BalalaikaCr3w - No cON Name CTF Finals 2014

WireTap (Stegano 200)

Dor1s — Sun, 02 Nov 2014 19:37:53 +0000

Category:

stego

Event:

No cON Name CTF Finals 2014

Description: Does it sound like a flag? Maybe... I don't know...

File: wiretap.wav

Solution:

Let's quickly analyze the file:

 $ file wiretap.wav
wiretap.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 32 bit, stereo 44100 Hz
$ strings wiretap.wav
RIFFD
WAVEfmt 
data

Nothing interesting. Now look at data of .wav file:

$ ./diff.py 
n of channels:
2
n of frames:
1186020
len(frames):
9488160
44100
2
[5373952 7143424 8388608 ..., 5111808 4980736 4915200]
[5374089 7143504 8388686 ..., 5111991 4980814 4915379]

Values of frames from two different channels are close enough but not the same. Let's look at their difference (first 100 printed):

[137, 80, 78, 71, 13, 10, 26, 10, 0, 0, 0, 13, 73, 72, 68, 82, 0, 0, 2, 22, 0, 0, 0, 48, 8, 4, 0, 0, 0, 231, 36, 251, 90, 0, 0, 0, 2, 98, 75, 71, 68, 0, 0, 170, 141, 35, 50, 0, 0, 0, 9, 112, 72, 89, 115, 0, 0, 11, 19, 0, 0, 11, 19, 1, 0, 154, 156, 24, 0, 0, 0, 7, 116, 73, 77, 69, 7, 222, 10, 26, 15, 41, 21, 179, 51, 68, 152, 0, 0, 0, 29, 105, 84, 88, 116, 67, 111, 109, 109, 101]

Seems that all of them are in range of byte values [0..255]. Some of you may be have already noticed that bytes from 2 to 4 are printable characters ('PNG'). Let's write difference of channels into file and look at it:

$ file result 
result: PNG image data, 534 x 48, 8-bit gray+alpha, non-interlaced

Wow! Look there:

My script for solving this task:

#!/usr/bin/python
import wave
from scipy.io.wavfile import read

w = wave.open('wiretap.wav', 'r')
print 'n of channels:'
print w.getnchannels()

n = w.getnframes()
print 'n of frames:'
print n
frames = w.readframes(n)
print 'len(frames):'
print len(frames)

(fs, x) = read('wiretap.wav')
print fs
print len(x.shape) 
print x[:,0]
print x[:,1]

c1 = x[:,0]
c2 = x[:,1]
d = []
for a, b in zip(c1, c2):
	d.append(b - a)
print d[0:100]

out = open('result', 'wb')
for t in d: out.write(chr(t))
out.close()

Flag is: NcN_132238aba8928f9655eeb09939eba1f963c18183

buy footwear | ナイキエアマックスエクシー "コルク/ホワイト" (NIKE AIR MAX EXCEE "Cork/White") [DJ1975-100] , Fullress , スニーカー発売日抽選情報ニュースを掲載！ナイキジョーダンダンクシュプリーム SUPREME 等のファッション情報を配信！

vodka (forensics 400)

the_storm — Sat, 01 Nov 2014 19:13:51 +0000

Category:

forensics

Event:

No cON Name CTF Finals 2014

Description: We were given a pcap file called vodka were asked to get out the flag.

Solution:

We opened the pcap file with wireshark and take a look the statistics of the pcap file, we saw that 100% of the packets in the file was mainly tftp protocol packets.

Looking at the first packet in the pcap, we see a write request with a file named "openwrt-wrtsl54gs-squashfs.bin" and then we see the blocks are send with size 558 bytes and after each block we see an acknowledgment of receiving the block.

What we simply need now is to dump that binary file from the pcap. Using this command on tshark:

tshark -r vodka.pcap -Y "tftp and tftp.opcode==3" -Tfields -edata > openwrt-wrtsl54gs-squashfs.hex

The file now is dumped. However, it is in hex not in binary because the output of tshark is in hex. We wrote a simple python code to change the file from hex to binary.

f = open('openwrt-wrtsl54gs-squashfs.hex', 'r')
w = open('openwrt-wrtsl54gs-squashfs.bin', 'wb')
lines = f.readlines()
for l in lines:
	w.write(l.strip('\n').decode('hex'))
w.close()

Now we have the binary file. The first thing we did is we ran the "file" command trying to now the type of the file, but the output of file was nothing except "data". Then we use "binwalk" and that was the result of binwalk.

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------
32            0x20          TRX firmware header, little endian, header size: 28 bytes,  image size: 1323008 bytes, CRC32: 0x6CAC483 flags/version: 0x10000
60            0x3C          gzip compressed data, from Unix, NULL date: Thu Jan  1 02:00:00 1970, max compression
517152        0x7E420       Squashfs filesystem, little endian, version 2.1, size: 805671 bytes,  269 inodes, blocksize: 65536 bytes, created: Wed Oct 29 20:53:25 2014

So, there is a squash file system and there is a firmware. We thought that we will get the squashfs using dd, mount it and then get the flag. We "dded" the binary file and tried to mount the squash file system, but the mount has failed. Probably, to mount the squashfs correctly we need to read the firmware to extract some options and then we should be able to mount the squash fs correctly. We googled a bit about the squash fs and TRX firmware and we found this tool.

We downloaded the tool and compile it. Using "extract-firmware.sh" in the tool with the openwrt-wrtsl54gs-squashfs.bin as input, we managed to mount the squash file system correctly. Browsing the squashfs folder, we found three folders: "image parts", "logs" and "rootfs".

