30 Sep 2012

CSAW 2012 – Reversing 500

For this challenge, we’re given two files:

8086100f.mrom: BIOS (ia32) ROM Ext. (6*512)
8086100f.mrom.tmp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped


Googling the filenames suggests they’re related to PXE, so we assume these are dumps of a PXE bootloader. Running strings over the ELF quickly turns up some interesting lines:

$ strings 8086100f.mrom.tmp | grep http
http://ipxe.org
iPXE (http://ipxe.org) 
kernel https://secure-doomsday-client-loader.c0.cx/boot/vmlinuz
initrd https://secure-doomsday-client-loader.c0.cx/boot/initrd.gz?include_flag=0
...

  1. These appear to be iPXE images
  2. It attempts to boot a Linux kernel/ramdisk from https://secure-doomsday-client-loader.c0.cx
  3. Moreover, the initrd URL contains a mysterious include_flag parameter

So, let’s try to grab that initrd with the include_flag parameter set to 1. Browse to https://secure-doomsday-client-loader.c0.cx/boot/initrd.gz?include_flag=1:
400 Bad Request
No required SSL certificate was sent
nginx/1.1.19

It appears it wants us to authenticate using a client certificate, which we don’t have. Obviously, the iPXE loader does. Assuming it stores the key and certificate in a common (X.509/DER) format, we might be able to extract them from the binary using an IDA plugin called sslkeyfinder. As the plugin is no longer available at its original location, you can grab it from the Collaborative RCE Tool Library instead.

Add it to your IDA plugins directory, load 8086100f.mrom.tmp into IDA (as a ‘binary file’, this is important!), then scan for SSL keys/certs by pressing shift+S. sslkeyfinder should find both an SSLPrivateKey and an SSLCertificate. Dump both.
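The scan sslkeyfinder performs can be reproduced without IDA: DER objects start with a SEQUENCE tag and a length, and a PKCS#1 RSA key and an X.509 certificate can be told apart by their first inner element. The script below is an added example, not the plugin’s code; it runs here against a constructed byte string containing DER skeletons (placeholder numbers, not a real key pair) rather than the ROM dump, and takes a file path as an optional argument.

```python
import re

def classify_der(body):
    """Classify the body of an outer DER SEQUENCE by its first element."""
    # PKCS#1 RSAPrivateKey: SEQUENCE { INTEGER version(0), INTEGER modulus, ... }
    if body[:3] == b'\x02\x01\x00' and body[3:4] == b'\x02':
        return 'SSLPrivateKey'
    # X.509 Certificate: SEQUENCE { SEQUENCE tbsCertificate, ... }
    if body[:1] == b'\x30':
        return 'SSLCertificate'
    return None

def find_der_objects(buf, min_len=64):
    """Return (offset, kind, raw_der) for every plausible key/cert in buf.
    Only two-byte long-form lengths (30 82 LL LL) are considered; that covers
    RSA keys and certificates of realistic size."""
    found = []
    for m in re.finditer(b'\x30\x82', buf):
        pos = m.start()
        length = int.from_bytes(buf[pos + 2:pos + 4], 'big')
        end = pos + 4 + length
        if length < min_len or end > len(buf):
            continue  # too small to be a key/cert, or runs past the end of the dump
        kind = classify_der(buf[pos + 4:end])
        if kind:
            found.append((pos, kind, buf[pos:end]))
    return found

def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed sample "firmware": junk, a PKCS#1 key skeleton, a string, an X.509 skeleton.
# The integers are placeholders, not cryptographic material.
FAKE_KEY = der(0x30, der(0x02, b'\x00') + der(0x02, b'\x00' + b'\xab' * 256)
               + der(0x02, b'\x01\x00\x01'))
FAKE_CERT = der(0x30, der(0x30, b'\xa0\x03\x02\x01\x02' + b'\x00' * 300)
                + der(0x30, b'\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b')
                + der(0x03, b'\x00' + b'\xcd' * 256))
SAMPLE = b'\xff' * 100 + FAKE_KEY + b'iPXE (http://ipxe.org)\x00' + FAKE_CERT + b'\x00' * 50

if __name__ == '__main__':
    import sys
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE
    for pos, kind, raw in find_der_objects(data):
        print('%08x %-14s %d bytes' % (pos, kind, len(raw)))
```

Each hit’s raw bytes can be written straight to a file and used as the DER certificate and key in the wget command that follows.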

You should now have both the SSL certificate and key in DER format. You could import the certificate into your browser, but most browsers only accept PKCS#12 certificate/key bundles. Instead, we’ll use wget to grab the initrd:

$ wget -O initrd_inc.gz --certificate=ssl.crt --certificate-type=DER --private-key=priv.key --private-key-type=DER --no-check-certificate  'https://secure-doomsday-client-loader.c0.cx/boot/initrd.gz?include_flag=1'
--2012-09-30 20:57:00--  https://secure-doomsday-client-loader.c0.cx/boot/initrd.gz?include_flag=1
Resolving secure-doomsday-client-loader.c0.cx... 128.238.66.211
Connecting to secure-doomsday-client-loader.c0.cx|128.238.66.211|:443... connected.
WARNING: cannot verify secure-doomsday-client-loader.c0.cx's certificate, issued by ‘/C=YO/ST=LO/L=None/O=None/OU=None’:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 6701791 (6.4M) [application/octet-stream]
Saving to: ‘initrd_inc.gz’

100%[==========================================================================================================================================================================>] 6,701,791   1.56MB/s   in 4.3s   

2012-09-30 20:57:05 (1.49 MB/s) - ‘initrd_inc.gz’ saved [6701791/6701791]

Then, extract it and grab the key:

$ mkdir initrd
$ cd initrd
$ gunzip -c ../initrd_inc.gz | cpio -i
33269 blocks
$ cat flag.txt   
ebef709401cd0ce3665f541c00c0d512

All done! Surprisingly easy for a 500 points challenge.

One Response to “CSAW 2012 – Reversing 500”

  1. What I did at the time was just hex-editing the mrom file by setting the flag at 1 and then booting the image with VMware… But yes, really easy.