Huntress 2024 CTF Go Malware GoCrackMe1 Challenge using IDA
In GoCrackMe1 from the Huntress 2024 CTF, we’re tackling a simple Golang binary using IDA Free (Interactive Disassembler). This is a chance to see what a non-stripped Go binary looks like, so you can read function names plainly, and to build familiarity with decompiling and reviewing Go binaries, since Go is becoming more popular in the toolkits of adversaries trying to build more complicated malware that is hard to detect.
Reverse Engineering with IDA against Go binaries:
When we run the Go binary from this challenge we are presented with an “Access Denied!” statement. We can examine the file and see it is a 64-bit ELF (Linux) file that is not stripped and written in Golang. We can open this with a variety of reverse engineering tools, in this particular case I will be using the IDA Free version.
We can load the binary into IDA by disassembling a new file and accepting all the default parameters.
When we open the Go binary in IDA, it defaults to the main function in the main window. The main function is a good place to start because it calls the other functions and determines the program flow. We are looking at a lot of assembly language, so reading a book like “Hacking: The Art of Exploitation” by Jon Erickson or taking a course on Hack The Box would prove invaluable for this type of work later, or you can use artificial intelligence to help explain concepts along the way. In the meantime, look for clear-text strings.
Because this is a non-stripped binary, we can read the function names easily, which helps a ton: we do not need to do any work to find the main function or the others. This window is good for navigating our functions and jumping to particular points in the program, as an alternative to clicking on the instructions of interest where they occur in the main window.
Scrolling to the bottom of the main function we can see the “Access Denied” string in clear text. So we know this is where that part of the program executes, but we also see another arrow pointing toward something that seems to be comparing and then printing a string; this appears to be the code that prints the flag.
What is interesting on the assembly side is that the top statement where the two arrows lead is a JZ instruction, jz short loc_483719. JZ means Jump if Zero, so when the zero flag is set it jumps to the default Access Denied path. We can change the way the program works by amending that to JNZ (Jump if Not Zero) and redirecting the program flow.
We can achieve this by highlighting the statement that is executing the JZ and changing to JNZ through the patch program function under EDIT:
When we go to Edit > Patch Program > Assemble, we change the JZ to JNZ and click ‘OK’, and we will see this change reflected in the window showing our assembly code.
You can see the reflected change below. Now we need to go back to Edit > Patch Program > Apply Patches to Input File in order to save those changes to the binary itself. When we run the binary next, we will be able to redirect the program’s original intentions to our modified ones.
Now when we execute the program we will receive our flag.
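To make concrete how small that patch is, here is an added Python example (not code from the writeup or the challenge): it decodes a short jz/jnz the way IDA displays it, applies the same jz-to-jnz flip the writeup does via Edit > Patch Program, and reports what a file-integrity check sees afterwards. The byte fragment, load address and offsets are constructed for illustration and are not taken from the challenge binary.

```python
import hashlib

# Short (rel8) conditional-jump opcodes on x86/x86-64.
JZ_SHORT, JNZ_SHORT = 0x74, 0x75

# Constructed sample fragment (not bytes from the challenge binary):
#   test al, al        84 C0
#   jz   short +0x07   74 07      <- the check the writeup flips
#   mov  eax, 1        B8 01 00 00 00
#   jmp  short +0x02   EB 02
#   xor  eax, eax      31 C0      <- jz target ("Access Denied" path)
#   ret                C3
SAMPLE = bytes.fromhex("84c0 7407 b801000000 eb02 31c0 c3".replace(" ", ""))
SAMPLE_BASE = 0x483700  # constructed load address for the fragment
JZ_OFFSET = 2           # offset of the jz inside SAMPLE


def decode_short_jcc(code, offset, base):
    """Decode a 2-byte short jz/jnz at `offset`; returns (mnemonic, target) or None."""
    opcode = code[offset]
    if opcode not in (JZ_SHORT, JNZ_SHORT):
        return None
    rel8 = int.from_bytes(code[offset + 1:offset + 2], "little", signed=True)
    # The displacement is relative to the end of the 2-byte instruction.
    return ("jz" if opcode == JZ_SHORT else "jnz", base + offset + 2 + rel8)


def flip_short_jcc(code, offset):
    """Return a patched copy with jz<->jnz at `offset`: the one byte that changes
    when IDA reassembles 'jz short X' as 'jnz short X'."""
    if decode_short_jcc(code, offset, 0) is None:
        raise ValueError("no short jz/jnz at offset %#x" % offset)
    patched = bytearray(code)
    patched[offset] ^= 0x01  # 0x74 <-> 0x75
    return bytes(patched)


def integrity_report(original, candidate):
    """What a file-integrity check sees: hash mismatch plus the exact offsets that changed."""
    changed = [i for i, (a, b) in enumerate(zip(original, candidate)) if a != b]
    same_hash = hashlib.sha256(original).digest() == hashlib.sha256(candidate).digest()
    return {"sha256_match": same_hash, "changed_offsets": changed}


if __name__ == "__main__":
    before = decode_short_jcc(SAMPLE, JZ_OFFSET, SAMPLE_BASE)
    patched = flip_short_jcc(SAMPLE, JZ_OFFSET)
    after = decode_short_jcc(patched, JZ_OFFSET, SAMPLE_BASE)
    print("before:", before, "after:", after)
    print(integrity_report(SAMPLE, patched))
```

The jump target is unchanged by the patch; only the condition under which it is taken is inverted, and a known-good hash of the original binary is enough to catch the single modified byte.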