31C3 CTF - whatson writeup

In this challenge we got a binary called whatson. Unfortunately not able to run it, it’s always complaining with Unable to open/validate interpreter Google helps us with this phrase and leads us to “sherlocked” https://github.com/elfmaster/sherlocked, basically a script-lock tool that contains the script in an encrypted version.

The way to solve this was: first getting what interpreter it tries to run and then (obviously) getting the flag.

Disassembling a bit and looking into the main function we see it’s trying to open ‘./python2.7’ as the interpreter. Looking into sherlocked’s stub.c we find out what actually happens there (better than any decompiler ;) ) https://github.com/elfmaster/sherlocked/blob/master/stub.c

The MD5 check later with a (to me unknown) MD5-hash of a python2.7 interpreter was easy to bypass: Just patch the binary, it’s not doing any checks on itself. I solved it by patching bail_out() at 0x4010ca with a simple “ret”. Then it was just easy to use any python binary (or actually cat if you want to see the source) like:

ccm@ctf:~$ cp `which python2.7` python2.7
ccm@ctf:~$ ./whatson
Greetings from elfmaster
31C3_there_is_nothing_like_first_hand_evidence
ccm@ctf:~$

The python code is:

ccm@ctf:~$ cp `which cat` python2.7
ccm@ctf:~$ ./whatson
#!/usr/bin/env python2

import binascii
bindata = "cccebccca08b979a8d9aa0968ca091908b97969198a09396949aa099968d8c8ba0979e919ba09a89969b9a919c9a"
flag = ""
for x in binascii.unhexlify(bindata):
    flag += chr(ord(x)^0xff)
print "Greetings from elfmaster"
print flag