SharifCTF misc 100 writeup

5 minute read

Today I am going to do a writeup for Sharif CTF challenge Mics100,

Find the camera model. 
Flag = SharifCTF{md5(Camera_Model)}

They provided us with a linux executable that displays a picture of palm trees and a beach.

running the binary

So the task should be pretty staraight forward, first we need to extract the picture from the executable, then mine the camera model from the picture itself. so lets open that image viewer in radare2 and see what we can get.

  ~ r2 Image_Viewer
[0x00401060]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x00401060]> iz
vaddr=0x00401468 paddr=0x00001468 ordinal=000 sz=13 len=12 section=.rodata type=ascii string=Image Viewer
vaddr=0x00401475 paddr=0x00001475 ordinal=001 sz=8 len=7 section=.rodata type=ascii string=destroy
vaddr=0x0040147d paddr=0x0000147d ordinal=002 sz=18 len=17 section=.rodata type=ascii string=/org/CTF/pic1.jpg

Third string is interesting, "/org/CTF/pic1.jpg" is most likely the picture we want to extract, although we don’t have any image in the this path, we can tell that it is jpg image, or at least it used to be before it was embedded in the binary. At this point I wanted to trace where is this sting used so I cross referenced it, and also figure what libarary is used for graphics.

[0x00401060]> afl
[0x00401060]> afl~imp
0x00400000    2 60           sym.imp._ITM_registerTMCloneTable
0x00400e70    2 16   -> 32   sym.imp.g_resources_lookup_data
0x00400e80    2 16   -> 48   sym.imp.gtk_image_new_from_pixbuf
...
...
...
0x00401030    2 16   -> 48   sym.imp.gtk_init
0x00401040    2 16   -> 48   sym.imp.g_bytes_get_data
0x00401050    2 16   -> 48   sym.imp.gtk_window_get_type
[0x00401060]> axt 0x0040147d
data 0x4012eb mov edi, str._org_CTF_pic1.jpg in sym.main

We are lucky because they used GTK, GTK is well documented, also interestingly the path of picture is referenced in main function, 0x4012eb should be good start point for disassembling.

[0x00401060]> s 0x4012eb
 [0x004012eb]> pd 20
           0x004012eb      bf7d144000     mov edi, str._org_CTF_pic1.jpg ; "/org/CTF/pic1.jpg" @ 0x40147d
           0x004012f0      e87bfbffff     call sym.imp.g_resources_lookup_data
           0x004012f5      488945c0       mov qword [rbp - local_40h], rax
           0x004012f9      e822fdffff     call sym.imp.gdk_pixbuf_loader_new
           0x004012fe      488945b8       mov qword [rbp - local_48h], rax
           0x00401302      488b45c0       mov rax, qword [rbp - local_40h]
           0x00401306      4889c7         mov rdi, rax
           0x00401309      e8a2fcffff     call sym.imp.g_bytes_get_size
           0x0040130e      4889c3         mov rbx, rax
           0x00401311      488b45c0       mov rax, qword [rbp - local_40h]
           0x00401315      be00000000     mov esi, 0
           0x0040131a      4889c7         mov rdi, rax
           0x0040131d      e81efdffff     call sym.imp.g_bytes_get_data
           0x00401322      4889c6         mov rsi, rax
           0x00401325      488b45b8       mov rax, qword [rbp - local_48h]
           0x00401329      b900000000     mov ecx, 0
           0x0040132e      4889da         mov rdx, rbx
           0x00401331      4889c7         mov rdi, rax
           0x00401334      e897fcffff     call sym.imp.gdk_pixbuf_loader_write; ssize_t write(int fd, void *ptr, size_t nbytes);
           0x00401339      488b45b8       mov rax, qword [rbp - local_48h]

so the non-existing path to pic1.jpg is passed to function g_resource_lookup_data, According gtk documentation this function will load file that used to have this file path from the binary resources, then we see 2 important functions too g_bytes_get_size and g_bytes_get_data These 2 should get the size of the jpg file as well as its contents. At this point we can load imageviewer in r2 debugger then intercept the data and dump it into another file

First lets exit the current session and start new one with -d argument for attach to debugger.

[0x004012eb]> q
  ~ r2 -d Image_Viewer 
Process with PID 30886 started...
= attach 30886 30886
bin.baddr 0x00400000
USING 400000
Assuming filepath /home/oddcoder/Image_Viewer
asm.bits 64

Next we need to set up 2 break points right after sym.imp.g_bytes_get_size and sym.imp.g_bytes_get_data and continue till the first breakpoint.

[0x7f6f8f970cd0]> db 0x0040130e
[0x7f6f8f970cd0]> db 0x00401322
[0x7f6f8f970cd0]> dc
hit breakpoint at: 40130e
= attach 30886 1

Now rax should hold the image size

[0x0040130e]> dr rax
0x00015fb0
[0x0040130e]> dc
hit breakpoint at: 401322

Which looks reasonable, next we need to dump 0x15fb0 byte of memory from the address returned by sym.imp.g_bytes_get_data into a file and that should be the original jpg image.

[0x00401322]> wtf pic1.jpg 0x15fb0 @ rax
dumped 0x15fb0 bytes
Dumped 90032 bytes from 0x0135b160 into pic1.jpg
[0x00401322]> q
Do you want to quit? (Y/n)
Do you want to kill the process? (Y/n)
  ~ file pic1.jpg 
pic1.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72,
segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=8,
model=DSLR4781, orientation=upper-left, xresolution=120, yresolution=128,
resolutionunit=2, software=GIMP 2.8.16, datetime=2016:12:02 11:38:04],
progressive, precision 8, 355x382, frames 3

and bingo we got the camera model model=DSLR4781.

Leave a Comment