[H4CK1T 2016] Hex0gator – Paraguay Writeup

Standard

Description:

EN: All Experts of The Silver Shield Project can’t decipher the intercepted data. Who knows, maybe you can do it?
100_00edb54bed7e46bd5cdb7c06059881c2

 

In this PPC 250 pts challenge we got only one file. Let’s run File command on it to determine it’s type.

Megabeets:/tmp/h4ckit/paraguay# file 100_00edb54bed7e46bd5cdb7c06059881c2
100_00edb54bed7e46bd5cdb7c06059881c2: Zip archive data, at least v2.0 to extract

 

This is a zip file which contains another folder within. The folder contains a file named ‘99‘. Let’s extract it and figure out it’s type:

Megabeets:/tmp/h4ckit/paraguay# file 99
99: Zip archive data, at least v1.0 to extract

99 is also a zip file, and inside it has another zip, and another zip… well, I see where it going to. I wrote a simple Powershell script to extract all the archives using the ultimate archive manipulator – 7-zip.

# Set $path to a folder only with the file '99'
# 99 Exists in 'work_folder' inside the first archive

$path = "C:\\your\\\path"

while($true)
{
    $file = (gci $path)[0]
    &'C:\Program Files\7-Zip\7z.exe' e $file.Fullname -y > $null
    if($file.Name -eq 'flag')
    {
        # print the content of the file
        gc $file
        break;

    }
    else
    {
        Remove-Item $file.Fullname
    }
}

Now let’s run it:

PS C:\h4ckit\paraguay> C:\h4ckit\paraguay\solve.ps1
FLAG: 0W_MY_G0D_Y0U_M4D3_1T

 

Share

[CSAW 2016] Gametime Writeup

Standard

Description:

Guess what time it is! That’s right! Gametime! Wowwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww!!!!!!!!!!!!

Author: Brad Antoniewicz

note: flag is not in flag{} format

gametime.exe

To be honest, I downloaded the file, played the game once and got the key. It is possible for humans to win the game, or maybe it’s just my Super-Vegan powers LOL.
But I wanted, of course, to get the key using RE. I opened IDA and searched for interesting strings.
.rdata:00A17858 00000014 C \rGet ready to play\n                                     
.rdata:00A1786C 00000034 C \rZOMGZOMGOZMGKZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMG\n     
...     
.rdata:00A17970 00000033 C \rZOMGZOMG           YOU DID IT!!!        ZOMGOZMG\n      
.rdata:00A179A4 00000033 C \rZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMG\n      
...                                              
.rdata:00A179E0 0000000F C key is %s (%s)                                            
.rdata:00A179F4 0000002C C \nWhen you see an 's', press the space bar\n\n            
.rdata:00A17A20 0000002C C \nWhen you see an '%c', press the '%c' key\n\n            
.rdata:00A17A50 00000010 C key is %s (%s)\r                                          
.rdata:00A17A60 0000002B C \rUDDER FAILURE! http://imgur.com/4Ajx21P \n              
.rdata:00A17A8C 00000024 C \r                                 \r                     
.rdata:00A17AB0 0000002A C UDDER FAILURE! http://imgur.com/4Ajx21P \n                
.rdata:00A17ADC 00000005 C %02x                                                      
.rdata:00A17AEC 00000034 C \r\tZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMG\n    
.rdata:00A17B20 00000010 C \tkey is %s (%s)                                          
.rdata:00A17B30 00000034 C \r\tZOMGZOMG                                ZOMGZOMG\n    
.rdata:00A17B64 00000034 C \r\tZOMGZOMG     TAP TAP REVOLUTION!!!!!!!  ZOMGZOMG\n    
.rdata:00A17B98 00000036 C \r\tZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMG\n\n\n
.rdata:00A17BD0 00000020 C \r\t              R U READDY?!\n\n\n                      
.rdata:00A17BF0 0000001D C \rThe game is starting in...\n                            
.rdata:00A17C10 00000033 C \rTRAINING COMPLETE!                              \n      
.rdata:00A17C48 0000002A C \rNow you know everything you need to know                
.rdata:00A17C74 0000001F C \n\n\nfor the rest of your life!\n                        
.rdata:00A17C94 0000000D C LETS PLAY !\n                                             
.rdata:00A17CA4 00000016 C \rooooh, you fancy!!!\n                                   
.rdata:00A17CBC 00000011 C NIIICE JOB)!!!!\n                                         
.rdata:00A17CD0 00000012 C \rTURBO TIME!    \n

I highlighted the important lines: The success message (I know, I got it when I played) and the failure messages. Using X-Refs I found where the failure messages are printed out and patched the program to jump to the success instead. Notice that you’ll need to change two functions.

1st jump to change:

gametime_1

2nd jump to change:

gametime_2

Now apply the patches to the program and run it. Let the game play alone and the key will be printed.

The key is: (no5c30416d6cf52638460377995c6a8cf5)

Share

[CSAW 2016] Key Writeup

Standard

Description:

So I like to make my life difficult, and instead of a password manager, I make challenges that keep my secrets hidden. I forgot how to solve this one and it is the key to my house… Can you help me out? It’s getting a little cold out here.

NOTE: Flag is not in normal flag format.

