PoliCTF 2012 - Bin-Pwn 100

1 minute read

Retrieve the key.

Oh man, PoliCTF takes the cake for having steganography in every freaking puzzle. In the tar.gz package included in the tar.bzip2 package included in the GPG encrypted file, the following files were found:

[email protected]:~/polictf/binpwn100$ tar tvfz umad.tar.gz
drwxrwxr-x fede/fede 0 2012-05-26 06:23 jpeg/
-rw-r--r-- fede/fede 1616 2012-05-26 06:23 jpeg/jconfig.h
-rw-r--r-- fede/fede 48569 2012-05-26 06:23 jpeg/jpeglib.h
-rw-r--r-- fede/fede 12558 2012-05-26 06:23 jpeg/jmorecfg.h
-rw-r--r-- fede/fede 14581 2012-05-26 06:23 jpeg/jerror.h
-rw-rw-r-- fede/fede 1446942 2012-08-08 22:11 libjpeg.a
-rw-rw-r-- fede/fede 56 2012-05-26 06:30 Makefile
-rw-rw-r-- fede/fede 3296 2012-05-26 16:51 umad.cpp

umad.cpp looks interesting. Examination of the file doesn’t reveal anything though. So, let’s compile and run this.

[email protected]:~/umad$ make
g++ -o umad umad.cpp -L. -ljpeg
[email protected]:~/umad$ ./umad
Done

It outputs the image you see above. :/ Assholes.

So let’s take a look at the rest of the files. libjpeg.a seems to be interesting. Strings indicate that this isn’t your standard libjpeg.a distributed by your friendly Linux distribution.

[email protected]:~/umad$ strings libjpeg.a | head -n 10
!
/ 1344435103 0 0 0 3688 `
jpeg_aritab
...
/home/haxor/Documents/coding/libraries/utilities/imaging/jpeg-8d
...
_vtable_offset
alloc_sarray
write_frame_header

An .ar file is simply an archive used by the linker, so let’s print a list of files in it.

[email protected]:~/polictf/binpwn100$ ar t libjpeg.a
jaricom.o
...
jcmarker.jpeg
...
jmemnobs.o

Why is there a .jpeg file in an .ar? A bi-winning jpeg of course. Extract and file it.

[email protected]:~/polictf/binpwn100$ ar vx libjpeg.a jcmarker.jpeg
x - jcmarker.jpeg
[email protected]:~/polictf/binpwn100$ file jcmarker.jpeg
jcmarker.jpeg: POSIX shell script text executable

Cries of ‘bullshit!’ fill the air. However, it’s just another case of stego though, and we can replace the ‘#!/bin/shx00’ header with a proper jpeg header ‘FF D8 FF E0 00 10 4A 46 49 46 00’.

Flag: 8d66668deee4964c2c429e2ae64ccc8667b5d911

Leave a Comment