VM


We provide a virtual machine (VM) which can be used with VirtualBox. It comes pre-installed with many tools that are useful for the CTF. The root password is "ctf" (without quotation marks).

Running ARM Binaries


QEMU system emulation

  • Install qemu and libc for ARM: sudo apt-get install libc6-dev-armhf-cross libc6-dev-arm64-cross qemu-system-arm qemu-user
  • Run hacklet:
    • qemu-arm -L /usr/arm-linux-gnueabihf ./<hacklet> (for 32-bit ARMv5/ARMv6/ARMv7)
    • qemu-aarch64 -L /usr/aarch64-linux-gnu ./<hacklet> (for 64-bit ARMv8)

ARM Laptop

If you have an ARM laptop, such as certain Chromebooks, or the Pinebook, you can run the hacklet directly.

Smartphone

You can also run the hacklets on your Android smartphone.
  • Enable debug mode in the settings (look up how to do that for your specific model)
  • Install the Android Debug Bridge (adb), e.g., using this tutorial: How to Install ADB on Windows, macOS, and Linux
  • Copy the hacklet onto the phone: adb push <hacklet> /data/local/tmp
  • Open a shell on your phone: adb shell. The prompt looks something like mido:/ $
  • Run the hacklet: /data/local/tmp/<hacklet>


Debugging ARM Binaries


QEMU

  • Install gdb-multiarch: sudo apt-get install gdb-multiarch
  • Start the binary with qemu, but add -g 12345 as an additional argument.
    For example, for an ARMv7 hacklet: qemu-arm -L /usr/arm-linux-gnueabihf -g 12345 ./<hacklet>
  • In a new terminal window, start gdb-multiarch with the hacklet: gdb-multiarch ./<hacklet>
  • In GDB:
    • set the remote target (gdb) target remote :12345
    • (you can ignore the warnings)
    • break at entry point (gdb) b main
    • start hacklet (gdb) c
    • tell GDB where to find the shared libraries (gdb) set solib-search-path /usr/arm-linux-gnueabihf
  • Now you can debug the hacklet in the same way as any other application
  • Hint: use (gdb) layout asm to show disassembly and/or (gdb) layout regs to show registers while debugging

Real Hardware

If you have ARM hardware (e.g., Chromebook), you can directly debug your binary with GDB.


A Simple Hacklet - Walkthrough


  • Download the hacklet: Download hacklet
  • What file is this?
    $> file main
    main: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=e7970306b9562336d8ebed24b564b288792e878a, not stripped
    (The $> represents the shell prompt; you don't type it)
  • Ok, an ARM 32-bit binary. We need qemu to run it
  • (If you haven't done it yet: sudo apt-get install libc6-dev-armhf-cross qemu-system-arm qemu-user)
  • Let's run it: $> qemu-arm -L /usr/arm-linux-gnueabihf ./main
    Enter your name:
  • We can enter something:
    Enter your name: Michael
    Hello Michael
  • Let's check the strings, any hint to a flag?
    $> strings main | grep flag
    flag.txt
  • Ok, it will probably read the flag from a file called "flag.txt"
  • Any interesting function names?
    $> arm-linux-gnueabi-objdump -x ./main | grep F
  • Interesting lines are:
    00010610 g F .text 000000a8 cat <- maybe this outputs the file (like the Linux cat tool)
    00000000 F *UND* 00000000 strcat@@GLIBC_2.4 <- unsafe string concatenation
  • Open the binary in Cutter:
  • On the left, we see all functions
  • On the right, we see the graph view
  • If we look at the function calls and the (automatic) comments, we see that
    • The program calls printf with the string "Enter your name:"
    • It flushes the output (fflush)
    • Gets the user input using the (secure) getline function
    • Concatenates the string "Hello " and the user input with the insecure strcat function
    • Outputs the string using the secure puts function
    • Tests some local variable and calls cat("flag.txt") if it is not 0
  • The strcat function appends the user input to the buffer which already holds "Hello "
  • It does not check whether the strings actually fit into the buffer!
  • Let's enter something longer...
    $> qemu-arm -L /usr/arm-linux-gnueabihf ./main
    Enter your name: aaaaaaaaaaaaaaaaaaaaaaa
    Hello aaaaaaaaaaaaaaaaaaaaaaa

    {TEST_FLAG}

  • Nice, a flag!
  • What happened? We overflowed the string buffer, and consequently overwrote the local variable which was tested for 0.
  • We successfully solved the hacklet! Now we need to get the real flag.
  • Connect to hacklets2.attacking.systems on port 8003, e.g., on Linux with nc hacklets2.attacking.systems 8003
  • Enter the name which solved the hacklet (i.e., "aaaaaaaaaaaaaaaaaaaaaaa").
  • You now get the real flag, not the test flag.
  • Enter the real flag in the submission system to get the points.
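The bug class from the walkthrough, vulnerable and hardened side by side, as a C example added here. It is not the hacklet's source: the struct layout, the 16-byte buffer, the name give_flag and all function names are assumptions made for this illustration. The buffer and the variable tested afterwards are placed in one struct so their adjacency is guaranteed (on the hacklet's stack the compiler happened to lay them out that way), and strcat is written out as a plain loop so the result does not depend on the compiler's _FORTIFY_SOURCE replacement. The hardened version uses snprintf and checks its return value, which is the length the full string would have had, so a value of sizeof buf or more means the name did not fit and is rejected instead of silently overwriting the neighbour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example (not the hacklet's source): the buffer that holds
 * "Hello " + name and the variable the program tests afterwards are put
 * in one struct so they are adjacent, as they happened to be on the
 * hacklet's stack. Sizes and names are assumptions for this example. */
struct greeting {
    char buf[16];            /* room for "Hello " plus a 9-character name */
    volatile int give_flag;  /* the "local variable tested for 0" */
};

/* A minimal strcat(): appends src after the terminator of dst with no
 * bounds check. Written as a loop so the demonstration does not depend on
 * the compiler's _FORTIFY_SOURCE replacement for strcat. */
static void append_unchecked(char *dst, const char *src)
{
    while (*dst != '\0')
        dst++;
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Vulnerable pattern, as in the walkthrough: the length of name is never
 * compared with the space left in buf. Returns give_flag after the
 * greeting was built so the caller can observe the corruption. */
int greet_unsafe(struct greeting *g, const char *name)
{
    g->give_flag = 0;
    strcpy(g->buf, "Hello ");
    append_unchecked(g->buf, name);   /* writes past buf if strlen(name) > 9 */
    return g->give_flag;
}

/* Hardened pattern: snprintf() never writes more than sizeof buf bytes,
 * and its return value is the length the full string would have had, so
 * a result >= sizeof buf means the name did not fit. Returns 0 on
 * success and -1 when the input is rejected. */
int greet_safe(struct greeting *g, const char *name)
{
    g->give_flag = 0;
    int n = snprintf(g->buf, sizeof g->buf, "Hello %s", name);
    if (n < 0 || (size_t)n >= sizeof g->buf) {
        g->buf[0] = '\0';             /* do not leave a truncated greeting */
        return -1;
    }
    return 0;
}

/* Helpers that run each version on a fresh struct and report the result. */
int gate_after_unsafe(const char *name)
{
    struct greeting g;
    return greet_unsafe(&g, name);
}

int rc_safe(const char *name)
{
    struct greeting g;
    return greet_safe(&g, name);
}

int gate_after_safe(const char *name)
{
    struct greeting g;
    greet_safe(&g, name);
    return g.give_flag;
}

int main(void)
{
    const char *fits = "Michael";            /* 7 chars: fits in buf */
    const char *too_long = "aaaaaaaaaaaa";   /* 12 chars: 3 bytes spill into give_flag */

    printf("unsafe, \"%s\":  give_flag = %d\n", fits, gate_after_unsafe(fits));
    printf("unsafe, \"%s\": give_flag = %d (nonzero => flag would be printed)\n",
           too_long, gate_after_unsafe(too_long));
    printf("safe,   \"%s\": rc = %d, give_flag = %d\n",
           too_long, rc_safe(too_long), gate_after_safe(too_long));
    return 0;
}
```

With the short name both versions behave identically; with the long name the unchecked append leaves two 'a' bytes in give_flag, which is exactly the "local variable tested for 0" becoming nonzero, while the hardened version returns -1 and leaves give_flag at 0. When reviewing a binary, the same pattern is what to look for: a strcat, strcpy or gets whose destination is a fixed-size buffer and whose neighbour decides something security-relevant.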