That was the content of the rootfs:

I entered the rootfs and found a minimal linux system. Not sure were to go in this system, I assumed that there will be something inside the "www" folder. I checked it, but it was empty. I decided to grep the entire system for the word "flag". I found a huge output. That was one of the lines in the output of the grep command.

Looks like the nc file is interesting. I checked the file, it was basically a bash file. Checking the source code of the nc file, I found in the comments this section.

######################
### Draw rainbow flag
######################

I decided to run the nc file after making sure it doesn't have something malicious, and that was the result of running it.

Looking at the bottm right corner of the output we see "NCNdeadface" which was simply the flag.

flag: NCNdeadface

PS: I managed to solve this after the end of the competition with like 15 mins. The reason why, is that the grep on flag returned a huge amount of data.

Running sports | jordan Release Dates

5h311 (reverse 200)

Dil4rd — Sat, 01 Nov 2014 02:00:04 +0000

Category:

reverse

Event:

No cON Name CTF Finals 2014

Description: Connect to the service listening at 10.210.8.1:6969 and get the flag.

Solution: We have x86 ELF binary (attached to this writeup). If you open it in disassembler, you will find that it's obfuscated, but strings aren't encrypted:

So, we have something like command interpreter... but the most intresting string is, of course, "flag.txt". Now take a look into function, where this string are used. It's sub_080488D0 which we can call on_cat. Because the only place, where it's used is:

Now it's time to understand obfuscation method:

\\some code ... 
while ( 1 ) {
 while ( 1 )  {
    while ( 1 )    {
      while ( 1 )      {
        while ( 1 )        {
          while ( 1 )          {
            curCmdCode = nextCmdCode;
            ni0 = nextCmdCode - 2044764020;
            if ( nextCmdCode <= 2044764020 )
              break;
            ni1 = curCmdCode - 2044764021;
            if ( curCmdCode == 2044764021 )
              nextCmdCode = -12968513931;
          }
          ni2 = curCmdCode + 2004157958;
          if ( curCmdCode > -2004157958 )
            break;
          ni3 = curCmdCode + 2087107103;
          if ( curCmdCode == -2087107103 )
            nextCmdCode = 646359876;
        }
        v77 = curCmdCode + 1904900740;
        if ( curCmdCode > -1904900740 )
          break;
        v76 = curCmdCode + 2004157957;
        if ( curCmdCode == -2004157957 ) {
          v12 = fprintf(
                  globalStream,
                  "error: permission denied\n",
                  v15,
                  v16,
                  v17,
                  v18,
                  v19,
                  v20,
                  v21);
          v86 = 0;
          nextCmdCode = 1903774409;
          v18 = v12;
        }
      }
      v75 = curCmdCode + 1549151840;
      if ( curCmdCode > -1549151840 )
        break;
      v74 = curCmdCode + 1904900739;
      if ( curCmdCode == -1904900739 ) {
        v14 = fprintf(
                globalStream,
                "error: cannot open flag.txt\n",
                v15,
                v16,
                v17,
                v18,
                v19,
                v20,
                v21);
        v86 = 0;
        nextCmdCode = -1116102172;
        v16 = v14;
      }
    }
    v73 = curCmdCode - 1903774408;
    if ( curCmdCode <= 1903774408 )
      break;
    v35 = curCmdCode - 1903774409;
    if ( curCmdCode == 1903774409 ) {
      v33 = -196240387;
      v32 = -2004157957;
      v3 = fprintf(
             globalStream,
             "error: permission denied\n",
             v15,
             v16,
             v17,
             v18,
             v19,
             v20,
             v21);
      v86 = 0;
      nextCmdCode = v33;
      v31 = v3;
    }
  }
  v72 = curCmdCode + 1488433617;
  if ( curCmdCode > -1488433617 )
    break;
  v71 = curCmdCode + 1549151839;
  if ( curCmdCode == -1549151839 )
    nextCmdCode = -184417779;
}
\\more code...

The original code was divided into blocks, which were divided between states of finite automata. Each state is defined by current state (curCmdCode). The next state is defined by variable nextCmdCode. The only thing we should do to deobfuscate is to find all possible ways in given finite automata. But there is an earsier way: in function named on_cat we can notice one strange thing:

v2 = 799129272;
if (!dword_804E894)
  v2 = 373595890;
nextCmdCode = v2;

this means that next execution flow depends of the value of global variable dword_804E894, which is changed to value 1 only in one place: function, named on_put. Now take a look into function on_put at address 0x0804AC80.

This function checks elements of global array globalVars at address 0x0804E8A8 (it's used to store pairs name&value, entered by user), where first 256 bytes is a name of variable and next 256 is suggested value or vice versa. So lets try to create variable in global array globalVar with name "puts" and value "printf" or vice versa, then type "puts" and "cat flag.txt".... and we will get the flag.

I didn't logging my actions during the ctf so the next code is just a local test:

>ncat 192.168.249.144 6969
#############################################################
#                 Welcome to 5h311.nsa.gov                  #
#        All connections are monitored and recorded         #
# Disconnect IMMEDIATELY if you are not an authorized user! #
#############################################################

$ set puts printf
$ puts
# cat flag.txt
Yahoooo_its_my_flag
#

So the task is done and no deobfuscation has been really needed.

Adidas shoes | Women's Nike Air Jordan 1 trainers - Latest Releases , Ietp

Attachments:

5h311.zip