Tuesday, October 2, 2012

CSAW CTF Quals: Reversing 500

This one was a bit more of a headache. We start with an mrom and an mrom.tmp… Let’s start by running the file command:

We see that one of these is a BIOS ROM and the other is an ELF. Our team spent an enormous amount of time trying to reverse the ELF when we really should have just ignored it. It turns out that the elf is really just debugging symbols for what turns our to be an iPXE ROM. Next, let’s run strings to see if we can get more info on the files. We immediately noticed:

This shows that the .mrom is an iPXE rom.
After looking around their site for a while, we noticed a vmware installation guide that should let us play with the rom.
       *For more info, see here
To summarize the article, the site tells us that the 8086100f naming convention is for e1000-type network adapters. Blindly following the guide then leads us to create a blank vm and add the following lines to it:
   ethernet0.virtualDev = “e1000”
   ethernet0.opromsize = 262144
   e1000bios.filename = “[your path to]/8086100f.mrom”
Now we can start the vm and press ctrl-b to enter iPXE.

After trying to connect, we get an error that says we don’t have enough room. So, increase the oprom size (see above) to something larger (ex. 26214400) and restart. Now, the ROM is able to successfully connect to https://secure-doomsday-client-loader.c0.cx/boot/vmlinuz. Once it connects, it begins to download a kernel from https://secure-doomsday-client-loader.c0.cx/boot/initrd.gz?include_flag=0 and boots into it. Here, we found a flag.txt file. Yay! But sadly it’s a fake. Catting this flag shows something along the lines of “This is not the initrd you are looking for”... Hilarious aren’t they?

Looking at the download link, we see a very obvious include_flag=0. Most of the URI string was encrypted in the binary, but after some searching we were able to find:

Patch the g=0 to g=1, restart the vm, press ctrl-b, and let it download the flag-included kernel. Cat the flag.txt file in the root directory and win!

Hope you enjoyed the write-up!

-- d1r3w0lf

No comments:

Post a Comment