SSH-Client Nsec2020 Write-up

Martin Pouliot
SharedSec Write-ups
2 min readMay 18, 2020

--

This challenge was pretty easy but was definitely interesting. We were told that there was a secret in a ssh client. We were given the binary. When I first executed the binary, it behaved like a normal OpenSSH client.

Console output of the given binary and the OpenSSH version

I then loaded the binary into Ghidra and looked at the decompiled code for the main function. The binary was not striped so main could be located easily. Using the original source code from the OpenSSH client and the decompiled code, I could locate a condition that was not present in the original client.

Decompilation from Ghidra with different code from the original OpenSSH client

I decided to patch the binary to execute this code directly. I patched the binary using Binary Ninja since it makes patching so easy. I patched the switch condition to go to the address 0xb275 this address is the start of the secret that was added in the code.

Patched binary in Binary Ninja

Once the patched binary is executed we can see the secret which is the flag we are looking for. We only need to add a bogus argument so we don’t get the help output. This flag was worth 2 pt.

Output of the patched binary

--

--