Challenge 22 ☆☆☆☆☆

Welcome to challenge Challenge 22. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Hiding in binaries part 4: the Rust binary

Similar like hiding secrets in an application written in C, you can do this in Rust. Ghidra is not that good at analysing Rust by default, though…​ Can you find the secret in our binary?

Let’s debunk the "secrets are hard to find in native compiled applications" myth for Rust: can you find the secret in wrongsecrets-rust (or wrongsecrets-rust-arm, wrongsecrets-rust-linux)?

Answer to solution :

This challenge is specifically looking at a secret in a Rust binary based on a release profile.

You can solve this challenge using the following steps:

  1. Find the secrets with Ghidra.

    • Install Ghidra.

    • Start it whit ghidraRun.

    • Load the application wrongsecrets-rust into ghidra by choosing a new project, then import the file and then doubleclick on it.

    • Allow the Ghidra to analyze the application.

    • Now import demangle script and run it via the Ghidra Script manager to demangle the functions.

    • Find the main function in the rust namespace

    • Find the argument that needs to be compared (in our example that is local_80 as defined in std::env::args((env *)&local_80);)

    • Find where the argument is compared (in our example that is iVar1 = __stubs::_memcmp(local_80,puVar2,0x3b);)

    • Now search the input it is compared to (puVar2) its value. Can you find the secret?

    • Alternatively: Go to the data type manager in the bottom left, now filter for string, now right-click at string as a member of wrongsecrets-rust and select find uses of. Then, filter for known keywords: you should easily be able to find the secret now!

  2. Find the secrets with radare2.

    • Install radare2 with either brew install radare2 on Mac or follow these steps: git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh

    • Launch r2 analysis with $ r2 -AAA wrongsecrets-rust

    • Print the entrypoint s sym.rust::main::h66ace6a84e548891 and then pdf. (not the default main!)

    • Find the argument that needs to be compared with pdf | grep memcmp (in our example that is r12).

    • Try to find how this argument is prepared. Can you spot the secret?

    • Alternatively: after launching radare2, run iz | grep secret and find the string.

Why Using binaries to hide a secret will only delay an attacker.

With beautiful free Reverse engineering applications as Ghidra, not a lot of things remain safe. Anyone who can load the executable in Ghidra or Radare2 can easily start doing a reconnaissance and find secrets within your binary.

Encrypting the secret with a key embedded in the binary, and other funny puzzles do delay an attacker and just make it fun finding the secret. Be aware that, if the secret needs to be used by the executable, it eventually needs to be in memory ready to be executed.

Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server.