For this challenge, we’re given two files:
8086100f.mrom: BIOS (ia32) ROM Ext. (6*512)
8086100f.mrom.tmp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
Googling the filenames suggests they are related to PXE, so we assume these are dumps of a PXE bootloader. Running strings over the ELF quickly reveals some interesting ones:
$ strings 8086100f.mrom.tmp | grep http
http://ipxe.org
iPXE (http://ipxe.org)
kernel https://secure-doomsday-client-loader.c0.cx/boot/vmlinuz
initrd https://secure-doomsday-client-loader.c0.cx/boot/initrd.gz?include_flag=0
...
So, let’s try to grab that initrd with the include_flag parameter set to 1. Browse to https://secure-doomsday-client-loader.c0.cx/boot/initrd.gz?include_flag=1:
400 Bad Request
No required SSL certificate was sent
It appears it wants us to authenticate using a client certificate, which we don’t have. Obviously, the iPXE loader does. Assuming it stores them in a common (X.509/DER) format, we might be able to extract the client key and certificate using an IDA plugin called sslkeyfinder. As the plugin is no longer available at its original location, you can grab it from the Collaborative RCE Tool Library instead.
Add it to your IDA plugin dir, load 8086100f.mrom.tmp into IDA (as a ‘binary file’, this is important!), then scan for SSL keys/certs by pressing Shift+S. sslkeyfinder should find both an SSLPrivateKey and an SSLCertificate. Dump both.
You should now have both the SSL certificate and key in DER format. You could import the certificate into your browser, but most browsers only accept PKCS#12 certificate/key bundles. Instead, we’ll use wget to grab the initrd:
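The plugin scan can also be reproduced outside IDA, which is handy when auditing firmware images for embedded credentials. The script below is an added example (not the writeup's code and not sslkeyfinder): it walks the blob looking for ASN.1 SEQUENCE headers whose declared length actually fits inside the file, then classifies each hit by the shape of its first elements (PKCS#1 and PKCS#8 private keys, X.509 certificates). The sample image it scans is constructed inline and is not the real 8086100f.mrom.tmp.

```python
def _read_tlv(buf, pos):
    """DER tag/length at pos -> (tag, value_offset, value_len); None if malformed."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F              # long form: 0x8N, then N length bytes
    if first == 0x80 or n > 4 or pos + 2 + n > len(buf):  # 0x80 = indefinite length, not DER
        return None
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    if pos + 2 + n + length > len(buf):                   # declared length overruns the blob: noise
        return None
    return tag, pos + 2 + n, length

def _classify(buf, start):
    """Guess the object type from the first children of a top-level SEQUENCE body."""
    tag, off, ln = _read_tlv(buf, start) or (None, 0, 0)
    if tag == 0x30:                                       # SEQUENCE first: X.509 tbsCertificate?
        inner = _read_tlv(buf, off)
        if inner and inner[0] in (0xA0, 0x02):            # [0] version or INTEGER serialNumber
            return "x509_certificate"
    elif tag == 0x02 and buf[off:off + ln] == b"\x00":    # INTEGER 0: key structure version
        nxt = _read_tlv(buf, off + ln)                    # PKCS#1 continues with INTEGER n,
        if nxt and nxt[0] in (0x02, 0x30):                # PKCS#8 with SEQUENCE AlgorithmIdentifier
            return "rsa_private_key" if nxt[0] == 0x02 else "pkcs8_private_key"
    return None

def find_der_objects(blob, min_len=256):
    """Return [(offset, kind, total_len)] for plausible DER objects found in blob."""
    found, pos = [], 0
    while (pos := blob.find(b"\x30", pos)) >= 0:
        tlv = _read_tlv(blob, pos)
        if tlv and tlv[2] >= min_len and (kind := _classify(blob, tlv[1])):
            found.append((pos, kind, tlv[1] + tlv[2] - pos))
            pos = tlv[1] + tlv[2]                         # skip past it so its children aren't reported
        else:
            pos += 1
    return found

def der(tag, body):                                       # minimal DER TLV encoder, only for the sample
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big") if len(body) >= 0x80 else b""
    return bytes([tag, 0x80 | len(lb) if lb else len(body)]) + lb + body

# Constructed sample image: a bogus SEQUENCE header whose length overruns the blob,
# filler, a PKCS#1-shaped key (version 0, 2048-bit n, e=65537) and a certificate-shaped
# object whose remaining tbsCertificate fields are replaced by an OCTET STRING filler.
FAKE_KEY = der(0x30, der(0x02, b"\x00") + der(0x02, b"\x00" + b"\xAB" * 256) + der(0x02, b"\x01\x00\x01"))
FAKE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x12\x34") + der(0x04, b"\x00" * 300))
                + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) + der(0x03, b"\x00" + b"\xCD" * 128))
SAMPLE_IMAGE = b"\x30\x82\xff\xff" + b"\x00" * 96 + b"iPXE filler" + FAKE_KEY + b"\xFF" * 50 + FAKE_CERT + b"\x00" * 40
```

Each hit can be written out as a separate .der file from the reported offset and length; on a real image expect a few false positives from other ASN.1 data (DH parameters, OID tables), so verify candidates with openssl before trusting them.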
$ wget -O initrd_inc.gz --certificate=ssl.crt --certificate-type=DER --private-key=priv.key --private-key-type=DER --no-check-certificate 'https://secure-doomsday-client-loader.c0.cx/boot/initrd.gz?include_flag=1'
--2012-09-30 20:57:00--  https://secure-doomsday-client-loader.c0.cx/boot/initrd.gz?include_flag=1
Resolving secure-doomsday-client-loader.c0.cx... 22.214.171.124
Connecting to secure-doomsday-client-loader.c0.cx|126.96.36.199|:443... connected.
WARNING: cannot verify secure-doomsday-client-loader.c0.cx's certificate, issued by ‘/C=YO/ST=LO/L=None/O=None/OU=None’:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 6701791 (6.4M) [application/octet-stream]
Saving to: ‘initrd_inc.gz’

100%[==========================================================================================================================================================================>] 6,701,791   1.56MB/s   in 4.3s

2012-09-30 20:57:05 (1.49 MB/s) - ‘initrd_inc.gz’ saved [6701791/6701791]
Then, extract it and grab the key:
$ mkdir initrd
$ cd initrd
$ gunzip -c ../initrd_inc.gz | cpio -i
33269 blocks
$ cat flag.txt
ebef709401cd0ce3665f541c00c0d512
All done! Surprisingly easy for a 500 points challenge.