SSH-Client Nsec2020 Write-up

Martin Pouliot
SharedSec Write-ups
2 min read · May 18, 2020

This challenge was pretty easy but was definitely interesting. We were told that there was a secret in an SSH client, and we were given the binary. When I first executed the binary, it behaved like a normal OpenSSH client.

Console output of the given binary and the OpenSSH version

I then loaded the binary into Ghidra and looked at the decompiled code for the main function. The binary was not stripped, so main could be located easily. Comparing the decompiled code against the original OpenSSH client source, I could locate a condition that is not present in the original client.

Decompilation from Ghidra with different code from the original OpenSSH client

I decided to patch the binary to execute this code directly. I patched the binary using Binary Ninja, since it makes patching so easy. I patched the switch condition to jump to the address 0xb275, which is the start of the secret code that was added to the client.

Patched binary in Binary Ninja

Once the patched binary is executed, we can see the secret, which is the flag we are looking for. We only need to add a bogus argument so we don't get the help output. This flag was worth 2 points.

Output of the patched binary
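As an added example (not part of the original write-up and not OpenSSH or Binary Ninja code), here is the bookkeeping step behind patching a binary at an address like 0xb275: walking the ELF program headers to map a virtual address to its file offset, so the bytes there can be read or patched. The ELF image and the secret string below are constructed inline as a stand-in for the challenge binary, which is not included.

```python
import struct

PT_LOAD = 1
SECRET = b"CONSTRUCTED_SECRET\x00"  # constructed stand-in for the hidden string

def load_segments(data):
    """Yield (vaddr, filesz, offset) for every PT_LOAD segment of a little-endian ELF64."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff, = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            yield p_vaddr, p_filesz, p_offset

def vaddr_to_offset(data, vaddr):
    """Translate a virtual address (as shown by Ghidra or Binary Ninja) to a file offset."""
    for p_vaddr, p_filesz, p_offset in load_segments(data):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"{vaddr:#x} is not backed by file bytes")

def read_cstring(data, vaddr):
    """Read a NUL-terminated string stored at a virtual address."""
    off = vaddr_to_offset(data, vaddr)
    return data[off:data.index(b"\x00", off)]

def patch_at_vaddr(data, vaddr, new_bytes):
    """Return a copy of the image with new_bytes written at the given virtual address."""
    off = vaddr_to_offset(data, vaddr)
    vaddr_to_offset(data, vaddr + len(new_bytes) - 1)  # whole range must be file-backed
    patched = bytearray(data)
    patched[off:off + len(new_bytes)] = new_bytes
    return bytes(patched)

def build_sample_elf():
    """Constructed ELF64 image: one PT_LOAD maps file offset 0 to 0xb000, secret at 0xb275."""
    size = 0x275 + len(SECRET)
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0,
                       2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0xb000, 0xb000, size, size, 0x1000)
    image = ehdr + phdr
    return image + b"\x00" * (0x275 - len(image)) + SECRET

if __name__ == "__main__":
    img = build_sample_elf()
    print(hex(vaddr_to_offset(img, 0xb275)), read_cstring(img, 0xb275))
```

On a real binary, read the file into `data` and pass the address taken from the disassembler; the same translation is what lets you confirm a patch landed where intended before running the result.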
