# FAUST 2022 - ghost writeup

This challenge was a “hidden” service for FAUST 2022 CTF.

## The missing service

During this CTF, our deployment of the challenges was a bit weird: when we decrypted them we only found 7 services. Ghost was completely missing and, unexpectedly, when the CTF started it was reported as down.
It took us three hours to find the service and successfully boot it, a gentle reminder that using the provided vulnbox is always a better idea :)

## Python, inside python, inside bash, inside bash, inside a binary

As the service was a “backdoor”, it was lightly hidden inside a “setup” binary.
After fiddling a bit with gdb, unpacking many bash scripts, and fixing broken Python indentation, we managed to extract the source code of the backdoor:

The first thing we did was to analyze the `s` array: we found that it was just an array of chars shifted by 7, so we printed them all.
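The shift-by-7 step above, generalized a little: the following is an added example (not code from the writeup or from the challenge) that tries all 256 byte shifts and ranks them by how much visible ASCII they produce, so the shift does not have to be guessed by hand. The sample table is constructed for the demo, reusing one string from the command format described later in the writeup plus two made-up ones; the real `s` array from the service is not reproduced here.

```python
# Added example (not code from the writeup or from the challenge): the `s`
# array in the backdoor was "an array of chars shifted by 7". Rather than
# assuming the shift, this tries all 256 byte shifts and keeps the ones that
# decode to printable ASCII. The sample table below is constructed for the
# demo; the real array from the service is not reproduced here.


def encode_shift(text: bytes, shift: int) -> list[int]:
    """Obfuscate: add `shift` to every byte (mod 256), giving an int table."""
    return [(b + shift) % 256 for b in text]


def decode_shift(table, shift: int) -> bytes:
    """Undo encode_shift: subtract `shift` from every entry (mod 256)."""
    return bytes((b - shift) % 256 for b in table)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the visible-ASCII range 0x20..0x7e (0.0 for empty input).

    Control characters are deliberately excluded so that tabs/newlines
    cannot make a wrong shift look as good as the right one."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def rank_shifts(table, top: int = 3):
    """Try every shift; return the `top` candidates as (shift, plaintext, score), best first.

    Ties are broken by the smaller shift so the output is deterministic."""
    scored = []
    for shift in range(256):
        candidate = decode_shift(table, shift)
        scored.append((shift, candidate, printable_ratio(candidate)))
    scored.sort(key=lambda t: (-t[2], t[0]))
    return scored[:top]


# Constructed sample table: one string taken from the writeup's command format
# and two made-up strings, all obfuscated with the shift the writeup reports (7).
# Having both a space (0x20) and a '~' (0x7e) in the plaintext is what makes
# the correct shift the only one that decodes to 100% visible ASCII.
SAMPLE_STRINGS = [b"{'cmd': 'GETFILE'}", b"~/.cache/ghost", b"outid"]
SAMPLE_TABLE = [encode_shift(s, 7) for s in SAMPLE_STRINGS]


def recover_sample():
    """Pick one shift for the whole table and decode every entry with it.

    Returns (best_shift, [plaintext, ...])."""
    # Score the concatenation so that a single shift is chosen for all entries.
    flat = [b for entry in SAMPLE_TABLE for b in entry]
    best_shift = rank_shifts(flat, top=1)[0][0]
    return best_shift, [decode_shift(entry, best_shift) for entry in SAMPLE_TABLE]


if __name__ == "__main__":
    shift, strings = recover_sample()
    print(f"best shift: {shift}")
    for s in strings:
        print(" ", s.decode("ascii"))
```

The printable-ratio score is only a heuristic: a table made purely of letters decodes to printable text under many shifts, so in practice you look at the top few candidates and pick the one whose strings make sense in the surrounding code, which is exactly what reading the rest of the backdoor gave the authors here.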

Analyzing the rest of the code, we realized that the backdoor was requesting commands from a server and returning the results to a different port on the same server.

## Bringing the service up

Our first priority was bringing the service up, as at this point we were still not earning points for it.
Our quick patch was to edit the final `for` loop of the program like this:

Running the code then magically worked, and we got our sweet sweet backdoor installed.

## (Guessing) The exploit

Reading the source code we found some comments telling a bit of the lore behind the backdoor’s code.
In particular:

As comments are not usually left in a backdoor, we expected them to be needed for the exploit.
After a lot of brainstorming with my teammates and many random guesses, we realized that the comment was hinting to us that the main server was connecting not only to the checksystem to request commands, but also somewhere else.
As the only way for this to be exploitable was for the server to ask us for commands, we tried opening a listener on the vulnbox on port 1236 (as the comment says that the protocol is the same), and after a few seconds we got a connection!
We then sent the command {'cmd': 'GETFILE', 'outid': 'AAAAAAAAAA', 'sender': 'AAAAAAAAAA'} and listened on the other port (3334) for responses. Immediately after, we got a connection which contained the flags, base64-encoded!

Now the task was automating it.

We set up two services on our vulnbox: one was sending commands, the other was collecting responses and submitting flags.

The sender code: