Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added; they don't specify whether it is an authentication backdoor, a special command or something else.

I started by looking for something weird in the authentication routines, but I didn't find anything significant in a brief period of time, so I decided to do a bindiff, which was the key to locating the backdoor quickly. I did a quick diff of the strings with the commands "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl", which is weird because it is a call for executing ELFs, not needed for an FTP service, and weird that the compiled binary doesn't have that symbol.
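The same strings comparison can be scripted as a triage check. This is an added example, not code from the original write-up: the two byte blobs are constructed stand-ins for the clean build and the suspect binary, and the watch list of process-spawning calls is an assumption.

```python
import re

# Constructed watch list: process-spawning libc calls a plain FTP daemon
# would not normally import (an assumption of this example).
WATCHLIST = {"execl", "execve", "system", "popen"}

# Constructed stand-ins for the clean build and the suspect binary.
REFERENCE = b"\x7fELF\x01\x01\x00socket\x00bind\x00listen\x00accept\x00"
SUSPECT = REFERENCE + b"execl\x00dup2\x00/bin/sh\x00"


def extract_strings(blob, min_len=4):
    """Return the set of printable-ASCII runs, like `strings | sort -u`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, blob)}


def added_strings(reference, suspect):
    """Strings present only in the suspect binary, sorted."""
    return sorted(extract_strings(suspect) - extract_strings(reference))


def flagged(reference, suspect):
    """Added strings that match the watch list."""
    return [s for s in added_strings(reference, suspect) if s in WATCHLIST]


if __name__ == "__main__":
    print("added:  ", added_strings(REFERENCE, SUSPECT))
    print("flagged:", flagged(REFERENCE, SUSPECT))
```
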





Looking at the xrefs of "execl" in IDA, I found code that is a clear backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr to the socket and uses execl:



There is one xref to this function: the function that decides when to trigger it, which is a system-of-equations kind of decision:


The backdoor was not in the authentication; it was a special command that triggers the backdoor, which is obfuscated in that system of equations. It was not necessary to use the z3 equation solver because it is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}
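The hand calculation can be checked mechanically. This is an added example, not code from the original write-up: each pairwise sum fixes the next byte once cmd[1] is known, so the script treats cmd[1] as unknown, tries every printable value and keeps the commands that stay printable. The equation listing gives cmd[1] = 78 while the solution gives 75; only 75 satisfies the sums with the listed solution bytes, and the "EKO{" prefix filter is taken from the flag on the page.

```python
# Pairwise sums copied from the page: SUMS[i] = cmd[i+1] + cmd[i+2]
SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
        195, 195, 201, 207, 203, 215, 235, 242]
CMD0 = 69  # cmd[0] from the page


def solve_chain(cmd0, cmd1, sums):
    """Back-substitute: every byte is the sum minus the previous byte."""
    cmd = [cmd0, cmd1]
    for s in sums:
        cmd.append(s - cmd[-1])
    return cmd


def is_printable(cmd):
    return all(0x20 <= c <= 0x7E for c in cmd)


def candidates(cmd0, sums):
    """Map each printable cmd[1] to its command, if the chain stays printable."""
    found = {}
    for cmd1 in range(0x20, 0x7F):
        cmd = solve_chain(cmd0, cmd1, sums)
        if is_printable(cmd):
            found[cmd1] = bytes(cmd).decode("ascii")
    return found


def with_prefix(cands, prefix):
    """Keep only candidates that start with the known flag prefix."""
    return [text for text in cands.values() if text.startswith(prefix)]


if __name__ == "__main__":
    cands = candidates(CMD0, SUMS)
    for cmd1, text in sorted(cands.items()):
        print(cmd1, text)
    print("matches flag format:", with_prefix(cands, "EKO{"))
```
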

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

