Metasploitable3 is a free virtual machine that we have recently created to allow people to simulate attacks using Metasploit. In it, we have planted multiple flags throughout the whole system; they are basically collectable poker card images of some of the Rapid7/Metasploit developers. Some are straight-forward and easy to open, some are hidden, or obfuscated, etc. Today, we would like to share the secret to unlocking one of these cards: the King of Clubs.
The King of Clubs is one of the fun flags to extract. This card can be found in the C:\Windows\System32 directory, and it's an executable. To retrieve it, you will need to compromise the host first. In this demonstration, we will SSH into the host. And when calling the King of Clubs executable, we are greeted with the following riddle:
Obviously, this executable requires a closer examination. So ideally, you want to download this binary somewhere to your favorite development/reversing environment:
If you attempt to look at the executable with a debugger, you will notice that the binary is packed, which makes it difficult to read. There are multiple ways to figure out what packer is used for the executable. Either you will most likely discover it by inspecting the PE structure, which contains multiple UPX sections. Or you can use PEiD to tell you:
UPX is a binary compression tool that is commonly used by malware to make reverse engineering a little bit more difficult. It is so common you can find an unpacker pretty easily, as well. In this example, we are using PE Explorer because it's free. PE Explore will automatically recognize our binary is packed with UPX, and unpack it. So all you have to do is open the binary with it and click save:
There, that wasn't too painful. Was it?
At this point, we are ready to read the binary with a disassembler. Let's start with the main function:
As we can see, the first thing the program does is checking if there is a debugger attached or not. If there it, then the program exits:
If you are doing dynamic analysis, don't forget to disable this :-)
The next thing it does is checking if the current user is "hdmoore" or not. If yes, then it writes a card to disk. If not, it prints out the riddle that we saw previously:
Let's look at how the card is created a little more. First off, we see that the constructor of the Card class initializes something with the value 0x0f, this piece of information is important for later:
After the initialization, our main function calls the writeCard function.
The writeCard function does two things. First, it iterates through a big chunk of data of 76473h bytes, XORing each byte. If you pay attention to where EAX comes from, which is [EBP ARG_0], you should remember that it's the value the Card class initialized. So this means, the writeCard function is XORing a big chunk of data with 0x0F:
After the function is done XORing, it's ready to write the data to disk using ofstream. The first argument of ofstream's open function reveals that we are trying to write a file named "king_of_clubs.png":
After the file is written, we are at the end of the function, and that leads us to the end of the program.
Ways to Extraction
Now that we understand how the program works, we have some options to extract the XOR'd image from the binary
- Since IDA already tells us where the XOR'd PNG data is at, we can extract 76474h bytes, and then XOR back the data with 0x0f.
- Bypass the IsDebuggerPresent call with OllyDBG, and modify the JNZ jump for strcmp, which will force the program to always produce the card.
- This is probably the easier one: Create a user named "hdmoore", run the program again:
And that's how you reverse engineer the challenge. Now, go ahead and give this a try, and see who the King of Clubs is. If you like this challenge, don't feel shy to try the other 14 Metasploitable3 flags as well :-)
If you haven't tried Metasploitable3 but finally want to get your hands dirty, you can get it here. Keep in mind that Metasploitable3 is a vulnerable image that's heavily exploitable by Metasploit, so if you don't have Metasploit, you should download that and put it in your tool box :-)