Application 3 **BROKEN**

Learn to reverse engineer through some common application security methods.
Forum rules
DO NOT POST ANSWERS OR SPOILERS! [IE: Mission Links, Mission File Names/Pages, Scripts/Code, etc.]

Posting these will result in warnings/bans!

Re: Application 3

Post by impulse_x on Sun May 26, 2013 5:07 am

liantinis wrote:
limdis wrote:The mission is still broken. Sorry for the inconvenience.

To paraphrase ExtBasic mission 13: "It does validate. It really does".
Just finished it (without the program hanging at "Status : Reading data...").
Your friends (and mine) are a hex editor (no disassembler for this one), Wireshark and some creative* thinking.


I think I need some help with the 'creative thinking' part. I'm not known for my thinking (creative or otherwise). My mind's blank most of the time... but I will google it up and see how it goes. :)

Sure, fiddling with the hosts and/or setting up a server would work; but I'm curious as to how I'd go about the mission using hex editing only.

Ix


Re: Application 3

Post by liantinis on Sun May 26, 2013 3:51 pm

@impulse_x

All right, I must say that I respect people who don't give up trying, and since the following

limdis wrote:As for this thread. Until the challenge is fixed we're going to go soft on spoilers since a few of us are trying to rehack the simulation.


rather qualifies as a 'green light' (literally), I will try to clarify some basic concepts for you.

* As you already know, there aren't many things you can do (at least for this mission) with a hex editor apart from looking for strings and trying to figure out what they do, where they are used, etc. In our case, especially if you don't know much about assembly, a hex editor is the 'only' way to go. As you found out yourself, OllyDbg (and other disassemblers, like Win32Dasm) fail to fetch the strings. So, what now? Well, now is a good time to remember that the 'original' mission (i.e. the one that has no communication problems) can be beaten with nothing more than a hex editor. This fact should tell you right away that you have to change something in there to something else. (I know this sounds rather vague, but I can't say more on this as it would ruin the mission altogether.) All you have to do at this point is to find this 'something'. It's going to be a little hard since you can't actually verify that you have found the right one, due to the comm problem. But hey, the road to success is paved with trial and error...

* Now, let's say you have narrowed down your candidate 'somethings'. This is where Wireshark comes in handy. At this point the communication scheme should be quite obvious to you: the app 'says' something, the site 'says' something else, the app does its thing and all is OK (or not). In our case the site 'says' something 'crazy' (apparently), and the result is that our app doesn't know how to handle this and hangs... So, our goal here is to somehow make our app 'understand' what the site 'says'. In other words, we have to 'enhance its vocabulary', and Wireshark will provide this vocabulary. All you have to do is look; and of course bear in mind that an HTTP 'Bad Request' response is not a string saying 'Bad Request'. It comes 'packaged' into something bigger...

* ... which brings us to the last part of this tut... I mean post ;) : There's a possibility that the app still hangs, even though you were correct in finding your way through the previous steps. Then (even though you don't have access to the app's source code) you have to think a little bit like a programmer, and especially think about what a programmer does when dealing with variables (that is, if he/she wants to avoid 'bad' things like, say... buffer overflow...).

There it is, I hope you'll find this helpful and I really hope that it doesn't spoil the fun.
Your next post should be a success one... 8-)


@limdis

limdis wrote:Right so, a few days back I said I was going to try this. There are a couple of 'easy' ways, but it REALLY got me thinking and now I've been trying to pull it off with some TCP injection, without being MITM.


Are you talking about TCP sequence prediction? That sounds interesting enough...

By the way, I noticed that the platform probably uses nginx as a load balancer proxy and, as you might already know, nginx has a reputation of throwing 'Bad Requests' a little too often. Maybe that's a reason for this situation.
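As an added illustration of the two points above, the 'packaged' Bad Request and the programmer's bounded variables (example code written for this page, not the mission binary's code and not anything posted in the thread; every reply it parses is constructed), here is a naive token-scanning client beside a client that parses the HTTP status line, the headers and a length-capped body:

```python
# Added illustration (not the mission's code): an HTTP "Bad Request" arrives
# wrapped in a status line, headers and an HTML body; a client that only knows
# a fixed set of reply tokens waits forever on it. Replies are constructed.
import re

def build_reply(status, body, server="nginx"):
    # Minimal HTTP/1.1 reply with a correct Content-Length.
    head = f"HTTP/1.1 {status}\r\nServer: {server}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode() + body

OK_REPLY = build_reply("200 OK", b"VALID\n", server="example")
BAD_REPLY = build_reply("400 Bad Request",
    b"<html><head><title>400 Bad Request</title></head>"
    b"<body><center><h1>400 Bad Request</h1></center></body></html>\r\n")

def naive_client(raw):
    # Two-word vocabulary: scan raw bytes for a token, keep waiting otherwise.
    if b"INVALID" in raw:
        return "invalid"
    if b"VALID" in raw:
        return "valid"
    return None  # nothing it understands: the hang described in the thread

_STATUS = re.compile(rb"^HTTP/1\.[01] (\d{3}) ([^\r\n]*)$")

def parse_response(raw, max_body=256):
    # Status line, headers, then a body bounded by the buffer the caller has.
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    m = _STATUS.match(lines[0])
    if not m:
        raise ValueError("bad status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", b"0"))
    if length > max_body:  # fixed-size buffer guard instead of an overflow
        raise ValueError(f"body of {length} bytes exceeds {max_body}-byte buffer")
    if len(rest) < length:
        raise ValueError("body truncated")
    return int(m.group(1)), m.group(2).decode(), headers, rest[:length]

def robust_client(raw):
    # Same decision, made from the parsed status code and body instead.
    code, reason, _, body = parse_response(raw)
    if code != 200:
        return f"server-error:{code} {reason}"
    return "valid" if body.strip() == b"VALID" else "invalid"
```

The naive client returns nothing at all for the 400 reply, which is the analogue of the app sitting at "Reading data..."; the robust one reports the status it actually received and refuses a body bigger than the buffer it set aside.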


Re: Application 3

Post by impulse_x on Mon May 27, 2013 9:15 pm

liantinis wrote:@impulse_x

All right, I must say that I respect people who don't give up trying, and since the following

Your next post should be a success one... 8-)


And boy aren't you right.

Just completed this mission.

The hints that helped me:

1) increase/modify app3win's vocab
2) the response to app3win's initial connection attempt when sending the key.

Of course, what I did kinda screwed up app3win's response... but I got it. :)

Thanks liantinis!!

Ix


Re: Application 3

Post by limdis on Tue May 28, 2013 7:15 am

liantinis wrote:Are you talking about TCP sequence prediction? That sounds interesting enough...

By the way, I noticed that the platform probably uses nginx as a load balancer proxy and, as you might already know, nginx has a reputation of throwing 'Bad Requests' a little too often. Maybe that's a reason for this situation.

Yep, exactly. I know I'm making this far more difficult than it should be, but it's also pushing me into new territory so I consider it a win :geek:
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."


Re: Application 3 **BROKEN**

Post by whitewren on Wed Aug 21, 2013 1:49 pm

Just generated an IP loopback and crashed my machine trying to do this one.

Nooby mistake, if I do say so myself.

So I changed a few values in hex to what I'm sure would bypass the SN verification, but still no cookie. PM me? :)


Re: Application 3 **BROKEN**

Post by occamsrzr on Sun Sep 15, 2013 3:55 pm

Is the GET request a false flag?

The app doesn't seem to care what the response is from any host (hosts table and IIS or not).


Re: Application 3 **BROKEN**

Post by Karrax on Sun Sep 22, 2013 5:50 am

This challenge is not broken for those wondering.
Yes it is. It can still be completed but it is much more difficult than originally intended as it no longer functions as it should. ~ limdis

Some hints:
* Wireshark does not sniff on localhost
* netcat is a nice helper program
* ProcessMonitor is a nice program to figure out what an application does


Re: Application 3 **BROKEN**

Post by occamsrzr on Tue Sep 24, 2013 11:00 pm

Karrax wrote:* Wireshark does not sniff on localhost


Ah, good call.

I had forgotten that WinPcap won't capture localhost without... something. Can't remember what it is though...


Re: Application 3 **BROKEN**

Post by limdis on Mon Sep 30, 2013 2:24 pm

occamsrzr wrote:I had forgotten that WinPcap wont capture localhost without...something. Can't remember what it is though...

I have gotten some better results using wireshark after setting up multiple interfaces on the localhost. It's not perfect but will give you a better picture of what is going on.


Re: Application 3 **BROKEN**

Post by CollinJSimpson on Tue Oct 15, 2013 12:08 pm

I solved app3 but I've got a few questions:

  • Does anyone know if there's actually a valid key for the auth script? (it's solvable without but I'm just curious)
  • Why can the relevant strings be found with a hex/text editor but apparently not in a debugger like OllyDbg?
  • The password is obviously obfuscated so that it can't be extracted right out of the binary, but can anyone share how it's retrieved when displayed in the message box? I understand that revealing that info might spoil many of these challenges, but again, I'm just curious. Maybe it'll be a good RE exercise instead :mrgreen:

PS: If it's not been mentioned, RawCap is a good Windows tool for sniffing local packets without adding a loopback adapter.

