Challenge 19

Welcome to challenge 19. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Hiding in binaries part 1: the C binary

We need to put a secret in a mobile app! Nobody will notice the secret in our compiled code! This is a misbelief we have often encountered when presenting on mobile security topics.

Let’s debunk this myth for C: can you find the secret in wrongsecrets-c (or wrongsecrets-c-arm, wrongsecrets-c-linux)?

Answer to solution :

This challenge is specifically looking at a secret in a C binary

You can solve this challenge using the following steps:

  1. Find the secrets with Ghidra.

    • Install Ghidra.

    • Start it whit ghidraRun.

    • Load the application wrongsecrets-c into ghidra by choosing a new project, then import the file and then doubleclick on it.

    • Allow the Ghidra to analyze the application.

    • Search for the secret: Go to Functions on the left-hand side, select _secret . Now on the screen on the right-hand side you can see the secret. This is a string in C.

    • Search for the same secret, which is "hidden" as a char array: Go to Functions on the left-hand side, select _secret2. See that this returns a label on your right-hand side. Now open Labels on the left-hand side, select the label returned by _secret2 (_secret2.label) and find the answer in the center. This is a Char array in C.

  2. Find the secrets with radare2.

    • Install radare2 with either brew install radare2 on Mac or follow these steps: git clone; cd radare2 ; sys/

    • Launch r2 analysis with $ r2 -A wrongsecrets-c

    • Filter functions by term secret using afl: afl~secret, get the list of functions

    • Use command pdf @ sym._secret to see disassembled output of function which returns secret

    • Use command pdf @ sym._secret2 to see disassembled output of function which returns secret2

Why Using binaries to hide a secret will only delay an attacker.

With beautiful free Reverse engineering applications as Ghidra, not a lot of things remain safe. Anyone who can load the executable in Ghidra or Radare2 can easily start doing a reconnaissance and find secrets within your binary.

Encrypting the secret with a key embedded in the binary, and other funny puzzles do delay an attacker and just make it fun finding the secret. Be aware that, if the secret needs to be used by the executable, it eventually needs to be in memory ready to be executed.

Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server.