Application 3 **BROKEN**

Learn to reverse engineer through some common application security methods.
Forum rules
DO NOT POST ANSWERS OR SPOILERS! [IE: Mission Links, Mission File Names/Pages, Scripts/Code, etc.]

Posting these will result in warnings/bans!

Re: Application 3 **BROKEN**

Post by nexo on Fri Aug 29, 2014 6:43 pm

I think you know better than me what you are doing, but just changing that byte in that offset rendered my app unusable; it won't start (I'm running it through Wine, that might be an issue...). What you say may explain why there's a null char at the end of the GET string (reading one byte too many); that null gets in between the end of the hardcoded string and the value entered as a S/N. What I actually did is to add a "1" following the "=" at the end of the hardcoded string; that way I stopped having bad responses (it could have been any valid char, I liked 1). I didn't decompile it, so I don't actually know how it works.

Byte 166204 is the read length. Reduce it by one (0x2D - 0x01 = 0x2C). Hell, try changing the length and input data at the end of the string in the binary...


Well, that's nice ;) (saw the laugh). I don't know why it didn't work for me; just changing an integer shouldn't turn my app unusable. I think I did something wrong...
nexo
New User
Posts: 6
Joined: Tue Aug 26, 2014 10:12 pm


Re: Application 3 **BROKEN**

Post by conscience on Wed Oct 15, 2014 4:39 pm

Okay, so the application is broken. However, it is easy to fix, thanks mainly to occamsrzr who pointed out that tiny bit of editing that fixes up the null-character problem.
@nexo: It does so indeed. Give it a round of wireshark to see it yourself.
(It is however not about the length of the string, but a wrong starting offset)

The other bug is the Host HTTP header value sent being incorrect. Since you have plenty of space where you need to edit... Make a guess! You only have to add a few characters ;)

Now that you have verified your app is responding as it should, you can, at your pleasure, set up your whatever to make the application receive the answer it expects.

I hope I didn't spoil anything; my goal was only to help others fix the bugs so they can complete the challenge without any impediments.
Let him who has understanding recount the number of the beast, for it is a human number: His number is 0x029A.
conscience
Poster
Posts: 271
Joined: Thu Jan 08, 2009 9:05 pm
Location: 127.0.0.1


Re: Application 3 **BROKEN**

Post by LeDesassembleur on Tue Dec 09, 2014 6:02 pm

Thanks, conscience: it has helped me. I was blocked until I read your post. :)
LeDesassembleur
New User
Posts: 2
Joined: Tue Dec 09, 2014 6:00 pm


Re: Application 3 **BROKEN**

Post by Percival on Mon Jan 05, 2015 10:44 am

This mission was so much fun. I finally completed it and couldn't have done it without these great hints.
Thank you guys :D
Percival
New User
Posts: 2
Joined: Sun Nov 10, 2013 3:33 pm


Re: Application 3 **BROKEN**

Post by amardeep234 on Thu Jul 09, 2015 4:04 pm

2nd FIX:

So the 2nd issue is actually a bad redirect; it doesn't seem to redirect to the A record "www" correctly. Anyway, it can easily be bypassed by giving a totally bad HOST, and HTS ignores it.

I.e. this is good enough: "HOST: hts_admin_nooobs" and as you see a 200 OK response

So the 2 fixes for this application:

1. at offset 166204, change read position from 0x2D to 0x2C
2. at offset 166277, replace "hackthissite.org" with "hts_admin_nooobs"
amardeep234
New User
Posts: 10
Joined: Tue Nov 09, 2010 1:08 pm


Re: Application 3 **BROKEN**

Post by Guslarz on Wed Jul 29, 2015 11:37 am

Call me a weirdo, but usually I like taking a long way.

Without changing any code, I just moved all my network traffic through a custom proxy where I put a listener, and on request I sent my custom PHP.

It took me a while, but it was fun :D.
Guslarz
New User
Posts: 1
Joined: Wed Jul 29, 2015 11:32 am


Re: Application 3 **BROKEN**

Post by luckily on Mon Sep 21, 2015 3:49 pm

"1. at offset 166204, change read position from 0x2D to 0x2C" is the only fix it needed.

Vim lets you edit hex, I love it.

load as binary:
vim -b binary.exe
go into hex mode:
:%!xxd

reverse back into binary before saving
:%!xxd -r
save and quit
:wq

Solved this one with local DNS spoofing and running an Apache server.
tools:
dnsmasq
apache2
luckily
New User
Posts: 12
Joined: Mon Oct 27, 2014 2:22 pm


Re: Application 3 **BROKEN**

Post by Faithe25 on Thu Feb 11, 2016 10:11 pm

occamsrzr wrote: Alright fellas,

I've found the culprit. It is indeed an HTTP GET Request that includes a null character between the php var and the value.

Put simply, one too many bytes is copied from the binary to memory. Here's your fix:

Open the binary in a Hex editor. Change the value of the byte at offset 166204 from 0x2D to 0x2C.

The correct solution will now work. But just be aware, if there is an indication that the pw was wrong, I haven't found it, mostly because I don't care to go looking.




If anyone is still having issues with this challenge, then try this fix. After implementing this fix I was able to finish the challenge in about 30 seconds. Thank you occamsrzr!
Faithe25
New User
Posts: 8
Joined: Tue Aug 04, 2015 1:46 pm
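
An added example, not written by any poster in this thread: the one-byte edit quoted above (0x2D to 0x2C at offset 166204) done as a checked, in-place patch that refuses to write unless the byte at the offset holds the expected value. The thread does not say whether 166204 is decimal or hexadecimal; the decimal reading, the zero-filled sample file and the helper name `patch_byte` are assumptions.

```python
import os
import shutil
import tempfile


def patch_byte(path, offset, expected, new):
    """Overwrite one byte in place, only if it currently holds `expected`."""
    size = os.path.getsize(path)
    if not 0 <= offset < size:
        raise ValueError(f"offset {offset:#x} is outside the file ({size} bytes)")
    with open(path, "r+b") as fh:
        fh.seek(offset)
        current = fh.read(1)[0]
        if current == new:
            return False  # already patched, nothing to do
        if current != expected:
            raise ValueError(f"byte at {offset:#x} is {current:#04x}, not {expected:#04x}")
        shutil.copy2(path, path + ".bak")  # keep the untouched original
        fh.seek(offset)
        fh.write(bytes([new]))
    if os.path.getsize(path) != size:
        raise RuntimeError("file size changed; the patch was not in place")
    return True


def demo():
    # Constructed stand-in for the binary: zero padding with 0x2D at the
    # offset quoted in the thread, read as a decimal number (an assumption).
    offset = 166204
    data = bytearray(offset + 64)
    data[offset] = 0x2D
    path = os.path.join(tempfile.mkdtemp(), "sample.bin")
    with open(path, "wb") as fh:
        fh.write(data)
    results = {"first": patch_byte(path, offset, 0x2D, 0x2C)}
    results["again"] = patch_byte(path, offset, 0x2D, 0x2C)
    try:
        patch_byte(path, int("166204", 16), 0x2D, 0x2C)  # hex reading of the offset
    except ValueError as exc:
        results["hex_reading"] = str(exc)
    with open(path, "rb") as fh:
        results["patched"] = fh.read()[offset]
    with open(path + ".bak", "rb") as fh:
        results["backup"] = fh.read()[offset]
    return results


if __name__ == "__main__":
    print(demo())
```

The expected-value check is what catches a misread offset or an editor that shifted the file contents: the write is refused instead of producing a binary that no longer starts.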


Re: Application 3 **BROKEN**

Post by Starman11 on Sun Jul 31, 2016 7:17 am

I'm still stuck on this challenge, I've fixed the reading data problem, but I'm not sure of what to do next. Also, why is the hosts file useful in this mission? I tried entering a value for the key in the hex editor and using it to authenticate the program, but it didn't work, am I on the right track?

Oh never mind, I got it! :D
Starman11
Experienced User
Posts: 51
Joined: Wed Jul 27, 2016 9:07 am


Re: Application 3 **BROKEN**

Post by SemperFind on Mon Jul 03, 2017 8:20 pm

This one made me suffer way too much for how easy it was xD

The annoying part was fixing the app so it would connect. (Wireshark helped)

After that, it was just flipping a switch. All I needed was a hex editor. :)
SemperFind
New User
Posts: 3
Joined: Wed Jun 28, 2017 3:05 pm

