recursion
Challenge Details
An executable contains a nested executable XOR'd with a 4-byte key. The first program accepts a 32-character string as an argument. Each executable uses the first 4 bytes of this string to decrypt the next executable and calls it with the rest of the string as an argument.
Will probably use memfd_create -> execve chain. Hopefully this doesn't trip players' AV 🤷
Key Concepts
Memory and file descriptor shenanigans. Recognizing certain files have fixed bytes that can be used to reduce the search space.
Solution
Running strace on the first executable should reveal the memfd_create and execve calls before it segfaults. By observing that the user input is used to XOR over a memory region, before executing it through a fd, players should realize this contains an encrypted ELF file.
Each chunk can be recovered by XORing the encrypted executable with the magic bytes expected in an ELF file. Not impossible for the player to brute-force, but they will need to realize how to brute-force 4 bytes at a time or they will experience pain (~60^22 should be hard enough right??).
8 layers of executables should be sufficient to motivate players to write a script instead of doing everything by hand. Should be possible to do the whole challenge statically.
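As an added worked example (not code from the challenge repository), the script below shows the static approach the solution describes: each 4-byte key falls out directly from the fixed ELF e_ident bytes, so no brute force is needed, and the stages can be peeled one at a time. It assumes a constructed stage layout (child blob stored at a 64-byte offset, XOR'd from key index 0) and a constructed 32-byte input string.

```python
ELF_MAGIC = b"\x7fELF"
STUB_LEN = 64          # assumption: each stage stores its XOR'd child at this offset

def xor4(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating 4-byte key; the same op encrypts and decrypts."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def recover_key(enc: bytes) -> bytes:
    """Known-plaintext recovery: ciphertext[0:4] must decrypt to \\x7fELF, so
    key[i] = enc[i] ^ magic[i]. No search over 4 bytes is needed at all."""
    key = bytes(e ^ m for e, m in zip(enc[:4], ELF_MAGIC))
    # e_ident[12:16] is EI_PAD (all zero), so those ciphertext bytes equal the key.
    if len(enc) < 16 or enc[12:16] != key:
        raise ValueError("blob does not look like a 4-byte-XOR'd ELF header")
    return key

def make_stage(child_enc: bytes) -> bytes:
    """Constructed stand-in for a stage: 64-bit LE ELF e_ident, filler, XOR'd child."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + bytes(7)   # class, data, version, osabi, abiver, pad
    filler = bytes((i * 37) & 0xFF for i in range(STUB_LEN - 16))
    return e_ident + filler + child_enc

def build_chain(secret: bytes) -> bytes:
    """Nest one stage per 4-byte chunk of the secret, innermost first."""
    assert len(secret) % 4 == 0
    stage = make_stage(b"")                        # innermost stage has no child
    for i in range(len(secret) - 4, -1, -4):
        stage = make_stage(xor4(stage, secret[i:i + 4]))
    return stage                                   # outermost stage, stored in the clear

def solve(outer: bytes) -> bytes:
    """Peel every layer statically and return the full 32-byte argument string."""
    keys = []
    stage = outer
    while len(stage) > STUB_LEN:                   # a stage with a child is longer than the stub
        enc = stage[STUB_LEN:]
        key = recover_key(enc)
        keys.append(key)
        stage = xor4(enc, key)                     # decrypted child becomes the next stage
    return b"".join(keys)

SECRET = b"c0nstructed-32-byte-key-string!!"       # constructed sample input, not the real one

if __name__ == "__main__":
    print(solve(build_chain(SECRET)))              # prints the 32-byte secret back
```

The EI_PAD cross-check is the reason a wrong 4-byte guess is cheap to reject: a candidate key that yields the magic but leaves non-zero padding cannot be right.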
Learning Objectives
Basics of how malware is packed and how fileless malware operates.
Flag
greyhats{p4cK_@ll_th3_th1Ng5!!!}