Application 3 **BROKEN**

Learn to reverse engineer through some common application security methods.
Re: Application 3 **BROKEN**

Post by Celius on Tue Nov 05, 2013 9:34 pm

I'm curious, since this issue has been around for quite some time, why it hasn't been fixed, or why it hasn't been rebranded from easy to medium or hard.
Celius


Re: Application 3 **BROKEN**

Post by Disk0rd on Mon Dec 30, 2013 1:31 pm

Well... I tried sending a PM and emailing mods, but the forum has rejected me on both tries. I am guessing it has to do with my post count.
I would appreciate it if someone would tell me what is going on here. What I have tried so far has not worked, so I wouldn't count it as a spoiler, and since the mission is broken anyway... Meh.. If a mod sees this and decides it's too spoilery, I would have then gotten in contact with the mods, so mission accomplished; feel free to delete the entire post.

I am pretty new to trying to hack an application. I understand some of the basics and I have access to a couple of tools.
I ran up against the hanging on "Reading Data" thing. I think I could do this mission if it worked properly.
I did a hexdump and found the URL it sends its request to, then I made hackmysite.org point to my localhost and set up an auth.php that always echoed "true".
This would solve the mission if it worked as it was supposed to, right? (if so can a mod pm me the password? :D)

Running wget https://hackthissite.org/blah returned saying something about the certificates not matching up, so I thought maybe the app recognizes this as well. I used vim and edited the exe and changed the instances of "hackthissite.org" to "localhost". This messed up the exe and it didn't run anymore. Figuring it probably offset some data and ruined the program, I tried it again but changed to "123456.localhost", a string of the same length. This seemed to work and the program ran, but hung on "Reading Data" again. I checked my access.log and my server never even received a request from the program.
I don't really care about the points too much, but reading through the thread it seems that despite this, some people have still been able to extract the password from it.

What I would love is for someone to explain to me how they did this, and why it worked. I want to understand the workings of it. I've opened the program in OllyDbg, but I don't understand how this is helpful at all. I don't know how to manipulate assembly to actually do anything (I've written programs in assembly for 16-bit and 8-bit processors, but I have no idea how to do anything with it on an actual 32 or 64-bit computer).
Disk0rd


Re: Application 3 **BROKEN**

Post by occamsrzr on Tue Mar 11, 2014 1:20 am

I've been stuck on this one forever. So much so that it's made me give up. At least at HTS. I moved on to Hellbound Hackers. But every so often I return and give it another shot, hoping I've gained enough new knowledge to beat it this time.

From what I've gathered, ppl complete this mission one of two ways: using a hex editor to manually alter a very specific set of bytes to return 'true' instead of 'false', essentially turning if(success=true){good job};if(success=false){you fail}; into if(success=false){good job;}

The second method is finding the specific test op code that does the comparison, and altering the operand to always return true.

-- Thu Mar 13, 2014 8:01 pm --

I'm bound and determined to finish this mission. Here's a bit more info on what's wrong: you're sending a null character in the beginning of the "key". That's why your web server is responding with a 400 Bad Request. Because it is a bad request.

http://imgur.com/a/Ct2AF
occamsrzr


Re: Application 3 **BROKEN**

Post by mersey01 on Mon May 12, 2014 2:36 pm

When is the app gonna be sorted coz it's still sticking at 'Status: reading data'.

I know I shouldn't have but I found a vid of the solution on yt and when he ran the app he got an immediate response from the server.
mersey01


Re: Application 3 **BROKEN**

Post by cyberdrain on Thu May 15, 2014 10:32 am

There are other ways to do it. Learn reversing and changing the binary, it will help with the rest in the long run.

If the only way to learn for you is to see others do it, then I'd say, go for it. Everyone learns differently, though there is a danger to this. Using this method it's much easier to just sit back and watch, not knowing how it works. Watching to learn is good (e.g. most of us got some information from DEF CON vids), learning by doing is better. Good luck!
Free your mind / Think clearly
cyberdrain


Re: Application 3 **BROKEN**

Post by occamsrzr on Tue Jun 17, 2014 10:23 pm

Alright fellas,

I've found the culprit. It is indeed an HTTP GET Request that includes a null character between the php var and the value.

Put simply, one too many bytes is copied from the binary to memory. Here's your fix:

Open the binary in a hex editor. Change the value of the byte at offset 166204 from 0x2D to 0x2C.

The correct solution will now work. But just be aware, if there is an indication that the pw was wrong, I haven't found it, mostly because I don't care to go looking.
occamsrzr
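
The failure mode described in the post above, as an added C example that is not part of the original thread and is not code from the mission binary: copying one byte more than the prefix length pulls the string's NUL terminator into the request line, which a strict server-side check rejects with 400. The path, parameter name, value and the validation rule are constructed assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a request prefix as it might sit in a binary's
   string table, followed by its NUL terminator. Path and parameter
   name are hypothetical, not taken from the mission binary. */
static const char PREFIX[] = "GET /auth.php?key=";

/* Build a request line by copying copy_len bytes of PREFIX, then the
   value, then the protocol tail. Returns bytes written, 0 if no fit. */
size_t build_request(unsigned char *out, size_t cap, size_t copy_len,
                     const char *value)
{
    static const char TAIL[] = " HTTP/1.1\r\n";
    size_t vlen = strlen(value), tlen = sizeof TAIL - 1;
    if (copy_len > sizeof PREFIX || copy_len + vlen + tlen > cap)
        return 0;
    memcpy(out, PREFIX, copy_len);            /* the length under test */
    memcpy(out + copy_len, value, vlen);
    memcpy(out + copy_len + vlen, TAIL, tlen);
    return copy_len + vlen + tlen;
}

/* Server-side view (assumed strict parser): the request line may not
   contain NUL or other control bytes before the terminating CRLF.
   Returns 400 to reject, 200 when the line is acceptable. */
int request_line_status(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            return 200;                       /* clean up to CRLF */
        if (buf[i] < 0x20 || buf[i] == 0x7f)
            return 400;                       /* the stray NUL lands here */
    }
    return 400;                               /* no CRLF found */
}

int main(void)
{
    unsigned char req[128];
    size_t good = strlen(PREFIX), bad = good + 1;   /* off by one */
    size_t n = build_request(req, sizeof req, bad, "value");
    printf("copy length %zu -> %d\n", bad, request_line_status(req, n));
    n = build_request(req, sizeof req, good, "value");
    printf("copy length %zu -> %d\n", good, request_line_status(req, n));
    return 0;
}
```
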

