Overview

bin100 is a zip file containing modified ssh binaries and an obfuscated password dump. Inverting every bit of the password dump reveals the plaintext, and one of the recovered passwords is the key.

Writeup

After downloading the archive, we unzip it to find three files: modified versions of ssh and sshd and a binary blob named mac.h. We noticed that inverting the bits of mac.h gave us a plaintext dump of passwords:

$ cat bitflip.py
import sys

# Invert every byte of mac.h (bitwise NOT, masked to 8 bits) and write the result out.
# Iterating a bytes object yields ints on Python 3 and 1-char strings on Python 2,
# so normalise before inverting.
with open("mac.h", "rb") as f:
    data = f.read()

for byte in data:
    value = byte if isinstance(byte, int) else ord(byte)
    sys.stdout.write(chr(~value & 0xFF))
$ python bitflip.py
SSH2_OUT: 192.168.88.61 	user: root 	pass: foobar 	(ddtek.biz)
SSH2_OUT: 192.168.88.61 	user: root 	pass: f00bar 	(ddtek.biz)
SSH2_OUT: 192.168.88.61 	user: root 	pass: mypassw0rd 	(ddtek.biz)
SSH2_OUT: 10.0.2.15 	user: root 	pass: supr3m3p0w3r 	(defcon.org)
pass_from: 10.0.2.15 	user: root 	pass: supr3m3p0w3r 	(defcon.org)
SSH2_OUT: 192.168.88.151 	user: emily 	pass: l0v3ly
SSH2_OUT: 192.168.88.151 	user: emily 	pass: w0nd3rful
SSH2_OUT: 192.168.88.151 	user: emily 	pass: n0pa$$w0rd
pass_from: 192.168.88.151 	user: emily 	pass: l0v3ly 	(hackeruniversity.edu)
pass_from: 192.168.88.61 	user: feather 	pass: l1ght3rthand1rt 	(ddtek.biz)
pass_from: 192.168.88.61 	user: feather 	pass: wh@tsmypa$$ 	(ddtek.biz)
pass_from: 192.168.88.61 	user: feather 	pass: justw@it 	(ddtek.biz)
pass_from: 192.168.88.61 	user: feather 	pass: ohmygoD 	(ddtek.biz)
pass_from: 192.168.88.61 	user: feather 	pass: l1ght3rthand1rt 	(ddtek.biz)
pass_from: 192.168.88.61 	user: emily 	pass: l0v3ly 	(ddtek.biz)
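The bit inversion above is its own inverse, which is why the same one-liner both hides and reveals the dump. The following is an added example, not code from the writeup: it applies the same inversion to a constructed sample (formatted like the lines above, not the real mac.h), checks whether a blob looks like inverted text before bothering to decode it, and parses the SSH2_OUT / pass_from records into structured entries so the harvested host/user/password triples can be listed for rotation. The record layout regex and the Record field names are assumptions based on the dump format shown.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample in the same layout as the recovered dump (not the real mac.h).
PLAIN_SAMPLE = (
    "SSH2_OUT: 192.168.88.61 \tuser: root \tpass: foobar \t(ddtek.biz)\n"
    "pass_from: 192.168.88.151 \tuser: emily \tpass: l0v3ly \t(hackeruniversity.edu)\n"
    "SSH2_OUT: 192.168.88.151 \tuser: emily \tpass: n0pa$$w0rd\n"
)


def invert(data: bytes) -> bytes:
    """Bitwise-NOT every byte (masked to 8 bits). Applying it twice returns the input."""
    return bytes((~b) & 0xFF for b in data)


# The "encrypted" form: every byte of the plaintext inverted, exactly like mac.h.
ENCODED_SAMPLE = invert(PLAIN_SAMPLE.encode("ascii"))


def is_inverted_text(blob: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: does the blob become mostly printable ASCII once inverted?

    Plain printable text inverts to bytes >= 0x80, so genuine text scores ~0 and
    inverted text scores ~1. Useful as a quick triage check on an unknown blob.
    """
    if not blob:
        return False
    inv = invert(blob)
    printable = sum(1 for b in inv if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(inv) >= threshold


class Record(NamedTuple):
    direction: str        # "SSH2_OUT" (client-side capture) or "pass_from" (server-side)
    host: str
    user: str
    password: str
    domain: Optional[str]  # the trailing "(...)" is not present on every line


# Assumed layout: "<tag>: <host> \tuser: <user> \tpass: <pass> [\t(<domain>)]"
LINE_RE = re.compile(
    r"^(?P<dir>SSH2_OUT|pass_from):\s+(?P<host>\S+)\s+user:\s+(?P<user>\S+)"
    r"\s+pass:\s+(?P<pw>\S+)(?:\s+\((?P<domain>[^)]*)\))?\s*$"
)


def parse_dump(blob: bytes) -> List[Record]:
    """Invert the blob and parse each well-formed line into a Record."""
    text = invert(blob).decode("latin-1")  # latin-1 never fails on stray bytes
    records: List[Record] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(Record(m["dir"], m["host"], m["user"], m["pw"], m["domain"]))
    return records


def credentials_by_account(records: List[Record]) -> Dict[Tuple[str, str], Set[str]]:
    """Group captured passwords by (host, user): the list of accounts that need rotating."""
    out: Dict[Tuple[str, str], Set[str]] = {}
    for r in records:
        out.setdefault((r.host, r.user), set()).add(r.password)
    return out


if __name__ == "__main__":
    print("looks inverted:", is_inverted_text(ENCODED_SAMPLE))
    for (host, user), pws in credentials_by_account(parse_dump(ENCODED_SAMPLE)).items():
        print(f"{user}@{host}: {len(pws)} captured password(s)")
```

Pointing parse_dump at the real file is just `parse_dump(open("mac.h", "rb").read())`; the triage check is worth running first on any unknown blob shipped alongside a trojaned binary, since a single-byte transform like this is a common way for a credential logger to keep its output out of plain `strings` output.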

At this point, we got stuck for a while. We tried every string in the decoded text as the key with no luck, so we started digging further. The format of the text dump and the name mac.h made it clear that this was a reference to skynet. We reversed all the modified functions in the ssh binaries and found that the ssh binary had a backdoor that accepted any password for which crypt(password) == "xzoQHjF6pMZlY". We started brute forcing that hash on our GPUs while we took another look to see if there was an easier way.

And then we learned that the key server had initially been malfunctioning, and that one of the decoded passwords was the key all along: supr3m3p0w3r.