
OWASP crackme write up version 2 level 2 !(•̀ᴗ•́)و ̑̑ (day 24)


In this post, I'm going to show you how to solve the OWASP UnCrackable Level 2 challenge by patching its native library with radare2 and then debugging the app with gdbserver to recover the secret string.

If you are new to binary patching, I have a post that gives an overview of the technique. Link: https://court-of-testing-analysing.blogspot.com/2019/10/patching-binary-with-radare2-day-22.html

Background:

What is GDB? According to access.redhat.com: "The GNU Debugger, commonly abbreviated as GDB, is a command-line tool that can be used to debug programs written in various programming languages. It allows you to inspect memory within the code being debugged, control the execution state of the code, detect the execution of particular sections of code, and much more."

Why would we need GDB on Android at all? Java and Kotlin are the popular languages for Android apps, but they are not the whole story: sometimes an app needs low-level functionality such as OpenGL or SSL, and that part is written in C or C++ and shipped with the app as a native library (built with the NDK and called from the Java side through JNI). Native libraries are exactly where a crackme like this one hides its checks, and GDB is the tool for debugging them.

This C or C++ library is stored in the APK's "lib" folder:


As you can see in the picture above, there are several folders, each named after a hardware architecture (an ABI such as armeabi-v7a, arm64-v8a, x86 or x86_64). Why does the application have multiple folders? Simply to run on more devices.

There are many mobile hardware architectures out there, ARM and Intel x86 among them. Because a developer cannot control which architecture the app ends up on, they build the library for each one and put all of them in the "lib" folder; when the application is installed, Android picks the folder that matches the device's ABI. That is also the folder you need to patch: patching the ARM build while the emulator loads the x86 one achieves nothing.
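
As an added example (not code from the original post), here is a small Python script that does what the installer does in spirit: it lists the ABI folders shipped under lib/ in an APK, picks the first one the device supports, and then reads the ELF header of the chosen library to confirm its machine type matches the folder it came from (a mislabelled library is a classic reason a native lib fails to load, and a classic way to patch the wrong file). The APK and the ELF headers are constructed in-memory test data; the device preference lists mimic what `getprop ro.product.cpu.abilist` prints on an x86 emulator and on an ARM phone (assumed values), and ABI_TO_E_MACHINE is my own mapping from folder name to ELF e_machine value.

```python
import io
import struct
import zipfile

# Folder name under lib/ -> ELF e_machine value (mapping assumed here from the ELF spec).
ABI_TO_E_MACHINE = {
    "armeabi-v7a": 0x28,  # EM_ARM
    "arm64-v8a": 0xB7,    # EM_AARCH64
    "x86": 0x03,          # EM_386
    "x86_64": 0x3E,       # EM_X86_64
}


def fake_elf(e_machine, is_64=False):
    """Build just an ELF header (constructed test data, not a real shared library)."""
    ei_class = 2 if is_64 else 1
    e_ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + b"\x00" * 8
    # e_type = ET_DYN (3), e_machine, e_version = 1; the rest of the header is zero padding.
    pad = 40 if is_64 else 28
    return e_ident + struct.pack("<HHI", 3, e_machine, 1) + b"\x00" * pad


def build_apk(libs):
    """Return zip bytes laid out like an APK with lib/<abi>/libfoo.so entries (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for abi, data in libs.items():
            z.writestr(f"lib/{abi}/libfoo.so", data)
    return buf.getvalue()


def native_abis(apk_bytes):
    """ABI folder names that contain at least one .so in the APK."""
    abis = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                abis.add(parts[1])
    return abis


def pick_abi(apk_bytes, device_abilist):
    """First ABI in the device's preference order that the APK actually ships, or None."""
    shipped = native_abis(apk_bytes)
    for abi in device_abilist:
        if abi in shipped:
            return abi
    return None


def elf_machine(data):
    """e_machine field of an ELF file (2 bytes at offset 18, little-endian on Android)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    return struct.unpack_from("<H", data, 18)[0]


def lib_matches_folder(apk_bytes, abi):
    """True if lib/<abi>/libfoo.so really is built for that ABI."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        data = z.read(f"lib/{abi}/libfoo.so")
    return elf_machine(data) == ABI_TO_E_MACHINE[abi]


# Constructed sample APKs: a sane one, and one whose "x86" library is really ARM code.
SAMPLE_APK = build_apk({"x86": fake_elf(0x03), "armeabi-v7a": fake_elf(0x28)})
MISLABELLED_APK = build_apk({"x86": fake_elf(0x28)})

# Preference lists as `getprop ro.product.cpu.abilist` would print them (assumed values).
X86_EMULATOR = ["x86", "armeabi-v7a", "armeabi"]
ARM64_PHONE = ["arm64-v8a", "armeabi-v7a", "armeabi"]

if __name__ == "__main__":
    for name, abilist in (("x86 emulator", X86_EMULATOR), ("arm64 phone", ARM64_PHONE)):
        abi = pick_abi(SAMPLE_APK, abilist)
        print(f"{name}: installer would load lib/{abi}/libfoo.so, "
              f"header matches folder: {lib_matches_folder(SAMPLE_APK, abi)}")
    print("mislabelled x86 lib detected:", not lib_matches_folder(MISLABELLED_APK, "x86"))
```

Run it against a real APK by replacing SAMPLE_APK with `open("app.apk", "rb").read()`; the ABI the emulator will load is the one whose folder you should pull libfoo.so from before opening it in radare2.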



In this post, I used an Android emulator with the x86 architecture.

Get your hands dirty:

Patching the binary

  • First, let's analyze the binary so we know what we are dealing with.
    • ~# r2 -Aw libfoo.so (-A runs the full analysis so that functions, imports and cross references get flagged; -w opens the file in write mode so that our patch is written to disk)
    • (inside the r2 shell) ~# afl (lists all the functions of the binary)
    • Notice that there is a "ptrace" function. Whenever you find this one, the binary is very likely using it as an anti-debugging measure (once a process is already being traced, gdb cannot attach to it), so this is the function we need to patch.

  • We need to find where this function is called, by cross referencing (xref) it:
    • (inside the r2 shell) ~# axt sym.imp.ptrace
    • As you can see, "ptrace" is called from the function "sub.fork_720".

  • Go to "sub.fork_720" and dump its assembly; there we find our two ptrace calls.
    • (inside the r2 shell) ~# s sub.fork_720 (seek to the function; pdf then prints its disassembly)
  • To patch the function we need to switch to radare2's visual mode.
    • (inside the r2 shell) ~# Vp (switch to visual mode; your shell will look like the picture below)
    • Navigate to the ptrace call with the arrow keys.
    • Type "A" to enter assemble mode, which lets you type an instruction that is assembled and written over the bytes under the cursor.


    • Now replace both ptrace calls with "call 0" (don't forget to save the write).


    • You might expect to overwrite the call with "nop" instead, but I don't recommend this because it will make the application crash.
    • Exit visual mode by pressing "q" and then type "quit" to leave r2.
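
A check I run after leaving r2, as an added example that is not part of the original post: diff the original and the patched libfoo.so byte for byte and make sure the only bytes that changed sit inside the two call instructions you meant to patch. If the assembler encodes your replacement with a longer form than the original instruction, the extra bytes land on the start of the next instruction, which is one way a patch ends up crashing the app. The two byte strings below are constructed sample data standing in for the two files, and the call offset 0x10 is made up; on a real run you would read both files with `read_file` and take the call-site offsets from r2's disassembly.

```python
def read_file(path):
    """Read a whole file; use it on the original and the patched libfoo.so."""
    with open(path, "rb") as f:
        return f.read()


def diff_bytes(original, patched):
    """Return [(offset, old, new)] for every contiguous run of bytes that differ."""
    if len(original) != len(patched):
        raise ValueError("sizes differ: an in-place patch must not change the file size")
    runs = []
    i, n = 0, len(original)
    while i < n:
        if original[i] == patched[i]:
            i += 1
            continue
        j = i
        while j < n and original[j] != patched[j]:
            j += 1
        runs.append((i, original[i:j], patched[i:j]))
        i = j
    return runs


def patch_is_confined(runs, call_sites, call_len=5):
    """True if every changed run lies inside one of the call instructions we meant to patch.

    call_sites: file offsets of the patched call instructions (from r2's disassembly);
    call_len:   5 bytes for an x86 `call rel32` (E8 xx xx xx xx).
    """
    for off, old, _new in runs:
        inside = any(s <= off and off + len(old) <= s + call_len for s in call_sites)
        if not inside:
            return False
    return True


def describe(runs):
    """Human-readable summary of the changed runs."""
    return [f"{off:#06x}: {old.hex()} -> {new.hex()}" for off, old, new in runs]


# Constructed sample: 32 bytes of "code" with a call rel32 at offset 0x10 (not real libfoo bytes).
ORIGINAL = bytes.fromhex("5589e5" + "90" * 13 + "e810000000" + "90" * 11)
# A patch that only rewrote the call target.
GOOD_PATCH = ORIGINAL[:0x10] + bytes.fromhex("e8ebffffff") + ORIGINAL[0x15:]
# A sloppy patch that also clobbered the byte right after the call.
BAD_PATCH = ORIGINAL[:0x10] + bytes.fromhex("e8ebffffffcc") + ORIGINAL[0x16:]

if __name__ == "__main__":
    for label, patched in (("good", GOOD_PATCH), ("bad", BAD_PATCH)):
        runs = diff_bytes(ORIGINAL, patched)
        print(label, describe(runs), "confined:", patch_is_confined(runs, [0x10]))
```

The bad case is instructive: the changed bytes merge into one run that spills one byte past the 5-byte call, so `patch_is_confined` flags it even though the call itself looks fine in the disassembly.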

Reassemble the application

We now have a patched library, but we are not done yet: the application's Java code also has root and debugger detection, so we need to get around that as well.
  • Use apktool to decode the APK into smali and edit the main activity's smali file as shown in the picture below.

  • Repackage the application and sign it (I use appium-sign, check this link). To speed everything up I wrote a bash script to automate the process.

  • If everything goes according to plan, only one thing is left: put gdbserver on the device (there is an awesome GitHub page that already provides prebuilt gdbserver binaries for every architecture: github).
  • After downloading the binary for your architecture (x86 here, matching the emulator), push it onto the device. Here it goes into the "/system/bin" folder; any location you can execute from, such as /data/local/tmp, would also work, but /system needs the remount below because it is mounted read-only.
    • To do this, connect to the device with adb shell and type "mount"


    • As the picture shows, /system is mounted read-only, so remount it read-write with "mount -o rw,remount /dev/block/sda6 /system" (take the block device name from the mount output; it differs between devices and emulator images)

    • Next, push gdbserver into the /system/bin folder with adb push and make it executable (chmod 755).


Debugging the application:

  • Run gdbserver on the device and attach it to the crackme process by supplying the app's pid (gdbserver :<port> --attach <pid>; you can get the pid with ps or pidof). gdbserver now waits for a connection. Note: while it waits, the application cannot be operated, because attaching stops every thread of the process, so I suggest you don't touch the app or it will crash.

  • Connect to gdbserver from gdb on your machine (forward the port with adb forward tcp:<port> tcp:<port>, then run target remote :<port> inside gdb).

  • The last thing we need to know is where to put the breakpoint so we can catch the secret string. Simple! When we listed the binary's functions there was a "strncmp", right? strncmp compares two strings (it takes the two string pointers plus a maximum length), and in this x86 build the two pointers are loaded into the "eax" and "esi" registers right before the call. All we have to do is examine those two registers at that point, because one holds our input and the other holds the secret string.


  • How do we put the breakpoint? The address r2 shows for the strncmp call is an offset inside the library, but at runtime the library is loaded at some base address, so first we find the base address of libfoo.so in the running process (for example from /proc/<pid>/maps, or with info sharedlibrary in gdb) and then add the strncmp call's offset to it.

  • The base address is 0xd616f000; adding 0xffb to it gives 0xd616fffb.
    • (inside the gdb shell) ~# b *0xd616fffb
  • We need to make the application reach the breakpoint, and to do that you have to enter a string of exactly 23 characters, because the application compares the length first (0x17 = 23) and only calls strncmp on the contents when the length matches.

  • Once you have entered enough characters, the application hits the breakpoint and we can inspect the two registers (x/s $eax and x/s $esi).

Yeayy, we got the secret string :)
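
To make the address arithmetic of the last steps reproducible, here is an added Python helper (my own, not from the original post): it parses a /proc/<pid>/maps dump for the base address of libfoo.so, adds the offset r2 reported for the strncmp call, and emits the gdb commands that set the breakpoint and dump the two string pointers. It assumes the library is position independent and that r2's offset is relative to 0, as it was for this binary. The maps excerpt is constructed sample data using the base found in this post (the package path and the libc line are made up); on a real run you would pull it with `adb shell cat /proc/<pid>/maps`. `library_base` returns None when the library is not mapped yet, which is what you see if you attach before the app has loaded its native code.

```python
import re

# Constructed excerpt of /proc/<pid>/maps (paths and the libc mapping are made up;
# the libfoo.so base is the one found in this post).
SAMPLE_MAPS = """\
d5f00000-d5f9a000 r-xp 00000000 fd:00 1001       /system/lib/libc.so
d616f000-d6172000 r-xp 00000000 fd:00 2002       /data/app/com.example.crackme-1/lib/x86/libfoo.so
d6172000-d6173000 r--p 00002000 fd:00 2002       /data/app/com.example.crackme-1/lib/x86/libfoo.so
d6173000-d6174000 rw-p 00003000 fd:00 2002       /data/app/com.example.crackme-1/lib/x86/libfoo.so
"""

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)


def parse_maps(text):
    """Yield (start, end, perms, file_offset, path) for each mapping line."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            yield (int(m.group(1), 16), int(m.group(2), 16), m.group(3),
                   int(m.group(4), 16), m.group(5).strip())


def library_base(maps_text, libname):
    """Load address of libname: its lowest mapping with file offset 0, or None if not loaded."""
    starts = [start for start, _end, _perms, off, path in parse_maps(maps_text)
              if path.endswith("/" + libname) and off == 0]
    return min(starts) if starts else None


def breakpoint_address(base, r2_offset):
    """Runtime address = load base + offset shown by r2 (r2 maps a PIE .so at 0)."""
    return base + r2_offset


def gdb_commands(base, r2_offset, port=1234):
    """gdb script: connect to gdbserver, break on the strncmp call, dump both string pointers."""
    addr = breakpoint_address(base, r2_offset)
    return [
        f"target remote :{port}",   # after `adb forward tcp:{port} tcp:{port}` on the host
        f"break *{addr:#x}",
        "continue",                 # now type a 23-character string into the app
        "x/s $eax",                 # the two pointers strncmp is about to compare
        "x/s $esi",
    ]


STRNCMP_OFFSET = 0xFFB   # offset of the strncmp call from r2's listing for this binary

if __name__ == "__main__":
    base = library_base(SAMPLE_MAPS, "libfoo.so")
    if base is None:
        raise SystemExit("libfoo.so not mapped yet; let the app load its native code first")
    print(f"libfoo.so base {base:#x}, breakpoint {breakpoint_address(base, STRNCMP_OFFSET):#x}")
    print("\n".join(gdb_commands(base, STRNCMP_OFFSET)))
```

Save the printed commands to a file and start gdb with `gdb -x that_file` so the breakpoint is in place before you type the input; if the base changes on the next run (it will, the library is loaded at a random address each time), only the maps dump needs refreshing.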

THANK YOU, have a nice day

KUDOS to these amazing web posts for giving a very thorough explanation of Android library debugging:

http://sh3llc0d3r.com/owasp-uncrackable-android-level2/

http://resources.infosecinstitute.com/android-hacking-and-security-part-20-debugging-apps-on-android-emulator-using-gdb/#gref
