Skip to content
Branch: master
Find file History

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.

Files

Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
.gitkeep
README.md
mlinux.iso

README.md

Secret IMAGination

Category: Reverse

Points: 995

Description:

Here's a minimal system image. Evil kackers know a way to IMAGine secrets, so your task is to bring them to the real world.

You may need to surround flag with kks{}

https://drive.google.com/open?id=1GeXYdPdKDx2xeWaqd9_FxitWxkwpLlGY

@servidei9707

WriteUp

mlinux.iso

We have got image of filesystem. First of all, we try to run it in VirtualBox. After start the image demands password. Enter something string:

enter-something.png

We received:

Wrong password!

Then, we should to unpack image to understand the logic of application. For example, on Debian:

$ 7z x mlinux.iso

And we received:

ll-of-iso.png

We are interested in kernel.gz and rootfs.gz. Unpack them:

  • kernel.gz use binwalk: $ binwalk --extract kernel.gz

The result will be one file 43B1 - ELF 64-bit, statically linked, stripped.

  • rootfs.gz is simple: $ gunzip rootfs.gz. The outcome file rootfs - ASCII cpio archive (SVR4 with no CRC). To get init we again make use of binwalk:

$ binwalk --extract rootfs. And got:

rootfs.png

After reading init we see /bin/task.

Let`s begin reverse task - ELF 64-bit, statically linked, not stripped.

main-task.png

In main function we can see, that program get from stdin 20 symbols and open file descriptor /pass to write our string, which we input. Then syscall is called.

syscall.png

As you can see, program calls custom syscall with id 1337.

Then we should reverse 43B1 . In task is called path /pass. Try to find it in 43B1. After call kernel_path proceed to the next call function. We see string md5, suppose, that function generate md5 from our input string. The next function is called with 3 parameters:

  • edx - 16;
  • rsi - md5 from our input string;
  • rdi - string, which is located in .rodata;

Reverse this function, we have found out, that it has compared two strings.

kernel-check.png

Therefore, string, which is located in .rodata - md5 from true password.

true-md5.png

Take advantage of https://hashkiller.co.uk/Cracker to decode hash. We got diviz_)(159$=*@. Try to enter this string - you receive flag.

flag: kks{Y0u_d0n7_n33D_70_p47ch_k3rn3l_by_y0r53lf}

You can’t perform that action at this time.