Challenge Overview
Reverse engineering challenge where the malware author forgot to strip symbols, doxing themselves in the process
Description
A new hacker has created a flag exfiltration tool in Rust that sends captured flags to a remote logging service. We believe that the hacker has not been very careful with their operational security and has left a few clues in their work.
Your task is to analyze the binary to find the author’s handle.
Initial Analysis
At first glance this is a reverse engineering problem involving a Rust binary. The description says the author "has not been very careful with their operational security", which strongly suggests that identifying information was left behind in the compiled binary.
Possible Leaks to Expect
- Hardcoded usernames or handles in the binary
- Debug information that might leak personal details
- File paths that could reveal the author’s username
Step-by-Step Solution
Step 1: Understanding the Challenge Structure
The challenge provided a password-protected zip file (flagstealer.zip) with the password infected. This is common practice when distributing malware samples: it stops anyone from accidentally executing the malicious code on their own machine.
Step 2: Extracting the Binary
We can use 7-Zip to extract the binary from the password-protected archive:
7z x flagstealer.zip -o/tmp/flagstealer_extract -pinfected -y
This extracted a single file, flagstealer, an ELF 64-bit executable.
Step 3: Analyzing the Binary
The binary was a Rust executable with debug information included (not stripped; file reports this as "with debug_info, not stripped"). This is crucial because it means the binary carries far more information than a typical release build: symbol names, source file paths and other build-time details.
Step 4: Searching for Strings
We can start by using the strings command to extract all readable strings from the binary:
$ strings /tmp/flagstealer_extract/flagstealer
/lib64/ld-linux-x86-64.so.2
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
SSL_CTX_get_cert_store
SSL_CTX_set_verify
SSL_CTX_use_certificate
SSL_connect
SSL_CTX_set_default_verify_paths
SSL_CTX_use_PrivateKey
...
Step 5: Finding the Author’s Handle
There are a lot of strings in the binary, but we can search for a file path that directly reveals a handle. Rust embeds absolute source paths at compile time, and on Linux those paths start with the developer's home directory, so grepping for home is a quick first check:
$ strings /tmp/flagstealer_extract/flagstealer | grep home
/home/MetaCTF{sup3r_l33t_hax0r_w0w}/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/native-tls-0.2.14/src/imp/openssl.rs
/home/MetaCTF{sup3r_l33t_hax0r_w0w}/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/native-tls-0.2.14/src/lib.rs
/home/MetaCTF{sup3r_l33t_hax0r_w0w}/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/openssl-0.10.73/src/util.rs
/home/MetaCTF{sup3r_l33t_hax0r_w0w}/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/openssl-0.10.73/src/ssl/connector.rs
...
The search revealed many file paths containing the author's handle (the paths under .cargo/registry are embedded as panic-location strings for every dependency, so they show up again and again), and also revealed that the author was developing this binary as malware, in a directory literally named malware:
/home/MetaCTF{sup3r_l33t_hax0r_w0w}/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/...
/home/MetaCTF{sup3r_l33t_hax0r_w0w}/malware/flagstealer
...
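The manual strings | grep home step generalises to a small script that scans any binary for home-directory paths (Linux /home/, macOS /Users/ and Windows C:\Users\), groups them by username and picks the account that appears most often. This is an added example, not part of the original writeup; it reimplements the relevant part of strings so it runs offline, and the sample bytes (with the placeholder handle example_handle) are constructed here rather than taken from the challenge binary.

```python
import re
import sys

# Constructed sample standing in for the binary: binary junk around the kinds
# of strings a Rust build embeds (linker path, OpenSSL imports, panic-location
# source paths). The usernames are placeholders, not the challenge's flag.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"\x01\x02SSL_connect\x00\xff\xfe"
    + b"/home/example_handle/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/openssl-0.10.73/src/util.rs\x00"
    + b"\x00\x01\x02/home/example_handle/malware/flagstealer/src/main.rs\x00"
    + b"/rustc/abcdef/library/core/src/panicking.rs\x00"   # toolchain path, no user
    + b"C:\\Users\\otheruser\\project\\src\\main.rs\x00"   # Windows-style path
    + b"/Users/macdev/.cargo/registry/src/foo.rs\x00"      # macOS-style path
    + b"\x90\x90ab\x00"                                     # too short to be a string
)

# A home-directory prefix followed by the username and a path separator.
HOME_PATH = re.compile(rb"(?:/home/|/Users/|[A-Za-z]:\\Users\\)([^/\\\x00]+)[/\\]")


def extract_strings(data, min_len=4):
    """Equivalent of `strings`: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0) for m in re.finditer(pattern, data)]


def find_home_paths(data):
    """Map each username found in a home-directory path to the paths that mention it."""
    hits = {}
    for s in extract_strings(data):
        m = HOME_PATH.search(s)
        if m:
            user = m.group(1).decode("ascii", "replace")
            hits.setdefault(user, []).append(s.decode("ascii", "replace"))
    return hits


def likely_author(hits):
    """The username with the most embedded paths is the build machine's account."""
    if not hits:
        return None
    return max(hits, key=lambda user: len(hits[user]))


if __name__ == "__main__":
    # Usage: python leakpaths.py /tmp/flagstealer_extract/flagstealer
    # With no argument the constructed sample above is scanned instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    found = find_home_paths(data)
    for user, paths in found.items():
        print(f"{user}: {len(paths)} path(s)")
        for p in paths:
            print("    " + p)
    print("likely author handle:", likely_author(found))
```

On the real sample the most frequent username is the handle, because every dependency compiled from ~/.cargo/registry contributes its own panic-location paths; the one-off paths (such as the malware/flagstealer project directory) are the ones worth reading individually, since they describe what the author was actually building.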
Flag: MetaCTF{sup3r_l33t_hax0r_w0w}