HTB University CTF 2023 — BioBundle (medium)
Here are the challenge’s details:

As before, we received a zip file containing a binary file. We attempted to run it and examined its functionality.

It is another password or flag checker. The interesting part comes when we open the file with IDA.

We can see that this is a simple console program that dynamically loads a function from a shared library and then calls that function on the user input. dlsym(handle, "") is used to load a function named "" from the shared library. The handle to that shared library comes from the function get_handle(), so we have to open that function to find out more about it.

This function appears to create an in-memory file, write decoded content to it, and then load it as a shared library using dlopen. First, memfd_create creates an anonymous file descriptor, or ‘fd’, in memory. Then, a for loop XORs each element of the array _ with the value 0x37 and writes the result to that in-memory file. The s string is filled with the path to the in-memory file using sprintf. Finally, dlopen is used to dynamically load the content of the in-memory file as a shared library.
We now have to find the values inside the _ array and XOR them with 0x37.

This is a pretty long array, so we suspect that there is something hidden in it. We XOR the first 10 elements with 0x37.

We find out that this is the file signature of a Linux executable file.

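So, we have to export the array, write it out as an executable file, and try to open it with IDA:

# exe.txt holds the exported bytes of the _ array as whitespace-separated hex values
with open('exe.txt', 'rb') as f:
    data = f.read().split()

# Undo the XOR with 0x37 that get_handle() applies before writing to the in-memory file
val = [int(hex_data, 16) for hex_data in data]
res = [value ^ 0x37 for value in val]
res = bytes(res)

# Write the decoded shared library to disk so it can be opened in IDA
with open('inside_bio', 'wb') as f:
    f.write(res)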
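The manual check above (XOR the first bytes with 0x37 and recognise the signature) can be generalised so the key does not have to be read from the disassembly. The following is an added example, not part of the original write-up: it scans a raw byte blob for the ELF magic under every single-byte XOR key and sanity-checks the decoded header. The function names and the sample blob are constructed for illustration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_NAMES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}

def find_xor_elf(blob):
    """Return (key, offset) pairs where blob XOR key shows the ELF magic."""
    hits = []
    for key in range(1, 256):  # key 0 would mean the ELF is not encoded at all
        needle = bytes(b ^ key for b in ELF_MAGIC)
        off = blob.find(needle)
        while off != -1:
            hits.append((key, off))
            off = blob.find(needle, off + 1)
    return hits

def decode(blob, key, offset=0):
    """Undo a single-byte XOR starting at offset."""
    return bytes(b ^ key for b in blob[offset:])

def elf_summary(image):
    """Parse e_ident, e_type and e_machine; raise ValueError if implausible."""
    if len(image) < 20 or image[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = image[4], image[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad e_ident")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", image, 16)
    return {"bits": 32 * ei_class,
            "type": ET_NAMES.get(e_type, hex(e_type)),
            "machine": e_machine}

# Constructed sample: 16 filler bytes, then a minimal 64-byte ELF64 header
# (little-endian, ET_DYN, x86-64) XORed with 0x37 like the array on this page.
hdr = (ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
       + struct.pack("<HH", 3, 62) + bytes(44))
SAMPLE = b"\xaa" * 16 + bytes(b ^ 0x37 for b in hdr)

if __name__ == "__main__":
    for key, off in find_xor_elf(SAMPLE):
        print(hex(key), off, elf_summary(decode(SAMPLE, key, off)))
```

A hit whose header parses as ET_DYN is consistent with a shared library meant for dlopen, which is what get_handle() loads here.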

When we open the file, we get the flag.

We can verify that this is the flag by running the biobundle program again.

