Application 3 **BROKEN**

Learn to reverse engineer through some common application security methods.
Forum rules
DO NOT POST ANSWERS OR SPOILERS! [IE: Mission Links, Mission File Names/Pages, Scripts/Code, etc.]

Posting these will result in warnings/bans!

Re: Application 3 **BROKEN**

Post by Celius on Tue Nov 05, 2013 9:34 pm

I'm curious, since this issue has been around for quite some time, why it hasn't been fixed, or why it hasn't been rebranded from easy to medium or hard.


Re: Application 3 **BROKEN**

Post by Disk0rd on Mon Dec 30, 2013 1:31 pm

Well... I tried sending a pm and emailing mods, but the forum has rejected me on both tries. I am guessing it has to do with my post count.
I would appreciate it if someone would tell me what is going on here. What I have tried so far has not worked, so I wouldn't count it as a spoiler, and since the mission is broken anyway... Meh.. If a mod sees this and decides it's too spoilery, I would have then gotten in contact with the mods, so mission accomplished; feel free to delete the entire post.

I am pretty new to trying to hack an application. I understand some of the basics and I have access to a couple of tools.
I ran up against the hanging on "Reading Data" thing. I think I could do this mission if it worked properly.
I did a hexdump and found the url it sends its request to, then I made hackmysite.org point to my localhost and set up an auth.php that always echoed "true".
This would solve the mission if it worked as it was supposed to, right? (if so can a mod pm me the password? :D)

Running wget https://hackthissite.org/blah returned saying something about the certificates not matching up, so I thought maybe the app recognizes this as well. I used vim and edited the exe and changed the instances of "hackthissite.org" to "localhost". This messed up the exe and it didn't run anymore. Figuring it probably offset some data and ruined the program I tried it again but changed to "123456.localhost", a string of the same length. This seemed to work and the program ran, but hung on "Reading Data" again. I checked my access.log and my server never even received a request from the program.
I don't really care about the points too much, but reading through the thread it seems that despite this, some people have still been able to extract the password from it.

What I would love is for someone to explain to me how they did this, and why it worked. I want to understand the workings of it. I've opened the program in OllyDbg, but I don't understand how this is helpful at all. I don't know how to manipulate assembly to actually do anything (I've written programs in assembly for 16-bit and 8-bit processors, but I have no idea how to do anything with it on an actual 32 or 64-bit computer).


Re: Application 3 **BROKEN**

Post by occamsrzr on Tue Mar 11, 2014 1:20 am

I've been stuck on this one forever. So much so that it's made me give up. At least at HTS. I moved on to Hellbound Hackers. But every so often I return and give it another shot, hoping I've gained enough new knowledge to beat it this time.

From what I've gathered, people complete this mission one of two ways: using a hex editor to manually alter a very specific set of bytes to return 'true' instead of 'false', essentially turning if(success=true){good job};if(success=false){you fail}; into if(success=false){good job;}

The second method is finding the specific test op code that does the comparison, and altering the operand to always return true.

-- Thu Mar 13, 2014 8:01 pm --

I'm bound and determined to finish this mission. Here's a bit more info on what's wrong: you're sending a null character at the beginning of the "key". That's why your web server is responding with a 400 Bad Request. Because it is a bad request.

http://imgur.com/a/Ct2AF


Re: Application 3 **BROKEN**

Post by mersey01 on Mon May 12, 2014 2:36 pm

When is the app gonna be sorted, because it's still sticking at 'Status: reading data'?

I know I shouldn't have, but I found a vid of the solution on YouTube, and when he ran the app he got an immediate response from the server.


Re: Application 3 **BROKEN**

Post by cyberdrain on Thu May 15, 2014 10:32 am

There are other ways to do it. Learn reversing and changing the binary; it will help with the rest in the long run.

If the only way to learn for you is to see others do it, then I'd say, go for it. Everyone learns differently, though there is a danger to this. Using this method it's much easier to just sit back and watch, not knowing how it works. Watching to learn is good (e.g. most of us got some information from DEF CON vids), learning by doing is better. Good luck!


Re: Application 3 **BROKEN**

Post by occamsrzr on Tue Jun 17, 2014 10:23 pm

Alright fellas,

I've found the culprit. It is indeed an HTTP GET Request that includes a null character between the php var and the value.

Put simply, one too many bytes is copied from the binary to memory. Here's your fix:

Open the binary in a Hex editor. Change the value of the byte at offset 166204 from 0x2D to 0x2C.

The correct solution will now work. But just be aware, if there is an indication that the pw was wrong, I haven't found it, mostly because I don't care to go looking.


Re: Application 3 **BROKEN**

Post by asdf78dg on Fri Aug 15, 2014 8:27 pm

I don't know if anyone has found the string "Ihate this shit" in the binary, but I'm not sure if that is relevant to the fix. I tried replacing certain return values so that the program would successfully run even while not able to connect to the remote server, but I haven't had any luck. I am not sure if there are any more hints anyone can give as to where exactly one would modify the binary. If nothing else I might just try and set up a php script and point it at that to return true. Thanks.


Re: Application 3 **BROKEN**

Post by occamsrzr on Sat Aug 16, 2014 2:23 am

asdf78dg wrote: I don't know if anyone has found the string "Ihate this shit" in the binary, but I'm not sure if that is relevant to the fix. I tried replacing certain return values so that the program would successfully run even while not able to connect to the remote server, but I haven't had any luck. I am not sure if there are any more hints anyone can give as to where exactly one would modify the binary. If nothing else I might just try and set up a php script and point it at that to return true. Thanks.


The problem is the HTTP status codes. The app looks specifically for a 200. If it receives a 301 or a 403 it goes haywire.

I've investigated the issue a bit further and hope to develop a patch that will take these two status codes into account, but I've been busy with work.

Here's the hint, and it's a vague one: if you can get a webserver to return a 200, it'll work.


Re: Application 3 **BROKEN**

Post by nexo on Thu Aug 28, 2014 1:52 am

If you inspect your HTTP packets you'll see that you get a 400 response from the server (bad request). Inspect the GET that the app sends to the server, and you'll find an awkward null character somewhere. If you fix that, you get nice 200 responses from the server (this is why this app was tagged "broken", but it's completely fixable). From there everything is straightforward; you just need to get the appropriate answer from a server (the one the app is waiting for...).

BTW:
occamsrzr wrote: Change the value of the byte at offset 166204 from 0x2D to 0x2C.
will just break your app.


Re: Application 3 **BROKEN**

Post by occamsrzr on Fri Aug 29, 2014 12:56 am

nexo wrote: If you inspect your HTTP packets you'll see that you get a 400 response from the server (bad request). Inspect the GET that the app sends to the server, and you'll find an awkward null character somewhere. If you fix that, you get nice 200 responses from the server (this is why this app was tagged "broken", but it's completely fixable). From there everything is straightforward; you just need to get the appropriate answer from a server (the one the app is waiting for...).

BTW:
occamsrzr wrote: Change the value of the byte at offset 166204 from 0x2D to 0x2C.
will just break your app.


You're wrong. There are actually two things wrong with this binary:

1) When the URL is read from the binary by readfile, it has a read length of 1 byte too many, and the following byte is null
(more precisely, the read length from the data segment is one byte too many, as determined by byte 166204; readfile just loads data from outside the PE structures into the heap), resulting in a null character being submitted to the socket send method. Byte 166204 is the read length. Reduce it by one (0x2D - 0x01 = 0x2C). Hell, try changing the length and input data at the end of the string in the binary...

Here, have a laugh: http://imgur.com/a/n3lU0

2) The only HTTP status code that is being checked is 200. If you receive a 400 due to the extra null byte or a 301 because you're not logged in, it hangs. I've been considering trying to write a hot patch for this mission, just for the fun of it. But I've a lot going on at work right now.
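The off-by-one read described in the posts above, as an added illustration that is not code from the thread or from the mission binary: a constructed data segment stands in for the binary, the read-length constants stand in for the thread's 0x2D/0x2C, and a strict request-line parser shows why a server answers 400 once the NUL terminator lands in the query string.

```python
import re

# Constructed stand-in for the binary's data segment: the query prefix the
# client copies, followed by its NUL terminator and unrelated bytes. The real
# offsets, lengths and URL of the mission are deliberately not reproduced.
QUERY_PREFIX = b"/auth.php?key="
DATA_SEGMENT = QUERY_PREFIX + b"\x00" + b"XYZ"

READ_LEN_CORRECT = len(QUERY_PREFIX)    # plays the role of 0x2C in the thread
READ_LEN_BUGGY = READ_LEN_CORRECT + 1   # plays the role of 0x2D: one byte too many


def read_segment(segment: bytes, length: int) -> bytes:
    """Copy `length` bytes from the start of the segment, like a readfile call
    that trusts a length stored in the binary."""
    return segment[:length]


def build_request_line(read_len: int, key: bytes) -> bytes:
    """Assemble the GET request line the client hands to the socket send call.
    With the buggy length the NUL terminator sits between the query prefix
    and the key value."""
    return b"GET " + read_segment(DATA_SEGMENT, read_len) + key + b" HTTP/1.1\r\n"


# RFC 7230: the request-target may only contain visible ASCII (0x21-0x7E),
# so any control octet, including NUL, makes the request line unparseable.
_REQUEST_LINE = re.compile(rb"\AGET (/[\x21-\x7e]*) HTTP/1\.[01]\r\n\Z")


def server_status(line: bytes) -> int:
    """Minimal server-side decision: 200 for a well-formed request line,
    400 Bad Request otherwise (the response the thread reports seeing)."""
    return 200 if _REQUEST_LINE.match(line) else 400


def find_nul(line: bytes) -> int:
    """Locate the stray NUL in a captured request line; -1 if there is none.
    This is the check to run on the packet capture before patching anything."""
    return line.find(b"\x00")


if __name__ == "__main__":
    for read_len in (READ_LEN_BUGGY, READ_LEN_CORRECT):
        line = build_request_line(read_len, b"secret")
        print(read_len, server_status(line), find_nul(line), line)
```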

