Sunday, 31 January 2016

CTF Writeup - HackIM 2016 - ZorroPub (RE 100)


  • Name - Zorro Pub
  • Category - Reverse Engineering
  • Points - 100
  • Description - N/A
  • Binary - Download here

Running the 64-bit ELF:

root@kali: ~/Desktop
root@kali:~/Desktop# ./zorro_bin Welcome to Pub Zorro!! Straight to the point. How many drinks you want?5 OK. I need details of all the drinks. Give me 5 drink ids:100 200 300 400 500 Looks like its a dangerous combination of drinks right there. Get Out, you will get yourself killed root@kali:~/Desktop#


The binary first accepts an integer, the number of drinks, and asks for a number of drink IDs equal to the first number. In the above example I've put '5' as the number of drinks and hence it expects 5 drink IDs. Let's load it in IDA.

Starting from the bottom, it's clear where we need to get to. Also, it shows that the flag is computed during the program's execution; "strings" will not do the job.


Let's look at the top part of the binary now:


The program scans for an integer and moves onto the next section if it is greater than 0, if not it prints "You are too drunk!! Get Out!!" and exits. The next part is the main logic of the program. I've colour-coded the boxes to make it easier (hopefully) to decipher what's happening.



The colour-scheme legend:
  • Blue - Start of logic; Scans for input; call this Algorithm A
  • Pink - Call this Algorithm B
  • White - Final decision box
  • Red - Error boxes; program exits straight after
  • Green - Destination

Right after we give the program our first input (# of drinks) we arrive at the blue box at the top and Algorithm A starts. This simply scans for a digit, makes sure it's between 0x10 and 0xFFFF and XORes it with the previous input which, in the first round is 0x00. The process is repeated a number of times equal to the first parameter. The result of Alogrithm A is the XOR of all our drink IDs. When done, the program jumps to the pink boxes, Algorithm B.

Algorithm B grabs the resultant, say X, from Algorithm A and does the following:
  • X AND (X-1) = new X
  • Increment Counter
  • If X is not 0, repeat
  • If X is 0, stop
When Alogirthm B finishes, we end up in the white box in the middle. If the Counter in Algorithm B is not equal to 0xA, it displays "Looks like its a dangerous combination", else it moves onto the green box, our goal for the time being. The hurdle here is to force Algorithm B to repeat itself exactly 0xA times. This happens only when the algorithm is fed a number who's binary representation contains exactly 10 1's.

In the green box, the result from Algorithm A is used as a seed (srand()). The logic that comes after this is not of interest to us as it does not depend on our input. It's there to convolute the flag. So we know the following about the value(s) that can make it successfully to the green box function:
  • It doesn't matter if we input X as the drink ID or X1 and X2, where X1 ^ X2 = X
  • The value(s) should be between 0x10 and 0xFFFF
  • The value(s) must contain 0xA number of 1's when represented in binary format
I've chosen to input a single number as it's easier. Since the number can be between 16 and 65,535 I've used a bash 1-liner to brute-force the answer. As the range is very small I didn't bother limiting the input to only those numbers which contain 10 1's. I personally felt that this section of the RE challenge was not well made. Most of the interesting complications of the binary's workings were invalidated by the small search-space and not even required to obtain the flag.


root@kali: ~/Desktop
root@kali:~/Desktop# for i in `seq 1 65535`; do echo $i >> answers.txt; ./zorro_bin <<< $'1\n'$i$'\n' | grep -i 'choose right mix' >> answers.txt; done


Few minutes later we end up with the flag in answers.txt : You choose right mix and here is your reward: The flag is nullcon{nu11c0n_s4yz_x0r1n6_1s_4m4z1ng}

Tuesday, 26 January 2016

Arduino - Welcome to the World of Microcontrollers

I've recently developed a keen interest in hardware and microcontrollers and decided to document my journey. My learning method usually involves head-diving into a big project but this time I've taken a pragmatic approach and decided to acquire a solid foundation before moving onto bigger projects.

The Arduino Environment


The Arduino environment is made up of the hardware itself, the Arduino board and shields, and the software, the Arduino IDE. Arduino Shields are add-on boards which can be stacked on top of the base Arduino board to extend its capabilites. A large range of shields exists, from Ethernet shields, to LCD shields, to RFID shields. We'll take a look at some of the shields in future posts. I'll be using the Arduino Uno in my examples but other Arduino boards can be used.

