
OWASP crackme write up version 2 level 2 !(•̀ᴗ•́)و ̑̑ (day 24)


In this post, I'm going to show you how to solve the OWASP crackme challenge by patching the binary with radare2 and debugging it with gdbserver to recover the secret string.

If you are not familiar with patching a binary, I have a post that gives an overview of the technique. Link: https://court-of-testing-analysing.blogspot.com/2019/10/patching-binary-with-radare2-day-22.html

Background:

What is gdb? According to access.redhat.com: "The GNU Debugger, commonly abbreviated as GDB, is a command-line tool that can be used to debug programs written in various programming languages. It allows you to inspect memory within the code being debugged, control the execution state of the code, detect the execution of particular sections of code, and much more."

Why would we need GDB on Android? Java and Kotlin are the popular languages for writing Android applications, but they are not the only option, because sometimes an application needs to interact with low-level functionality of Android such as OpenGL, SSL and so on. That functionality is accessed from C and C++, and native code written in those languages can be embedded inside the application.

This C or C++ library is stored inside the "lib" folder.


As you can see from the picture above, there are several folders, each named after a well-known hardware architecture. Why does an Android application have multiple folders? Simple: to run on as many devices as possible.

There are many mobile hardware architectures out there, such as ARM or Intel x86. Because an Android developer cannot control which architecture the app will run on, they put all the libraries in the "lib" folder, and when the application is installed on a device the most compatible library is chosen for it.



In this post, I used an Android emulator with an x86 architecture.

Get your hands dirty:

Patching the binary

  • First, let's analyze the binary so we know what we are dealing with.
    • ~# r2 -Aw libfoo.so (the -A tells radare2 to analyze and flag all important sections, and w opens the binary in write mode)
    • (inside the r2 shell) ~# afl (this lists all the functions of the binary)
    • Notice that there is a "ptrace" function, right? Remember that if you find this function, the binary may equip itself with an anti-debugging feature, so you need to patch this function.

  • We need to trace the calls to this function by doing an xref (cross reference)
    • (inside the r2 shell) ~# axt sym.imp.ptrace
    • As you can see, "ptrace" is called in the function "sub.fork_720"

  • Go to "sub.fork_720" and dump the assembly code. We find our two ptrace calls
    • (inside the r2 shell) ~# s sub.fork_720 (move to the function)
  • To patch the function we need to switch to visual mode inside radare2
    • (inside the r2 shell) ~# Vp (switch to visual mode; your shell will look like the picture below)
    • Navigate to the ptrace call using the arrow keys
    • Type "A" to enter the visual assembler so you can edit the assembly code
    • Now insert "call 0" over the two ptrace calls (don't forget to save)
    • You might expect to replace the assembly with a "nop", but I don't recommend that because it will make the application crash
    • Exit visual mode by pressing "q" and type "quit"
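To make the xref and patch steps concrete, here is a small Python model of what `axt sym.imp.ptrace` finds and what the same-size `call` rewrite does on 32-bit x86. This is an added example, not code from the post; the byte image, the stub address 0x5f0 and the call sites are constructed, and it assumes radare2 assembles the operand of `call 0` as an absolute target address.

```python
import struct
from typing import List

# Constructed toy x86 (32-bit) image, not bytes from libfoo.so. Offsets double as
# virtual addresses. Layout: a ptrace PLT stub at 0x5f0 and a fork routine at 0x720
# that calls the stub twice (modelling the two ptrace calls in sub.fork_720).
PTRACE_STUB = 0x5F0
FORK_FUNC = 0x720


def encode_call(site: int, target: int) -> bytes:
    """E8 rel32: the displacement is relative to the end of the 5-byte call."""
    return b"\xe8" + struct.pack("<i", target - (site + 5))


def build_image() -> bytearray:
    img = bytearray(b"\x90" * 0x800)                                # nop padding
    img[PTRACE_STUB:PTRACE_STUB + 6] = b"\xff\x25\x00\x20\x00\x00"  # jmp [got slot]
    img[FORK_FUNC:FORK_FUNC + 5] = encode_call(FORK_FUNC, PTRACE_STUB)
    img[FORK_FUNC + 0x20:FORK_FUNC + 0x25] = encode_call(FORK_FUNC + 0x20, PTRACE_STUB)
    return img


def find_call_sites(img: bytes, target: int) -> List[int]:
    """What `axt` reports for direct calls: every E8 rel32 whose resolved target
    is `target`. A raw byte scan can misfire on data that looks like E8; radare2
    avoids that by walking disassembled code, this toy does not."""
    sites = []
    for off in range(len(img) - 4):
        if img[off] != 0xE8:
            continue
        rel = struct.unpack_from("<i", img, off + 1)[0]
        if (off + 5 + rel) & 0xFFFFFFFF == target:
            sites.append(off)
    return sites


def retarget_calls(img: bytearray, old_target: int, new_target: int) -> List[int]:
    """Rewrite each call to `old_target` as a call to `new_target`, keeping the
    5-byte encoding so no neighbouring instruction shifts. new_target=0 mirrors
    the post's `call 0` (assumption about radare2's assembler, see lead-in)."""
    sites = find_call_sites(img, old_target)
    for site in sites:
        img[site:site + 5] = encode_call(site, new_target)
    return sites


if __name__ == "__main__":
    image = build_image()
    print("ptrace call sites:", [hex(s) for s in find_call_sites(image, PTRACE_STUB)])
    print("patched:", [hex(s) for s in retarget_calls(image, PTRACE_STUB, 0)])
```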

Reassemble the application

We have our newly patched library, but we are not done yet: the application code also has root and debugging detection, and we need to circumvent that as well.
  • Use apktool to get the smali code and edit the main activity smali file to look like the picture below.

  • Repackage the application and sign it (I use appium-sign, check this link). To make everything faster I created a bash script to automate the process.

  • If everything goes according to plan, there is only one thing left to do: you have to put gdbserver on the device (there is an awesome GitHub page that already provides gdbserver builds for each architecture type: github)
  • After you download the binary, we need to put it on the device, specifically inside the "/system/bin" folder.
    • To do this, connect to the device using adb and type "mount"


    • As the picture shows, the /system folder is mounted read-only, so we need to remount it writable with "mount -o rw,remount /dev/block/sda6 /system"

    • Next, we can put our gdbserver in the /system/bin folder


Debugging the application:

  • Run gdbserver and supply the uid of the crackme application so it can attach to the app's process. Now gdbserver is waiting for a connection. Note: in this situation the application cannot be operated, because it halts all of its operation while listening for the server; I suggest you don't touch the app or it will crash.

  • Connect to the gdbserver.

  • The last thing we need to know is where to put the breakpoint so we can get the secret string. Simple! As you saw when we listed all the functions of the binary, there is a "strncmp", right? As you are aware, the function takes two parameters to compare, and here they are passed in the "eax" and "esi" registers. All we have to do is examine these two registers, because they contain either our input or the secret string.


  • How do we set the breakpoint? First we need to find the base address where the library is loaded, and once we have it we just add the "strncmp" offset to that address.

  • We get the base address, which is 0xd616f000, add 0x0000ffb to it, and we get 0xd616fffb.
    • (inside gdb shell) ~# b *0xd616fffb
  • We need to trigger the application to reach the breakpoint, and to do this you need to input a string of exactly 23 characters, because before the application does the string comparison it compares the length first (0x17 => 23).

  • After you input enough characters, the application hits the breakpoint and we can inspect the two registers.
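The base-plus-offset arithmetic above is easy to get wrong by hand, so here is an added Python helper (not code from the post) that reads the library base out of /proc/<pid>/maps text, adds the strncmp offset from the post (0xffb) to produce the gdb breakpoint command, and checks the 23-character length gate. The maps excerpt is constructed: only the libfoo.so base 0xd616f000 comes from the post; the package path CRACKME_PKG, device numbers and inodes are placeholders.

```python
import re
from typing import Optional

# Constructed /proc/<pid>/maps excerpt for the crackme process. Only the libfoo.so
# base (0xd616f000) is taken from the post; the remaining rows, the CRACKME_PKG
# path, device ids and inodes are made-up placeholders.
SAMPLE_MAPS = """\
d5e00000-d5f00000 r-xp 00000000 fd:00 1001       /system/lib/libc.so
d6100000-d6120000 rw-p 00000000 00:00 0
d616f000-d6170000 r-xp 00000000 fd:01 2002       /data/app/CRACKME_PKG-1/lib/x86/libfoo.so
d6170000-d6171000 r--p 00000000 fd:01 2002       /data/app/CRACKME_PKG-1/lib/x86/libfoo.so
d6171000-d6172000 rw-p 00001000 fd:01 2002       /data/app/CRACKME_PKG-1/lib/x86/libfoo.so
"""

STRNCMP_OFFSET = 0x0000FFB   # library-relative address used in the post
EXPECTED_LEN = 0x17          # the length check that guards the strncmp (23 chars)

# start-end perms file_offset dev inode [path]; anonymous mappings have no path.
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+(?:\s+(\S+))?$"
)


def library_base(maps_text: str, libname: str) -> Optional[int]:
    """Load base of `libname`: the lowest mapping of that file at file offset 0."""
    bases = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        start, _end, _perms, file_off, path = m.groups()
        if path and path.endswith("/" + libname) and int(file_off, 16) == 0:
            bases.append(int(start, 16))
    return min(bases) if bases else None


def breakpoint_command(maps_text: str, libname: str, offset: int) -> str:
    """gdb command for a breakpoint at base + offset, e.g. 'b *0xd616fffb'."""
    base = library_base(maps_text, libname)
    if base is None:
        raise ValueError(f"{libname} is not mapped in this process")
    return f"b *{base + offset:#x}"


def passes_length_check(candidate: str) -> bool:
    """The app compares the length before strncmp, so only 23-byte input reaches it."""
    return len(candidate.encode()) == EXPECTED_LEN
```

On a device you would feed it the real `cat /proc/<pid>/maps` output instead of the constructed sample.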

Yeayy we got the secret string :)

THANK YOU, have a nice day

KUDOS to these amazing web posts for giving a very thorough explanation of Android library debugging:

http://sh3llc0d3r.com/owasp-uncrackable-android-level2/

http://resources.infosecinstitute.com/android-hacking-and-security-part-20-debugging-apps-on-android-emulator-using-gdb/#gref

Hi everyone! Welcome back to another vulnhub machine walkthrough. In this post, we will try to solve the the Csharp VulnJSON machine, this particular machine are focus on introducing some key concept of known web application attacks. We will go through each of the vulnerability and we will see how we can elevate this into a working exploit. Background: Setting up this machine is easy, the author provide us with .ova file and all we have to do is just import the file then we good to go.     Information Gathering: first, we need to find out what is the machine ip address, to do this I used nmap to do ping sweep on my local network. from the result above we can see that the target machine is with 192.168.1.7. Now that we have our target IP address, let's proceed with scanning the open port on the machine. cool! so the machine only open port 80 and this will make it much more simple. If we go to the web server, we are welcomed with two forms: first is used for create a user and th...