Microcorruption - New Orleans
Introduction
Welcome back! In this post I will be diving into the New Orleans challenge from the Microcorruption wargame. This challenge demonstrates the reason sensitive information should not be stored as plaintext in memory and why you should be careful with password generation.
Code Review and Solution
After setting a breakpoint on the main function and running the program, one thing instantly sticks out as suspicious. There is a new function being called, named “create_password”! It looks like the password is being generated directly in the code so it can be compared to our input later. Let’s check the function out.
Looking through the code here, it seems that I was correct with my assumption. The memory address #0x2400 is loaded into r15, and then a set of ASCII values is written starting at that address, at one-byte offsets, before a null byte terminates the string. This appears to be a seven-character password (excluding the null byte at the end).
Since I’m fairly certain this is the password, I set a breakpoint at the end of the function so I can read the password out from memory. I used the command r 2400 7 to read out the password.
> r 2400 7
2400 3d22 7032 6648 5a ="p2fHZ
This will end up being the password that solves the challenge!
At this point, you could solve the challenge by entering this password. However, read on to see how to verify this solution!
We now suspect that the password our input is compared to is the string stored at hex address #0x2400. Let’s validate the assumption by checking out the check_password function.
I type “testing” as my input and set a new breakpoint on the check_password function. In this function we can see that the value stored at the address in r13 is compared to the value stored at #0x2400 with an offset of r14, which is 0 at the moment. If we check what is at the memory address in r13 by using the command r r13, we can see that it holds the input I entered earlier.
> r r13
439c 7465 7374 696e 6700 0000 0000 0000 0000 testing.........
43ac 0000 0000 0000 0000 0000 0000 0000 0000 ................
If the first characters of my input and the saved password are equal, then r14 is incremented. The value of r14 is then compared to #0x8 (we can assume this is how long the password is supposed to be), and if it’s not equal, the program jumps back to the beginning of the function and repeats with the next character of the password. Once r14 equals #0x8, the r15 register is set.
However, if any character doesn’t match then the program clears the r15 register and returns. This r15 register is used as a flag to tell the program if the password was valid or not. If it is, then the door opens.
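The loop described above, modelled in C as an added example (not the challenge's firmware and not code from the original post). It shows that the eighth compared byte is the null terminator, so the input has to end exactly where the stored string ends. The names mem_2400 and try_input are assumptions made for the model, and the stored bytes are the ones from the memory dump earlier in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the RAM at 0x2400 that create_password fills
   (a model of the behaviour described in the post). */
static uint8_t mem_2400[8];

/* Write the seven bytes from the post's memory dump, then a null byte. */
void create_password(void) {
    static const uint8_t bytes[7] = {0x3d, 0x22, 0x70, 0x32, 0x66, 0x48, 0x5a};
    memcpy(mem_2400, bytes, sizeof bytes);
    mem_2400[7] = 0x00;
}

/* Mirror of the described loop: r13 = input pointer, r14 = index,
   return value = the r15 flag. */
int check_password(const uint8_t *r13) {
    for (unsigned r14 = 0; r14 != 8; r14++) {
        if (r13[r14] != mem_2400[r14])
            return 0;   /* mismatch: r15 cleared, early return */
    }
    return 1;           /* all 8 bytes matched, terminator included */
}

/* Hypothetical helper: copy a string into a zero-filled buffer, like the
   input buffer in the post's dump, then run the check. */
int try_input(const char *s) {
    uint8_t buf[16] = {0};
    strncpy((char *)buf, s, sizeof buf - 1);
    create_password();
    return check_password(buf);
}

int main(void) {
    printf("testing        -> %d\n", try_input("testing"));
    printf("stored string  -> %d\n", try_input("=\"p2fHZ"));
    printf("stored + extra -> %d\n", try_input("=\"p2fHZX"));
    return 0;
}
```

Because the secret sits in RAM as plain bytes and is compared directly, anyone with debugger access to that memory can read it, which is the weakness this challenge illustrates.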
From this point, we can feel confident about the password we found in memory and use that as our final answer solving the challenge!
I hope that this post was helpful! Feel free to reach out if there is anything I should explain more thoroughly or in a different way. I want to make these the best I can.


