, just like in the previous challenge.

Let’s dig a little bit deeper by analyzing the hex dump with the xxd command.

After scrolling down the hex dump, we find something that looks interesting.

w…0…w…g…r…e…a…t…

We know from the file command that this is a 32-bit binary.  Each letter is followed by three null bytes: the password is stored as a wide-character string (wchar_t, 4 bytes per character on Linux), so the characters sit 4 bytes apart in the dump.  That is also why the default strings scan missed it: strings looks for runs of consecutive printable bytes, and here every printable byte is followed by three nulls.  GNU strings can search this encoding directly with strings -e L crackme0x00b (L selects 32-bit little-endian characters).
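To show concretely why the default strings scan found the password in crackme0x00a but not in crackme0x00b, here is an added Python example (not part of the original post or the RPISEC course materials) that scans a byte buffer the way strings does by default and the way strings -e L does for 32-bit wide characters. The SAMPLE buffer is constructed to resemble the .rodata layout seen in the hex dump; it is not extracted from the binary.

```python
import re

# Constructed sample buffer (not bytes taken from crackme0x00b): the prompt
# strings stored as ordinary NUL-terminated C strings, followed by the
# password stored as a wide string, L"w0wgreat", which on 32-bit Linux is
# 4 bytes per character (wchar_t), little-endian, i.e. UTF-32LE.
SAMPLE = (
    b"\x00" * 8
    + b"Enter password:\x00"
    + b"Congrats!\x00"
    + b"Wrong!\x00"
    + b"\x00" * 4
    + "w0wgreat".encode("utf-32-le")   # b'w\x00\x00\x000\x00\x00\x00w...'
    + b"\x00" * 4                     # wide NUL terminator
    + b"\x7fELF"                      # only 3 printable bytes: below min_len
)

PRINTABLE = rb"[\x20-\x7e]"   # the 7-bit printable range strings(1) uses


def narrow_strings(data: bytes, min_len: int = 4) -> list:
    """Roughly what `strings` does by default: runs of >= min_len printable bytes.

    A wide string never qualifies, because every printable byte in it is
    followed by three NULs, so the longest printable run is one byte.
    """
    pattern = PRINTABLE + rb"{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def wide_strings(data: bytes, min_len: int = 4, width: int = 4) -> list:
    """Roughly what `strings -e L` does: a printable byte followed by
    width-1 NUL bytes, repeated at least min_len times.

    width=2 gives the 16-bit variant (`strings -e l`), which is what you
    want for UTF-16 strings in Windows binaries.
    """
    unit = PRINTABLE + rb"\x00" * (width - 1)
    pattern = rb"(?:" + unit + rb")" + rb"{%d,}" % min_len
    # Keep only the first byte of each code unit to recover the ASCII text.
    return [m.group()[::width].decode("ascii") for m in re.finditer(pattern, data)]


if __name__ == "__main__":
    print("narrow:", narrow_strings(SAMPLE))   # ['Enter password:', 'Congrats!', 'Wrong!']
    print("wide:  ", wide_strings(SAMPLE))     # ['w0wgreat']
```

To run it against the real file, replace SAMPLE with the contents of open("crackme0x00b", "rb").read(); the equivalent binutils invocation is strings -e L crackme0x00b. The takeaway is that a clean default strings output does not mean a binary has no embedded secrets, only that none are stored as consecutive printable bytes.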

Assembling the characters gives w0wgreat, but let’s confirm it by analyzing the binary more deeply with Radare2, a reverse-engineering framework for disassembling and debugging programs.  We launch Radare2 with r2 crackme0x00b, then analyze everything with the triple-a command, aaa.

Taking a closer look at the main function with the print-disassemble-function command (pdf @ main) gives us more detail to analyze.  Immediately we can see the str.w0wgreat reference, confirming that this is the string the password is compared against.

Firing up the crackme0x00b binary and entering w0wgreat yields our desired Congrats! message.

With a few tools, we were able to dig into the binaries and find the information we needed to crack crackme0x00a and crackme0x00b.  Stay tuned for the next analysis, on crackme0x01.


References

Modern Binary Exploitation – CSCI 4968 – Spring ’15
Modern Binary Exploitation – Course Materials – GitHub