Arduino Board


The Arduino UNO board contains the following components:
  • ATmega328 Microcontroller - Main microcontroller; the only one that's programmable by the user.
  • ATmega16U2 Microcontoller - Handles the communication with the USB; non-programmable.
  • USB Connector - Used to transfer data and provides power to the board.
  • Reset Button - Resets the device.
  • Power Connector - Necessary when dealing with hardware which requires more power such as motors.
  • Pins - The connection to the outside world.
    • Digital I/O - Can be 1 (5V) or 0 (0V).
    • Analog Input - Accept analog input ranging from 0V to 5V. Note that they do not provide analog output.
    • Power/Reset - Provide power to a circuit.
    • ICSP (In-Cirduit Serial Programming) - Used to update the bootloader/firmware of the microcontrollers.



Arduino IDE


The Arduino IDE has everything required to get you started with coding for the Arduino. It can be downloaded from arduino.org.

It provides the following main features:
  • A coding environment to write sketches (Arduino Programs) in.
  • Debugs, cross-compiles and uploads sketches to the ATmega328 microcontroller.
  • A Serial Monitor used to debug sketches. We'll talk about this in the next part.
  • Several example sketches to get you started.



Setting up the Arduino Environment


Follow the steps below to set up a working Arduino environment:
  1. Download and install the Arduino IDE.
  2. Connect the Arduino board to the computer.
  3. Start the IDE.
  4. Select your Arduino board from Tools -> Board.
  5. Select the COM port your Arduino is attached to from Tools -> Port.
  6. To verify everything is working, load the Blink sketch from File -> Examples -> Basics -> Blink, and hit Upload.
  7. After a few seconds, the LED next to pin13 should be blinking.
For those who do not have access to the hardware, an online Arduino simulator can be found here.


Anatomy of a Sketch


Every Arduino sketch must contain these 2 functions:
  • Setup Function
    • Executes once at start, when the Arduino board is powered up
    • Used for initialisation
    • Does not take any arguments and returns void
  • Loop Function
    • Iterative for as long as the Arduino is powered on
    • Executes after the Setup function
    • Contains the main logic of the program
    • Does not take any arguments and returns void
As can be seen from the Arduino IDE screenshot, these 2 functions are already in place for us to use when a new sketch is created.


The Leap to Microcontrollers


A microcontroller is a System on a Chip (SoC) on a single integrated circuit containing a processor, memory (RAM & EEPROM) and I/O pins. Essentially it's the heart and brains of the circuit; it accepts input from sensors, processes it and serves output to electronic components. Microcontrollers simplify circuits. Without them it would be very hard to create logic and changes in logic could mean drastic changes to the circuit itself. Let's start by migrating a traditional simple circuit to an Arduino simple circuit.

A simple circuit looks like this:


The closed circuit contains a power source, in our case 5V supplied by the USB, an LED and a resistor. The resistor prevents the LED from burning as the power can be overwhelming. You can solder these components together or use a solderless breadboard. The latter is a board for prototyping of electronics as it allows components to be easily connected in a non-permanent fashon. The one I have looks like this:

The holes of a breadboard are internally connected to each other in rows of 5 holes and columns along the sides. So, for example, if an end of a resistor is in hole 3F and an end of an LED is in hole 3J, they're connected. If one end is in 15A and the other is in 30A, they're disconnected. With this at hand, let's create the simple circuit:
  • Connect a wire from the 5V pin to 1J
  • Insert a resistor in 1I and 7I
  • Insert an LED in 7H and 12H
  • Close the circuit by connecting 12I with ground

The circuit should look similar to this:



As expected, the LED lights as soon as the last wire is connected. If it doesn't, make sure the LED is placed in the right direction. LEDs allow current to flow only in one direction. In this example we do not need to program anything as we don't make use of the Arduino's microcontroller. Current simply flows from the 5V pin, to the resistor, to the LED, and back. Now let's do it the Arduino way.

