Challenge 20 ☆☆☆☆

Welcome to Challenge 20. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Hiding in binaries part 2: the C++ binary

Just as with hiding secrets in an application written in C, you end up in a similar situation with C++. Can you find the secret in our binary?

Let’s debunk the "secrets are hard to find in native compiled applications" myth for C++: can you find the secret in wrongsecrets-cplus (or wrongsecrets-cplus-arm, wrongsecrets-cplus-linux)?

Answer to solution:

This challenge specifically looks at a secret in a C++ binary.

You can solve this challenge using the following steps:

  1. Find the secrets with Ghidra.

    • Install Ghidra.

    • Start it with ghidraRun.

    • Load the application wrongsecrets-cplus into Ghidra by creating a new project, importing the file and then double-clicking on it.

    • Allow Ghidra to analyze the application.

    • Search for the secret: go to Functions on the left-hand side and select __Z6secretv(). On the right-hand side of the screen you can now see the secret. This is a string in C++, wrapped in another class (SecretContainer).

    • Search for the same secret, which is "hidden" as a char array: go to Functions on the left-hand side and select Z7secret2v(). On the right-hand side you see the function; now click on the return result of the function at ZZ7secret2vE6harder. You can now see the result in the Listing view.

    • Alternatively, once you have analyzed the application with Ghidra: do a search for strings in all blocks and see if you can spot the secret ;-).

  2. Find the secrets with radare2.

    • Install radare2 with either brew install radare2 on Mac, or follow these steps: git clone https://github.com/radareorg/radare2; cd radare2; sys/install.sh

    • Launch r2 analysis with $ r2 -A wrongsecrets-cplus

    • Use the command pdf @ sym.secret__ to see the disassembled output of the function that returns the secret.

    • Use the command pdf @ sym.secret2__ to see the disassembled output of the function that returns secret2.

Why using binaries to hide a secret will only delay an attacker

With excellent free reverse engineering tools such as Ghidra, not much stays hidden. Anyone who can load the executable into Ghidra or radare2 can easily start reconnaissance and find the secrets within your binary.

Encrypting the secret with a key embedded in the binary, and other such puzzles, do delay an attacker and just make finding the secret more fun. Be aware that if the secret needs to be used by the executable, it eventually has to be in memory, ready to be used.
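As an added example (not code from the WrongSecrets project), the following C++ program models the "search for strings" step from the Ghidra walkthrough and the embedded-key point from the paragraph above on a constructed byte image: the std::string and char-array secrets are found by a plain printable-run scan, and the XOR-obfuscated copy falls to one pass once the key stored beside it is read. All names, offsets and values are made up for the illustration.

```cpp
// Added example (not WrongSecrets project code): a "strings"-style scan over a
// constructed byte image standing in for a binary's .rodata, showing that the
// secret is recoverable as a std::string, a char array, or XOR-ed with an embedded key.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
// Constructed stand-ins for the data a compiler emits; not the real secrets.
constexpr char kLiteral[] = "ConstructedStringSecret";    // std::string source
constexpr char kHarder[]  = "ConstructedCharArraySecret"; // char array
constexpr char kPlain[]   = "ConstructedXorSecret";       // XOR-ed at "build"
constexpr uint8_t kKey    = 0x5a;
constexpr size_t kKeyOffset = sizeof(kLiteral) + sizeof(kHarder); // key follows the arrays

std::vector<uint8_t> constructed_image() {
    std::vector<uint8_t> img;
    img.insert(img.end(), kLiteral, kLiteral + sizeof(kLiteral)); // NUL included
    img.insert(img.end(), kHarder, kHarder + sizeof(kHarder));
    img.push_back(kKey);
    for (size_t i = 0; i + 1 < sizeof(kPlain); ++i)
        img.push_back(static_cast<uint8_t>(kPlain[i] ^ kKey));
    img.push_back(0x00);
    return img;
}

// Runs of at least min_len printable ASCII bytes, as `strings` lists them.
std::vector<std::string> printable_runs(const std::vector<uint8_t>& image, size_t min_len) {
    std::vector<std::string> out; std::string run;
    for (uint8_t b : image) {
        if (b >= 0x20 && b < 0x7f) { run.push_back(static_cast<char>(b)); continue; }
        if (run.size() >= min_len) out.push_back(run);
        run.clear();
    }
    if (run.size() >= min_len) out.push_back(run);
    return out;
}

bool strings_scan_finds(const std::vector<uint8_t>& image, const std::string& needle) {
    for (const std::string& s : printable_runs(image, 4))
        if (s.find(needle) != std::string::npos) return true;
    return false;
}

// The XOR-ed copy is no printable run, but with the key beside it one pass up to the terminator yields the plaintext.
std::string recover_xor_secret(const std::vector<uint8_t>& image, size_t key_offset) {
    std::string out;
    for (size_t i = key_offset + 1; i < image.size() && image[i] != 0x00; ++i)
        out.push_back(static_cast<char>(image[i] ^ image[key_offset]));
    return out;
}
```

The two cleartext secrets surface in the scan exactly as the Ghidra string search above finds them, while the obfuscated one only costs the analyst the extra step of reading the key from the listing.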

Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server.