Running the file we end up with a message: “?W?h?a?t h?a?p?p?e?n?”
Let’s open the exe in IDA and view it’s strings looking for interesting strings.
.rdata:00AB52B8 00000029 C C:\\Users\\CSAW2016\\haha\\flag_dir\\flag.txt
.rdata:00AB52E4 00000016 C ?W?h?a?t h?a?p?p?e?n?                        
.rdata:00AB52FC 00000021 C |------------------------------|             
.rdata:00AB5320 00000021 C |==============================|             
.rdata:00AB5344 00000021 C \\  /\\  /\\  /\\  /\\==============|        
.rdata:00AB5368 00000021 C  \\/  \\/  \\/  \\/  \\=============|        
.rdata:00AB538C 00000021 C                  |-------------|             
.rdata:00AB53B0 00000015 C Congrats You got it!                         
.rdata:00AB53C8 00000012 C =W=r=o=n=g=K=e=y=

We have 4 interesting strings:

  • A path: C:\\Users\\CSAW2016\\haha\\flag_dir\\flag.txt
  • The known message: ?W?h?a?t h?a?p?p?e?n?
  • Good key: Congrats You got it!
  • Bad key: =W=r=o=n=g=K=e=y=

Visiting the function that uses the path string (X-ref) we understand the program is trying to read the key from it, if it doesn’t exists we would get: ?W?h?a?t h?a?p?p?e?n?

I Created the txt file with “aaa” inside and ran again, this time I set a breakpoint before the decision whether to jump to the success or failure message.

asm_key_csaw

Now let’s see what we have in what seem like the comparison function.

Stepping the lines we can see that my “aaa” is compared with a string.

csaw_key_eax

This string is the key “idg_cni~bjbfi|gsxb” and also the flag to the challenge.

 

Share

[CSAW 2016] Sleeping Guard Writeup

Standard

Description:

Only true hackers can see the image in this magic PNG….
nc crypto.chal.csaw.io 8000

Author: Sophia D’Antoine
sleeping_dist.py

We are given with python script, Netcat command and a hint about a PNG file. Let’s run Netcat and see what we will get:

[Megabeets] /tmp/CSAW/clam# nc crypto.chal.csaw.io 8000
3j8PL1JLRUFleSEyHicFOl9BXrdleSGXX2lBaF9EZRcjeSE/UwgAJR5BX/rqct1eUm9BaH8iFxkoeSFFcW9B6NtBX7FleSG/v29BHW9BX6EFeSEFz29Bfy/d5RpZeSE/Xh8JMSxBX1kReSEtI26fDkA5X0tkIEhrDxsZJRN7PCQIV0BbOA0kRicsL0tleSE/axd7EDIxMi4RGAFHOgMvG2U5YmkEHU5
...
<alot of base64 text here>
...

We received a base64 encoded text from the server. It is probably our image so let’s decode it and save it to file:

[Megabeets]$> nc crypto.chal.csaw.io 8000 | base64 --decode > out.png

Trying to open the image we faced with an error, our image-viewer could not open the file. Open the file with text viewer and see that there is no PNG header. So, we have the image but it somehow encoded and we need to find out how to decode it. Let’s look at the script, the answer will probably be there. It’s not so long so I attached it here:

import base64
from twisted.internet import reactor, protocol
import os

PORT = 9013

import struct
def get_bytes_from_file(filename):  
    return open(filename, "rb").read()  
    
KEY = "[CENSORED]"

def length_encryption_key():
    return len(KEY)

def get_magic_png():
    image = get_bytes_from_file("./sleeping.png")
    encoded_string = base64.b64encode(image)
    key_len = length_encryption_key()
    print 'Sending magic....'
    if key_len != 12:
        return ''
    return encoded_string 
    

class MyServer(protocol.Protocol):
    def connectionMade(self):
        resp = get_magic_png()
        self.transport.write(resp)

class MyServerFactory(protocol.Factory):
    protocol = MyServer

factory = MyServerFactory()
reactor.listenTCP(PORT, factory)
reactor.run()

Look at the highlighted rows. You can see that after encoding the file with base64 the script is checking whether the size of the encryption key is 12 . We don’t see any encryption in the script except the encoding itself but we can assume that in the original script an encryption is done using 12 bytes long key. But what encryption? There are billion of options, how can we find the right decryption algorithm to use? Well, the answer is simple – this is a CTF and the admins know that we cannot try all the possible decryption methods so it will probably be the banal option: XOR.

After choosing our encryption method let’s think how can we find the key itself. We know the file is a PNG image, so we can XOR the first 12 bytes of the encrypted flle with the first 12 bytes of normal PNG file.

89 50 4E 47 0D 0A 1A 0A 00 00 00 0D XOR DE 3F 0F 2F 52 4B 45 41 65 79 21 32 == 57 6F 41 68 5F 41 5F 4B 65 79 21 3F  

which  in ASCII is: “WoAh_A_Key!?”

Now that we have the key we can let python do it’s magic:

def xor(data, key):
    l = len(key)
    return bytearray((
        (data[i] ^ key[i % l]) for i in range(0,len(data))
    ))

# Read the encrypted image as bytearray
data = bytearray(open('out.png', 'rb').read())

# This is our key as bytearray: "WoAh_A_Key!?"
key = bytearray([0x57, 0x6f, 0x41, 0x68, 0x5f, 0x41, 0x5f, 0x4b, 0x65, 0x79, 0x21, 0x3f])

with open('decrypted.png', 'w') as file_:
    file_.write(xor(data,key))

And you’ll get the image and the flag:

sleping_guard

Share