HackTheBox — Poly Write-up
Akuto Sai · 4 min read · Aug 9, 2022
https://medium.com/@akutosai/hackthebox-poly-write...

First I quickly checked which platform the binary was built for with `file`. It is an aarch64 binary, so to run it I used qemu-aarch64, which you can install with:

sudo apt install qemu-user

After executing the binary I got this:

(screenshot)

It was expecting some kind of input, and the error did not give any clues. Let's move on to the disassembly and reversing part. I am going to use Ghidra.

(screenshot)

After struggling for a couple of hours I noticed something fishy about the entry function FUN_400004d0, which takes only a single parameter, 0x8cf. It seems that the first two functions implement a pseudo-random number generator and all the remaining functions write output to the console. After banging my head a couple more times I realised that Ghidra was not decompiling the calls properly because of their variadic parameters. So I wrote my own code, which runs the calls to completion and prints all the fake flags. I can't show the whole code because the challenge is still active ;)

The shift and mask constants in the output function below (29, 17, 37 and 43 with 0x5555555555555555, 0x71d67fffeda60000 and 0xfff7eee000000000) are exactly the tempering step of MT19937-64, the 64-bit Mersenne Twister, and an index that starts at 0x139 = 313 = NN + 1 is the reference implementation's "not yet seeded" marker, so the generator can be identified from this fragment alone.

```c
uint64_t mt_buf[0x140] = { 0 };
uint16_t mt_idx = 0x139;

void mt_init(uint64_t iv)
{
    mt_buf[0] = iv;
    mt_idx = 1;
    /* ... remainder of mt_init not shown in the excerpt ... */
}

/* ... start of the output function not shown in the excerpt ... */
    temp = mt_buf[mt_idx++];
    /* MT19937-64 tempering */
    temp ^= (temp >> 0x1d) & 0x5555555555555555ull;
    temp ^= (temp << 0x11) & 0x71d67fffeda60000ull;
    temp ^= (temp << 0x25) & 0xfff7eee000000000ull;
    temp ^= (temp >> 0x2b);
    return temp;
}

/* ... tail of one of the variadic flag-printing functions ... */
    fwrite("}\n", 1, 2, stdout);
    va_end(va);
}
```

I figured out that the program first reads a string from the console and checks it against the expected length (10); the input is then used to generate some type of key based on the value returned by a syscall. You can see this with `strace ./poly`. I also noticed that it works as an anti-debug trick. The input buffer is hashed with MD5, the digest is converted to a hexadecimal string, and the bytes 0x13 and 0x37 are appended to that string. (I ate this section >﹏<)

Pseudo Code ( ./poly )

Function 0
• Create pipe [DEBUG]
• Write "\x02" (1 byte) to pipe [DEBUG]
• Create pipe [MD5]
• Goto function [1]

Function 1
• Create pipe [SKIP]
• Create pipe [SHA256]
• Create pipe [HASH RESULT]
• Create pipe [DEBUG RESULT]
• Fork — Child
  • Invoke function [3]
• Fork — Parent
  • Read x (1 byte) from pipe [DEBUG RESULT]
  • Invoke function [x]

Function 2 : Real Password
• Read input from console
• Write length (8 bytes) to pipe [MD5]
• Write buffer (length bytes) to pipe [MD5]
• Read md5_results (32 bytes) from pipe [HASH RESULT]
• Convert md5_results to hex string
• Write 0x40 (8 bytes) to pipe [SHA256]
• Write buffer (0x40 bytes) to pipe [SHA256]
• Read sha256_results (32 bytes) from pipe [HASH RESULT]
• if (sha256_results == hash) => true
  • Goto function [11]

Function 3
• Fork — Child
  • Invoke function [5]
• Fork — Parent
  • Fork — Child
    • Invoke function [6]
  • Fork — Parent
    • Read x (1 byte) from pipe [SHA256]
    • Read y (1 byte) from pipe [SHA256]
    • if (x + y == 0xd7) => true ('m' + 'j' = 0x6d + 0x6a = 0xd7, i.e. both workers have announced themselves)
      • Invoke handler [7]
    • if (x + y == 0xd7) => false
      • Write x (1 byte) to stdout
      • Write y (1 byte) to stdout

Function 4 : Fake Password
• Read input from console
• Write length (8 bytes) to pipe [MD5]
• Write buffer (length bytes) to pipe [MD5]
• Read md5_results (32 bytes) from pipe [HASH RESULT]
• Convert md5_results to hex string
• Write 0x40 (8 bytes) to pipe [SHA256]
• Write buffer (0x40 bytes) to pipe [SHA256]
• Read sha256_results (32 bytes) from pipe [HASH RESULT]
• if (sha256_results == 1 of 6 hashes) => true
  • Invoke handler [12 + i]

Function 5 : MD5
• Write "m" (1 byte) to pipe [SHA256]
• while (true)
  • Read length (8 bytes) from pipe [MD5]
  • Write "r" (1 byte) to pipe [DEBUG]
  • Read buffer (length bytes) from pipe [MD5]
  • Compute md5(buffer)
  • Read salt suffix (1 byte) from pipe [DEBUG RESULT]
  • Compute md5(salt)
  • Write results (32 bytes) to pipe [HASH RESULT]

Function 6 : SKIP
• Write "j" (1 byte) to pipe [SHA256]
• while (true)
  • Read buffer (32 bytes) from pipe [SKIP]
  • Compute md5(buffer)
  • if (md5_hash == hash) => true
    • Perform strace register modification
    • Force dispatch(9) instead of dispatch(11)
    • Write AES IV (16 bytes) to pipe [HASH RESULT]
  • if (md5_hash == hash) => false
    • Write buffer (32 bytes) to pipe [HASH RESULT]

Function 7
• Fork — Child
  • Invoke handler [10]
• Fork — Parent
  • Read x (1 byte) from pipe [SHA256]
  • if (x == 'c') => true
    • Goto function [8]

Function 8 : SHA256
• while (true)
  • Read length (8 bytes) from pipe [SHA256]
  • Read buffer (length bytes) from pipe [SHA256]
  • Compute sha256(buffer)
  • Write results (32 bytes) to pipe [SKIP]

Function 9 : TARGET
• Read AES IV (16 bytes) from pipe [HASH RESULT]
• Read input from console
• Invoke function [18]

Function 10 : DEBUG
• Write "c" (1 byte) to pipe [SHA256]
• while (true)
  • Read x (1 byte) from pipe [DEBUG]
  • Compute the sum of the strace (trace-detection) tests over all forked processes
    • 5 = no debugging
  • Modify x with the XOR product of the debugged fork processes
    • No debugging = no mutation
  • Write x (1 byte) to pipe [DEBUG RESULT]

Function 11 : Key Decryption

Function 12 - 17 : Fake Flags
• Print fake flags.

Handler 18 : Real Flag
• Print real flag.

Tags: Reversing, Arm64, Htb Writeup, Poly, Exploit Development
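The generator behind the decompiled fragment above, as an added example: this is a plain Python MT19937-64, not the author's C solver, and nothing in it is taken from the challenge binary. It reproduces the published reference outputs for the default seed 5489 (the same values std::mt19937_64 gives), inverts the tempering step, and shows why that inversion matters: 312 consecutive outputs hand back the entire internal state, after which every later value is predictable. Whether the key the binary derives comes straight out of the generator is not settled on the page, so this only shows the mechanism. The seed 12345 used in the demo is arbitrary.

```python
# Added example (not the write-up author's code): MT19937-64 in Python, with
# the same tempering shifts and masks as the Ghidra fragment, its inverse,
# and a state-recovery demo. Reference values: published mt19937-64.c output
# for seed 5489. Nothing here is taken from the challenge binary.
NN, MM = 312, 156
MASK64 = (1 << 64) - 1
MATRIX_A = 0xB5026F5AA96619E9
UM = 0xFFFFFFFF80000000   # upper 33 bits
LM = 0x7FFFFFFF           # lower 31 bits


def temper(x: int) -> int:
    """Output transform; the constants are the ones in the decompiled fragment."""
    x ^= (x >> 29) & 0x5555555555555555
    x ^= (x << 17) & 0x71D67FFFEDA60000
    x ^= (x << 37) & 0xFFF7EEE000000000
    x ^= x >> 43
    return x & MASK64


def untemper(y: int) -> int:
    """Invert temper(): one output word gives back one raw state word."""
    y ^= y >> 43                             # shift >= 32, so applying it again undoes it
    y ^= (y << 37) & 0xFFF7EEE000000000      # same argument for the 37-bit left shift
    x = y
    for _ in range(4):                       # 17 more low bits become correct per pass
        x = y ^ ((x << 17) & 0x71D67FFFEDA60000)
    y = x
    for _ in range(3):                       # 29 more high bits become correct per pass
        x = y ^ ((x >> 29) & 0x5555555555555555)
    return x & MASK64


class MT19937_64:
    def __init__(self, seed: int = 5489):
        self.mt = [seed & MASK64] + [0] * (NN - 1)
        for i in range(1, NN):
            prev = self.mt[i - 1]
            self.mt[i] = (6364136223846793005 * (prev ^ (prev >> 62)) + i) & MASK64
        self.mti = NN                        # forces a twist before the first output

    def _twist(self) -> None:
        """Regenerate all NN words in place (single-loop form of the reference)."""
        mt = self.mt
        for i in range(NN):
            x = (mt[i] & UM) | (mt[(i + 1) % NN] & LM)
            mt[i] = mt[(i + MM) % NN] ^ (x >> 1) ^ (MATRIX_A if x & 1 else 0)
        self.mti = 0

    def next_u64(self) -> int:
        if self.mti >= NN:
            self._twist()
        y = self.mt[self.mti]
        self.mti += 1
        return temper(y)


def nth_output(seed: int, n: int) -> int:
    """n-th output (1-based) after seeding; checked against the reference values."""
    g = MT19937_64(seed)
    for _ in range(n - 1):
        g.next_u64()
    return g.next_u64()


def clone_from_outputs(outputs) -> MT19937_64:
    """Rebuild a generator from NN consecutive outputs that start at a twist
    boundary (for example the first NN after seeding): untempering each one
    yields the whole state, so every later output is predictable. This is
    why Mersenne Twister output is unusable as key material."""
    if len(outputs) != NN:
        raise ValueError("need exactly NN outputs")
    g = MT19937_64.__new__(MT19937_64)
    g.mt = [untemper(o) for o in outputs]
    g.mti = NN
    return g


def predicts_next(seed: int) -> bool:
    """Observe NN outputs from a generator, clone it, and match its next output."""
    victim = MT19937_64(seed)
    seen = [victim.next_u64() for _ in range(NN)]
    clone = clone_from_outputs(seen)
    return clone.next_u64() == victim.next_u64()


if __name__ == "__main__":
    print(nth_output(5489, 1))      # 14514284786278117030
    print(predicts_next(12345))     # True
```

The reference check is the first thing to run after reimplementing a PRNG lifted from a decompiler: if nth_output(5489, 1) does not come out as 14514284786278117030, the twist or the initialisation (not the tempering, which is visible in the fragment) was transcribed wrong.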
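The exchange behind Functions 2, 5 and 8, as an added example that models it in Python (this is not the challenge's code): a dispatcher forks an MD5 worker and a SHA256 worker, talks to them over pipes with 8-byte length prefixes, and walks the md5 -> hex -> sha256 chain the pseudocode describes. Assumptions, because the page does not fix them: the length prefix is little-endian, the 1-byte salt the MD5 worker reads defaults to 0x13, and the SKIP stage is left out (its pass-through case only forwards the 32 bytes). It needs a POSIX system for os.fork and os.pipe.

```python
# Added example (not the challenge's code): a runnable model of the fork-and-
# pipe hashing exchange from the pseudocode. Assumed, because the page does
# not fix them: little-endian 8-byte lengths, and a default salt byte of 0x13.
import hashlib
import os
import struct

LEN = struct.Struct("<Q")   # 8-byte length prefix; the endianness is an assumption


def frame(payload: bytes) -> bytes:
    """Length (8 bytes) then the bytes, the way Function 2 writes a request."""
    return LEN.pack(len(payload)) + payload


def read_exact(fd: int, n: int) -> bytes:
    """Read exactly n bytes from a pipe; b'' means EOF (a worker's exit signal)."""
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf


def md5_worker(req_r: int, salt_r: int, res_w: int) -> None:
    """Function 5: per request, md5(buffer) || md5(salt), 32 bytes to HASH RESULT."""
    while True:
        hdr = read_exact(req_r, LEN.size)
        if not hdr:
            return
        buf = read_exact(req_r, LEN.unpack(hdr)[0])
        salt = read_exact(salt_r, 1)          # 1-byte salt arriving from the DEBUG side
        os.write(res_w, hashlib.md5(buf).digest() + hashlib.md5(salt).digest())


def sha256_worker(req_r: int, res_w: int) -> None:
    """Function 8: sha256 over a length-prefixed buffer, 32 bytes back."""
    while True:
        hdr = read_exact(req_r, LEN.size)
        if not hdr:
            return
        os.write(res_w, hashlib.sha256(read_exact(req_r, LEN.unpack(hdr)[0])).digest())


def pipeline_digest(candidate: bytes, salt: bytes = b"\x13") -> bytes:
    """Function 2's side of the exchange, against two forked workers."""
    md5_r, md5_w = os.pipe()      # pipe [MD5]
    salt_r, salt_w = os.pipe()    # pipe [DEBUG RESULT], carrying only the salt here
    sha_r, sha_w = os.pipe()      # pipe [SHA256]
    res_r, res_w = os.pipe()      # pipe [HASH RESULT], shared by both workers
    every_fd = {md5_r, md5_w, salt_r, salt_w, sha_r, sha_w, res_r, res_w}
    children = []
    for worker, fds in ((md5_worker, (md5_r, salt_r, res_w)),
                        (sha256_worker, (sha_r, res_w))):
        pid = os.fork()
        if pid == 0:
            try:
                for fd in every_fd - set(fds):  # a stray write end here would block the other's EOF
                    os.close(fd)
                worker(*fds)
            finally:
                os._exit(0)                     # never fall through into the parent's code
        children.append(pid)
    os.write(salt_w, salt)
    os.write(md5_w, frame(candidate))
    hex_pair = read_exact(res_r, 32).hex().encode()    # 0x40 bytes, as in the pseudocode
    os.write(sha_w, frame(hex_pair))
    digest = read_exact(res_r, 32)
    for fd in every_fd:                                 # closing the write ends ends both loops
        os.close(fd)
    for pid in children:
        os.waitpid(pid, 0)
    return digest


def direct_digest(candidate: bytes, salt: bytes = b"\x13") -> bytes:
    """The same chain with no processes, i.e. what a cracking script computes."""
    pair = hashlib.md5(candidate).digest() + hashlib.md5(salt).digest()
    return hashlib.sha256(pair.hex().encode()).digest()


if __name__ == "__main__":
    cand = b"password12"                               # constructed sample input
    print(pipeline_digest(cand).hex())
    print(pipeline_digest(cand) == direct_digest(cand))   # True
```

direct_digest is the form to use when trying candidate passwords against the hard-coded target hash; the forked version exists to confirm the message framing. Two details carry over to the real binary: every child must close the pipe ends it does not own, or a copy of a write end held by the other worker keeps a read loop from ever seeing EOF; and in the pseudocode the salt byte is whatever the DEBUG worker writes back, so a traced process hashes with a different salt and the comparison simply fails, with no explicit "debugger detected" branch to look for.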