ANSSI ECSC ~~ Challenges pwn ~~ Armory

Overview

Can you exploit the provided binary and extract the flag?

nc challenges.ecsc-teamfrance.fr 4003

+ the file armory, with no extension

1 - file

file armory

armory: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=aaa2d5ba6d3a6cf3958eb9073e673795c2f1e24e, not stripped

2 - gdb

As expected for an ARM file, it cannot be run on x86_64.

gdb ./armory

GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./armory...(no debugging symbols found)...done.
(gdb) r
Starting program: /mnt/c/Users/didier/Documents/ANSSI-ECSC/armory
/bin/bash: /mnt/c/Users/didier/Documents/ANSSI-ECSC/armory: cannot execute binary file: Exec format error
/bin/bash: /mnt/c/Users/didier/Documents/ANSSI-ECSC/armory: Success
During startup program exited with code 126.
(gdb) q

3 - qemu-user

Interesting article: https://ownyourbits.com/2018/06/13/transparently-running-binaries-from-any-architecture-in-linux-with-qemu-and-binfmt_misc/

qemu-arm armory

/lib/ld-linux.so.3: No such file or directory
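
The fields that file reports in step 1 (32-bit, LSB, ARM) and the loader path that qemu-arm fails to find both come from the ELF header and its PT_INTERP program header. The following is an added example, not part of the original write-up, that parses them; the sample bytes are constructed inline (function sample_arm_elf is hypothetical) and are not read from the challenge binary.

```python
import struct

EM = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}  # e_machine values
PT_INTERP = 3  # program header type holding the dynamic loader path

def parse_elf(data: bytes) -> dict:
    """Return word size, byte order, machine and PT_INTERP path of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    end = "<" if ei_data == 1 else ">"
    e_machine = struct.unpack_from(end + "H", data, 18)[0]
    if ei_class == 1:  # ELF32: e_phoff@28, e_phentsize@42, e_phnum@44
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    else:              # ELF64: e_phoff@32, e_phentsize@54, e_phnum@56
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    interp = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if ei_class == 1:  # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(end + "5I", data, off)
        else:  # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(end + "II4Q", data, off)
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return {"bits": 32 * ei_class, "order": "LSB" if ei_data == 1 else "MSB",
            "machine": EM.get(e_machine, hex(e_machine)), "interp": interp}

def sample_arm_elf() -> bytes:
    """Constructed sample: minimal ELF32 LSB ARM header with one PT_INTERP entry."""
    path = b"/lib/ld-linux.so.3\0"
    # e_type=2 (ET_EXEC), e_machine=40 (EM_ARM), e_flags=0x05000000 (EABI5)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + bytes(9),
                       2, 40, 1, 0, 52, 0, 0x05000000, 52, 32, 1, 0, 0, 0)
    # The single program header points at the path stored right after it (offset 84)
    phdr = struct.pack("<8I", PT_INTERP, 84, 0, 0, len(path), len(path), 4, 1)
    return ehdr + phdr + path

if __name__ == "__main__":
    print(parse_elf(sample_arm_elf()))
```

qemu-arm looks up that interpreter path on the host filesystem unless it is given an alternate root with -L or the QEMU_LD_PREFIX environment variable.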

3 - strings

strings armory

/lib/ld-linux.so.3
libc.so.6
fflush
__isoc99_scanf
puts
abort
printf
system
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
/bin/dash
Hello, what's your name?
Hello %s!
GCC: (Debian 6.3.0-18) 6.3.0 20170516
aeabi
/usr/lib/gcc-cross/arm-linux-gnueabi/6/../../../../arm-linux-gnueabi/lib/crt1.o
/usr/lib/gcc-cross/arm-linux-gnueabi/6/../../../../arm-linux-gnueabi/lib/crti.o
call_weak_fn
/usr/lib/gcc-cross/arm-linux-gnueabi/6/../../../../arm-linux-gnueabi/lib/crtn.o
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.9272
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
chall.c
elf-init.oS
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
printf@@GLIBC_2.4
__bss_start__
fflush@@GLIBC_2.4
_edata
__bss_end__
__data_start
puts@@GLIBC_2.4
__libc_start_main@@GLIBC_2.4
system@@GLIBC_2.4
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__end__
__bss_start
main
__isoc99_scanf@@GLIBC_2.7
__TMC_END__
evil
abort@@GLIBC_2.4
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.ARM.exidx
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.data
.bss
.comment
.ARM.attributes