adding trend-micro-ctf-2015 analysis-100 writeup

Author: sudhackar

trend-micro-ctf-2015/analysis/defensive-100/sudhackar/README.md

@@ -0,0 +1,80 @@
+[](ctf=trend-micro-ctf-2015)
+[](type=analysis,reverse)
+[](tags=payload,drop)
+[](tools=gdb-peda)
+[](techniques=breakpoints)
+
+I think this is the unintended solution.
+
+We are given a [zip](../vonn.zip) password:wx5tOCvU3g2FmueLEvj5np9xJX0cND3K.
+This gives us a binary.
+
+```sh
+$ file vonn 
+vonn: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=7f89c2bb36cc9d0882a4980a99d44a7674fb09e2, not stripped
+
+$ ./vonn 
+You are not on VMM
+```
+Thats it! we don't know whats happening.
+So i quickly load it with gdb-peda and after setting some breakpoints,we're ready to step through the execution.
+
+```sh
+gdb-peda$ b *0x400b8d
+Breakpoint 1 at 0x400b8d
+```
+After some stepping when we get to puts call for output
+```objdump
+   0x400cd3 <main+326>:	cmp    rax,QWORD PTR [rbp-0x8]
+   0x400cd7 <main+330>:	je     0x400cfc <main+367>
+   0x400cd9 <main+332>:	mov    edi,0x401100
+=> 0x400cde <main+337>:	call   0x400990 <puts@plt>
+   0x400ce3 <main+342>:	mov    rax,QWORD PTR [rbp-0xd0]
+   0x400cea <main+349>:	mov    rax,QWORD PTR [rax]
+   0x400ced <main+352>:	mov    rdi,rax
+   0x400cf0 <main+355>:	mov    eax,0x0
+Guessed arguments:
+arg[0]: 0x401100 ("You are on VMM!")
+```
+And I still don't know how!!
+All thats left is to do a c(continue).
+```sh
+gdb-peda$ c
+Continuing.
+You are on VMM!
+process 9248 is executing new program: /tmp/...,,,...,,
+warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
+```
+
+This file dropped a payload that was automatically loaded in gdb. Nice!!
+Lucky for me the breakpoint 0x400b8d is still an instruction in the payload binary. 
+```objdump
+   0x0000000000400b74 <+248>:	call   0x400790 <MD5@plt>
+   0x0000000000400b79 <+253>:	mov    edi,0x54
+   0x0000000000400b7e <+258>:	call   0x400780 <putchar@plt>
+   0x0000000000400b83 <+263>:	mov    edi,0x4d
+   0x0000000000400b88 <+268>:	call   0x400780 <putchar@plt>
+=> 0x0000000000400b8d <+273>:	mov    edi,0x43
+   0x0000000000400b92 <+278>:	call   0x400780 <putchar@plt>
+   0x0000000000400b97 <+283>:	mov    edi,0x54
+   0x0000000000400b9c <+288>:	call   0x400780 <putchar@plt>
+   0x0000000000400ba1 <+293>:	mov    edi,0x46
+   0x0000000000400ba6 <+298>:	call   0x400780 <putchar@plt>
+   0x0000000000400bab <+303>:	mov    edi,0x7b
+   0x0000000000400bb0 <+308>:	call   0x400780 <putchar@plt>
+   0x0000000000400bb5 <+313>:	mov    DWORD PTR [rbp-0xc4],0x0
+   0x0000000000400bbf <+323>:	jmp    0x400be9 <rnktmp+365>
+```
+Looks good. Another c(continue)
+
+```sh
+gdb-peda$ c
+Continuing.
+TMCTF{ce5d8bb4d5efe86d25098bec300d6954}[Inferior 1 (process 9248) exited with code 0377]
+/tmp/...,,,...,,: No such file or directory.
+```
+
+Huh! Was easier than expected.
+FLAG
+
+> TMCTF{ce5d8bb4d5efe86d25098bec300d6954}