SSH-Client Nsec2020 Write-up

Martin Pouliot
May 18, 2020 · 2 min read

This challenge was pretty easy but definitely interesting. We were told that there was a secret hidden in an SSH client, and we were given the binary. When I first executed the binary, it behaved like a normal OpenSSH client.

Console output of the given binary and the OpenSSH version

I then loaded the binary into Ghidra and looked at the decompiled code for the main function. The binary was not stripped, so main could be located easily. Comparing the decompiled code against the original OpenSSH client source, I located a condition that is not present in the original client.

Decompilation from Ghidra with different code from the original OpenSSH client

I decided to patch the binary to execute this code directly. I patched it using Binary Ninja, since it makes patching so easy. I patched the switch condition to jump to address 0xb275, which is the start of the secret code that was added to the client.

Patched binary in Binary Ninja

Once the patched binary is executed, we can see the secret, which is the flag we are looking for. We only need to pass a bogus argument so that we don't get the help output instead. This flag was worth 2 points.

Output of the patched binary
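The same edit can be made without a GUI. The script below is an added example, not code from the write-up or from OpenSSH: it maps a virtual address to a file offset through the ELF64 program headers, encodes a `jmp rel32` to the target, and NOP-pads whatever the original instruction sequence occupied so the bytes after the patch still disassemble cleanly. Only the target 0xb275 comes from the write-up; the patch site 0xb200, the six-byte `je rel32` assumed to sit there, and the minimal ELF image the script builds for its own demonstration are constructed for the example. Against the real binary you would read the site address and original bytes from the switch dispatch in Ghidra or Binary Ninja and pass them on the command line.

```python
"""Patch a branch in an ELF64 binary into a direct `jmp` to a chosen address.

Added example (not from the write-up or OpenSSH). Assumptions: x86-64 ELF64;
SITE and ORIG_JE are hypothetical, only TARGET (0xb275) is from the write-up.
"""
import struct
import sys

PT_LOAD = 1
SITE = 0xb200                            # hypothetical address of the switch dispatch
TARGET = 0xb275                          # start of the hidden code, per the write-up
ORIG_JE = b"\x0f\x84\x00\x00\x00\x00"    # hypothetical original `je rel32` at SITE


def load_segments(data: bytes):
    """Yield (p_vaddr, p_offset, p_filesz) for every PT_LOAD program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        (p_type, _flags, p_offset, p_vaddr, _paddr,
         p_filesz, _memsz, _align) = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            yield p_vaddr, p_offset, p_filesz


def vaddr_to_offset(data: bytes, vaddr: int) -> int:
    """Map a virtual address to its file offset using the PT_LOAD segments."""
    for p_vaddr, p_offset, p_filesz in load_segments(data):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"{vaddr:#x} is not backed by any PT_LOAD segment")


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """Encode `jmp rel32` (E9 xx xx xx xx); rel is relative to the next instruction."""
    rel = dst - (src + 5)
    if not -(1 << 31) <= rel < (1 << 31):
        raise ValueError("target out of rel32 range")
    return b"\xe9" + struct.pack("<i", rel)


def patch_jump(data: bytes, site: int, target: int, site_len: int,
               expect: bytes = b"") -> bytes:
    """Overwrite `site_len` bytes at virtual address `site` with `jmp target`,
    NOP-padding the rest. If `expect` is given, refuse to patch unless the
    original bytes match it (guards against a wrong address or wrong build)."""
    if site_len < 5:
        raise ValueError("a jmp rel32 needs 5 bytes")
    off = vaddr_to_offset(data, site)
    buf = bytearray(data)
    if expect and bytes(buf[off:off + len(expect)]) != expect:
        raise ValueError(f"bytes at {site:#x} do not match the expected original")
    buf[off:off + site_len] = encode_jmp_rel32(site, target) + b"\x90" * (site_len - 5)
    return bytes(buf)


def build_demo_elf() -> bytes:
    """Constructed, minimal ELF64 image for the demo: one R+X PT_LOAD covering the
    whole file at vaddr 0 (PIE-style) and a `je` placed at SITE. Not the CTF binary."""
    size = 0xc000
    img = bytearray(size)
    img[0:8] = b"\x7fELF\x02\x01\x01\x00"   # magic, ELFCLASS64, LE, EV_CURRENT, SYSV
    # e_type=ET_DYN, e_machine=x86-64, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    struct.pack_into("<HHIQQQIHHHHHH", img, 0x10,
                     3, 0x3e, 1, SITE, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    # p_type, p_flags(R+X), p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    struct.pack_into("<IIQQQQQQ", img, 64, PT_LOAD, 5, 0, 0, 0, size, size, 0x1000)
    img[SITE:SITE + len(ORIG_JE)] = ORIG_JE
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 6:
        # usage: patch_jump.py <in> <out> <site> <target> <site_len>
        site, target, n = (int(x, 0) for x in sys.argv[3:6])
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(patch_jump(data, site, target, n))
    else:
        demo = build_demo_elf()
        out = patch_jump(demo, SITE, TARGET, len(ORIG_JE), ORIG_JE)
        print(f"{SITE:#x}: {demo[SITE:SITE + 6].hex(' ')} -> {out[SITE:SITE + 6].hex(' ')}")
```

The `expect` check is the part worth keeping for real binaries: if the bytes at the address you read out of the decompiler are not the ones you expect, you are either at the wrong address or patching a different build, and a blind write there will silently corrupt an unrelated instruction. Remember that the ELF is left unchanged apart from those bytes, so the patched file still has to be marked executable and, like the original, run with an argument so that the normal client path does not print its usage first.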

SharedSec Write-ups for Nsec 2020
