The Vulnerable Space: CTF Writeup - Flare-On 2016

Name - khaki
Category - Reverse Engineering
Points - 6
Description - n/a
Binary - Download here

The binary is a simple game which requires you to guess the randomly-generated number:

Command Prompt

C:\>khaki.exe (Guesses: 1) Pick a number between 1 and 100:50 Too high, try again (Guesses: 2) Pick a number between 1 and 100:25 Too low, try again (Guesses: 3) Pick a number between 1 and 100:37 Too high, try again (Guesses: 4) Pick a number between 1 and 100:30 Wahoo, you guessed it with 4 guesses Status: 4 guesses C:\>

Running strings on the binary reveals a lot of python functions and files. More specifically, the program has been compiled using py2exe:

root@kali: ~/Desktop

root@kali:~/Desktop# strings khaki.exe | grep -i py2exe PY2EXE_VERBOSE PY2EXE_VERBOSE C:\Python27\lib\site-packages\py2exe\boot_common.pyR C:\Python27\lib\site-packages\py2exe\boot_common.pyR C:\Python27\lib\site-packages\py2exe\boot_common.pyR C:\Python27\lib\site-packages\py2exe\boot_common.pyR C:\Python27\lib\site-packages\py2exe\boot_common.pyR C:\Python27\lib\site-packages\py2exe\boot_common.pyR C:\Python27\lib\site-packages\py2exe\boot_common.pyt C:\Python27\lib\site-packages\py2exe\boot_common.pyt root@kali:~/Desktop#

The next step is to decompile the program and hopefully get the original python file back. We first use unpy2exe to get back the compiled python files (.pyc):

root@kali: ~/Desktop

root@kali:~/Desktop# python unpy2exe.py -o OUTPUT khaki.exe Magic value: 78563412 Code bytes length: 4386 Archive name: - Extracting C:\Python27\lib\site-packages\py2exe\boot_common.py.pyc Extracting poc.py.pyc root@kali:~/Desktop#

Then we try and decompile the pyc file back to it's original python code:

root@kali: ~/Desktop

root@kali:~/Desktop# python uncompyler.py OUTPUT\poc.py.pyc # 2016.09.30 23:29:57 GMT Daylight Time --- This code section failed: --- 0 LOAD_CONST -1 3 LOAD_CONST '' [ ... snip ... ] 900 ROT_THREE '' 901 ROT_THREE '' 902 ROT_THREE '' Syntax error at or near `POP_TOP' token at offset 18 # decompiled 0 files: 0 okay, 1 failed, 0 verify failed # 2016.09.30 23:29:57 GMT Daylight Time root@kali:~/Desktop#

The decompilation fails but we still get back some of the successfully-decompiled bytecode which is enough to complete the challenge. The bytecode contains a lot of NOPs which makes it difficult to read such as NOP, double ROT_TWO, triple ROT_THREE and LOAD_CONST -1; POP_TOP.

The following is the entire NOP-free python bytecode:

