April 2017 – My personal space

This is the second part of recent challenge posted by the Shabak.

Hey there fellow researcher! In every challenge in the ‘Airplane’ flow you’ll have to get to a point where a password is shown, feel free to use Dissasemblers, Debuggers or what ever you want.

Airplane 1

The intergalactic prison is in a secret location and we don’t know where it is…
We pulled some strings and found an intergalactic prison guard program which is willing to tell us the prison’s coordinates.
Sadly, we don’t know how to talk to it…
Show us what you got and get the prison’s location.

At this stage we have an executable file which should display the flag.
We can see an interesting path at the strings:

We created the file but Shabak will not make this challenge that easy, it is time to get our hands dirty and dive into assembly.
By searching for the folder, we can see that the program is reading folder’s attributes and compares them to hardcoded values.
There are two checks that will lead us to failure and will not let us reach the protected area which should reveal the flag.

Simply, fill these checks with NOPs and hope for the best.

And as expected we have the flag!

Airplane 2

HOMEBASE team is working on deciphering the prison messaging system, luckily for us our operatives found a program that knows the encryption key, but unfortunately the program is refusing to talk (maybe a technological approach is better suited for this job since Spanish didn’t work).
We need you to*Make It Talk*

At this level we get a Portable Executable file – ‘Second.exe’.
We run it and he is asking for a password, after some random password is given he is trying to execute ‘GettingSchwifty.bat’ batch file.

The file does not have any known magic number, and the content looks encrypted. I guess my password was wrong.

By looking at ‘Second.exe’ source code, we can see that ‘GettingSchwifty.bat’ is actually a DLL.

We also found out that XOR used to decrypt ‘GettingSchwifty.bat’ data.
At this point we have two options, we can reverse ‘Second.exe’ to find what should be the password, or we can XOR ‘GettingSchwifty.bat’ with a key to get the correct data.
The second method is easier (at this case), we can do it because we know that the used algorithm was XOR on each 4 bytes, and we know what the output should be – a DLL.
DLLs have the same struct (same as PE) and by knowing this we can find what should be the key for ‘GettingSchwifty.bat’ and get our desired DLL.

(Image from adlice.com)
We will take the 32 bit starting from offset 0x20 (00 00 00 00 on ‘regular’ PE file), and compare them to the bits on ‘GettingSchwifty.bat’ (BA DB A5 96).
Because we know that XOR was used, [00000000 XOR 5ADBA596 = 5ADBA596] – and this is our key.
The following script did the trick:

The next part is breaking that DLL, lets get to it.
We noticed the following code:

The DLL will open a pipe called ‘flumbus_channel’, ask us a question by writing it to the pipe, read our answer from the pipe.
The question is ‘What is cooler than being cool?‘.
I have never worked with pipes and I am too lazy to start coding, so I will just replace pipe’s path with my .txt file with the answer, so the DLL will read the answer straight from my file (also don’t forget to skip the WriteFile part so our answer will not get corrupted).
So after skipping the WriteFile part and reading the answer, the rest was clear and we have our password.

This is a write-up of the CTF Shabak posted at April 2017.

Step 0

We begin with the following image:

And after we decode as base64 we get:

Browsing to the given address will lead us to the actual challenge, I honestly don’t know why all those challenges starting with base64.
We will choose the development team and will return back to research team once we are done.

Homebase 1

“Staff Sergeant Foxy” Managed to get his hands on secret source code from the intergalactic prison!
unfortunately the code does not compile, Prove yourself worthy by compiling & executing the project.

We have unfinished project that we have to compile and run.

The mission isn’t that hard, we have some undeclared variables, useless code, incorrect function signatures.

After fixing all above and changing from debug to release, we get the flag!

Homebase 2

Success! Well.. Kinda…
Team Airplane managed to identify the encryption algorithm that the server uses to encrypt the content from the response.
Sadly, they only know how to write pseudo code, so as a programmer you need to buckle up buckaroo and implement the algorithm and decipher the response.

Now we to implement an algorithm and decipher the flag.

The algorithm is very straightforward and we also get an example to test our implementation.
Crafted python script:

The final result:

Homebase 3

Ok so our operative M. Smith managed to get to R. Sanchez’ cell in the prison, now he needs to transmit a message to him! Sadly the prison’s systems filter all messages that get through, so we need to figure out a way to fit its scheme.
You ‘member the decryption algorithm from the last mission? Yes you ‘member! now with a given encrypted message, you will need to find the correct key

Looks like we have to decrypt our way out through brute force:

We know that there are only 3 steps, and we know our alphabet.
By knowing the alphabet we can aim for a very specific range of values which will make brute force faster.
A-Z: 65-90 (decimal)
a-z: 97-122
Space, ‘.’, ‘?’: 32, 46, 63
First run of add,sub and xor yielded only one useful output:

Because add/sub will keep our values at the same range difference, we have to mix it up with xor in a way that all characters will be within a range of 26 (except for first capital letter and the last letter which reserved for space, ‘.’ and ‘?’).
At this point, after a quick google search, we found the desired quote (also the flag), which perfectly aligned with given encrypted message.
I consider this cheating because the key was never found, but hey – it works 🙂

root@localhost

Month: April 2017

Shabak CTF writeup Part 2