Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.

Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:

There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:

The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.

The equation:

cmd[0] = 69

cmd[1] = 78

cmd[1] + cmd[2] = 154

cmd[2] + cmd[3] = 202

cmd[3] + cmd[4] = 241

cmd[4] + cmd[5] = 233

cmd[5] + cmd[6] = 217

cmd[6] + cmd[7] = 218

cmd[7] + cmd[8] = 228

cmd[8] + cmd[9] = 212

cmd[9] + cmd[10] = 195

cmd[10] + cmd[11] = 195

cmd[11] + cmd[12] = 201

cmd[12] + cmd[13] = 207

cmd[13] + cmd[14] = 203

cmd[14] + cmd[15] = 215

cmd[15] + cmd[16] = 235

cmd[16] + cmd[17] = 242

The solution:

cmd[0] = 69

cmd[1] = 75

cmd[2] = 79

cmd[3] = 123

cmd[4] = 118

cmd[5] = 115

cmd[6] = 102

cmd[7] = 116

cmd[8] = 112

cmd[9] = 100

cmd[10] = 95

cmd[11] = 100

cmd[12] = 101

cmd[13] = 106

cmd[14] = 97                    

cmd[15] = 118

cmd[16] = 117

cmd[17] = 125

The flag:

EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

Related word

1. Hacker Tools Online
2. How To Install Pentest Tools In Ubuntu
3. Hacking Tools Windows 10
4. Pentest Tools Bluekeep
5. Hacking Tools For Windows
6. Nsa Hack Tools
7. Pentest Tools For Windows
8. World No 1 Hacker Software
9. Hack Tools Github
10. Hack Tools For Games
11. New Hacker Tools
12. Pentest Tools Free
13. Pentest Tools
14. Hacking App
15. Hak5 Tools
16. Hacking Tools Download
17. Hack Tools Download
18. Hack Tool Apk No Root
19. Pentest Tools For Android
20. Hacking Tools Name
21. What Is Hacking Tools
22. Best Pentesting Tools 2018
23. Pentest Reporting Tools
24. Hacking Tools 2019
25. Hacker Techniques Tools And Incident Handling
26. Pentest Tools Review
27. Hacking Tools Usb
28. Pentest Tools Online
29. How To Hack
30. Pentest Tools Website Vulnerability
31. Hack Website Online Tool
32. Hacker Tools For Mac
33. Github Hacking Tools
34. Growth Hacker Tools
35. Pentest Tools Website
36. Hacking App
37. What Is Hacking Tools
38. Hacking Tools Windows
39. Pentest Tools Windows
40. Hak5 Tools
41. Hacking Tools Pc
42. Hacker Tools For Ios
43. Pentest Tools Bluekeep
44. Hack And Tools
45. World No 1 Hacker Software
46. Hackers Toolbox
47. How To Hack
48. Hack Tools For Ubuntu
49. Nsa Hack Tools Download
50. Pentest Tools Website Vulnerability
51. Hacking Tools For Kali Linux
52. Hack App
53. Hack Tools
54. Hack Tools Download
55. Pentest Tools Apk
56. Pentest Tools Website Vulnerability
57. Hacker Security Tools
58. Nsa Hacker Tools
59. Top Pentest Tools
60. Kik Hack Tools
61. Pentest Tools For Ubuntu
62. Black Hat Hacker Tools
63. Hacking Tools For Windows
64. Pentest Tools Apk
65. Hacker Tool Kit
66. Hack Tools Download
67. Hacking Tools Hardware
68. Hack App
69. Pentest Tools Nmap
70. Pentest Tools Url Fuzzer
71. Pentest Tools Find Subdomains
72. Hacking Tools Pc
73. Hacker Tools Free Download