LOAD_CONST        -1
LOAD_CONST        ''
IMPORT_NAME       'sys'
STORE_NAME        'sys'
LOAD_CONST        -1
LOAD_CONST        ''
IMPORT_NAME       'random'
STORE_NAME        'random'
LOAD_CONST        'Flare-On ultra python obfuscater 2000'
STORE_NAME        '__version__'
LOAD_NAME         'random'
LOAD_ATTR         'randint'
LOAD_CONST        1
LOAD_CONST        101
CALL_FUNCTION_2   ''
STORE_NAME        'target'
LOAD_CONST        1
STORE_NAME        'count'
LOAD_CONST        ''
STORE_NAME        'error_input'
SETUP_LOOP        '288'
LOAD_NAME         'True'
POP_JUMP_IF_FALSE '287'
LOAD_CONST        '(Guesses: %d) Pick a number between 1 and 100:'
LOAD_NAME         'count'
BINARY_MODULO     ''
PRINT_ITEM        ''
LOAD_NAME         'sys'
LOAD_ATTR         'stdin'
LOAD_ATTR         'readline'
CALL_FUNCTION_0   ''
STORE_NAME        'input'
SETUP_EXCEPT      '154'
LOAD_NAME         'int'
LOAD_NAME         'input'
LOAD_CONST        ''
CALL_FUNCTION_2   ''
STORE_NAME        'input'
POP_BLOCK         ''
JUMP_FORWARD      '197'
154_0 COME_FROM         '128'
POP_TOP           ''
POP_TOP           ''
POP_TOP           ''
LOAD_NAME         'input'
STORE_NAME        'error_input'
LOAD_CONST        'Invalid input: %s'
LOAD_NAME         'error_input'
BINARY_MODULO     ''
PRINT_ITEM        ''
PRINT_NEWLINE     ''
JUMP_BACK         '88'
JUMP_FORWARD      '197'
END_FINALLY       ''
197_0 COME_FROM         '151'
197_1 COME_FROM         '189'
LOAD_NAME         'target'
LOAD_NAME         'input'
COMPARE_OP        '=='
POP_JUMP_IF_FALSE '221'
BREAK_LOOP        ''
JUMP_FORWARD      '221'
221_0 COME_FROM         '218'
LOAD_NAME         'input'
LOAD_NAME         'target'
COMPARE_OP        '<'
POP_JUMP_IF_FALSE '253'
LOAD_CONST        'Too low, try again'
PRINT_ITEM        ''
PRINT_NEWLINE     ''
JUMP_FORWARD      '262'
LOAD_CONST        'Too high, try again'
PRINT_ITEM        ''
PRINT_NEWLINE     ''
262_0 COME_FROM         '246'
LOAD_NAME         'count'
LOAD_CONST        1
INPLACE_ADD       ''
STORE_NAME        'count'
JUMP_BACK         '88'
POP_BLOCK         ''
288_0 COME_FROM         '82'
LOAD_NAME         'target'
LOAD_NAME         'input'
COMPARE_OP        '=='
POP_JUMP_IF_FALSE '342'
LOAD_CONST        'Wahoo, you guessed it with %d guesses\n'
LOAD_NAME         'count'
BINARY_MODULO     ''
STORE_NAME        'win_msg'
LOAD_NAME         'sys'
LOAD_ATTR         'stdout'
LOAD_ATTR         'write'
LOAD_NAME         'win_msg'
CALL_FUNCTION_1   ''
POP_TOP           ''
JUMP_FORWARD      '342'
342_0 COME_FROM         '339'
LOAD_NAME         'count'
LOAD_CONST        1
COMPARE_OP        '=='
POP_JUMP_IF_FALSE '391'
LOAD_CONST        'Status: super guesser %d'
LOAD_NAME         'count'
BINARY_MODULO     ''
PRINT_ITEM        ''
PRINT_NEWLINE     ''
LOAD_NAME         'sys'
LOAD_ATTR         'exit'
LOAD_CONST        1
CALL_FUNCTION_1   ''
POP_TOP           ''
JUMP_FORWARD      '391'
391_0 COME_FROM         '388'
LOAD_NAME         'count'
LOAD_CONST        25
COMPARE_OP        '>'
POP_JUMP_IF_FALSE '451'
LOAD_CONST        'Status: took too long %d'
LOAD_NAME         'count'
BINARY_MODULO     ''
PRINT_ITEM        ''
PRINT_NEWLINE     ''
LOAD_NAME         'sys'
LOAD_ATTR         'exit'
LOAD_CONST        1
CALL_FUNCTION_1   ''
POP_TOP           ''
JUMP_FORWARD      '468'
LOAD_CONST        'Status: %d guesses'
LOAD_NAME         'count'
BINARY_MODULO     ''
PRINT_ITEM        ''
PRINT_NEWLINE     ''
468_0 COME_FROM         '448'
LOAD_NAME         'error_input'
LOAD_CONST        ''
COMPARE_OP        '!='
POP_JUMP_IF_FALSE '896'
LOAD_CONST        ''
LOAD_ATTR         'join'
LOAD_GENEXPR      '<code_object <genexpr>&lgt;'
MAKE_FUNCTION_0   ''
LOAD_NAME         'error_input'
GET_ITER          ''
CALL_FUNCTION_1   ''
CALL_FUNCTION_1   ''
LOAD_ATTR         'encode'
LOAD_CONST        'hex'
CALL_FUNCTION_1   ''
STORE_NAME        'tmp'
LOAD_NAME         'tmp'
LOAD_CONST        '312a232f272e27313162322e372548'
COMPARE_OP        '!='
POP_JUMP_IF_FALSE '590'
LOAD_NAME         'sys'
LOAD_ATTR         'exit'
LOAD_CONST        ''
CALL_FUNCTION_1   ''
POP_TOP           ''
JUMP_FORWARD      '590'
590_0 COME_FROM         '587'
LOAD_CONST        67
LOAD_CONST        139
LOAD_CONST        119
LOAD_CONST        165
LOAD_CONST        232
LOAD_CONST        86
LOAD_CONST        207
LOAD_CONST        61
LOAD_CONST        79
LOAD_CONST        67
LOAD_CONST        45
LOAD_CONST        58
LOAD_CONST        230
LOAD_CONST        190
LOAD_CONST        181
LOAD_CONST        74
LOAD_CONST        65
LOAD_CONST        148
LOAD_CONST        71
LOAD_CONST        243
LOAD_CONST        246
LOAD_CONST        67
LOAD_CONST        142
LOAD_CONST        60
LOAD_CONST        61
LOAD_CONST        92
LOAD_CONST        58
LOAD_CONST        115
LOAD_CONST        240
LOAD_CONST        226
LOAD_CONST        171
BUILD_LIST_31     ''
STORE_NAME        'stuffs'
IMPORT_NAME       'hashlib'
STORE_NAME        'hashlib'
LOAD_NAME         'hashlib'
LOAD_ATTR         'md5'
LOAD_NAME         'win_msg'
LOAD_NAME         'tmp'
BINARY_ADD        ''
CALL_FUNCTION_1   ''
LOAD_ATTR         'digest'
CALL_FUNCTION_0   ''
STORE_NAME        'stuffer'
SETUP_LOOP        '890'
LOAD_NAME         'range'
LOAD_NAME         'len'
LOAD_NAME         'stuffs'
CALL_FUNCTION_1   ''
CALL_FUNCTION_1   ''
GET_ITER          ''
FOR_ITER          '889'
STORE_NAME        'x'
LOAD_NAME         'chr'
LOAD_NAME         'stuffs'
LOAD_NAME         'x'
BINARY_SUBSCR     ''
LOAD_NAME         'ord'
LOAD_NAME         'stuffer'
LOAD_NAME         'x'
LOAD_NAME         'len'
LOAD_NAME         'stuffer'
CALL_FUNCTION_1   ''
BINARY_MODULO     ''
BINARY_SUBSCR     ''
CALL_FUNCTION_1   ''
BINARY_XOR        ''
CALL_FUNCTION_1   ''
PRINT_ITEM        ''
JUMP_BACK         '809'
POP_BLOCK         ''
890_0 COME_FROM         '788'
PRINT_NEWLINE     ''
JUMP_FORWARD      '896'
896_0 COME_FROM         '893'
LOAD_CONST        ''
RETURN_VALUE      ''

Filtering the unnecessary parts, we get the following desired control flow:

Line 313 - Set win_msg to 'Wahoo, you guessed it with %d guesses\n'
- where %d is a number between 1 and 26 (Lines 396 - 419)
Lines 536 - 552 - tmp has to be equal to '312a232f272e27313162322e372548'
Lines 590 - 741 - Set stuffs to [67, 139, ..., 226, 171]
Lines 750 - 785 - Set stuffer to the MD5 of win_msg + tmp
Lines 788 - 890 - XOR stuffs with stuffer as the key, and print each value

The only unknown variable is %d and can be easily brute-forced. Let's convert the above points into code which iterates over all possible values:

import hashlib
import sys
 
stuffs = [67, 139, 119, 165, 232, 86, 207, 61, 79, 67, 45, 58, 230, 190, 181, 74, 65, 148, 71, 243, 246, 67, 142, 60, 61, 92, 58, 115, 240, 226, 171]
 
tmp = "312a232f272e27313162322e372548"
 
for y in range (26):
    win_msg = "Wahoo, you guessed it with " + str(y) + " guesses\n"
    bin_add = win_msg + tmp
    stuffer = hashlib.md5(bin_add).digest()
 
    for x in range(len(stuffs)):
        sys.stdout.write((chr(stuffs[x] ^ ord(stuffer[x % len(stuffer)]))))
 
    print '\r'

Running the program:

root@kali: ~/Desktop

root@kali:~/Desktop# python solution.py [ .. snip .. ] 1mp0rt3d_pygu3ss3r@flare-on.com [ .. snip .. ] root@kali:~/Desktop#

The Vulnerable Space

Friday, 4 November 2016

CTF Writeup - Flare-On 2016 - 06: khaki

No comments:

Post a Comment