The wiring is very similar. Instead of connecting the circuit to the 5V pin, connect it to one of the Digital I/O pins, say pin9. This is what gives us programmatic power as we can control the voltage on any of the Digital I/O pins. The electronic schematic of the circuit now looks like this:


The LED does not light straight away like it did in the previous example. We require code which tells the microcontroller to send power to pin9. Copy the code below to the Arduino IDE:

void setup() {
    pinMode(9, OUTPUT);
}

void loop() {
    digitalWrite(9, HIGH);
}


The code initialises pin9 as an OUTPUT pin and sets it to HIGH, allowing current to flow from this pin. Let's take this opportunity to introduce some basic, indispensable functions we'll be using in nearly every sketch.

  • pinMode (pin, mode) - Initialise pin to a specific mode
    • pin - The pin to be initialised
      • Digital Pins - 0 - 13
      • Analog Pins - A0 - A5
    • mode - The mode of operation
      • INPUT - Pin acts as a receiver
      • OUTPUT - Pin acts as a transmitter
      • INPUT_PULLUP - Pin acts as receiver with reverse polarity; HIGH becomes LOW and viceversa
    • Example - pinMode(9, OUTPUT)
  • digitalWrite (pin, value) - Assigns a voltage to a pin
    • pin - The pin in question
    • value - Voltage to be sent: HIGH(5V) or LOW(0V)
    • Example - digitalWrite(9, LOW)
  • digitalRead (pin) - Returns state of an INPUT pin.
    • pin - The pin in question
    • Return Values - HIGH(5V) or LOW(0V)
    • Example - int pinValue = digitalRead(9)

Hit the Upload button to verify the program and upload it to the microcontroller. If the LED lights up after a few seconds congrats, you've successfully built your first Arduino program. As a side node, pin 13 has a built-in LED attached to it which could be used instead without attaching any extra components.

This example might give the impression that the Arduino is just overhead as both circuits produce the same result but the 2nd example requires code. The leap to microcontrollers starts now! The LED in the 2nd example does nothing more than the LED in the 1st because we didn't program anything interesting for it to do. What if we want the LED to blink? I'll be honest, I'm not sure how this could be achieved using only electronics but, it is very easy to do with an Arduino. In fact, the circuit doesn't even need any changes; upload the following code:

void setup() {
    pinMode(9, OUTPUT);
}

void loop() {
    digitalWrite(9, HIGH);
    delay(1000);          
    digitalWrite(9, LOW); 
    delay(1000);          
}


This sketch sets pin9 to HIGH, waits for a second (delay(1000)), sets pin9 to LOW, waits for another second and repeats the process indefinitely. The result should like something like this:



Awesome isn't it ?? We now have a blinking light with no more complications than a simple circuit's.

Dealing with Digital Input


We'll now take a look at one of the most simple input devices a circuit can contain, the push-button. A push-button can be 1 of 2 states, ON, when pressed, and OFF, when released. Let's extend our previous circuit to include this and light the LED only when the button is being pressed.

The schematic of the input part looks like this:

Wire the circuit in the following manner:
  • Connect a wire from the 5V pin to 20J
  • Insert a push-button in 20F and 22F
  • Insert a resistor in 22H and 28H
  • Close the circuit by connecting 28I with ground
  • Connect the sensor wire to 22G and pin10

Once again we need a resistor to avoid frying the circuit. When the button is pressed, current flows from the 5V pin to the ground, since it's a closed circuit, but also to pin 10, which is used to detect when the push-button is pressed.

At this point the LED won't light up when the push-button is pressed. You've guessed it, we need code.

void setup() {
    pinMode(10, INPUT);
    pinMode(9, OUTPUT);
}

void loop() {
    if (digitalRead(10) == HIGH)
        digitalWrite(9, HIGH);
    else
        digitalWrite(9, LOW);
}


The setup function establishes that pin9 and pin10 are used as OUTPUT and INPUT pins, respectively. When pin10 is HIGH, i.e. the push-button is being pressed, pin9 is set to HIGH, i.e. the LED lights. When the switch is off, no current flows to pin10 and hence the LED is set to LOW, i.e. it's switched off. The sketch could be condensed to the following:

void setup() {
    pinMode(9, OUTPUT);
    pinMode(10, INPUT);
}

void loop() {
    digitalWrite(9,digitalRead(10));
}

Andddd a video of it working cause why not: